npm - dependency-radar - Versions diffs - 0.5.1 → 0.6.1 - Mend

dependency-radar 0.5.1 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +214 -119
package/dist/cli.js +402 -50
package/dist/failOn.js +177 -0
package/dist/report-assets.js +2 -2
package/dist/report.js +70 -3
package/dist/runners/importGraphRunner.js +28 -5
package/dist/runners/lockfileGraph.js +40 -22
package/dist/runners/lockfileParsers.js +434 -0
package/dist/runners/npmAudit.js +28 -11
package/dist/runners/npmLs.js +58 -18
package/dist/runners/npmOutdated.js +37 -16
package/package.json +4 -8

package/dist/report.js CHANGED Viewed

@@ -63,7 +63,7 @@ function buildHtml(data) {
                 month: 'short',
                 year: 'numeric',
                 hour: '2-digit',
-                minute: '2-digit'
+                minute: '2-digit',
             }).format(date);
         }
     }
@@ -199,6 +199,16 @@ ${safeCssContent}
             </svg>
             <input type="search" id="search" placeholder="Search packages..." />
           </div>
+          <div class="view-switch" id="view-switch">
+            <button
+              type="button"
+              class="view-switch-btn"
+              id="view-graph-btn"
+              data-view="graph"
+            >
+              Graph View
+            </button>
+          </div>
           <button
             type="button"
             class="filters-toggle"
@@ -319,7 +329,60 @@ ${safeCssContent}
   <!-- Main Content -->
   <main class="main-content">
-    <div id="dependency-list" class="dependency-grid"></div>
+    <section class="view-panel active" id="list-view" data-view="list" aria-hidden="false">
+      <div id="dependency-list" class="dependency-grid"></div>
+    </section>
+    <section class="view-panel" id="graph-view" data-view="graph" aria-hidden="true">
+      <div class="graph-canvas-shell" id="graph-canvas-shell">
+        <canvas id="graph-canvas"></canvas>
+        <div class="graph-overlay-top">
+          <button type="button" class="graph-back-btn" id="graph-back-btn">Back to List View</button>
+          <div class="graph-key" aria-label="Graph key">
+            <span class="graph-workspace-label">Key</span>
+            <div class="graph-key-items">
+              <span class="graph-key-item">
+                <span class="graph-key-dot dependency" aria-hidden="true"></span>
+                <span>Dependency</span>
+              </span>
+              <span class="graph-key-item">
+                <span class="graph-key-dot dev-dependency" aria-hidden="true"></span>
+                <span>Dev-Dependency</span>
+              </span>
+              <span class="graph-key-item">
+                <span class="graph-key-dot sub-dependency" aria-hidden="true"></span>
+                <span>Sub-Dependency</span>
+              </span>
+            </div>
+          </div>
+          <div class="graph-overlay-left" id="graph-workspace-wrap">
+            <label class="graph-workspace-label" for="graph-workspace">Workspace</label>
+            <select id="graph-workspace" class="graph-workspace-select"></select>
+          </div>
+        </div>
+        <div class="graph-controls graph-overlay graph-overlay-right" id="graph-controls">
+          <div class="dpad">
+            <button type="button" class="graph-control-btn up" data-action="pan-down" aria-label="Pan Up">▲</button>
+            <button type="button" class="graph-control-btn left" data-action="pan-right" aria-label="Pan Left">◀</button>
+            <div class="center-spacer" aria-hidden="true"></div>
+            <button type="button" class="graph-control-btn right" data-action="pan-left" aria-label="Pan Right">▶</button>
+            <button type="button" class="graph-control-btn down" data-action="pan-up" aria-label="Pan Down">▼</button>
+          </div>
+          <div class="zoom-controls">
+            <button type="button" class="graph-control-btn" data-action="zoom-in" aria-label="Zoom In">+</button>
+            <button type="button" class="graph-control-btn" data-action="zoom-out" aria-label="Zoom Out">−</button>
+          </div>
+          <button type="button" class="graph-control-btn reset-btn" data-action="reset">reset</button>
+        </div>
+        <div class="graph-popover" id="graph-popover" hidden>
+          <div class="graph-popover-name" id="graph-popover-name"></div>
+          <div class="graph-popover-meta" id="graph-popover-version"></div>
+          <div class="graph-popover-meta" id="graph-popover-license"></div>
+          <div class="graph-popover-meta" id="graph-popover-vulns"></div>
+          <div class="graph-popover-meta" id="graph-popover-amplification"></div>
+          <button type="button" class="graph-popover-action" id="graph-open-list">Open in List</button>
+        </div>
+      </div>
+    </section>
   </main>
   <footer class="report-footer">
@@ -335,5 +398,9 @@ ${safeJsContent}
 </html>`;
 }
 function escapeHtml(str) {
-    return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;');
 }

package/dist/runners/importGraphRunner.js CHANGED Viewed

@@ -10,7 +10,22 @@ const module_1 = require("module");
 const utils_1 = require("../utils");
 const IGNORED_DIRS = new Set(['node_modules', 'dist', 'build', 'coverage', '.dependency-radar']);
 const SOURCE_EXTENSIONS = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'];
-async function runImportGraph(projectPath, tempDir) {
+/**
+ * Builds an import graph for a project and optionally writes it to disk.
+ *
+ * The produced graph maps each project-relative source file to its resolved local file dependencies,
+ * referenced packages, per-file package usage counts, and any unresolved import specifiers.
+ *
+ * @param options - Optional settings.
+ * @param options.persistToDisk - When `false`, the graph is not written to disk; defaults to `true`.
+ * @returns An object with:
+ *  - `ok: true` and `data` containing `{ files, packages, packageCounts, unresolvedImports }` on success.
+ *    When the graph was persisted to disk, a `file` field points to the written JSON file (`<tempDir>/import-graph.json`).
+ *  - `ok: false` and `error` containing an error message on failure. If persistence was enabled, a `file` field may point to
+ *    the JSON file containing the error object.
+ */
+async function runImportGraph(projectPath, tempDir, options = {}) {
+    const persistToDisk = options.persistToDisk !== false;
     const targetFile = path_1.default.join(tempDir, 'import-graph.json');
     try {
         const srcPath = path_1.default.join(projectPath, 'src');
@@ -32,12 +47,20 @@ async function runImportGraph(projectPath, tempDir) {
             unresolvedImports.push(...resolved.unresolved.map((spec) => ({ importer: rel, specifier: spec })));
         }
         const output = { files: fileGraph, packages: packageGraph, packageCounts, unresolvedImports };
-        await (0, utils_1.writeJsonFile)(targetFile, output);
-        return { ok: true, data: output, file: targetFile };
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, output);
+        }
+        return { ok: true, data: output, ...(persistToDisk ? { file: targetFile } : {}) };
     }
     catch (err) {
-        await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
-        return { ok: false, error: `import graph failed: ${String(err)}`, file: targetFile };
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
+        }
+        return {
+            ok: false,
+            error: `import graph failed: ${String(err)}`,
+            ...(persistToDisk ? { file: targetFile } : {})
+        };
     }
 }
 async function collectSourceFiles(rootDir) {

package/dist/runners/lockfileGraph.js CHANGED Viewed

@@ -6,7 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.tryBuildDependencyTreeFromLockfile = tryBuildDependencyTreeFromLockfile;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
-const yaml_1 = __importDefault(require("yaml"));
+const lockfileParsers_1 = require("./lockfileParsers");
 const treeCache = new Map();
 const parseCache = new Map();
 /**
@@ -244,7 +244,10 @@ function buildPnpmNode(packageKey, snapshots, index, memo, installState, stack)
         dependencies: {}
     };
     stack.add(packageKey);
-    const childRefs = mergeStringRecord(snapshot === null || snapshot === void 0 ? void 0 : snapshot.dependencies, mergeStringRecord(snapshot === null || snapshot === void 0 ? void 0 : snapshot.optionalDependencies, snapshot === null || snapshot === void 0 ? void 0 : snapshot.peerDependencies));
+    // pnpm snapshots already carry resolved installed deps in `dependencies`/`optionalDependencies`.
+    // Do not traverse `peerDependencies` ranges here: they can overwrite resolved child refs
+    // (for example `child: ^1.0.0` over `child: 1.0.0`) and incorrectly drop installed nodes.
+    const childRefs = mergeStringRecord(snapshot === null || snapshot === void 0 ? void 0 : snapshot.dependencies, snapshot === null || snapshot === void 0 ? void 0 : snapshot.optionalDependencies);
     for (const [childName, childRef] of Object.entries(childRefs)) {
         if (!childRef || isWorkspaceLikeSpecifier(childRef))
             continue;
@@ -502,6 +505,10 @@ function buildNpmNodeFromPackages(packageKey, fallbackName, packages, memo, stac
         version,
         dependencies: {}
     };
+    const packagePath = resolveNpmInstalledPath(packageKey, installState.lockDir);
+    if (packagePath) {
+        out.path = packagePath;
+    }
     if ((entry === null || entry === void 0 ? void 0 : entry.dev) !== undefined) {
         out.dev = Boolean(entry.dev);
     }
@@ -561,6 +568,33 @@ function resolveNpmPackagePath(fromPackageKey, depName, packages) {
     const rootCandidate = `node_modules/${depName}`;
     return rootCandidate in packages ? rootCandidate : undefined;
 }
+/**
+ * Resolve an npm lockfile package key to the absolute filesystem path where that package would be installed under a given lock directory.
+ *
+ * @param packageKey - The package key from a lockfile (e.g., a normalized/package-relative path or package identifier).
+ * @param lockDir - The lockfile directory to treat as the installation root.
+ * @returns The absolute path inside `lockDir` corresponding to `packageKey` if it resolves to a location contained within `lockDir`, `undefined` otherwise.
+ */
+function resolveNpmInstalledPath(packageKey, lockDir) {
+    const normalizedKey = normalizeLockPackageKey(packageKey);
+    if (!normalizedKey)
+        return undefined;
+    const segments = normalizedKey.split('/').filter(Boolean);
+    if (segments.length === 0)
+        return undefined;
+    for (const segment of segments) {
+        if (segment === '.' || segment === '..')
+            return undefined;
+        if (path_1.default.isAbsolute(segment))
+            return undefined;
+    }
+    const lockRoot = path_1.default.resolve(lockDir);
+    const resolved = path_1.default.resolve(lockRoot, ...segments);
+    const relative = path_1.default.relative(lockRoot, resolved);
+    if (relative.startsWith('..') || path_1.default.isAbsolute(relative))
+        return undefined;
+    return resolved;
+}
 /**
  * Normalize a legacy npm lockfile node into a ResolvedNode.
  *
@@ -641,20 +675,7 @@ function parseYarnTree(projectPath, searchRoot) {
  * @returns A Map where each selector string maps to its YarnV1Entry, or `undefined` if parsing fails or the lockfile is not a Yarn v1 success parse
  */
 function parseYarnV1(raw) {
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
-    const lockfile = require('@yarnpkg/lockfile');
-    const parsed = lockfile.parse(raw);
-    if (!parsed || parsed.type !== 'success' || !parsed.object)
-        return undefined;
-    const map = new Map();
-    for (const [selectorKey, entry] of Object.entries(parsed.object)) {
-        for (const selector of splitSelectors(selectorKey)) {
-            if (!map.has(selector)) {
-                map.set(selector, entry || {});
-            }
-        }
-    }
-    return map;
+    return (0, lockfileParsers_1.parseYarnV1Lockfile)(raw);
 }
 /**
  * Parse a Yarn v2 (Berry) lockfile YAML string into a selector-to-entry map.
@@ -663,7 +684,7 @@ function parseYarnV1(raw) {
  * @returns A Map where each lockfile selector maps to its YarnV2Entry, or `undefined` if the input could not be parsed into an object
  */
 function parseYarnV2(raw) {
-    const parsed = yaml_1.default.parse(raw);
+    const parsed = (0, lockfileParsers_1.parseYamlLike)(raw);
     if (!parsed || typeof parsed !== 'object')
         return undefined;
     const map = new Map();
@@ -830,10 +851,7 @@ function collectPackageJsonDependencySpecs(pkg) {
  * @returns An array of trimmed, non-empty selector strings
  */
 function splitSelectors(selectorKey) {
-    return selectorKey
-        .split(',')
-        .map((part) => part.trim())
-        .filter(Boolean);
+    return (0, lockfileParsers_1.splitSelectorList)(selectorKey);
 }
 /**
  * Merge two arbitrary values into a string-to-string record, with entries from the second overriding the first.
@@ -995,7 +1013,7 @@ function getCachedYaml(filePath) {
     const raw = readCachedText(filePath);
     if (!raw)
         return undefined;
-    const parsed = yaml_1.default.parse(raw);
+    const parsed = (0, lockfileParsers_1.parseYamlLike)(raw);
     parseCache.set(cacheKey, parsed);
     return parsed;
 }