depstein 0.1.0

package/README.md

@@ -0,0 +1,438 @@
+<p align="center">
+  <img src="https://img.shields.io/npm/v/depstein?color=0ea5e9&style=flat-square" alt="npm version" />
+  <img src="https://img.shields.io/npm/l/depstein?color=22c55e&style=flat-square" alt="license" />
+  <img src="https://img.shields.io/node/v/depstein?color=f59e0b&style=flat-square" alt="node version" />
+  <img src="https://img.shields.io/badge/ecosystems-npm%20%C2%B7%20PyPI%20%C2%B7%20Cargo%20%C2%B7%20Go-a855f7?style=flat-square" alt="ecosystems" />
+</p>
+
+```
+██████╗ ███████╗██████╗ ███████╗████████╗███████╗██╗███╗   ██╗
+██╔══██╗██╔════╝██╔══██╗██╔════╝╚══██╔══╝██╔════╝██║████╗  ██║
+██║  ██║█████╗  ██████╔╝███████╗   ██║   █████╗  ██║██╔██╗ ██║
+██║  ██║██╔══╝  ██╔═══╝ ╚════██║   ██║   ██╔══╝  ██║██║╚██╗██║
+██████╔╝███████╗██║     ███████║   ██║   ███████╗██║██║ ╚████║
+╚═════╝ ╚══════╝╚═╝     ╚══════╝   ╚═╝   ╚══════╝╚═╝╚═╝  ╚═══╝
+```
+
+<p align="center"><strong>Dependency health scoring for npm · PyPI · Cargo · Go — right in your terminal.</strong></p>
+
+<br />
+
+depstein audits every dependency in your project and scores it **0–100** across six dimensions — security, maintenance, popularity, bundle size, TypeScript support, and license. Pop it open with a single command and get an interactive TUI to triage your dependencies before they become problems.
+
+---
+
+## Screenshots
+
+### Main Dashboard
+
+```
+  ██████╗ ███████╗██████╗  ...
+  v0.1.0  ~/projects/my-app  [npm]
+  ────────────────────────────────────────────────────────────────────────────────
+  8 packages   avg 80/100  B   ██████████████████████░░░░░░░░  0 critical  1 poor
+
+  PACKAGE              VER         SCORE    GRADE   ISSUES
+  ────────────────────────────────────────────────────────────────────────────────
+  › @types/react       18.2.0       89/100    A
+    @types/node        20.10.0      85/100    A      huge size
+    chalk              5.3.0        84/100    B      1 vuln (LOW)
+    commander          11.1.0       84/100    B
+    ink                4.4.1        84/100    B
+    typescript         5.3.0        75/100    B      huge size
+    react              18.2.0       74/100    B      vulnerable
+    tsx                4.6.0        64/100    C      no types
+
+  ────────────────────────────────────────────────────────────────────────────────
+  [↑↓] navigate  [enter] details  [f] filter: All  [s] sort: Score  [e] export  [q] quit
+```
+
+### Detail Panel (`Enter` on any package)
+
+```
+  moment               2.29.4    42/100   D   [prod]
+  Parse, validate, manipulate, and display dates in javascript.
+
+  license  MIT    updated  3 years ago    downloads  12.1M/wk    bundle  329KB gzip (65KB min)
+  repo     https://github.com/moment/moment
+
+  Score Breakdown
+    Maintenance   ██░░░░░░░░░░░░░░░░░░      2/20   ↓ Updated over 2 years ago
+    Popularity    ████████████████████    10/10   87.3M/week
+    Bundle Size   ░░░░░░░░░░░░░░░░░░░░     0/15   ↓ Huge bundle (>100KB gzip)
+    TypeScript    ██████████████░░░░░░      7/10   @types/ available
+    License       ████████████████████    15/15   MIT (permissive)
+    Security      ███████████████░░░░░    22/30   1 vuln(s), LOW
+
+  Suggested Actions
+    ⚠  Not actively maintained — consider a fork or alternative
+    ◆  Very large bundle — evaluate if this package is worth the size
+    ↑  New version available: 2.29.4 → 2.30.1
+
+  Replace with
+    →  dayjs  (91/100 A)  — saves 327KB gzip   lightweight Day.js, same API
+      or:  date-fns  (94/100 A)  — saves 281KB gzip   modular date utilities
+```
+
+### Interactive Path Picker (run `depstein` from any directory)
+
+```
+  ██████╗ ███████╗██████╗  ...
+  Dependency health scorer  ·  npm · pypi · cargo · go
+  ────────────────────────────────────────────────────────────────────────────────
+
+  Enter the path to a project, or press Enter to scan the current directory.
+
+  › Project path  ·  ~/projects/my-rust-app█
+
+  [enter] scan  [esc/ctrl-c] quit
+```
+
+### CI Output (`--ci`)
+
+```
+depstein CI — 32 packages, avg 68/100 (C)
+threshold: 70/100
+
+  ✗ moment                           42/100  D  outdated, huge bundle
+      → Replace with: dayjs
+  ✗ left-pad                         18/100  F  abandoned
+  ! node-sass                        49/100  D  vulnerable, outdated
+  ~ axios                            66/100  C  no types
+  ✓ express                          94/100  A  ok
+  ✓ chalk                            84/100  B  ok
+
+✗ Average score 68/100 is below threshold 70/100
+```
+
+In GitHub Actions, failing packages additionally emit `::error::` annotations visible inline in pull request diffs.
+
+---
+
+## Installation
+
+```bash
+# Install globally
+npm install -g depstein
+
+# Or run without installing
+npx depstein
+
+# Or with Bun
+bunx depstein
+```
+
+**Requirements:** Node.js 18+
+
+---
+
+## Usage
+
+```bash
+# Open the interactive TUI (auto-detects ecosystem)
+depstein
+
+# Analyze a specific directory
+depstein ~/projects/my-app
+
+# Show only failing/critical dependencies
+depstein --filter critical
+
+# Sort by date last updated (oldest first = most stale)
+depstein --sort updated
+
+# Show only the 10 worst packages
+depstein --top 10
+
+# Export a full JSON report
+depstein --json > report.json
+
+# CI mode — plain text + GitHub Actions annotations
+depstein --ci
+depstein --ci --min-score 80
+
+# Auto-replace deprecated packages in package.json
+depstein --fix
+
+# Force a specific ecosystem
+depstein --ecosystem pypi
+
+# Bypass disk cache for fresh API data
+depstein --no-cache
+```
+
+---
+
+## CLI Reference
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `[path]` | Project directory to analyze | `.` |
+| `--ecosystem` | Force: `npm` \| `pypi` \| `cargo` \| `golang` | auto |
+| `--filter` | `all` \| `critical` \| `poor` \| `dev` \| `prod` | `all` |
+| `--sort` | `score` \| `name` \| `size` \| `updated` | `score` |
+| `--top <n>` | Show only the N worst packages | all |
+| `--json` | Raw JSON output instead of TUI | — |
+| `--ci` | CI mode: plain text + GitHub Actions `::error::` | — |
+| `--min-score <n>` | Exit 1 if avg score < N (default 70 with `--ci`) | — |
+| `--fix` | Rewrite `package.json` with modern replacements | — |
+| `--no-cache` | Skip disk cache, fetch fresh data | — |
+| `-v, --version` | Show version | — |
+
+---
+
+## Interactive Controls
+
+| Key | Action |
+|-----|--------|
+| `↑` / `↓` | Navigate the dependency list |
+| `Enter` | Open detail panel for the selected package |
+| `Esc` | Close the detail panel |
+| `f` | Cycle filters (all → critical → poor → dev → prod) |
+| `s` | Cycle sort (score → name → size → updated) |
+| `e` | Export report to `depstein-report-<timestamp>.json` |
+| `q` | Quit |
+
+---
+
+## Scoring
+
+Each dependency is scored **0–100** by summing six dimensions. The model is penalty-based — packages start clean and lose points when evidence suggests a problem.
+
+| Dimension | Max | Measured by |
+|-----------|:---:|-------------|
+| Security | 30 | CVEs from [OSV.dev](https://osv.dev), version-aware |
+| Maintenance | 20 | Days since last release |
+| Bundle Size | 15 | Gzip size via [bundlephobia](https://bundlephobia.com) (npm only) |
+| License | 15 | Legal risk classification |
+| TypeScript | 10 | Built-in types, `@types/`, or none |
+| Popularity | 10 | Weekly / monthly downloads |
+| **Total** | **100** | |
+
+### Security (0–30)
+
+| Worst CVE affecting installed version | Points |
+|--------------------------------------|--------|
+| None | 30 |
+| LOW | 22 |
+| MEDIUM | 15 |
+| HIGH | 3 |
+| CRITICAL | 0 |
+
+Queries are version-aware — only CVEs that affect the _installed_ version count.
+
+### Maintenance (0–20)
+
+| Time since last release | Points |
+|------------------------|--------|
+| ≤ 30 days | 20 |
+| ≤ 90 days | 18 |
+| ≤ 6 months | 16 |
+| ≤ 1 year | 10 |
+| ≤ 2 years | 2 |
+| > 2 years | 0 |
+
+### Bundle Size (0–15) — npm only
+
+Uses real gzip sizes from bundlephobia, not tarball unpacked size.
+
+| Gzip size | Points |
+|-----------|--------|
+| < 5 KB | 15 |
+| < 25 KB | 12 |
+| < 50 KB | 10 |
+| < 100 KB | 10 (flagged: large) |
+| ≥ 100 KB | 0 (flagged: huge) |
+
+Non-npm packages receive 15/15.
+
+### TypeScript Support (0–10)
+
+| Support | Points |
+|---------|--------|
+| Built-in (`types`/`typings` in `package.json`) | 10 |
+| `@types/` package available | 7 |
+| No types | 0 |
+
+### License (0–15)
+
+| License | Points |
+|---------|--------|
+| MIT, Apache-2.0, BSD-*, ISC | 15 |
+| Unlicense, CC0 | 12 |
+| MPL-2.0, LGPL | 10 |
+| GPL variants | 5 |
+| Unknown / Proprietary | 0 |
+
+### Popularity (0–10)
+
+| Weekly downloads (npm) | Points |
+|------------------------|--------|
+| ≥ 1 million | 10 |
+| ≥ 100K | 8 |
+| ≥ 10K | 7 |
+| ≥ 1K | 5 |
+| ≥ 100 | 2 |
+| < 100 | 0 |
+
+### Grade Scale
+
+| Score | Grade |
+|-------|:-----:|
+| 85–100 | **A** |
+| 70–84 | **B** |
+| 50–69 | **C** |
+| 30–49 | **D** |
+| 0–29 | **F** |
+
+---
+
+## Supported Ecosystems
+
+| Ecosystem | Manifest | Data sources |
+|-----------|----------|-------------|
+| **npm** | `package.json` | npm registry · download API · bundlephobia · OSV |
+| **PyPI** | `requirements.txt` · `pyproject.toml` · `setup.py` | pypi.org · pypistats.org · OSV |
+| **Cargo** | `Cargo.toml` · `Cargo.lock` | crates.io · OSV |
+| **Go** | `go.mod` | proxy.golang.org · GitHub API · OSV |
+
+---
+
+## `--fix` — Automated Replacements
+
+`depstein --fix` rewrites `package.json` replacing 30+ known problematic packages:
+
+| Remove | Replace with | Why |
+|--------|-------------|-----|
+| `moment` | `dayjs` | 329KB → ~2KB gzip, near-identical API |
+| `request` | `got` | Officially deprecated since 2020 |
+| `node-sass` | `sass` | Official Dart Sass port |
+| `tslint` | `eslint` | Deprecated, merged into ESLint |
+| `colors` | `chalk` | Supply-chain incident |
+| `lodash` | `es-toolkit` | Native ESM, tree-shakeable, 97% smaller |
+| `uuid` | `nanoid` | Smaller, faster, cryptographically strong |
+| `faker` | `@faker-js/faker` | Community-maintained fork |
+| `cross-fetch` | `native fetch` | Node 18+ has `fetch` built-in |
+| `left-pad` | `String.prototype.padStart` | Abandoned; native in JS |
+| … and 20+ more | | |
+
+Run `npm install` after `--fix` to apply lockfile changes.
+
+---
+
+## CI / CD
+
+### GitHub Actions
+
+```yaml
+- name: Audit dependencies
+  run: npx depstein --ci --min-score 75
+```
+
+- Outputs a plain-text table of all packages with scores and issues
+- Emits `::error::` annotations on failing packages when `GITHUB_ACTIONS=true`
+- Exits with code 1 if the average score is below the threshold
+
+### Plain shell
+
+```bash
+# Fail if average drops below 70
+depstein --min-score 70 --json
+```
+
+---
+
+## Caching
+
+API responses are cached at `~/.depstein/cache.json` with a **1-hour TTL**. Repeated runs are near-instant. Cached packages are labelled `[cached]` in the detail panel. Use `--no-cache` to bypass.
+
+---
+
+## JSON Output
+
+```jsonc
+{
+  "projectPath": "/Users/you/my-app",
+  "ecosystem": "npm",
+  "averageScore": 80.4,
+  "grade": "B",
+  "totalCount": 8,
+  "criticalCount": 0,
+  "poorCount": 1,
+  "scoredDependencies": [
+    {
+      "raw": { "name": "chalk", "version": "5.3.0", "isDev": false },
+      "totalScore": 84,
+      "grade": "B",
+      "issues": ["1 vuln (LOW)"],
+      "suggestion": null,
+      "dimensions": {
+        "maintenance":   { "score": 18, "maxScore": 20, "reason": "Updated within 6 months" },
+        "popularity":    { "score": 10, "maxScore": 10, "reason": "430.9M/week" },
+        "bundleSize":    { "score": 12, "maxScore": 15, "reason": "3.1KB gzip (small)" },
+        "typescript":    { "score": 10, "maxScore": 10, "reason": "Built-in types" },
+        "license":       { "score": 15, "maxScore": 15, "reason": "MIT (permissive)" },
+        "vulnerability": { "score": 22, "maxScore": 30, "reason": "1 vuln(s), LOW" }
+      }
+    }
+  ]
+}
+```
+
+---
+
+## Architecture
+
+```
+src/
+├── index.ts                   CLI entry (Commander) — routes to TUI / JSON / CI / fix
+├── core/
+│   ├── types.ts               Shared TypeScript interfaces
+│   ├── cache.ts               Disk cache  (~/.depstein/cache.json, 1-hr TTL)
+│   ├── scanner.ts             Detects ecosystem, parses manifests + lockfiles
+│   ├── fetcher.ts             Parallel batch fetcher (10 concurrent)
+│   ├── scorer.ts              Pure scoring engine (6 dimensions → 0–100)
+│   ├── replacements.ts        30+ deprecated-package replacement database
+│   └── vulnerabilities.ts     OSV.dev API client (version-aware CVE queries)
+├── ecosystems/
+│   ├── npm.ts                 npm registry · download API · bundlephobia
+│   ├── pypi.ts                PyPI JSON API · pypistats.org
+│   ├── cargo.ts               crates.io API
+│   └── golang.ts              Go module proxy · GitHub API
+├── tui/
+│   ├── dashboard.tsx          Main Ink/React app component
+│   ├── table.tsx              Scrollable dependency table with grade colours
+│   ├── summary.tsx            Score distribution bar
+│   ├── detail.tsx             Package detail panel + replacement suggestions
+│   ├── picker.tsx             Interactive path picker (run from any directory)
+│   └── colors.ts              Grade/score colour helpers
+└── utils/
+    ├── http.ts                Fetch with retry + rate-limit backoff
+    ├── format.ts              Number formatting, relative dates, progress bars
+    └── spinner.ts             Stderr spinner for non-TUI modes
+```
+
+---
+
+## Development
+
+```bash
+git clone https://github.com/depstein/depstein
+cd depstein
+npm install
+
+# Run in dev mode against any local project
+npm run dev -- ~/projects/my-app
+
+# Build
+npm run build
+
+# Install as a global command from local build
+npm install -g .
+```
+
+---
+
+## License
+
+MIT

package/dist/core/cache.d.ts

@@ -0,0 +1,15 @@
+import type { PackageMetadata } from './types.js';
+declare class DiskCache {
+    private store;
+    private dirty;
+    constructor();
+    private load;
+    private save;
+    get(ecosystem: string, name: string): Omit<PackageMetadata, 'fromCache'> | null;
+    set(ecosystem: string, name: string, data: Omit<PackageMetadata, 'fromCache'>): void;
+    clear(): void;
+    /** Flush dirty writes at process exit */
+    flush(): void;
+}
+export declare const cache: DiskCache;
+export {};

package/dist/core/cache.js

@@ -0,0 +1,75 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+const CACHE_DIR = join(homedir(), '.depstein');
+const CACHE_FILE = join(CACHE_DIR, 'cache.json');
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
+class DiskCache {
+    store = {};
+    dirty = false;
+    constructor() {
+        this.load();
+    }
+    load() {
+        try {
+            if (existsSync(CACHE_FILE)) {
+                const raw = readFileSync(CACHE_FILE, 'utf-8');
+                this.store = JSON.parse(raw);
+            }
+        }
+        catch {
+            this.store = {};
+        }
+    }
+    save() {
+        try {
+            mkdirSync(CACHE_DIR, { recursive: true });
+            writeFileSync(CACHE_FILE, JSON.stringify(this.store, null, 2), 'utf-8');
+            this.dirty = false;
+        }
+        catch {
+            // Silently fail — cache writes are best-effort
+        }
+    }
+    get(ecosystem, name) {
+        const key = `${ecosystem}:${name}`;
+        const entry = this.store[key];
+        if (!entry)
+            return null;
+        if (Date.now() - entry.timestamp > CACHE_TTL_MS) {
+            delete this.store[key];
+            this.dirty = true;
+            return null;
+        }
+        const cached = entry.data;
+        return {
+            ...cached,
+            publishedAt: cached.publishedAt ? new Date(cached.publishedAt) : null,
+        };
+    }
+    set(ecosystem, name, data) {
+        const key = `${ecosystem}:${name}`;
+        this.store[key] = {
+            data: {
+                ...data,
+                // Serialize Date to ISO string for JSON storage
+                publishedAt: data.publishedAt ? data.publishedAt.toISOString() : null,
+            },
+            timestamp: Date.now(),
+        };
+        this.save();
+    }
+    clear() {
+        this.store = {};
+        this.save();
+    }
+    /** Flush dirty writes at process exit */
+    flush() {
+        if (this.dirty)
+            this.save();
+    }
+}
+export const cache = new DiskCache();
+// Ensure final flush on clean exit
+process.on('exit', () => cache.flush());
+//# sourceMappingURL=cache.js.map

package/dist/core/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../src/core/cache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAG7B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;AAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;AACjD,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAE9C,MAAM,SAAS;IACH,KAAK,GAAe,EAAE,CAAC;IACvB,KAAK,GAAG,KAAK,CAAC;IAEtB;QACI,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAEO,IAAI;QACR,IAAI,CAAC;YACD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBAC9C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;YAC/C,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACL,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QACpB,CAAC;IACL,CAAC;IAEO,IAAI;QACR,IAAI,CAAC;YACD,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YACxE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACL,+CAA+C;QACnD,CAAC;IACL,CAAC;IAED,GAAG,CAAC,SAAiB,EAAE,IAAY;QAC/B,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,IAAI,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,YAAY,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YAClB,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,IAAsB,CAAC;QAC5C,OAAO;YACH,GAAG,MAAM;YACT,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI;SACxE,CAAC;IACN,CAAC;IAED,GAAG,CAAC,SAAiB,EAAE,IAAY,EAAE,IAAwC;QACzE,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG;YACd,IAAI,EAAE;gBACF,GAAG,IAAI;gBACP,gDAAgD;gBAChD,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;aACtD;YACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,KAAK;QACD,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,yCAAyC;IACzC,KAAK;QACD,IAAI,IAAI,CAAC,KAAK;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;IAChC,CAAC;CACJ;AAED,MAAM,CAAC,MAAM,KAAK,GAAG,IAAI,SAAS,EAAE,CAAC;AAErC,mCAAmC;AACnC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC"}

package/dist/core/fetcher.d.ts

@@ -0,0 +1,7 @@
+import type { RawDependency, PackageMetadata } from './types.js';
+export type ProgressCallback = (done: number, total: number, current: string) => void;
+/**
+ * Fetch metadata for all dependencies in parallel batches.
+ * Never throws — individual failures are captured in metadata.fetchError.
+ */
+export declare function fetchAll(deps: RawDependency[], noCache: boolean, onProgress?: ProgressCallback): Promise<PackageMetadata[]>;

package/dist/core/fetcher.js

@@ -0,0 +1,59 @@
+import { fetchNpm } from '../ecosystems/npm.js';
+import { fetchPypi } from '../ecosystems/pypi.js';
+import { fetchCargo } from '../ecosystems/cargo.js';
+import { fetchGolang } from '../ecosystems/golang.js';
+const BATCH_SIZE = 10;
+async function fetchOne(dep, noCache) {
+    switch (dep.ecosystem) {
+        case 'npm': return fetchNpm(dep.name, dep.version, noCache);
+        case 'pypi': return fetchPypi(dep.name, dep.version, noCache);
+        case 'cargo': return fetchCargo(dep.name, dep.version, noCache);
+        case 'golang': return fetchGolang(dep.name, dep.version, noCache);
+    }
+}
+/**
+ * Fetch metadata for all dependencies in parallel batches.
+ * Never throws — individual failures are captured in metadata.fetchError.
+ */
+export async function fetchAll(deps, noCache, onProgress) {
+    let done = 0;
+    const results = new Array(deps.length);
+    for (let i = 0; i < deps.length; i += BATCH_SIZE) {
+        const batch = deps.slice(i, i + BATCH_SIZE);
+        await Promise.all(batch.map(async (dep, batchIdx) => {
+            const globalIdx = i + batchIdx;
+            onProgress?.(done, deps.length, dep.name);
+            try {
+                results[globalIdx] = await fetchOne(dep, noCache);
+            }
+            catch (err) {
+                // Defensive fallback — fetchOne should never throw, but just in case
+                results[globalIdx] = {
+                    name: dep.name,
+                    ecosystem: dep.ecosystem,
+                    latestVersion: dep.version,
+                    requestedVersion: dep.version,
+                    publishedAt: null,
+                    description: '',
+                    license: 'Unknown',
+                    repositoryUrl: null,
+                    weeklyDownloads: null,
+                    monthlyDownloads: null,
+                    totalDownloads: null,
+                    unpackedSize: null,
+                    gzipSize: null,
+                    minifiedSize: null,
+                    hasBuiltinTypes: false,
+                    hasTypesPackage: false,
+                    vulnerabilities: [],
+                    fromCache: false,
+                    fetchError: err.message,
+                };
+            }
+            done++;
+            onProgress?.(done, deps.length, dep.name);
+        }));
+    }
+    return results;
+}
+//# sourceMappingURL=fetcher.js.map

package/dist/core/fetcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetcher.js","sourceRoot":"","sources":["../../src/core/fetcher.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAGtD,MAAM,UAAU,GAAG,EAAE,CAAC;AAItB,KAAK,UAAU,QAAQ,CAAC,GAAkB,EAAE,OAAgB;IACxD,QAAQ,GAAG,CAAC,SAAS,EAAE,CAAC;QACpB,KAAK,KAAK,CAAC,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC5D,KAAK,MAAM,CAAC,CAAC,OAAO,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9D,KAAK,OAAO,CAAC,CAAC,OAAO,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChE,KAAK,QAAQ,CAAC,CAAC,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACtE,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC1B,IAAqB,EACrB,OAAgB,EAChB,UAA6B;IAE7B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,MAAM,OAAO,GAAsB,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE1D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;QAE5C,MAAM,OAAO,CAAC,GAAG,CACb,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE;YAC9B,MAAM,SAAS,GAAG,CAAC,GAAG,QAAQ,CAAC;YAC/B,UAAU,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YAE1C,IAAI,CAAC;gBACD,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACX,qEAAqE;gBACrE,OAAO,CAAC,SAAS,CAAC,GAAG;oBACjB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,aAAa,EAAE,GAAG,CAAC,OAAO;oBAC1B,gBAAgB,EAAE,GAAG,CAAC,OAAO;oBAC7B,WAAW,EAAE,IAAI;oBACjB,WAAW,EAAE,EAAE;oBACf,OAAO,EAAE,SAAS;oBAClB,aAAa,EAAE,IAAI;oBACnB,eAAe,EAAE,IAAI;oBACrB,gBAAgB,EAAE,IAAI;oBACtB,cAAc,EAAE,IAAI;oBACpB,YAAY,EAAE,IAAI;oBAClB,QAAQ,EAAE,IAAI;oBACd,YAAY,EAAE,IAAI;oBAClB,eAAe,EAAE,KAAK;oBACtB,eAAe,EAAE,KAAK;oBACtB,eAAe,EAAE,EAAE;oBACnB,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAG,GAAa,CAAC,OAAO;iBACrC,CAAC;YACN,CAAC;YAED,IAAI,EAAE,CAAC;YACP,UAAU,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,CACL,CAAC;IACN,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC"}

package/dist/core/replacements.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Curated replacement suggestions for common problematic npm packages.
+ *
+ * savesKbGzip: approximate bundle size reduction in KB (gzip) vs the original.
+ *   null = can't be meaningfully compared (CLI-only tool, Node built-in, etc.)
+ * approxScore: rough health score for the alternative (used for display only).
+ * replacement: actual npm package name for --fix. null for native JS alternatives.
+ */
+export interface PackageAlternative {
+    name: string | null;
+    label: string;
+    replacement: string | null;
+    reason: string;
+    savesKbGzip: number | null;
+    approxScore: number;
+}
+export interface ReplacementEntry {
+    alternatives: PackageAlternative[];
+}
+export declare const REPLACEMENTS: Record<string, ReplacementEntry>;
+/**
+ * Returns the replacement info for a package, or null if none is known.
+ */
+export declare function getReplacements(name: string): PackageAlternative[] | null;
+/**
+ * Returns the label of the first/best replacement (for summary display).
+ */
+export declare function getSuggestedLabel(name: string): string | null;
+/**
+ * Returns the npm package name for the best replacement (for --fix).
+ */
+export declare function getBestReplacementPackage(name: string): string | null;