npm - npm-audit-report-cli - Versions diffs - 1.0.0 - Mend

npm-audit-report-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/cli.cjs ADDED Viewed

@@ -0,0 +1,760 @@
+#!/usr/bin/env node
+"use strict";
+// src/cli.ts
+var import_node_fs = require("fs");
+// src/parse.ts
+var ParseError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ParseError";
+  }
+};
+var VALID_SEVERITIES = ["critical", "high", "moderate", "low", "info"];
+function normalizeSeverity(value) {
+  if (typeof value === "string" && VALID_SEVERITIES.includes(value)) {
+    return value;
+  }
+  return "info";
+}
+function buildSummary(vulns, metaCounts) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    info: 0,
+    total: 0
+  };
+  for (const v of vulns) {
+    summary[v.severity] += 1;
+    summary.total += 1;
+  }
+  if (metaCounts && summary.total === 0) {
+    return {
+      critical: metaCounts.critical ?? 0,
+      high: metaCounts.high ?? 0,
+      moderate: metaCounts.moderate ?? 0,
+      low: metaCounts.low ?? 0,
+      info: metaCounts.info ?? 0,
+      total: metaCounts.total ?? (metaCounts.critical ?? 0) + (metaCounts.high ?? 0) + (metaCounts.moderate ?? 0) + (metaCounts.low ?? 0) + (metaCounts.info ?? 0)
+    };
+  }
+  return summary;
+}
+function buildMeta(raw) {
+  const totalDependencies = raw && typeof raw["totalDependencies"] === "number" ? raw["totalDependencies"] : 0;
+  return {
+    npmVersion: "",
+    nodeVersion: typeof process !== "undefined" && process.version ? process.version : "",
+    auditedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    totalDependencies
+  };
+}
+function parseV1(data) {
+  const advisories = data["advisories"] ?? {};
+  const vulns = [];
+  for (const key of Object.keys(advisories)) {
+    const adv = advisories[key];
+    if (!adv) continue;
+    const cves = Array.isArray(adv["cves"]) ? adv["cves"] : [];
+    const firstCve = cves.length > 0 ? cves[0] : void 0;
+    const advisoryId = adv["id"];
+    const idStr = firstCve ?? (typeof advisoryId === "number" || typeof advisoryId === "string" ? `npm-advisory-${String(advisoryId)}` : `npm-advisory-${key}`);
+    const findings = Array.isArray(adv["findings"]) ? adv["findings"] : [];
+    const paths = [];
+    for (const f of findings) {
+      const p = f["paths"];
+      if (Array.isArray(p)) {
+        for (const path of p) {
+          if (typeof path === "string") paths.push(path);
+        }
+      }
+    }
+    const fixAvailable = adv["fixAvailable"] === true;
+    const name = typeof adv["module_name"] === "string" ? adv["module_name"] : typeof adv["name"] === "string" ? adv["name"] : paths[0] ?? "unknown";
+    const range = typeof adv["vulnerable_versions"] === "string" ? adv["vulnerable_versions"] : "*";
+    const patched = typeof adv["patched_versions"] === "string" ? adv["patched_versions"] : void 0;
+    const vuln = {
+      id: idStr,
+      name,
+      severity: normalizeSeverity(adv["severity"]),
+      title: typeof adv["title"] === "string" ? adv["title"] : "Unknown vulnerability",
+      url: typeof adv["url"] === "string" ? adv["url"] : "",
+      range,
+      fixAvailable,
+      paths
+    };
+    if (fixAvailable && patched && patched !== "<0.0.0") {
+      vuln.fixCommand = `npm install ${name}@${patched}`;
+    } else if (fixAvailable) {
+      vuln.fixCommand = `npm audit fix`;
+    }
+    vulns.push(vuln);
+  }
+  const metadata = data["metadata"] ?? {};
+  const metaCounts = metadata["vulnerabilities"] ?? void 0;
+  return {
+    meta: buildMeta(metadata),
+    summary: buildSummary(vulns, metaCounts),
+    vulnerabilities: vulns
+  };
+}
+function parseV2(data) {
+  const vulnsRaw = data["vulnerabilities"] ?? {};
+  const vulns = [];
+  for (const name of Object.keys(vulnsRaw)) {
+    const entry = vulnsRaw[name];
+    if (!entry) continue;
+    const via = Array.isArray(entry["via"]) ? entry["via"] : [];
+    let title = "Unknown vulnerability";
+    let url = "";
+    let range = typeof entry["range"] === "string" ? entry["range"] : "*";
+    let id = `npm:${name}`;
+    for (const v of via) {
+      if (typeof v === "object" && v !== null) {
+        if (typeof v["title"] === "string") title = v["title"];
+        if (typeof v["url"] === "string") url = v["url"];
+        if (typeof v["range"] === "string") range = v["range"];
+        if (typeof v["source"] === "number" || typeof v["source"] === "string") {
+          id = `GHSA-${String(v["source"])}`;
+        }
+        break;
+      }
+    }
+    const fix = entry["fixAvailable"];
+    let fixAvailable = false;
+    let fixCommand;
+    if (fix === true) {
+      fixAvailable = true;
+      fixCommand = `npm audit fix`;
+    } else if (typeof fix === "object" && fix !== null) {
+      fixAvailable = true;
+      const fixObj = fix;
+      const fixName = typeof fixObj["name"] === "string" ? fixObj["name"] : name;
+      const fixVersion = typeof fixObj["version"] === "string" ? fixObj["version"] : void 0;
+      if (fixVersion) {
+        fixCommand = `npm install ${fixName}@${fixVersion}`;
+      } else {
+        fixCommand = `npm audit fix`;
+      }
+      const isSemVerMajor = fixObj["isSemVerMajor"] === true;
+      if (isSemVerMajor) {
+        fixCommand = `npm audit fix --force`;
+      }
+    }
+    const nodes = Array.isArray(entry["nodes"]) ? entry["nodes"] : [];
+    const vuln = {
+      id,
+      name: typeof entry["name"] === "string" ? entry["name"] : name,
+      severity: normalizeSeverity(entry["severity"]),
+      title,
+      url,
+      range,
+      fixAvailable,
+      paths: nodes.filter((n) => typeof n === "string")
+    };
+    if (fixCommand) vuln.fixCommand = fixCommand;
+    vulns.push(vuln);
+  }
+  const metadata = data["metadata"] ?? {};
+  const metaCounts = metadata["vulnerabilities"] ?? void 0;
+  return {
+    meta: buildMeta(metadata),
+    summary: buildSummary(vulns, metaCounts),
+    vulnerabilities: vulns
+  };
+}
+function looksLikeV2(data) {
+  const v = data["vulnerabilities"];
+  if (typeof v !== "object" || v === null) return false;
+  return !Array.isArray(v);
+}
+function looksLikeV1(data) {
+  return typeof data["advisories"] === "object" && data["advisories"] !== null;
+}
+function parse(input) {
+  let data;
+  try {
+    data = JSON.parse(input);
+  } catch {
+    throw new ParseError("Invalid JSON input");
+  }
+  if (typeof data !== "object" || data === null || Array.isArray(data)) {
+    throw new ParseError("Unrecognized npm audit schema");
+  }
+  const obj = data;
+  const version = obj["auditReportVersion"];
+  if (version === 1) return parseV1(obj);
+  if (version === 2) return parseV2(obj);
+  if (looksLikeV2(obj)) return parseV2(obj);
+  if (looksLikeV1(obj)) return parseV1(obj);
+  throw new ParseError("Unrecognized npm audit schema");
+}
+// src/threshold.ts
+var SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];
+function meetsThreshold(severity, threshold) {
+  return SEVERITY_ORDER.indexOf(severity) >= SEVERITY_ORDER.indexOf(threshold);
+}
+function shouldFail(report, failOn) {
+  if (failOn === "none") return false;
+  return report.vulnerabilities.some((v) => meetsThreshold(v.severity, failOn));
+}
+function filterBySeverity(vulns, minSeverity) {
+  return vulns.filter((v) => meetsThreshold(v.severity, minSeverity));
+}
+// src/formatters/markdown.ts
+var SEVERITY_ORDER2 = ["critical", "high", "moderate", "low", "info"];
+var SEVERITY_EMOJI = {
+  critical: "\u{1F534}",
+  high: "\u{1F7E0}",
+  moderate: "\u{1F7E1}",
+  low: "\u{1F535}",
+  info: "\u26AA"
+};
+var SEVERITY_LABEL = {
+  critical: "Critical",
+  high: "High",
+  moderate: "Moderate",
+  low: "Low",
+  info: "Info"
+};
+function countBySeverity(vulns) {
+  const result = {
+    critical: { count: 0, fixable: 0 },
+    high: { count: 0, fixable: 0 },
+    moderate: { count: 0, fixable: 0 },
+    low: { count: 0, fixable: 0 },
+    info: { count: 0, fixable: 0 }
+  };
+  for (const v of vulns) {
+    result[v.severity].count += 1;
+    if (v.fixAvailable) result[v.severity].fixable += 1;
+  }
+  return result;
+}
+function renderVulnerability(v) {
+  const lines = [];
+  lines.push(`### ${v.name}`);
+  lines.push(`- **ID:** ${v.id}`);
+  lines.push(`- **Title:** ${v.title}`);
+  lines.push(`- **Range:** \`${v.range}\``);
+  if (v.fixAvailable && v.fixCommand) {
+    lines.push(`- **Fix:** \`${v.fixCommand}\``);
+  } else {
+    lines.push(`- **Fix:** No fix available`);
+  }
+  if (v.url) lines.push(`- **Advisory:** ${v.url}`);
+  if (v.paths.length > 0) lines.push(`- **Paths:** \`${v.paths.join(", ")}\``);
+  return lines.join("\n");
+}
+function markdown(report, opts = {}) {
+  const title = opts.title ?? "npm audit report";
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report.vulnerabilities, minSeverity);
+  const out = [];
+  out.push(`## ${title}`);
+  out.push("");
+  if (filtered.length === 0) {
+    out.push(`## \u2705 No vulnerabilities found`);
+    out.push("");
+    const date2 = report.meta.auditedAt ? report.meta.auditedAt.slice(0, 10) : "";
+    out.push(
+      `> 0 vulnerabilities found \xB7 audited ${date2} \xB7 ${report.meta.totalDependencies} dependencies`
+    );
+    out.push("");
+    out.push(`---`);
+    out.push(`*Generated by [audit-report](https://github.com/dimasdarfi/audit-report)*`);
+    return out.join("\n");
+  }
+  const date = report.meta.auditedAt ? report.meta.auditedAt.slice(0, 10) : "";
+  out.push(
+    `> ${filtered.length} vulnerabilities found \xB7 audited ${date} \xB7 ${report.meta.totalDependencies} dependencies`
+  );
+  out.push("");
+  const counts = countBySeverity(filtered);
+  out.push(`| Severity | Count | Fixable |`);
+  out.push(`|----------|-------|---------|`);
+  for (const sev of SEVERITY_ORDER2) {
+    const c = counts[sev];
+    if (c.count === 0) continue;
+    out.push(`| ${SEVERITY_EMOJI[sev]} ${SEVERITY_LABEL[sev]} | ${c.count} | ${c.fixable} |`);
+  }
+  out.push("");
+  out.push("---");
+  out.push("");
+  for (const sev of SEVERITY_ORDER2) {
+    const group = filtered.filter((v) => v.severity === sev);
+    if (group.length === 0) continue;
+    out.push(`<details>`);
+    out.push(`<summary>${SEVERITY_EMOJI[sev]} ${SEVERITY_LABEL[sev]} (${group.length})</summary>`);
+    out.push("");
+    for (const v of group) {
+      out.push(renderVulnerability(v));
+      out.push("");
+    }
+    out.push(`</details>`);
+    out.push("");
+  }
+  out.push("---");
+  out.push(`*Generated by [audit-report](https://github.com/dimasdarfi/audit-report)*`);
+  return out.join("\n");
+}
+// src/formatters/html.ts
+var SEVERITY_ORDER3 = ["critical", "high", "moderate", "low", "info"];
+var SEVERITY_COLOR = {
+  critical: "#fee2e2",
+  high: "#ffedd5",
+  moderate: "#fef9c3",
+  low: "#dbeafe",
+  info: "#f0fdf4"
+};
+var SEVERITY_LABEL2 = {
+  critical: "Critical",
+  high: "High",
+  moderate: "Moderate",
+  low: "Low",
+  info: "Info"
+};
+var SEVERITY_RANK = {
+  critical: 5,
+  high: 4,
+  moderate: 3,
+  low: 2,
+  info: 1
+};
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function countBySeverity2(vulns) {
+  const r = { critical: 0, high: 0, moderate: 0, low: 0, info: 0 };
+  for (const v of vulns) r[v.severity] += 1;
+  return r;
+}
+function html(report, opts = {}) {
+  const title = opts.title ?? "npm audit report";
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report.vulnerabilities, minSeverity);
+  const date = report.meta.auditedAt ? report.meta.auditedAt.slice(0, 10) : "";
+  const styles = `
+    * { box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; margin: 0; padding: 2rem; color: #1f2937; background: #f9fafb; }
+    .container { max-width: 1100px; margin: 0 auto; background: #ffffff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.06); padding: 2rem; }
+    h1 { margin: 0 0 0.5rem; font-size: 1.6rem; }
+    .meta { color: #6b7280; font-size: 0.9rem; margin-bottom: 1.5rem; }
+    table { width: 100%; border-collapse: collapse; margin-bottom: 1.5rem; font-size: 0.95rem; }
+    th, td { padding: 0.6rem 0.75rem; text-align: left; border-bottom: 1px solid #e5e7eb; }
+    th { background: #f3f4f6; cursor: pointer; user-select: none; font-weight: 600; }
+    th[data-sort] .arrow { color: #9ca3af; font-size: 0.75rem; margin-left: 0.25rem; }
+    th.sorted-asc .arrow::after { content: " \u25B2"; color: #1f2937; }
+    th.sorted-desc .arrow::after { content: " \u25BC"; color: #1f2937; }
+    tr.sev-critical { background: ${SEVERITY_COLOR.critical}; }
+    tr.sev-high { background: ${SEVERITY_COLOR.high}; }
+    tr.sev-moderate { background: ${SEVERITY_COLOR.moderate}; }
+    tr.sev-low { background: ${SEVERITY_COLOR.low}; }
+    tr.sev-info { background: ${SEVERITY_COLOR.info}; }
+    details { margin-bottom: 0.5rem; }
+    summary { cursor: pointer; padding: 0.4rem 0; font-weight: 600; }
+    .badge { display: inline-block; padding: 0.15rem 0.55rem; border-radius: 999px; font-size: 0.75rem; font-weight: 600; text-transform: uppercase; }
+    .badge-critical { background: #dc2626; color: white; }
+    .badge-high { background: #ea580c; color: white; }
+    .badge-moderate { background: #ca8a04; color: white; }
+    .badge-low { background: #2563eb; color: white; }
+    .badge-info { background: #16a34a; color: white; }
+    code { background: #f3f4f6; padding: 0.1rem 0.3rem; border-radius: 4px; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, monospace; font-size: 0.85rem; }
+    .empty { padding: 2rem; text-align: center; color: #6b7280; }
+    .empty-icon { font-size: 3rem; }
+    .summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(120px, 1fr)); gap: 0.75rem; margin-bottom: 1.5rem; }
+    .summary-card { padding: 0.85rem; border-radius: 6px; border: 1px solid #e5e7eb; }
+    .summary-card .label { font-size: 0.75rem; text-transform: uppercase; color: #6b7280; font-weight: 600; letter-spacing: 0.03em; }
+    .summary-card .value { font-size: 1.4rem; font-weight: 700; margin-top: 0.15rem; }
+    footer { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid #e5e7eb; color: #6b7280; font-size: 0.85rem; text-align: center; }
+    @media print {
+      body { background: white; padding: 0; }
+      .container { box-shadow: none; padding: 0; }
+      th { cursor: default; }
+      th .arrow { display: none; }
+      details { break-inside: avoid; }
+      details[open] summary { display: list-item; }
+    }
+  `;
+  const counts = countBySeverity2(filtered);
+  let body = "";
+  if (filtered.length === 0) {
+    body = `<div class="empty"><div class="empty-icon">\u2705</div><h2>No vulnerabilities found</h2><p>Audited ${report.meta.totalDependencies} dependencies</p></div>`;
+  } else {
+    const summaryCards = SEVERITY_ORDER3.map((sev) => {
+      const c = counts[sev];
+      return `<div class="summary-card" style="background:${SEVERITY_COLOR[sev]}"><div class="label">${SEVERITY_LABEL2[sev]}</div><div class="value">${c}</div></div>`;
+    }).join("");
+    const rows = filtered.map((v) => {
+      const fix = v.fixAvailable && v.fixCommand ? `<code>${escapeHtml(v.fixCommand)}</code>` : "No fix";
+      return `<tr class="sev-${v.severity}" data-severity="${SEVERITY_RANK[v.severity]}" data-name="${escapeHtml(v.name)}">
+          <td><span class="badge badge-${v.severity}">${SEVERITY_LABEL2[v.severity]}</span></td>
+          <td><strong>${escapeHtml(v.name)}</strong></td>
+          <td>${escapeHtml(v.title)}</td>
+          <td><code>${escapeHtml(v.range)}</code></td>
+          <td>${fix}</td>
+        </tr>`;
+    }).join("\n");
+    body = `
+      <div class="summary-grid">${summaryCards}</div>
+      <table id="vuln-table">
+        <thead>
+          <tr>
+            <th data-sort="severity">Severity<span class="arrow"></span></th>
+            <th data-sort="name">Package<span class="arrow"></span></th>
+            <th data-sort="title">Title<span class="arrow"></span></th>
+            <th data-sort="range">Range<span class="arrow"></span></th>
+            <th data-sort="fix">Fix<span class="arrow"></span></th>
+          </tr>
+        </thead>
+        <tbody>
+${rows}
+        </tbody>
+      </table>
+    `;
+  }
+  const sortScript = `
+    (function(){
+      var table = document.getElementById('vuln-table');
+      if (!table) return;
+      var headers = table.querySelectorAll('th[data-sort]');
+      headers.forEach(function(h, idx){
+        h.addEventListener('click', function(){
+          var asc = !h.classList.contains('sorted-asc');
+          headers.forEach(function(other){ other.classList.remove('sorted-asc','sorted-desc'); });
+          h.classList.add(asc ? 'sorted-asc' : 'sorted-desc');
+          var tbody = table.querySelector('tbody');
+          var rows = Array.prototype.slice.call(tbody.querySelectorAll('tr'));
+          rows.sort(function(a, b){
+            var key = h.getAttribute('data-sort');
+            var av, bv;
+            if (key === 'severity') {
+              av = parseInt(a.getAttribute('data-severity'), 10);
+              bv = parseInt(b.getAttribute('data-severity'), 10);
+            } else {
+              av = a.children[idx].textContent.trim().toLowerCase();
+              bv = b.children[idx].textContent.trim().toLowerCase();
+            }
+            if (av < bv) return asc ? -1 : 1;
+            if (av > bv) return asc ? 1 : -1;
+            return 0;
+          });
+          rows.forEach(function(r){ tbody.appendChild(r); });
+        });
+      });
+    })();
+  `;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>${escapeHtml(title)} \u2014 ${escapeHtml(date)}</title>
+<style>${styles}</style>
+</head>
+<body>
+<div class="container">
+  <h1>${escapeHtml(title)}</h1>
+  <div class="meta">Audited ${escapeHtml(date)} \xB7 ${report.meta.totalDependencies} dependencies \xB7 ${filtered.length} vulnerabilities</div>
+  ${body}
+  <footer>Generated by audit-report</footer>
+</div>
+<script>${sortScript}</script>
+</body>
+</html>`;
+}
+// src/formatters/sarif.ts
+function severityToLevel(s) {
+  if (s === "critical" || s === "high") return "error";
+  if (s === "moderate") return "warning";
+  return "note";
+}
+function sarif(report, opts = {}) {
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report.vulnerabilities, minSeverity);
+  const rulesMap = /* @__PURE__ */ new Map();
+  for (const v of filtered) {
+    if (!rulesMap.has(v.id)) {
+      const rule = {
+        id: v.id,
+        name: v.name,
+        shortDescription: { text: v.title },
+        properties: { severity: v.severity }
+      };
+      if (v.url) rule.helpUri = v.url;
+      rulesMap.set(v.id, rule);
+    }
+  }
+  const results = filtered.map((v) => {
+    const fixText = v.fixAvailable && v.fixCommand ? `Fix: ${v.fixCommand}` : "No fix available.";
+    const messageText = `${v.title}. Affected range: ${v.range}. ${fixText}`;
+    return {
+      ruleId: v.id,
+      level: severityToLevel(v.severity),
+      message: { text: messageText },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: "package.json" }
+          }
+        }
+      ]
+    };
+  });
+  const doc = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "npm-audit",
+            version: report.meta.npmVersion || "0.0.0",
+            informationUri: "https://docs.npmjs.com/cli/commands/npm-audit",
+            rules: Array.from(rulesMap.values())
+          }
+        },
+        results
+      }
+    ]
+  };
+  return JSON.stringify(doc, null, 2);
+}
+// src/formatters/annotations.ts
+function severityToAnnotation(s) {
+  if (s === "critical" || s === "high") return "error";
+  if (s === "moderate") return "warning";
+  return "notice";
+}
+function escapeAnnotation(s) {
+  return s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
+}
+function escapeProperty(s) {
+  return escapeAnnotation(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
+}
+function annotations(report, opts = {}) {
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report.vulnerabilities, minSeverity);
+  const lines = filtered.map((v) => {
+    const level = severityToAnnotation(v.severity);
+    const fixPart = v.fixAvailable && v.fixCommand ? `fix: ${v.fixCommand}` : "no fix";
+    const message = `${v.name} \u2014 ${v.title}, affected: ${v.range} (${fixPart})`;
+    const titleProp = escapeProperty(v.id);
+    return `::${level} file=package.json,title=${titleProp}::${escapeAnnotation(message)}`;
+  });
+  return lines.join("\n");
+}
+// src/formatters/index.ts
+function format(report, opts = {}) {
+  const fmt = opts.format ?? "markdown";
+  switch (fmt) {
+    case "markdown":
+      return markdown(report, opts);
+    case "html":
+      return html(report, opts);
+    case "sarif":
+      return sarif(report, opts);
+    case "annotations":
+      return annotations(report, opts);
+    default:
+      throw new Error(`Unknown format: ${String(fmt)}`);
+  }
+}
+// src/cli.ts
+var VERSION = "1.0.0";
+var VALID_FORMATS = ["markdown", "html", "sarif", "annotations"];
+var VALID_SEVERITIES2 = ["critical", "high", "moderate", "low", "info"];
+var VALID_FAIL_ON = ["critical", "high", "moderate", "low", "info", "none"];
+function printHelp() {
+  const help = `audit-report v${VERSION}
+Convert npm audit JSON to Markdown, HTML, SARIF, or GitHub annotations.
+Usage:
+  npm audit --json | audit-report [options]
+  audit-report --file audit.json [options]
+Options:
+  -f, --format <fmt>       Output format: markdown|html|sarif|annotations (default: markdown)
+  -o, --output <path>      Write to file instead of stdout
+  -s, --severity <sev>     Minimum severity to include: critical|high|moderate|low|info (default: low)
+      --fail-on <sev>      Exit 1 if findings at/above this severity: critical|high|moderate|low|info|none (default: high)
+      --file <path>        Read audit JSON from file (default: stdin)
+      --title <text>       Report title (default: "npm audit report")
+      --template <path>    Custom markdown template (reserved; not yet implemented)
+      --no-color           Disable colored output (no-op)
+  -q, --quiet              Suppress non-essential stderr output
+  -v, --version            Print version and exit
+  -h, --help               Print this help and exit
+Exit codes:
+  0  success, no findings at/above --fail-on threshold
+  1  findings at/above --fail-on threshold
+  2  invalid input (bad JSON, unrecognized schema)
+  3  --file not found
+`;
+  process.stdout.write(help);
+}
+function isFormat(s) {
+  return VALID_FORMATS.includes(s);
+}
+function isSeverity(s) {
+  return VALID_SEVERITIES2.includes(s);
+}
+function isFailOn(s) {
+  return VALID_FAIL_ON.includes(s);
+}
+function fail(msg, code) {
+  process.stderr.write(`audit-report: ${msg}
+`);
+  process.exit(code);
+}
+function parseArgs(argv) {
+  const args = {
+    format: "markdown",
+    severity: "low",
+    failOn: "high",
+    title: "npm audit report",
+    quiet: false
+  };
+  const take = (i, flag) => {
+    const v = argv[i + 1];
+    if (v === void 0 || v.startsWith("-")) fail(`missing value for ${flag}`, 2);
+    return v;
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === void 0) continue;
+    switch (a) {
+      case "-h":
+      case "--help":
+        printHelp();
+        process.exit(0);
+        break;
+      case "-v":
+      case "--version":
+        process.stdout.write(`${VERSION}
+`);
+        process.exit(0);
+        break;
+      case "-f":
+      case "--format": {
+        const v = take(i, a);
+        if (!isFormat(v)) fail(`invalid format: ${v}`, 2);
+        args.format = v;
+        i++;
+        break;
+      }
+      case "-o":
+      case "--output":
+        args.output = take(i, a);
+        i++;
+        break;
+      case "-s":
+      case "--severity": {
+        const v = take(i, a);
+        if (!isSeverity(v)) fail(`invalid severity: ${v}`, 2);
+        args.severity = v;
+        i++;
+        break;
+      }
+      case "--fail-on": {
+        const v = take(i, a);
+        if (!isFailOn(v)) fail(`invalid fail-on: ${v}`, 2);
+        args.failOn = v;
+        i++;
+        break;
+      }
+      case "--file":
+        args.file = take(i, a);
+        i++;
+        break;
+      case "--title":
+        args.title = take(i, a);
+        i++;
+        break;
+      case "--template":
+        args.template = take(i, a);
+        i++;
+        break;
+      case "--no-color":
+        break;
+      case "-q":
+      case "--quiet":
+        args.quiet = true;
+        break;
+      default:
+        fail(`unknown argument: ${a}`, 2);
+    }
+  }
+  return args;
+}
+async function readStdin() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  let input;
+  if (args.file) {
+    if (!(0, import_node_fs.existsSync)(args.file)) fail(`file not found: ${args.file}`, 3);
+    try {
+      input = (0, import_node_fs.readFileSync)(args.file, "utf8");
+    } catch (e) {
+      fail(`could not read file: ${args.file}`, 3);
+    }
+  } else {
+    if (process.stdin.isTTY) {
+      fail(
+        "no input. Pipe `npm audit --json` to this command or use --file <path>. Run with --help for usage.",
+        1
+      );
+    }
+    input = await readStdin();
+  }
+  let report;
+  try {
+    report = parse(input);
+  } catch (e) {
+    const msg = e instanceof ParseError ? e.message : "failed to parse input";
+    fail(msg, 2);
+  }
+  if (args.template && !args.quiet) {
+    process.stderr.write("audit-report: --template is reserved for future use and is being ignored\n");
+  }
+  const opts = {
+    format: args.format,
+    severity: args.severity,
+    failOn: args.failOn,
+    title: args.title
+  };
+  const output = format(report, opts);
+  if (args.output) {
+    (0, import_node_fs.writeFileSync)(args.output, output, "utf8");
+  } else {
+    process.stdout.write(output);
+    if (!output.endsWith("\n")) process.stdout.write("\n");
+  }
+  if (shouldFail(report, args.failOn)) {
+    process.exit(1);
+  }
+  process.exit(0);
+}
+main().catch((e) => {
+  process.stderr.write(`audit-report: ${e instanceof Error ? e.message : String(e)}
+`);
+  process.exit(2);
+});