npm-audit-report-cli 1.0.0

package/dist/index.cjs

@@ -0,0 +1,613 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  ParseError: () => ParseError,
+  filterBySeverity: () => filterBySeverity,
+  format: () => format,
+  meetsThreshold: () => meetsThreshold,
+  parse: () => parse,
+  report: () => report,
+  shouldFail: () => shouldFail
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/parse.ts
+var ParseError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ParseError";
+  }
+};
+var VALID_SEVERITIES = ["critical", "high", "moderate", "low", "info"];
+function normalizeSeverity(value) {
+  if (typeof value === "string" && VALID_SEVERITIES.includes(value)) {
+    return value;
+  }
+  return "info";
+}
+function buildSummary(vulns, metaCounts) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    info: 0,
+    total: 0
+  };
+  for (const v of vulns) {
+    summary[v.severity] += 1;
+    summary.total += 1;
+  }
+  if (metaCounts && summary.total === 0) {
+    return {
+      critical: metaCounts.critical ?? 0,
+      high: metaCounts.high ?? 0,
+      moderate: metaCounts.moderate ?? 0,
+      low: metaCounts.low ?? 0,
+      info: metaCounts.info ?? 0,
+      total: metaCounts.total ?? (metaCounts.critical ?? 0) + (metaCounts.high ?? 0) + (metaCounts.moderate ?? 0) + (metaCounts.low ?? 0) + (metaCounts.info ?? 0)
+    };
+  }
+  return summary;
+}
+function buildMeta(raw) {
+  const totalDependencies = raw && typeof raw["totalDependencies"] === "number" ? raw["totalDependencies"] : 0;
+  return {
+    npmVersion: "",
+    nodeVersion: typeof process !== "undefined" && process.version ? process.version : "",
+    auditedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    totalDependencies
+  };
+}
+function parseV1(data) {
+  const advisories = data["advisories"] ?? {};
+  const vulns = [];
+  for (const key of Object.keys(advisories)) {
+    const adv = advisories[key];
+    if (!adv) continue;
+    const cves = Array.isArray(adv["cves"]) ? adv["cves"] : [];
+    const firstCve = cves.length > 0 ? cves[0] : void 0;
+    const advisoryId = adv["id"];
+    const idStr = firstCve ?? (typeof advisoryId === "number" || typeof advisoryId === "string" ? `npm-advisory-${String(advisoryId)}` : `npm-advisory-${key}`);
+    const findings = Array.isArray(adv["findings"]) ? adv["findings"] : [];
+    const paths = [];
+    for (const f of findings) {
+      const p = f["paths"];
+      if (Array.isArray(p)) {
+        for (const path of p) {
+          if (typeof path === "string") paths.push(path);
+        }
+      }
+    }
+    const fixAvailable = adv["fixAvailable"] === true;
+    const name = typeof adv["module_name"] === "string" ? adv["module_name"] : typeof adv["name"] === "string" ? adv["name"] : paths[0] ?? "unknown";
+    const range = typeof adv["vulnerable_versions"] === "string" ? adv["vulnerable_versions"] : "*";
+    const patched = typeof adv["patched_versions"] === "string" ? adv["patched_versions"] : void 0;
+    const vuln = {
+      id: idStr,
+      name,
+      severity: normalizeSeverity(adv["severity"]),
+      title: typeof adv["title"] === "string" ? adv["title"] : "Unknown vulnerability",
+      url: typeof adv["url"] === "string" ? adv["url"] : "",
+      range,
+      fixAvailable,
+      paths
+    };
+    if (fixAvailable && patched && patched !== "<0.0.0") {
+      vuln.fixCommand = `npm install ${name}@${patched}`;
+    } else if (fixAvailable) {
+      vuln.fixCommand = `npm audit fix`;
+    }
+    vulns.push(vuln);
+  }
+  const metadata = data["metadata"] ?? {};
+  const metaCounts = metadata["vulnerabilities"] ?? void 0;
+  return {
+    meta: buildMeta(metadata),
+    summary: buildSummary(vulns, metaCounts),
+    vulnerabilities: vulns
+  };
+}
+function parseV2(data) {
+  const vulnsRaw = data["vulnerabilities"] ?? {};
+  const vulns = [];
+  for (const name of Object.keys(vulnsRaw)) {
+    const entry = vulnsRaw[name];
+    if (!entry) continue;
+    const via = Array.isArray(entry["via"]) ? entry["via"] : [];
+    let title = "Unknown vulnerability";
+    let url = "";
+    let range = typeof entry["range"] === "string" ? entry["range"] : "*";
+    let id = `npm:${name}`;
+    for (const v of via) {
+      if (typeof v === "object" && v !== null) {
+        if (typeof v["title"] === "string") title = v["title"];
+        if (typeof v["url"] === "string") url = v["url"];
+        if (typeof v["range"] === "string") range = v["range"];
+        if (typeof v["source"] === "number" || typeof v["source"] === "string") {
+          id = `GHSA-${String(v["source"])}`;
+        }
+        break;
+      }
+    }
+    const fix = entry["fixAvailable"];
+    let fixAvailable = false;
+    let fixCommand;
+    if (fix === true) {
+      fixAvailable = true;
+      fixCommand = `npm audit fix`;
+    } else if (typeof fix === "object" && fix !== null) {
+      fixAvailable = true;
+      const fixObj = fix;
+      const fixName = typeof fixObj["name"] === "string" ? fixObj["name"] : name;
+      const fixVersion = typeof fixObj["version"] === "string" ? fixObj["version"] : void 0;
+      if (fixVersion) {
+        fixCommand = `npm install ${fixName}@${fixVersion}`;
+      } else {
+        fixCommand = `npm audit fix`;
+      }
+      const isSemVerMajor = fixObj["isSemVerMajor"] === true;
+      if (isSemVerMajor) {
+        fixCommand = `npm audit fix --force`;
+      }
+    }
+    const nodes = Array.isArray(entry["nodes"]) ? entry["nodes"] : [];
+    const vuln = {
+      id,
+      name: typeof entry["name"] === "string" ? entry["name"] : name,
+      severity: normalizeSeverity(entry["severity"]),
+      title,
+      url,
+      range,
+      fixAvailable,
+      paths: nodes.filter((n) => typeof n === "string")
+    };
+    if (fixCommand) vuln.fixCommand = fixCommand;
+    vulns.push(vuln);
+  }
+  const metadata = data["metadata"] ?? {};
+  const metaCounts = metadata["vulnerabilities"] ?? void 0;
+  return {
+    meta: buildMeta(metadata),
+    summary: buildSummary(vulns, metaCounts),
+    vulnerabilities: vulns
+  };
+}
+function looksLikeV2(data) {
+  const v = data["vulnerabilities"];
+  if (typeof v !== "object" || v === null) return false;
+  return !Array.isArray(v);
+}
+function looksLikeV1(data) {
+  return typeof data["advisories"] === "object" && data["advisories"] !== null;
+}
+function parse(input) {
+  let data;
+  try {
+    data = JSON.parse(input);
+  } catch {
+    throw new ParseError("Invalid JSON input");
+  }
+  if (typeof data !== "object" || data === null || Array.isArray(data)) {
+    throw new ParseError("Unrecognized npm audit schema");
+  }
+  const obj = data;
+  const version = obj["auditReportVersion"];
+  if (version === 1) return parseV1(obj);
+  if (version === 2) return parseV2(obj);
+  if (looksLikeV2(obj)) return parseV2(obj);
+  if (looksLikeV1(obj)) return parseV1(obj);
+  throw new ParseError("Unrecognized npm audit schema");
+}
+
+// src/threshold.ts
+var SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];
+function meetsThreshold(severity, threshold) {
+  return SEVERITY_ORDER.indexOf(severity) >= SEVERITY_ORDER.indexOf(threshold);
+}
+function shouldFail(report2, failOn) {
+  if (failOn === "none") return false;
+  return report2.vulnerabilities.some((v) => meetsThreshold(v.severity, failOn));
+}
+function filterBySeverity(vulns, minSeverity) {
+  return vulns.filter((v) => meetsThreshold(v.severity, minSeverity));
+}
+
+// src/formatters/markdown.ts
+var SEVERITY_ORDER2 = ["critical", "high", "moderate", "low", "info"];
+var SEVERITY_EMOJI = {
+  critical: "\u{1F534}",
+  high: "\u{1F7E0}",
+  moderate: "\u{1F7E1}",
+  low: "\u{1F535}",
+  info: "\u26AA"
+};
+var SEVERITY_LABEL = {
+  critical: "Critical",
+  high: "High",
+  moderate: "Moderate",
+  low: "Low",
+  info: "Info"
+};
+function countBySeverity(vulns) {
+  const result = {
+    critical: { count: 0, fixable: 0 },
+    high: { count: 0, fixable: 0 },
+    moderate: { count: 0, fixable: 0 },
+    low: { count: 0, fixable: 0 },
+    info: { count: 0, fixable: 0 }
+  };
+  for (const v of vulns) {
+    result[v.severity].count += 1;
+    if (v.fixAvailable) result[v.severity].fixable += 1;
+  }
+  return result;
+}
+function renderVulnerability(v) {
+  const lines = [];
+  lines.push(`### ${v.name}`);
+  lines.push(`- **ID:** ${v.id}`);
+  lines.push(`- **Title:** ${v.title}`);
+  lines.push(`- **Range:** \`${v.range}\``);
+  if (v.fixAvailable && v.fixCommand) {
+    lines.push(`- **Fix:** \`${v.fixCommand}\``);
+  } else {
+    lines.push(`- **Fix:** No fix available`);
+  }
+  if (v.url) lines.push(`- **Advisory:** ${v.url}`);
+  if (v.paths.length > 0) lines.push(`- **Paths:** \`${v.paths.join(", ")}\``);
+  return lines.join("\n");
+}
+function markdown(report2, opts = {}) {
+  const title = opts.title ?? "npm audit report";
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report2.vulnerabilities, minSeverity);
+  const out = [];
+  out.push(`## ${title}`);
+  out.push("");
+  if (filtered.length === 0) {
+    out.push(`## \u2705 No vulnerabilities found`);
+    out.push("");
+    const date2 = report2.meta.auditedAt ? report2.meta.auditedAt.slice(0, 10) : "";
+    out.push(
+      `> 0 vulnerabilities found \xB7 audited ${date2} \xB7 ${report2.meta.totalDependencies} dependencies`
+    );
+    out.push("");
+    out.push(`---`);
+    out.push(`*Generated by [audit-report](https://github.com/dimasdarfi/audit-report)*`);
+    return out.join("\n");
+  }
+  const date = report2.meta.auditedAt ? report2.meta.auditedAt.slice(0, 10) : "";
+  out.push(
+    `> ${filtered.length} vulnerabilities found \xB7 audited ${date} \xB7 ${report2.meta.totalDependencies} dependencies`
+  );
+  out.push("");
+  const counts = countBySeverity(filtered);
+  out.push(`| Severity | Count | Fixable |`);
+  out.push(`|----------|-------|---------|`);
+  for (const sev of SEVERITY_ORDER2) {
+    const c = counts[sev];
+    if (c.count === 0) continue;
+    out.push(`| ${SEVERITY_EMOJI[sev]} ${SEVERITY_LABEL[sev]} | ${c.count} | ${c.fixable} |`);
+  }
+  out.push("");
+  out.push("---");
+  out.push("");
+  for (const sev of SEVERITY_ORDER2) {
+    const group = filtered.filter((v) => v.severity === sev);
+    if (group.length === 0) continue;
+    out.push(`<details>`);
+    out.push(`<summary>${SEVERITY_EMOJI[sev]} ${SEVERITY_LABEL[sev]} (${group.length})</summary>`);
+    out.push("");
+    for (const v of group) {
+      out.push(renderVulnerability(v));
+      out.push("");
+    }
+    out.push(`</details>`);
+    out.push("");
+  }
+  out.push("---");
+  out.push(`*Generated by [audit-report](https://github.com/dimasdarfi/audit-report)*`);
+  return out.join("\n");
+}
+
+// src/formatters/html.ts
+var SEVERITY_ORDER3 = ["critical", "high", "moderate", "low", "info"];
+var SEVERITY_COLOR = {
+  critical: "#fee2e2",
+  high: "#ffedd5",
+  moderate: "#fef9c3",
+  low: "#dbeafe",
+  info: "#f0fdf4"
+};
+var SEVERITY_LABEL2 = {
+  critical: "Critical",
+  high: "High",
+  moderate: "Moderate",
+  low: "Low",
+  info: "Info"
+};
+var SEVERITY_RANK = {
+  critical: 5,
+  high: 4,
+  moderate: 3,
+  low: 2,
+  info: 1
+};
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function countBySeverity2(vulns) {
+  const r = { critical: 0, high: 0, moderate: 0, low: 0, info: 0 };
+  for (const v of vulns) r[v.severity] += 1;
+  return r;
+}
+function html(report2, opts = {}) {
+  const title = opts.title ?? "npm audit report";
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report2.vulnerabilities, minSeverity);
+  const date = report2.meta.auditedAt ? report2.meta.auditedAt.slice(0, 10) : "";
+  const styles = `
+    * { box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; margin: 0; padding: 2rem; color: #1f2937; background: #f9fafb; }
+    .container { max-width: 1100px; margin: 0 auto; background: #ffffff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.06); padding: 2rem; }
+    h1 { margin: 0 0 0.5rem; font-size: 1.6rem; }
+    .meta { color: #6b7280; font-size: 0.9rem; margin-bottom: 1.5rem; }
+    table { width: 100%; border-collapse: collapse; margin-bottom: 1.5rem; font-size: 0.95rem; }
+    th, td { padding: 0.6rem 0.75rem; text-align: left; border-bottom: 1px solid #e5e7eb; }
+    th { background: #f3f4f6; cursor: pointer; user-select: none; font-weight: 600; }
+    th[data-sort] .arrow { color: #9ca3af; font-size: 0.75rem; margin-left: 0.25rem; }
+    th.sorted-asc .arrow::after { content: " \u25B2"; color: #1f2937; }
+    th.sorted-desc .arrow::after { content: " \u25BC"; color: #1f2937; }
+    tr.sev-critical { background: ${SEVERITY_COLOR.critical}; }
+    tr.sev-high { background: ${SEVERITY_COLOR.high}; }
+    tr.sev-moderate { background: ${SEVERITY_COLOR.moderate}; }
+    tr.sev-low { background: ${SEVERITY_COLOR.low}; }
+    tr.sev-info { background: ${SEVERITY_COLOR.info}; }
+    details { margin-bottom: 0.5rem; }
+    summary { cursor: pointer; padding: 0.4rem 0; font-weight: 600; }
+    .badge { display: inline-block; padding: 0.15rem 0.55rem; border-radius: 999px; font-size: 0.75rem; font-weight: 600; text-transform: uppercase; }
+    .badge-critical { background: #dc2626; color: white; }
+    .badge-high { background: #ea580c; color: white; }
+    .badge-moderate { background: #ca8a04; color: white; }
+    .badge-low { background: #2563eb; color: white; }
+    .badge-info { background: #16a34a; color: white; }
+    code { background: #f3f4f6; padding: 0.1rem 0.3rem; border-radius: 4px; font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, monospace; font-size: 0.85rem; }
+    .empty { padding: 2rem; text-align: center; color: #6b7280; }
+    .empty-icon { font-size: 3rem; }
+    .summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(120px, 1fr)); gap: 0.75rem; margin-bottom: 1.5rem; }
+    .summary-card { padding: 0.85rem; border-radius: 6px; border: 1px solid #e5e7eb; }
+    .summary-card .label { font-size: 0.75rem; text-transform: uppercase; color: #6b7280; font-weight: 600; letter-spacing: 0.03em; }
+    .summary-card .value { font-size: 1.4rem; font-weight: 700; margin-top: 0.15rem; }
+    footer { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid #e5e7eb; color: #6b7280; font-size: 0.85rem; text-align: center; }
+    @media print {
+      body { background: white; padding: 0; }
+      .container { box-shadow: none; padding: 0; }
+      th { cursor: default; }
+      th .arrow { display: none; }
+      details { break-inside: avoid; }
+      details[open] summary { display: list-item; }
+    }
+  `;
+  const counts = countBySeverity2(filtered);
+  let body = "";
+  if (filtered.length === 0) {
+    body = `<div class="empty"><div class="empty-icon">\u2705</div><h2>No vulnerabilities found</h2><p>Audited ${report2.meta.totalDependencies} dependencies</p></div>`;
+  } else {
+    const summaryCards = SEVERITY_ORDER3.map((sev) => {
+      const c = counts[sev];
+      return `<div class="summary-card" style="background:${SEVERITY_COLOR[sev]}"><div class="label">${SEVERITY_LABEL2[sev]}</div><div class="value">${c}</div></div>`;
+    }).join("");
+    const rows = filtered.map((v) => {
+      const fix = v.fixAvailable && v.fixCommand ? `<code>${escapeHtml(v.fixCommand)}</code>` : "No fix";
+      return `<tr class="sev-${v.severity}" data-severity="${SEVERITY_RANK[v.severity]}" data-name="${escapeHtml(v.name)}">
+          <td><span class="badge badge-${v.severity}">${SEVERITY_LABEL2[v.severity]}</span></td>
+          <td><strong>${escapeHtml(v.name)}</strong></td>
+          <td>${escapeHtml(v.title)}</td>
+          <td><code>${escapeHtml(v.range)}</code></td>
+          <td>${fix}</td>
+        </tr>`;
+    }).join("\n");
+    body = `
+      <div class="summary-grid">${summaryCards}</div>
+      <table id="vuln-table">
+        <thead>
+          <tr>
+            <th data-sort="severity">Severity<span class="arrow"></span></th>
+            <th data-sort="name">Package<span class="arrow"></span></th>
+            <th data-sort="title">Title<span class="arrow"></span></th>
+            <th data-sort="range">Range<span class="arrow"></span></th>
+            <th data-sort="fix">Fix<span class="arrow"></span></th>
+          </tr>
+        </thead>
+        <tbody>
+${rows}
+        </tbody>
+      </table>
+    `;
+  }
+  const sortScript = `
+    (function(){
+      var table = document.getElementById('vuln-table');
+      if (!table) return;
+      var headers = table.querySelectorAll('th[data-sort]');
+      headers.forEach(function(h, idx){
+        h.addEventListener('click', function(){
+          var asc = !h.classList.contains('sorted-asc');
+          headers.forEach(function(other){ other.classList.remove('sorted-asc','sorted-desc'); });
+          h.classList.add(asc ? 'sorted-asc' : 'sorted-desc');
+          var tbody = table.querySelector('tbody');
+          var rows = Array.prototype.slice.call(tbody.querySelectorAll('tr'));
+          rows.sort(function(a, b){
+            var key = h.getAttribute('data-sort');
+            var av, bv;
+            if (key === 'severity') {
+              av = parseInt(a.getAttribute('data-severity'), 10);
+              bv = parseInt(b.getAttribute('data-severity'), 10);
+            } else {
+              av = a.children[idx].textContent.trim().toLowerCase();
+              bv = b.children[idx].textContent.trim().toLowerCase();
+            }
+            if (av < bv) return asc ? -1 : 1;
+            if (av > bv) return asc ? 1 : -1;
+            return 0;
+          });
+          rows.forEach(function(r){ tbody.appendChild(r); });
+        });
+      });
+    })();
+  `;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>${escapeHtml(title)} \u2014 ${escapeHtml(date)}</title>
+<style>${styles}</style>
+</head>
+<body>
+<div class="container">
+  <h1>${escapeHtml(title)}</h1>
+  <div class="meta">Audited ${escapeHtml(date)} \xB7 ${report2.meta.totalDependencies} dependencies \xB7 ${filtered.length} vulnerabilities</div>
+  ${body}
+  <footer>Generated by audit-report</footer>
+</div>
+<script>${sortScript}</script>
+</body>
+</html>`;
+}
+
+// src/formatters/sarif.ts
+function severityToLevel(s) {
+  if (s === "critical" || s === "high") return "error";
+  if (s === "moderate") return "warning";
+  return "note";
+}
+function sarif(report2, opts = {}) {
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report2.vulnerabilities, minSeverity);
+  const rulesMap = /* @__PURE__ */ new Map();
+  for (const v of filtered) {
+    if (!rulesMap.has(v.id)) {
+      const rule = {
+        id: v.id,
+        name: v.name,
+        shortDescription: { text: v.title },
+        properties: { severity: v.severity }
+      };
+      if (v.url) rule.helpUri = v.url;
+      rulesMap.set(v.id, rule);
+    }
+  }
+  const results = filtered.map((v) => {
+    const fixText = v.fixAvailable && v.fixCommand ? `Fix: ${v.fixCommand}` : "No fix available.";
+    const messageText = `${v.title}. Affected range: ${v.range}. ${fixText}`;
+    return {
+      ruleId: v.id,
+      level: severityToLevel(v.severity),
+      message: { text: messageText },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: "package.json" }
+          }
+        }
+      ]
+    };
+  });
+  const doc = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "npm-audit",
+            version: report2.meta.npmVersion || "0.0.0",
+            informationUri: "https://docs.npmjs.com/cli/commands/npm-audit",
+            rules: Array.from(rulesMap.values())
+          }
+        },
+        results
+      }
+    ]
+  };
+  return JSON.stringify(doc, null, 2);
+}
+
+// src/formatters/annotations.ts
+function severityToAnnotation(s) {
+  if (s === "critical" || s === "high") return "error";
+  if (s === "moderate") return "warning";
+  return "notice";
+}
+function escapeAnnotation(s) {
+  return s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
+}
+function escapeProperty(s) {
+  return escapeAnnotation(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
+}
+function annotations(report2, opts = {}) {
+  const minSeverity = opts.severity ?? "info";
+  const filtered = filterBySeverity(report2.vulnerabilities, minSeverity);
+  const lines = filtered.map((v) => {
+    const level = severityToAnnotation(v.severity);
+    const fixPart = v.fixAvailable && v.fixCommand ? `fix: ${v.fixCommand}` : "no fix";
+    const message = `${v.name} \u2014 ${v.title}, affected: ${v.range} (${fixPart})`;
+    const titleProp = escapeProperty(v.id);
+    return `::${level} file=package.json,title=${titleProp}::${escapeAnnotation(message)}`;
+  });
+  return lines.join("\n");
+}
+
+// src/formatters/index.ts
+function format(report2, opts = {}) {
+  const fmt = opts.format ?? "markdown";
+  switch (fmt) {
+    case "markdown":
+      return markdown(report2, opts);
+    case "html":
+      return html(report2, opts);
+    case "sarif":
+      return sarif(report2, opts);
+    case "annotations":
+      return annotations(report2, opts);
+    default:
+      throw new Error(`Unknown format: ${String(fmt)}`);
+  }
+}
+
+// src/index.ts
+function report(json, opts = {}) {
+  const parsed = parse(json);
+  return format(parsed, opts);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ParseError,
+  filterBySeverity,
+  format,
+  meetsThreshold,
+  parse,
+  report,
+  shouldFail
+});

package/dist/index.d.cts

@@ -0,0 +1,54 @@
+type Severity = 'critical' | 'high' | 'moderate' | 'low' | 'info';
+type Format = 'markdown' | 'html' | 'sarif' | 'annotations';
+interface Vulnerability {
+    id: string;
+    name: string;
+    severity: Severity;
+    title: string;
+    url: string;
+    range: string;
+    fixAvailable: boolean;
+    fixCommand?: string;
+    paths: string[];
+}
+interface AuditMeta {
+    npmVersion: string;
+    nodeVersion: string;
+    auditedAt: string;
+    totalDependencies: number;
+}
+interface AuditSummary {
+    critical: number;
+    high: number;
+    moderate: number;
+    low: number;
+    info: number;
+    total: number;
+}
+interface AuditReport {
+    meta: AuditMeta;
+    summary: AuditSummary;
+    vulnerabilities: Vulnerability[];
+}
+interface FormatOptions {
+    format?: Format;
+    severity?: Severity;
+    failOn?: Severity | 'none';
+    title?: string;
+    template?: string;
+}
+
+declare class ParseError extends Error {
+    constructor(message: string);
+}
+declare function parse(input: string): AuditReport;
+
+declare function format(report: AuditReport, opts?: FormatOptions): string;
+
+declare function meetsThreshold(severity: Severity, threshold: Severity): boolean;
+declare function shouldFail(report: AuditReport, failOn: Severity | 'none'): boolean;
+declare function filterBySeverity(vulns: Vulnerability[], minSeverity: Severity): Vulnerability[];
+
+declare function report(json: string, opts?: FormatOptions): string;
+
+export { type AuditMeta, type AuditReport, type AuditSummary, type Format, type FormatOptions, ParseError, type Severity, type Vulnerability, filterBySeverity, format, meetsThreshold, parse, report, shouldFail };