ossrisk 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 depkeep
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,160 @@
+# ossrisk
+
+Scan your dependencies for long-term viability risk: **EOL versions**, **known CVEs**, and **abandonment signals**.
+
+Supports `package.json` (npm) and `requirements.txt` (PyPI).
+
+[![CI](https://github.com/depkeep/ossrisk/actions/workflows/ci.yml/badge.svg)](https://github.com/depkeep/ossrisk/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/ossrisk)](https://www.npmjs.com/package/ossrisk)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+---
+
+## Install
+
+```bash
+npm install -g ossrisk
+```
+
+Or run without installing:
+
+```bash
+npx ossrisk .
+```
+
+---
+
+## CLI usage
+
+```
+ossrisk [path] [options]
+```
+
+| Option | Default | Description |
+|---|---|---|
+| `[path]` | `.` | Path to project directory to scan |
+| `-f, --format <fmt>` | `table` | Output format: `table`, `json`, `markdown` |
+| `--fail-on <level>` | `high` | Exit 1 if any dep reaches this risk level (`none`\|`low`\|`medium`\|`high`\|`critical`) |
+| `-c, --concurrency <n>` | `8` | Concurrent API requests per batch |
+| `--no-eol` | | Skip EOL checks |
+| `--no-cve` | | Skip CVE checks |
+| `--no-activity` | | Skip abandonment/staleness checks |
+| `--no-outdated` | | Skip latest-version checks |
+
+### Examples
+
+```bash
+# Scan the current directory
+ossrisk
+
+# Scan a specific project
+ossrisk /path/to/project
+
+# Output as JSON
+ossrisk . --format json
+
+# Fail on medium risk or above
+ossrisk . --fail-on medium
+
+# Skip CVE checks, output markdown
+ossrisk . --no-cve --format markdown
+```
+
+---
+
+## Risk levels
+
+| Level | Triggers |
+|---|---|
+| `critical` | CVE with CVSS ≥ 9.0 |
+| `high` | CVE with CVSS 7.0–8.9, or EOL version |
+| `medium` | CVE with CVSS 4.0–6.9, or no release in 24+ months (abandoned) |
+| `low` | CVE with CVSS < 4.0, no release in 12–24 months (stale), or newer version available |
+| `none` | No issues found |
+
+---
+
+## GitHub Actions
+
+Add ossrisk to your CI pipeline to automatically scan dependencies on every pull request.
+
+```yaml
+- name: Scan dependencies
+  uses: depkeep/ossrisk@v1
+  with:
+    fail-on: high
+    github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+When `github-token` is provided and the workflow runs on a pull request, ossrisk posts a markdown report as a PR comment.
+
+### Action inputs
+
+| Input | Default | Description |
+|---|---|---|
+| `path` | `.` | Path to the project directory |
+| `fail-on` | `high` | Exit 1 if any dep reaches this level or above |
+| `no-eol` | `false` | Skip EOL checks |
+| `no-cve` | `false` | Skip CVE checks |
+| `no-activity` | `false` | Skip abandonment/staleness checks |
+| `no-outdated` | `false` | Skip latest-version checks |
+| `github-token` | | GitHub token for posting a PR comment |
+
+### Action outputs
+
+| Output | Description |
+|---|---|
+| `risk-level` | Highest risk level found across all dependencies |
+
+---
+
+## Programmatic API
+
+```ts
+import { scan } from 'ossrisk';
+
+const result = await scan({
+  path: '/path/to/project',
+  format: 'json',
+  failOn: 'high',
+  concurrency: 8,
+  noEol: false,
+  noCve: false,
+  noActivity: false,
+  noOutdated: false,
+});
+
+console.log(result.summary);
+// { total: 42, critical: 0, high: 1, medium: 3, low: 5, clean: 33 }
+```
+
+---
+
+## Data sources
+
+- **CVEs** — [OSV.dev](https://osv.dev) batch API
+- **EOL dates** — [endoflife.date](https://endoflife.date) API
+- **Activity** — npm registry / PyPI JSON API
+- **Latest versions** — npm registry / PyPI JSON API
+
+All checks are read-only and require no API keys.
+
+---
+
+## Contributing
+
+```bash
+git clone https://github.com/depkeep/ossrisk.git
+cd ossrisk
+npm install
+npm test          # run tests
+npm run dev .     # run CLI from source
+```
+
+Before submitting a PR, run `npm run build` and commit the updated `dist/` so the GitHub Action stays functional.
+
+---
+
+## License
+
+MIT © [DepKeep](https://depkeep.com)

package/dist/action/main.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=main.d.ts.map

package/dist/action/main.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../action/main.ts"],"names":[],"mappings":""}

package/dist/action/main.js

@@ -0,0 +1,67 @@
+import { appendFileSync, readFileSync } from 'fs';
+import { resolve } from 'path';
+import { scan } from '../src/scanner.js';
+import { renderMarkdown } from '../src/output/markdown.js';
+const RISK_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
+function getInput(name, fallback = '') {
+    return process.env[`INPUT_${name.toUpperCase().replace(/-/g, '_')}`] ?? fallback;
+}
+function setOutput(name, value) {
+    const file = process.env.GITHUB_OUTPUT;
+    if (file)
+        appendFileSync(file, `${name}=${value}\n`);
+}
+async function postPrComment(token, body) {
+    const { GITHUB_REPOSITORY, GITHUB_EVENT_PATH } = process.env;
+    if (!GITHUB_REPOSITORY || !GITHUB_EVENT_PATH)
+        return;
+    const event = JSON.parse(readFileSync(GITHUB_EVENT_PATH, 'utf-8'));
+    const prNumber = event.pull_request?.number;
+    if (!prNumber)
+        return;
+    const [owner, repo] = GITHUB_REPOSITORY.split('/');
+    await fetch(`https://api.github.com/repos/${owner}/${repo}/issues/${prNumber}/comments`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ body }),
+    });
+}
+async function run() {
+    const opts = {
+        path: resolve(getInput('path', '.')),
+        format: 'markdown',
+        failOn: getInput('fail-on', 'high'),
+        concurrency: 8,
+        noEol: getInput('no-eol') === 'true',
+        noCve: getInput('no-cve') === 'true',
+        noActivity: getInput('no-activity') === 'true',
+        noOutdated: getInput('no-outdated') === 'true',
+    };
+    try {
+        const result = await scan(opts);
+        const report = renderMarkdown(result);
+        console.log(report);
+        const token = getInput('github-token');
+        if (token && process.env.GITHUB_EVENT_NAME === 'pull_request') {
+            await postPrComment(token, report);
+        }
+        setOutput('risk-level', result.results[0]?.riskLevel ?? 'none');
+        const threshold = RISK_ORDER.indexOf(opts.failOn);
+        if (threshold > 0) {
+            const breached = result.results.some(r => RISK_ORDER.indexOf(r.riskLevel) >= threshold);
+            if (breached) {
+                console.error(`ossrisk: one or more dependencies are at risk level "${opts.failOn}" or above`);
+                process.exit(1);
+            }
+        }
+    }
+    catch (err) {
+        console.error('ossrisk action failed:', err.message);
+        process.exit(2);
+    }
+}
+run();
+//# sourceMappingURL=main.js.map

package/dist/action/main.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../../action/main.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAG3D,MAAM,UAAU,GAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AAE9E,SAAS,QAAQ,CAAC,IAAY,EAAE,QAAQ,GAAG,EAAE;IAC3C,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC,IAAI,QAAQ,CAAC;AACnF,CAAC;AAED,SAAS,SAAS,CAAC,IAAY,EAAE,KAAa;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACvC,IAAI,IAAI;QAAE,cAAc,CAAC,IAAI,EAAE,GAAG,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,KAAa,EAAE,IAAY;IACtD,MAAM,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IAC7D,IAAI,CAAC,iBAAiB,IAAI,CAAC,iBAAiB;QAAE,OAAO;IAErD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAEhE,CAAC;IACF,MAAM,QAAQ,GAAG,KAAK,CAAC,YAAY,EAAE,MAAM,CAAC;IAC5C,IAAI,CAAC,QAAQ;QAAE,OAAO;IAEtB,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,KAAK,CACT,gCAAgC,KAAK,IAAI,IAAI,WAAW,QAAQ,WAAW,EAC3E;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;KAC/B,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,IAAI,GAAgB;QACxB,IAAI,EAAS,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,EAAO,UAAU;QACvB,MAAM,EAAO,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAc;QACrD,WAAW,EAAE,CAAC;QACd,KAAK,EAAQ,QAAQ,CAAC,QAAQ,CAAC,KAAK,MAAM;QAC1C,KAAK,EAAQ,QAAQ,CAAC,QAAQ,CAAC,KAAK,MAAM;QAC1C,UAAU,EAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,MAAM;QAC/C,UAAU,EAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,MAAM;KAChD,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QAEtC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,MAAM,KAAK,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;QACvC,IAAI,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,cAAc,EAAE,CAAC;YAC9D,MAAM,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QAED,SAAS,CAAC,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;QAEhE,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAClC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,SAAS,CAClD,CAAC;YACF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,wDAAwD,IAAI,CAAC,MAAM,YAAY,CAAC,CAAC;gBAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,GAAG,EAAE,CAAC"}

package/dist/src/checkers/activity.d.ts

@@ -0,0 +1,3 @@
+import type { AbandonedSignal, Dependency, StaleSignal } from '../types.js';
+export declare function checkActivity(dep: Dependency): Promise<(AbandonedSignal | StaleSignal)[]>;
+//# sourceMappingURL=activity.d.ts.map

package/dist/src/checkers/activity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"activity.d.ts","sourceRoot":"","sources":["../../../src/checkers/activity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AA+B5E,wBAAsB,aAAa,CACjC,GAAG,EAAE,UAAU,GACd,OAAO,CAAC,CAAC,eAAe,GAAG,WAAW,CAAC,EAAE,CAAC,CAuB5C"}

package/dist/src/checkers/activity.js

@@ -0,0 +1,49 @@
+const ABANDONED_MONTHS = 24;
+const STALE_MONTHS = 12;
+function monthsSince(date) {
+    return (Date.now() - date.getTime()) / (1000 * 60 * 60 * 24 * 30.44);
+}
+async function lastNpmRelease(name) {
+    const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`, {
+        headers: { Accept: 'application/json' },
+    });
+    if (!res.ok)
+        return null;
+    const data = await res.json();
+    const modified = data.time?.modified;
+    return modified ? new Date(modified) : null;
+}
+async function lastPypiRelease(name) {
+    const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
+    if (!res.ok)
+        return null;
+    const data = await res.json();
+    const files = data.releases[data.info.version];
+    if (!files?.length)
+        return null;
+    return new Date(files[0].upload_time);
+}
+export async function checkActivity(dep) {
+    try {
+        let last = null;
+        if (dep.ecosystem === 'npm')
+            last = await lastNpmRelease(dep.name);
+        if (dep.ecosystem === 'pypi')
+            last = await lastPypiRelease(dep.name);
+        if (!last)
+            return [];
+        const months = Math.floor(monthsSince(last));
+        const dateStr = last.toISOString().split('T')[0];
+        if (months >= ABANDONED_MONTHS) {
+            return [{ type: 'abandoned', lastReleaseDate: dateStr, monthsSince: months }];
+        }
+        if (months >= STALE_MONTHS) {
+            return [{ type: 'stale', lastReleaseDate: dateStr, monthsSince: months }];
+        }
+    }
+    catch {
+        // Registry unreachable — not a failure condition
+    }
+    return [];
+}
+//# sourceMappingURL=activity.js.map

package/dist/src/checkers/activity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"activity.js","sourceRoot":"","sources":["../../../src/checkers/activity.ts"],"names":[],"mappings":"AAEA,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,YAAY,GAAG,EAAE,CAAC;AAExB,SAAS,WAAW,CAAC,IAAU;IAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;AACvE,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE;QAChF,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KACxC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAuC,CAAC;IACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC;IACrC,OAAO,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,yBAAyB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClF,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAG1B,CAAC;IACF,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAe;IAEf,IAAI,CAAC;QACH,IAAI,IAAI,GAAgB,IAAI,CAAC;QAE7B,IAAI,GAAG,CAAC,SAAS,KAAK,KAAK;YAAG,IAAI,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpE,IAAI,GAAG,CAAC,SAAS,KAAK,MAAM;YAAE,IAAI,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAErE,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QAErB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEjD,IAAI,MAAM,IAAI,gBAAgB,EAAE,CAAC;YAC/B,OAAO,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;YAC3B,OAAO,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iDAAiD;IACnD,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/src/checkers/eol.d.ts

@@ -0,0 +1,3 @@
+import type { Dependency, EolSignal } from '../types.js';
+export declare function checkEol(dep: Dependency): Promise<EolSignal[]>;
+//# sourceMappingURL=eol.d.ts.map

package/dist/src/checkers/eol.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eol.d.ts","sourceRoot":"","sources":["../../../src/checkers/eol.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAgDzD,wBAAsB,QAAQ,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC,CA2BpE"}

package/dist/src/checkers/eol.js

@@ -0,0 +1,71 @@
+// Maps package names → endoflife.date product slugs.
+// Only packages/runtimes that have formal EOL policies are included.
+const EOL_MAP = {
+    // Runtimes
+    'node': 'nodejs',
+    'nodejs': 'nodejs',
+    'python': 'python',
+    'ruby': 'ruby',
+    'php': 'php',
+    'golang': 'go',
+    // Frameworks
+    'django': 'django',
+    'rails': 'rails',
+    'laravel': 'laravel',
+    'symfony': 'symfony',
+    'spring-boot': 'spring-boot',
+    'angular': 'angular',
+    '@angular/core': 'angular',
+    'bootstrap': 'bootstrap',
+    // Databases (client package name → server product)
+    'pg': 'postgresql',
+    'mysql': 'mysql',
+    'mysql2': 'mysql',
+    'mongodb': 'mongodb',
+    // Others
+    'wordpress': 'wordpress',
+    'drupal': 'drupal',
+    'magento': 'magento-2',
+    'nextjs': 'nextjs',
+    'next': 'nextjs',
+    'nuxt': 'nuxtjs',
+};
+function candidateCycles(version) {
+    const parts = version.split('.').filter(p => /^\d+$/.test(p));
+    const cycles = [];
+    if (parts.length >= 2)
+        cycles.push(`${parts[0]}.${parts[1]}`);
+    if (parts.length >= 1)
+        cycles.push(parts[0]);
+    return cycles;
+}
+export async function checkEol(dep) {
+    const product = EOL_MAP[dep.name];
+    if (!product)
+        return [];
+    try {
+        const res = await fetch(`https://endoflife.date/api/${product}.json`);
+        if (!res.ok)
+            return [];
+        const cycles = await res.json();
+        const candidates = candidateCycles(dep.version);
+        for (const candidate of candidates) {
+            const cycle = cycles.find(c => c.cycle === candidate);
+            if (!cycle)
+                continue;
+            const { eol } = cycle;
+            if (eol === false)
+                return []; // still supported
+            if (eol === true)
+                return [{ type: 'eol', cycle: candidate, eolDate: 'unknown' }];
+            if (new Date(eol) <= new Date()) {
+                return [{ type: 'eol', cycle: candidate, eolDate: eol }];
+            }
+        }
+    }
+    catch {
+        // Silently skip — endoflife.date may not have data for every product
+    }
+    return [];
+}
+//# sourceMappingURL=eol.js.map

package/dist/src/checkers/eol.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eol.js","sourceRoot":"","sources":["../../../src/checkers/eol.ts"],"names":[],"mappings":"AAEA,qDAAqD;AACrD,qEAAqE;AACrE,MAAM,OAAO,GAA2B;IACtC,WAAW;IACX,MAAM,EAAa,QAAQ;IAC3B,QAAQ,EAAW,QAAQ;IAC3B,QAAQ,EAAW,QAAQ;IAC3B,MAAM,EAAa,MAAM;IACzB,KAAK,EAAc,KAAK;IACxB,QAAQ,EAAW,IAAI;IACvB,aAAa;IACb,QAAQ,EAAW,QAAQ;IAC3B,OAAO,EAAY,OAAO;IAC1B,SAAS,EAAU,SAAS;IAC5B,SAAS,EAAU,SAAS;IAC5B,aAAa,EAAM,aAAa;IAChC,SAAS,EAAU,SAAS;IAC5B,eAAe,EAAI,SAAS;IAC5B,WAAW,EAAQ,WAAW;IAC9B,mDAAmD;IACnD,IAAI,EAAe,YAAY;IAC/B,OAAO,EAAY,OAAO;IAC1B,QAAQ,EAAW,OAAO;IAC1B,SAAS,EAAU,SAAS;IAC5B,SAAS;IACT,WAAW,EAAQ,WAAW;IAC9B,QAAQ,EAAW,QAAQ;IAC3B,SAAS,EAAU,WAAW;IAC9B,QAAQ,EAAW,QAAQ;IAC3B,MAAM,EAAa,QAAQ;IAC3B,MAAM,EAAa,QAAQ;CAC5B,CAAC;AAOF,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC9D,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,GAAe;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,OAAO,OAAO,CAAC,CAAC;QACtE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAEvB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAgB,CAAC;QAC9C,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC;YACtD,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;YACtB,IAAI,GAAG,KAAK,KAAK;gBAAE,OAAO,EAAE,CAAC,CAA+B,kBAAkB;YAC9E,IAAI,GAAG,KAAK,IAAI;gBAAG,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;YAClF,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;gBAChC,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;IACvE,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/src/checkers/osv.d.ts

@@ -0,0 +1,3 @@
+import type { CveSignal, Dependency } from '../types.js';
+export declare function checkCvesBatch(deps: Dependency[]): Promise<Map<string, CveSignal[]>>;
+//# sourceMappingURL=osv.d.ts.map

package/dist/src/checkers/osv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/checkers/osv.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAa,MAAM,aAAa,CAAC;AA0CpE,wBAAsB,cAAc,CAClC,IAAI,EAAE,UAAU,EAAE,GACjB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,CAqCnC"}

package/dist/src/checkers/osv.js

@@ -0,0 +1,71 @@
+const OSV_BATCH_API = 'https://api.osv.dev/v1/querybatch';
+const BATCH_SIZE = 100;
+const ECOSYSTEM_MAP = {
+    npm: 'npm',
+    pypi: 'PyPI',
+    maven: 'Maven',
+    cargo: 'crates.io',
+    go: 'Go',
+};
+function cvssToLevel(score) {
+    const n = parseFloat(score);
+    if (n >= 9.0)
+        return 'critical';
+    if (n >= 7.0)
+        return 'high';
+    if (n >= 4.0)
+        return 'medium';
+    return 'low';
+}
+function vulnSeverity(v) {
+    for (const s of v.severity ?? []) {
+        if (s.type === 'CVSS_V3' || s.type === 'CVSS_V2')
+            return cvssToLevel(s.score);
+    }
+    const ds = v.database_specific?.severity?.toUpperCase();
+    if (ds === 'CRITICAL')
+        return 'critical';
+    if (ds === 'HIGH')
+        return 'high';
+    if (ds === 'MODERATE' || ds === 'MEDIUM')
+        return 'medium';
+    if (ds === 'LOW')
+        return 'low';
+    return 'medium';
+}
+export async function checkCvesBatch(deps) {
+    const results = new Map();
+    for (let i = 0; i < deps.length; i += BATCH_SIZE) {
+        const batch = deps.slice(i, i + BATCH_SIZE);
+        try {
+            const res = await fetch(OSV_BATCH_API, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    queries: batch.map(d => ({
+                        version: d.version,
+                        package: { name: d.name, ecosystem: ECOSYSTEM_MAP[d.ecosystem] ?? d.ecosystem },
+                    })),
+                }),
+            });
+            if (!res.ok)
+                continue;
+            const data = await res.json();
+            for (let j = 0; j < batch.length; j++) {
+                const dep = batch[j];
+                const vulns = data.results[j]?.vulns ?? [];
+                results.set(`${dep.name}@${dep.version}`, vulns.map(v => ({
+                    type: 'cve',
+                    id: v.id,
+                    severity: vulnSeverity(v),
+                    summary: v.summary ?? 'No description available',
+                })));
+            }
+        }
+        catch {
+            // Network errors: skip batch, leave entries absent (treated as no CVEs)
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=osv.js.map

package/dist/src/checkers/osv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/checkers/osv.ts"],"names":[],"mappings":"AAEA,MAAM,aAAa,GAAG,mCAAmC,CAAC;AAC1D,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB,MAAM,aAAa,GAA2B;IAC5C,GAAG,EAAI,KAAK;IACZ,IAAI,EAAG,MAAM;IACb,KAAK,EAAE,OAAO;IACd,KAAK,EAAE,WAAW;IAClB,EAAE,EAAK,IAAI;CACZ,CAAC;AAWF,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC5B,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IAChC,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAC5B,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAC9B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,CAAU;IAC9B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACjC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC;IACD,MAAM,EAAE,GAAG,CAAC,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxD,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,EAAE,KAAK,MAAM;QAAM,OAAO,MAAM,CAAC;IACrC,IAAI,EAAE,KAAK,UAAU,IAAI,EAAE,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC1D,IAAI,EAAE,KAAK,KAAK;QAAO,OAAO,KAAK,CAAC;IACpC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAkB;IAElB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;gBACrC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;wBACvB,OAAO,EAAE,CAAC,CAAC,OAAO;wBAClB,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE;qBAChF,CAAC,CAAC;iBACJ,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,SAAS;YAEtB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAsB,CAAC;YAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACrB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACxD,IAAI,EAAE,KAAc;oBACpB,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;oBACzB,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,0BAA0B;iBACjD,CAAC,CAAC,CAAC,CAAC;YACP,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/src/checkers/outdated.d.ts

@@ -0,0 +1,3 @@
+import type { Dependency, OutdatedSignal } from '../types.js';
+export declare function checkOutdated(dep: Dependency): Promise<OutdatedSignal[]>;
+//# sourceMappingURL=outdated.d.ts.map

package/dist/src/checkers/outdated.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"outdated.d.ts","sourceRoot":"","sources":["../../../src/checkers/outdated.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAmB9D,wBAAsB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAkB9E"}

package/dist/src/checkers/outdated.js

@@ -0,0 +1,33 @@
+async function latestNpmVersion(name) {
+    const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`, { headers: { Accept: 'application/json' } });
+    if (!res.ok)
+        return null;
+    const data = await res.json();
+    return data.version ?? null;
+}
+async function latestPypiVersion(name) {
+    const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
+    if (!res.ok)
+        return null;
+    const data = await res.json();
+    return data.info?.version ?? null;
+}
+export async function checkOutdated(dep) {
+    try {
+        let latest = null;
+        if (dep.ecosystem === 'npm') {
+            latest = await latestNpmVersion(dep.name);
+        }
+        else if (dep.ecosystem === 'pypi') {
+            latest = await latestPypiVersion(dep.name);
+        }
+        if (!latest || latest === dep.version)
+            return [];
+        return [{ type: 'outdated', latestVersion: latest }];
+    }
+    catch {
+        // Registry unreachable — not a failure condition
+    }
+    return [];
+}
+//# sourceMappingURL=outdated.js.map

package/dist/src/checkers/outdated.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"outdated.js","sourceRoot":"","sources":["../../../src/checkers/outdated.ts"],"names":[],"mappings":"AAEA,KAAK,UAAU,gBAAgB,CAAC,IAAY;IAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,8BAA8B,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAC/D,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAC5C,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0B,CAAC;IACtD,OAAO,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAC3C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,yBAAyB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClF,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAqC,CAAC;IACjE,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAe;IACjD,IAAI,CAAC;QACH,IAAI,MAAM,GAAkB,IAAI,CAAC;QAEjC,IAAI,GAAG,CAAC,SAAS,KAAK,KAAK,EAAE,CAAC;YAC5B,MAAM,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,CAAC;aAAM,IAAI,GAAG,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YACpC,MAAM,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,GAAG,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAEjD,OAAO,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,iDAAiD;IACnD,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/src/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/src/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":""}

package/dist/src/cli.js

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join, resolve } from 'path';
+import { Command } from 'commander';
+import { scan } from './scanner.js';
+import { renderTable } from './output/table.js';
+import { renderMarkdown } from './output/markdown.js';
+function readVersion() {
+    const dir = dirname(fileURLToPath(import.meta.url));
+    // '../package.json' works when running via `tsx src/cli.ts` (dev)
+    // '../../package.json' works from the compiled `dist/src/cli.js`
+    for (const rel of ['../package.json', '../../package.json']) {
+        try {
+            const p = JSON.parse(readFileSync(join(dir, rel), 'utf-8'));
+            if (p.name === 'ossrisk' && p.version)
+                return p.version;
+        }
+        catch { /* skip */ }
+    }
+    return '0.0.0';
+}
+const RISK_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
+const program = new Command();
+program
+    .name('ossrisk')
+    .description('Scan dependencies for long-term viability risk:\n' +
+    'EOL versions, known CVEs, and abandonment signals.\n\n' +
+    'Supports: package.json (npm), requirements.txt (PyPI)')
+    .version(readVersion());
+program
+    .argument('[path]', 'Path to project directory to scan', '.')
+    .option('-f, --format <fmt>', 'Output format: table | json | markdown', 'table')
+    .option('--fail-on <level>', 'Exit 1 if any dep reaches this level or above (none|low|medium|high|critical)', 'high')
+    .option('-c, --concurrency <n>', 'Concurrent API requests per batch', '8')
+    .option('--no-eol', 'Skip EOL checks')
+    .option('--no-cve', 'Skip CVE checks')
+    .option('--no-activity', 'Skip abandonment/staleness checks')
+    .option('--no-outdated', 'Skip latest-version checks')
+    .action(async (pathArg, options) => {
+    const opts = {
+        path: resolve(pathArg),
+        format: options.format,
+        failOn: options.failOn,
+        concurrency: parseInt(options.concurrency, 10) || 8,
+        noEol: !options.eol,
+        noCve: !options.cve,
+        noActivity: !options.activity,
+        noOutdated: !options.outdated,
+    };
+    try {
+        if (opts.format === 'table') {
+            process.stdout.write('\r  Scanning…');
+        }
+        const result = await scan(opts);
+        if (opts.format === 'json') {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else if (opts.format === 'markdown') {
+            console.log(renderMarkdown(result));
+        }
+        else {
+            process.stdout.write('\r' + ' '.repeat(20) + '\r');
+            console.log(renderTable(result));
+        }
+        if (opts.failOn !== 'none') {
+            const threshold = RISK_ORDER.indexOf(opts.failOn);
+            const breached = result.results.some(r => RISK_ORDER.indexOf(r.riskLevel) >= threshold);
+            if (breached)
+                process.exit(1);
+        }
+    }
+    catch (err) {
+        console.error(`\n  error: ${err.message}`);
+        process.exit(2);
+    }
+});
+program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/src/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,SAAS,WAAW;IAClB,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,kEAAkE;IAClE,iEAAiE;IACjE,KAAK,MAAM,GAAG,IAAI,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,EAAE,CAAC;QAC5D,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,OAAO,CAAC,CAAwC,CAAC;YACnG,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,OAAO;gBAAE,OAAO,CAAC,CAAC,OAAO,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,GAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AAE9E,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CACV,mDAAmD;IACnD,wDAAwD;IACxD,uDAAuD,CACxD;KACA,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;AAE1B,OAAO;KACJ,QAAQ,CAAC,QAAQ,EAAE,mCAAmC,EAAE,GAAG,CAAC;KAC5D,MAAM,CAAC,oBAAoB,EAAG,wCAAwC,EAAE,OAAO,CAAC;KAChF,MAAM,CAAC,mBAAmB,EAAI,+EAA+E,EAAE,MAAM,CAAC;KACtH,MAAM,CAAC,uBAAuB,EAAE,mCAAmC,EAAE,GAAG,CAAC;KACzE,MAAM,CAAC,UAAU,EAAa,iBAAiB,CAAC;KAChD,MAAM,CAAC,UAAU,EAAa,iBAAiB,CAAC;KAChD,MAAM,CAAC,eAAe,EAAQ,mCAAmC,CAAC;KAClE,MAAM,CAAC,eAAe,EAAQ,4BAA4B,CAAC;KAC3D,MAAM,CAAC,KAAK,EAAE,OAAe,EAAE,OAAO,EAAE,EAAE;IACzC,MAAM,IAAI,GAAgB;QACxB,IAAI,EAAS,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAO,OAAO,CAAC,MAA+B;QACpD,MAAM,EAAO,OAAO,CAAC,MAAmB;QACxC,WAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,IAAI,CAAC;QACnD,KAAK,EAAQ,CAAC,OAAO,CAAC,GAAG;QACzB,KAAK,EAAQ,CAAC,OAAO,CAAC,GAAG;QACzB,UAAU,EAAG,CAAC,OAAO,CAAC,QAAQ;QAC9B,UAAU,EAAG,CAAC,OAAO,CAAC,QAAQ;KAC/B,CAAC;IAEF,IAAI,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAEhC,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3B,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClD,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAClC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,SAAS,CAClD,CAAC;YACF,IAAI,QAAQ;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,cAAe,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/src/output/markdown.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from '../types.js';
+export declare function renderMarkdown(result: ScanResult): string;
+//# sourceMappingURL=markdown.d.ts.map

package/dist/src/output/markdown.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdown.d.ts","sourceRoot":"","sources":["../../../src/output/markdown.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAa,UAAU,EAAE,MAAM,aAAa,CAAC;AAUzD,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CA6CzD"}

package/dist/src/output/markdown.js

@@ -0,0 +1,47 @@
+const EMOJI = {
+    critical: '🔴',
+    high: '🟠',
+    medium: '🟡',
+    low: '🔵',
+    none: '🟢',
+};
+export function renderMarkdown(result) {
+    const { summary } = result;
+    const lines = [];
+    lines.push('## ossrisk — Dependency Health Report');
+    lines.push('');
+    lines.push(`Scanned \`${result.manifest}\` · ${result.scannedAt}`);
+    lines.push('');
+    lines.push(`**${summary.total} dependencies** — ` +
+        `${EMOJI.critical} ${summary.critical} critical · ` +
+        `${EMOJI.high} ${summary.high} high · ` +
+        `${EMOJI.medium} ${summary.medium} medium · ` +
+        `${EMOJI.low} ${summary.low} low · ` +
+        `${EMOJI.none} ${summary.clean} clean`);
+    lines.push('');
+    const risky = result.results.filter(r => r.riskLevel !== 'none');
+    if (risky.length === 0) {
+        lines.push('✅ All dependencies are healthy.');
+        return lines.join('\n');
+    }
+    lines.push('| Package | Version | Risk | Details |');
+    lines.push('|---------|---------|------|---------|');
+    for (const dep of risky) {
+        const details = dep.signals.map(s => {
+            if (s.type === 'cve') {
+                return `[${s.id}](https://osv.dev/vulnerability/${s.id}) — ${s.summary}`;
+            }
+            if (s.type === 'eol')
+                return `EOL since ${s.eolDate} (cycle ${s.cycle})`;
+            if (s.type === 'abandoned')
+                return `No release in ${s.monthsSince} months (last: ${s.lastReleaseDate})`;
+            if (s.type === 'stale')
+                return `Last release ${s.monthsSince} months ago (${s.lastReleaseDate})`;
+            if (s.type === 'outdated')
+                return `Newer version available: ${s.latestVersion}`;
+        }).join('<br>');
+        lines.push(`| \`${dep.name}\` | \`${dep.version}\` | ${EMOJI[dep.riskLevel]} ${dep.riskLevel} | ${details} |`);
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=markdown.js.map

package/dist/src/output/markdown.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdown.js","sourceRoot":"","sources":["../../../src/output/markdown.ts"],"names":[],"mappings":"AAEA,MAAM,KAAK,GAA8B;IACvC,QAAQ,EAAE,IAAI;IACd,IAAI,EAAM,IAAI;IACd,MAAM,EAAI,IAAI;IACd,GAAG,EAAO,IAAI;IACd,IAAI,EAAM,IAAI;CACf,CAAC;AAEF,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAC3B,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,QAAQ,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,KAAK,OAAO,CAAC,KAAK,oBAAoB;QACtC,GAAG,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,cAAc;QACnD,GAAG,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,UAAU;QACvC,GAAG,KAAK,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,YAAY;QAC7C,GAAG,KAAK,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,SAAS;QACpC,GAAG,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ,CACvC,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC;IAEjE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IAErD,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YAClC,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACrB,OAAO,IAAI,CAAC,CAAC,EAAE,mCAAmC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3E,CAAC;YACD,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK;gBAAQ,OAAO,aAAa,CAAC,CAAC,OAAO,WAAW,CAAC,CAAC,KAAK,GAAG,CAAC;YAC/E,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW;gBAAE,OAAO,iBAAiB,CAAC,CAAC,WAAW,kBAAkB,CAAC,CAAC,eAAe,GAAG,CAAC;YACxG,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO;gBAAM,OAAO,gBAAgB,CAAC,CAAC,WAAW,gBAAgB,CAAC,CAAC,eAAe,GAAG,CAAC;YACrG,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU;gBAAG,OAAO,4BAA4B,CAAC,CAAC,aAAa,EAAE,CAAC;QACnF,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhB,KAAK,CAAC,IAAI,CACR,OAAO,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC,OAAO,QAAQ,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,SAAS,MAAM,OAAO,IAAI,CACnG,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/src/output/table.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from '../types.js';
+export declare function renderTable(result: ScanResult): string;
+//# sourceMappingURL=table.d.ts.map

package/dist/src/output/table.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"table.d.ts","sourceRoot":"","sources":["../../../src/output/table.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAa,UAAU,EAAE,MAAM,aAAa,CAAC;AAqCzD,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAmDtD"}

package/dist/src/output/table.js

@@ -0,0 +1,77 @@
+const C = {
+    reset: '\x1b[0m',
+    bold: '\x1b[1m',
+    dim: '\x1b[2m',
+    red: '\x1b[31m',
+    yellow: '\x1b[33m',
+    blue: '\x1b[34m',
+    cyan: '\x1b[36m',
+    green: '\x1b[32m',
+};
+const LEVEL_COLOR = {
+    critical: C.red,
+    high: C.yellow,
+    medium: C.blue,
+    low: C.cyan,
+    none: C.green,
+};
+const LEVEL_ICON = {
+    critical: '✖',
+    high: '▲',
+    medium: '●',
+    low: '◆',
+    none: '✔',
+};
+function col(text, level) {
+    return `${LEVEL_COLOR[level]}${text}${C.reset}`;
+}
+function pad(s, n) {
+    return s.length >= n ? s.slice(0, n - 1) + '…' : s.padEnd(n);
+}
+export function renderTable(result) {
+    const lines = [];
+    lines.push('');
+    lines.push(`${C.bold}ossrisk${C.reset}  ${C.dim}${result.manifest}${C.reset}`);
+    lines.push(`${C.dim}${result.scannedAt}${C.reset}`);
+    lines.push('');
+    const nameW = Math.min(42, Math.max(20, ...result.results.map(r => r.name.length + 2)));
+    lines.push(`  ${C.bold}${'Package'.padEnd(nameW)}${'Version'.padEnd(14)}${'Risk'.padEnd(11)}Details${C.reset}`);
+    lines.push('  ' + '─'.repeat(84));
+    for (const dep of result.results) {
+        const details = dep.signals.map(s => {
+            if (s.type === 'cve')
+                return `${s.id} (${s.severity})`;
+            if (s.type === 'eol')
+                return `EOL ${s.eolDate}`;
+            if (s.type === 'abandoned')
+                return `no release in ${s.monthsSince}mo`;
+            if (s.type === 'stale')
+                return `last release ${s.monthsSince}mo ago`;
+            if (s.type === 'outdated')
+                return `latest ${s.latestVersion}`;
+        }).join('  ');
+        const isClean = dep.riskLevel === 'none';
+        const icon = LEVEL_ICON[dep.riskLevel];
+        const name = pad(dep.name, nameW - 2);
+        lines.push(isClean
+            ? `  ${C.dim}${icon} ${name}  ${dep.version.padEnd(12)}  ${'—'.padEnd(9)}  —${C.reset}`
+            : `  ${col(`${icon} ${name}`, dep.riskLevel)}  ` +
+                `${dep.version.padEnd(12)}  ` +
+                `${col(dep.riskLevel.padEnd(9), dep.riskLevel)}  ` +
+                `${C.dim}${details}${C.reset}`);
+    }
+    const s = result.summary;
+    const parts = [
+        `${C.bold}${s.total}${C.reset} deps`,
+        s.critical ? col(`${s.critical} critical`, 'critical') : '',
+        s.high ? col(`${s.high} high`, 'high') : '',
+        s.medium ? col(`${s.medium} medium`, 'medium') : '',
+        s.low ? col(`${s.low} low`, 'low') : '',
+        col(`${s.clean} clean`, 'none'),
+    ].filter(Boolean);
+    lines.push('');
+    lines.push(`  ${parts.join('  ·  ')}`);
+    lines.push('');
+    return lines.join('\n');
+}
+//# sourceMappingURL=table.js.map

package/dist/src/output/table.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"table.js","sourceRoot":"","sources":["../../../src/output/table.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,GAAG;IACR,KAAK,EAAK,SAAS;IACnB,IAAI,EAAM,SAAS;IACnB,GAAG,EAAO,SAAS;IACnB,GAAG,EAAO,UAAU;IACpB,MAAM,EAAI,UAAU;IACpB,IAAI,EAAM,UAAU;IACpB,IAAI,EAAM,UAAU;IACpB,KAAK,EAAK,UAAU;CACrB,CAAC;AAEF,MAAM,WAAW,GAA8B;IAC7C,QAAQ,EAAE,CAAC,CAAC,GAAG;IACf,IAAI,EAAM,CAAC,CAAC,MAAM;IAClB,MAAM,EAAI,CAAC,CAAC,IAAI;IAChB,GAAG,EAAO,CAAC,CAAC,IAAI;IAChB,IAAI,EAAM,CAAC,CAAC,KAAK;CAClB,CAAC;AAEF,MAAM,UAAU,GAA8B;IAC5C,QAAQ,EAAE,GAAG;IACb,IAAI,EAAM,GAAG;IACb,MAAM,EAAI,GAAG;IACb,GAAG,EAAO,GAAG;IACb,IAAI,EAAM,GAAG;CACd,CAAC;AAEF,SAAS,GAAG,CAAC,IAAY,EAAE,KAAgB;IACzC,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,GAAG,CAAC,CAAS,EAAE,CAAS;IAC/B,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAkB;IAC5C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/E,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACxF,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,CAAC,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,CACpG,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAElC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YAClC,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK;gBAAQ,OAAO,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC;YAC7D,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK;gBAAQ,OAAO,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC;YACtD,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW;gBAAE,OAAO,iBAAiB,CAAC,CAAC,WAAW,IAAI,CAAC;YACtE,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO;gBAAM,OAAO,gBAAgB,CAAC,CAAC,WAAW,QAAQ,CAAC;YACzE,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU;gBAAG,OAAO,UAAU,CAAC,CAAC,aAAa,EAAE,CAAC;QACjE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,MAAM,OAAO,GAAG,GAAG,CAAC,SAAS,KAAK,MAAM,CAAC;QACzC,MAAM,IAAI,GAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAM,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QAEzC,KAAK,CAAC,IAAI,CACR,OAAO;YACL,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,IAAI,IAAI,IAAI,KAAK,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE;YACvF,CAAC,CAAC,KAAK,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI;gBAC9C,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI;gBAC7B,GAAG,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI;gBAClD,GAAG,CAAC,CAAC,GAAG,GAAG,OAAO,GAAG,CAAC,CAAC,KAAK,EAAE,CACnC,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,MAAM,KAAK,GAAG;QACZ,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,OAAO;QACpC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;QAC3D,CAAC,CAAC,IAAI,CAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,OAAO,EAAU,MAAM,CAAC,CAAK,CAAC,CAAC,EAAE;QAC5D,CAAC,CAAC,MAAM,CAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,SAAS,EAAO,QAAQ,CAAC,CAAG,CAAC,CAAC,EAAE;QAC7D,CAAC,CAAC,GAAG,CAAO,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,EAAa,KAAK,CAAC,CAAM,CAAC,CAAC,EAAE;QAC7D,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,QAAQ,EAAE,MAAM,CAAC;KAChC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAElB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/src/parsers/npm.d.ts

@@ -0,0 +1,3 @@
+import type { Dependency } from '../types.js';
+export declare function parseNpm(dir: string): Promise<Dependency[]>;
+//# sourceMappingURL=npm.d.ts.map

package/dist/src/parsers/npm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.d.ts","sourceRoot":"","sources":["../../../src/parsers/npm.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AA+C9C,wBAAsB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAEjE"}

package/dist/src/parsers/npm.js

@@ -0,0 +1,43 @@
+import { readFile } from 'fs/promises';
+import { join } from 'path';
+function cleanVersion(raw) {
+    // Strip range operators (^, ~, >=, etc.) and take the first concrete version
+    return raw
+        .replace(/^[^0-9]*/, '')
+        .split(/\s+/)[0]
+        .split('||')[0]
+        .trim();
+}
+async function fromLockfile(dir) {
+    try {
+        const content = await readFile(join(dir, 'package-lock.json'), 'utf-8');
+        const lock = JSON.parse(content);
+        if (!lock.packages)
+            return null;
+        return Object.entries(lock.packages)
+            .filter(([name, pkg]) => name !== '' && !pkg.dev && pkg.version)
+            .map(([name, pkg]) => ({
+            name: name.replace(/^node_modules\//, ''),
+            version: pkg.version,
+            ecosystem: 'npm',
+        }));
+    }
+    catch {
+        return null;
+    }
+}
+async function fromPackageJson(dir) {
+    const content = await readFile(join(dir, 'package.json'), 'utf-8');
+    const pkg = JSON.parse(content);
+    return Object.entries(pkg.dependencies ?? {})
+        .map(([name, version]) => ({
+        name,
+        version: cleanVersion(version),
+        ecosystem: 'npm',
+    }))
+        .filter(d => d.version && !d.version.includes('github') && !d.version.startsWith('file:'));
+}
+export async function parseNpm(dir) {
+    return (await fromLockfile(dir)) ?? (await fromPackageJson(dir));
+}
+//# sourceMappingURL=npm.js.map

package/dist/src/parsers/npm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.js","sourceRoot":"","sources":["../../../src/parsers/npm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,SAAS,YAAY,CAAC,GAAW;IAC/B,6EAA6E;IAC7E,OAAO,GAAG;SACP,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;SACvB,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SACf,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;SACd,IAAI,EAAE,CAAC;AACZ,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAE9B,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAEhC,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;aACjC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC;aAC/D,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;YACrB,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC;YACzC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,SAAS,EAAE,KAAc;SAC1B,CAAC,CAAC,CAAC;IACR,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;IACnE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAE7B,CAAC;IAEF,OAAO,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;SAC1C,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QACzB,IAAI;QACJ,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC;QAC9B,SAAS,EAAE,KAAc;KAC1B,CAAC,CAAC;SACF,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,GAAW;IACxC,OAAO,CAAC,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC"}

package/dist/src/parsers/python.d.ts

@@ -0,0 +1,3 @@
+import type { Dependency } from '../types.js';
+export declare function parsePython(dir: string): Promise<Dependency[]>;
+//# sourceMappingURL=python.d.ts.map

package/dist/src/parsers/python.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.d.ts","sourceRoot":"","sources":["../../../src/parsers/python.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAO9C,wBAAsB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAmBpE"}

package/dist/src/parsers/python.js

@@ -0,0 +1,24 @@
+import { readFile } from 'fs/promises';
+import { join } from 'path';
+function cleanVersion(spec) {
+    const match = spec.match(/[=~><!]+\s*([0-9][0-9a-zA-Z._-]*)/);
+    return match ? match[1] : spec.trim();
+}
+export async function parsePython(dir) {
+    const content = await readFile(join(dir, 'requirements.txt'), 'utf-8');
+    const deps = [];
+    for (const raw of content.split('\n')) {
+        const line = raw.split('#')[0].trim();
+        if (!line || line.startsWith('-'))
+            continue;
+        // e.g. "Django==4.2.0", "requests>=2.28.0", "flask~=2.3"
+        const match = line.match(/^([a-zA-Z0-9_.-]+)\s*([=~><!][=~>!]?\s*[0-9][0-9a-zA-Z._-]*)?/);
+        if (!match)
+            continue;
+        const name = match[1].toLowerCase().replace(/_/g, '-');
+        const version = match[2] ? cleanVersion(match[2]) : '0.0.0';
+        deps.push({ name, version, ecosystem: 'pypi' });
+    }
+    return deps;
+}
+//# sourceMappingURL=python.js.map

package/dist/src/parsers/python.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.js","sourceRoot":"","sources":["../../../src/parsers/python.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC9D,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAW;IAC3C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,EAAE,OAAO,CAAC,CAAC;IACvE,MAAM,IAAI,GAAiB,EAAE,CAAC;IAE9B,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAE5C,yDAAyD;QACzD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,+DAA+D,CAAC,CAAC;QAC1F,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAE5D,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/scanner.d.ts

@@ -0,0 +1,3 @@
+import type { ScanOptions, ScanResult } from './types.js';
+export declare function scan(opts: ScanOptions): Promise<ScanResult>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/src/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/scanner.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAMV,WAAW,EACX,UAAU,EACX,MAAM,YAAY,CAAC;AAyCpB,wBAAsB,IAAI,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA+CjE"}

package/dist/src/scanner.js

@@ -0,0 +1,74 @@
+import { existsSync } from 'fs';
+import { join } from 'path';
+import { checkCvesBatch } from './checkers/osv.js';
+import { checkActivity } from './checkers/activity.js';
+import { checkEol } from './checkers/eol.js';
+import { checkOutdated } from './checkers/outdated.js';
+import { parseNpm } from './parsers/npm.js';
+import { parsePython } from './parsers/python.js';
+const RISK_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
+function signalRisk(s) {
+    switch (s.type) {
+        case 'cve': return s.severity;
+        case 'eol': return 'high';
+        case 'abandoned': return 'medium';
+        case 'stale': return 'low';
+        case 'outdated': return 'low';
+    }
+}
+function maxRisk(signals) {
+    return signals.reduce((max, s) => {
+        const level = signalRisk(s);
+        return RISK_ORDER.indexOf(level) > RISK_ORDER.indexOf(max) ? level : max;
+    }, 'none');
+}
+async function detectAndParse(dir) {
+    if (existsSync(join(dir, 'package.json'))) {
+        const deps = await parseNpm(dir);
+        return { deps, manifest: join(dir, 'package.json') };
+    }
+    if (existsSync(join(dir, 'requirements.txt'))) {
+        const deps = await parsePython(dir);
+        return { deps, manifest: join(dir, 'requirements.txt') };
+    }
+    throw new Error('No supported manifest found. Supported: package.json, requirements.txt');
+}
+export async function scan(opts) {
+    const { deps, manifest } = await detectAndParse(opts.path);
+    // CVEs: one batched API call for all deps
+    const cveMap = opts.noCve
+        ? new Map()
+        : await checkCvesBatch(deps);
+    // EOL + activity: per-dep, run concurrently in controlled batches
+    const results = [];
+    for (let i = 0; i < deps.length; i += opts.concurrency) {
+        const batch = deps.slice(i, i + opts.concurrency);
+        const batchResults = await Promise.all(batch.map(async (dep) => {
+            const signals = [
+                ...(cveMap.get(`${dep.name}@${dep.version}`) ?? []),
+                ...(!opts.noEol ? await checkEol(dep) : []),
+                ...(!opts.noActivity ? await checkActivity(dep) : []),
+                ...(!opts.noOutdated ? await checkOutdated(dep) : []),
+            ];
+            return {
+                name: dep.name,
+                version: dep.version,
+                ecosystem: dep.ecosystem,
+                riskLevel: maxRisk(signals),
+                signals,
+            };
+        }));
+        results.push(...batchResults);
+    }
+    results.sort((a, b) => RISK_ORDER.indexOf(b.riskLevel) - RISK_ORDER.indexOf(a.riskLevel));
+    const summary = {
+        total: results.length,
+        critical: results.filter(r => r.riskLevel === 'critical').length,
+        high: results.filter(r => r.riskLevel === 'high').length,
+        medium: results.filter(r => r.riskLevel === 'medium').length,
+        low: results.filter(r => r.riskLevel === 'low').length,
+        clean: results.filter(r => r.riskLevel === 'none').length,
+    };
+    return { scannedAt: new Date().toISOString(), manifest, results, summary };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/src/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAU5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,MAAM,UAAU,GAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AAE9E,SAAS,UAAU,CAAC,CAAa;IAC/B,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;QACf,KAAK,KAAK,CAAC,CAAO,OAAO,CAAC,CAAC,QAAQ,CAAC;QACpC,KAAK,KAAK,CAAC,CAAO,OAAO,MAAM,CAAC;QAChC,KAAK,WAAW,CAAC,CAAC,OAAO,QAAQ,CAAC;QAClC,KAAK,OAAO,CAAC,CAAK,OAAO,KAAK,CAAC;QAC/B,KAAK,UAAU,CAAC,CAAE,OAAO,KAAK,CAAC;IACjC,CAAC;AACH,CAAC;AAED,SAAS,OAAO,CAAC,OAAqB;IACpC,OAAO,OAAO,CAAC,MAAM,CAAY,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5B,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;IAC3E,CAAC,EAAE,MAAM,CAAC,CAAC;AACb,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAW;IACvC,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC;IACvD,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,EAAE,CAAC;IAC3D,CAAC;IACD,MAAM,IAAI,KAAK,CACb,wEAAwE,CACzE,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAiB;IAC1C,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE3D,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK;QACvB,CAAC,CAAC,IAAI,GAAG,EAAuB;QAChC,CAAC,CAAC,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;IAE/B,kEAAkE;IAClE,MAAM,OAAO,GAAuB,EAAE,CAAC;IAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACvD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;QAClD,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAA6B,EAAE;YACjD,MAAM,OAAO,GAAiB;gBAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;gBACnD,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAM,CAAC,CAAC,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAO,CAAC,CAAC,EAAE,CAAC;gBACtD,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAE,CAAC,CAAC,MAAM,aAAa,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,EAAE,CAAC;gBACvD,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAE,CAAC,CAAC,MAAM,aAAa,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,EAAE,CAAC;aACxD,CAAC;YACF,OAAO;gBACL,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC;gBAC3B,OAAO;aACR,CAAC;QACJ,CAAC,CAAC,CACH,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,CAAC,IAAI,CACV,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAC5E,CAAC;IAEF,MAAM,OAAO,GAAG;QACd,KAAK,EAAK,OAAO,CAAC,MAAM;QACxB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,UAAU,CAAC,CAAC,MAAM;QAChE,IAAI,EAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,MAAM;QAC5D,MAAM,EAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,MAAM;QAC9D,GAAG,EAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC,MAAM;QAC3D,KAAK,EAAK,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,MAAM;KAC7D,CAAC;IAEF,OAAO,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC7E,CAAC"}

package/dist/src/types.d.ts

@@ -0,0 +1,65 @@
+export type Ecosystem = 'npm' | 'pypi' | 'maven' | 'cargo' | 'go';
+export type RiskLevel = 'none' | 'low' | 'medium' | 'high' | 'critical';
+export interface Dependency {
+    name: string;
+    version: string;
+    ecosystem: Ecosystem;
+}
+export interface CveSignal {
+    type: 'cve';
+    id: string;
+    severity: RiskLevel;
+    summary: string;
+}
+export interface EolSignal {
+    type: 'eol';
+    cycle: string;
+    eolDate: string;
+}
+export interface AbandonedSignal {
+    type: 'abandoned';
+    lastReleaseDate: string;
+    monthsSince: number;
+}
+export interface StaleSignal {
+    type: 'stale';
+    lastReleaseDate: string;
+    monthsSince: number;
+}
+export interface OutdatedSignal {
+    type: 'outdated';
+    latestVersion: string;
+}
+export type RiskSignal = CveSignal | EolSignal | AbandonedSignal | StaleSignal | OutdatedSignal;
+export interface DependencyResult {
+    name: string;
+    version: string;
+    ecosystem: Ecosystem;
+    riskLevel: RiskLevel;
+    signals: RiskSignal[];
+}
+export interface ScanSummary {
+    total: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    clean: number;
+}
+export interface ScanResult {
+    scannedAt: string;
+    manifest: string;
+    results: DependencyResult[];
+    summary: ScanSummary;
+}
+export interface ScanOptions {
+    path: string;
+    format: 'table' | 'json' | 'markdown';
+    failOn: RiskLevel | 'none';
+    concurrency: number;
+    noEol: boolean;
+    noCve: boolean;
+    noActivity: boolean;
+    noOutdated: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,IAAI,CAAC;AAElE,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAExE,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,KAAK,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,KAAK,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,WAAW,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,UAAU,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,GAAG,cAAc,CAAC;AAEhG,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,SAAS,CAAC;IACrB,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,UAAU,CAAC;IACtC,MAAM,EAAE,SAAS,GAAG,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,EAAE,OAAO,CAAC;CACrB"}

package/dist/src/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/src/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "ossrisk",
+  "version": "0.1.0",
+  "description": "Scan dependencies for long-term viability risk: EOL versions, CVEs, and abandonment signals",
+  "type": "module",
+  "bin": {
+    "ossrisk": "./dist/src/cli.js"
+  },
+  "main": "./dist/src/scanner.js",
+  "types": "./dist/src/scanner.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/src/scanner.d.ts",
+      "default": "./dist/src/scanner.js"
+    }
+  },
+  "files": [
+    "dist/"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/cli.ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepare": "npm run build",
+    "prepublishOnly": "npm test"
+  },
+  "keywords": ["security", "dependencies", "cve", "eol", "supply-chain", "sbom", "cli"],
+  "author": "DepKeep <hello@depkeep.com>",
+  "license": "MIT",
+  "dependencies": {
+    "commander": "^14.0.3"
+  },
+  "devDependencies": {
+    "typescript": "^5.4.0",
+    "@types/node": "^20.0.0",
+    "tsx": "^4.0.0",
+    "vitest": "^2.0.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/depkeep/ossrisk.git"
+  },
+  "homepage": "https://github.com/depkeep/ossrisk#readme",
+  "bugs": {
+    "url": "https://github.com/depkeep/ossrisk/issues"
+  }
+}