pnpmcheker 0.1.0

package/dist/analyzer/index.js

@@ -0,0 +1,765 @@
+import { access, readFile, stat } from "node:fs/promises";
+import path from "node:path";
+import YAML from "yaml";
+import { daysUntil, findMinimumNodeMajor, getNodeLine } from "./node-support.js";
+import { fetchPackageMetadata } from "./registry.js";
+const LOCKFILES = [
+    { file: "package-lock.json", manager: "npm" },
+    { file: "npm-shrinkwrap.json", manager: "npm" },
+    { file: "yarn.lock", manager: "yarn" },
+    { file: "pnpm-lock.yaml", manager: "pnpm" },
+    { file: "bun.lock", manager: "bun" },
+    { file: "bun.lockb", manager: "bun" }
+];
+const DEPENDENCY_SECTIONS = [
+    "dependencies",
+    "devDependencies",
+    "optionalDependencies",
+    "peerDependencies"
+];
+export async function analyzeProject(projectPath, options = {}) {
+    const targetPath = path.resolve(projectPath);
+    const now = options.now ?? new Date();
+    const checks = [];
+    const packageJsonPath = path.join(targetPath, "package.json");
+    const packageJson = await readJson(packageJsonPath);
+    if (!packageJson) {
+        checks.push({
+            id: "package-json-required",
+            category: "identity",
+            status: "fail",
+            title: "package.json is required",
+            summary: "No package.json was found at the selected path.",
+            recommendation: "Run this against an npm project root or add a package.json before evaluating project practices.",
+            evidence: [packageJsonPath]
+        });
+        return buildReport(targetPath, checks, [], [], now);
+    }
+    checks.push({
+        id: "package-json-present",
+        category: "identity",
+        status: "pass",
+        title: "Project manifest found",
+        summary: "package.json is present and readable.",
+        evidence: [packageJsonPath]
+    });
+    const packageManager = readString(packageJson.packageManager)?.split("@")[0];
+    const lockfiles = await detectLockfiles(targetPath);
+    addLockfileChecks(checks, lockfiles, packageManager, packageJson);
+    await addPnpmSecurityChecks(checks, targetPath, lockfiles, packageManager);
+    addRuntimeChecks(checks, packageJson, now);
+    await addNpmConfigChecks(checks, targetPath);
+    addScriptChecks(checks, packageJson);
+    await addAutomationChecks(checks, targetPath);
+    const tools = await suggestTools(targetPath, packageJson);
+    checks.push(...toolChecks(tools));
+    const packages = options.includeRegistryMetadata === false ? [] : await collectRegistryMetadata(packageJson);
+    addRegistryChecks(checks, packages, now);
+    return buildReport(targetPath, checks, tools, packages, now, readString(packageJson.name), readString(packageJson.packageManager));
+}
+function addLockfileChecks(checks, lockfiles, packageManager, packageJson) {
+    if (lockfiles.length === 0) {
+        checks.push({
+            id: "lockfile-present",
+            category: "lockfiles",
+            status: "fail",
+            title: "Lockfile is missing",
+            summary: "No package manager lockfile was found.",
+            recommendation: "Commit exactly one lockfile for applications so installs are reproducible in CI and on developer machines."
+        });
+    }
+    else {
+        checks.push({
+            id: "lockfile-present",
+            category: "lockfiles",
+            status: "pass",
+            title: "Lockfile is committed",
+            summary: `${lockfiles.map((lockfile) => lockfile.file).join(", ")} found.`,
+            evidence: lockfiles.map((lockfile) => lockfile.file)
+        });
+    }
+    if (lockfiles.length > 1) {
+        checks.push({
+            id: "single-lockfile",
+            category: "lockfiles",
+            status: "warn",
+            title: "Multiple lockfiles detected",
+            summary: "More than one package manager lockfile is present.",
+            recommendation: "Keep one lockfile that matches the package manager used by the team.",
+            evidence: lockfiles.map((lockfile) => lockfile.file)
+        });
+    }
+    else if (lockfiles.length === 1) {
+        checks.push({
+            id: "single-lockfile",
+            category: "lockfiles",
+            status: "pass",
+            title: "Single package manager lockfile",
+            summary: "Only one lockfile was detected."
+        });
+    }
+    if (!packageManager) {
+        checks.push({
+            id: "package-manager-pinned",
+            category: "lockfiles",
+            status: "warn",
+            title: "Package manager is not pinned",
+            summary: "package.json does not define the packageManager field.",
+            recommendation: "Add packageManager, such as npm@latest, pnpm@latest, or yarn@stable, so Corepack and CI use the same toolchain."
+        });
+    }
+    else {
+        checks.push({
+            id: "package-manager-pinned",
+            category: "lockfiles",
+            status: "pass",
+            title: "Package manager is pinned",
+            summary: `packageManager is set to ${packageJson.packageManager}.`
+        });
+    }
+    if (packageManager && lockfiles.length > 0) {
+        const matching = lockfiles.some((lockfile) => lockfile.manager === packageManager);
+        checks.push({
+            id: "lockfile-manager-match",
+            category: "lockfiles",
+            status: matching ? "pass" : "fail",
+            title: matching ? "Lockfile matches package manager" : "Lockfile does not match package manager",
+            summary: matching
+                ? `The detected lockfile matches ${packageManager}.`
+                : `packageManager is ${packageManager}, but detected lockfiles belong to ${lockfiles.map((lockfile) => lockfile.manager).join(", ")}.`,
+            recommendation: matching
+                ? undefined
+                : "Regenerate the lockfile with the pinned package manager and remove stale lockfiles."
+        });
+    }
+    const npmLock = lockfiles.find((lockfile) => lockfile.file === "package-lock.json");
+    if (npmLock?.version === "1") {
+        checks.push({
+            id: "package-lock-modern",
+            category: "lockfiles",
+            status: "warn",
+            title: "package-lock.json uses legacy format",
+            summary: "lockfileVersion 1 is from npm 6 and misses newer reproducibility metadata.",
+            recommendation: "Regenerate the lockfile with a current npm version."
+        });
+    }
+    else if (npmLock) {
+        checks.push({
+            id: "package-lock-modern",
+            category: "lockfiles",
+            status: "pass",
+            title: "package-lock.json uses a modern format",
+            summary: `lockfileVersion ${npmLock.version ?? "unknown"} detected.`
+        });
+    }
+    const directDeps = getDirectDependencyNames(packageJson);
+    if (directDeps.length === 0) {
+        checks.push({
+            id: "direct-dependencies-declared",
+            category: "lockfiles",
+            status: "info",
+            title: "No direct dependencies declared",
+            summary: "This package.json does not list dependencies or devDependencies."
+        });
+    }
+    else {
+        checks.push({
+            id: "direct-dependencies-declared",
+            category: "lockfiles",
+            status: "pass",
+            title: "Direct dependencies are declared",
+            summary: `${directDeps.length} direct dependency entries found.`
+        });
+    }
+}
+function addRuntimeChecks(checks, packageJson, now) {
+    const engines = asObject(packageJson.engines);
+    const nodeRange = readString(engines?.node);
+    if (!nodeRange) {
+        checks.push({
+            id: "node-engine-pinned",
+            category: "runtime",
+            status: "warn",
+            title: "Node version range is missing",
+            summary: "package.json does not define engines.node.",
+            recommendation: "Set engines.node to a supported LTS line and mirror it in CI."
+        });
+        return;
+    }
+    const minimumMajor = findMinimumNodeMajor(nodeRange);
+    const releaseLine = minimumMajor ? getNodeLine(minimumMajor) : undefined;
+    checks.push({
+        id: "node-engine-pinned",
+        category: "runtime",
+        status: "pass",
+        title: "Node version range is declared",
+        summary: `engines.node is set to ${nodeRange}.`
+    });
+    if (!minimumMajor || !releaseLine) {
+        checks.push({
+            id: "node-engine-supported",
+            category: "runtime",
+            status: "warn",
+            title: "Node support window could not be verified",
+            summary: `The analyzer could not map ${nodeRange} to a known Node release line.`,
+            recommendation: "Use a clear range such as >=22 <27 or >=24 <27."
+        });
+        return;
+    }
+    const remainingDays = daysUntil(releaseLine.eol, now);
+    if (releaseLine.status === "eol" || remainingDays < 0) {
+        checks.push({
+            id: "node-engine-supported",
+            category: "runtime",
+            status: "fail",
+            title: "Minimum Node version is end-of-life",
+            summary: `The minimum supported Node major appears to be ${minimumMajor}, which reached EOL on ${releaseLine.eol}.`,
+            recommendation: "Raise the supported runtime to an actively supported LTS line."
+        });
+    }
+    else if (remainingDays <= 180) {
+        checks.push({
+            id: "node-engine-supported",
+            category: "runtime",
+            status: "warn",
+            title: "Minimum Node version expires soon",
+            summary: `Node ${minimumMajor} reaches EOL on ${releaseLine.eol}.`,
+            recommendation: "Plan the runtime upgrade before the support window closes."
+        });
+    }
+    else {
+        checks.push({
+            id: "node-engine-supported",
+            category: "runtime",
+            status: "pass",
+            title: "Minimum Node version is supported",
+            summary: `Node ${minimumMajor} is supported until ${releaseLine.eol}.`
+        });
+    }
+}
+async function addNpmConfigChecks(checks, targetPath) {
+    const npmrcPath = path.join(targetPath, ".npmrc");
+    const npmrc = await readText(npmrcPath);
+    if (!npmrc) {
+        checks.push({
+            id: "npmrc-present",
+            category: "security",
+            status: "info",
+            title: "No project .npmrc found",
+            summary: "Project-specific npm config was not detected."
+        });
+        return;
+    }
+    const hasInlineToken = /:_authToken\s*=\s*(?!\$\{)[^\s]+/.test(npmrc);
+    checks.push({
+        id: "npm-token-not-committed",
+        category: "security",
+        status: hasInlineToken ? "fail" : "pass",
+        title: hasInlineToken ? "Committed npm token detected" : "No committed npm token detected",
+        summary: hasInlineToken
+            ? ".npmrc appears to contain a literal auth token."
+            : ".npmrc does not appear to contain a literal npm auth token.",
+        recommendation: hasInlineToken
+            ? "Use environment-variable substitution such as ${NPM_TOKEN} and rotate any exposed token."
+            : undefined,
+        evidence: [".npmrc"]
+    });
+    const engineStrict = /^engine-strict\s*=\s*true$/m.test(npmrc);
+    checks.push({
+        id: "engine-strict",
+        category: "runtime",
+        status: engineStrict ? "pass" : "warn",
+        title: engineStrict ? "engine-strict is enabled" : "engine-strict is not enabled",
+        summary: engineStrict
+            ? "npm will reject installs on unsupported Node versions."
+            : "npm may allow installs even when engines.node does not match.",
+        recommendation: engineStrict
+            ? undefined
+            : "Set engine-strict=true in .npmrc when the project relies on a specific supported Node range."
+    });
+}
+async function addPnpmSecurityChecks(checks, targetPath, lockfiles, packageManager) {
+    const usingPnpm = packageManager === "pnpm" || lockfiles.some((lockfile) => lockfile.manager === "pnpm");
+    if (!usingPnpm) {
+        checks.push({
+            id: "pnpm-security-profile",
+            category: "security",
+            status: "info",
+            title: "pnpm security profile is recommended",
+            summary: "This project is not using pnpm, so pnpm's dependency-age, build-approval, and trust-policy settings are not available.",
+            recommendation: "Evaluate migrating to pnpm, then commit pnpm-lock.yaml and add pnpm-workspace.yaml security settings for minimumReleaseAge, minimumReleaseAgeStrict, trustPolicy, and build approvals."
+        });
+        return;
+    }
+    checks.push({
+        id: "pnpm-security-profile",
+        category: "security",
+        status: "pass",
+        title: "pnpm is in use",
+        summary: "The project uses pnpm or has a pnpm lockfile, so pnpm security settings can be enforced."
+    });
+    const workspacePath = path.join(targetPath, "pnpm-workspace.yaml");
+    const workspace = await readYaml(workspacePath);
+    if (!workspace) {
+        checks.push({
+            id: "pnpm-workspace-security-config",
+            category: "security",
+            status: "warn",
+            title: "pnpm security settings are missing",
+            summary: "pnpm-workspace.yaml was not found.",
+            recommendation: "Add pnpm-workspace.yaml with minimumReleaseAge: 1440, minimumReleaseAgeStrict: true, trustPolicy: no-downgrade, and build-script approvals."
+        });
+        return;
+    }
+    checks.push({
+        id: "pnpm-workspace-security-config",
+        category: "security",
+        status: "pass",
+        title: "pnpm workspace settings found",
+        summary: "pnpm-workspace.yaml is present and readable.",
+        evidence: ["pnpm-workspace.yaml"]
+    });
+    const minimumReleaseAge = readNumber(workspace.minimumReleaseAge);
+    if (minimumReleaseAge === undefined) {
+        checks.push({
+            id: "pnpm-minimum-release-age",
+            category: "security",
+            status: "warn",
+            title: "pnpm minimumReleaseAge is not explicit",
+            summary: "The project does not explicitly delay newly published package versions.",
+            recommendation: "Set minimumReleaseAge: 1440 or higher so packages must age before installation."
+        });
+    }
+    else if (minimumReleaseAge < 1440) {
+        checks.push({
+            id: "pnpm-minimum-release-age",
+            category: "security",
+            status: "warn",
+            title: "pnpm minimumReleaseAge is low",
+            summary: `minimumReleaseAge is ${minimumReleaseAge} minutes.`,
+            recommendation: "Use at least 1440 minutes unless the project has a documented reason for a shorter delay."
+        });
+    }
+    else {
+        checks.push({
+            id: "pnpm-minimum-release-age",
+            category: "security",
+            status: "pass",
+            title: "pnpm minimumReleaseAge is enabled",
+            summary: `minimumReleaseAge is ${minimumReleaseAge} minutes.`
+        });
+    }
+    checks.push({
+        id: "pnpm-minimum-release-age-strict",
+        category: "security",
+        status: workspace.minimumReleaseAgeStrict === true ? "pass" : "warn",
+        title: workspace.minimumReleaseAgeStrict === true
+            ? "pnpm release-age strict mode is enabled"
+            : "pnpm release-age strict mode is not explicit",
+        summary: workspace.minimumReleaseAgeStrict === true
+            ? "minimumReleaseAgeStrict is set to true."
+            : "Installs may fall back to versions that do not satisfy the release-age policy.",
+        recommendation: workspace.minimumReleaseAgeStrict === true
+            ? undefined
+            : "Set minimumReleaseAgeStrict: true to make the release-age policy enforceable."
+    });
+    checks.push({
+        id: "pnpm-trust-policy",
+        category: "security",
+        status: workspace.trustPolicy === "no-downgrade" ? "pass" : "warn",
+        title: workspace.trustPolicy === "no-downgrade" ? "pnpm trustPolicy is enabled" : "pnpm trustPolicy is not enabled",
+        summary: workspace.trustPolicy === "no-downgrade"
+            ? "trustPolicy is set to no-downgrade."
+            : "The project is not checking for package trust-level downgrades.",
+        recommendation: workspace.trustPolicy === "no-downgrade"
+            ? undefined
+            : "Set trustPolicy: no-downgrade and add narrowly scoped trustPolicyExclude entries only when required."
+    });
+    const blockExoticSubdeps = workspace.blockExoticSubdeps;
+    checks.push({
+        id: "pnpm-block-exotic-subdeps",
+        category: "security",
+        status: blockExoticSubdeps === false ? "fail" : blockExoticSubdeps === true ? "pass" : "info",
+        title: blockExoticSubdeps === false
+            ? "pnpm blockExoticSubdeps is disabled"
+            : blockExoticSubdeps === true
+                ? "pnpm blockExoticSubdeps is enabled"
+                : "pnpm blockExoticSubdeps uses the pnpm default",
+        summary: blockExoticSubdeps === false
+            ? "Transitive dependencies may use exotic sources such as git repositories or tarball URLs."
+            : blockExoticSubdeps === true
+                ? "Transitive dependencies are blocked from using exotic sources."
+                : "Modern pnpm defaults block exotic transitive dependency sources.",
+        recommendation: blockExoticSubdeps === false ? "Set blockExoticSubdeps: true." : undefined
+    });
+    const allowBuilds = asObject(workspace.allowBuilds);
+    const onlyBuiltDependencies = Array.isArray(workspace.onlyBuiltDependencies)
+        ? workspace.onlyBuiltDependencies
+        : undefined;
+    const ignoredBuiltDependencies = Array.isArray(workspace.ignoredBuiltDependencies)
+        ? workspace.ignoredBuiltDependencies
+        : undefined;
+    const hasBuildPolicy = Boolean(allowBuilds && Object.keys(allowBuilds).length > 0) ||
+        Boolean(onlyBuiltDependencies?.length) ||
+        Boolean(ignoredBuiltDependencies?.length);
+    checks.push({
+        id: "pnpm-build-approvals",
+        category: "security",
+        status: hasBuildPolicy ? "pass" : "warn",
+        title: hasBuildPolicy ? "pnpm build approvals are configured" : "pnpm build approvals are not configured",
+        summary: hasBuildPolicy
+            ? "The workspace has an allow/deny policy for dependency install scripts."
+            : "No allowBuilds, onlyBuiltDependencies, or ignoredBuiltDependencies policy was found.",
+        recommendation: hasBuildPolicy
+            ? undefined
+            : "Run pnpm approve-builds and commit the resulting build-script allow/deny policy."
+    });
+}
+function addScriptChecks(checks, packageJson) {
+    const scripts = asObject(packageJson.scripts) ?? {};
+    const hasTest = Boolean(readString(scripts.test)) && readString(scripts.test) !== 'echo "Error: no test specified" && exit 1';
+    const hasLint = Boolean(readString(scripts.lint));
+    const hasTypecheck = Boolean(readString(scripts.typecheck) ?? readString(scripts["type-check"]) ?? readString(scripts.tsc));
+    checks.push({
+        id: "test-script",
+        category: "quality",
+        status: hasTest ? "pass" : "warn",
+        title: hasTest ? "Test script is defined" : "Test script is missing",
+        summary: hasTest ? `test runs: ${scripts.test}` : "package.json does not define a useful test script.",
+        recommendation: hasTest ? undefined : "Add a deterministic test command that CI can run."
+    });
+    checks.push({
+        id: "lint-script",
+        category: "quality",
+        status: hasLint ? "pass" : "warn",
+        title: hasLint ? "Lint script is defined" : "Lint script is missing",
+        summary: hasLint ? `lint runs: ${scripts.lint}` : "package.json does not define a lint script.",
+        recommendation: hasLint ? undefined : "Add linting so code-style and likely bug checks run before review."
+    });
+    checks.push({
+        id: "typecheck-script",
+        category: "quality",
+        status: hasTypecheck ? "pass" : "info",
+        title: hasTypecheck ? "Typecheck script is defined" : "Typecheck script is not defined",
+        summary: hasTypecheck ? "A type checking script is available." : "No dedicated type checking script was detected.",
+        recommendation: hasTypecheck ? undefined : "For TypeScript projects, add a typecheck script such as tsc --noEmit."
+    });
+}
+async function addAutomationChecks(checks, targetPath) {
+    const hasGithubActions = await exists(path.join(targetPath, ".github", "workflows"));
+    const hasDependabot = (await exists(path.join(targetPath, ".github", "dependabot.yml"))) ||
+        (await exists(path.join(targetPath, ".github", "dependabot.yaml")));
+    const hasRenovate = (await exists(path.join(targetPath, "renovate.json"))) ||
+        (await exists(path.join(targetPath, ".github", "renovate.json")));
+    checks.push({
+        id: "ci-present",
+        category: "automation",
+        status: hasGithubActions ? "pass" : "warn",
+        title: hasGithubActions ? "CI workflow folder found" : "CI workflow folder is missing",
+        summary: hasGithubActions ? ".github/workflows exists." : "No GitHub Actions workflow folder was found.",
+        recommendation: hasGithubActions
+            ? undefined
+            : "Add CI that runs install, lint, tests, typecheck, and audit checks on pull requests."
+    });
+    checks.push({
+        id: "dependency-update-automation",
+        category: "maintenance",
+        status: hasDependabot || hasRenovate ? "pass" : "warn",
+        title: hasDependabot || hasRenovate ? "Dependency update automation found" : "Dependency update automation is missing",
+        summary: hasDependabot
+            ? "Dependabot config found."
+            : hasRenovate
+                ? "Renovate config found."
+                : "No Dependabot or Renovate config was found.",
+        recommendation: hasDependabot || hasRenovate
+            ? undefined
+            : "Add Renovate or Dependabot so dependency and lockfile updates are reviewed continuously."
+    });
+}
+async function suggestTools(targetPath, packageJson) {
+    const allDeps = new Set(getDirectDependencyNames(packageJson));
+    const scripts = asObject(packageJson.scripts) ?? {};
+    const packageManager = readString(packageJson.packageManager)?.split("@")[0];
+    const hasTsconfig = await exists(path.join(targetPath, "tsconfig.json"));
+    const hasEslintConfig = await anyExists(targetPath, [
+        "eslint.config.js",
+        "eslint.config.mjs",
+        ".eslintrc",
+        ".eslintrc.json",
+        ".eslintrc.js"
+    ]);
+    const hasPrettierConfig = await anyExists(targetPath, [
+        ".prettierrc",
+        ".prettierrc.json",
+        ".prettierrc.js",
+        "prettier.config.js",
+        "prettier.config.mjs"
+    ]);
+    const hasVitest = allDeps.has("vitest") || /vitest/.test(readString(scripts.test) ?? "");
+    const hasJest = allDeps.has("jest") || /jest/.test(readString(scripts.test) ?? "");
+    const hasLockfileLint = allDeps.has("lockfile-lint");
+    const hasLintStaged = allDeps.has("lint-staged");
+    const hasHusky = allDeps.has("husky") || (await exists(path.join(targetPath, ".husky")));
+    const hasPnpm = packageManager === "pnpm" || (await exists(path.join(targetPath, "pnpm-lock.yaml")));
+    return [
+        {
+            name: "pnpm",
+            purpose: "Package manager with lockfile-focused installs, strict dependency layout, release-age gates, trust policy checks, and dependency build approvals.",
+            install: "corepack enable && corepack use pnpm@latest",
+            configHint: "Commit pnpm-lock.yaml and add pnpm-workspace.yaml with minimumReleaseAge, minimumReleaseAgeStrict, trustPolicy, and build approvals.",
+            priority: "high",
+            present: hasPnpm
+        },
+        {
+            name: "TypeScript",
+            purpose: "Static typing and API drift detection.",
+            install: "npm install -D typescript @types/node",
+            configHint: "Add tsconfig.json and a typecheck script.",
+            priority: "high",
+            present: hasTsconfig || allDeps.has("typescript")
+        },
+        {
+            name: "ESLint",
+            purpose: "Static analysis for common JavaScript and TypeScript defects.",
+            install: "npm install -D eslint",
+            configHint: "Use eslint.config.js and wire npm run lint into CI.",
+            priority: "high",
+            present: hasEslintConfig || allDeps.has("eslint")
+        },
+        {
+            name: "Prettier",
+            purpose: "Consistent formatting with low review noise.",
+            install: "npm install -D prettier",
+            configHint: "Add a format:check script for CI.",
+            priority: "medium",
+            present: hasPrettierConfig || allDeps.has("prettier")
+        },
+        {
+            name: "Vitest or Jest",
+            purpose: "Fast deterministic unit and integration tests.",
+            install: "npm install -D vitest",
+            configHint: "Add a test script that exits non-zero on failure.",
+            priority: "high",
+            present: hasVitest || hasJest
+        },
+        {
+            name: "lockfile-lint",
+            purpose: "Validate lockfile hosts, schemes, and integrity metadata.",
+            install: "npm install -D lockfile-lint",
+            configHint: "Run it in CI against the committed lockfile.",
+            priority: "medium",
+            present: hasLockfileLint
+        },
+        {
+            name: "lint-staged + Husky",
+            purpose: "Run cheap local checks only on files being committed.",
+            install: "npm install -D lint-staged husky",
+            configHint: "Keep hooks fast and leave full test suites to CI.",
+            priority: "low",
+            present: hasLintStaged && hasHusky
+        }
+    ];
+}
+function toolChecks(tools) {
+    return tools.map((tool) => ({
+        id: `tool-${tool.name
+            .toLowerCase()
+            .replace(/[^a-z0-9]+/g, "-")
+            .replace(/(^-|-$)/g, "")}`,
+        category: "quality",
+        status: tool.present ? "pass" : tool.priority === "high" ? "warn" : "info",
+        title: tool.present ? `${tool.name} is present` : `${tool.name} is recommended`,
+        summary: tool.present ? `${tool.name} appears to be configured or installed.` : tool.purpose,
+        recommendation: tool.present ? undefined : `${tool.install}. ${tool.configHint ?? ""}`.trim()
+    }));
+}
+async function collectRegistryMetadata(packageJson) {
+    const directDeps = getDirectDependencyNames(packageJson);
+    const names = [...new Set(directDeps)].slice(0, 60);
+    const results = await Promise.all(names.map((name) => fetchPackageMetadata(name)));
+    return results.sort((a, b) => a.name.localeCompare(b.name));
+}
+function addRegistryChecks(checks, packages, now) {
+    if (packages.length === 0) {
+        checks.push({
+            id: "registry-metadata",
+            category: "maintenance",
+            status: "info",
+            title: "Registry metadata not checked",
+            summary: "Registry checks were skipped or no dependencies were found."
+        });
+        return;
+    }
+    const deprecated = packages.filter((pkg) => pkg.deprecated);
+    checks.push({
+        id: "deprecated-packages",
+        category: "maintenance",
+        status: deprecated.length > 0 ? "fail" : "pass",
+        title: deprecated.length > 0 ? "Deprecated packages detected" : "No deprecated latest packages detected",
+        summary: deprecated.length > 0
+            ? `${deprecated.length} direct package latest versions are marked deprecated.`
+            : "The npm registry did not report deprecation on the latest version of direct packages.",
+        recommendation: deprecated.length > 0 ? "Replace deprecated packages or move to maintained alternatives." : undefined,
+        evidence: deprecated.map((pkg) => `${pkg.name}: ${pkg.deprecated}`)
+    });
+    const stale = packages.filter((pkg) => {
+        if (!pkg.modified)
+            return false;
+        const ageMs = now.getTime() - new Date(pkg.modified).getTime();
+        return ageMs > 730 * 86_400_000;
+    });
+    checks.push({
+        id: "stale-package-activity",
+        category: "maintenance",
+        status: stale.length > 0 ? "warn" : "pass",
+        title: stale.length > 0 ? "Packages with stale registry activity" : "Direct package metadata looks active",
+        summary: stale.length > 0
+            ? `${stale.length} direct packages have not been modified in over two years.`
+            : "Direct package registry metadata has recent modification dates.",
+        recommendation: stale.length > 0
+            ? "Review stale packages for maintenance risk before relying on them in critical paths."
+            : undefined,
+        evidence: stale.map((pkg) => `${pkg.name}: ${pkg.modified}`)
+    });
+}
+async function detectLockfiles(targetPath) {
+    const found = [];
+    for (const lockfile of LOCKFILES) {
+        const fullPath = path.join(targetPath, lockfile.file);
+        if (!(await exists(fullPath))) {
+            continue;
+        }
+        if (lockfile.file === "package-lock.json" || lockfile.file === "npm-shrinkwrap.json") {
+            const json = await readJson(fullPath);
+            found.push({
+                ...lockfile,
+                version: readString(json?.lockfileVersion) ??
+                    (typeof json?.lockfileVersion === "number" ? String(json.lockfileVersion) : undefined)
+            });
+        }
+        else if (lockfile.file === "pnpm-lock.yaml") {
+            const text = await readText(fullPath);
+            const parsed = text ? YAML.parse(text) : undefined;
+            found.push({
+                ...lockfile,
+                version: readString(parsed?.lockfileVersion) ??
+                    (typeof parsed?.lockfileVersion === "number" ? String(parsed.lockfileVersion) : undefined)
+            });
+        }
+        else {
+            found.push(lockfile);
+        }
+    }
+    return found;
+}
+function buildReport(targetPath, checks, tools, packages, now, packageName, packageManager) {
+    const pass = checks.filter((check) => check.status === "pass").length;
+    const warn = checks.filter((check) => check.status === "warn").length;
+    const fail = checks.filter((check) => check.status === "fail").length;
+    const info = checks.filter((check) => check.status === "info").length;
+    const scored = pass + warn + fail;
+    const value = scored === 0 ? 0 : Math.max(0, Math.round(((pass + warn * 0.45) / scored) * 100));
+    return {
+        targetPath,
+        generatedAt: now.toISOString(),
+        packageName,
+        packageManager,
+        score: { value, pass, warn, fail, info },
+        checks,
+        tools,
+        packages
+    };
+}
+function getDirectDependencyNames(packageJson) {
+    const names = new Set();
+    for (const section of DEPENDENCY_SECTIONS) {
+        const dependencies = asObject(packageJson[section]);
+        if (!dependencies)
+            continue;
+        for (const name of Object.keys(dependencies)) {
+            names.add(name);
+        }
+    }
+    return [...names].sort();
+}
+async function readJson(filePath) {
+    const text = await readText(filePath);
+    if (!text)
+        return undefined;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return undefined;
+    }
+}
+async function readYaml(filePath) {
+    const text = await readText(filePath);
+    if (!text)
+        return undefined;
+    try {
+        return YAML.parse(text);
+    }
+    catch {
+        return undefined;
+    }
+}
+async function readText(filePath) {
+    try {
+        return await readFile(filePath, "utf8");
+    }
+    catch {
+        return undefined;
+    }
+}
+async function exists(filePath) {
+    try {
+        await access(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function anyExists(targetPath, filenames) {
+    for (const filename of filenames) {
+        if (await exists(path.join(targetPath, filename))) {
+            return true;
+        }
+    }
+    return false;
+}
+function asObject(value) {
+    if (value && typeof value === "object" && !Array.isArray(value)) {
+        return value;
+    }
+    return undefined;
+}
+function readString(value) {
+    if (typeof value === "string" && value.trim().length > 0) {
+        return value;
+    }
+    if (typeof value === "number") {
+        return String(value);
+    }
+    return undefined;
+}
+function readNumber(value) {
+    if (typeof value === "number" && Number.isFinite(value)) {
+        return value;
+    }
+    if (typeof value === "string" && value.trim().length > 0) {
+        const parsed = Number(value);
+        return Number.isFinite(parsed) ? parsed : undefined;
+    }
+    return undefined;
+}
+export async function isDirectory(filePath) {
+    try {
+        return (await stat(filePath)).isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=index.js.map