react-doctor 0.5.8-dev.31c0657 → 0.5.8-dev.5774deb

package/dist/index.js

@@ -1,5 +1,5 @@
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="33508ee6-c977-5b5f-8585-9939928ce74d")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="b9d1a98e-f5ec-5357-a08b-f84864fdfa20")}catch(e){}}();
 import { r as __toESM$1, t as __commonJSMin$1 } from "./chunk-N93fKeF6.js";
 import { createRequire } from "node:module";
 import * as NFS from "node:fs";
@@ -5996,7 +5996,7 @@ const composePassthrough = /* @__PURE__ */ dual(2, (left, right) => (input) => {
 * @since 2.0.0
 */
 const Scheduler = /* @__PURE__ */ Reference("effect/Scheduler", { defaultValue: () => new MixedScheduler() });
-const setImmediate = "setImmediate" in globalThis ? (f) => {
+const setImmediate$1 = "setImmediate" in globalThis ? (f) => {
 	const timer = globalThis.setImmediate(f);
 	return () => globalThis.clearImmediate(timer);
 } : (f) => {
@@ -6040,7 +6040,7 @@ var PriorityBuckets = class {
 var MixedScheduler = class {
 	executionMode;
 	setImmediate;
-	constructor(executionMode = "async", setImmediateFn = setImmediate) {
+	constructor(executionMode = "async", setImmediateFn = setImmediate$1) {
 		this.executionMode = executionMode;
 		this.setImmediate = setImmediateFn;
 	}
@@ -6065,7 +6065,7 @@ var MixedSchedulerDispatcher = class {
 	tasks = /* @__PURE__ */ new PriorityBuckets();
 	running = void 0;
 	setImmediate;
-	constructor(setImmediateFn = setImmediate) {
+	constructor(setImmediateFn = setImmediate$1) {
 		this.setImmediate = setImmediateFn;
 	}
 	/**
@@ -33694,6 +33694,7 @@ const MILLISECONDS_PER_SECOND = 1e3;
 const SCORE_API_URL = "https://www.react.doctor/api/score";
 const FETCH_TIMEOUT_MS = 1e4;
 const GITHUB_VIEWER_PERMISSION_TIMEOUT_MS = 2e3;
+const SPAWN_ARGS_MAX_LENGTH_CHARS = 24e3;
 const PER_WORKER_MEM_BUDGET_BYTES = 1024 * 1024 * 1024;
 const DEFAULT_BRANCH_CANDIDATES = ["main", "master"];
 const ADOPTABLE_LINT_CONFIG_FILENAMES = [".oxlintrc.json", ".eslintrc.json"];
@@ -33751,6 +33752,7 @@ const DEAD_CODE_PHASE_TIMEOUT_MS = 15e4;
 const LINT_PHASE_TIMEOUT_MS = 3e5;
 const SCAN_TOTAL_DEADLINE_MS = 9e5;
 const DEAD_CODE_WORKER_MAX_OLD_SPACE_MB = 8192;
+const DEAD_CODE_WORKER_MEM_BUDGET_BYTES = 2 * 1024 * 1024 * 1024;
 const DEAD_CODE_TIMEOUT_CEILING_MS = 6e5;
 const DEAD_CODE_PHASE_TIMEOUT_OVER_WORKER_MS = 3e4;
 const DEAD_CODE_OVERLAP_PARSE_SHARE = .4;
@@ -34487,7 +34489,10 @@ for (const [legacyRuleKey, nativeRuleKey] of Object.entries(LEGACY_RULE_KEY_TO_N
 	NATIVE_RULE_KEY_TO_LEGACY_RULE_KEYS.set(nativeRuleKey, aliases);
 }
 const getLegacyRuleKeysForNative = (ruleKey) => NATIVE_RULE_KEY_TO_LEGACY_RULE_KEYS.get(ruleKey) ?? [];
-const canonicalizeRuleKey = (ruleKey) => LEGACY_RULE_KEY_TO_NATIVE_RULE_KEY[ruleKey] ?? ruleKey;
+const canonicalizeRuleKey = (ruleKey) => {
+	const nativeRuleKey = LEGACY_RULE_KEY_TO_NATIVE_RULE_KEY[ruleKey];
+	return typeof nativeRuleKey === "string" ? nativeRuleKey : ruleKey;
+};
 const isReactDoctorShortIdOf = (bareRuleKey, qualifiedRuleKey) => !bareRuleKey.includes("/") && qualifiedRuleKey === `react-doctor/${bareRuleKey}`;
 const isSameRuleKey = (candidateRuleKey, targetRuleKey) => {
 	const canonicalCandidate = canonicalizeRuleKey(candidateRuleKey);
@@ -35365,7 +35370,7 @@ const resolveScanConcurrency = (requested) => {
 	if (!Number.isFinite(requested) || requested < 1) return 1;
 	return Math.min(Math.floor(requested), 32);
 };
-const readSystemFacts = () => ({
+const readSystemFacts$1 = () => ({
 	availableCores: os.availableParallelism(),
 	totalMemoryBytes: os.totalmem(),
 	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
@@ -35386,7 +35391,7 @@ const readSystemFacts = () => ({
 * `facts` is injectable so tests exercise core-bound, memory-bound, cgroup-
 * limited, and ceiling cases without mocking `os` or the filesystem.
 */
-const resolveAutoScanConcurrency = (facts = readSystemFacts()) => {
+const resolveAutoScanConcurrency = (facts = readSystemFacts$1()) => {
 	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
 	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / PER_WORKER_MEM_BUDGET_BYTES);
 	return resolveScanConcurrency(Math.min(facts.availableCores, memoryBoundedWorkers));
@@ -35577,6 +35582,12 @@ const BOOLEAN_FIELD_NAMES = [
 	"adoptExistingLintConfig"
 ];
 const STRING_FIELD_NAMES = ["rootDir"];
+const STRING_ARRAY_FIELD_NAMES = [
+	"projects",
+	"textComponents",
+	"rawTextWrapperComponents",
+	"serverAuthFunctionNames"
+];
 const SURFACE_CONTROL_FIELD_NAMES = [
 	"includeTags",
 	"excludeTags",
@@ -35678,6 +35689,7 @@ const validateConfigTypes = (config) => {
 	const validated = { ...config };
 	for (const fieldName of BOOLEAN_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => coerceMaybeBooleanString(fieldName, value));
 	for (const fieldName of STRING_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => validateString(fieldName, value));
+	for (const fieldName of STRING_ARRAY_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => validateStringArrayField(fieldName, value));
 	applyFieldValidator(config, validated, "surfaces", validateSurfacesField);
 	for (const fieldName of SEVERITY_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => validateSeverityMap(fieldName, value, fieldName === "categories"));
 	applyFieldValidator(config, validated, "plugins", (value) => validateStringArrayField("plugins", value));
@@ -36912,7 +36924,10 @@ const shouldEnableRule = (requires, tags, capabilities, ignoredTags, disabledBy)
 	}
 	return true;
 };
-const checkSecurityScan = (rootDirectory, options = {}) => {
+const yieldToEventLoop = () => new Promise((resolve) => {
+	setImmediate(resolve);
+});
+const createSecurityScanSession = (rootDirectory, options) => {
 	const capabilities = options.project ? buildCapabilities(options.project) : /* @__PURE__ */ new Set();
 	const ignoredTags = options.ignoredTags ?? /* @__PURE__ */ new Set();
 	const enabledScanRules = REACT_DOCTOR_RULES.flatMap((entry) => {
@@ -36927,7 +36942,7 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 			committedFilesOnly: rule.committedFilesOnly === true
 		}];
 	});
-	if (enabledScanRules.length === 0) return [];
+	if (enabledScanRules.length === 0) return null;
 	const diagnostics = [];
 	const seen = /* @__PURE__ */ new Set();
 	const gitIgnoredCache = /* @__PURE__ */ new Map();
@@ -36939,15 +36954,34 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 		}
 		return status === true;
 	};
-	for (const file of collectSecurityScanFiles(rootDirectory)) for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
-		if (committedFilesOnly && isFileGitIgnored(file)) continue;
-		const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
-		const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		diagnostics.push(diagnostic);
+	const scanFile = (file) => {
+		for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
+			if (committedFilesOnly && isFileGitIgnored(file)) continue;
+			const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
+			const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			diagnostics.push(diagnostic);
+		}
+	};
+	return {
+		scanFile,
+		diagnostics
+	};
+};
+const checkSecurityScanCooperative = async (rootDirectory, options = {}) => {
+	const session = createSecurityScanSession(rootDirectory, options);
+	if (session === null) return [];
+	let filesSinceYield = 0;
+	for (const file of collectSecurityScanFiles(rootDirectory)) {
+		session.scanFile(file);
+		filesSinceYield += 1;
+		if (filesSinceYield >= 16) {
+			filesSinceYield = 0;
+			await yieldToEventLoop();
+		}
 	}
-	return diagnostics;
+	return session.diagnostics;
 };
 var import_picocolors = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports, module) => {
 	let p = process || {}, argv = p.argv || [], env = p.env || {};
@@ -37164,6 +37198,74 @@ const collectDeadCodeIgnorePatterns = (rootDirectory) => {
 	return [...seen].filter((pattern) => pattern.length > 0);
 };
 const collectDeadCodeEntryPatterns = (rootDirectory) => [...new Set(collectKnipPatterns(rootDirectory, "entry"))].filter((pattern) => pattern.length > 0);
+const readSystemFacts = () => ({
+	availableCores: os.availableParallelism(),
+	totalMemoryBytes: os.totalmem(),
+	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
+});
+/**
+* How many real deslop dead-code child processes may run at once, across the
+* concurrent per-project `runInspect` fibers of one CLI run. The cap is the
+* smaller of the core count and the number of `DEAD_CODE_WORKER_MEM_BUDGET_BYTES`
+* workers that fit in available memory, floored at 1.
+*
+* On a roomy dev box / CI runner this resolves high enough that every
+* concurrently-scanned project still spawns its own worker (no serialization vs
+* the prior uncapped behavior); on a memory-constrained runner it collapses
+* toward 1, so the `withDeadCodeWorkerSlot` semaphore serializes the spawns
+* instead of oversubscribing memory with N simultaneous children — the global
+* cap the per-project spawn path lacked.
+*
+* Mirrors `resolveAutoScanConcurrency` (lint), but budgets memory per the
+* heavier dead-code worker. `facts` is injectable for tests.
+*/
+const resolveDeadCodeConcurrency = (facts = readSystemFacts()) => {
+	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
+	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / DEAD_CODE_WORKER_MEM_BUDGET_BYTES);
+	return Math.max(1, Math.min(facts.availableCores, memoryBoundedWorkers));
+};
+let availableSlots = -1;
+const waiters = [];
+const releaseSlot = () => {
+	const nextWaiter = waiters.shift();
+	if (nextWaiter !== void 0) nextWaiter();
+	else availableSlots += 1;
+};
+/**
+* Runs `task` once a dead-code worker slot is free, releasing the slot when the
+* task settles (success or failure). With a high cap (roomy machine) every
+* caller proceeds immediately; with a low cap (constrained runner) callers
+* queue and run as slots free.
+*
+* `abortSignal` short-circuits the WAIT: if it's already aborted, or fires while
+* this caller is queued, the call rejects without acquiring a slot or running
+* `task` — so a cancelled scan (e.g. lint failed) doesn't sit in the queue and
+* then spawn a child only to tear it down. A queued caller that aborts removes
+* its own waiter so a later release never hands a slot to a dead request.
+*/
+const withDeadCodeWorkerSlot = async (task, abortSignal) => {
+	if (abortSignal?.aborted) throw new Error("Dead-code worker aborted.");
+	if (availableSlots < 0) availableSlots = resolveDeadCodeConcurrency();
+	if (availableSlots > 0) availableSlots -= 1;
+	else await new Promise((resolve, reject) => {
+		const waiter = () => {
+			abortSignal?.removeEventListener("abort", onAbort);
+			resolve();
+		};
+		const onAbort = () => {
+			const queuedIndex = waiters.indexOf(waiter);
+			if (queuedIndex !== -1) waiters.splice(queuedIndex, 1);
+			reject(/* @__PURE__ */ new Error("Dead-code worker aborted."));
+		};
+		waiters.push(waiter);
+		abortSignal?.addEventListener("abort", onAbort, { once: true });
+	});
+	try {
+		return await task();
+	} finally {
+		releaseSlot();
+	}
+};
 /**
 * Resolves a path to its canonical, symlink-free form, falling back to
 * the input when it cannot be realpath'd (broken symlink, permission
@@ -37454,14 +37556,17 @@ const checkDeadCode = async (options) => {
 	if (!NFS.existsSync(Path.join(rootDirectory, "package.json"))) return [];
 	const entryPatterns = collectDeadCodeEntryPatterns(rootDirectory);
 	const ignorePatterns = collectDeadCodeIgnorePatterns(rootDirectory);
-	const result = parseDeadCodeWorkerResult(await runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
-		rootDirectory,
-		entryPatterns,
-		tsConfigPath: resolveTsConfigPath(rootDirectory),
-		ignorePatterns,
-		deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
-		parseConcurrency: options.parseConcurrency
-	}), options.workerTimeoutMs ?? 12e4, options.abortSignal));
+	const spawnAndRun = () => {
+		return runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
+			rootDirectory,
+			entryPatterns,
+			tsConfigPath: resolveTsConfigPath(rootDirectory),
+			ignorePatterns,
+			deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
+			parseConcurrency: options.parseConcurrency
+		}), options.workerTimeoutMs ?? 12e4, options.abortSignal);
+	};
+	const result = parseDeadCodeWorkerResult(options.createWorker === void 0 ? await withDeadCodeWorkerSlot(spawnAndRun, options.abortSignal) : await spawnAndRun());
 	const toRelative = (filePath) => toRelativeFilePath(rootDirectory, filePath);
 	const diagnostics = [];
 	for (const unusedFile of result.unusedFiles) diagnostics.push({
@@ -37862,43 +37967,46 @@ var Git = class Git extends Service()("react-doctor/Git") {
 		* reason: GitInvocationFailed })` so the rest of the codebase
 		* sees a single failure channel.
 		*/
-		const runCommand = (input) => scoped(gen(function* () {
-			const handle = yield* spawner.spawn(make$1(input.command, [...input.args], {
-				cwd: input.directory,
-				env: input.env,
-				extendEnv: true
-			}));
-			const maxStdoutBytes = input.maxStdoutBytes;
-			const stdoutByteCount = yield* make$13(0);
-			const [stdout, stderr, status] = yield* all([
-				mkString(decodeText(maxStdoutBytes === void 0 ? handle.stdout : handle.stdout.pipe(tap((chunk) => updateAndGet(stdoutByteCount, (total) => total + chunk.length).pipe(flatMap$2((total) => total > maxStdoutBytes ? fail$4(new ReactDoctorError({ reason: new GitInvocationFailed({
-					args: [...input.args],
-					directory: input.directory,
-					cause: /* @__PURE__ */ new Error(`git stdout exceeded ${maxStdoutBytes} bytes`)
-				}) })) : void_)))))),
-				mkString(decodeText(handle.stderr)),
-				handle.exitCode
-			], { concurrency: 3 });
-			return {
-				status,
-				stdout,
-				stderr
-			};
-		})).pipe(catchTag$1("PlatformError", (cause) => {
-			if (input.command !== "git") return succeed$2({
+		const runCommand = (input) => {
+			const foldSpawnFailure = (cause) => input.command !== "git" ? succeed$2({
 				status: 127,
 				stdout: "",
 				stderr: String(cause)
-			});
-			return new ReactDoctorError({ reason: new GitInvocationFailed({
+			}) : fail$4(new ReactDoctorError({ reason: new GitInvocationFailed({
 				args: [...input.args],
 				directory: input.directory,
 				cause
-			}) });
-		}), withSpan("git.exec", { attributes: {
-			"git.command": input.command,
-			"git.subcommand": input.args[0] ?? ""
-		} }));
+			}) }));
+			return scoped(gen(function* () {
+				if (!isDirectory(input.directory)) return yield* foldSpawnFailure(`spawn ENOTDIR (cwd is not a directory: ${input.directory})`);
+				const argvLengthChars = input.command.length + 1 + input.args.reduce((total, arg) => total + arg.length + 1, 0);
+				if (argvLengthChars > 24e3) return yield* foldSpawnFailure(`spawn ENAMETOOLONG (${argvLengthChars} argv chars exceed ${SPAWN_ARGS_MAX_LENGTH_CHARS})`);
+				const handle = yield* spawner.spawn(make$1(input.command, [...input.args], {
+					cwd: input.directory,
+					env: input.env,
+					extendEnv: true
+				}));
+				const maxStdoutBytes = input.maxStdoutBytes;
+				const stdoutByteCount = yield* make$13(0);
+				const [stdout, stderr, status] = yield* all([
+					mkString(decodeText(maxStdoutBytes === void 0 ? handle.stdout : handle.stdout.pipe(tap((chunk) => updateAndGet(stdoutByteCount, (total) => total + chunk.length).pipe(flatMap$2((total) => total > maxStdoutBytes ? fail$4(new ReactDoctorError({ reason: new GitInvocationFailed({
+						args: [...input.args],
+						directory: input.directory,
+						cause: /* @__PURE__ */ new Error(`git stdout exceeded ${maxStdoutBytes} bytes`)
+					}) })) : void_)))))),
+					mkString(decodeText(handle.stderr)),
+					handle.exitCode
+				], { concurrency: 3 });
+				return {
+					status,
+					stdout,
+					stderr
+				};
+			})).pipe(catchTag$1("PlatformError", foldSpawnFailure), withSpan("git.exec", { attributes: {
+				"git.command": input.command,
+				"git.subcommand": input.args[0] ?? ""
+			} }));
+		};
 		const runGit = (directory, args) => runCommand({
 			command: "git",
 			args,
@@ -37931,7 +38039,7 @@ var Git = class Git extends Service()("react-doctor/Git") {
 			"rev-parse",
 			"--verify",
 			branch
-		]).pipe(map$3((result) => result.status === 0));
+		]).pipe(map$3((result) => result.status === 0), catch_$1((error) => error.reason._tag === "GitInvocationFailed" ? succeed$2(false) : fail$4(error)));
 		const headSha = (directory) => runGit(directory, ["rev-parse", "HEAD"]).pipe(map$3((result) => result.status === 0 ? trimOrNull(result.stdout) : null));
 		const mergeBase = (input) => isSafeGitRevision(input.ref) ? runGit(input.directory, [
 			"merge-base",
@@ -38145,7 +38253,7 @@ var Git = class Git extends Service()("react-doctor/Git") {
 				]);
 				if (result.status !== 0) return null;
 				return parseChangedLineRanges(result.stdout);
-			}).pipe(withSpan("Git.changedLineRanges"))
+			}).pipe(catch_$1((error) => error.reason._tag === "GitInvocationFailed" ? succeed$2(null) : fail$4(error)), withSpan("Git.changedLineRanges"))
 		});
 	})).pipe(provide$2(layer$2.pipe(provide$2(mergeAll$1(layer$1, layer)))));
 	/**
@@ -40622,7 +40730,10 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      diagnostics).
 *   2. beforeLint hook (e.g. CLI renders the project-detection block)
 *   3. environment checks (reduced-motion + pnpm hardening +
-*      expo/react-native + security scan), collected synchronously
+*      expo/react-native), collected synchronously. The heavier
+*      content-regex security scan is forked instead (like supply-chain
+*      below) and joined before the concat, so its CPU overlaps lint
+*      rather than blocking the event loop before it.
 *   4. The supply-chain check (Socket.dev) is forked onto a background
 *      fiber so its ~100% network-bound time overlaps the ~100%
 *      CPU/subprocess-bound lint pass below, collapsing two serial
@@ -40642,7 +40753,7 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      order, so terminal output is identical either way; supply-chain
 *      rides alongside without a spinner.
 *   6. Join the supply-chain fiber, then assemble the diagnostics in a
-*      FIXED order (env, supply-chain, lint, dead-code) so the output is
+*      FIXED order (env, security-scan, supply-chain, lint, dead-code) so the output is
 *      byte-identical regardless of which fiber settled first. The
 *      viewer-permission fiber is joined later, during score-metadata
 *      assembly (it feeds score metadata, not diagnostics). The per-element
@@ -40703,12 +40814,12 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		...checkPnpmHardening(scanDirectory),
 		...checkReactServerComponentsAdvisory(scanDirectory, project),
 		...checkExpoProject(scanDirectory, project),
-		...checkReactNativeProject(scanDirectory, project),
-		...checkSecurityScan(scanDirectory, {
-			project,
-			ignoredTags: input.ignoredTags
-		})
+		...checkReactNativeProject(scanDirectory, project)
 	])));
+	const securityScanFiber = yield* forkChild(runCollect(applyPerElementPipeline(isDiffMode ? empty$4 : unwrap(promise(() => checkSecurityScanCooperative(scanDirectory, {
+		project,
+		ignoredTags: input.ignoredTags
+	})).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)))))).pipe(withSpan("SecurityScan.run")));
 	const shouldRunSupplyChain = !isDiffMode || (input.supplyChainManifestChanged ?? false);
 	const supplyChainOverlapTimeout = yield* SupplyChainOverlapTimeoutMs;
 	const supplyChainFiber = yield* forkChild(shouldRunSupplyChain ? runCollect(applyPerElementPipeline(supplyChainService.run({
@@ -40844,9 +40955,11 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 	else yield* scanProgress.succeed(`Scanned ${scannedFilesLabel} in ${scanElapsedSeconds}s${workerCountSuffix}`);
 	const supplyChainResult = yield* join(supplyChainFiber);
 	const supplyChainCollected = supplyChainResult.diagnostics;
+	const securityScanCollected = yield* join(securityScanFiber);
 	yield* reporterService.finalize;
 	const finalDiagnostics = sortDiagnosticsStable(assignFixGroups([
 		...envCollected,
+		...securityScanCollected,
 		...supplyChainCollected,
 		...lintCollected,
 		...deadCodeCollected
@@ -41469,4 +41582,4 @@ const toJsonReport = (result, options) => buildJsonReport({
 export { AmbiguousProjectError, NoReactDependencyError, NotADirectoryError, PackageJsonNotFoundError, ProjectNotFoundError, ReactDoctorError, buildJsonReport, buildJsonReportError, clearCaches, defineConfig, diagnose, filterSourceFiles, getDiffInfo, isProjectDiscoveryError, isReactDoctorError, summarizeDiagnostics, toJsonReport };
 
 //# sourceMappingURL=index.js.map
-//# debugId=33508ee6-c977-5b5f-8585-9939928ce74d
+//# debugId=b9d1a98e-f5ec-5357-a08b-f84864fdfa20