toolip 1.0.6 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (308) hide show
  1. package/README.md +189 -448
  2. package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
  3. package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
  4. package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
  5. package/dist/src/analyzers/ast/rules.d.ts +48 -0
  6. package/dist/src/analyzers/ast/rules.js +39 -0
  7. package/dist/src/analyzers/ast/rules.js.map +1 -0
  8. package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
  9. package/dist/src/analyzers/ast/source-analysis.js +225 -0
  10. package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
  11. package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
  12. package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
  13. package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
  14. package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
  15. package/dist/src/analyzers/docker/analyzer.js +103 -0
  16. package/dist/src/analyzers/docker/analyzer.js.map +1 -0
  17. package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
  18. package/dist/src/analyzers/git-history/analyzer.js +157 -0
  19. package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
  20. package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
  21. package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
  22. package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
  23. package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
  24. package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
  25. package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
  26. package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
  27. package/dist/src/analyzers/reachability/import-graph.js +110 -0
  28. package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
  29. package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
  30. package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
  31. package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
  32. package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
  33. package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
  34. package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
  35. package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
  36. package/dist/src/analyzers/vulnerability/severity.js +13 -0
  37. package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
  38. package/dist/src/application/analyzer-runner.d.ts +12 -0
  39. package/dist/src/application/analyzer-runner.js +45 -0
  40. package/dist/src/application/analyzer-runner.js.map +1 -0
  41. package/dist/src/commands/alternatives.d.ts +2 -0
  42. package/dist/src/commands/alternatives.js +17 -0
  43. package/dist/src/commands/alternatives.js.map +1 -0
  44. package/dist/src/commands/announce.d.ts +2 -0
  45. package/dist/src/commands/announce.js +27 -0
  46. package/dist/src/commands/announce.js.map +1 -0
  47. package/dist/src/commands/ast-scan.d.ts +2 -0
  48. package/dist/src/commands/ast-scan.js +86 -0
  49. package/dist/src/commands/ast-scan.js.map +1 -0
  50. package/dist/src/commands/audit-repo.d.ts +2 -0
  51. package/dist/src/commands/audit-repo.js +20 -0
  52. package/dist/src/commands/audit-repo.js.map +1 -0
  53. package/dist/src/commands/compare.d.ts +2 -0
  54. package/dist/src/commands/compare.js +19 -0
  55. package/dist/src/commands/compare.js.map +1 -0
  56. package/dist/src/commands/config.d.ts +2 -0
  57. package/dist/src/commands/config.js +69 -0
  58. package/dist/src/commands/config.js.map +1 -0
  59. package/dist/src/commands/dependency-confusion.d.ts +2 -0
  60. package/dist/src/commands/dependency-confusion.js +37 -0
  61. package/dist/src/commands/dependency-confusion.js.map +1 -0
  62. package/dist/src/commands/diff.d.ts +2 -0
  63. package/dist/src/commands/diff.js +24 -0
  64. package/dist/src/commands/diff.js.map +1 -0
  65. package/dist/src/commands/docker-scan.d.ts +2 -0
  66. package/dist/src/commands/docker-scan.js +34 -0
  67. package/dist/src/commands/docker-scan.js.map +1 -0
  68. package/dist/src/commands/doctor.d.ts +2 -0
  69. package/dist/src/commands/doctor.js +42 -0
  70. package/dist/src/commands/doctor.js.map +1 -0
  71. package/dist/src/commands/git-audit.d.ts +2 -0
  72. package/dist/src/commands/git-audit.js +37 -0
  73. package/dist/src/commands/git-audit.js.map +1 -0
  74. package/dist/src/commands/git-history.d.ts +2 -0
  75. package/dist/src/commands/git-history.js +40 -0
  76. package/dist/src/commands/git-history.js.map +1 -0
  77. package/dist/src/commands/history.d.ts +2 -0
  78. package/dist/src/commands/history.js +69 -0
  79. package/dist/src/commands/history.js.map +1 -0
  80. package/dist/src/commands/hook.d.ts +2 -0
  81. package/dist/src/commands/hook.js +16 -0
  82. package/dist/src/commands/hook.js.map +1 -0
  83. package/dist/src/commands/inspect.d.ts +2 -0
  84. package/dist/src/commands/inspect.js +24 -0
  85. package/dist/src/commands/inspect.js.map +1 -0
  86. package/dist/src/commands/install-scripts.d.ts +2 -0
  87. package/dist/src/commands/install-scripts.js +52 -0
  88. package/dist/src/commands/install-scripts.js.map +1 -0
  89. package/dist/src/commands/learn.d.ts +2 -0
  90. package/dist/src/commands/learn.js +42 -0
  91. package/dist/src/commands/learn.js.map +1 -0
  92. package/dist/src/commands/licenses.d.ts +2 -0
  93. package/dist/src/commands/licenses.js +40 -0
  94. package/dist/src/commands/licenses.js.map +1 -0
  95. package/dist/src/commands/mcp.d.ts +2 -0
  96. package/dist/src/commands/mcp.js +10 -0
  97. package/dist/src/commands/mcp.js.map +1 -0
  98. package/dist/src/commands/monorepo.d.ts +2 -0
  99. package/dist/src/commands/monorepo.js +21 -0
  100. package/dist/src/commands/monorepo.js.map +1 -0
  101. package/dist/src/commands/package-health.d.ts +2 -0
  102. package/dist/src/commands/package-health.js +50 -0
  103. package/dist/src/commands/package-health.js.map +1 -0
  104. package/dist/src/commands/pre-commit.d.ts +2 -0
  105. package/dist/src/commands/pre-commit.js +37 -0
  106. package/dist/src/commands/pre-commit.js.map +1 -0
  107. package/dist/src/commands/profile.d.ts +2 -0
  108. package/dist/src/commands/profile.js +18 -0
  109. package/dist/src/commands/profile.js.map +1 -0
  110. package/dist/src/commands/publish.d.ts +2 -0
  111. package/dist/src/commands/publish.js +25 -0
  112. package/dist/src/commands/publish.js.map +1 -0
  113. package/dist/src/commands/reachability.d.ts +2 -0
  114. package/dist/src/commands/reachability.js +47 -0
  115. package/dist/src/commands/reachability.js.map +1 -0
  116. package/dist/src/commands/sbom.d.ts +2 -0
  117. package/dist/src/commands/sbom.js +33 -0
  118. package/dist/src/commands/sbom.js.map +1 -0
  119. package/dist/src/commands/scan.d.ts +2 -0
  120. package/dist/src/commands/scan.js +48 -0
  121. package/dist/src/commands/scan.js.map +1 -0
  122. package/dist/src/commands/score.d.ts +2 -0
  123. package/dist/src/commands/score.js +24 -0
  124. package/dist/src/commands/score.js.map +1 -0
  125. package/dist/src/commands/self-test.d.ts +2 -0
  126. package/dist/src/commands/self-test.js +63 -0
  127. package/dist/src/commands/self-test.js.map +1 -0
  128. package/dist/src/commands/tree.d.ts +2 -0
  129. package/dist/src/commands/tree.js +21 -0
  130. package/dist/src/commands/tree.js.map +1 -0
  131. package/dist/src/commands/upgrade-pr.d.ts +2 -0
  132. package/dist/src/commands/upgrade-pr.js +15 -0
  133. package/dist/src/commands/upgrade-pr.js.map +1 -0
  134. package/dist/src/commands/vault.d.ts +2 -0
  135. package/dist/src/commands/vault.js +86 -0
  136. package/dist/src/commands/vault.js.map +1 -0
  137. package/dist/src/commands/vulnerabilities.d.ts +2 -0
  138. package/dist/src/commands/vulnerabilities.js +42 -0
  139. package/dist/src/commands/vulnerabilities.js.map +1 -0
  140. package/dist/src/commands/watch.d.ts +2 -0
  141. package/dist/src/commands/watch.js +34 -0
  142. package/dist/src/commands/watch.js.map +1 -0
  143. package/dist/src/config/version.d.ts +6 -0
  144. package/dist/src/config/version.js +29 -0
  145. package/dist/src/config/version.js.map +1 -0
  146. package/dist/src/contracts/analyzer.d.ts +23 -0
  147. package/dist/src/contracts/analyzer.js +2 -0
  148. package/dist/src/contracts/analyzer.js.map +1 -0
  149. package/dist/src/contracts/finding.d.ts +35 -0
  150. package/dist/src/contracts/finding.js +13 -0
  151. package/dist/src/contracts/finding.js.map +1 -0
  152. package/dist/src/contracts/report.d.ts +30 -0
  153. package/dist/src/contracts/report.js +2 -0
  154. package/dist/src/contracts/report.js.map +1 -0
  155. package/dist/src/contracts/rule.d.ts +12 -0
  156. package/dist/src/contracts/rule.js +7 -0
  157. package/dist/src/contracts/rule.js.map +1 -0
  158. package/dist/src/core/alternatives.d.ts +8 -0
  159. package/dist/src/core/alternatives.js +35 -0
  160. package/dist/src/core/alternatives.js.map +1 -0
  161. package/dist/src/core/analyze-package.d.ts +2 -0
  162. package/dist/src/core/analyze-package.js +49 -0
  163. package/dist/src/core/analyze-package.js.map +1 -0
  164. package/dist/src/core/announce/generate.d.ts +9 -0
  165. package/dist/src/core/announce/generate.js +19 -0
  166. package/dist/src/core/announce/generate.js.map +1 -0
  167. package/dist/src/core/compare-packages.d.ts +7 -0
  168. package/dist/src/core/compare-packages.js +19 -0
  169. package/dist/src/core/compare-packages.js.map +1 -0
  170. package/dist/src/core/config/load.d.ts +3 -0
  171. package/dist/src/core/config/load.js +21 -0
  172. package/dist/src/core/config/load.js.map +1 -0
  173. package/dist/src/core/config/policy.d.ts +3 -0
  174. package/dist/src/core/config/policy.js +48 -0
  175. package/dist/src/core/config/policy.js.map +1 -0
  176. package/dist/src/core/config/schema.d.ts +172 -0
  177. package/dist/src/core/config/schema.js +84 -0
  178. package/dist/src/core/config/schema.js.map +1 -0
  179. package/dist/src/core/dependencies/inventory.d.ts +9 -0
  180. package/dist/src/core/dependencies/inventory.js +43 -0
  181. package/dist/src/core/dependencies/inventory.js.map +1 -0
  182. package/dist/src/core/dependency-scan.d.ts +17 -0
  183. package/dist/src/core/dependency-scan.js +70 -0
  184. package/dist/src/core/dependency-scan.js.map +1 -0
  185. package/dist/src/core/dependency-tree.d.ts +16 -0
  186. package/dist/src/core/dependency-tree.js +19 -0
  187. package/dist/src/core/dependency-tree.js.map +1 -0
  188. package/dist/src/core/dependency-types.d.ts +17 -0
  189. package/dist/src/core/dependency-types.js +2 -0
  190. package/dist/src/core/dependency-types.js.map +1 -0
  191. package/dist/src/core/diff/security-diff.d.ts +10 -0
  192. package/dist/src/core/diff/security-diff.js +20 -0
  193. package/dist/src/core/diff/security-diff.js.map +1 -0
  194. package/dist/src/core/file-walker.d.ts +6 -0
  195. package/dist/src/core/file-walker.js +27 -0
  196. package/dist/src/core/file-walker.js.map +1 -0
  197. package/dist/src/core/git-audit.d.ts +12 -0
  198. package/dist/src/core/git-audit.js +111 -0
  199. package/dist/src/core/git-audit.js.map +1 -0
  200. package/dist/src/core/github/remote-audit.d.ts +5 -0
  201. package/dist/src/core/github/remote-audit.js +28 -0
  202. package/dist/src/core/github/remote-audit.js.map +1 -0
  203. package/dist/src/core/github/upgrade-pr.d.ts +4 -0
  204. package/dist/src/core/github/upgrade-pr.js +41 -0
  205. package/dist/src/core/github/upgrade-pr.js.map +1 -0
  206. package/dist/src/core/history/git-metadata.d.ts +5 -0
  207. package/dist/src/core/history/git-metadata.js +37 -0
  208. package/dist/src/core/history/git-metadata.js.map +1 -0
  209. package/dist/src/core/history/store.d.ts +5 -0
  210. package/dist/src/core/history/store.js +65 -0
  211. package/dist/src/core/history/store.js.map +1 -0
  212. package/dist/src/core/history/types.d.ts +27 -0
  213. package/dist/src/core/history/types.js +2 -0
  214. package/dist/src/core/history/types.js.map +1 -0
  215. package/dist/src/core/hooks.d.ts +1 -0
  216. package/dist/src/core/hooks.js +14 -0
  217. package/dist/src/core/hooks.js.map +1 -0
  218. package/dist/src/core/learn.d.ts +11 -0
  219. package/dist/src/core/learn.js +163 -0
  220. package/dist/src/core/learn.js.map +1 -0
  221. package/dist/src/core/license-analysis.d.ts +18 -0
  222. package/dist/src/core/license-analysis.js +98 -0
  223. package/dist/src/core/license-analysis.js.map +1 -0
  224. package/dist/src/core/load-toolip-ignore.d.ts +5 -0
  225. package/dist/src/core/load-toolip-ignore.js +35 -0
  226. package/dist/src/core/load-toolip-ignore.js.map +1 -0
  227. package/dist/src/core/monorepo/discover.d.ts +7 -0
  228. package/dist/src/core/monorepo/discover.js +49 -0
  229. package/dist/src/core/monorepo/discover.js.map +1 -0
  230. package/dist/src/core/npm-registry.d.ts +3 -0
  231. package/dist/src/core/npm-registry.js +5 -0
  232. package/dist/src/core/npm-registry.js.map +1 -0
  233. package/dist/src/core/pre-commit.d.ts +11 -0
  234. package/dist/src/core/pre-commit.js +22 -0
  235. package/dist/src/core/pre-commit.js.map +1 -0
  236. package/dist/src/core/profile-project.d.ts +23 -0
  237. package/dist/src/core/profile-project.js +119 -0
  238. package/dist/src/core/profile-project.js.map +1 -0
  239. package/dist/src/core/publish/html.d.ts +6 -0
  240. package/dist/src/core/publish/html.js +44 -0
  241. package/dist/src/core/publish/html.js.map +1 -0
  242. package/dist/src/core/read-dependencies.d.ts +2 -0
  243. package/dist/src/core/read-dependencies.js +24 -0
  244. package/dist/src/core/read-dependencies.js.map +1 -0
  245. package/dist/src/core/report-writer.d.ts +5 -0
  246. package/dist/src/core/report-writer.js +61 -0
  247. package/dist/src/core/report-writer.js.map +1 -0
  248. package/dist/src/core/report.d.ts +34 -0
  249. package/dist/src/core/report.js +26 -0
  250. package/dist/src/core/report.js.map +1 -0
  251. package/dist/src/core/risk-score.d.ts +5 -0
  252. package/dist/src/core/risk-score.js +14 -0
  253. package/dist/src/core/risk-score.js.map +1 -0
  254. package/dist/src/core/sbom/generate.d.ts +2 -0
  255. package/dist/src/core/sbom/generate.js +120 -0
  256. package/dist/src/core/sbom/generate.js.map +1 -0
  257. package/dist/src/core/scanner-context.d.ts +12 -0
  258. package/dist/src/core/scanner-context.js +27 -0
  259. package/dist/src/core/scanner-context.js.map +1 -0
  260. package/dist/src/core/score.d.ts +13 -0
  261. package/dist/src/core/score.js +44 -0
  262. package/dist/src/core/score.js.map +1 -0
  263. package/dist/src/core/security-doctor.d.ts +12 -0
  264. package/dist/src/core/security-doctor.js +158 -0
  265. package/dist/src/core/security-doctor.js.map +1 -0
  266. package/dist/src/core/security-patterns.d.ts +14 -0
  267. package/dist/src/core/security-patterns.js +139 -0
  268. package/dist/src/core/security-patterns.js.map +1 -0
  269. package/dist/src/core/typosquat.d.ts +6 -0
  270. package/dist/src/core/typosquat.js +50 -0
  271. package/dist/src/core/typosquat.js.map +1 -0
  272. package/dist/src/core/vault.d.ts +48 -0
  273. package/dist/src/core/vault.js +127 -0
  274. package/dist/src/core/vault.js.map +1 -0
  275. package/dist/src/core/watch/watch.d.ts +5 -0
  276. package/dist/src/core/watch/watch.js +49 -0
  277. package/dist/src/core/watch/watch.js.map +1 -0
  278. package/dist/src/errors/toolip-error.d.ts +8 -0
  279. package/dist/src/errors/toolip-error.js +11 -0
  280. package/dist/src/errors/toolip-error.js.map +1 -0
  281. package/dist/src/index.d.ts +2 -0
  282. package/dist/src/index.js +89 -0
  283. package/dist/src/index.js.map +1 -0
  284. package/dist/src/mcp/server.d.ts +1 -0
  285. package/dist/src/mcp/server.js +64 -0
  286. package/dist/src/mcp/server.js.map +1 -0
  287. package/dist/src/providers/depsdev/client.d.ts +71 -0
  288. package/dist/src/providers/depsdev/client.js +44 -0
  289. package/dist/src/providers/depsdev/client.js.map +1 -0
  290. package/dist/src/providers/osv/client.d.ts +15 -0
  291. package/dist/src/providers/osv/client.js +51 -0
  292. package/dist/src/providers/osv/client.js.map +1 -0
  293. package/dist/src/providers/osv/types.d.ts +38 -0
  294. package/dist/src/providers/osv/types.js +2 -0
  295. package/dist/src/providers/osv/types.js.map +1 -0
  296. package/dist/src/storage/memory-cache.d.ts +7 -0
  297. package/dist/src/storage/memory-cache.js +25 -0
  298. package/dist/src/storage/memory-cache.js.map +1 -0
  299. package/dist/src/utils/error-handler.d.ts +1 -0
  300. package/dist/src/utils/error-handler.js +24 -0
  301. package/dist/src/utils/error-handler.js.map +1 -0
  302. package/dist/src/utils/output.d.ts +6 -0
  303. package/dist/src/utils/output.js +72 -0
  304. package/dist/src/utils/output.js.map +1 -0
  305. package/dist/src/utils/package-output.d.ts +4 -0
  306. package/dist/src/utils/package-output.js +40 -0
  307. package/dist/src/utils/package-output.js.map +1 -0
  308. package/package.json +13 -8
@@ -0,0 +1,84 @@
1
+ import { z } from 'zod';
2
+ export const toolipConfigSchema = z.object({
3
+ schemaVersion: z.literal('1.0').default('1.0'),
4
+ include: z.array(z.string()).default([]),
5
+ exclude: z.array(z.string()).default([]),
6
+ rules: z
7
+ .record(z.object({
8
+ enabled: z.boolean().optional(),
9
+ severity: z
10
+ .enum([
11
+ 'critical',
12
+ 'high',
13
+ 'medium',
14
+ 'low',
15
+ 'info'
16
+ ])
17
+ .optional(),
18
+ paths: z
19
+ .array(z.object({
20
+ pattern: z.string(),
21
+ severity: z
22
+ .enum([
23
+ 'critical',
24
+ 'high',
25
+ 'medium',
26
+ 'low',
27
+ 'info'
28
+ ])
29
+ .optional(),
30
+ enabled: z.boolean().optional()
31
+ }))
32
+ .optional()
33
+ }))
34
+ .default({}),
35
+ suppressions: z
36
+ .array(z.object({
37
+ ruleId: z.string(),
38
+ path: z.string().optional(),
39
+ reason: z.string().min(3),
40
+ expiresAt: z.string().datetime().optional()
41
+ }))
42
+ .default([]),
43
+ history: z
44
+ .object({
45
+ enabled: z.boolean().default(true),
46
+ maxEntries: z.number().int().positive().max(5000).default(500)
47
+ })
48
+ .default({
49
+ enabled: true,
50
+ maxEntries: 500
51
+ }),
52
+ providers: z
53
+ .object({
54
+ osv: z
55
+ .object({
56
+ enabled: z.boolean().default(true),
57
+ timeoutMs: z.number().int().positive().default(20000)
58
+ })
59
+ .default({
60
+ enabled: true,
61
+ timeoutMs: 20000
62
+ }),
63
+ depsDev: z
64
+ .object({
65
+ enabled: z.boolean().default(true),
66
+ timeoutMs: z.number().int().positive().default(20000)
67
+ })
68
+ .default({
69
+ enabled: true,
70
+ timeoutMs: 20000
71
+ })
72
+ })
73
+ .default({
74
+ osv: {
75
+ enabled: true,
76
+ timeoutMs: 20000
77
+ },
78
+ depsDev: {
79
+ enabled: true,
80
+ timeoutMs: 20000
81
+ }
82
+ })
83
+ });
84
+ //# sourceMappingURL=schema.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/core/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC9C,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,KAAK,EAAE,CAAC;SACL,MAAM,CACL,CAAC,CAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC;aACR,IAAI,CAAC;YACJ,UAAU;YACV,MAAM;YACN,QAAQ;YACR,KAAK;YACL,MAAM;SACP,CAAC;aACD,QAAQ,EAAE;QACb,KAAK,EAAE,CAAC;aACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,QAAQ,EAAE,CAAC;iBACR,IAAI,CAAC;gBACJ,UAAU;gBACV,MAAM;gBACN,QAAQ;gBACR,KAAK;gBACL,MAAM;aACP,CAAC;iBACD,QAAQ,EAAE;YACb,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;SAChC,CAAC,CACH;aACA,QAAQ,EAAE;KACd,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;SACZ,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KAC5C,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KAC/D,CAAC;SACD,OAAO,CAAC;QACP,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,GAAG;KAChB,CAAC;IACJ,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;QACJ,OAAO,EAAE,CAAC;aACP,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;KACL,CAAC;SACD,OAAO,CAAC;QACP,GAAG,EAAE;YACH,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;QACD,OAAO,EAAE;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;KACF,CAAC;CACL,CAAC,CAAC"}
@@ -0,0 +1,9 @@
1
+ export type DependencyIdentity = {
2
+ ecosystem: 'npm';
3
+ name: string;
4
+ version: string;
5
+ direct: boolean;
6
+ development: boolean;
7
+ source: 'package-lock';
8
+ };
9
+ export declare function readNpmDependencyInventory(root: string): Promise<DependencyIdentity[]>;
@@ -0,0 +1,43 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ function packageNameFromLockPath(lockPath) {
4
+ const marker = 'node_modules/';
5
+ const markerIndex = lockPath.lastIndexOf(marker);
6
+ if (markerIndex === -1)
7
+ return undefined;
8
+ return lockPath.slice(markerIndex + marker.length);
9
+ }
10
+ function isDirectPackagePath(lockPath) {
11
+ if (!lockPath.startsWith('node_modules/'))
12
+ return false;
13
+ const remainder = lockPath.slice('node_modules/'.length);
14
+ if (remainder.startsWith('@'))
15
+ return remainder.split('/').length === 2;
16
+ return !remainder.includes('/');
17
+ }
18
+ export async function readNpmDependencyInventory(root) {
19
+ const raw = await readFile(path.join(root, 'package-lock.json'), 'utf8');
20
+ const lockfile = JSON.parse(raw);
21
+ if (!lockfile.packages) {
22
+ throw new Error('Toolip requires package-lock.json lockfileVersion 2 or newer.');
23
+ }
24
+ const dependencies = new Map();
25
+ for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
26
+ if (lockPath === '' || !entry.version)
27
+ continue;
28
+ const name = entry.name ?? packageNameFromLockPath(lockPath);
29
+ if (!name)
30
+ continue;
31
+ const identity = {
32
+ ecosystem: 'npm',
33
+ name,
34
+ version: entry.version,
35
+ direct: isDirectPackagePath(lockPath),
36
+ development: Boolean(entry.dev),
37
+ source: 'package-lock'
38
+ };
39
+ dependencies.set(`npm:${identity.name}@${identity.version}`, identity);
40
+ }
41
+ return [...dependencies.values()].sort((a, b) => `${a.name}@${a.version}`.localeCompare(`${b.name}@${b.version}`));
42
+ }
43
+ //# sourceMappingURL=inventory.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"inventory.js","sourceRoot":"","sources":["../../../../src/core/dependencies/inventory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAmB7B,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,eAAe,CAAC;IAC/B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,OAAO,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACzD,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACxE,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,IAAY;IAC3D,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAElD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE3D,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClE,IAAI,QAAQ,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,SAAS;QAChD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,QAAQ,GAAuB;YACnC,SAAS,EAAE,KAAK;YAChB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,mBAAmB,CAAC,QAAQ,CAAC;YACrC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC;YAC/B,MAAM,EAAE,cAAc;SACvB,CAAC;QAEF,YAAY,CAAC,GAAG,CAAC,OAAO,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAC9C,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CACjE,CAAC;AACJ,CAAC"}
@@ -0,0 +1,17 @@
1
+ import type { PackageHealth } from './dependency-types.js';
2
+ import type { ToolipFinding } from './report.js';
3
+ export type DependencyScanResult = {
4
+ packages: PackageHealth[];
5
+ findings: ToolipFinding[];
6
+ summary: {
7
+ totalDependencies: number;
8
+ outdated: number;
9
+ deprecated: number;
10
+ highRisk: number;
11
+ mediumRisk: number;
12
+ lowRisk: number;
13
+ averageRiskScore: number;
14
+ };
15
+ };
16
+ export declare function scanDependencies(root: string): Promise<DependencyScanResult>;
17
+ export declare function packageToFindings(pkg: PackageHealth): ToolipFinding[];
@@ -0,0 +1,70 @@
1
+ import { readDependencies } from './read-dependencies.js';
2
+ import { analyzePackage } from './analyze-package.js';
3
+ export async function scanDependencies(root) {
4
+ const dependencies = await readDependencies(root);
5
+ const packages = await Promise.all(dependencies.map((dependency) => analyzePackage(dependency)));
6
+ const findings = packages.flatMap(packageToFindings);
7
+ return {
8
+ packages,
9
+ findings,
10
+ summary: {
11
+ totalDependencies: packages.length,
12
+ outdated: packages.filter((pkg) => pkg.outdated).length,
13
+ deprecated: packages.filter((pkg) => pkg.deprecated).length,
14
+ highRisk: packages.filter((pkg) => pkg.riskScore >= 70).length,
15
+ mediumRisk: packages.filter((pkg) => pkg.riskScore >= 40 && pkg.riskScore < 70).length,
16
+ lowRisk: packages.filter((pkg) => pkg.riskScore > 0 && pkg.riskScore < 40).length,
17
+ averageRiskScore: packages.length === 0
18
+ ? 0
19
+ : Math.round(packages.reduce((total, pkg) => total + pkg.riskScore, 0) / packages.length)
20
+ }
21
+ };
22
+ }
23
+ export function packageToFindings(pkg) {
24
+ const findings = [];
25
+ if (pkg.deprecated) {
26
+ findings.push({
27
+ id: `TOOLIP-DEP-DEPRECATED-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
28
+ title: `Deprecated package: ${pkg.name}`,
29
+ severity: 'high',
30
+ category: 'supply-chain',
31
+ message: `${pkg.name} is marked as deprecated on the npm registry.`,
32
+ recommendation: 'Replace deprecated packages with maintained alternatives and review migration notes.',
33
+ evidence: pkg.latestVersion ?? undefined
34
+ });
35
+ }
36
+ if (pkg.outdated) {
37
+ findings.push({
38
+ id: `TOOLIP-DEP-OUTDATED-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
39
+ title: `Outdated package: ${pkg.name}`,
40
+ severity: 'medium',
41
+ category: 'supply-chain',
42
+ message: `${pkg.name} appears outdated. Installed: ${pkg.installedVersion}. Latest: ${pkg.latestVersion ?? 'unknown'}.`,
43
+ recommendation: 'Upgrade the package after checking changelogs, breaking changes, and test coverage.',
44
+ evidence: `${pkg.installedVersion} -> ${pkg.latestVersion ?? 'unknown'}`
45
+ });
46
+ }
47
+ if (pkg.maintainers === 0) {
48
+ findings.push({
49
+ id: `TOOLIP-DEP-NO-MAINTAINERS-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
50
+ title: `No visible maintainers: ${pkg.name}`,
51
+ severity: 'medium',
52
+ category: 'supply-chain',
53
+ message: `${pkg.name} has no visible maintainer metadata from the registry response.`,
54
+ recommendation: 'Review package ownership, repository activity, and whether a better-maintained alternative exists.'
55
+ });
56
+ }
57
+ if (pkg.ageInDays !== null && pkg.ageInDays > 730) {
58
+ findings.push({
59
+ id: `TOOLIP-DEP-STALE-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
60
+ title: `Possibly stale package: ${pkg.name}`,
61
+ severity: 'low',
62
+ category: 'supply-chain',
63
+ message: `${pkg.name} has not had a detected latest publish in more than two years.`,
64
+ recommendation: 'Confirm whether the package is intentionally stable or abandoned before relying on it.',
65
+ evidence: `${pkg.ageInDays} days`
66
+ });
67
+ }
68
+ return findings;
69
+ }
70
+ //# sourceMappingURL=dependency-scan.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependency-scan.js","sourceRoot":"","sources":["../../../src/core/dependency-scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAkBtD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAChC,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAC7D,CAAC;IAEF,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAErD,OAAO;QACL,QAAQ;QACR,QAAQ;QACR,OAAO,EAAE;YACP,iBAAiB,EAAE,QAAQ,CAAC,MAAM;YAClC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,MAAM;YACvD,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM;YAC3D,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,MAAM;YAC9D,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,IAAI,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC,MAAM;YACtF,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,IAAI,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC,MAAM;YACjF,gBAAgB,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;gBACrC,CAAC,CAAC,CAAC;gBACH,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,KAAK,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;SAC5F;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,GAAkB;IAClD,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;QACnB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,yBAAyB,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YACnF,KAAK,EAAE,uBAAuB,GAAG,CAAC,IAAI,EAAE;YACxC,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,+CAA+C;YACnE,cAAc,EAAE,sFAAsF;YACtG,QAAQ,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;SACzC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,uBAAuB,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YACjF,KAAK,EAAE,qBAAqB,GAAG,CAAC,IAAI,EAAE;YACtC,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,iCAAiC,GAAG,CAAC,gBAAgB,aAAa,GAAG,CAAC,aAAa,IAAI,SAAS,GAAG;YACvH,cAAc,EAAE,qFAAqF;YACrG,QAAQ,EAAE,GAAG,GAAG,CAAC,gBAAgB,OAAO,GAAG,CAAC,aAAa,IAAI,SAAS,EAAE;SACzE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,GAAG,CAAC,WAAW,KAAK,CAAC,EAAE,CAAC;QAC1B,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,6BAA6B,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YACvF,KAAK,EAAE,2BAA2B,GAAG,CAAC,IAAI,EAAE;YAC5C,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,iEAAiE;YACrF,cAAc,EAAE,oGAAoG;SACrH,CAAC,CAAC;IACL,CAAC;IAED,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,oBAAoB,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YAC9E,KAAK,EAAE,2BAA2B,GAAG,CAAC,IAAI,EAAE;YAC5C,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,gEAAgE;YACpF,cAAc,EAAE,wFAAwF;YACxG,QAAQ,EAAE,GAAG,GAAG,CAAC,SAAS,OAAO;SAClC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,16 @@
1
+ export type DependencyTreeNode = {
2
+ name: string;
3
+ version: string;
4
+ type: 'dependency' | 'devDependency';
5
+ children: DependencyTreeNode[];
6
+ };
7
+ export type DependencyTree = {
8
+ root: string;
9
+ dependencies: DependencyTreeNode[];
10
+ summary: {
11
+ direct: number;
12
+ transitive: number;
13
+ maxDepth: number;
14
+ };
15
+ };
16
+ export declare function buildDependencyTree(root: string): Promise<DependencyTree>;
@@ -0,0 +1,19 @@
1
+ import { readDependencies } from './read-dependencies.js';
2
+ export async function buildDependencyTree(root) {
3
+ const dependencies = await readDependencies(root);
4
+ return {
5
+ root,
6
+ dependencies: dependencies.map((dependency) => ({
7
+ name: dependency.name,
8
+ version: dependency.version,
9
+ type: dependency.type,
10
+ children: []
11
+ })),
12
+ summary: {
13
+ direct: dependencies.length,
14
+ transitive: 0,
15
+ maxDepth: dependencies.length > 0 ? 1 : 0
16
+ }
17
+ };
18
+ }
19
+ //# sourceMappingURL=dependency-tree.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependency-tree.js","sourceRoot":"","sources":["../../../src/core/dependency-tree.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAmB1D,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAY;IACpD,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAElD,OAAO;QACL,IAAI;QACJ,YAAY,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC9C,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,QAAQ,EAAE,EAAE;SACb,CAAC,CAAC;QACH,OAAO,EAAE;YACP,MAAM,EAAE,YAAY,CAAC,MAAM;YAC3B,UAAU,EAAE,CAAC;YACb,QAAQ,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC1C;KACF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,17 @@
1
+ export type DependencyInfo = {
2
+ name: string;
3
+ version: string;
4
+ type: 'dependency' | 'devDependency';
5
+ };
6
+ export type PackageHealth = {
7
+ name: string;
8
+ latestVersion: string | null;
9
+ installedVersion: string;
10
+ outdated: boolean;
11
+ deprecated: boolean;
12
+ maintainers: number;
13
+ publishedAt: string | null;
14
+ ageInDays: number | null;
15
+ downloads: number | null;
16
+ riskScore: number;
17
+ };
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=dependency-types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependency-types.js","sourceRoot":"","sources":["../../../src/core/dependency-types.ts"],"names":[],"mappings":""}
@@ -0,0 +1,10 @@
1
+ export type SecurityDiffResult = {
2
+ base: string;
3
+ head: string;
4
+ files: string[];
5
+ packageManifestChanged: boolean;
6
+ lockfileChanged: boolean;
7
+ dockerfilesChanged: string[];
8
+ sourceFilesChanged: string[];
9
+ };
10
+ export declare function securityDiff(root: string, base: string, head: string): Promise<SecurityDiffResult>;
@@ -0,0 +1,20 @@
1
+ import { execFile } from 'node:child_process';
2
+ import { promisify } from 'node:util';
3
+ const execFileAsync = promisify(execFile);
4
+ export async function securityDiff(root, base, head) {
5
+ const { stdout } = await execFileAsync('git', ['diff', '--name-only', `${base}..${head}`], {
6
+ cwd: root,
7
+ encoding: 'utf8'
8
+ });
9
+ const files = stdout.split(/\r?\n/).filter(Boolean);
10
+ return {
11
+ base,
12
+ head,
13
+ files,
14
+ packageManifestChanged: files.some((file) => /(^|\/)package\.json$/.test(file)),
15
+ lockfileChanged: files.some((file) => /(^|\/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$/.test(file)),
16
+ dockerfilesChanged: files.filter((file) => /(^|\/)Dockerfile(?:\..+)?$/.test(file)),
17
+ sourceFilesChanged: files.filter((file) => /\.(js|jsx|ts|tsx|mjs|cjs)$/.test(file))
18
+ };
19
+ }
20
+ //# sourceMappingURL=security-diff.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security-diff.js","sourceRoot":"","sources":["../../../../src/core/diff/security-diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAY1C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,IAAY,EACZ,IAAY;IAEZ,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,KAAK,EACL,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,KAAK,IAAI,EAAE,CAAC,EAC3C;QACE,GAAG,EAAE,IAAI;QACT,QAAQ,EAAE,MAAM;KACjB,CACF,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEpD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,KAAK;QACL,sBAAsB,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,wDAAwD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1G,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnF,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACpF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,6 @@
1
+ export type ProjectFile = {
2
+ absolutePath: string;
3
+ relativePath: string;
4
+ extension: string;
5
+ };
6
+ export declare function walkProjectFiles(root: string): Promise<ProjectFile[]>;
@@ -0,0 +1,27 @@
1
+ import path from 'node:path';
2
+ import fg from 'fast-glob';
3
+ import { loadToolipIgnore } from './load-toolip-ignore.js';
4
+ export async function walkProjectFiles(root) {
5
+ const absoluteRoot = path.resolve(root);
6
+ const toolipIgnore = await loadToolipIgnore(absoluteRoot);
7
+ const entries = await fg(['**/*'], {
8
+ cwd: absoluteRoot,
9
+ dot: true,
10
+ onlyFiles: true,
11
+ unique: true,
12
+ followSymbolicLinks: false,
13
+ ignore: toolipIgnore.patterns
14
+ });
15
+ return entries
16
+ .map((entry) => {
17
+ const absolutePath = path.join(absoluteRoot, entry);
18
+ return {
19
+ absolutePath,
20
+ relativePath: entry.replaceAll('\\', '/'),
21
+ extension: path.extname(entry).replace('.', '').toLowerCase()
22
+ };
23
+ })
24
+ .filter((file) => !toolipIgnore.ignores(file.absolutePath))
25
+ .sort((a, b) => a.relativePath.localeCompare(b.relativePath));
26
+ }
27
+ //# sourceMappingURL=file-walker.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"file-walker.js","sourceRoot":"","sources":["../../../src/core/file-walker.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,WAAW,CAAC;AAC3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAQ3D,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAE1D,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE;QACjC,GAAG,EAAE,YAAY;QACjB,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,IAAI;QACZ,mBAAmB,EAAE,KAAK;QAC1B,MAAM,EAAE,YAAY,CAAC,QAAQ;KAC9B,CAAC,CAAC;IAEH,OAAO,OAAO;SACX,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACb,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO;YACL,YAAY;YACZ,YAAY,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC;YACzC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE;SAC9D,CAAC;IACJ,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;SAC1D,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;AAClE,CAAC"}
@@ -0,0 +1,12 @@
1
+ import type { ToolipFinding } from './report.js';
2
+ export type GitAuditResult = {
3
+ findings: ToolipFinding[];
4
+ summary: {
5
+ filesChecked: number;
6
+ dangerousFiles: number;
7
+ gitignorePresent: boolean;
8
+ envIgnored: boolean;
9
+ pemIgnored: boolean;
10
+ };
11
+ };
12
+ export declare function runGitAudit(root: string): Promise<GitAuditResult>;
@@ -0,0 +1,111 @@
1
+ import { access, readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ import { walkProjectFiles } from './file-walker.js';
4
+ const dangerousFilePatterns = [
5
+ {
6
+ id: 'ENV-FILE',
7
+ regex: /(^|\/)\.env(\.|$|\/)?/i,
8
+ title: '.env file present',
9
+ severity: 'high',
10
+ message: 'A .env-style file exists in the project tree.',
11
+ recommendation: 'Keep .env files local, ensure they are ignored, and never commit real secrets.'
12
+ },
13
+ {
14
+ id: 'PEM-FILE',
15
+ regex: /\.pem$/i,
16
+ title: 'PEM file present',
17
+ severity: 'critical',
18
+ message: 'A PEM key file exists in the project tree.',
19
+ recommendation: 'Remove private key files from the repository and rotate affected credentials.'
20
+ },
21
+ {
22
+ id: 'KEY-FILE',
23
+ regex: /\.(key|p12|pfx)$/i,
24
+ title: 'Key/certificate file present',
25
+ severity: 'critical',
26
+ message: 'A key or certificate-like file exists in the project tree.',
27
+ recommendation: 'Do not store key material in source repositories.'
28
+ }
29
+ ];
30
+ export async function runGitAudit(root) {
31
+ const files = await walkProjectFiles(root);
32
+ const relativePaths = files.map((file) => file.relativePath);
33
+ const gitignorePath = path.join(root, '.gitignore');
34
+ const gitignorePresent = await exists(gitignorePath);
35
+ const gitignoreContent = gitignorePresent ? await readFile(gitignorePath, 'utf8') : '';
36
+ const findings = [];
37
+ for (const file of relativePaths) {
38
+ for (const pattern of dangerousFilePatterns) {
39
+ if (!pattern.regex.test(file))
40
+ continue;
41
+ findings.push({
42
+ id: `TOOLIP-GIT-${pattern.id}-${file.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
43
+ title: pattern.title,
44
+ severity: pattern.severity,
45
+ category: 'git-security',
46
+ message: pattern.message,
47
+ recommendation: pattern.recommendation,
48
+ file
49
+ });
50
+ }
51
+ }
52
+ const envIgnored = ignoresPattern(gitignoreContent, '.env') || ignoresPattern(gitignoreContent, '.env.*');
53
+ const pemIgnored = ignoresPattern(gitignoreContent, '*.pem') || ignoresPattern(gitignoreContent, '.pem');
54
+ if (!gitignorePresent) {
55
+ findings.push({
56
+ id: 'TOOLIP-GIT-MISSING-GITIGNORE',
57
+ title: 'Missing .gitignore',
58
+ severity: 'medium',
59
+ category: 'git-security',
60
+ message: 'No .gitignore file was found.',
61
+ recommendation: 'Add a .gitignore file that excludes secrets, build output, dependencies, and local machine files.'
62
+ });
63
+ }
64
+ if (gitignorePresent && !envIgnored) {
65
+ findings.push({
66
+ id: 'TOOLIP-GIT-ENV-NOT-IGNORED',
67
+ title: '.env files may not be ignored',
68
+ severity: 'high',
69
+ category: 'git-security',
70
+ message: '.gitignore does not appear to ignore .env files.',
71
+ recommendation: 'Add .env and .env.* to .gitignore while allowing a safe .env.example.'
72
+ });
73
+ }
74
+ if (gitignorePresent && !pemIgnored) {
75
+ findings.push({
76
+ id: 'TOOLIP-GIT-PEM-NOT-IGNORED',
77
+ title: 'PEM files may not be ignored',
78
+ severity: 'medium',
79
+ category: 'git-security',
80
+ message: '.gitignore does not appear to ignore PEM files.',
81
+ recommendation: 'Add *.pem and other key material patterns to .gitignore.'
82
+ });
83
+ }
84
+ return {
85
+ findings,
86
+ summary: {
87
+ filesChecked: files.length,
88
+ dangerousFiles: findings.filter((finding) => finding.file).length,
89
+ gitignorePresent,
90
+ envIgnored,
91
+ pemIgnored
92
+ }
93
+ };
94
+ }
95
+ async function exists(filePath) {
96
+ try {
97
+ await access(filePath);
98
+ return true;
99
+ }
100
+ catch {
101
+ return false;
102
+ }
103
+ }
104
+ function ignoresPattern(gitignore, pattern) {
105
+ return gitignore
106
+ .split('\n')
107
+ .map((line) => line.trim())
108
+ .filter(Boolean)
109
+ .some((line) => line === pattern || line.includes(pattern));
110
+ }
111
+ //# sourceMappingURL=git-audit.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"git-audit.js","sourceRoot":"","sources":["../../../src/core/git-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAcpD,MAAM,qBAAqB,GAAG;IAC5B;QACE,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,wBAAwB;QAC/B,KAAK,EAAE,mBAAmB;QAC1B,QAAQ,EAAE,MAAe;QACzB,OAAO,EAAE,+CAA+C;QACxD,cAAc,EAAE,gFAAgF;KACjG;IACD;QACE,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,SAAS;QAChB,KAAK,EAAE,kBAAkB;QACzB,QAAQ,EAAE,UAAmB;QAC7B,OAAO,EAAE,4CAA4C;QACrD,cAAc,EAAE,+EAA+E;KAChG;IACD;QACE,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,mBAAmB;QAC1B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAmB;QAC7B,OAAO,EAAE,4DAA4D;QACrE,cAAc,EAAE,mDAAmD;KACpE;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,aAAa,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IACpD,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IACrD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEvF,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;YAC5C,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAExC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,cAAc,OAAO,CAAC,EAAE,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;gBAClF,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,cAAc;gBACxB,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,IAAI;aACL,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,cAAc,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;IAC1G,MAAM,UAAU,GAAG,cAAc,CAAC,gBAAgB,EAAE,OAAO,CAAC,IAAI,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAEzG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,8BAA8B;YAClC,KAAK,EAAE,oBAAoB;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,+BAA+B;YACxC,cAAc,EAAE,mGAAmG;SACpH,CAAC,CAAC;IACL,CAAC;IAED,IAAI,gBAAgB,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,4BAA4B;YAChC,KAAK,EAAE,+BAA+B;YACtC,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,kDAAkD;YAC3D,cAAc,EAAE,uEAAuE;SACxF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,gBAAgB,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,4BAA4B;YAChC,KAAK,EAAE,8BAA8B;YACrC,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,iDAAiD;YAC1D,cAAc,EAAE,0DAA0D;SAC3E,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,QAAQ;QACR,OAAO,EAAE;YACP,YAAY,EAAE,KAAK,CAAC,MAAM;YAC1B,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM;YACjE,gBAAgB;YAChB,UAAU;YACV,UAAU;SACX;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,QAAgB;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB,EAAE,OAAe;IACxD,OAAO,SAAS;SACb,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAChE,CAAC"}
@@ -0,0 +1,5 @@
1
+ import { runSecurityDoctor } from '../security-doctor.js';
2
+ export declare function auditRemoteRepository(url: string): Promise<{
3
+ repository: string;
4
+ report: Awaited<ReturnType<typeof runSecurityDoctor>>;
5
+ }>;
@@ -0,0 +1,28 @@
1
+ import { mkdtemp, rm } from 'node:fs/promises';
2
+ import { execFile } from 'node:child_process';
3
+ import { promisify } from 'node:util';
4
+ import os from 'node:os';
5
+ import path from 'node:path';
6
+ import { runSecurityDoctor } from '../security-doctor.js';
7
+ const execFileAsync = promisify(execFile);
8
+ export async function auditRemoteRepository(url) {
9
+ if (!/^https:\/\/github\.com\/[^/]+\/[^/]+(?:\.git)?$/.test(url)) {
10
+ throw new Error('Only public GitHub repository URLs are supported.');
11
+ }
12
+ const temporaryRoot = await mkdtemp(path.join(os.tmpdir(), 'toolip-remote-audit-'));
13
+ const target = path.join(temporaryRoot, 'repository');
14
+ try {
15
+ await execFileAsync('gh', ['repo', 'clone', url, target, '--', '--depth=1'], {
16
+ encoding: 'utf8'
17
+ });
18
+ const report = await runSecurityDoctor(target);
19
+ return {
20
+ repository: url,
21
+ report
22
+ };
23
+ }
24
+ finally {
25
+ await rm(temporaryRoot, { recursive: true, force: true });
26
+ }
27
+ }
28
+ //# sourceMappingURL=remote-audit.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"remote-audit.js","sourceRoot":"","sources":["../../../../src/core/github/remote-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAW;IAIrD,IAAI,CAAC,iDAAiD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;IACpF,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE;YAC3E,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACL,UAAU,EAAE,GAAG;YACf,MAAM;SACP,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC"}
@@ -0,0 +1,4 @@
1
+ export declare function createUpgradePullRequest(root: string, packageName: string, targetVersion: string, dryRun: boolean): Promise<{
2
+ branch: string;
3
+ changed: boolean;
4
+ }>;
@@ -0,0 +1,41 @@
1
+ import { readFile, writeFile } from 'node:fs/promises';
2
+ import { execFile } from 'node:child_process';
3
+ import { promisify } from 'node:util';
4
+ import path from 'node:path';
5
+ const execFileAsync = promisify(execFile);
6
+ export async function createUpgradePullRequest(root, packageName, targetVersion, dryRun) {
7
+ const manifestPath = path.join(root, 'package.json');
8
+ const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
9
+ const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
10
+ let changed = false;
11
+ for (const section of sections) {
12
+ if (manifest[section]?.[packageName]) {
13
+ manifest[section][packageName] = targetVersion;
14
+ changed = true;
15
+ }
16
+ }
17
+ if (!changed) {
18
+ throw new Error(`${packageName} is not declared in package.json.`);
19
+ }
20
+ const branch = `toolip/upgrade-${packageName.replaceAll(/[^A-Za-z0-9]/g, '-')}-${targetVersion}`;
21
+ if (dryRun) {
22
+ return { branch, changed: true };
23
+ }
24
+ await execFileAsync('git', ['switch', '-c', branch], { cwd: root });
25
+ await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
26
+ await execFileAsync('npm', ['install', '--package-lock-only'], { cwd: root });
27
+ await execFileAsync('npm', ['test'], { cwd: root });
28
+ await execFileAsync('git', ['add', 'package.json', 'package-lock.json'], { cwd: root });
29
+ await execFileAsync('git', ['commit', '-m', `chore: upgrade ${packageName} to ${targetVersion}`], { cwd: root });
30
+ await execFileAsync('git', ['push', '-u', 'origin', branch], { cwd: root });
31
+ await execFileAsync('gh', [
32
+ 'pr',
33
+ 'create',
34
+ '--title',
35
+ `chore: upgrade ${packageName} to ${targetVersion}`,
36
+ '--body',
37
+ `Toolip generated this dependency upgrade after updating the lockfile and running the project test suite.`
38
+ ], { cwd: root });
39
+ return { branch, changed: true };
40
+ }
41
+ //# sourceMappingURL=upgrade-pr.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"upgrade-pr.js","sourceRoot":"","sources":["../../../../src/core/github/upgrade-pr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAY,EACZ,WAAmB,EACnB,aAAqB,EACrB,MAAe;IAEf,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAwB,CAAC;IACzF,MAAM,QAAQ,GAAG,CAAC,cAAc,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,kBAAkB,CAAC,CAAC;IACjG,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;YACrC,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,GAAG,aAAa,CAAC;YAC/C,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,mCAAmC,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,WAAW,CAAC,UAAU,CAAC,eAAe,EAAE,GAAG,CAAC,IAAI,aAAa,EAAE,CAAC;IAEjG,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,MAAM,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,qBAAqB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9E,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACxF,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,kBAAkB,WAAW,OAAO,aAAa,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACjH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,MAAM,aAAa,CACjB,IAAI,EACJ;QACE,IAAI;QACJ,QAAQ;QACR,SAAS;QACT,kBAAkB,WAAW,OAAO,aAAa,EAAE;QACnD,QAAQ;QACR,0GAA0G;KAC3G,EACD,EAAE,GAAG,EAAE,IAAI,EAAE,CACd,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACnC,CAAC"}
@@ -0,0 +1,5 @@
1
+ export declare function readGitMetadata(root: string): Promise<{
2
+ branch?: string;
3
+ commit?: string;
4
+ dirty?: boolean;
5
+ }>;