npm - trawly - Versions diffs - 0.0.1 → 0.0.2 - Mend

trawly 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli.js CHANGED Viewed

@@ -203,8 +203,8 @@ function truncate(s, max) {
 }
 // src/scanner.ts
-import { existsSync, statSync } from "fs";
-import { resolve as resolve2, join } from "path";
+import { existsSync as existsSync2, statSync } from "fs";
+import { basename, resolve as resolve4, join as join2 } from "path";
 // src/extractors/npm-package-lock.ts
 import { readFileSync } from "fs";
@@ -290,6 +290,262 @@ function isTopLevelInstance(path) {
   return path.indexOf("node_modules/", first + 1) === -1;
 }
+// src/extractors/pnpm-lock.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+import yaml from "js-yaml";
+var SUPPORTED_MAJOR_VERSIONS = /* @__PURE__ */ new Set([6, 9]);
+function parsePnpmLock(filePath) {
+  const absolute = resolve2(filePath);
+  const raw = readFileSync2(absolute, "utf8");
+  let parsed;
+  try {
+    parsed = yaml.load(raw) ?? {};
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  const versionRaw = parsed.lockfileVersion;
+  const major = parseLockfileMajor(versionRaw);
+  if (major === null || !SUPPORTED_MAJOR_VERSIONS.has(major)) {
+    throw new Error(
+      `Unsupported pnpm lockfileVersion ${String(versionRaw)} in ${absolute}. Supported: 6.x, 9.x.`
+    );
+  }
+  const packages = parsed.packages;
+  if (!packages || typeof packages !== "object") {
+    throw new Error(
+      `Lockfile ${absolute} has no "packages" map; cannot extract installed versions.`
+    );
+  }
+  const importers = parsed.importers ?? {
+    ".": {
+      dependencies: parsed.dependencies,
+      devDependencies: parsed.devDependencies,
+      optionalDependencies: parsed.optionalDependencies
+    }
+  };
+  const direct = collectDirectFromImporters(importers);
+  const instances = [];
+  for (const [key, entry] of Object.entries(packages)) {
+    const parsed2 = parsePnpmPackageKey(key);
+    if (!parsed2) continue;
+    const name = entry.name ?? parsed2.name;
+    const version = entry.version ?? parsed2.version;
+    if (!name || !version) continue;
+    const isDirect = direct.prod.has(name) || direct.dev.has(name) || direct.optional.has(name);
+    const onlyDev = direct.dev.has(name) && !direct.prod.has(name);
+    const onlyOptional = direct.optional.has(name) && !direct.prod.has(name) && !direct.dev.has(name);
+    instances.push({
+      name,
+      version,
+      ecosystem: "npm",
+      path: key,
+      direct: isDirect,
+      dev: Boolean(entry.dev) || onlyDev,
+      optional: Boolean(entry.optional) || onlyOptional,
+      resolved: entry.resolution?.tarball,
+      integrity: entry.resolution?.integrity
+    });
+  }
+  return instances;
+}
+function parseLockfileMajor(value) {
+  if (typeof value === "number") return Math.trunc(value);
+  if (typeof value === "string") {
+    const num = parseInt(value, 10);
+    return Number.isNaN(num) ? null : num;
+  }
+  return null;
+}
+function collectDirectFromImporters(importers) {
+  const prod = /* @__PURE__ */ new Set();
+  const dev = /* @__PURE__ */ new Set();
+  const optional = /* @__PURE__ */ new Set();
+  for (const importer of Object.values(importers)) {
+    if (!importer) continue;
+    addDepNames(importer.dependencies, prod);
+    addDepNames(importer.devDependencies, dev);
+    addDepNames(importer.optionalDependencies, optional);
+  }
+  return { prod, dev, optional };
+}
+function addDepNames(block, into) {
+  if (!block) return;
+  for (const name of Object.keys(block)) into.add(name);
+}
+function parsePnpmPackageKey(key) {
+  let working = key.startsWith("/") ? key.slice(1) : key;
+  const parenIdx = working.indexOf("(");
+  if (parenIdx !== -1) working = working.slice(0, parenIdx);
+  const startSearch = working.startsWith("@") ? 1 : 0;
+  const atIdx = working.indexOf("@", startSearch);
+  if (atIdx <= 0) return null;
+  const name = working.slice(0, atIdx);
+  const version = working.slice(atIdx + 1);
+  if (!name || !version) return null;
+  return { name, version };
+}
+// src/extractors/yarn-lock.ts
+import { existsSync, readFileSync as readFileSync3 } from "fs";
+import { dirname, join, resolve as resolve3 } from "path";
+import yaml2 from "js-yaml";
+function parseYarnLock(filePath) {
+  const absolute = resolve3(filePath);
+  const content = readFileSync3(absolute, "utf8");
+  const projectDir = dirname(absolute);
+  const directs = readDirectDepsFromPackageJson(projectDir);
+  const isBerry = /^__metadata:/m.test(content);
+  return isBerry ? parseBerry(absolute, content, directs) : parseClassic(absolute, content, directs);
+}
+function readDirectDepsFromPackageJson(projectDir) {
+  const result = {
+    prod: /* @__PURE__ */ new Set(),
+    dev: /* @__PURE__ */ new Set(),
+    optional: /* @__PURE__ */ new Set(),
+    any: /* @__PURE__ */ new Set()
+  };
+  const pkgPath = join(projectDir, "package.json");
+  if (!existsSync(pkgPath)) return result;
+  try {
+    const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
+    for (const name of Object.keys(pkg.dependencies ?? {})) result.prod.add(name);
+    for (const name of Object.keys(pkg.devDependencies ?? {})) result.dev.add(name);
+    for (const name of Object.keys(pkg.optionalDependencies ?? {}))
+      result.optional.add(name);
+    for (const set of [result.prod, result.dev, result.optional]) {
+      for (const n of set) result.any.add(n);
+    }
+    for (const name of Object.keys(pkg.peerDependencies ?? {})) result.any.add(name);
+  } catch {
+  }
+  return result;
+}
+function parseClassic(absolute, content, directs) {
+  const entries = parseClassicEntries(content);
+  const instances = [];
+  for (const entry of entries) {
+    const version = entry.fields.version;
+    if (!version) continue;
+    const names = uniq(entry.specs.map((s) => parseYarnSpec(s).name).filter(Boolean));
+    const name = names[0];
+    if (!name) continue;
+    const isDirect = names.some((n) => directs.any.has(n));
+    const inProd = names.some((n) => directs.prod.has(n));
+    const inDev = names.some((n) => directs.dev.has(n));
+    const inOpt = names.some((n) => directs.optional.has(n));
+    instances.push({
+      name,
+      version,
+      ecosystem: "npm",
+      path: `${name}@${version}`,
+      direct: isDirect,
+      dev: inDev && !inProd,
+      optional: inOpt && !inProd && !inDev,
+      resolved: entry.fields.resolved,
+      integrity: entry.fields.integrity
+    });
+  }
+  void absolute;
+  return instances;
+}
+function parseClassicEntries(content) {
+  const lines = content.split(/\r?\n/);
+  const entries = [];
+  let current = null;
+  for (const rawLine of lines) {
+    if (rawLine === "" || rawLine.trimStart().startsWith("#")) continue;
+    if (!/^\s/.test(rawLine)) {
+      if (current) entries.push(current);
+      const header = rawLine.replace(/:\s*$/, "");
+      current = { specs: splitClassicSpecs(header), fields: {} };
+      continue;
+    }
+    if (!current) continue;
+    const indent = rawLine.match(/^ +/)?.[0].length ?? 0;
+    if (indent !== 2) continue;
+    const trimmed = rawLine.trim();
+    const m = trimmed.match(/^([^\s"]+)\s+"((?:[^"\\]|\\.)*)"$/) ?? trimmed.match(/^([^\s"]+)\s+(\S+)$/);
+    if (m && m[1] !== void 0 && m[2] !== void 0) {
+      current.fields[m[1]] = m[2];
+    }
+  }
+  if (current) entries.push(current);
+  return entries;
+}
+function splitClassicSpecs(header) {
+  const out = [];
+  let cur = "";
+  let inQuote = false;
+  for (const ch of header) {
+    if (ch === '"') {
+      inQuote = !inQuote;
+      continue;
+    }
+    if (ch === "," && !inQuote) {
+      const spec = cur.trim();
+      if (spec) out.push(spec);
+      cur = "";
+      continue;
+    }
+    cur += ch;
+  }
+  const last = cur.trim();
+  if (last) out.push(last);
+  return out;
+}
+function parseBerry(absolute, content, directs) {
+  let parsed;
+  try {
+    parsed = yaml2.load(content) ?? {};
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  const instances = [];
+  for (const [key, value] of Object.entries(parsed)) {
+    if (key === "__metadata") continue;
+    if (!value || typeof value !== "object") continue;
+    const entry = value;
+    if (!entry.version) continue;
+    const specs = splitClassicSpecs(key);
+    const names = uniq(specs.map((s) => parseYarnSpec(s).name).filter(Boolean));
+    const name = names[0];
+    if (!name) continue;
+    const isDirect = names.some((n) => directs.any.has(n));
+    const inProd = names.some((n) => directs.prod.has(n));
+    const inDev = names.some((n) => directs.dev.has(n));
+    const inOpt = names.some((n) => directs.optional.has(n));
+    instances.push({
+      name,
+      version: entry.version,
+      ecosystem: "npm",
+      path: `${name}@${entry.version}`,
+      direct: isDirect,
+      dev: inDev && !inProd,
+      optional: inOpt && !inProd && !inDev,
+      resolved: entry.resolution,
+      integrity: entry.checksum
+    });
+  }
+  return instances;
+}
+function parseYarnSpec(spec) {
+  const startSearch = spec.startsWith("@") ? 1 : 0;
+  const atIdx = spec.indexOf("@", startSearch);
+  if (atIdx <= 0) return { name: spec, selector: "" };
+  const name = spec.slice(0, atIdx);
+  let selector = spec.slice(atIdx + 1);
+  if (selector.startsWith("npm:")) selector = selector.slice(4);
+  return { name, selector };
+}
+function uniq(values) {
+  return Array.from(new Set(values));
+}
 // src/types.ts
 var SEVERITY_RANK = {
   critical: 4,
@@ -301,11 +557,11 @@ var SEVERITY_RANK = {
 // src/scanner.ts
 async function scanProject(options = {}) {
-  const cwd = resolve2(options.cwd ?? process.cwd());
-  const lockfilePath = options.lockfile ? resolve2(cwd, options.lockfile) : detectLockfile(cwd);
+  const cwd = resolve4(options.cwd ?? process.cwd());
+  const lockfilePath = options.lockfile ? resolve4(cwd, options.lockfile) : detectLockfile(cwd);
   if (!lockfilePath) {
     throw new ScanInputError(
-      `No npm lockfile found in ${cwd}. Pass --lockfile or run in a directory with package-lock.json.`
+      `No supported lockfile found in ${cwd}. Pass --lockfile or run in a directory with package-lock.json, pnpm-lock.yaml, or yarn.lock.`
     );
   }
   return scanLockfile({
@@ -317,14 +573,14 @@ async function scanProject(options = {}) {
 }
 async function scanLockfile(options) {
   const { lockfilePath } = options;
-  if (!existsSync(lockfilePath)) {
+  if (!existsSync2(lockfilePath)) {
     throw new ScanInputError(`Lockfile does not exist: ${lockfilePath}`);
   }
   const stat = statSync(lockfilePath);
   if (!stat.isFile()) {
     throw new ScanInputError(`Lockfile path is not a file: ${lockfilePath}`);
   }
-  const allInstances = parseNpmPackageLock(lockfilePath);
+  const allInstances = parseLockfile(lockfilePath);
   const instances = filterInstances(allInstances, options);
   const errors = [];
   let findings = [];
@@ -351,9 +607,29 @@ var ScanInputError = class extends Error {
     this.name = "ScanInputError";
   }
 };
+var LOCKFILE_CANDIDATES = [
+  "pnpm-lock.yaml",
+  "yarn.lock",
+  "package-lock.json",
+  "npm-shrinkwrap.json"
+];
 function detectLockfile(cwd) {
-  const candidate = join(cwd, "package-lock.json");
-  return existsSync(candidate) ? candidate : void 0;
+  for (const file of LOCKFILE_CANDIDATES) {
+    const candidate = join2(cwd, file);
+    if (existsSync2(candidate)) return candidate;
+  }
+  return void 0;
+}
+function parseLockfile(lockfilePath) {
+  const name = basename(lockfilePath);
+  if (name === "pnpm-lock.yaml") return parsePnpmLock(lockfilePath);
+  if (name === "yarn.lock") return parseYarnLock(lockfilePath);
+  if (name === "package-lock.json" || name === "npm-shrinkwrap.json") {
+    return parseNpmPackageLock(lockfilePath);
+  }
+  throw new ScanInputError(
+    `Unsupported lockfile name: ${name}. Supported: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock.`
+  );
 }
 function filterInstances(instances, options) {
   const includeDev = options.prodOnly ? false : options.includeDev !== false;
@@ -389,8 +665,8 @@ function meetsThreshold(findings, threshold) {
 }
 // src/installer/pm-detect.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
-import { join as join2 } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync4 } from "fs";
+import { join as join3 } from "path";
 var LOCKFILES = [
   { file: "pnpm-lock.yaml", pm: "pnpm" },
   { file: "yarn.lock", pm: "yarn" },
@@ -405,15 +681,15 @@ function detectPackageManager(opts = {}) {
   const fromField = readPackageManagerField(cwd);
   if (fromField) return fromField;
   for (const { file, pm } of LOCKFILES) {
-    if (existsSync2(join2(cwd, file))) return pm;
+    if (existsSync3(join3(cwd, file))) return pm;
   }
   return "npm";
 }
 function readPackageManagerField(cwd) {
-  const pkgPath = join2(cwd, "package.json");
-  if (!existsSync2(pkgPath)) return void 0;
+  const pkgPath = join3(cwd, "package.json");
+  if (!existsSync3(pkgPath)) return void 0;
   try {
-    const pkg = JSON.parse(readFileSync2(pkgPath, "utf8"));
+    const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
     if (typeof pkg.packageManager !== "string") return void 0;
     const name = pkg.packageManager.split("@")[0];
     if (name === "npm" || name === "pnpm" || name === "yarn" || name === "bun") {
@@ -454,14 +730,14 @@ function buildRemoveCommand(pm, packages, flags) {
 // src/installer/runner.ts
 import { spawn } from "child_process";
 function runPackageManager(cmd, opts = {}) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve5, reject) => {
     const child = spawn(cmd.bin, cmd.args, {
       cwd: opts.cwd,
       stdio: "inherit",
       shell: process.platform === "win32"
     });
     child.on("error", reject);
-    child.on("close", (code) => resolve3(code ?? 0));
+    child.on("close", (code) => resolve5(code ?? 0));
   });
 }
@@ -1109,7 +1385,10 @@ program.name("trawly").description(
 });
 program.command("scan", { isDefault: true }).description(
   "Scan a project and gate on findings. Exits non-zero when --fail-on is met. Use `inspect` for a log-only run."
-).argument("[path]", "Project directory to scan", ".").option("--lockfile <path>", "Explicit path to package-lock.json").option(
+).argument("[path]", "Project directory to scan", ".").option(
+  "--lockfile <path>",
+  "Explicit path to a lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock)"
+).option(
   "--format <format>",
   "Output format: table | json",
   parseFormat,
@@ -1130,7 +1409,10 @@ program.command("scan", { isDefault: true }).description(
 });
 program.command("inspect").description(
   "Scan a project and print findings without gating. Always exits 0 unless an operational error occurs. Use `scan` for CI gating."
-).argument("[path]", "Project directory to scan", ".").option("--lockfile <path>", "Explicit path to package-lock.json").option(
+).argument("[path]", "Project directory to scan", ".").option(
+  "--lockfile <path>",
+  "Explicit path to a lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock)"
+).option(
   "--format <format>",
   "Output format: table | json",
   parseFormat,