verimu 0.0.4 → 0.0.6

package/README.md

@@ -11,7 +11,7 @@ The NPM package for `verimu`, a tool for producing CRA-compliant SBOMs via CI /
 The core scanning pipeline is CI-agnostic — it works in any environment with Node.js 20+.
 Example CI configs are provided in the `ci-examples/` directory.
 
-- [x] GitHub Actions (`.github/workflows/test.yml`)
+- [x] GitHub Actions (`.github/workflows/release.yml`)
 - [x] GitLab CI (`ci-examples/gitlab-ci.yml`)
 - [x] Bitbucket Pipelines (`ci-examples/bitbucket-pipelines.yml`)
 
@@ -33,6 +33,42 @@ To run the tests, use:
 npm test
 ```
 
+## Releasing to npm (Tag Pipelines)
+
+`verimu` can publish from GitHub Actions, GitLab CI, and Bitbucket Pipelines when a semver tag is pushed.
+Each pipeline validates:
+
+- tag is semver (`v1.2.3` or `1.2.3`)
+- tag version matches `package.json` version
+- tagged commit exists on `main`
+
+### Publish credentials
+
+- GitHub Actions (`.github/workflows/release.yml`): uses npm Trusted Publishing (OIDC), so no `NPM_TOKEN` secret is required.
+- GitLab and Bitbucket pipelines in this repo still use `NPM_TOKEN` (`.gitlab-ci.yml`, `bitbucket-pipelines.yml`).
+
+### Recommended release flow
+
+1. Bump version on `main` with npm (this updates `package.json` and `package-lock.json`, then creates a git tag):
+
+```bash
+npm version patch
+```
+
+2. Push commit and tag:
+
+```bash
+git push origin main --follow-tags
+```
+
+3. Your CI provider runs the publish job on that tag and releases to npm.
+
+### Why this avoids version conflicts
+
+The source of truth remains the version committed on `main`.
+The tag is only a release trigger for that exact versioned commit.
+You should not tag arbitrary commits with a new version string that is not already committed in `package.json`.
+
 ## Maven Scanner Notes
 
 The Maven scanner needs resolved dependencies. Since Maven has no lockfile, it uses two strategies:
@@ -42,4 +78,6 @@ The Maven scanner needs resolved dependencies. Since Maven has no lockfile, it u
 
 ## Three CI / CD Pipelines as Self Check on the `verimu` package itself
 
-There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/test.yml` file, all of which would run `verimu` against itself in each of the 3 frameworks we support (GitHub Actions, GitLab CI, Bitbucket Pipelines). The tests should pass in all 3 environments, confirming that `verimu` can successfully scan its own dependencies and produce a report.
+There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/release.yml` file, all of which would run `verimu` against itself in each of the 3 frameworks we support (GitHub Actions, GitLab CI, Bitbucket Pipelines). The tests should pass in all 3 environments, confirming that `verimu` can successfully scan its own dependencies and produce a report.
+
+The same three provider configs now also include tag-based npm release automation, so this repo is a working cross-provider reference for both scanning and publishing.

package/dist/cli.mjs

@@ -2,6 +2,7 @@
 
 // src/cli.ts
 import { resolve } from "path";
+import { createRequire } from "module";
 
 // src/scan.ts
 import { writeFile } from "fs/promises";
@@ -23,7 +24,7 @@ var VerimuError = class extends Error {
 var NoLockfileError = class extends VerimuError {
   constructor(projectPath) {
     super(
-      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby)`,
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer)`,
       "NO_LOCKFILE"
     );
     this.name = "NoLockfileError";
@@ -58,11 +59,11 @@ var NpmScanner = class {
     const directNames = /* @__PURE__ */ new Set();
     if (packageJsonRaw) {
       try {
-        const pkg = JSON.parse(packageJsonRaw);
-        for (const name of Object.keys(pkg.dependencies ?? {})) {
+        const pkg2 = JSON.parse(packageJsonRaw);
+        for (const name of Object.keys(pkg2.dependencies ?? {})) {
           directNames.add(name);
         }
-        for (const name of Object.keys(pkg.devDependencies ?? {})) {
+        for (const name of Object.keys(pkg2.devDependencies ?? {})) {
           directNames.add(name);
         }
       } catch {
@@ -230,14 +231,14 @@ var CargoScanner = class {
     const directNames = cargoTomlRaw ? this.parseCargoToml(cargoTomlRaw) : /* @__PURE__ */ new Set();
     const rootName = packages.length > 0 ? packages[0].name : null;
     const dependencies = [];
-    for (const pkg of packages) {
-      if (pkg.name === rootName && pkg.source === void 0) continue;
+    for (const pkg2 of packages) {
+      if (pkg2.name === rootName && pkg2.source === void 0) continue;
       dependencies.push({
-        name: pkg.name,
-        version: pkg.version,
-        direct: directNames.has(pkg.name),
+        name: pkg2.name,
+        version: pkg2.version,
+        direct: directNames.has(pkg2.name),
         ecosystem: "cargo",
-        purl: this.buildPurl(pkg.name, pkg.version)
+        purl: this.buildPurl(pkg2.name, pkg2.version)
       });
     }
     return {
@@ -315,7 +316,7 @@ import { existsSync as existsSync4 } from "fs";
 import path4 from "path";
 var PipScanner = class {
   ecosystem = "pip";
-  lockfileNames = ["requirements.txt", "Pipfile.lock"];
+  lockfileNames = ["Pipfile.lock", "requirements.txt"];
   async detect(projectPath) {
     for (const lockfile of this.lockfileNames) {
       const fullPath = path4.join(projectPath, lockfile);
@@ -330,7 +331,7 @@ var PipScanner = class {
     if (filename === "Pipfile.lock") {
       dependencies = this.parsePipfileLock(raw, lockfilePath);
     } else {
-      dependencies = this.parseRequirementsTxt(raw, lockfilePath);
+      dependencies = await this.parseRequirementsTxt(raw, lockfilePath);
     }
     return {
       projectPath,
@@ -344,24 +345,43 @@ var PipScanner = class {
    * Parses `requirements.txt` format.
    *
    * Supports:
-   *   - `package==1.2.3` (pinned)
-   *   - `package>=1.2.0` (minimum — uses the specified version)
-   *   - `package~=1.2.0` (compatible release)
+   *   - `package==1.2.3` (pinned) — REQUIRED
    *   - Comments (`#`) and blank lines are skipped
-   *   - `-r other-file.txt` (include directive) — skipped for now
+   *   - `-r other-file.txt` (include directive) — recursively parsed
    *   - `--index-url` and other pip flags — skipped
+   *
+   * Throws if any dependency is not strictly pinned with ==.
+   * Use `pip freeze` to generate a properly pinned requirements.txt.
    */
-  parseRequirementsTxt(content, lockfilePath) {
+  async parseRequirementsTxt(content, lockfilePath, visited = /* @__PURE__ */ new Set()) {
     const deps = [];
+    const currentDir = path4.dirname(lockfilePath);
+    const normalizedPath = path4.resolve(lockfilePath);
+    if (visited.has(normalizedPath)) {
+      return deps;
+    }
+    visited.add(normalizedPath);
     for (const rawLine of content.split("\n")) {
       const line = rawLine.trim();
-      if (!line || line.startsWith("#") || line.startsWith("-") || line.startsWith("--")) {
+      if (!line || line.startsWith("#")) {
         continue;
       }
-      const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*(?:[~=!<>]=?)\s*(.+)$/);
-      if (match) {
-        const [, name, versionSpec] = match;
-        const version = this.extractVersion(versionSpec);
+      const includeMatch = line.match(/^-r\s+(.+)$/) || line.match(/^--requirement\s+(.+)$/);
+      if (includeMatch) {
+        const includePath = path4.resolve(currentDir, includeMatch[1].trim());
+        if (existsSync4(includePath)) {
+          const includeContent = await readFile4(includePath, "utf-8");
+          const includedDeps = await this.parseRequirementsTxt(includeContent, includePath, visited);
+          deps.push(...includedDeps);
+        }
+        continue;
+      }
+      if (line.startsWith("-") || line.startsWith("--")) {
+        continue;
+      }
+      const pinnedMatch = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*==\s*([^,\s]+)$/);
+      if (pinnedMatch) {
+        const [, name, version] = pinnedMatch;
         if (name && version) {
           deps.push({
             name: this.normalizePipName(name),
@@ -372,6 +392,14 @@ var PipScanner = class {
             purl: this.buildPurl(name, version)
           });
         }
+        continue;
+      }
+      const depMatch = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*([~=!<>].*)$/);
+      if (depMatch) {
+        throw new LockfileParseError(
+          lockfilePath,
+          `Non-pinned dependency detected: "${line}". Use pip freeze or Pipfile.lock.`
+        );
       }
     }
     return deps;
@@ -430,15 +458,6 @@ var PipScanner = class {
     }
     return deps;
   }
-  /**
-   * Extracts the version number from a pip version specifier.
-   * "1.2.3" → "1.2.3"
-   * "1.2.3,<2.0" → "1.2.3"
-   */
-  extractVersion(spec) {
-    const cleaned = spec.split(",")[0].trim();
-    return cleaned;
-  }
   /**
    * Normalizes a pip package name per PEP 503.
    * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
@@ -473,61 +492,88 @@ var MavenScanner = class {
     return existsSync5(pomPath) ? pomPath : null;
   }
   async scan(projectPath, _lockfilePath) {
+    const pomPath = path5.join(projectPath, "pom.xml");
+    const pomContent = await readFile5(pomPath, "utf-8").catch(() => null);
+    const directDeps = pomContent ? this.parsePomDependencies(pomContent) : /* @__PURE__ */ new Set();
     const depTreePath = path5.join(projectPath, "dependency-tree.txt");
     if (existsSync5(depTreePath)) {
       const content = await readFile5(depTreePath, "utf-8");
-      const dependencies = this.parseDependencyList(content, depTreePath);
+      const dependencies = this.parseDependencyList(content, directDeps);
       return this.buildResult(projectPath, depTreePath, dependencies);
     }
     if (this.isMavenAvailable()) {
       const output = this.runMavenDependencyList(projectPath);
-      const dependencies = this.parseDependencyList(output, "mvn dependency:list");
-      return this.buildResult(projectPath, path5.join(projectPath, "pom.xml"), dependencies);
+      const dependencies = this.parseDependencyList(output, directDeps);
+      return this.buildResult(projectPath, pomPath, dependencies);
     }
     throw new LockfileParseError(
-      path5.join(projectPath, "pom.xml"),
+      pomPath,
       "Maven project detected (pom.xml found) but could not resolve dependencies. Either install Maven (`mvn` must be on $PATH) or pre-generate a dependency list:\n  mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true"
     );
   }
+  /**
+   * Parses pom.xml to extract direct dependency coordinates (groupId:artifactId).
+   * This is a simple regex-based parser that handles standard dependency declarations.
+   */
+  parsePomDependencies(pomContent) {
+    const directDeps = /* @__PURE__ */ new Set();
+    const depBlockRegex = /<dependency>\s*([\s\S]*?)<\/dependency>/g;
+    const groupIdRegex = /<groupId>\s*([^<]+)\s*<\/groupId>/;
+    const artifactIdRegex = /<artifactId>\s*([^<]+)\s*<\/artifactId>/;
+    let match;
+    while ((match = depBlockRegex.exec(pomContent)) !== null) {
+      const block = match[1];
+      const groupMatch = block.match(groupIdRegex);
+      const artifactMatch = block.match(artifactIdRegex);
+      if (groupMatch && artifactMatch) {
+        const groupId = groupMatch[1].trim();
+        const artifactId = artifactMatch[1].trim();
+        directDeps.add(`${groupId}:${artifactId}`);
+      }
+    }
+    return directDeps;
+  }
   /**
    * Parses Maven `dependency:list` output.
    *
    * Each dependency line has the format:
-   *   groupId:artifactId:type:version:scope
-   *   groupId:artifactId:type:classifier:version:scope
+   *   groupId:artifactId:type:version:scope (5 parts)
+   *   groupId:artifactId:type:classifier:version:scope (6 parts)
    *
    * Lines are typically indented with leading whitespace.
    */
-  parseDependencyList(content, source) {
+  parseDependencyList(content, directDeps) {
     const deps = [];
-    const depPattern = /^\s*([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]+):([a-z]+):(?:([a-zA-Z0-9._-]+):)?([a-zA-Z0-9._-]+):([a-z]+)/;
+    const seen = /* @__PURE__ */ new Set();
     for (const rawLine of content.split("\n")) {
       const line = rawLine.trim();
       if (!line) continue;
-      const match = line.match(depPattern);
-      if (match) {
-        const groupId = match[1];
-        const artifactId = match[2];
-        const version = match[4] && match[5] ? match[5] : match[4] ?? match[5];
-        const scope = match[4] && match[5] ? match[6] : match[5] && match[6] ? match[6] : match[5];
-        const parts = line.split(":");
-        if (parts.length >= 5) {
-          const gId = parts[0].trim();
-          const aId = parts[1];
-          const ver = parts.length === 6 ? parts[4] : parts[3];
-          const scp = parts.length === 6 ? parts[5] : parts[4];
-          if (gId && aId && ver) {
-            const name = `${gId}:${aId}`;
-            deps.push({
-              name,
-              version: ver,
-              direct: scp === "compile" || scp === "runtime" || scp === "provided",
-              ecosystem: "maven",
-              purl: this.buildPurl(gId, aId, ver)
-            });
-          }
-        }
+      const parts = line.split(":");
+      if (parts.length < 5) continue;
+      const groupId = parts[0];
+      const artifactId = parts[1];
+      let version;
+      let scope;
+      if (parts.length >= 6) {
+        version = parts[4];
+        scope = parts[5];
+      } else {
+        version = parts[3];
+        scope = parts[4];
       }
+      if (!groupId || !artifactId || !version) continue;
+      if (scope === "test") continue;
+      const name = `${groupId}:${artifactId}`;
+      if (seen.has(name)) continue;
+      seen.add(name);
+      const isDirect = directDeps.has(name);
+      deps.push({
+        name,
+        version,
+        direct: isDirect,
+        ecosystem: "maven",
+        purl: this.buildPurl(groupId, artifactId, version)
+      });
     }
     return deps;
   }
@@ -811,6 +857,75 @@ var RubyScanner = class {
   }
 };
 
+// src/scanners/composer/composer-scanner.ts
+import { readFile as readFile8 } from "fs/promises";
+import { existsSync as existsSync8 } from "fs";
+import path8 from "path";
+var ComposerScanner = class {
+  ecosystem = "composer";
+  lockfileNames = ["composer.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path8.join(projectPath, "composer.lock");
+    return existsSync8(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockRaw, manifestRaw] = await Promise.all([
+      readFile8(lockfilePath, "utf-8"),
+      readFile8(path8.join(projectPath, "composer.json"), "utf-8").catch(() => null)
+    ]);
+    const directNames = manifestRaw ? this.parseComposerManifest(manifestRaw) : null;
+    const dependencies = this.parseComposerLock(lockRaw, lockfilePath, directNames);
+    return {
+      projectPath,
+      ecosystem: "composer",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  parseComposerLock(content, lockfilePath, directNames) {
+    let lock;
+    try {
+      lock = JSON.parse(content);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON in composer.lock");
+    }
+    const allPackages = [...lock.packages ?? [], ...lock["packages-dev"] ?? []];
+    if (allPackages.length === 0) {
+      throw new LockfileParseError(lockfilePath, "No packages found in composer.lock");
+    }
+    return allPackages.filter((pkg2) => pkg2.name && pkg2.version).map((pkg2) => ({
+      name: pkg2.name,
+      version: this.normalizeVersion(pkg2.version),
+      direct: directNames ? directNames.has(pkg2.name) : true,
+      ecosystem: "composer",
+      purl: this.buildPurl(pkg2.name, this.normalizeVersion(pkg2.version))
+    }));
+  }
+  parseComposerManifest(content) {
+    let manifest;
+    try {
+      manifest = JSON.parse(content);
+    } catch {
+      return /* @__PURE__ */ new Set();
+    }
+    const names = /* @__PURE__ */ new Set();
+    for (const section of [manifest.require ?? {}, manifest["require-dev"] ?? {}]) {
+      for (const name of Object.keys(section)) {
+        if (name === "php" || name.startsWith("ext-") || name.startsWith("lib-")) continue;
+        names.add(name);
+      }
+    }
+    return names;
+  }
+  normalizeVersion(version) {
+    return version.trim();
+  }
+  buildPurl(name, version) {
+    return `pkg:composer/${name}@${version}`;
+  }
+};
+
 // src/scanners/registry.ts
 var ScannerRegistry = class {
   scanners;
@@ -822,7 +937,8 @@ var ScannerRegistry = class {
       new PipScanner(),
       new MavenScanner(),
       new GoScanner(),
-      new RubyScanner()
+      new RubyScanner(),
+      new ComposerScanner()
     ];
   }
   /**
@@ -983,7 +1099,10 @@ var OsvSource = class {
     }
     return allVulns;
   }
-  /** Uses OSV's /querybatch endpoint for efficient bulk lookups */
+  /**
+   * Uses OSV's /querybatch endpoint to get vulnerability IDs,
+   * then fetches full details for each unique vulnerability.
+   */
   async queryBatch(dependencies) {
     const queries = dependencies.map((dep) => ({
       version: dep.version,
@@ -1001,18 +1120,65 @@ var OsvSource = class {
       throw new Error(`OSV API error: ${response.status} ${response.statusText}`);
     }
     const data = await response.json();
-    const vulnerabilities = [];
+    const vulnIdToDeps = /* @__PURE__ */ new Map();
     for (let i = 0; i < data.results.length; i++) {
       const result = data.results[i];
       const dep = dependencies[i];
       if (result.vulns && result.vulns.length > 0) {
         for (const vuln of result.vulns) {
-          vulnerabilities.push(this.mapVulnerability(vuln, dep));
+          const existing = vulnIdToDeps.get(vuln.id);
+          if (existing) {
+            existing.push(dep);
+          } else {
+            vulnIdToDeps.set(vuln.id, [dep]);
+          }
         }
       }
     }
+    if (vulnIdToDeps.size === 0) {
+      return [];
+    }
+    const vulnIds = Array.from(vulnIdToDeps.keys());
+    const fullVulns = await this.fetchVulnerabilityDetails(vulnIds);
+    const vulnerabilities = [];
+    for (const osvVuln of fullVulns) {
+      const affectedDeps = vulnIdToDeps.get(osvVuln.id) ?? [];
+      for (const dep of affectedDeps) {
+        vulnerabilities.push(this.mapVulnerability(osvVuln, dep));
+      }
+    }
     return vulnerabilities;
   }
+  /**
+   * Fetches full vulnerability details from /v1/vulns/{id} for each ID.
+   * Makes parallel requests for efficiency.
+   */
+  async fetchVulnerabilityDetails(vulnIds) {
+    const results = [];
+    const CONCURRENCY = 10;
+    for (let i = 0; i < vulnIds.length; i += CONCURRENCY) {
+      const batch = vulnIds.slice(i, i + CONCURRENCY);
+      const promises = batch.map(async (id) => {
+        try {
+          const response = await this.fetchFn(`${OSV_API_BASE}/vulns/${encodeURIComponent(id)}`, {
+            method: "GET",
+            headers: { "Content-Type": "application/json" }
+          });
+          if (!response.ok) {
+            console.warn(`Failed to fetch vulnerability ${id}: ${response.status}`);
+            return null;
+          }
+          return await response.json();
+        } catch (err) {
+          console.warn(`Error fetching vulnerability ${id}:`, err);
+          return null;
+        }
+      });
+      const batchResults = await Promise.all(promises);
+      results.push(...batchResults.filter((v) => v !== null));
+    }
+    return results;
+  }
   /** Maps an OSV vulnerability record to our Vulnerability type */
   mapVulnerability(osvVuln, dep) {
     const cveId = this.extractCveId(osvVuln);
@@ -1063,12 +1229,75 @@ var OsvSource = class {
     }
     return { level: "UNKNOWN" };
   }
-  /** Parses CVSS v3 vector string to extract the base score */
+  /** Parses CVSS v3 vector string to extract/calculate the base score */
   parseCvssScore(vectorOrScore) {
     const num = parseFloat(vectorOrScore);
     if (!isNaN(num) && num >= 0 && num <= 10) return num;
+    if (vectorOrScore.startsWith("CVSS:3")) {
+      return this.calculateCvss3Score(vectorOrScore);
+    }
     return null;
   }
+  /** Calculate CVSS v3.x base score from vector string */
+  calculateCvss3Score(vector) {
+    const metricValues = {
+      AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
+      // Attack Vector
+      AC: { L: 0.77, H: 0.44 },
+      // Attack Complexity
+      PR: {
+        // Privileges Required (varies by Scope)
+        N_U: 0.85,
+        L_U: 0.62,
+        H_U: 0.27,
+        N_C: 0.85,
+        L_C: 0.68,
+        H_C: 0.5
+      },
+      UI: { N: 0.85, R: 0.62 },
+      // User Interaction
+      C: { H: 0.56, L: 0.22, N: 0 },
+      // Confidentiality Impact
+      I: { H: 0.56, L: 0.22, N: 0 },
+      // Integrity Impact
+      A: { H: 0.56, L: 0.22, N: 0 }
+      // Availability Impact
+    };
+    const parts = vector.split("/");
+    const metrics = {};
+    for (const part of parts) {
+      const [key, value] = part.split(":");
+      if (key && value) metrics[key] = value;
+    }
+    const av = metricValues.AV[metrics.AV];
+    const ac = metricValues.AC[metrics.AC];
+    const ui = metricValues.UI[metrics.UI];
+    const scope = metrics.S;
+    const c = metricValues.C[metrics.C];
+    const i = metricValues.I[metrics.I];
+    const a = metricValues.A[metrics.A];
+    const prKey = `${metrics.PR}_${scope}`;
+    const pr = metricValues.PR[prKey];
+    if ([av, ac, pr, ui, c, i, a].some((v) => v === void 0)) {
+      return null;
+    }
+    const iss = 1 - (1 - c) * (1 - i) * (1 - a);
+    let impact;
+    if (scope === "U") {
+      impact = 6.42 * iss;
+    } else {
+      impact = 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
+    }
+    const exploitability = 8.22 * av * ac * pr * ui;
+    if (impact <= 0) return 0;
+    let baseScore;
+    if (scope === "U") {
+      baseScore = Math.min(impact + exploitability, 10);
+    } else {
+      baseScore = Math.min(1.08 * (impact + exploitability), 10);
+    }
+    return Math.ceil(baseScore * 10) / 10;
+  }
   /** Converts a CVSS score (0-10) to a severity level */
   scoreToSeverity(score) {
     if (score >= 9) return "CRITICAL";
@@ -1118,7 +1347,8 @@ var OsvSource = class {
       maven: "Maven",
       pip: "PyPI",
       go: "Go",
-      ruby: "RubyGems"
+      ruby: "RubyGems",
+      composer: "Packagist"
     };
     return map[ecosystem] ?? ecosystem;
   }
@@ -1347,7 +1577,8 @@ var VerimuApiClient = class {
       nuget: "nuget",
       go: "gomod",
       cargo: "cargo",
-      ruby: "bundler"
+      ruby: "bundler",
+      composer: "composer"
     };
     return map[eco] ?? eco;
   }
@@ -1441,7 +1672,9 @@ function shouldFailCi(report, threshold) {
 }
 
 // src/cli.ts
-var VERSION = "0.0.3";
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../package.json");
+var VERSION = pkg.version ?? "0.0.0";
 var BRAND = `
   \u2566  \u2566\u250C\u2500\u2510\u252C\u2500\u2510\u252C\u250C\u252C\u2510\u252C \u252C
   \u255A\u2557\u2554\u255D\u251C\u2524 \u251C\u252C\u2518\u2502\u2502\u2502\u2502\u2502 \u2502
@@ -1603,7 +1836,7 @@ function printHelp() {
     npm (package-lock.json)         pip (requirements.txt)
     Maven (pom.xml)                 NuGet (packages.lock.json)
     Cargo (Cargo.lock)              Go (go.sum)
-    Ruby (Gemfile.lock)
+    Ruby (Gemfile.lock)             Composer (composer.lock)
 
   Learn more: https://verimu.com
   Dashboard: https://app.verimu.com