update

package/node_modules/npm-audit-report/LICENSE

@@ -0,0 +1,16 @@
+ISC License
+
+Copyright (c) npm, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS
+ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+USE OR PERFORMANCE OF THIS SOFTWARE.

package/node_modules/npm-audit-report/lib/colors.js

@@ -0,0 +1,22 @@
+module.exports = (chalk) => {
+  const green = s => chalk.green.bold(s)
+  const red = s => chalk.red.bold(s)
+  const magenta = s => chalk.magenta.bold(s)
+  const yellow = s => chalk.yellow.bold(s)
+  const white = s => chalk.bold(s)
+  const severity = (sev, s) => sev.toLowerCase() === 'moderate' ? yellow(s || sev)
+    : sev.toLowerCase() === 'high' ? red(s || sev)
+    : sev.toLowerCase() === 'critical' ? magenta(s || sev)
+    : white(s || sev)
+  const dim = s => chalk.dim(s)
+
+  return {
+    dim,
+    green,
+    red,
+    magenta,
+    yellow,
+    white,
+    severity,
+  }
+}

package/node_modules/npm-audit-report/lib/exit-code.js

@@ -0,0 +1,14 @@
+// return 1 if any vulns in the set are at or above the specified severity
+const severities = new Map(Object.entries([
+  'info',
+  'low',
+  'moderate',
+  'high',
+  'critical',
+  'none',
+]).map(s => s.reverse()))
+
+module.exports = (data, level) =>
+  Object.entries(data.metadata.vulnerabilities)
+    .some(([sev, count]) => count > 0 && severities.has(sev) &&
+      severities.get(sev) >= severities.get(level)) ? 1 : 0

package/node_modules/npm-audit-report/lib/index.js

@@ -0,0 +1,41 @@
+'use strict'
+
+const reporters = {
+  install: require('./reporters/install'),
+  detail: require('./reporters/detail'),
+  json: require('./reporters/json'),
+  quiet: require('./reporters/quiet'),
+}
+
+const exitCode = require('./exit-code.js')
+
+module.exports = Object.assign((data, options = {}) => {
+  const {
+    reporter = 'install',
+    chalk,
+    unicode = true,
+    indent = 2,
+  } = options
+
+  // CLI defaults this to `null` so the defaulting method above doesn't work
+  const auditLevel = options.auditLevel || 'low'
+
+  if (!data) {
+    throw Object.assign(
+      new TypeError('ENOAUDITDATA'),
+      {
+        code: 'ENOAUDITDATA',
+        message: 'missing audit data',
+      }
+    )
+  }
+
+  if (typeof data.toJSON === 'function') {
+    data = data.toJSON()
+  }
+
+  return {
+    report: reporters[reporter](data, { chalk, unicode, indent }),
+    exitCode: exitCode(data, auditLevel),
+  }
+}, { reporters })

package/node_modules/npm-audit-report/lib/reporters/detail.js

@@ -0,0 +1,86 @@
+'use strict'
+
+const colors = require('../colors.js')
+const install = require('./install.js')
+
+module.exports = (data, { chalk }) => {
+  const summary = install.summary(data, { chalk })
+  const none = data.metadata.vulnerabilities.total === 0
+  return none ? summary : fullReport(data, { chalk, summary })
+}
+
+const fullReport = (data, { chalk, summary }) => {
+  const c = colors(chalk)
+  const output = [c.white('# npm audit report'), '']
+
+  const printed = new Set()
+  for (const [, vuln] of Object.entries(data.vulnerabilities)) {
+    // only print starting from the top-level advisories
+    if (vuln.via.filter(v => typeof v !== 'string').length !== 0) {
+      output.push(printVuln(vuln, c, data.vulnerabilities, printed))
+    }
+  }
+
+  output.push(summary)
+
+  return output.join('\n')
+}
+
+const printVuln = (vuln, c, vulnerabilities, printed, indent = '') => {
+  if (printed.has(vuln)) {
+    return null
+  }
+
+  printed.add(vuln)
+  const output = []
+
+  output.push(c.white(vuln.name) + '  ' + vuln.range)
+
+  if (indent === '' && (vuln.severity !== 'low' || vuln.severity === 'info')) {
+    output.push(`Severity: ${c.severity(vuln.severity)}`)
+  }
+
+  for (const via of vuln.via) {
+    if (typeof via === 'string') {
+      output.push(`Depends on vulnerable versions of ${c.white(via)}`)
+    } else if (indent === '') {
+      output.push(`${c.white(via.title)} - ${via.url}`)
+    }
+  }
+
+  if (indent === '') {
+    const { fixAvailable: fa } = vuln
+    if (fa === false) {
+      output.push(c.red('No fix available'))
+    } else if (fa === true) {
+      output.push(c.green('fix available') + ' via `npm audit fix`')
+    } else {
+      /* istanbul ignore else - should be impossible, just being cautious */
+      if (typeof fa === 'object' && indent === '') {
+        output.push(
+          `${c.yellow('fix available')} via \`npm audit fix --force\``,
+          `Will install ${fa.name}@${fa.version}` +
+          `, which is ${fa.isSemVerMajor ? 'a breaking change' :
+            'outside the stated dependency range'}`
+        )
+      }
+    }
+  }
+
+  for (const path of vuln.nodes) {
+    output.push(c.dim(path))
+  }
+
+  for (const effect of vuln.effects) {
+    const e = printVuln(vulnerabilities[effect], c, vulnerabilities, printed, '  ')
+    if (e) {
+      output.push(...e.split('\n'))
+    }
+  }
+
+  if (indent === '') {
+    output.push('')
+  }
+
+  return output.map(l => `${indent}${l}`).join('\n')
+}

package/node_modules/npm-audit-report/lib/reporters/install.js

@@ -0,0 +1,75 @@
+const colors = require('../colors.js')
+
+const calculate = (data, { chalk }) => {
+  const c = colors(chalk)
+  const output = []
+  const { metadata: { vulnerabilities } } = data
+  const vulnCount = vulnerabilities.total
+
+  let someFixable = false
+  let someForceFixable = false
+  let forceFixSemVerMajor = false
+  let someUnfixable = false
+
+  if (vulnCount === 0) {
+    output.push(`found ${c.green('0')} vulnerabilities`)
+  } else {
+    for (const [, vuln] of Object.entries(data.vulnerabilities)) {
+      const { fixAvailable } = vuln
+      someFixable = someFixable || fixAvailable === true
+      someUnfixable = someUnfixable || fixAvailable === false
+      if (typeof fixAvailable === 'object') {
+        someForceFixable = true
+        forceFixSemVerMajor = forceFixSemVerMajor || fixAvailable.isSemVerMajor
+      }
+    }
+    const total = vulnerabilities.total
+    const sevs = Object.entries(vulnerabilities).filter(([s, count]) => {
+      return (s === 'low' || s === 'moderate' || s === 'high' || s === 'critical') &&
+        count > 0
+    })
+
+    if (sevs.length > 1) {
+      const severities = sevs.map(([s, count]) => {
+        return `${count} ${c.severity(s)}`
+      }).join(', ')
+      output.push(`${c.red(total)} vulnerabilities (${severities})`)
+    } else {
+      const [sev, count] = sevs[0]
+      output.push(`${count} ${c.severity(sev)} severity vulnerabilit${count === 1 ? 'y' : 'ies'}`)
+    }
+
+    // XXX use a different footer line if some aren't fixable easily.
+    // just 'run `npm audit` for details' maybe?
+
+    if (someFixable) {
+      output.push('', 'To address ' +
+        (someForceFixable || someUnfixable ? 'issues that do not require attention'
+        : 'all issues') + ', run:\n  npm audit fix')
+    }
+
+    if (someForceFixable) {
+      output.push('', 'To address all issues' +
+        (someUnfixable ? ' possible' : '') +
+        (forceFixSemVerMajor ? ' (including breaking changes)' : '') +
+        ', run:\n  npm audit fix --force')
+    }
+
+    if (someUnfixable) {
+      output.push('',
+        'Some issues need review, and may require choosing',
+        'a different dependency.')
+    }
+  }
+
+  const summary = output.join('\n')
+  return {
+    summary,
+    report: vulnCount > 0 ? `${summary}\n\nRun \`npm audit\` for details.`
+    : summary,
+  }
+}
+
+module.exports = Object.assign((data, opt) => calculate(data, opt).report, {
+  summary: (data, opt) => calculate(data, opt).summary,
+})

package/node_modules/npm-audit-report/lib/reporters/json.js

@@ -0,0 +1 @@
+module.exports = (data, { indent }) => JSON.stringify(data, null, indent)

package/node_modules/npm-audit-report/lib/reporters/quiet.js

@@ -0,0 +1 @@
+module.exports = () => ''

package/node_modules/npm-audit-report/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "npm-audit-report",
+  "version": "5.0.0",
+  "description": "Given a response from the npm security api, render it into a variety of security reports",
+  "main": "lib/index.js",
+  "scripts": {
+    "test": "tap",
+    "snap": "tap",
+    "lint": "eslint \"**/*.js\"",
+    "postlint": "template-oss-check",
+    "template-oss-apply": "template-oss-apply --force",
+    "lintfix": "npm run lint -- --fix",
+    "posttest": "npm run lint"
+  },
+  "tap": {
+    "check-coverage": true,
+    "coverage-map": "map.js",
+    "nyc-arg": [
+      "--exclude",
+      "tap-snapshots/**"
+    ]
+  },
+  "keywords": [
+    "npm",
+    "security",
+    "report",
+    "audit"
+  ],
+  "author": "GitHub Inc.",
+  "license": "ISC",
+  "devDependencies": {
+    "@npmcli/eslint-config": "^4.0.0",
+    "@npmcli/template-oss": "4.14.1",
+    "chalk": "^5.2.0",
+    "tap": "^16.0.0"
+  },
+  "directories": {
+    "lib": "lib",
+    "test": "test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/npm/npm-audit-report.git"
+  },
+  "bugs": {
+    "url": "https://github.com/npm/npm-audit-report/issues"
+  },
+  "homepage": "https://github.com/npm/npm-audit-report#readme",
+  "files": [
+    "bin/",
+    "lib/"
+  ],
+  "engines": {
+    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+  },
+  "templateOSS": {
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "version": "4.14.1"
+  }
+}