feat: display vulunerability info (#16)

9romise · web-flow · commit f95cc0b7966d · 2026-02-02T15:59:53.000+08:00
* init

* done
diff --git a/src/providers/diagnostics/index.ts b/src/providers/diagnostics/index.ts
@@ -10,6 +10,7 @@ import { languages } from 'vscode'
 import { displayName } from '../../generated-meta'
 import { checkDeprecation } from './rules/deprecation'
 import { checkReplacement } from './rules/replacement'
+import { checkVulnerability } from './rules/vulnerability'
 
 export interface NodeDiagnosticInfo extends Pick<Diagnostic, 'message' | 'severity'> {
   node: ValidNode
@@ -19,6 +20,7 @@ export type DiagnosticRule = (dep: DependencyInfo, pkg: ResolvedPackument) => Aw
 const rules: DiagnosticRule[] = [
   checkDeprecation,
   checkReplacement,
+  checkVulnerability,
 ]
 
 export function registerDiagnosticCollection(mapping: Record<string, Extractor | undefined>) {
diff --git a/src/providers/diagnostics/rules/vulnerability.ts b/src/providers/diagnostics/rules/vulnerability.ts
@@ -0,0 +1,46 @@
+import type { OsvSeverityLevel } from '#utils/npmx'
+import type { DiagnosticRule } from '..'
+import { getVulnerability, SEVERITY_LEVELS } from '#utils/npmx'
+import { extractVersion } from '#utils/version'
+import { DiagnosticSeverity } from 'vscode'
+
+const DIAGNOSTIC_MAPPING: Record<Exclude<OsvSeverityLevel, 'unknown'>, DiagnosticSeverity> = {
+  critical: DiagnosticSeverity.Error,
+  high: DiagnosticSeverity.Warning,
+  moderate: DiagnosticSeverity.Information,
+  low: DiagnosticSeverity.Hint,
+}
+
+export const checkVulnerability: DiagnosticRule = async (dep, pkg) => {
+  const exactVersion = extractVersion(dep.version)
+  const versionInfo = pkg.versions[exactVersion]
+
+  if (!versionInfo)
+    return
+
+  const { totalCounts } = await getVulnerability({ name: dep.name, version: versionInfo.version })
+
+  const message: string[] = []
+  let severity: DiagnosticSeverity | null = null
+
+  for (const s of SEVERITY_LEVELS) {
+    const count = totalCounts[s]
+
+    if (count <= 0)
+      continue
+
+    if (!severity)
+      severity = DIAGNOSTIC_MAPPING[s]
+
+    message.push(`${count} ${s}`)
+  }
+
+  if (!message.length)
+    return
+
+  return {
+    node: dep.versionNode,
+    message: `This version has ${message.join(', ')} ${message.length === 1 ? 'vulnerability' : 'vulnerabilities'}`,
+    severity: DiagnosticSeverity.Error,
+  }
+}
diff --git a/src/utils/npmx.ts b/src/utils/npmx.ts
@@ -7,12 +7,110 @@ import { encodePackageName } from './npm'
 export const NPMX_DEV_API = 'https://npmx.dev/api'
 
 export const getReplacement = memoize<string, Promise<ModuleReplacement>>(async (name) => {
-  logger.info(`Fetching replacement for ${name}`)
+  logger.info(`Fetching replacements for ${name}`)
   const encodedName = encodePackageName(name)
 
   const result = await ofetch<ModuleReplacement>(`${NPMX_DEV_API}/replacements/${encodedName}`)
-    // Fallback for cache compatibility (LRUCache rejects null/undefined)
-    ?? {}
-  logger.info(`Fetched replacement for ${name}`)
+  logger.info(`Fetched replacements for ${name}`)
+
+  return result
+})
+
+/**
+ * Severity levels in priority order (highest first)
+ */
+export const SEVERITY_LEVELS = ['critical', 'high', 'moderate', 'low'] as const
+
+/**
+ * Severity level derived from CVSS score
+ */
+export type OsvSeverityLevel = (typeof SEVERITY_LEVELS)[number] | 'unknown'
+
+/**
+ * Simplified vulnerability info for display
+ */
+export interface VulnerabilitySummary {
+  id: string
+  summary: string
+  severity: OsvSeverityLevel
+  aliases: string[]
+  url: string
+}
+
+/** Depth in dependency tree */
+export type DependencyDepth = 'root' | 'direct' | 'transitive'
+
+/**
+ * Vulnerability info for a single package in the tree
+ */
+export interface PackageVulnerabilityInfo {
+  name: string
+  version: string
+  /** Depth in dependency tree: root (0), direct (1), transitive (2+) */
+  depth: DependencyDepth
+  /** Dependency path from root package */
+  path: string[]
+  vulnerabilities: VulnerabilitySummary[]
+  counts: {
+    total: number
+    critical: number
+    high: number
+    moderate: number
+    low: number
+  }
+}
+
+/**
+ * Deprecated package info in the dependency tree
+ */
+export interface DeprecatedPackageInfo {
+  name: string
+  version: string
+  /** Depth in dependency tree: root (0), direct (1), transitive (2+) */
+  depth: DependencyDepth
+  /** Dependency path from root package */
+  path: string[]
+  /** Deprecation message */
+  message: string
+}
+
+/**
+ * Result of dependency tree analysis
+ */
+export interface VulnerabilityTreeResult {
+  /** Root package name */
+  package: string
+  /** Root package version */
+  version: string
+  /** All packages with vulnerabilities in the tree */
+  vulnerablePackages: PackageVulnerabilityInfo[]
+  /** All deprecated packages in the tree */
+  deprecatedPackages: DeprecatedPackageInfo[]
+  /** Total packages analyzed */
+  totalPackages: number
+  /** Number of packages that could not be checked (OSV query failed) */
+  failedQueries: number
+  /** Aggregated counts across all packages */
+  totalCounts: {
+    total: number
+    critical: number
+    high: number
+    moderate: number
+    low: number
+  }
+}
+
+export const getVulnerability = memoize<{
+  name: string
+  version: string
+}, Promise<VulnerabilityTreeResult>>(async ({ name, version }) => {
+  logger.info(`Fetching vulnerabilities for ${name}`)
+  const encodedName = encodePackageName(name)
+
+  const result = await ofetch(`${NPMX_DEV_API}/registry/vulnerabilities/${encodedName}/v/${version}`)
+  logger.info(`Fetched vulnerabilities for ${name}`)
+
   return result
+}, {
+  getKey: ({ name: packageName, version }) => `${packageName}:${version}`,
 })
