class Importmap::Npm

def find_latest_version(response)

def find_latest_version(response)
  latest_version = response.dig('dist-tags', 'latest')
  return latest_version if latest_version
  return unless response['versions']
  response['versions'].keys.map { |v| Gem::Version.new(v) rescue nil }.compact.sort.last
end

def get_audit

def get_audit
  uri = self.class.base_uri.dup
  uri.path = "/-/npm/v1/security/advisories/bulk"
  body = packages_with_versions.each.with_object({}) { |(package, version), data|
    data[package] ||= []
    data[package] << version
  }
  return {} if body.empty?
  response = post_json(uri, body)
  JSON.parse(response.body)
end

def get_json(uri)

def get_json(uri)
  request = Net::HTTP::Get.new(uri)
  request["Content-Type"] = "application/json"
  response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http|
    http.request(request)
  }
  response.body
rescue => error
  raise HTTPError, "Unexpected transport error (#{error.class}: #{error.message})"
end

def get_package(package)

def get_package(package)
  uri = self.class.base_uri.dup
  uri.path = "/" + package
  response = get_json(uri)
  JSON.parse(response)
rescue JSON::ParserError
  nil
end

def importmap

def importmap
  @importmap ||= File.read(@importmap_path)
end

def initialize(importmap_path = "config/importmap.rb")

def initialize(importmap_path = "config/importmap.rb")
  @importmap_path = Pathname.new(importmap_path)
end

def outdated?(current_version, latest_version)

def outdated?(current_version, latest_version)
  Gem::Version.new(current_version) < Gem::Version.new(latest_version)
rescue ArgumentError
  current_version.to_s < latest_version.to_s
end

def outdated_packages

def outdated_packages
  packages_with_versions.each.with_object([]) do |(package, current_version), outdated_packages|
    outdated_package = OutdatedPackage.new(name: package,
                                           current_version: current_version)
    if !(response = get_package(package))
      outdated_package.error = 'Response error'
    elsif (error = response['error'])
      outdated_package.error = error
    else
      latest_version = find_latest_version(response)
      next unless outdated?(current_version, latest_version)
      outdated_package.latest_version = latest_version
    end
    outdated_packages << outdated_package
  end.sort_by(&:name)
end

def packages_with_versions

def packages_with_versions
  # We cannot use the name after "pin" because some dependencies are loaded from inside packages
  # Eg. pin "buffer", to: "https://ga.jspm.io/npm:@jspm/core@2.0.0-beta.19/nodelibs/browser/buffer.js"
  importmap.scan(/^pin .*(?<=npm:|npm\/|skypack\.dev\/|unpkg\.com\/)(.*)(?=@\d+\.\d+\.\d+)@(\d+\.\d+\.\d+(?:[^\/\s"]*)).*$/) |
    importmap.scan(/^pin "([^"]*)".* #.*@(\d+\.\d+\.\d+(?:[^\s]*)).*$/)
end

def post_json(uri, body)

def post_json(uri, body)
  Net::HTTP.post(uri, body.to_json, "Content-Type" => "application/json")
rescue => error
  raise HTTPError, "Unexpected transport error (#{error.class}: #{error.message})"
end

def vulnerable_packages

def vulnerable_packages
  get_audit.flat_map do |package, vulnerabilities|
    vulnerabilities.map do |vulnerability|
      VulnerablePackage.new(name: package,
                            severity: vulnerability['severity'],
                            vulnerable_versions: vulnerability['vulnerable_versions'],
                            vulnerability: vulnerability['title'])
    end
  end.sort_by { |p| [p.name, p.severity] }
end