{
"schema_version": "javascript_package_inventory_v1",
"generated_at": "2026-06-04T19:13:23+08:00",
"program_status": {
"overall_completion_percent": 95,
"current_priority": "P1",
"current_task_id": "P1-202",
"next_task_id": "P1-203",
"read_only_mode": true
},
"source_refs": [
"package.json",
"pnpm-workspace.yaml",
"pnpm-lock.yaml",
"apps/web/package.json",
"packages/lewooogo-core/package.json",
"packages/shared-types/package.json",
"packages/eslint-config/package.json",
"packages/tsconfig/package.json"
],
"lockfile_summary": {
"lockfile_ref": "pnpm-lock.yaml",
"lockfile_version": "9.0",
"importer_count": 6,
"package_entry_count": 986,
"snapshot_entry_count": 986,
"settings": {
"autoInstallPeers": true,
"excludeLinksFromLockfile": false
},
"status": "in_sync",
"write_allowed": false
},
"rollups": {
"total_workspaces": 6,
"total_direct_dependencies": 51,
"production_dependency_count": 20,
"dev_dependency_count": 31,
"workspace_dependency_count": 6,
"external_dependency_count": 45,
"caret_specifier_count": 44,
"exact_specifier_count": 1,
"tilde_specifier_count": 0,
"manifest_lock_mismatch_count": 0,
"missing_in_lockfile_count": 0,
"extra_in_lockfile_count": 0,
"by_status": {
"ready": 4,
"action_required": 2,
"planned_next": 0
},
"action_required_workspace_ids": [
"apps_web",
"shared_types"
],
"planned_next_workspace_ids": []
},
"workspaces": [
{
"workspace_id": "root_workspace",
"display_name": "Root pnpm workspace",
"manifest_ref": "package.json",
"lockfile_importer": ".",
"status": "ready",
"risk_level": "medium",
"private_package": true,
"package_manager": "pnpm@9.0.0",
"dependency_counts": {
"dependencies": 0,
"devDependencies": 5,
"peerDependencies": 0,
"optionalDependencies": 0,
"total": 5
},
"specifier_counts": {
"workspace": 0,
"caret": 5,
"exact": 0,
"tilde": 0,
"other": 0
},
"workspace_dependency_names": [],
"evidence_refs": ["package.json", "pnpm-lock.yaml"],
"next_action": "P1-204 定義 caret range 與 toolchain 版本漂移政策;不得直接升級。"
},
{
"workspace_id": "apps_web",
"display_name": "@awoooi/web",
"manifest_ref": "apps/web/package.json",
"lockfile_importer": "apps/web",
"status": "action_required",
"risk_level": "high",
"private_package": true,
"package_manager": null,
"dependency_counts": {
"dependencies": 19,
"devDependencies": 14,
"peerDependencies": 0,
"optionalDependencies": 0,
"total": 33
},
"specifier_counts": {
"workspace": 4,
"caret": 28,
"exact": 1,
"tilde": 0,
"other": 0
},
"workspace_dependency_names": [
"@awoooi/lewooogo-core",
"@awoooi/shared-types",
"@awoooi/eslint-config",
"@awoooi/tsconfig"
],
"evidence_refs": ["apps/web/package.json", "pnpm-lock.yaml"],
"next_action": "P1-204 定義 Next / React / Sentry / Playwright 等高影響套件的 drift、CVE、license 嚴重度;不得直接改 lockfile。"
},
{
"workspace_id": "lewooogo_core",
"display_name": "@awoooi/lewooogo-core",
"manifest_ref": "packages/lewooogo-core/package.json",
"lockfile_importer": "packages/lewooogo-core",
"status": "ready",
"risk_level": "medium",
"private_package": true,
"package_manager": null,
"dependency_counts": {
"dependencies": 1,
"devDependencies": 4,
"peerDependencies": 0,
"optionalDependencies": 0,
"total": 5
},
"specifier_counts": {
"workspace": 2,
"caret": 3,
"exact": 0,
"tilde": 0,
"other": 0
},
"workspace_dependency_names": [
"@awoooi/eslint-config",
"@awoooi/tsconfig"
],
"evidence_refs": ["packages/lewooogo-core/package.json", "pnpm-lock.yaml"],
"next_action": "P1-204 納入 workspace package dependency policy。"
},
{
"workspace_id": "shared_types",
"display_name": "@awoooi/shared-types",
"manifest_ref": "packages/shared-types/package.json",
"lockfile_importer": "packages/shared-types",
"status": "action_required",
"risk_level": "medium",
"private_package": null,
"package_manager": null,
"dependency_counts": {
"dependencies": 0,
"devDependencies": 2,
"peerDependencies": 0,
"optionalDependencies": 0,
"total": 2
},
"specifier_counts": {
"workspace": 0,
"caret": 2,
"exact": 0,
"tilde": 0,
"other": 0
},
"workspace_dependency_names": [],
"evidence_refs": ["packages/shared-types/package.json", "pnpm-lock.yaml"],
"next_action": "P1-204 決定 shared-types 是否必須 private 或保留 publishConfig;不得自動 publish。"
},
{
"workspace_id": "eslint_config",
"display_name": "@awoooi/eslint-config",
"manifest_ref": "packages/eslint-config/package.json",
"lockfile_importer": "packages/eslint-config",
"status": "ready",
"risk_level": "medium",
"private_package": true,
"package_manager": null,
"dependency_counts": {
"dependencies": 0,
"devDependencies": 6,
"peerDependencies": 0,
"optionalDependencies": 0,
"total": 6
},
"specifier_counts": {
"workspace": 0,
"caret": 6,
"exact": 0,
"tilde": 0,
"other": 0
},
"workspace_dependency_names": [],
"evidence_refs": ["packages/eslint-config/package.json", "pnpm-lock.yaml"],
"next_action": "P1-204 納入 lint toolchain drift policy。"
},
{
"workspace_id": "tsconfig",
"display_name": "@awoooi/tsconfig",
"manifest_ref": "packages/tsconfig/package.json",
"lockfile_importer": "packages/tsconfig",
"status": "ready",
"risk_level": "low",
"private_package": true,
"package_manager": null,
"dependency_counts": {
"dependencies": 0,
"devDependencies": 0,
"peerDependencies": 0,
"optionalDependencies": 0,
"total": 0
},
"specifier_counts": {
"workspace": 0,
"caret": 0,
"exact": 0,
"tilde": 0,
"other": 0
},
"workspace_dependency_names": [],
"evidence_refs": ["packages/tsconfig/package.json", "pnpm-lock.yaml"],
"next_action": "維持只讀觀察。"
}
],
"lockfile_drift": {
"status": "in_sync",
"missing_in_lockfile": [],
"specifier_mismatches": [],
"extra_in_lockfile": []
},
"drift_findings": [
{
"finding_id": "manifest_lockfile_in_sync",
"severity": "low",
"status": "accepted",
"summary": "6 個 workspace importer 的 manifest specifier 與 pnpm-lock.yaml importer specifier 一致;本輪未發現 missing、mismatch 或 extra dependency。",
"evidence_refs": ["package.json", "apps/web/package.json", "pnpm-lock.yaml"],
"next_action": "維持只讀監控;後續若批准外部 registry / audit 才能補 CVE 與 version freshness。"
},
{
"finding_id": "apps_web_caret_range_exposure",
"severity": "medium",
"status": "action_required",
"summary": "@awoooi/web 有 33 條 direct dependencies,其中 28 條使用 caret range;lockfile 目前固定解析結果,但升級政策與高影響套件漂移門檻尚未定義。",
"evidence_refs": ["apps/web/package.json", "pnpm-lock.yaml"],
"next_action": "P1-204 定義 Next / React / Sentry / Playwright / visualization dependencies 的 drift、CVE、license 嚴重度。"
},
{
"finding_id": "shared_types_publish_boundary_unclear",
"severity": "medium",
"status": "action_required",
"summary": "@awoooi/shared-types 未標記 private=true,且含 publishConfig access=public;需確認這是刻意的 publish contract 或應改為 private。",
"evidence_refs": ["packages/shared-types/package.json"],
"next_action": "P1-204 產生 publish boundary 批准包;不得自動 publish 或改 package metadata。"
},
{
"finding_id": "external_cve_lookup_not_run",
"severity": "medium",
"status": "planned_next",
"summary": "本輪未呼叫 npm registry、npm audit、GitHub advisory 或其他外部 CVE / license 來源;只建立 repo 內事實基線。",
"evidence_refs": ["docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"],
"next_action": "P1-204 先定義資料來源、費用、速率與批准邊界,再決定是否接外部掃描。"
}
],
"operation_boundaries": {
"read_only_api_allowed": true,
"package_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"external_cve_lookup_allowed": false,
"npm_audit_allowed": false,
"pnpm_install_allowed": false,
"production_routing_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}