name: Dependency Review

on:
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    runs-on: self-hosted
    name: Review Dependencies
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        
      - name: Setup Node.js
        run: |
          node --version
          npm --version
          
      - name: Check for major version changes
        run: |
          echo "Checking for major dependency updates..."
          git fetch origin main
          
          # Get the package.json from main branch
          git show origin/main:package.json > package-main.json
          
          # Compare dependencies
          node -e "
          const fs = require('fs');
          const mainPkg = JSON.parse(fs.readFileSync('package-main.json', 'utf8'));
          const currentPkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
          
          function compareDeps(mainDeps = {}, currentDeps = {}, type) {
            console.log(\`\\nChecking \${type}:\`);
            let hasChanges = false;
            
            for (const [pkg, currentVer] of Object.entries(currentDeps)) {
              const mainVer = mainDeps[pkg];
              if (!mainVer) {
                console.log(\`  ✅ Added: \${pkg}@\${currentVer}\`);
                hasChanges = true;
              } else if (mainVer !== currentVer) {
                const mainMajor = mainVer.match(/\\d+/)?.[0];
                const currentMajor = currentVer.match(/\\d+/)?.[0];
                
                if (mainMajor && currentMajor && mainMajor !== currentMajor) {
                  console.log(\`  ⚠️  Major update: \${pkg} \${mainVer} → \${currentVer}\`);
                } else {
                  console.log(\`  📦 Updated: \${pkg} \${mainVer} → \${currentVer}\`);
                }
                hasChanges = true;
              }
            }
            
            for (const [pkg, mainVer] of Object.entries(mainDeps)) {
              if (!currentDeps[pkg]) {
                console.log(\`  ❌ Removed: \${pkg}@\${mainVer}\`);
                hasChanges = true;
              }
            }
            
            if (!hasChanges) {
              console.log(\`  No changes\`);
            }
          }
          
          compareDeps(mainPkg.dependencies, currentPkg.dependencies, 'dependencies');
          compareDeps(mainPkg.devDependencies, currentPkg.devDependencies, 'devDependencies');
          "
          
      - name: Check for security advisories
        run: |
          npm audit --json > audit.json || true
          node -e "
          const audit = JSON.parse(require('fs').readFileSync('audit.json', 'utf8'));
          const vulns = audit.metadata?.vulnerabilities || {};
          
          console.log('\\nSecurity Audit Summary:');
          console.log('  Critical:', vulns.critical || 0);
          console.log('  High:', vulns.high || 0);
          console.log('  Moderate:', vulns.moderate || 0);
          console.log('  Low:', vulns.low || 0);
          
          if (vulns.critical > 0 || vulns.high > 0) {
            console.error('\\n❌ Found critical or high severity vulnerabilities!');
            process.exit(1);
          }
          "
          
      - name: Check bundle size impact
        run: |
          echo "Analyzing bundle size impact..."
          
          # Install dependencies from main
          git show origin/main:package-lock.json > package-lock-main.json
          npm ci --package-lock-only --package-lock=package-lock-main.json
          npm run build:frontend || true
          du -sh public/dist > size-main.txt
          
          # Install current dependencies
          npm ci
          npm run build:frontend
          du -sh public/dist > size-current.txt
          
          echo "Bundle size comparison:"
          echo "Main branch: $(cat size-main.txt)"
          echo "This branch: $(cat size-current.txt)"