From a7b14c4b2b83a926b195ae2c8458dd6b78a06e56 Mon Sep 17 00:00:00 2001
From: STEP35
Date: Sun, 26 Apr 2026 20:43:19 -0400
Subject: [PATCH 1/2] test push
---
 test_push_marker.txt | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test_push_marker.txt
diff --git a/test_push_marker.txt b/test_push_marker.txt
new file mode 100644
index 0000000..e69de29
From c04227b03b3ba30f9306ec9e17341b2c81594232 Mon Sep 17 00:00:00 2001
From: STEP35
Date: Sun, 26 Apr 2026 20:47:05 -0400
Subject: [PATCH 2/2] fix: handle package extras in requirements parsing
Fixed regex to correctly extract version spec when package includes extras like django[argon2]==4.2.0. The previous pattern consumed the version spec in the non-greedy .*? part when extras were present.
---
 scripts/vulnerability_scanner.py | 35 ++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/scripts/vulnerability_scanner.py b/scripts/vulnerability_scanner.py
index 189140c..6eb501e 100644
--- a/scripts/vulnerability_scanner.py
+++ b/scripts/vulnerability_scanner.py
@@ -120,25 +120,30 @@ def parse_requirements_file(path: str) -> Dict[str, str]:
 # Extract package name and version spec
 # Handles: pkg==1.2.3, pkg>=1.0, pkg[extra]==1.2.3, pkg ~= 1.0
- match = re.match(
- r'^([a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?)(\s*[[,{])?.*?((==|>=|<=|~=|!=|===)\s*([^\s;#]+))?',
- line
- )
- if not match:
- # Try simpler: name at start before any comparison
- simple = re.match(r'^([a-zA-Z0-9][-a-zA-Z0-9_.]*)', line)
- if simple:
- pkg = simple.group(1).lower()
- packages[pkg] = ""
+ # Strip inline comment first
+ line = line.split('#', 1)[0].strip()
+ if not line:
 return
- pkg_name = match.group(1).lower()
- # Strip extras like django[argon2] -> django
- pkg_name = re.sub(r'\[.*?\]', '', pkg_name).strip()
+ # Skip editable installs and other option lines
+ if line.startswith('-e ') or line.startswith('--editable ') or (line.startswith('-') and not re.match(r'^[a-zA-Z0-9]', line[1:])):
+ return
+ # Extract package name: leading identifier before any extras or version spec
+ pkg_match = re.match(r'^([a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?)', line)
+ if not pkg_match:
+ return
+ pkg_name = pkg_match.group(1).lower()
+
+ # Strip extras [extra] from remainder
+ remainder = line[pkg_match.end():]
+ remainder = re.sub(r'\[.*?\]', '', remainder)
+
+ # Extract version comparison
 version = ""
- if match.group(5): # comparison operator + version
- version = match.group(5) + match.group(6)
+ ver_match = re.search(r'(===|==|~=|>=|<=|!=)\s*([^\s;]+)', remainder)
+ if ver_match:
+ version = ver_match.group(1) + ver_match.group(2)
 packages[pkg_name] = version
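Review bot: The version token in the new `ver_match` pattern (`[^\s;]+`) runs up to the next whitespace, so a multi-constraint specifier such as `django>=4.2,<5.0` is stored as the version string `>=4.2,<5.0`, and bare `<`/`>` are missing from the operator alternation, so `pkg<2.0` is recorded with an empty version; for a vulnerability scanner both shapes let a downstream range check silently miss an affected release. Stopping the token at a comma and adding the bare operators (longest alternatives first) addresses both in one line, `ver_match = re.search(r'(===|==|~=|>=|<=|!=|<|>)\s*([^\s;,]+)', remainder)`, and a follow-up could iterate over the comma-separated constraints instead of keeping only the first. Separately, `line.split('#', 1)` treats every `#` as a comment start, whereas pip only does so when the `#` is preceded by whitespace, so a URL fragment such as `#egg=` in a direct reference would be truncated; `line = re.split(r'(?:^|\s)#', line, 1)[0].strip()` follows pip's rule. The second clause of the option-line guard (`line.startswith('-') and not re.match(...)`) is unreachable in effect, because `pkg_match` already returns for any line starting with `-`, so the guard could be reduced to the `-e`/`--editable` cases or dropped with a comment. The enclosing function `parse_requirements_file` starts before this hunk, and the hunk's trailing context appears to have been collapsed, so its body may continue past what is shown.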