@contrast/cli 1.53.0 → 1.55.0

package/bin/config-diagnostics.mjs

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+import { program } from 'commander';
+import path from 'node:path';
+import { action, version } from '../lib/config-diagnostics.mjs';
+
+program
+  .name('config-diagnostics')
+  .version(version)
+  .description('The config-diagnostics utility returns the current effective node agent configuration.')
+  .argument('<entrypoint>', 'The entrypoint JavaScript or ESM file for the application')
+  .option('-q, --quiet', 'suppress logging to stdout')
+  .option('-o, --output <string>', 'output directory for generated JSON file', path.join(process.cwd(), 'contrast_effective_config.json'))
+  .action(action)
+  .parse(process.argv);

package/bin/rewrite.mjs

@@ -0,0 +1,29 @@
+#!/usr/bin/env node --experimental-import-meta-resolve
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+import { program } from 'commander';
+import path from 'node:path';
+import { action, version } from '../lib/rewrite.mjs';
+
+program
+  .name('npx -p @contrast/cli rewrite')
+  .version(version)
+  .description('Rewrites application files, caching them so that rewriting does not need to occur when the application runs.')
+  .argument('<entrypoint>', 'The entrypoint for the application', entrypoint => path.resolve(entrypoint))
+  .option('-a, --assess', 'rewrite in assess mode')
+  .option('-p, --protect', 'rewrite in protect mode')
+  .action(action)
+  .parse(process.argv);

package/bin/system-diagnostics.mjs

@@ -0,0 +1,28 @@
+#!/usr/bin/env node
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+import { program } from 'commander';
+import path from 'node:path';
+import { action, version } from '../lib/system-diagnostics.mjs';
+
+program
+  .name('system-diagnostics')
+  .version(version)
+  .description('The system-diagnostics utility returns the system info for the server/container the agent is running on.')
+  .option('-q, --quiet', 'suppress logging to stdout')
+  .option('-o, --output <string>', 'output directory for generated JSON file', path.join(process.cwd(), 'contrast_system_info.json'))
+  .action(action)
+  .parse(process.argv);

package/lib/{config-diagnostics.js → config-diagnostics.mjs}

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 /*
  * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
@@ -13,36 +12,34 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-'use strict';
 
-const commander = require('commander');
-const fs = require('fs');
-const { EOL } = require('os');
-const path = require('path');
-const { name: agentName, version: agentVersion } = require('../package.json');
-const { primordials: { JSONStringify } } = require('@contrast/common');
+import { primordials } from '@contrast/common';
+import configInit from '@contrast/config';
+import appInfoInit from '@contrast/core/lib/app-info.js';
+import coreMessagesInit from '@contrast/core/lib/messages.js';
+import reporterInit from '@contrast/reporter';
+import scopesInit from '@contrast/scopes';
+import loggerInit from '@contrast/logger';
+import Perf from '@contrast/perf';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { EOL } from 'node:os';
 
-if (require.main === module) {
-  commander.program
-    .name('config-diagnostics')
-    .description('The config-diagnostics utility returns the current effective node agent configuration.')
-    .argument('<entrypoint>', 'The entrypoint JavaScript or ESM file for the application')
-    .option('-q, --quiet', 'suppress logging to stdout')
-    .option('-o, --output <string>', 'output directory for generated JSON file', path.join(process.cwd(), 'contrast_effective_config.json'))
-    .action(action)
-    .parse();
-}
+const { JSONStringify } = primordials;
+const packageJson = JSON.parse(readFileSync(new URL('../package.json', import.meta.url)));
+const { name: agentName, version: agentVersion } = packageJson;
+
+export { agentVersion as version };
 
-async function action(entrypoint, options) {
-  const core = { agentName, agentVersion, Perf: require('@contrast/perf') };
-  require('@contrast/core/lib/messages')(core);
-  require('@contrast/config')(core);
-  require('@contrast/logger').default(core);
-  require('@contrast/core/lib/app-info')(core);
+export async function action(entrypoint, options) {
+  const core = { agentName, agentVersion, Perf };
+  coreMessagesInit(core);
+  configInit(core);
+  loggerInit.default(core);
+  appInfoInit(core);
   if (core.appInfo._errors?.length) throw core.appInfo._errors[0];
 
-  require('@contrast/scopes')(core);
-  require('@contrast/reporter').default(core, { reporters: ['ui'] });
+  scopesInit(core);
+  reporterInit.default(core, { reporters: ['ui'] });
 
   for (const err of core.config._errors) {
     throw err;
@@ -62,11 +59,9 @@ async function action(entrypoint, options) {
   const content = JSONStringify({ ...core.config.getReport({ redact: true }), Status }, null, 2) + EOL;
 
   if (!options.quiet) {
-    fs.writeFileSync(1, content, 'utf8');
+    writeFileSync(process.stdout.fd, content, 'utf8');
   }
   if (options.output) {
-    fs.writeFileSync(options.output, content, 'utf-8');
+    writeFileSync(options.output, content, 'utf-8');
   }
 }
-
-module.exports.action = action;

package/lib/{rewrite.js → rewrite.mjs}

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 /*
  * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
@@ -14,38 +13,45 @@
  * way not consistent with the End User License Agreement.
  */
 // @ts-check
-'use strict';
-
-const { readFile } = require('node:fs/promises');
-const { createRequire } = require('node:module');
-const path = require('node:path');
-const { program } = require('commander');
-const swc = require('@swc/core');
-const { Visitor } = require('@swc/core/Visitor');
-const { primordials: { RegExpPrototypeTest, JSONParse } } = require('@contrast/common');
-const { findPackageJson } = require('@contrast/find-package-json');
-const { rewriteIsDeadzoned } = require('@contrast/rewriter/lib/rewrite-is-deadzoned');
-const { version } = require('../package.json');
-
+import { primordials } from '@contrast/common';
+import configInit from '@contrast/config';
+import appInfoInit from '@contrast/core/lib/app-info.js';
+import coreMessagesInit from '@contrast/core/lib/messages.js';
+import { findPackageJson } from '@contrast/find-package-json';
+import loggerInit from '@contrast/logger';
+import Perf from '@contrast/perf';
+import rewriterInit from '@contrast/rewriter';
+import { rewriteIsDeadzoned } from '@contrast/rewriter/lib/rewrite-is-deadzoned.js';
+import swc from '@swc/core';
+import { Visitor } from '@swc/core/Visitor.js';
+import { readFile } from 'node:fs/promises';
+import { createRequire } from 'node:module';
+import path from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+const { RegExpPrototypeTest, JSONParse } = primordials;
 const JS_FILE_REGEX = /\.[cm]?js$/;
 
-/** @type {any} */
-const core = { Perf: require('@contrast/perf') };
-require('@contrast/core/lib/messages')(core);
-const config = require('@contrast/config')(core);
-if (core.config._errors?.length) throw core.config._errors[0];
+const packageJson = JSON.parse((await readFile(new URL('../package.json', import.meta.url))).toString());
+const { name: agentName, version: agentVersion } = packageJson;
 
-const logger = require('@contrast/logger').default(core, { name: 'contrast:rewriter:cli' });
+/** @type {any} */
+const core = { agentName, agentVersion, Perf };
+coreMessagesInit(core);
+const config = configInit(core);
+if (config._errors?.length) throw config._errors[0];
+// @ts-expect-error ESM interop doesn't handle this `default` very well.
+const logger = loggerInit.default(core, { name: 'contrast:rewriter:cli' });
 
 if (!config.agent.node.rewrite.enable || !config.agent.node.rewrite.cache.enable) {
   logger.warn({ 'config.agent.node.rewrite': config.agent.node.rewrite }, 'rewriter config');
   throw new Error('Rewriting disabled.');
 }
 
-const appInfo = require('@contrast/core/lib/app-info')(core);
+const appInfo = appInfoInit(core);
 if (appInfo._errors?.length) throw appInfo._errors[0];
 
-const rewriter = require('@contrast/rewriter')(core);
+const rewriter = rewriterInit(core);
 
 /**
  * Keeps track of visited files so we don't bother rewriting multiple times.
@@ -83,27 +89,23 @@ class RewriteVisitor extends Visitor {
   constructor(filename) {
     super();
     visited.add(filename);
-
-    /**
-     * Create a local `require` function so we can resolve relative filenames.
-     * @type {NodeRequire}
-     */
+    this.parentUrl = pathToFileURL(filename);
     this.require = createRequire(filename);
   }
 
   /**
-   * Visit the String Literal argument of either `import` or `require`, trying
-   * to rewrite the arg if it's a valid (i.e., absolute) path.
-   * @param {swc.StringLiteral} n
+   * Visit the argument of an import declaration or `import()` function to
+   * rewrite the arg if it's a valid (i.e., absolute) path.
+   * @param {string} source
    */
-  visitImportOrRequireString(n) {
+  visitImportSource(source) {
     try {
-      const filename = this.require.resolve(n.value);
+      const filename = fileURLToPath(import.meta.resolve(source, this.parentUrl));
       if (path.isAbsolute(filename)) {
         rewriteFile(filename);
       }
     } catch (err) {
-      logger.debug({ n, err }, 'unable to resolve %s', n.value);
+      logger.error({ err }, 'unable to resolve %s', source);
     }
   }
 
@@ -113,20 +115,41 @@ class RewriteVisitor extends Visitor {
    * @param {swc.ImportDeclaration} n
    */
   visitImportDeclaration(n) {
-    this.visitImportOrRequireString(n.source);
+    this.visitImportSource(n.source.value);
     return super.visitImportDeclaration(n);
   }
 
+  /**
+   * Visit the argument of a `require()` call to rewrite the arg if it's a valid
+   * (i.e., absolute) path.
+   * @param {string} arg
+   */
+  visitRequireArg(arg) {
+    try {
+      const filename = this.require.resolve(arg);
+      if (path.isAbsolute(filename)) {
+        rewriteFile(filename);
+      }
+    } catch (err) {
+      logger.error({ err }, 'unable to resolve %s', arg);
+    }
+  }
+
   /**
    * Visits `import(...)` or `require(...)` call expressions, recursively
    * rewriting the resolved path of the first argument if it's a string literal.
    * @param {swc.CallExpression} n
    */
   visitCallExpression(n) {
-    if (n.callee.type === 'Import' || (n.callee.type === 'Identifier' && n.callee.value === 'require')) {
+    if (n.callee.type === 'Import') {
       const { expression } = n.arguments[0];
       if (expression.type === 'StringLiteral') {
-        this.visitImportOrRequireString(expression);
+        this.visitImportSource(expression.value);
+      }
+    } else if (n.callee.type === 'Identifier' && n.callee.value === 'require') {
+      const { expression } = n.arguments[0];
+      if (expression.type === 'StringLiteral') {
+        this.visitRequireArg(expression.value);
       }
     }
 
@@ -135,12 +158,17 @@ class RewriteVisitor extends Visitor {
 }
 
 /** @param {string} filename */
-async function rewriteFile(filename) {
-  if (
+function shouldSkipFile(filename) {
+  return (
     !RegExpPrototypeTest.call(JS_FILE_REGEX, filename) ||
     visited.has(filename) ||
-    rewriteIsDeadzoned(filename)
-  ) return;
+    !!rewriteIsDeadzoned(filename)
+  );
+}
+
+/** @param {string} filename */
+async function rewriteFile(filename) {
+  if (shouldSkipFile(filename)) return;
 
   try {
     const content = (await readFile(filename)).toString();
@@ -156,24 +184,24 @@ async function rewriteFile(filename) {
     rewriter.cache.write(filename, result);
 
     /** @type {swc.Module | swc.Script} */
-    const program = await swc.parse(content, {
-      // @ts-expect-error swc types expect a literal, not an arbitrary boolean.
-      isModule
-    });
+    // @ts-expect-error SWC types expect `isModule` to be a `false` literal.
+    const program = await swc.parse(content, { isModule });
     const visitor = new RewriteVisitor(filename);
     visitor.visitProgram(program);
   } catch (err) {
-    logger.debug({ err }, 'unable to parse or rewrite %s', filename);
+    logger.error({ err }, 'unable to parse or rewrite %s', filename);
   }
 }
 
+export { agentVersion as version };
+
 /**
  * @param {string} filename
  * @param {object} opts
  * @param {boolean=} opts.assess
  * @param {boolean=} opts.protect
  */
-async function action(filename, opts) {
+export async function action(filename, opts) {
   if (!opts.protect && (config.assess.enable || opts.assess)) {
     rewriter.install('assess');
   } else {
@@ -182,25 +210,8 @@ async function action(filename, opts) {
 
   logger.info(
     'Caching rewriter results to %s',
-    path.join(
-      rewriter.cache.cacheDir,
-      rewriter.modes.has('assess') ? 'assess' : 'protect'
-    ),
+    path.join(rewriter.cache.cacheDir, rewriter.modes.has('assess') ? 'assess' : 'protect'),
   );
   logger.debug({ config }, 'Agent configuration');
   return rewriteFile(filename);
 }
-
-if (require.main === module) {
-  program
-    .name('npx -p @contrast/cli rewrite')
-    .version(version)
-    .description('Rewrites application files, caching them so that rewriting does not need to occur when the application runs.')
-    .argument('<entrypoint>', 'The entrypoint for the application', entrypoint => path.resolve(entrypoint))
-    .option('-a, --assess', 'rewrite in assess mode')
-    .option('-p, --protect', 'rewrite in protect mode')
-    .action(action)
-    .parse(process.argv);
-}
-
-module.exports.action = action;

package/lib/system-diagnostics.mjs

@@ -0,0 +1,51 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+import { primordials } from '@contrast/common';
+import configInit from '@contrast/config';
+import appInfoInit from '@contrast/core/lib/app-info.js';
+import systemInfoInit from '@contrast/core/lib/system-info/index.js';
+import loggerInit from '@contrast/logger';
+import Perf from '@contrast/perf';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { EOL } from 'node:os';
+
+const { JSONStringify } = primordials;
+const packageJson = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8'));
+const { name: agentName, version: agentVersion } = packageJson;
+
+export { agentVersion as version };
+
+export async function action(options) {
+  const core = { agentName, agentVersion, Perf };
+  configInit(core);
+  loggerInit.default(core, { level: 'silent' });
+  appInfoInit(core);
+  systemInfoInit(core);
+
+  for (const err of core.config._errors) {
+    throw err;
+  }
+
+  const systemInfo = await core.getSystemInfo();
+  const content = JSONStringify(systemInfo, null, 2) + EOL;
+
+  if (!options.quiet) {
+    writeFileSync(process.stdout.fd, content, 'utf8');
+  }
+  if (options.output) {
+    writeFileSync(options.output, content, 'utf-8');
+  }
+}

package/package.json

@@ -1,38 +1,40 @@
 {
   "name": "@contrast/cli",
-  "version": "1.53.0",
+  "version": "1.55.0",
+  "type": "module",
   "description": "A collection of agent related CLI utilities",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "files": [
+    "bin/",
     "lib/",
     "!*.test.*",
     "!tsconfig.*",
     "!*.map"
   ],
   "bin": {
-    "config-diagnostics": "lib/config-diagnostics.js",
-    "rewrite": "lib/rewrite.js",
-    "system-diagnostics": "lib/system-diagnostics.js"
+    "config-diagnostics": "bin/config-diagnostics.mjs",
+    "rewrite": "bin/rewrite.mjs",
+    "system-diagnostics": "bin/system-diagnostics.mjs"
   },
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/rewriter": "1.31.0",
-    "@contrast/common": "1.35.0",
-    "@contrast/config": "1.50.0",
-    "@contrast/core": "1.55.0",
-    "@contrast/logger": "1.28.0",
-    "@contrast/perf": "1.3.1",
-    "@contrast/reporter": "1.53.0",
-    "@contrast/scopes": "1.25.0",
-    "@swc/core": "1.11.24",
+    "@contrast/rewriter": "1.33.0",
+    "@contrast/common": "1.37.0",
+    "@contrast/config": "1.52.0",
+    "@contrast/core": "1.57.0",
+    "@contrast/logger": "1.30.0",
+    "@contrast/perf": "1.4.0",
+    "@contrast/reporter": "1.55.0",
+    "@contrast/scopes": "1.27.0",
+    "@swc/core": "1.13.3",
     "commander": "^9.4.1"
   }
 }

package/lib/system-diagnostics.js

@@ -1,57 +0,0 @@
-#!/usr/bin/env node
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-
-const commander = require('commander');
-const fs = require('fs');
-const { EOL } = require('os');
-const path = require('path');
-const { name: agentName, version: agentVersion } = require('../package.json');
-const { primordials: { JSONStringify } } = require('@contrast/common');
-
-if (require.main === module) {
-  commander.program
-    .name('system-diagnostics')
-    .description('The system-diagnostics utility returns the system info for the server/container the agent is running on.')
-    .option('-q, --quiet', 'suppress logging to stdout')
-    .option('-o, --output <string>', 'output directory for generated JSON file', path.join(process.cwd(), 'contrast_system_info.json'))
-    .action(action)
-    .parse();
-}
-
-async function action(options) {
-  const core = { agentName, agentVersion, Perf: require('@contrast/perf') };
-  require('@contrast/config')(core);
-  require('@contrast/logger').default(core, { level: 'silent' });
-  require('@contrast/core/lib/app-info')(core);
-  require('@contrast/core/lib/system-info')(core);
-
-  for (const err of core.config._errors) {
-    throw err;
-  }
-
-  const systemInfo = await core.getSystemInfo();
-  const content = JSONStringify(systemInfo, null, 2) + EOL;
-
-  if (!options.quiet) {
-    fs.writeFileSync(1, content, 'utf8');
-  }
-  if (options.output) {
-    fs.writeFileSync(options.output, content, 'utf-8');
-  }
-}
-
-module.exports.action = action;