@openrewrite/recipes-nodejs 0.37.0-20260104-170507 → 0.37.0-20260106-083133

package/src/security/index.ts

@@ -6,3 +6,4 @@
 
 export * from "./vulnerability";
 export * from "./dependency-vulnerability-check";
+export * from "./remove-redundant-overrides";

package/src/security/npm-utils.ts

@@ -0,0 +1,414 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+
+import {PackageManager, runInstallInTempDir} from "@openrewrite/rewrite/javascript";
+import * as semver from "semver";
+import {spawnSync, SpawnSyncReturns} from "child_process";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+/**
+ * Runs an npm command with optional .npmrc configuration.
+ * Writes a temp .npmrc file and uses --userconfig flag when config is provided.
+ *
+ * Note: Auth tokens cannot be passed via npm_config_* environment variables due to
+ * npm's underscore-to-dash conversion bug. See: https://github.com/npm/config/issues/64
+ */
+function runNpmWithConfig(
+    args: string[],
+    configFiles?: Record<string, string>,
+    options?: { timeout?: number }
+): SpawnSyncReturns<string> {
+    const timeout = options?.timeout ?? 30000;
+    let tempConfigPath: string | undefined;
+
+    try {
+        const npmrcContent = configFiles?.['.npmrc'];
+        if (npmrcContent) {
+            tempConfigPath = path.join(os.tmpdir(), `npmrc-${process.pid}-${Date.now()}`);
+            fs.writeFileSync(tempConfigPath, npmrcContent);
+            args = [...args, `--userconfig=${tempConfigPath}`];
+        }
+
+        return spawnSync('npm', args, {
+            encoding: 'utf-8',
+            timeout,
+            stdio: ['pipe', 'pipe', 'pipe']
+        });
+    } finally {
+        if (tempConfigPath) {
+            try {
+                fs.unlinkSync(tempConfigPath);
+            } catch {
+                // Ignore cleanup errors
+            }
+        }
+    }
+}
+
+/**
+ * Response from npm registry for a package.
+ */
+export interface NpmPackageInfo {
+    name: string;
+    versions: Record<string, {
+        version: string;
+        dependencies?: Record<string, string>;
+    }>;
+    'dist-tags': Record<string, string>;
+}
+
+/**
+ * Fetches package information using `npm view` command.
+ * This leverages npm's local cache and respects .npmrc settings.
+ *
+ * @param packageName The package name to fetch info for
+ * @param configFiles Optional config files (e.g., {'.npmrc': '...'}) for registry/auth settings
+ */
+export async function fetchNpmPackageInfo(
+    packageName: string,
+    configFiles?: Record<string, string>
+): Promise<NpmPackageInfo | undefined> {
+    try {
+        const result = runNpmWithConfig(
+            ['view', packageName, '--json', '--prefer-offline'],
+            configFiles
+        );
+
+        if (result.error || result.status !== 0) {
+            return undefined;
+        }
+
+        const data = JSON.parse(result.stdout);
+
+        // npm view returns different structures depending on the package
+        // For a single version it returns the version object directly
+        // For multiple versions (when using package name without version), it returns full info
+        if (data.versions) {
+            return data as NpmPackageInfo;
+        }
+
+        // If we got a single version object, we need to fetch all versions
+        const versionsResult = runNpmWithConfig(
+            ['view', packageName, 'versions', '--json', '--prefer-offline'],
+            configFiles
+        );
+
+        if (versionsResult.error || versionsResult.status !== 0) {
+            return undefined;
+        }
+
+        const versions = JSON.parse(versionsResult.stdout);
+        const versionMap: Record<string, { version: string }> = {};
+
+        if (Array.isArray(versions)) {
+            for (const v of versions) {
+                versionMap[v] = { version: v };
+            }
+        }
+
+        return {
+            name: packageName,
+            versions: versionMap,
+            'dist-tags': data['dist-tags'] || {}
+        };
+    } catch {
+        return undefined;
+    }
+}
+
+/**
+ * Gets available versions of a package using npm's cache, sorted by semver descending.
+ *
+ * @param packageName The package name to get versions for
+ * @param configFiles Optional config files (e.g., {'.npmrc': '...'}) for registry/auth settings
+ */
+export async function getAvailableVersions(
+    packageName: string,
+    configFiles?: Record<string, string>
+): Promise<string[]> {
+    try {
+        // Use npm view versions which leverages npm's cache
+        const result = runNpmWithConfig(
+            ['view', packageName, 'versions', '--json', '--prefer-offline'],
+            configFiles
+        );
+
+        if (result.error || result.status !== 0) {
+            return [];
+        }
+
+        const versions = JSON.parse(result.stdout);
+
+        if (!Array.isArray(versions)) {
+            // Single version returned as string
+            return typeof versions === 'string' ? [versions] : [];
+        }
+
+        // Sort by semver descending (newest first), excluding prereleases
+        return versions
+            .filter((v: string) => !v.includes('-'))
+            .sort((a: string, b: string) => semver.rcompare(a, b));
+    } catch {
+        return [];
+    }
+}
+
+/**
+ * Extracts the resolved version of a package from a lock file content.
+ */
+export function extractVersionFromLockFile(
+    lockFileContent: string,
+    packageName: string,
+    pm: PackageManager
+): string | undefined {
+    try {
+        switch (pm) {
+            case PackageManager.Npm: {
+                const lockJson = JSON.parse(lockFileContent);
+                // npm v2+ format
+                if (lockJson.packages) {
+                    for (const [key, value] of Object.entries(lockJson.packages)) {
+                        if (key.endsWith(`node_modules/${packageName}`) || key === `node_modules/${packageName}`) {
+                            return (value as any).version;
+                        }
+                    }
+                }
+                // npm v1 format
+                if (lockJson.dependencies?.[packageName]) {
+                    return lockJson.dependencies[packageName].version;
+                }
+                return undefined;
+            }
+
+            case PackageManager.Pnpm: {
+                // Simple regex extraction for pnpm-lock.yaml
+                const regex = new RegExp(`['"]?${escapeRegExp(packageName)}@([\\d.]+)['"]?:`, 'g');
+                const matches: string[] = [];
+                let match;
+                while ((match = regex.exec(lockFileContent)) !== null) {
+                    matches.push(match[1]);
+                }
+                // Return highest version found
+                return matches.sort((a, b) => semver.rcompare(a, b))[0];
+            }
+
+            case PackageManager.YarnClassic:
+            case PackageManager.YarnBerry: {
+                const regex = new RegExp(`"?${escapeRegExp(packageName)}@[^":\\n]+[":]*\\s*\\n\\s*version:?\\s*"?([^"\\n]+)"?`, 'g');
+                const match = regex.exec(lockFileContent);
+                return match?.[1]?.trim();
+            }
+
+            case PackageManager.Bun: {
+                const lockJson = JSON.parse(lockFileContent);
+                if (lockJson.packages) {
+                    for (const [key, value] of Object.entries(lockJson.packages)) {
+                        if (key === packageName || key.endsWith(`/${packageName}`)) {
+                            if (Array.isArray(value) && value[0]) {
+                                return String(value[0]);
+                            }
+                        }
+                    }
+                }
+                return undefined;
+            }
+
+            default:
+                return undefined;
+        }
+    } catch {
+        return undefined;
+    }
+}
+
+/**
+ * Escapes special regex characters in a string.
+ */
+function escapeRegExp(str: string): string {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/**
+ * Result of checking if a direct dependency upgrade fixes a transitive vulnerability.
+ */
+export interface DirectUpgradeCheckResult {
+    /** Whether upgrading the direct dependency fixes the transitive vulnerability */
+    fixed: boolean;
+    /** The version of the direct dependency that was tested */
+    directDepVersion: string;
+    /** The resolved version of the transitive after upgrade (if found) */
+    transitiveVersion?: string;
+}
+
+/**
+ * Dependency scope type.
+ */
+export type DependencyScope = 'dependencies' | 'devDependencies' | 'peerDependencies' | 'optionalDependencies';
+
+/**
+ * Checks if upgrading a direct dependency to a specific version fixes a transitive vulnerability.
+ * Does this by running npm install in a temp directory and checking the resolved transitive version.
+ *
+ * @param pm The package manager to use
+ * @param directDepName The direct dependency to upgrade
+ * @param directDepVersion The version to upgrade to
+ * @param transitiveDepName The transitive dependency that has a vulnerability
+ * @param isVulnerable Function that checks if a version is vulnerable
+ * @param originalPackageJson The original package.json content
+ * @param scope The dependency scope of the direct dependency
+ * @param configFiles Optional config files (e.g., .npmrc)
+ * @returns Result indicating if the upgrade fixes the vulnerability
+ */
+export async function checkDirectUpgradeFixesTransitive(
+    pm: PackageManager,
+    directDepName: string,
+    directDepVersion: string,
+    transitiveDepName: string,
+    isVulnerable: (version: string) => boolean,
+    originalPackageJson: string,
+    scope: DependencyScope,
+    configFiles?: Record<string, string>
+): Promise<DirectUpgradeCheckResult> {
+    try {
+        // Parse and modify package.json with upgraded direct dependency
+        const pkgJson = JSON.parse(originalPackageJson);
+        if (!pkgJson[scope]?.[directDepName]) {
+            return {fixed: false, directDepVersion};
+        }
+
+        // Upgrade the direct dependency
+        pkgJson[scope][directDepName] = directDepVersion;
+        const modifiedPackageJson = JSON.stringify(pkgJson, null, 2);
+
+        // Run install in temp directory
+        const result = await runInstallInTempDir(pm, modifiedPackageJson, {
+            configFiles,
+            lockOnly: true
+        });
+
+        if (!result.success || !result.lockFileContent) {
+            return {fixed: false, directDepVersion};
+        }
+
+        // Parse lock file to find transitive version
+        const transitiveVersion = extractVersionFromLockFile(
+            result.lockFileContent,
+            transitiveDepName,
+            pm
+        );
+
+        if (!transitiveVersion) {
+            // Transitive not found - might mean it's no longer a dependency
+            return {fixed: true, directDepVersion, transitiveVersion: undefined};
+        }
+
+        // Check if the resolved version is still vulnerable
+        const stillVulnerable = isVulnerable(transitiveVersion);
+
+        return {
+            fixed: !stillVulnerable,
+            directDepVersion,
+            transitiveVersion
+        };
+    } catch {
+        return {fixed: false, directDepVersion};
+    }
+}
+
+/**
+ * Finds a direct dependency upgrade that fixes a transitive vulnerability.
+ * Tries versions from newest to oldest within the allowed delta.
+ *
+ * @param pm The package manager to use
+ * @param directDepName The direct dependency to upgrade
+ * @param currentDirectVersion The current version of the direct dependency
+ * @param transitiveDepName The transitive dependency that has a vulnerability
+ * @param isVulnerable Function that checks if a version is vulnerable
+ * @param isWithinDelta Function that checks if a version is within the allowed upgrade delta
+ * @param originalPackageJson The original package.json content
+ * @param scope The dependency scope of the direct dependency
+ * @param configFiles Optional config files (e.g., .npmrc)
+ * @returns The direct dependency version that fixes the transitive, or undefined if none found
+ */
+export async function findDirectUpgradeThatFixesTransitive(
+    pm: PackageManager,
+    directDepName: string,
+    currentDirectVersion: string,
+    transitiveDepName: string,
+    isVulnerable: (version: string) => boolean,
+    isWithinDelta: (fromVersion: string, toVersion: string) => boolean,
+    originalPackageJson: string,
+    scope: DependencyScope,
+    configFiles?: Record<string, string>
+): Promise<string | undefined> {
+    // Get available versions of the direct dependency
+    const availableVersions = await getAvailableVersions(directDepName, configFiles);
+    if (availableVersions.length === 0) {
+        return undefined;
+    }
+
+    const currentMajor = semver.major(currentDirectVersion);
+
+    // Filter to versions newer than current and within delta
+    // Note: getAvailableVersions already filters out prereleases
+    const candidateVersions = availableVersions.filter(v => {
+        try {
+            return semver.gt(v, currentDirectVersion) && isWithinDelta(currentDirectVersion, v);
+        } catch {
+            return false;
+        }
+    });
+
+    if (candidateVersions.length === 0) {
+        return undefined;
+    }
+
+    // Sort candidates: same major version first (descending), then other majors (descending)
+    // This prioritizes peer-compatible versions while still allowing major upgrades if needed
+    candidateVersions.sort((a, b) => {
+        const aMajor = semver.major(a);
+        const bMajor = semver.major(b);
+        const aIsSameMajor = aMajor === currentMajor;
+        const bIsSameMajor = bMajor === currentMajor;
+
+        // Same major versions come first
+        if (aIsSameMajor && !bIsSameMajor) return -1;
+        if (!aIsSameMajor && bIsSameMajor) return 1;
+
+        // Within the same priority group, sort by version descending
+        return semver.rcompare(a, b);
+    });
+
+    // Try candidates in order (same major first, then others)
+    for (const candidate of candidateVersions) {
+        const result = await checkDirectUpgradeFixesTransitive(
+            pm,
+            directDepName,
+            candidate,
+            transitiveDepName,
+            isVulnerable,
+            originalPackageJson,
+            scope,
+            configFiles
+        );
+
+        if (result.fixed) {
+            return candidate;
+        }
+
+        // Only try a few candidates to avoid excessive npm installs
+        // After trying the newest same-major and newest other-major, give up
+        const candidateMajor = semver.major(candidate);
+        if (candidateMajor !== currentMajor) {
+            // We've tried a different major version and it didn't work, give up
+            break;
+        }
+    }
+
+    return undefined;
+}