@socketsecurity/cli-with-sentry 0.14.114 → 0.14.116

package/dist/module-sync/fs.d.ts

@@ -0,0 +1,63 @@
+/// <reference types="node" />
+import { Remap } from '@socketsecurity/registry/lib/objects'
+import { Abortable } from 'node:events'
+import {
+  ObjectEncodingOptions,
+  OpenMode,
+  PathLike,
+  PathOrFileDescriptor
+} from 'node:fs'
+import { FileHandle } from 'node:fs/promises'
+declare function removeNodeModules(cwd?: string): Promise<void>
+type FindUpOptions = {
+  cwd?: string | undefined
+  signal?: AbortSignal | undefined
+}
+declare function findUp(
+  name: string | string[],
+  { cwd, signal }: FindUpOptions
+): Promise<string | undefined>
+type ReadFileOptions = Remap<
+  ObjectEncodingOptions &
+    Abortable & {
+      flag?: OpenMode | undefined
+    }
+>
+declare function readFileBinary(
+  filepath: PathLike | FileHandle,
+  options?: ReadFileOptions | undefined
+): Promise<Buffer>
+declare function readFileUtf8(
+  filepath: PathLike | FileHandle,
+  options?: ReadFileOptions | undefined
+): Promise<string>
+declare function safeReadFile(
+  filepath: PathLike | FileHandle,
+  options?:
+    | 'utf8'
+    | 'utf-8'
+    | {
+        encoding: 'utf8' | 'utf-8'
+      }
+    | undefined
+): Promise<string | undefined>
+declare function safeReadFileSync(
+  filepath: PathOrFileDescriptor,
+  options?:
+    | 'utf8'
+    | 'utf-8'
+    | {
+        encoding: 'utf8' | 'utf-8'
+      }
+    | undefined
+): string | undefined
+export {
+  removeNodeModules,
+  FindUpOptions,
+  findUp,
+  ReadFileOptions,
+  readFileBinary,
+  readFileUtf8,
+  safeReadFile,
+  safeReadFileSync
+}

package/dist/module-sync/shadow-npm-inject.js

@@ -18,12 +18,248 @@ const sdk = require('@socketsecurity/sdk')
 const fs = require('node:fs')
 const os = require('node:os')
 const path = require('node:path')
-const promises = require('node:timers/promises')
+const fs$1 = require('@socketsecurity/registry/lib/fs')
 const packages = require('@socketsecurity/registry/lib/packages')
+const promises = require('node:timers/promises')
 const sorts = require('@socketsecurity/registry/lib/sorts')
 const indentString = require('@socketregistry/indent-string/index.cjs')
 
+const { NPM: NPM$3, PNPM } = constants
+const PNPM_WORKSPACE = `${PNPM}-workspace`
+const ignoredDirs = [
+  // Taken from ignore-by-default:
+  // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
+  '.git',
+  // Git repository files, see <https://git-scm.com/>
+  '.log',
+  // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
+  '.nyc_output',
+  // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
+  '.sass-cache',
+  // Cache folder for node-sass, see <https://github.com/sass/node-sass>
+  '.yarn',
+  // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
+  'bower_components',
+  // Where Bower packages are installed, see <http://bower.io/>
+  'coverage',
+  // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
+  'node_modules',
+  // Where Node modules are installed, see <https://nodejs.org/>
+  // Taken from globby:
+  // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
+  'flow-typed'
+]
+const ignoredDirPatterns = ignoredDirs.map(i => `**/${i}`)
+async function getWorkspaceGlobs(agent, cwd = process$1.cwd()) {
+  let workspacePatterns
+  if (agent === PNPM) {
+    for (const workspacePath of [
+      path.join(cwd, `${PNPM_WORKSPACE}.yaml`),
+      path.join(cwd, `${PNPM_WORKSPACE}.yml`)
+    ]) {
+      // eslint-disable-next-line no-await-in-loop
+      const yml = await safeReadFile(workspacePath)
+      if (yml) {
+        try {
+          workspacePatterns = vendor.distExports$1.parse(yml)?.packages
+        } catch {}
+        if (workspacePatterns) {
+          break
+        }
+      }
+    }
+  } else {
+    workspacePatterns = (
+      await packages.readPackageJson(cwd, {
+        throws: false
+      })
+    )?.['workspaces']
+  }
+  return Array.isArray(workspacePatterns)
+    ? workspacePatterns
+        .filter(strings.isNonEmptyString)
+        .map(workspacePatternToGlobPattern)
+    : []
+}
+function ignoreFileLinesToGlobPatterns(lines, filepath, cwd) {
+  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/')
+  const patterns = []
+  for (let i = 0, { length } = lines; i < length; i += 1) {
+    const pattern = lines[i].trim()
+    if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {
+      patterns.push(
+        ignorePatternToMinimatch(
+          pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/
+            ? `!${path.posix.join(base, pattern.slice(1))}`
+            : path.posix.join(base, pattern)
+        )
+      )
+    }
+  }
+  return patterns
+}
+function ignoreFileToGlobPatterns(content, filepath, cwd) {
+  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd)
+}
+
+// Based on `@eslint/compat` convertIgnorePatternToMinimatch.
+// Apache v2.0 licensed
+// Copyright Nicholas C. Zakas
+// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28
+function ignorePatternToMinimatch(pattern) {
+  const isNegated = pattern.startsWith('!')
+  const negatedPrefix = isNegated ? '!' : ''
+  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()
+  // Special cases.
+  if (
+    patternToTest === '' ||
+    patternToTest === '**' ||
+    patternToTest === '/**' ||
+    patternToTest === '**'
+  ) {
+    return `${negatedPrefix}${patternToTest}`
+  }
+  const firstIndexOfSlash = patternToTest.indexOf('/')
+  const matchEverywherePrefix =
+    firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1
+      ? '**/'
+      : ''
+  const patternWithoutLeadingSlash =
+    firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest
+  // Escape `{` and `(` because in gitignore patterns they are just
+  // literal characters without any specific syntactic meaning,
+  // while in minimatch patterns they can form brace expansion or extglob syntax.
+  //
+  // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.
+  // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.
+  // Minimatch pattern `src/\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.
+  const escapedPatternWithoutLeadingSlash =
+    patternWithoutLeadingSlash.replaceAll(
+      /(?=((?:\\.|[^{(])*))\1([{(])/guy,
+      '$1\\$2'
+    )
+  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : ''
+  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`
+}
+function workspacePatternToGlobPattern(workspace) {
+  const { length } = workspace
+  if (!length) {
+    return ''
+  }
+  // If the workspace ends with "/"
+  if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
+    return `${workspace}/*/package.json`
+  }
+  // If the workspace ends with "/**"
+  if (
+    workspace.charCodeAt(length - 1) === 42 /*'*'*/ &&
+    workspace.charCodeAt(length - 2) === 42 /*'*'*/ &&
+    workspace.charCodeAt(length - 3) === 47 /*'/'*/
+  ) {
+    return `${workspace}/*/**/package.json`
+  }
+  // Things like "packages/a" or "packages/*"
+  return `${workspace}/package.json`
+}
+async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
+  const patterns = ['golang', NPM$3, 'maven', 'pypi', 'gem', 'nuget'].reduce(
+    (r, n) => {
+      const supported = supportedFiles[n]
+      r.push(
+        ...(supported
+          ? Object.values(supported).map(p => `**/${p.pattern}`)
+          : [])
+      )
+      return r
+    },
+    []
+  )
+  return entries.filter(p => vendor.micromatchExports.some(p, patterns))
+}
+async function globWithGitIgnore(patterns, options) {
+  const {
+    cwd = process$1.cwd(),
+    socketConfig,
+    ...additionalOptions
+  } = {
+    __proto__: null,
+    ...options
+  }
+  const projectIgnorePaths = socketConfig?.projectIgnorePaths
+  const ignoreFiles = await vendor.distExports.glob(['**/.gitignore'], {
+    absolute: true,
+    cwd,
+    expandDirectories: true
+  })
+  const ignores = [
+    ...ignoredDirPatterns,
+    ...(Array.isArray(projectIgnorePaths)
+      ? ignoreFileLinesToGlobPatterns(
+          projectIgnorePaths,
+          path.join(cwd, '.gitignore'),
+          cwd
+        )
+      : []),
+    ...(
+      await Promise.all(
+        ignoreFiles.map(async filepath =>
+          ignoreFileToGlobPatterns(
+            await fs.promises.readFile(filepath, 'utf8'),
+            filepath,
+            cwd
+          )
+        )
+      )
+    ).flat()
+  ]
+  const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /*'!'*/)
+  const globOptions = {
+    absolute: true,
+    cwd,
+    expandDirectories: false,
+    ignore: hasNegatedPattern ? [] : ignores,
+    ...additionalOptions
+  }
+  const result = await vendor.distExports.glob(patterns, globOptions)
+  if (!hasNegatedPattern) {
+    return result
+  }
+  const { absolute } = globOptions
+
+  // Note: the input files must be INSIDE the cwd. If you get strange looking
+  // relative path errors here, most likely your path is outside the given cwd.
+  const filtered = vendor
+    .ignoreExports()
+    .add(ignores)
+    .filter(absolute ? result.map(p => path.relative(cwd, p)) : result)
+  return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered
+}
+async function globNodeModules(cwd = process$1.cwd()) {
+  return await vendor.distExports.glob('**/node_modules/**', {
+    absolute: true,
+    cwd
+  })
+}
+async function globWorkspace(agent, cwd = process$1.cwd()) {
+  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd)
+  return workspaceGlobs.length
+    ? await vendor.distExports.glob(workspaceGlobs, {
+        absolute: true,
+        cwd,
+        ignore: ['**/node_modules/**', '**/bower_components/**']
+      })
+    : []
+}
+function pathsToGlobPatterns(paths) {
+  // TODO: Does not support `~/` paths.
+  return paths.map(p => (p === '.' || p === './' ? '**/*' : p))
+}
+
 const { abortSignal } = constants
+async function removeNodeModules(cwd = process$1.cwd()) {
+  const nodeModulesPaths = await globNodeModules(cwd)
+  await Promise.all(nodeModulesPaths.map(p => fs$1.remove(p)))
+}
 async function findUp(name, { cwd = process$1.cwd(), signal = abortSignal }) {
   let dir = path.resolve(cwd)
   const { root } = path.parse(dir)
@@ -391,7 +627,7 @@ async function setupSdk(
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
       name: '@socketsecurity/cli',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: '0.14.114',
+      version: '0.14.116',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
       homepage: 'https://github.com/SocketDev/socket-cli'
     })
@@ -1193,19 +1429,36 @@ function findBestPatchVersion(
   let eligibleVersions
   if (manifestData && manifestData.name === manifestData.package) {
     const major = vendor.semverExports.major(manifestData.version)
-    eligibleVersions = availableVersions.filter(
-      v => vendor.semverExports.major(v) === major
-    )
+    eligibleVersions = availableVersions.filter(v => {
+      const coerced = vendor.semverExports.coerce(v)
+      if (coerced) {
+        try {
+          return vendor.semverExports.major(coerced) === major
+        } catch (e) {
+          debug.debugLog(`Error parsing '${v}'`, e)
+        }
+      }
+      return false
+    })
   } else {
     const major = vendor.semverExports.major(node.version)
-    eligibleVersions = availableVersions.filter(
-      v =>
+    eligibleVersions = availableVersions.filter(v => {
+      const coerced = vendor.semverExports.coerce(v)
+      try {
         // Filter for versions that are within the current major version and
         // are NOT in the vulnerable range.
-        vendor.semverExports.major(v) === major &&
-        (!vulnerableVersionRange ||
-          !vendor.semverExports.satisfies(v, vulnerableVersionRange))
-    )
+        if (coerced) {
+          return (
+            vendor.semverExports.major(coerced) === major &&
+            (!vulnerableVersionRange ||
+              !vendor.semverExports.satisfies(v, vulnerableVersionRange))
+          )
+        }
+      } catch (e) {
+        debug.debugLog(`Error parsing '${v}'`, e)
+      }
+      return false
+    })
   }
   return vendor.semverExports.maxSatisfying(eligibleVersions, '*')
 }
@@ -1417,13 +1670,9 @@ function updatePackageJsonFromNode(
 ) {
   let result = false
   if (!isTopLevel(tree, node)) {
-    debug.debugLog('not top level', node)
-    debug.debugLog('tree.children', tree.children)
     return result
   }
   const { name } = node
-  debug.debugLog('name', name)
-  debug.debugLog('editablePkgJson.content', editablePkgJson.content)
   for (const depField of [
     'dependencies',
     'optionalDependencies',
@@ -2331,6 +2580,7 @@ exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES =
 exports.SafeArborist = SafeArborist
 exports.applyRange = applyRange
 exports.captureException = captureException
+exports.filterGlobResultToSupportedFiles = filterGlobResultToSupportedFiles
 exports.findBestPatchVersion = findBestPatchVersion
 exports.findPackageNode = findPackageNode
 exports.findPackageNodes = findPackageNodes
@@ -2346,11 +2596,15 @@ exports.getPublicToken = getPublicToken
 exports.getSeverityCount = getSeverityCount
 exports.getSocketDevAlertUrl = getSocketDevAlertUrl
 exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl
+exports.globWithGitIgnore = globWithGitIgnore
+exports.globWorkspace = globWorkspace
 exports.isReadOnlyConfig = isReadOnlyConfig
 exports.overrideCachedConfig = overrideCachedConfig
 exports.overrideConfigApiToken = overrideConfigApiToken
+exports.pathsToGlobPatterns = pathsToGlobPatterns
 exports.readFileBinary = readFileBinary
 exports.readFileUtf8 = readFileUtf8
+exports.removeNodeModules = removeNodeModules
 exports.safeReadFile = safeReadFile
 exports.sensitiveConfigKeys = sensitiveConfigKeys
 exports.setupSdk = setupSdk
@@ -2358,5 +2612,5 @@ exports.supportedConfigKeys = supportedConfigKeys
 exports.updateConfigValue = updateConfigValue
 exports.updateNode = updateNode
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode
-//# debugId=992f3ef2-20a6-4ad5-b2ae-9b967b041eba
+//# debugId=5a309826-f704-4471-96b5-cdefeafaf366
 //# sourceMappingURL=shadow-npm-inject.js.map