@socketsecurity/cli-with-sentry 0.14.55 → 0.14.57

package/dist/module-sync/color-or-markdown.d.ts

@@ -0,0 +1,16 @@
+import indentString from '@socketregistry/indent-string/index.cjs';
+declare class ColorOrMarkdown {
+    useMarkdown: boolean;
+    constructor(useMarkdown: boolean);
+    bold(text: string): string;
+    header(text: string, level?: number): string;
+    hyperlink(text: string, url: string | undefined, { fallback, fallbackToUrl }?: {
+        fallback?: boolean | undefined;
+        fallbackToUrl?: boolean | undefined;
+    }): string;
+    indent(...args: Parameters<typeof indentString>): ReturnType<typeof indentString>;
+    italic(text: string): string;
+    json(value: any): string;
+    list(items: string[]): string;
+}
+export { ColorOrMarkdown };

package/dist/module-sync/edge.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="npmcli__arborist" />
 import { SafeNode } from "./node.js";
-import { SafeOverrideSet } from "./index.js";
+import { SafeOverrideSet } from "./override-set.js";
 import { DependencyProblem } from '@npmcli/arborist';
 import { Edge as BaseEdge } from "@npmcli/arborist";
 type EdgeClass = Omit<BaseEdge, 'accept' | 'detach' | 'optional' | 'overrides' | 'peer' | 'peerConflicted' | 'rawSpec' | 'reload' | 'satisfiedBy' | 'spec' | 'to'> & {

package/dist/module-sync/index.d.ts

@@ -1,177 +1,7 @@
-/// <reference types="node" />
-import { SafeEdge } from "./edge.js";
+import { kRiskyReify } from "./shadow-npm-inject.js";
+import { ArboristClass } from "./types.js";
 import { SafeNode } from "./node.js";
-import indentString from "@socketregistry/indent-string/index.cjs";
-import { LogSymbols } from "@socketsecurity/registry/lib/logger";
-import { SocketSdkResultType } from "@socketsecurity/sdk";
-import { Diff, ArboristClass } from "./types.js";
-import { ObjectEncodingOptions, OpenMode, PathLike } from "node:fs";
-import { promises as fs } from "node:fs";
-import { readFileSync as fsReadFileSync } from "node:fs";
-import { Abortable } from "node:events";
-import { FileHandle } from "node:fs/promises";
-import { kRiskyReify } from "./reify.js";
-interface OverrideSetClass {
-    children: Map<string, SafeOverrideSet>;
-    key: string | undefined;
-    keySpec: string | undefined;
-    name: string | undefined;
-    parent: SafeOverrideSet | undefined;
-    value: string | undefined;
-    version: string | undefined;
-    // eslint-disable-next-line @typescript-eslint/no-misused-new
-    new (...args: any[]): OverrideSetClass;
-    get isRoot(): boolean;
-    get ruleset(): Map<string, SafeOverrideSet>;
-    ancestry(): Generator<SafeOverrideSet>;
-    childrenAreEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean;
-    getEdgeRule(edge: SafeEdge): SafeOverrideSet;
-    getNodeRule(node: SafeNode): SafeOverrideSet;
-    getMatchingRule(node: SafeNode): SafeOverrideSet | null;
-    isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean;
-}
-declare const OverrideSet: OverrideSetClass;
-// Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
-declare class SafeOverrideSet extends OverrideSet {
-    // Patch adding doOverrideSetsConflict is based on
-    // https://github.com/npm/cli/pull/8089.
-    static doOverrideSetsConflict(first: SafeOverrideSet | undefined, second: SafeOverrideSet | undefined): boolean;
-    // Patch adding findSpecificOverrideSet is based on
-    // https://github.com/npm/cli/pull/8089.
-    static findSpecificOverrideSet(first: SafeOverrideSet | undefined, second: SafeOverrideSet | undefined): SafeOverrideSet | undefined;
-    // Patch adding childrenAreEqual is based on
-    // https://github.com/npm/cli/pull/8089.
-    childrenAreEqual(otherOverrideSet: SafeOverrideSet): boolean;
-    getEdgeRule(edge: SafeEdge): SafeOverrideSet;
-    // Patch adding isEqual is based on
-    // https://github.com/npm/cli/pull/8089.
-    isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean;
-}
-declare const depValid: (child: SafeNode, requested: string, accept: string | undefined, requester: SafeNode) => boolean;
-declare function getSocketDevAlertUrl(alertType: string): string;
-declare function getSocketDevPackageOverviewUrl(eco: string, name: string, version?: string | undefined): string;
-declare class ColorOrMarkdown {
-    useMarkdown: boolean;
-    constructor(useMarkdown: boolean);
-    bold(text: string): string;
-    header(text: string, level?: number): string;
-    hyperlink(text: string, url: string | undefined, { fallback, fallbackToUrl }?: {
-        fallback?: boolean | undefined;
-        fallbackToUrl?: boolean | undefined;
-    }): string;
-    indent(...args: Parameters<typeof indentString>): ReturnType<typeof indentString>;
-    italic(text: string): string;
-    json(value: any): string;
-    list(items: string[]): string;
-    get logSymbols(): LogSymbols;
-}
-type AlertUxLookup = ReturnType<typeof createAlertUXLookup>;
-type AlertUxLookupSettings = Parameters<AlertUxLookup>[0];
-type AlertUxLookupResult = ReturnType<AlertUxLookup>;
-type RuleActionUX = {
-    block: boolean;
-    display: boolean;
-};
-type SettingsType = (SocketSdkResultType<"postSettings"> & {
-    success: true;
-})["data"];
-declare function createAlertUXLookup(settings: SettingsType): (context: {
-    package: {
-        name: string;
-        version: string;
-    };
-    alert: {
-        type: string;
-    };
-}) => RuleActionUX;
-declare function uxLookup(settings: AlertUxLookupSettings): Promise<AlertUxLookupResult>;
-type CveAlertType = "cve" | "mediumCVE" | "mildCVE" | "criticalCVE";
-type ArtifactAlertCveFixable = Omit<SocketArtifactAlert, "props" | "title"> & {
-    type: CveAlertType;
-    props: {
-        firstPatchedVersionIdentifier: string;
-        vulnerableVersionRange: string;
-        [key: string]: any;
-    };
-};
-type ArtifactAlertFixable = ArtifactAlertCveFixable & {
-    type: CveAlertType | "socketUpgradeAvailable";
-};
-type SocketArtifactAlert = {
-    key: string;
-    type: string;
-    severity: string;
-    category: string;
-    action?: string | undefined;
-    actionPolicyIndex?: number | undefined;
-    file?: string | undefined;
-    props?: any | undefined;
-    start?: number | undefined;
-    end?: number | undefined;
-};
-type SocketArtifact = {
-    type: string;
-    name: string;
-    namespace?: string | undefined;
-    version?: string | undefined;
-    subpath?: string | undefined;
-    release?: string | undefined;
-    id?: string | undefined;
-    author?: string[];
-    license?: string | undefined;
-    licenseDetails?: Array<{
-        spdxDisj: string;
-        provenance: string;
-        filepath: string;
-        match_strength: number;
-    }>;
-    licenseAttrib?: Array<{
-        attribText: string;
-        attribData: Array<{
-            purl: string;
-            foundInFilepath: string;
-            spdxExpr: string;
-            foundAuthors: string[];
-        }>;
-    }>;
-    score?: {
-        supplyChain: number;
-        quality: number;
-        maintenance: number;
-        vulnerability: number;
-        license: number;
-        overall: number;
-    };
-    alerts?: SocketArtifactAlert[];
-    size?: number | undefined;
-    batchIndex?: number | undefined;
-};
-declare function batchScan(pkgIds: string[], concurrencyLimit?: number): AsyncGenerator<SocketArtifact>;
-declare function isArtifactAlertCveFixable(alert: SocketArtifactAlert): alert is ArtifactAlertCveFixable;
-declare function isArtifactAlertUpgradeFixable(alert: SocketArtifactAlert): alert is ArtifactAlertFixable;
-declare function isArtifactAlertFixable(alert: SocketArtifactAlert): alert is ArtifactAlertFixable;
-type PackageDetail = {
-    node: SafeNode;
-    existing?: SafeNode | undefined;
-};
-type GetPackagesToQueryFromDiffOptions = {
-    includeUnchanged?: boolean | undefined;
-    includeUnknownOrigin?: boolean | undefined;
-};
-declare function getPackagesToQueryFromDiff(diff_: Diff | null, options?: GetPackagesToQueryFromDiffOptions | undefined): PackageDetail[];
-declare function findUp(name: string | string[], { cwd }: {
-    cwd: string;
-}): Promise<string | undefined>;
-type ReadFileOptions = ObjectEncodingOptions & Abortable & {
-    flag?: OpenMode | undefined;
-};
-declare function readFileBinary(filepath: PathLike | FileHandle, options?: ReadFileOptions | undefined): Promise<Buffer>;
-declare function readFileUtf8(filepath: PathLike | FileHandle, options?: ReadFileOptions | undefined): Promise<string>;
-declare function safeReadFile(...args: Parameters<typeof fs.readFile>): ReturnType<typeof fs.readFile> | undefined;
-declare function safeReadFileSync(...args: Parameters<typeof fsReadFileSync>): ReturnType<typeof fsReadFileSync> | undefined;
 declare const Arborist: ArboristClass;
-declare const kCtorArgs: unique symbol;
 declare const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES: {
     __proto__: null;
     audit: boolean;
@@ -189,4 +19,4 @@ declare class SafeArborist extends Arborist {
     // @ts-ignore Incorrectly typed.
     reify(this: SafeArborist, ...args: Parameters<InstanceType<ArboristClass>['reify']>): Promise<SafeNode>;
 }
-export { SafeOverrideSet, depValid, getSocketDevAlertUrl, getSocketDevPackageOverviewUrl, ColorOrMarkdown, createAlertUXLookup, uxLookup, CveAlertType, ArtifactAlertCveFixable, ArtifactAlertFixable, SocketArtifactAlert, SocketArtifact, batchScan, isArtifactAlertCveFixable, isArtifactAlertUpgradeFixable, isArtifactAlertFixable, PackageDetail, getPackagesToQueryFromDiff, findUp, ReadFileOptions, readFileBinary, readFileUtf8, safeReadFile, safeReadFileSync, Arborist, kCtorArgs, SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES, SafeArborist };
+export { Arborist, SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES, SafeArborist };

package/dist/module-sync/node.d.ts

@@ -1,5 +1,5 @@
 /// <reference types="npmcli__arborist" />
-import { SafeOverrideSet } from "./index.js";
+import { SafeOverrideSet } from "./override-set.js";
 import { SafeEdge } from "./edge.js";
 import { Link } from '@npmcli/arborist';
 import { Node as BaseNode } from "@npmcli/arborist";

package/dist/module-sync/override-set.d.ts

@@ -0,0 +1,37 @@
+import { SafeEdge } from "./edge.js";
+import { SafeNode } from "./node.js";
+interface OverrideSetClass {
+    children: Map<string, SafeOverrideSet>;
+    key: string | undefined;
+    keySpec: string | undefined;
+    name: string | undefined;
+    parent: SafeOverrideSet | undefined;
+    value: string | undefined;
+    version: string | undefined;
+    new (...args: any[]): OverrideSetClass;
+    get isRoot(): boolean;
+    get ruleset(): Map<string, SafeOverrideSet>;
+    ancestry(): Generator<SafeOverrideSet>;
+    childrenAreEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean;
+    getEdgeRule(edge: SafeEdge): SafeOverrideSet;
+    getNodeRule(node: SafeNode): SafeOverrideSet;
+    getMatchingRule(node: SafeNode): SafeOverrideSet | null;
+    isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean;
+}
+declare const OverrideSet: OverrideSetClass;
+declare class SafeOverrideSet extends OverrideSet {
+    // Patch adding doOverrideSetsConflict is based on
+    // https://github.com/npm/cli/pull/8089.
+    static doOverrideSetsConflict(first: SafeOverrideSet | undefined, second: SafeOverrideSet | undefined): boolean;
+    // Patch adding findSpecificOverrideSet is based on
+    // https://github.com/npm/cli/pull/8089.
+    static findSpecificOverrideSet(first: SafeOverrideSet | undefined, second: SafeOverrideSet | undefined): SafeOverrideSet | undefined;
+    // Patch adding childrenAreEqual is based on
+    // https://github.com/npm/cli/pull/8089.
+    childrenAreEqual(otherOverrideSet: SafeOverrideSet): boolean;
+    getEdgeRule(edge: SafeEdge): SafeOverrideSet;
+    // Patch adding isEqual is based on
+    // https://github.com/npm/cli/pull/8089.
+    isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean;
+}
+export { SafeOverrideSet };

package/dist/module-sync/path-resolve.d.ts

@@ -6,6 +6,5 @@ declare function findBinPathDetailsSync(binName: string): {
     shadowed: boolean;
 };
 declare function findNpmPathSync(npmBinPath: string): string | undefined;
-declare function getPackageFiles(cwd: string, inputPaths: string[], config: SocketYml | undefined, supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data']): Promise<string[]>;
-declare function getPackageFilesFullScans(cwd: string, inputPaths: string[], supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data']): Promise<string[]>;
-export { findBinPathDetailsSync, findNpmPathSync, getPackageFiles, getPackageFilesFullScans };
+declare function getPackageFilesFullScans(cwd: string, inputPaths: string[], supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data'], config?: SocketYml | undefined): Promise<string[]>;
+export { findBinPathDetailsSync, findNpmPathSync, getPackageFilesFullScans };

package/dist/module-sync/shadow-bin.d.ts

@@ -1,2 +1,2 @@
-declare function shadowBin(binName: 'npm' | 'npx', args?: string[]): Promise<void>;
+declare function shadowBin(binName: 'npm' | 'npx', args?: string[], level?: number): Promise<void>;
 export { shadowBin as default };

package/dist/module-sync/shadow-bin.js

@@ -14,7 +14,7 @@ var npm = require('@socketsecurity/registry/lib/npm');
 var spawn = require('@socketsecurity/registry/lib/spawn');
 var path = require('node:path');
 var cmdShim = _socketInterop(require('cmd-shim'));
-var npmPaths = require('./npm-paths.js');
+var shadowNpmPaths = require('./shadow-npm-paths.js');
 var constants = require('./constants.js');
 
 const {
@@ -24,7 +24,7 @@ const {
 async function installLinks(realBinPath, binName) {
   const isNpx = binName === NPX;
   // Find package manager being shadowed by this process.
-  const binPath = isNpx ? npmPaths.getNpxBinPath() : npmPaths.getNpmBinPath();
+  const binPath = isNpx ? shadowNpmPaths.getNpxBinPath() : shadowNpmPaths.getNpmBinPath();
   // Lazily access constants.WIN32.
   const {
     WIN32
@@ -33,7 +33,7 @@ async function installLinks(realBinPath, binName) {
   if (WIN32 && binPath) {
     return binPath;
   }
-  const shadowed = isNpx ? npmPaths.isNpxBinPathShadowed() : npmPaths.isNpmBinPathShadowed();
+  const shadowed = isNpx ? shadowNpmPaths.isNpxBinPathShadowed() : shadowNpmPaths.isNpmBinPathShadowed();
   // Move our bin directory to front of PATH so its found first.
   if (!shadowed) {
     if (WIN32) {
@@ -47,22 +47,14 @@ async function installLinks(realBinPath, binName) {
 }
 
 const {
-  NPM,
-  SOCKET_CLI_LEGACY_PACKAGE_NAME,
-  SOCKET_CLI_PACKAGE_NAME,
   SOCKET_CLI_SAFE_WRAPPER,
   SOCKET_CLI_SENTRY_BUILD,
-  SOCKET_CLI_SENTRY_PACKAGE_NAME,
   SOCKET_IPC_HANDSHAKE
 } = constants;
-async function shadowBin(binName, args = process.argv.slice(2)) {
+async function shadowBin(binName, args = process.argv.slice(2), level = 1) {
   process.exitCode = 1;
   const terminatorPos = args.indexOf('--');
-  const skipSocketCliUpgrade = binName === NPM && args.length === 3 && args[0] === 'install' && args[1] === '-g' && (args[2] === SOCKET_CLI_PACKAGE_NAME || args[2] === SOCKET_CLI_LEGACY_PACKAGE_NAME || args[2] === SOCKET_CLI_SENTRY_PACKAGE_NAME);
-  let binArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
-  if (!skipSocketCliUpgrade) {
-    binArgs = binArgs.filter(a => !npm.isProgressFlag(a));
-  }
+  const binArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isProgressFlag(a));
   const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
   const spawnPromise = spawn.spawn(
   // Lazily access constants.execPath.
@@ -71,17 +63,17 @@ async function shadowBin(binName, args = process.argv.slice(2)) {
   ...constants.nodeNoWarningsFlags,
   // Lazily access constants.ENV[SOCKET_CLI_SENTRY_BUILD].
   ...(constants.ENV[SOCKET_CLI_SENTRY_BUILD] ? ['--require',
-  // Lazily access constants.instrumentWithSentryPath.
-  constants.instrumentWithSentryPath] : []), '--require',
-  // Lazily access constants.npmInjectionPath.
-  constants.npmInjectionPath,
+  // Lazily access constants.distInstrumentWithSentryPath.
+  constants.distInstrumentWithSentryPath] : []), '--require',
+  // Lazily access constants.distShadowNpmInjectPath.
+  constants.distShadowNpmInjectPath,
   // Lazily access constants.shadowBinPath.
   await installLinks(constants.shadowBinPath, binName),
-  // Add `--no-progress` and `--quiet` flags to fix input being swallowed by
-  // the spinner when running the command with recent versions of npm.
-  ...(skipSocketCliUpgrade ? [] : ['--no-progress']),
-  // Add the '--quiet' flag if a loglevel flag is not provided.
-  ...(binArgs.some(npm.isLoglevelFlag) ? [] : skipSocketCliUpgrade ? ['--loglevel', 'error'] : ['--quiet']), ...binArgs, ...otherArgs], {
+  // Add `--no-progress` and `--loglevel=error` flags to fix input being
+  // swallowed by the npm spinner.
+  '--no-progress',
+  // Add the '--loglevel=error' flag if a loglevel flag is not provided.
+  ...(binArgs.some(npm.isLoglevelFlag) ? [] : ['--loglevel', 'error']), ...binArgs, ...otherArgs], {
     // 'inherit' + 'ipc'
     stdio: [0, 1, 2, 'ipc']
   });
@@ -95,12 +87,12 @@ async function shadowBin(binName, args = process.argv.slice(2)) {
   });
   spawnPromise.process.send({
     [SOCKET_IPC_HANDSHAKE]: {
-      [SOCKET_CLI_SAFE_WRAPPER]: true
+      [SOCKET_CLI_SAFE_WRAPPER]: level
     }
   });
   await spawnPromise;
 }
 
 module.exports = shadowBin;
-//# debugId=4b080160-768f-48ff-859c-2da65a395a61
+//# debugId=c58c4335-92d0-4ad1-86bf-6eb5428f654a
 //# sourceMappingURL=shadow-bin.js.map

package/dist/module-sync/shadow-bin.js.map

@@ -1 +1 @@
-{"version":3,"file":"shadow-bin.js","sources":["../../src/shadow/link.ts","../../src/shadow/shadow-bin.ts"],"sourcesContent":["import path from 'node:path'\nimport process from 'node:process'\n\nimport cmdShim from 'cmd-shim'\n\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed\n} from './npm-paths'\nimport constants from '../constants'\n\nconst { CLI, NPX } = constants\n\nexport async function installLinks(\n  realBinPath: string,\n  binName: 'npm' | 'npx'\n): Promise<string> {\n  const isNpx = binName === NPX\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  // Lazily access constants.WIN32.\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        // Lazily access constants.rootDistPath.\n        path.join(constants.rootDistPath, `${binName}-${CLI}.js`),\n        path.join(realBinPath, binName)\n      )\n    }\n    process.env['PATH'] =\n      `${realBinPath}${path.delimiter}${process.env['PATH']}`\n  }\n  return binPath\n}\n","import process from 'node:process'\n\nimport {\n  isLoglevelFlag,\n  isProgressFlag\n} from '@socketsecurity/registry/lib/npm'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link'\nimport constants from '../constants'\n\nconst {\n  NPM,\n  SOCKET_CLI_LEGACY_PACKAGE_NAME,\n  SOCKET_CLI_PACKAGE_NAME,\n  SOCKET_CLI_SAFE_WRAPPER,\n  SOCKET_CLI_SENTRY_BUILD,\n  SOCKET_CLI_SENTRY_PACKAGE_NAME,\n  SOCKET_IPC_HANDSHAKE\n} = constants\n\nexport default async function shadowBin(\n  binName: 'npm' | 'npx',\n  args = process.argv.slice(2)\n) {\n  process.exitCode = 1\n  const terminatorPos = args.indexOf('--')\n  const skipSocketCliUpgrade =\n    binName === NPM &&\n    args.length === 3 &&\n    args[0] === 'install' &&\n    args[1] === '-g' &&\n    (args[2] === SOCKET_CLI_PACKAGE_NAME ||\n      args[2] === SOCKET_CLI_LEGACY_PACKAGE_NAME ||\n      args[2] === SOCKET_CLI_SENTRY_PACKAGE_NAME)\n\n  let binArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  if (!skipSocketCliUpgrade) {\n    binArgs = binArgs.filter(a => !isProgressFlag(a))\n  }\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      // Lazily access constants.ENV[SOCKET_CLI_SENTRY_BUILD].\n      ...(constants.ENV[SOCKET_CLI_SENTRY_BUILD]\n        ? [\n            '--require',\n            // Lazily access constants.instrumentWithSentryPath.\n            constants.instrumentWithSentryPath\n          ]\n        : []),\n      '--require',\n      // Lazily access constants.npmInjectionPath.\n      constants.npmInjectionPath,\n      // Lazily access constants.shadowBinPath.\n      await installLinks(constants.shadowBinPath, binName),\n      // Add `--no-progress` and `--quiet` flags to fix input being swallowed by\n      // the spinner when running the command with recent versions of npm.\n      ...(skipSocketCliUpgrade ? [] : ['--no-progress']),\n      // Add the '--quiet' flag if a loglevel flag is not provided.\n      ...(binArgs.some(isLoglevelFlag)\n        ? []\n        : skipSocketCliUpgrade\n          ? ['--loglevel', 'error']\n          : ['--quiet']),\n      ...binArgs,\n      ...otherArgs\n    ],\n    {\n      // 'inherit' + 'ipc'\n      stdio: [0, 1, 2, 'ipc']\n    }\n  )\n  // See https://nodejs.org/api/all.html#all_child_process_event-exit.\n  spawnPromise.process.on('exit', (code, signalName) => {\n    if (signalName) {\n      process.kill(process.pid, signalName)\n    } else if (code !== null) {\n      process.exit(code)\n    }\n  })\n  spawnPromise.process.send({\n    [SOCKET_IPC_HANDSHAKE]: {\n      [SOCKET_CLI_SAFE_WRAPPER]: true\n    }\n  })\n  await spawnPromise\n}\n"],"names":["NPX","WIN32","process","SOCKET_IPC_HANDSHAKE","binArgs","constants","spawnPromise"],"mappings":";;;;;;;;;;;;;;;;;;;AAaA;;AAAaA;AAAI;AAEV;AAIL;AACA;;AAEA;;AACQC;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;AACE;AACE;;AAIJ;AACAC;AAEF;AACA;AACF;;AC/BA;;;;;;;AAOEC;AACF;AAEe;;AAKb;;AAUA;;AAEEC;AACF;AACA;;AAEE;;AAGE;;AAEA;;AAIM;AACAC;AAIN;AACAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AASA;;AAEF;AAEF;;AAEE;;AAEA;AACEH;AACF;AACF;AACAI;AACE;AACE;AACF;AACF;AACA;AACF;;","debugId":"4b080160-768f-48ff-859c-2da65a395a61"}
+{"version":3,"file":"shadow-bin.js","sources":["../../src/shadow/npm/link.ts","../../src/shadow/npm/bin.ts"],"sourcesContent":["import path from 'node:path'\nimport process from 'node:process'\n\nimport cmdShim from 'cmd-shim'\n\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed\n} from './paths'\nimport constants from '../../constants'\n\nconst { CLI, NPX } = constants\n\nexport async function installLinks(\n  realBinPath: string,\n  binName: 'npm' | 'npx'\n): Promise<string> {\n  const isNpx = binName === NPX\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  // Lazily access constants.WIN32.\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        // Lazily access constants.rootDistPath.\n        path.join(constants.rootDistPath, `${binName}-${CLI}.js`),\n        path.join(realBinPath, binName)\n      )\n    }\n    process.env['PATH'] =\n      `${realBinPath}${path.delimiter}${process.env['PATH']}`\n  }\n  return binPath\n}\n","import process from 'node:process'\n\nimport {\n  isLoglevelFlag,\n  isProgressFlag\n} from '@socketsecurity/registry/lib/npm'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link'\nimport constants from '../../constants'\n\nconst {\n  SOCKET_CLI_SAFE_WRAPPER,\n  SOCKET_CLI_SENTRY_BUILD,\n  SOCKET_IPC_HANDSHAKE\n} = constants\n\nexport default async function shadowBin(\n  binName: 'npm' | 'npx',\n  args = process.argv.slice(2),\n  level = 1\n) {\n  process.exitCode = 1\n  const terminatorPos = args.indexOf('--')\n  const binArgs = (\n    terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  ).filter(a => !isProgressFlag(a))\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      // Lazily access constants.ENV[SOCKET_CLI_SENTRY_BUILD].\n      ...(constants.ENV[SOCKET_CLI_SENTRY_BUILD]\n        ? [\n            '--require',\n            // Lazily access constants.distInstrumentWithSentryPath.\n            constants.distInstrumentWithSentryPath\n          ]\n        : []),\n      '--require',\n      // Lazily access constants.distShadowNpmInjectPath.\n      constants.distShadowNpmInjectPath,\n      // Lazily access constants.shadowBinPath.\n      await installLinks(constants.shadowBinPath, binName),\n      // Add `--no-progress` and `--loglevel=error` flags to fix input being\n      // swallowed by the npm spinner.\n      '--no-progress',\n      // Add the '--loglevel=error' flag if a loglevel flag is not provided.\n      ...(binArgs.some(isLoglevelFlag) ? [] : ['--loglevel', 'error']),\n      ...binArgs,\n      ...otherArgs\n    ],\n    {\n      // 'inherit' + 'ipc'\n      stdio: [0, 1, 2, 'ipc']\n    }\n  )\n  // See https://nodejs.org/api/all.html#all_child_process_event-exit.\n  spawnPromise.process.on('exit', (code, signalName) => {\n    if (signalName) {\n      process.kill(process.pid, signalName)\n    } else if (code !== null) {\n      process.exit(code)\n    }\n  })\n  spawnPromise.process.send({\n    [SOCKET_IPC_HANDSHAKE]: {\n      [SOCKET_CLI_SAFE_WRAPPER]: level\n    }\n  })\n  await spawnPromise\n}\n"],"names":["NPX","WIN32","process","SOCKET_IPC_HANDSHAKE","constants","spawnPromise"],"mappings":";;;;;;;;;;;;;;;;;;;AAaA;;AAAaA;AAAI;AAEV;AAIL;AACA;;AAEA;;AACQC;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;AACE;AACE;;AAIJ;AACAC;AAEF;AACA;AACF;;AC/BA;;;AAGEC;AACF;AAEe;;AAMb;AACA;AAGA;;AAEE;;AAGE;;AAEA;;AAIM;AACAC;AAIN;AACAA;AACA;AACA;AACA;AACA;;AAEA;;AAMA;;AAEF;AAEF;;AAEE;;AAEA;AACEF;AACF;AACF;AACAG;AACE;AACE;AACF;AACF;AACA;AACF;;","debugId":"c58c4335-92d0-4ad1-86bf-6eb5428f654a"}

package/dist/module-sync/{index.js → shadow-npm-inject.js}

@@ -38,7 +38,7 @@ var logger = require('@socketsecurity/registry/lib/logger');
 var terminalLink = _socketInterop(require('terminal-link'));
 var colors = _socketInterop(require('yoctocolors-cjs'));
 var indentString = require('@socketregistry/indent-string/index.cjs');
-var npmPaths = require('./npm-paths.js');
+var shadowNpmPaths = require('./shadow-npm-paths.js');
 var npa = _socketInterop(require('npm-package-arg'));
 
 const {
@@ -387,8 +387,9 @@ async function* createBatchGenerator(chunk) {
     method: 'POST',
     headers: {
       Authorization: `Basic ${btoa(`${getPublicToken()}:`)}`
-    },
-    signal: abortSignal$1
+    }
+    // TODO: Fix to not abort process on network abort.
+    // signal: abortSignal
   }).end(JSON.stringify({
     components: chunk.map(id => ({
       purl: `pkg:npm/${id}`
@@ -699,13 +700,6 @@ void (async () => {
   _uxLookup = createAlertUXLookup(settings);
 })();
 
-const markdownLogSymbols = Object.freeze({
-  __proto__: null,
-  info: ':information_source:',
-  error: ':stop_sign:',
-  success: ':white_check_mark:',
-  warning: ':warning:'
-});
 class ColorOrMarkdown {
   constructor(useMarkdown) {
     this.useMarkdown = !!useMarkdown;
@@ -740,9 +734,6 @@ class ColorOrMarkdown {
     const indentedContent = items.map(item => this.indent(item).trimStart());
     return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
   }
-  get logSymbols() {
-    return this.useMarkdown ? markdownLogSymbols : logger.Logger.LOG_SYMBOLS;
-  }
 }
 
 function getSocketDevAlertUrl(alertType) {
@@ -752,7 +743,7 @@ function getSocketDevPackageOverviewUrl(eco, name, version) {
   return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`;
 }
 
-const depValid = require(npmPaths.getArboristDepValidPath());
+const depValid = require(shadowNpmPaths.getArboristDepValidPath());
 
 const {
   UNDEFINED_TOKEN
@@ -782,7 +773,7 @@ function tryRequire(req, ...ids) {
 let _log = UNDEFINED_TOKEN;
 function getLogger() {
   if (_log === UNDEFINED_TOKEN) {
-    _log = tryRequire(npmPaths.getNpmRequire(), ['proc-log/lib/index.js',
+    _log = tryRequire(shadowNpmPaths.getNpmRequire(), ['proc-log/lib/index.js',
     // The proc-log DefinitelyTyped definition is incorrect. The type definition
     // is really that of its export log.
     mod => mod.log], 'npmlog/lib/log.js');
@@ -790,7 +781,7 @@ function getLogger() {
   return _log;
 }
 
-const OverrideSet = require(npmPaths.getArboristOverrideSetClassPath());
+const OverrideSet = require(shadowNpmPaths.getArboristOverrideSetClassPath());
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/8089
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
@@ -908,7 +899,7 @@ class SafeOverrideSet extends OverrideSet {
   }
 }
 
-const Node = require(npmPaths.getArboristNodeClassPath());
+const Node = require(shadowNpmPaths.getArboristNodeClassPath());
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/8089
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
@@ -1204,7 +1195,7 @@ class SafeNode extends Node {
   }
 }
 
-const Edge = require(npmPaths.getArboristEdgeClassPath());
+const Edge = require(shadowNpmPaths.getArboristEdgeClassPath());
 
 // The Edge class makes heavy use of private properties which subclasses do NOT
 // have access to. So we have to recreate any functionality that relies on those
@@ -1577,6 +1568,7 @@ async function getPackagesAlerts(arb, options) {
     consolidate = false,
     includeExisting = false,
     includeUnfixable = true,
+    includeUpgrades = false,
     output
   } = {
     __proto__: null,
@@ -1633,7 +1625,7 @@ async function getPackagesAlerts(arb, options) {
       }
       const fixableCve = isArtifactAlertCveFixable(alert);
       const fixableUpgrade = isArtifactAlertUpgradeFixable(alert);
-      if ((fixableCve || fixableUpgrade || includeUnfixable) && !(fixableUpgrade && hasOverride(pkgJson, name))) {
+      if (includeUnfixable || fixableCve || includeUpgrades && fixableUpgrade && !hasOverride(pkgJson, name)) {
         sockPkgAlerts.push({
           name,
           version,
@@ -1751,14 +1743,16 @@ function getCveInfoByPackage(alerts, options) {
   }
   return infoByPkg;
 }
+const kCtorArgs = Symbol('ctorArgs');
 const kRiskyReify = Symbol('riskyReify');
-async function reify(...args) {
+async function reify(arb, args, level = 1) {
   const {
     stderr: output,
     stdin: input
   } = process;
-  const alerts = await getPackagesAlerts(this, {
-    output
+  const alerts = await getPackagesAlerts(arb, {
+    output,
+    includeUnfixable: level < 2
   });
   if (alerts.length && !(await prompts.confirm({
     message: 'Accept risks of installing these packages?',
@@ -1769,21 +1763,17 @@ async function reify(...args) {
   }))) {
     throw new Error('Socket npm exiting due to risks');
   }
-  return await this[kRiskyReify](...args);
+  return await arb[kRiskyReify](...args);
 }
 
 const {
-  SOCKET_CLI_LEGACY_PACKAGE_NAME,
-  SOCKET_CLI_PACKAGE_NAME,
-  SOCKET_CLI_SENTRY_PACKAGE_NAME,
   SOCKET_CLI_SAFE_WRAPPER,
   kInternalsSymbol,
   [kInternalsSymbol]: {
     getIPC
   }
 } = constants;
-const Arborist = require(npmPaths.getArboristClassPath());
-const kCtorArgs = Symbol('ctorArgs');
+const Arborist = require(shadowNpmPaths.getArboristClassPath());
 const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   __proto__: null,
   audit: false,
@@ -1813,8 +1803,6 @@ class SafeArborist extends Arborist {
       ...(ctorArgs.length ? ctorArgs[0] : undefined),
       progress: false
     }, ...ctorArgs.slice(1));
-    arb.actualTree = this.actualTree;
-    arb.idealTree = this.idealTree;
     const ret = await arb.reify({
       ...(args.length ? args[0] : undefined),
       progress: false
@@ -1829,11 +1817,11 @@ class SafeArborist extends Arborist {
       __proto__: null,
       ...(args.length ? args[0] : undefined)
     };
-    const {
-      add
-    } = options;
-    const skipSocketCliUpgrade = options.global && options['npmCommand'] === 'install' && Array.isArray(add) && add.length === 1 && (add[0] === SOCKET_CLI_PACKAGE_NAME || add[0] === SOCKET_CLI_LEGACY_PACKAGE_NAME || add[0] === SOCKET_CLI_SENTRY_PACKAGE_NAME);
-    if (options.dryRun || skipSocketCliUpgrade || !(await getIPC(SOCKET_CLI_SAFE_WRAPPER))) {
+    if (options.dryRun) {
+      return await this[kRiskyReify](...args);
+    }
+    const level = await getIPC(SOCKET_CLI_SAFE_WRAPPER);
+    if (!level) {
       return await this[kRiskyReify](...args);
     }
     const safeArgs = [{
@@ -1845,19 +1833,36 @@ class SafeArborist extends Arborist {
     args[0] = options;
     await super.reify(...safeArgs);
     args[0] = old;
-    return await Reflect.apply(reify, this, safeArgs);
+    return await reify(this, args, level);
   }
 }
 
+function installSafeArborist() {
+  // Override '@npmcli/arborist' module exports with patched variants based on
+  // https://github.com/npm/cli/pull/8089.
+  const cache = require.cache;
+  cache[shadowNpmPaths.getArboristClassPath()] = {
+    exports: SafeArborist
+  };
+  cache[shadowNpmPaths.getArboristEdgeClassPath()] = {
+    exports: SafeEdge
+  };
+  cache[shadowNpmPaths.getArboristNodeClassPath()] = {
+    exports: SafeNode
+  };
+  cache[shadowNpmPaths.getArboristOverrideSetClassPath()] = {
+    exports: SafeOverrideSet
+  };
+}
+
+installSafeArborist();
+
 exports.Arborist = Arborist;
 exports.AuthError = AuthError;
 exports.ColorOrMarkdown = ColorOrMarkdown;
 exports.InputError = InputError;
 exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES;
 exports.SafeArborist = SafeArborist;
-exports.SafeEdge = SafeEdge;
-exports.SafeNode = SafeNode;
-exports.SafeOverrideSet = SafeOverrideSet;
 exports.captureException = captureException;
 exports.findPackageNodes = findPackageNodes;
 exports.findUp = findUp;
@@ -1874,5 +1879,5 @@ exports.safeReadFile = safeReadFile;
 exports.setupSdk = setupSdk;
 exports.updateNode = updateNode;
 exports.updateSetting = updateSetting;
-//# debugId=14750542-62bb-4def-b7d6-41139d5b566
-//# sourceMappingURL=index.js.map
+//# debugId=a2461f74-6908-4fea-b499-5d8392a553ba
+//# sourceMappingURL=shadow-npm-inject.js.map