@socketsecurity/cli-with-sentry 0.14.63 → 0.14.65

package/dist/module-sync/shadow-npm-inject.js

@@ -21,9 +21,6 @@ var arrays = require('@socketsecurity/registry/lib/arrays');
 var debug = require('@socketsecurity/registry/lib/debug');
 var objects = require('@socketsecurity/registry/lib/objects');
 var npa = _socketInterop(require('npm-package-arg'));
-var events = require('node:events');
-var https = require('node:https');
-var readline = require('node:readline');
 var hpagent = _socketInterop(require('hpagent'));
 var isInteractive = require('@socketregistry/is-interactive/index.cjs');
 var registryConstants = require('@socketsecurity/registry/lib/constants');
@@ -75,11 +72,11 @@ function isErrnoException(value) {
 }
 
 const {
-  abortSignal: abortSignal$2
+  abortSignal
 } = constants;
 async function findUp(name, {
   cwd = process$1.cwd(),
-  signal = abortSignal$2
+  signal = abortSignal
 }) {
   let dir = path.resolve(cwd);
   const {
@@ -106,14 +103,14 @@ async function findUp(name, {
 }
 async function readFileBinary(filepath, options) {
   return await fs.promises.readFile(filepath, {
-    signal: abortSignal$2,
+    signal: abortSignal,
     ...options,
     encoding: 'binary'
   });
 }
 async function readFileUtf8(filepath, options) {
   return await fs.promises.readFile(filepath, {
-    signal: abortSignal$2,
+    signal: abortSignal,
     ...options,
     encoding: 'utf8'
   });
@@ -122,7 +119,7 @@ async function safeReadFile(filepath, options) {
   try {
     return await fs.promises.readFile(filepath, {
       encoding: 'utf8',
-      signal: abortSignal$2,
+      signal: abortSignal,
       ...(typeof options === 'string' ? {
         encoding: options
       } : options)
@@ -288,7 +285,7 @@ function getDefaultToken() {
   return _defaultToken;
 }
 function getPublicToken() {
-  return getDefaultToken() ?? registryConstants.SOCKET_PUBLIC_API_TOKEN;
+  return (process$1.env['SOCKET_SECURITY_API_TOKEN'] || getDefaultToken()) ?? registryConstants.SOCKET_PUBLIC_API_TOKEN;
 }
 async function setupSdk(apiToken = getDefaultToken(), apiBaseUrl = getDefaultApiBaseUrl(), proxy = getDefaultHttpProxy()) {
   if (typeof apiToken !== 'string' && isInteractive()) {
@@ -309,7 +306,7 @@ async function setupSdk(apiToken = getDefaultToken(), apiBaseUrl = getDefaultApi
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
       name: "@socketsecurity/cli",
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: "0.14.63",
+      version: "0.14.65",
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
       homepage: "https://github.com/SocketDev/socket-cli"
     })
@@ -1025,132 +1022,15 @@ const {
   ALERT_TYPE_CRITICAL_CVE,
   ALERT_TYPE_CVE,
   ALERT_TYPE_MEDIUM_CVE,
-  ALERT_TYPE_MILD_CVE,
-  ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE,
-  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER: CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1,
-  CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE,
-  abortSignal: abortSignal$1
+  ALERT_TYPE_MILD_CVE
 } = constants;
-async function* createBatchGenerator(chunk) {
-  // Adds the first 'abort' listener to abortSignal.
-  const req = https
-  // Lazily access constants.BATCH_PURL_ENDPOINT.
-  .request(constants.BATCH_PURL_ENDPOINT, {
-    method: 'POST',
-    headers: {
-      Authorization: `Basic ${btoa(`${getPublicToken()}:`)}`
-    }
-    // TODO: Fix to not abort process on network abort.
-    // signal: abortSignal
-  }).end(JSON.stringify({
-    components: chunk.map(id => ({
-      purl: `pkg:npm/${id}`
-    }))
-  }));
-  // Adds the second 'abort' listener to abortSignal.
-  const {
-    0: res
-  } = await events.once(req, 'response', {
-    signal: abortSignal$1
-  });
-  const ok = res.statusCode >= 200 && res.statusCode <= 299;
-  if (!ok) {
-    throw new Error(`Socket API Error: ${res.statusCode}`);
-  }
-  const rli = readline.createInterface({
-    input: res,
-    crlfDelay: Infinity,
-    signal: abortSignal$1
-  });
-  for await (const line of rli) {
-    yield JSON.parse(line);
-  }
-}
-async function* batchScan(pkgIds, concurrencyLimit = 50) {
-  // The createBatchGenerator method will add 2 'abort' event listeners to
-  // abortSignal so we multiply the concurrencyLimit by 2.
-  const neededMaxListeners = concurrencyLimit * 2;
-  // Increase abortSignal max listeners count to avoid Node's MaxListenersExceededWarning.
-  const oldAbortSignalMaxListeners = events.getMaxListeners(abortSignal$1);
-  let abortSignalMaxListeners = oldAbortSignalMaxListeners;
-  if (oldAbortSignalMaxListeners < neededMaxListeners) {
-    abortSignalMaxListeners = oldAbortSignalMaxListeners + neededMaxListeners;
-    events.setMaxListeners(abortSignalMaxListeners, abortSignal$1);
-  }
-  const {
-    length: pkgIdsCount
-  } = pkgIds;
-  const running = [];
-  let index = 0;
-  const enqueueGen = () => {
-    if (index >= pkgIdsCount) {
-      // No more work to do.
-      return;
-    }
-    const chunk = pkgIds.slice(index, index + 25);
-    index += 25;
-    const generator = createBatchGenerator(chunk);
-    continueGen(generator);
-  };
-  const continueGen = generator => {
-    let resolveFn;
-    running.push({
-      generator,
-      promise: new Promise(resolve => resolveFn = resolve)
-    });
-    void generator.next().then(res => resolveFn({
-      generator,
-      iteratorResult: res
-    }));
-  };
-  // Start initial batch of generators.
-  while (running.length < concurrencyLimit && index < pkgIdsCount) {
-    enqueueGen();
-  }
-  while (running.length > 0) {
-    // eslint-disable-next-line no-await-in-loop
-    const {
-      generator,
-      iteratorResult
-    } = await Promise.race(running.map(entry => entry.promise));
-    // Remove generator.
-    running.splice(running.findIndex(entry => entry.generator === generator), 1);
-    if (iteratorResult.done) {
-      // Start a new generator if available.
-      enqueueGen();
-    } else {
-      yield iteratorResult.value;
-      // Keep fetching values from this generator.
-      continueGen(generator);
-    }
-  }
-  // Reset abortSignal max listeners count.
-  if (abortSignalMaxListeners > oldAbortSignalMaxListeners) {
-    events.setMaxListeners(oldAbortSignalMaxListeners, abortSignal$1);
-  }
-}
 function isArtifactAlertCve(alert) {
   const {
     type
   } = alert;
   return type === ALERT_TYPE_CVE || type === ALERT_TYPE_MEDIUM_CVE || type === ALERT_TYPE_MILD_CVE || type === ALERT_TYPE_CRITICAL_CVE;
 }
-function isArtifactAlertCveFixable(alert) {
-  if (!isArtifactAlertCve(alert)) {
-    return false;
-  }
-  const {
-    props
-  } = alert;
-  return !!props?.[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1] && !!props?.[CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE];
-}
-function isArtifactAlertUpgrade(alert) {
-  return alert.type === ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE;
-}
 
-const {
-  abortSignal
-} = constants;
 const ERROR_UX = {
   block: true,
   display: true
@@ -1283,83 +1163,74 @@ function createAlertUXLookup(settings) {
 }
 let _uxLookup;
 async function uxLookup(settings) {
-  while (_uxLookup === undefined) {
-    // eslint-disable-next-line no-await-in-loop
-    await promises.setTimeout(1, {
-      signal: abortSignal
-    });
-  }
-  return _uxLookup(settings);
-}
-
-// Start initializing the AlertUxLookupResult immediately.
-void (async () => {
-  const {
-    orgs,
-    settings
-  } = await (async () => {
-    try {
-      const sockSdk = await setupSdk(getPublicToken());
-      const orgResult = await sockSdk.getOrganizations();
-      if (!orgResult.success) {
-        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
-      }
-      const orgs = [];
-      for (const org of Object.values(orgResult.data.organizations)) {
-        if (org) {
-          orgs.push(org);
+  if (_uxLookup === undefined) {
+    const {
+      orgs,
+      settings
+    } = await (async () => {
+      try {
+        const sockSdk = await setupSdk(getPublicToken());
+        const orgResult = await sockSdk.getOrganizations();
+        if (!orgResult.success) {
+          throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
         }
+        const orgs = [];
+        for (const org of Object.values(orgResult.data.organizations)) {
+          if (org) {
+            orgs.push(org);
+          }
+        }
+        const result = await sockSdk.postSettings(orgs.map(org => ({
+          organization: org.id
+        })));
+        if (!result.success) {
+          throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
+        }
+        return {
+          orgs,
+          settings: result.data
+        };
+      } catch (e) {
+        const cause = objects.isObject(e) && 'cause' in e ? e['cause'] : undefined;
+        if (isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
+          throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
+            cause: e
+          });
+        }
+        throw e;
       }
-      const result = await sockSdk.postSettings(orgs.map(org => ({
-        organization: org.id
-      })));
-      if (!result.success) {
-        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
-      }
-      return {
-        orgs,
-        settings: result.data
-      };
-    } catch (e) {
-      const cause = objects.isObject(e) && 'cause' in e ? e['cause'] : undefined;
-      if (isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
-        throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
-          cause: e
-        });
+    })();
+    // Remove any organizations not being enforced.
+    const enforcedOrgs = getSetting('enforcedOrgs') ?? [];
+    for (const {
+      0: i,
+      1: org
+    } of orgs.entries()) {
+      if (!enforcedOrgs.includes(org.id)) {
+        settings.entries.splice(i, 1);
       }
-      throw e;
     }
-  })();
-
-  // Remove any organizations not being enforced.
-  const enforcedOrgs = getSetting('enforcedOrgs') ?? [];
-  for (const {
-    0: i,
-    1: org
-  } of orgs.entries()) {
-    if (!enforcedOrgs.includes(org.id)) {
-      settings.entries.splice(i, 1);
-    }
-  }
-  const socketYml = findSocketYmlSync();
-  if (socketYml) {
-    settings.entries.push({
-      start: socketYml.path,
-      settings: {
-        [socketYml.path]: {
-          deferTo: null,
-          // TODO: TypeScript complains about the type not matching. We should
-          // figure out why are providing
-          // issueRules: { [issueName: string]: boolean }
-          // but expecting
-          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
-          issueRules: socketYml.parsed.issueRules
+    const socketYml = findSocketYmlSync();
+    if (socketYml) {
+      settings.entries.push({
+        start: socketYml.path,
+        settings: {
+          [socketYml.path]: {
+            deferTo: null,
+            // TODO: TypeScript complains about the type not matching. We should
+            // figure out why are providing
+            // issueRules: { [issueName: string]: boolean }
+            // but expecting
+            // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
+            issueRules: socketYml.parsed.issueRules
+          }
         }
-      }
-    });
+      });
+    }
+    _uxLookup = createAlertUXLookup(settings);
   }
-  _uxLookup = createAlertUXLookup(settings);
-})();
+  return _uxLookup(settings);
+}
 
 function pick(input, keys) {
   const result = {};
@@ -1488,6 +1359,8 @@ function getTranslations() {
 }
 
 const {
+  ALERT_FIX_TYPE_CVE,
+  ALERT_FIX_TYPE_UPGRADE,
   CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
   NPM: NPM$2
 } = constants;
@@ -1531,10 +1404,11 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
         type: alert.type
       }
     });
+    const fixType = alert.fix?.type ?? '';
     const critical = alert.severity === SEVERITY.critical;
     const cve = isArtifactAlertCve(alert);
-    const fixableCve = isArtifactAlertCveFixable(alert);
-    const fixableUpgrade = isArtifactAlertUpgrade(alert);
+    const fixableCve = fixType === ALERT_FIX_TYPE_CVE;
+    const fixableUpgrade = fixType === ALERT_FIX_TYPE_UPGRADE;
     const fixable = fixableCve || fixableUpgrade;
     const upgrade = fixableUpgrade && !objects.hasOwn(overrides, name);
     if (include.cve && cve || include.unfixable && !fixable || include.critical && critical || include.upgrade && upgrade) {
@@ -1560,8 +1434,10 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
     const highestForUpgrade = new Map();
     const unfixableAlerts = [];
     for (const sockPkgAlert of sockPkgAlerts) {
-      if (isArtifactAlertCveFixable(sockPkgAlert.raw)) {
-        const patchedVersion = sockPkgAlert.raw.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
+      const alert = sockPkgAlert.raw;
+      const fixType = alert.fix?.type ?? '';
+      if (fixType === ALERT_FIX_TYPE_CVE) {
+        const patchedVersion = alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
         const patchedMajor = semver.major(patchedVersion);
         const oldHighest = highestForCve.get(patchedMajor);
         const highest = oldHighest?.version ?? '0.0.0';
@@ -1571,7 +1447,7 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
             version: patchedVersion
           });
         }
-      } else if (isArtifactAlertUpgrade(sockPkgAlert.raw)) {
+      } else if (fixType === ALERT_FIX_TYPE_UPGRADE) {
         const oldHighest = highestForUpgrade.get(major);
         const highest = oldHighest?.version ?? '0.0.0';
         if (semver.gt(version, highest)) {
@@ -1601,11 +1477,12 @@ function getCveInfoByAlertsMap(alertsMap, options) {
     }.exclude
   };
   let infoByPkg = null;
-  for (const [pkgId, alerts] of alertsMap) {
+  for (const [pkgId, sockPkgAlerts] of alertsMap) {
     const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`);
     const name = packages.resolvePackageName(purlObj);
-    for (const alert of alerts) {
-      if (!isArtifactAlertCveFixable(alert.raw) || exclude.upgrade && registry.getManifestData(NPM$2, name)) {
+    for (const sockPkgAlert of sockPkgAlerts) {
+      const alert = sockPkgAlert.raw;
+      if (alert.fix?.type !== ALERT_FIX_TYPE_CVE || exclude.upgrade && registry.getManifestData(NPM$2, name)) {
         continue;
       }
       if (!infoByPkg) {
@@ -1619,7 +1496,7 @@ function getCveInfoByAlertsMap(alertsMap, options) {
       const {
         firstPatchedVersionIdentifier,
         vulnerableVersionRange
-      } = alert.raw.props;
+      } = alert.props;
       infos.push({
         firstPatchedVersionIdentifier,
         vulnerableVersionRange: new semver.Range(vulnerableVersionRange).format()
@@ -1805,6 +1682,7 @@ async function getAlertsMapFromArborist(arb, options) {
   const include = {
     __proto__: null,
     existing: false,
+    unfixable: true,
     ..._include
   };
   const needInfoOn = getDetailsFromDiff(arb.diff, {
@@ -1829,12 +1707,23 @@ async function getAlertsMapFromArborist(arb, options) {
       return [key, overrideSet.value];
     }));
   }
+  const socketSdk = await setupSdk(getPublicToken());
   const toAlertsMapOptions = {
     overrides,
     ...options
   };
-  for await (const artifact of batchScan(pkgIds)) {
-    await addArtifactToAlertsMap(artifact, alertsByPkgId, toAlertsMapOptions);
+  for await (const batchPackageFetchResult of socketSdk.batchPackageStream({
+    alerts: 'true',
+    compact: 'true',
+    fixable: include.unfixable ? 'false' : 'true'
+  }, {
+    components: pkgIds.map(id => ({
+      purl: `pkg:npm/${id}`
+    }))
+  })) {
+    if (batchPackageFetchResult.success) {
+      await addArtifactToAlertsMap(batchPackageFetchResult.data, alertsByPkgId, toAlertsMapOptions);
+    }
     remaining -= 1;
     if (spinner && remaining > 0) {
       spinner.start();
@@ -2029,7 +1918,6 @@ exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = SAFE_ARBORIST_REIFY_OPTIONS_OVER
 exports.SEVERITY = SEVERITY;
 exports.SafeArborist = SafeArborist;
 exports.addArtifactToAlertsMap = addArtifactToAlertsMap;
-exports.batchScan = batchScan;
 exports.captureException = captureException;
 exports.findBestPatchVersion = findBestPatchVersion;
 exports.findPackageNodes = findPackageNodes;
@@ -2049,5 +1937,5 @@ exports.safeReadFile = safeReadFile;
 exports.setupSdk = setupSdk;
 exports.updateNode = updateNode;
 exports.updateSetting = updateSetting;
-//# debugId=2af8fb11-075f-445a-9006-b004c848e12b
+//# debugId=10ac7b59-9e2e-4a6a-88ed-ed401e2c65fd
 //# sourceMappingURL=shadow-npm-inject.js.map