@socketsecurity/cli-with-sentry 0.15.22 → 0.15.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +10 -9
- package/dist/cli.js.map +1 -1
- package/dist/constants.js +3 -5
- package/dist/constants.js.map +1 -1
- package/dist/shadow-inject.js +27 -16
- package/dist/shadow-inject.js.map +1 -1
- package/dist/utils.js +99 -83
- package/dist/utils.js.map +1 -1
- package/package.json +8 -8
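--- a/package/dist/constants.js
+++ b/package/dist/constants.js
@@ -27,7 +27,6 @@ const API_V0_URL = 'https://api.socket.dev/v0/';
 const BINARY_LOCK_EXT = '.lockb';
 const BUN = 'bun';
 const CLI = 'cli';
-const CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER = 'firstPatchedVersionIdentifier';
 const DRY_RUN_LABEL = '[DryRun]';
 const DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`;
 const DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`;
@@ -124,10 +123,10 @@ const LAZY_ENV = () => {
 INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(true),
 // Comp-time inlined Socket package version.
 // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-INLINED_SOCKET_CLI_VERSION: envAsString("0.15.
+INLINED_SOCKET_CLI_VERSION: envAsString("0.15.23"),
 // Comp-time inlined Socket package version hash.
 // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
-INLINED_SOCKET_CLI_VERSION_HASH: envAsString("0.15.
+INLINED_SOCKET_CLI_VERSION_HASH: envAsString("0.15.23:aeed726:e2a7cde5:pub"),
 // Comp-time inlined synp package version.
 // The '@rollup/plugin-replace' will replace "process.env['INLINED_SYNP_VERSION']".
 INLINED_SYNP_VERSION: envAsString("1.9.14"),
@@ -302,7 +301,6 @@ const constants = createConstantsObject({
 BINARY_LOCK_EXT,
 BUN,
 CLI,
-CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
 DRY_RUN_LABEL,
 DRY_RUN_BAILING_NOW,
 DRY_RUN_NOT_SAVING,
@@ -398,5 +396,5 @@ const constants = createConstantsObject({
 });
 
 module.exports = constants;
-//# debugId=
+//# debugId=1cb779b7-dfbb-4433-88c0-23c051b688c8
 //# sourceMappingURL=constants.js.map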
package/dist/constants.js.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"constants.js","sources":["../src/constants.mts"],"sourcesContent":["import { realpathSync } from 'node:fs'\nimport { createRequire } from 'node:module'\nimport os from 'node:os'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport registryConstants from '@socketsecurity/registry/lib/constants'\n\nimport type { Agent } from './utils/package-environment.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\n\nconst require = createRequire(import.meta.url)\nconst __filename = fileURLToPath(import.meta.url)\nconst __dirname = path.dirname(__filename)\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: {\n attributes: registryConstantsAttribs,\n createConstantsObject,\n getIpc,\n },\n} = registryConstants\n\ntype RegistryEnv = typeof registryConstants.ENV\n\ntype RegistryInternals = (typeof registryConstants)['Symbol(kInternalsSymbol)']\n\ntype Sentry = any\n\ntype Internals = Remap<\n Omit<RegistryInternals, 'getIpc'> &\n Readonly<{\n getIpc: {\n (): Promise<IPC>\n <K extends keyof IPC | undefined>(\n key?: K | undefined,\n ): Promise<K extends keyof IPC ? 
IPC[K] : IPC>\n }\n getSentry: () => Sentry\n setSentry(Sentry: Sentry): boolean\n }>\n>\n\ntype ENV = Remap<\n RegistryEnv &\n Readonly<{\n DISABLE_GITHUB_CACHE: boolean\n GITHUB_ACTIONS: boolean\n GITHUB_REF_NAME: string\n GITHUB_REF_TYPE: string\n GITHUB_REPOSITORY: string\n GITHUB_TOKEN: string\n INLINED_CYCLONEDX_CDXGEN_VERSION: string\n INLINED_SOCKET_CLI_HOMEPAGE: string\n INLINED_SOCKET_CLI_LEGACY_BUILD: string\n INLINED_SOCKET_CLI_NAME: string\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: string\n INLINED_SOCKET_CLI_SENTRY_BUILD: string\n INLINED_SOCKET_CLI_VERSION: string\n INLINED_SOCKET_CLI_VERSION_HASH: string\n INLINED_SYNP_VERSION: string\n LOCALAPPDATA: string\n NODE_COMPILE_CACHE: string\n PATH: string\n SOCKET_CLI_ACCEPT_RISKS: boolean\n SOCKET_CLI_API_BASE_URL: string\n SOCKET_CLI_API_PROXY: string\n SOCKET_CLI_API_TOKEN: string\n SOCKET_CLI_CONFIG: string\n SOCKET_CLI_DEBUG: boolean\n SOCKET_CLI_GITHUB_TOKEN: string\n SOCKET_CLI_NO_API_TOKEN: boolean\n SOCKET_CLI_VIEW_ALL_RISKS: boolean\n TERM: string\n XDG_DATA_HOME: string\n }>\n>\n\ntype IPC = Readonly<{\n SOCKET_CLI_FIX?: string | undefined\n SOCKET_CLI_OPTIMIZE?: boolean | undefined\n SOCKET_CLI_SAFE_BIN?: string | undefined\n SOCKET_CLI_SAFE_PROGRESS?: boolean | undefined\n}>\n\ntype Constants = Remap<\n Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {\n readonly 'Symbol(kInternalsSymbol)': Internals\n readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'\n readonly ALERT_TYPE_CVE: 'cve'\n readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'\n readonly ALERT_TYPE_MILD_CVE: 'mildCVE'\n readonly API_V0_URL: 'https://api.socket.dev/v0/'\n readonly BINARY_LOCK_EXT: '.lockb'\n readonly BUN: 'bun'\n readonly CLI: 'cli'\n readonly CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER: 'firstPatchedVersionIdentifier'\n readonly ENV: ENV\n readonly DRY_RUN_LABEL: '[DryRun]'\n readonly DRY_RUN_BAILING_NOW: '[DryRun] Bailing now'\n readonly DRY_RUN_NOT_SAVING: '[DryRun] Not saving'\n readonly IPC: 
IPC\n readonly LOCK_EXT: '.lock'\n readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'\n readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'\n readonly PNPM: 'pnpm'\n readonly REDACTED: '<redacted>'\n readonly SHADOW_BIN: 'shadow-bin'\n readonly SHADOW_INJECT: 'shadow-inject'\n readonly SOCKET: 'socket'\n readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'\n readonly SOCKET_CLI_BIN_NAME: 'socket'\n readonly SOCKET_CLI_BIN_NAME_ALIAS: 'cli'\n readonly SOCKET_CLI_CONFIG: 'SOCKET_CLI_CONFIG'\n readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'\n readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'\n readonly SOCKET_CLI_SENTRY_BIN_NAME_ALIAS: 'cli-with-sentry'\n readonly SOCKET_CLI_LEGACY_PACKAGE_NAME: '@socketsecurity/cli'\n readonly SOCKET_CLI_NPM_BIN_NAME: 'socket-npm'\n readonly SOCKET_CLI_NPX_BIN_NAME: 'socket-npx'\n readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'\n readonly SOCKET_CLI_PACKAGE_NAME: 'socket'\n readonly SOCKET_CLI_SAFE_BIN: 'SOCKET_CLI_SAFE_BIN'\n readonly SOCKET_CLI_SAFE_PROGRESS: 'SOCKET_CLI_SAFE_PROGRESS'\n readonly SOCKET_CLI_SENTRY_BIN_NAME: 'socket-with-sentry'\n readonly SOCKET_CLI_SENTRY_NPM_BIN_NAME: 'socket-npm-with-sentry'\n readonly SOCKET_CLI_SENTRY_NPX_BIN_NAME: 'socket-npx-with-sentry'\n readonly SOCKET_CLI_SENTRY_PACKAGE_NAME: '@socketsecurity/cli-with-sentry'\n readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'\n readonly SOCKET_WEBSITE_URL: 'https://socket.dev'\n readonly VLT: 'vlt'\n readonly WITH_SENTRY: 'with-sentry'\n readonly YARN: 'yarn'\n readonly YARN_BERRY: 'yarn/berry'\n readonly YARN_CLASSIC: 'yarn/classic'\n readonly YARN_LOCK: 'yarn.lock'\n readonly bashRcPath: string\n readonly blessedOptions: {\n smartCSR: boolean\n term: string\n useBCE: boolean\n }\n readonly distCliPath: string\n readonly distInstrumentWithSentryPath: string\n readonly distShadowBinPath: string\n readonly distShadowInjectPath: string\n readonly githubCachePath: string\n readonly homePath: 
string\n readonly minimumVersionByAgent: Map<Agent, string>\n readonly nmBinPath: string\n readonly nodeHardenFlags: string[]\n readonly rootBinPath: string\n readonly distPath: string\n readonly rootPath: string\n readonly shadowBinPath: string\n readonly socketAppDataPath: string\n readonly socketCachePath: string\n readonly zshRcPath: string\n }\n>\n\nconst ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'\nconst ALERT_TYPE_CVE = 'cve'\nconst ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'\nconst ALERT_TYPE_MILD_CVE = 'mildCVE'\nconst API_V0_URL = 'https://api.socket.dev/v0/'\nconst BINARY_LOCK_EXT = '.lockb'\nconst BUN = 'bun'\nconst CLI = 'cli'\nconst CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER =\n 'firstPatchedVersionIdentifier'\nconst DRY_RUN_LABEL = '[DryRun]'\nconst DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`\nconst DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`\nconst LOCALAPPDATA = 'LOCALAPPDATA'\nconst LOCK_EXT = '.lock'\nconst NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'\nconst NPM_REGISTRY_URL = 'https://registry.npmjs.org'\nconst PNPM = 'pnpm'\nconst REDACTED = '<redacted>'\nconst SHADOW_BIN = 'shadow-bin'\nconst SHADOW_INJECT = 'shadow-inject'\nconst SOCKET = 'socket'\nconst SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'\nconst SOCKET_CLI_BIN_NAME = 'socket'\nconst SOCKET_CLI_BIN_NAME_ALIAS = 'cli'\nconst SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'\nconst SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'\nconst SOCKET_CLI_LEGACY_PACKAGE_NAME = '@socketsecurity/cli'\nconst SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'\nconst SOCKET_CLI_NPM_BIN_NAME = 'socket-npm'\nconst SOCKET_CLI_NPX_BIN_NAME = 'socket-npx'\nconst SOCKET_CLI_PACKAGE_NAME = 'socket'\nconst SOCKET_CLI_SAFE_BIN = 'SOCKET_CLI_SAFE_BIN'\nconst SOCKET_CLI_SAFE_PROGRESS = 'SOCKET_CLI_SAFE_PROGRESS'\nconst SOCKET_CLI_SENTRY_BIN_NAME = 'socket-with-sentry'\nconst SOCKET_CLI_SENTRY_BIN_NAME_ALIAS = 'cli-with-sentry'\nconst SOCKET_CLI_SENTRY_NPM_BIN_NAME = 
'socket-npm-with-sentry'\nconst SOCKET_CLI_SENTRY_NPX_BIN_NAME = 'socket-npx-with-sentry'\nconst SOCKET_CLI_SENTRY_PACKAGE_NAME = '@socketsecurity/cli-with-sentry'\nconst SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'\nconst SOCKET_WEBSITE_URL = 'https://socket.dev'\nconst VLT = 'vlt'\nconst WITH_SENTRY = 'with-sentry'\nconst YARN = 'yarn'\nconst YARN_BERRY = 'yarn/berry'\nconst YARN_CLASSIC = 'yarn/classic'\nconst YARN_LOCK = 'yarn.lock'\n\nlet _Sentry: any\n\nconst LAZY_ENV = () => {\n const {\n envAsBoolean,\n envAsString,\n } = require('@socketsecurity/registry/lib/env')\n const { env } = process\n const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])\n // We inline some environment values so that they CANNOT be influenced by user\n // provided environment variables.\n return Object.freeze({\n __proto__: null,\n // Lazily access registryConstants.ENV.\n ...registryConstants.ENV,\n // Flag to disable using GitHub's workflow actions/cache.\n // https://github.com/actions/cache\n DISABLE_GITHUB_CACHE: envAsBoolean(env['DISABLE_GITHUB_CACHE']),\n // Always set to true when GitHub Actions is running the workflow. This variable\n // can be used to differentiate when tests are being run locally or by GitHub Actions.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_ACTIONS: envAsBoolean(env['GITHUB_ACTIONS']),\n // The short ref name of the branch or tag that triggered the GitHub workflow\n // run. This value matches the branch or tag name shown on GitHub. For example,\n // feature-branch-1. For pull requests, the format is <pr_number>/merge.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_REF_NAME: envAsString(env['GITHUB_REF_NAME']),\n // The type of ref that triggered the workflow run. 
Valid values are branch or tag.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_REF_TYPE: envAsString(env['GITHUB_REF_TYPE']),\n // The owner and repository name. For example, octocat/Hello-World.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),\n // The GITHUB_TOKEN secret is a GitHub App installation access token.\n // The token's permissions are limited to the repository that contains the\n // workflow.\n // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret\n GITHUB_TOKEN,\n // Comp-time inlined @cyclonedx/cdxgen package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']\".\n INLINED_CYCLONEDX_CDXGEN_VERSION: envAsString(\n process.env['INLINED_CYCLONEDX_CDXGEN_VERSION'],\n ),\n // Comp-time inlined Socket package homepage.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_HOMEPAGE']\".\n INLINED_SOCKET_CLI_HOMEPAGE: envAsString(\n process.env['INLINED_SOCKET_CLI_HOMEPAGE'],\n ),\n // Comp-time inlined flag to determine if this is the Legacy build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']\".\n INLINED_SOCKET_CLI_LEGACY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],\n ),\n // Comp-time inlined Socket package name.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_NAME']\".\n INLINED_SOCKET_CLI_NAME: envAsString(\n process.env['INLINED_SOCKET_CLI_NAME'],\n ),\n // Comp-time inlined flag to determine if this is a published build.\n // The '@rollup/plugin-replace' will replace 
\"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],\n ),\n // Comp-time inlined flag to determine if this is the Sentry build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\n INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],\n ),\n // Comp-time inlined Socket package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION']\".\n INLINED_SOCKET_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION'],\n ),\n // Comp-time inlined Socket package version hash.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n INLINED_SOCKET_CLI_VERSION_HASH: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION_HASH'],\n ),\n // Comp-time inlined synp package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SYNP_VERSION']\".\n INLINED_SYNP_VERSION: envAsString(process.env['INLINED_SYNP_VERSION']),\n // The location of the %localappdata% folder on Windows used to store user-specific,\n // non-roaming application data, like temporary files, cached data, and program\n // settings, that are specific to the current machine and user.\n LOCALAPPDATA: envAsString(env[LOCALAPPDATA]),\n // Flag to enable the module compile cache for the Node.js instance.\n // https://nodejs.org/api/cli.html#node_compile_cachedir\n NODE_COMPILE_CACHE:\n // Lazily access constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR.\n constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR\n ? // Lazily access constants.socketCachePath.\n constants.socketCachePath\n : '',\n // PATH is an environment variable that lists directories where executable\n // programs are located. 
When a command is run, the system searches these\n // directories to find the executable.\n PATH: envAsString(env['PATH']),\n // Flag to accepts risks of safe-npm and safe-npx run.\n SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),\n // Flag to change the base URL for all API-calls.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_BASE_URL:\n envAsString(env['SOCKET_CLI_API_BASE_URL']) ||\n envAsString(env['SOCKET_SECURITY_API_BASE_URL']),\n // Flag to set the proxy all requests are routed through.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_PROXY:\n envAsString(env['SOCKET_CLI_API_PROXY']) ||\n envAsString(env['SOCKET_SECURITY_API_PROXY']),\n // Flag to set the API token.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables\n SOCKET_CLI_API_TOKEN:\n envAsString(env['SOCKET_CLI_API_TOKEN']) ||\n envAsString(env['SOCKET_CLI_API_KEY']) ||\n envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_API_KEY']),\n // Flag containing a JSON stringified Socket configuration object.\n SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),\n // Flag to help debug Socket CLI.\n SOCKET_CLI_DEBUG: envAsBoolean(env['SOCKET_CLI_DEBUG']),\n // A classic GitHub personal access token with the \"repo\" scope or a\n // fine-grained access token with at least read/write permissions set for\n // \"Contents\" and \"Pull Request\".\n // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n SOCKET_CLI_GITHUB_TOKEN:\n envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_GITHUB_PAT']) ||\n GITHUB_TOKEN,\n // Flag to make the default API token `undefined`.\n SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),\n // Flag to view all risks of safe-npm and 
safe-npx run.\n SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),\n // Specifies the type of terminal or terminal emulator being used by the process.\n TERM: envAsString(env['TERM']),\n // The location of the base directory on Linux and MacOS used to store\n // user-specific data files, defaulting to $HOME/.local/share if not set or empty.\n XDG_DATA_HOME: envAsString(env['XDG_DATA_HOME']),\n })\n}\n\nconst lazyBashRcPath = () =>\n // Lazily access constants.homePath.\n path.join(constants.homePath, '.bashrc')\n\nconst lazyBlessedOptions = () =>\n Object.freeze({\n smartCSR: true,\n // Lazily access constants.WIN32.\n term: constants.WIN32 ? 'windows-ansi' : 'xterm',\n useBCE: true,\n })\n\nconst lazyDistCliPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, 'cli.js')\n\nconst lazyDistInstrumentWithSentryPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, 'instrument-with-sentry.js')\n\nconst lazyDistShadowBinPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, `${SHADOW_BIN}.js`)\n\nconst lazyDistShadowInjectPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, `${SHADOW_INJECT}.js`)\n\nconst lazyGithubCachePath = () =>\n // Lazily access constants.socketCachePath.\n path.join(constants.socketCachePath, 'github')\n\nconst lazyHomePath = () => os.homedir()\n\nconst lazyMinimumVersionByAgent = () =>\n new Map([\n // Bun >=1.1.39 supports the text-based lockfile.\n // https://bun.sh/blog/bun-lock-text-lockfile\n [BUN, '1.1.39'],\n // The npm version bundled with Node 18.\n // https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch\n ['npm', '10.8.2'],\n // 8.x is the earliest version to support Node 18.\n // https://pnpm.io/installation#compatibility\n // https://www.npmjs.com/package/pnpm?activeTab=versions\n [PNPM, '8.15.7'],\n // 4.x supports >= Node 18.12.0\n // 
https://github.com/yarnpkg/berry/blob/%40yarnpkg/core/4.1.0/CHANGELOG.md#400\n [YARN_BERRY, '4.0.0'],\n // Latest 1.x.\n // https://www.npmjs.com/package/yarn?activeTab=versions\n [YARN_CLASSIC, '1.22.22'],\n // vlt does not support overrides so we don't gate on it.\n [VLT, '*'],\n ])\n\nconst lazyNmBinPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'node_modules/.bin')\n\n// Redefine registryConstants.nodeHardenFlags to account for the\n// INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.\nconst lazyNodeHardenFlags = () =>\n Object.freeze(\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.\n constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ||\n // Lazily access constants.WIN32.\n constants.WIN32\n ? []\n : // Harden Node security.\n // https://nodejs.org/en/learn/getting-started/security-best-practices\n [\n '--disable-proto',\n 'throw',\n // We have contributed the following patches to our dependencies to make\n // Node's --frozen-intrinsics workable.\n // √ https://github.com/SBoudrias/Inquirer.js/pull/1683\n // √ https://github.com/pnpm/components/pull/23\n '--frozen-intrinsics',\n '--no-deprecation',\n ],\n )\n\nconst lazyRootBinPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'bin')\n\nconst lazyDistPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'dist')\n\nconst lazyRootPath = () => path.join(realpathSync.native(__dirname), '..')\n\nconst lazySocketAppDataPath = (): string | undefined => {\n // Get the OS app data folder:\n // - Win: %LOCALAPPDATA% or fail?\n // - Mac: %XDG_DATA_HOME% or fallback to \"~/Library/Application Support/\"\n // - Linux: %XDG_DATA_HOME% or fallback to \"~/.local/share/\"\n // Note: LOCALAPPDATA is typically: C:\\Users\\USERNAME\\AppData\n // Note: XDG stands for \"X Desktop Group\", nowadays \"freedesktop.org\"\n // On most systems that path is: $HOME/.local/share\n // Then append `socket/settings`, so:\n // - 
Win: %LOCALAPPDATA%\\socket\\settings or return undefined\n // - Mac: %XDG_DATA_HOME%/socket/settings or \"~/Library/Application Support/socket/settings\"\n // - Linux: %XDG_DATA_HOME%/socket/settings or \"~/.local/share/socket/settings\"\n\n // Lazily access constants.WIN32.\n const { WIN32 } = constants\n let dataHome: string | undefined = WIN32\n ? // Lazily access constants.ENV.LOCALAPPDATA\n constants.ENV.LOCALAPPDATA\n : // Lazily access constants.ENV.XDG_DATA_HOME\n constants.ENV.XDG_DATA_HOME\n if (!dataHome) {\n if (WIN32) {\n const logger = require('@socketsecurity/registry/lib/logger')\n logger.warn(`Missing %${LOCALAPPDATA}%`)\n } else {\n dataHome = path.join(\n // Lazily access constants.homePath.\n constants.homePath,\n // Lazily access constants.DARWIN.\n constants.DARWIN ? 'Library/Application Support' : '.local/share',\n )\n }\n }\n return dataHome ? path.join(dataHome, 'socket/settings') : undefined\n}\n\nconst lazySocketCachePath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, '.cache')\n\nconst lazyShadowBinPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, SHADOW_BIN)\n\nconst lazyZshRcPath = () =>\n // Lazily access constants.homePath.\n path.join(constants.homePath, '.zshrc')\n\nconst constants: Constants = createConstantsObject(\n {\n ...registryConstantsAttribs.props,\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n API_V0_URL,\n BINARY_LOCK_EXT,\n BUN,\n CLI,\n CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,\n DRY_RUN_LABEL,\n DRY_RUN_BAILING_NOW,\n DRY_RUN_NOT_SAVING,\n ENV: undefined,\n LOCK_EXT,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n NPM_REGISTRY_URL,\n PNPM,\n REDACTED,\n SHADOW_BIN,\n SHADOW_INJECT,\n SOCKET,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_BIN_NAME,\n SOCKET_CLI_BIN_NAME_ALIAS,\n SOCKET_CLI_FIX,\n SOCKET_CLI_ISSUES_URL,\n SOCKET_CLI_SENTRY_BIN_NAME_ALIAS,\n SOCKET_CLI_LEGACY_PACKAGE_NAME,\n 
SOCKET_CLI_NPM_BIN_NAME,\n SOCKET_CLI_NPX_BIN_NAME,\n SOCKET_CLI_OPTIMIZE,\n SOCKET_CLI_PACKAGE_NAME,\n SOCKET_CLI_SAFE_BIN,\n SOCKET_CLI_SAFE_PROGRESS,\n SOCKET_CLI_SENTRY_BIN_NAME,\n SOCKET_CLI_SENTRY_NPM_BIN_NAME,\n SOCKET_CLI_SENTRY_NPX_BIN_NAME,\n SOCKET_CLI_SENTRY_PACKAGE_NAME,\n SOCKET_CLI_VIEW_ALL_RISKS,\n SOCKET_WEBSITE_URL,\n VLT,\n WITH_SENTRY,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n YARN_LOCK,\n bashRcPath: undefined,\n blessedOptions: undefined,\n distCliPath: undefined,\n distInstrumentWithSentryPath: undefined,\n distPath: undefined,\n distShadowBinPath: undefined,\n distShadowInjectPath: undefined,\n githubCachePath: undefined,\n homePath: undefined,\n minimumVersionByAgent: undefined,\n nmBinPath: undefined,\n nodeHardenFlags: undefined,\n rootBinPath: undefined,\n rootPath: undefined,\n shadowBinPath: undefined,\n socketAppDataPath: undefined,\n socketCachePath: undefined,\n zshRcPath: undefined,\n },\n {\n getters: {\n ...registryConstantsAttribs.getters,\n ENV: LAZY_ENV,\n bashRcPath: lazyBashRcPath,\n blessedOptions: lazyBlessedOptions,\n distCliPath: lazyDistCliPath,\n distInstrumentWithSentryPath: lazyDistInstrumentWithSentryPath,\n distPath: lazyDistPath,\n distShadowBinPath: lazyDistShadowBinPath,\n distShadowInjectPath: lazyDistShadowInjectPath,\n githubCachePath: lazyGithubCachePath,\n homePath: lazyHomePath,\n minimumVersionByAgent: lazyMinimumVersionByAgent,\n nmBinPath: lazyNmBinPath,\n nodeHardenFlags: lazyNodeHardenFlags,\n rootBinPath: lazyRootBinPath,\n rootPath: lazyRootPath,\n shadowBinPath: lazyShadowBinPath,\n socketAppDataPath: lazySocketAppDataPath,\n socketCachePath: lazySocketCachePath,\n zshRcPath: lazyZshRcPath,\n },\n internals: {\n ...registryConstantsAttribs.internals,\n getIpc,\n getSentry() {\n return _Sentry\n },\n setSentry(Sentry: Sentry): boolean {\n if (_Sentry === undefined) {\n _Sentry = Sentry\n return true\n }\n return false\n },\n },\n },\n) as Constants\n\nexport default 
constants\n"],"names":["attributes","getIpc","envAsString","env","__proto__","DISABLE_GITHUB_CACHE","GITHUB_ACTIONS","GITHUB_REF_NAME","GITHUB_REF_TYPE","GITHUB_REPOSITORY","LOCALAPPDATA","constants","PATH","SOCKET_CLI_ACCEPT_RISKS","SOCKET_CLI_API_BASE_URL","SOCKET_CLI_API_PROXY","SOCKET_CLI_API_TOKEN","SOCKET_CLI_CONFIG","SOCKET_CLI_DEBUG","SOCKET_CLI_GITHUB_TOKEN","SOCKET_CLI_NO_API_TOKEN","SOCKET_CLI_VIEW_ALL_RISKS","TERM","XDG_DATA_HOME","path","smartCSR","term","useBCE","WIN32","logger","ENV","bashRcPath","blessedOptions","distCliPath","distInstrumentWithSentryPath","distPath","distShadowBinPath","distShadowInjectPath","githubCachePath","homePath","minimumVersionByAgent","nmBinPath","nodeHardenFlags","rootBinPath","rootPath","shadowBinPath","socketAppDataPath","socketCachePath","zshRcPath","getters","internals","getSentry","_Sentry"],"mappings":";;;;;;;;;;AAWA,iBAAA;AACA;AACA;AAEA;;AAEE;AACEA;;AAEAC;AACF;AACF;AA4IA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;;;AAGIC;AACF;;AACQC;AAAI;;AAEZ;AACA;;AAEEC;AACA;;AAEA;AACA;AACAC;AACA;AACA;AACA;AACAC;AACA;AACA;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;AACA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAEA;AACA;AACA;AACAC;AACA;AACA;;AAEE;AACAC;AACI;;AAGN;AACA;AACA;AACAC;AACA;AACAC;AACA;AACA;AACAC;AAGA;AACA;AACAC;AAGA;AACA;AACAC;AAKA;AACAC;AACA;AACAC;AACA;AACA;AACA;AACA;AACAC;AAIA;AACAC;AACA;AACAC;AACA;AACAC;AACA;AACA;AACAC;AACF;AACF;AAEA;AACE;AACAC;AAEF;AAEIC;AACA;AACAC;AACAC;AACF;AAEF;AACE;AACAH;AAEF;AACE;AACAA;AAEF;AACE;AACAA;AAEF;AACE;AACAA;AAEF;AACE;AACAA;AAEF;AAEA;AAEI;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGJ;AACE;AACAA;;AAEF;AACA;AACA;AAEI;AACAb;AACE;AACAA;AAEE;AACA;AACA;AAGE;AACA;AACA;AACA;AACA;AAKV;AA
CE;AACAa;AAEF;AACE;AACAA;AAEF;AAEA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;;AACQI;AAAM;;AAEV;;AAEA;;;AAGF;AACE;AACAC;AACF;;AAEI;AACAlB;AACA;AACAA;AAEJ;AACF;;AAEF;AAEA;AACE;AACAa;AAEF;AACE;AACAA;AAEF;AACE;AACAA;AAEIb;;;;;;;;;;;;;;AAeFmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEC;;AAEEnB;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;;AAEFE;;;AAGEC;AACE;;;;AAIEC;AACA;AACF;AACA;AACF;AACF;AACF;;","debugId":"ac8f109d-4e95-4c90-924f-71d7c453d532"}
1
+
{"version":3,"file":"constants.js","sources":["../src/constants.mts"],"sourcesContent":["import { realpathSync } from 'node:fs'\nimport { createRequire } from 'node:module'\nimport os from 'node:os'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport registryConstants from '@socketsecurity/registry/lib/constants'\n\nimport type { Agent } from './utils/package-environment.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\n\nconst require = createRequire(import.meta.url)\nconst __filename = fileURLToPath(import.meta.url)\nconst __dirname = path.dirname(__filename)\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: {\n attributes: registryConstantsAttribs,\n createConstantsObject,\n getIpc,\n },\n} = registryConstants\n\ntype RegistryEnv = typeof registryConstants.ENV\n\ntype RegistryInternals = (typeof registryConstants)['Symbol(kInternalsSymbol)']\n\ntype Sentry = any\n\ntype Internals = Remap<\n Omit<RegistryInternals, 'getIpc'> &\n Readonly<{\n getIpc: {\n (): Promise<IPC>\n <K extends keyof IPC | undefined>(\n key?: K | undefined,\n ): Promise<K extends keyof IPC ? 
IPC[K] : IPC>\n }\n getSentry: () => Sentry\n setSentry(Sentry: Sentry): boolean\n }>\n>\n\ntype ENV = Remap<\n RegistryEnv &\n Readonly<{\n DISABLE_GITHUB_CACHE: boolean\n GITHUB_ACTIONS: boolean\n GITHUB_REF_NAME: string\n GITHUB_REF_TYPE: string\n GITHUB_REPOSITORY: string\n GITHUB_TOKEN: string\n INLINED_CYCLONEDX_CDXGEN_VERSION: string\n INLINED_SOCKET_CLI_HOMEPAGE: string\n INLINED_SOCKET_CLI_LEGACY_BUILD: string\n INLINED_SOCKET_CLI_NAME: string\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: string\n INLINED_SOCKET_CLI_SENTRY_BUILD: string\n INLINED_SOCKET_CLI_VERSION: string\n INLINED_SOCKET_CLI_VERSION_HASH: string\n INLINED_SYNP_VERSION: string\n LOCALAPPDATA: string\n NODE_COMPILE_CACHE: string\n PATH: string\n SOCKET_CLI_ACCEPT_RISKS: boolean\n SOCKET_CLI_API_BASE_URL: string\n SOCKET_CLI_API_PROXY: string\n SOCKET_CLI_API_TOKEN: string\n SOCKET_CLI_CONFIG: string\n SOCKET_CLI_DEBUG: boolean\n SOCKET_CLI_GITHUB_TOKEN: string\n SOCKET_CLI_NO_API_TOKEN: boolean\n SOCKET_CLI_VIEW_ALL_RISKS: boolean\n TERM: string\n XDG_DATA_HOME: string\n }>\n>\n\ntype IPC = Readonly<{\n SOCKET_CLI_FIX?: string | undefined\n SOCKET_CLI_OPTIMIZE?: boolean | undefined\n SOCKET_CLI_SAFE_BIN?: string | undefined\n SOCKET_CLI_SAFE_PROGRESS?: boolean | undefined\n}>\n\ntype Constants = Remap<\n Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {\n readonly 'Symbol(kInternalsSymbol)': Internals\n readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'\n readonly ALERT_TYPE_CVE: 'cve'\n readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'\n readonly ALERT_TYPE_MILD_CVE: 'mildCVE'\n readonly API_V0_URL: 'https://api.socket.dev/v0/'\n readonly BINARY_LOCK_EXT: '.lockb'\n readonly BUN: 'bun'\n readonly CLI: 'cli'\n readonly ENV: ENV\n readonly DRY_RUN_LABEL: '[DryRun]'\n readonly DRY_RUN_BAILING_NOW: '[DryRun] Bailing now'\n readonly DRY_RUN_NOT_SAVING: '[DryRun] Not saving'\n readonly IPC: IPC\n readonly LOCK_EXT: '.lock'\n readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'\n 
readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'\n readonly PNPM: 'pnpm'\n readonly REDACTED: '<redacted>'\n readonly SHADOW_BIN: 'shadow-bin'\n readonly SHADOW_INJECT: 'shadow-inject'\n readonly SOCKET: 'socket'\n readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'\n readonly SOCKET_CLI_BIN_NAME: 'socket'\n readonly SOCKET_CLI_BIN_NAME_ALIAS: 'cli'\n readonly SOCKET_CLI_CONFIG: 'SOCKET_CLI_CONFIG'\n readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'\n readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'\n readonly SOCKET_CLI_SENTRY_BIN_NAME_ALIAS: 'cli-with-sentry'\n readonly SOCKET_CLI_LEGACY_PACKAGE_NAME: '@socketsecurity/cli'\n readonly SOCKET_CLI_NPM_BIN_NAME: 'socket-npm'\n readonly SOCKET_CLI_NPX_BIN_NAME: 'socket-npx'\n readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'\n readonly SOCKET_CLI_PACKAGE_NAME: 'socket'\n readonly SOCKET_CLI_SAFE_BIN: 'SOCKET_CLI_SAFE_BIN'\n readonly SOCKET_CLI_SAFE_PROGRESS: 'SOCKET_CLI_SAFE_PROGRESS'\n readonly SOCKET_CLI_SENTRY_BIN_NAME: 'socket-with-sentry'\n readonly SOCKET_CLI_SENTRY_NPM_BIN_NAME: 'socket-npm-with-sentry'\n readonly SOCKET_CLI_SENTRY_NPX_BIN_NAME: 'socket-npx-with-sentry'\n readonly SOCKET_CLI_SENTRY_PACKAGE_NAME: '@socketsecurity/cli-with-sentry'\n readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'\n readonly SOCKET_WEBSITE_URL: 'https://socket.dev'\n readonly VLT: 'vlt'\n readonly WITH_SENTRY: 'with-sentry'\n readonly YARN: 'yarn'\n readonly YARN_BERRY: 'yarn/berry'\n readonly YARN_CLASSIC: 'yarn/classic'\n readonly YARN_LOCK: 'yarn.lock'\n readonly bashRcPath: string\n readonly blessedOptions: {\n smartCSR: boolean\n term: string\n useBCE: boolean\n }\n readonly distCliPath: string\n readonly distInstrumentWithSentryPath: string\n readonly distShadowBinPath: string\n readonly distShadowInjectPath: string\n readonly githubCachePath: string\n readonly homePath: string\n readonly minimumVersionByAgent: Map<Agent, string>\n readonly nmBinPath: string\n readonly 
nodeHardenFlags: string[]\n readonly rootBinPath: string\n readonly distPath: string\n readonly rootPath: string\n readonly shadowBinPath: string\n readonly socketAppDataPath: string\n readonly socketCachePath: string\n readonly zshRcPath: string\n }\n>\n\nconst ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'\nconst ALERT_TYPE_CVE = 'cve'\nconst ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'\nconst ALERT_TYPE_MILD_CVE = 'mildCVE'\nconst API_V0_URL = 'https://api.socket.dev/v0/'\nconst BINARY_LOCK_EXT = '.lockb'\nconst BUN = 'bun'\nconst CLI = 'cli'\nconst DRY_RUN_LABEL = '[DryRun]'\nconst DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`\nconst DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`\nconst LOCALAPPDATA = 'LOCALAPPDATA'\nconst LOCK_EXT = '.lock'\nconst NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'\nconst NPM_REGISTRY_URL = 'https://registry.npmjs.org'\nconst PNPM = 'pnpm'\nconst REDACTED = '<redacted>'\nconst SHADOW_BIN = 'shadow-bin'\nconst SHADOW_INJECT = 'shadow-inject'\nconst SOCKET = 'socket'\nconst SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'\nconst SOCKET_CLI_BIN_NAME = 'socket'\nconst SOCKET_CLI_BIN_NAME_ALIAS = 'cli'\nconst SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'\nconst SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'\nconst SOCKET_CLI_LEGACY_PACKAGE_NAME = '@socketsecurity/cli'\nconst SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'\nconst SOCKET_CLI_NPM_BIN_NAME = 'socket-npm'\nconst SOCKET_CLI_NPX_BIN_NAME = 'socket-npx'\nconst SOCKET_CLI_PACKAGE_NAME = 'socket'\nconst SOCKET_CLI_SAFE_BIN = 'SOCKET_CLI_SAFE_BIN'\nconst SOCKET_CLI_SAFE_PROGRESS = 'SOCKET_CLI_SAFE_PROGRESS'\nconst SOCKET_CLI_SENTRY_BIN_NAME = 'socket-with-sentry'\nconst SOCKET_CLI_SENTRY_BIN_NAME_ALIAS = 'cli-with-sentry'\nconst SOCKET_CLI_SENTRY_NPM_BIN_NAME = 'socket-npm-with-sentry'\nconst SOCKET_CLI_SENTRY_NPX_BIN_NAME = 'socket-npx-with-sentry'\nconst SOCKET_CLI_SENTRY_PACKAGE_NAME = '@socketsecurity/cli-with-sentry'\nconst SOCKET_CLI_VIEW_ALL_RISKS = 
'SOCKET_CLI_VIEW_ALL_RISKS'\nconst SOCKET_WEBSITE_URL = 'https://socket.dev'\nconst VLT = 'vlt'\nconst WITH_SENTRY = 'with-sentry'\nconst YARN = 'yarn'\nconst YARN_BERRY = 'yarn/berry'\nconst YARN_CLASSIC = 'yarn/classic'\nconst YARN_LOCK = 'yarn.lock'\n\nlet _Sentry: any\n\nconst LAZY_ENV = () => {\n const {\n envAsBoolean,\n envAsString,\n } = require('@socketsecurity/registry/lib/env')\n const { env } = process\n const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])\n // We inline some environment values so that they CANNOT be influenced by user\n // provided environment variables.\n return Object.freeze({\n __proto__: null,\n // Lazily access registryConstants.ENV.\n ...registryConstants.ENV,\n // Flag to disable using GitHub's workflow actions/cache.\n // https://github.com/actions/cache\n DISABLE_GITHUB_CACHE: envAsBoolean(env['DISABLE_GITHUB_CACHE']),\n // Always set to true when GitHub Actions is running the workflow. This variable\n // can be used to differentiate when tests are being run locally or by GitHub Actions.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_ACTIONS: envAsBoolean(env['GITHUB_ACTIONS']),\n // The short ref name of the branch or tag that triggered the GitHub workflow\n // run. This value matches the branch or tag name shown on GitHub. For example,\n // feature-branch-1. For pull requests, the format is <pr_number>/merge.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_REF_NAME: envAsString(env['GITHUB_REF_NAME']),\n // The type of ref that triggered the workflow run. 
Valid values are branch or tag.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_REF_TYPE: envAsString(env['GITHUB_REF_TYPE']),\n // The owner and repository name. For example, octocat/Hello-World.\n // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables\n GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),\n // The GITHUB_TOKEN secret is a GitHub App installation access token.\n // The token's permissions are limited to the repository that contains the\n // workflow.\n // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret\n GITHUB_TOKEN,\n // Comp-time inlined @cyclonedx/cdxgen package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']\".\n INLINED_CYCLONEDX_CDXGEN_VERSION: envAsString(\n process.env['INLINED_CYCLONEDX_CDXGEN_VERSION'],\n ),\n // Comp-time inlined Socket package homepage.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_HOMEPAGE']\".\n INLINED_SOCKET_CLI_HOMEPAGE: envAsString(\n process.env['INLINED_SOCKET_CLI_HOMEPAGE'],\n ),\n // Comp-time inlined flag to determine if this is the Legacy build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']\".\n INLINED_SOCKET_CLI_LEGACY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],\n ),\n // Comp-time inlined Socket package name.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_NAME']\".\n INLINED_SOCKET_CLI_NAME: envAsString(\n process.env['INLINED_SOCKET_CLI_NAME'],\n ),\n // Comp-time inlined flag to determine if this is a published build.\n // The '@rollup/plugin-replace' will replace 
\"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],\n ),\n // Comp-time inlined flag to determine if this is the Sentry build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\n INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],\n ),\n // Comp-time inlined Socket package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION']\".\n INLINED_SOCKET_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION'],\n ),\n // Comp-time inlined Socket package version hash.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n INLINED_SOCKET_CLI_VERSION_HASH: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION_HASH'],\n ),\n // Comp-time inlined synp package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SYNP_VERSION']\".\n INLINED_SYNP_VERSION: envAsString(process.env['INLINED_SYNP_VERSION']),\n // The location of the %localappdata% folder on Windows used to store user-specific,\n // non-roaming application data, like temporary files, cached data, and program\n // settings, that are specific to the current machine and user.\n LOCALAPPDATA: envAsString(env[LOCALAPPDATA]),\n // Flag to enable the module compile cache for the Node.js instance.\n // https://nodejs.org/api/cli.html#node_compile_cachedir\n NODE_COMPILE_CACHE:\n // Lazily access constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR.\n constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR\n ? // Lazily access constants.socketCachePath.\n constants.socketCachePath\n : '',\n // PATH is an environment variable that lists directories where executable\n // programs are located. 
When a command is run, the system searches these\n // directories to find the executable.\n PATH: envAsString(env['PATH']),\n // Flag to accepts risks of safe-npm and safe-npx run.\n SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),\n // Flag to change the base URL for all API-calls.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_BASE_URL:\n envAsString(env['SOCKET_CLI_API_BASE_URL']) ||\n envAsString(env['SOCKET_SECURITY_API_BASE_URL']),\n // Flag to set the proxy all requests are routed through.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_PROXY:\n envAsString(env['SOCKET_CLI_API_PROXY']) ||\n envAsString(env['SOCKET_SECURITY_API_PROXY']),\n // Flag to set the API token.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables\n SOCKET_CLI_API_TOKEN:\n envAsString(env['SOCKET_CLI_API_TOKEN']) ||\n envAsString(env['SOCKET_CLI_API_KEY']) ||\n envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_API_KEY']),\n // Flag containing a JSON stringified Socket configuration object.\n SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),\n // Flag to help debug Socket CLI.\n SOCKET_CLI_DEBUG: envAsBoolean(env['SOCKET_CLI_DEBUG']),\n // A classic GitHub personal access token with the \"repo\" scope or a\n // fine-grained access token with at least read/write permissions set for\n // \"Contents\" and \"Pull Request\".\n // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n SOCKET_CLI_GITHUB_TOKEN:\n envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_GITHUB_PAT']) ||\n GITHUB_TOKEN,\n // Flag to make the default API token `undefined`.\n SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),\n // Flag to view all risks of safe-npm and 
safe-npx run.\n SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),\n // Specifies the type of terminal or terminal emulator being used by the process.\n TERM: envAsString(env['TERM']),\n // The location of the base directory on Linux and MacOS used to store\n // user-specific data files, defaulting to $HOME/.local/share if not set or empty.\n XDG_DATA_HOME: envAsString(env['XDG_DATA_HOME']),\n })\n}\n\nconst lazyBashRcPath = () =>\n // Lazily access constants.homePath.\n path.join(constants.homePath, '.bashrc')\n\nconst lazyBlessedOptions = () =>\n Object.freeze({\n smartCSR: true,\n // Lazily access constants.WIN32.\n term: constants.WIN32 ? 'windows-ansi' : 'xterm',\n useBCE: true,\n })\n\nconst lazyDistCliPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, 'cli.js')\n\nconst lazyDistInstrumentWithSentryPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, 'instrument-with-sentry.js')\n\nconst lazyDistShadowBinPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, `${SHADOW_BIN}.js`)\n\nconst lazyDistShadowInjectPath = () =>\n // Lazily access constants.distPath.\n path.join(constants.distPath, `${SHADOW_INJECT}.js`)\n\nconst lazyGithubCachePath = () =>\n // Lazily access constants.socketCachePath.\n path.join(constants.socketCachePath, 'github')\n\nconst lazyHomePath = () => os.homedir()\n\nconst lazyMinimumVersionByAgent = () =>\n new Map([\n // Bun >=1.1.39 supports the text-based lockfile.\n // https://bun.sh/blog/bun-lock-text-lockfile\n [BUN, '1.1.39'],\n // The npm version bundled with Node 18.\n // https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch\n ['npm', '10.8.2'],\n // 8.x is the earliest version to support Node 18.\n // https://pnpm.io/installation#compatibility\n // https://www.npmjs.com/package/pnpm?activeTab=versions\n [PNPM, '8.15.7'],\n // 4.x supports >= Node 18.12.0\n // 
https://github.com/yarnpkg/berry/blob/%40yarnpkg/core/4.1.0/CHANGELOG.md#400\n [YARN_BERRY, '4.0.0'],\n // Latest 1.x.\n // https://www.npmjs.com/package/yarn?activeTab=versions\n [YARN_CLASSIC, '1.22.22'],\n // vlt does not support overrides so we don't gate on it.\n [VLT, '*'],\n ])\n\nconst lazyNmBinPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'node_modules/.bin')\n\n// Redefine registryConstants.nodeHardenFlags to account for the\n// INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.\nconst lazyNodeHardenFlags = () =>\n Object.freeze(\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.\n constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ||\n // Lazily access constants.WIN32.\n constants.WIN32\n ? []\n : // Harden Node security.\n // https://nodejs.org/en/learn/getting-started/security-best-practices\n [\n '--disable-proto',\n 'throw',\n // We have contributed the following patches to our dependencies to make\n // Node's --frozen-intrinsics workable.\n // √ https://github.com/SBoudrias/Inquirer.js/pull/1683\n // √ https://github.com/pnpm/components/pull/23\n '--frozen-intrinsics',\n '--no-deprecation',\n ],\n )\n\nconst lazyRootBinPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'bin')\n\nconst lazyDistPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'dist')\n\nconst lazyRootPath = () => path.join(realpathSync.native(__dirname), '..')\n\nconst lazySocketAppDataPath = (): string | undefined => {\n // Get the OS app data folder:\n // - Win: %LOCALAPPDATA% or fail?\n // - Mac: %XDG_DATA_HOME% or fallback to \"~/Library/Application Support/\"\n // - Linux: %XDG_DATA_HOME% or fallback to \"~/.local/share/\"\n // Note: LOCALAPPDATA is typically: C:\\Users\\USERNAME\\AppData\n // Note: XDG stands for \"X Desktop Group\", nowadays \"freedesktop.org\"\n // On most systems that path is: $HOME/.local/share\n // Then append `socket/settings`, so:\n // - 
Win: %LOCALAPPDATA%\\socket\\settings or return undefined\n // - Mac: %XDG_DATA_HOME%/socket/settings or \"~/Library/Application Support/socket/settings\"\n // - Linux: %XDG_DATA_HOME%/socket/settings or \"~/.local/share/socket/settings\"\n\n // Lazily access constants.WIN32.\n const { WIN32 } = constants\n let dataHome: string | undefined = WIN32\n ? // Lazily access constants.ENV.LOCALAPPDATA\n constants.ENV.LOCALAPPDATA\n : // Lazily access constants.ENV.XDG_DATA_HOME\n constants.ENV.XDG_DATA_HOME\n if (!dataHome) {\n if (WIN32) {\n const logger = require('@socketsecurity/registry/lib/logger')\n logger.warn(`Missing %${LOCALAPPDATA}%`)\n } else {\n dataHome = path.join(\n // Lazily access constants.homePath.\n constants.homePath,\n // Lazily access constants.DARWIN.\n constants.DARWIN ? 'Library/Application Support' : '.local/share',\n )\n }\n }\n return dataHome ? path.join(dataHome, 'socket/settings') : undefined\n}\n\nconst lazySocketCachePath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, '.cache')\n\nconst lazyShadowBinPath = () =>\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, SHADOW_BIN)\n\nconst lazyZshRcPath = () =>\n // Lazily access constants.homePath.\n path.join(constants.homePath, '.zshrc')\n\nconst constants: Constants = createConstantsObject(\n {\n ...registryConstantsAttribs.props,\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n API_V0_URL,\n BINARY_LOCK_EXT,\n BUN,\n CLI,\n DRY_RUN_LABEL,\n DRY_RUN_BAILING_NOW,\n DRY_RUN_NOT_SAVING,\n ENV: undefined,\n LOCK_EXT,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n NPM_REGISTRY_URL,\n PNPM,\n REDACTED,\n SHADOW_BIN,\n SHADOW_INJECT,\n SOCKET,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_BIN_NAME,\n SOCKET_CLI_BIN_NAME_ALIAS,\n SOCKET_CLI_FIX,\n SOCKET_CLI_ISSUES_URL,\n SOCKET_CLI_SENTRY_BIN_NAME_ALIAS,\n SOCKET_CLI_LEGACY_PACKAGE_NAME,\n SOCKET_CLI_NPM_BIN_NAME,\n SOCKET_CLI_NPX_BIN_NAME,\n 
SOCKET_CLI_OPTIMIZE,\n SOCKET_CLI_PACKAGE_NAME,\n SOCKET_CLI_SAFE_BIN,\n SOCKET_CLI_SAFE_PROGRESS,\n SOCKET_CLI_SENTRY_BIN_NAME,\n SOCKET_CLI_SENTRY_NPM_BIN_NAME,\n SOCKET_CLI_SENTRY_NPX_BIN_NAME,\n SOCKET_CLI_SENTRY_PACKAGE_NAME,\n SOCKET_CLI_VIEW_ALL_RISKS,\n SOCKET_WEBSITE_URL,\n VLT,\n WITH_SENTRY,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n YARN_LOCK,\n bashRcPath: undefined,\n blessedOptions: undefined,\n distCliPath: undefined,\n distInstrumentWithSentryPath: undefined,\n distPath: undefined,\n distShadowBinPath: undefined,\n distShadowInjectPath: undefined,\n githubCachePath: undefined,\n homePath: undefined,\n minimumVersionByAgent: undefined,\n nmBinPath: undefined,\n nodeHardenFlags: undefined,\n rootBinPath: undefined,\n rootPath: undefined,\n shadowBinPath: undefined,\n socketAppDataPath: undefined,\n socketCachePath: undefined,\n zshRcPath: undefined,\n },\n {\n getters: {\n ...registryConstantsAttribs.getters,\n ENV: LAZY_ENV,\n bashRcPath: lazyBashRcPath,\n blessedOptions: lazyBlessedOptions,\n distCliPath: lazyDistCliPath,\n distInstrumentWithSentryPath: lazyDistInstrumentWithSentryPath,\n distPath: lazyDistPath,\n distShadowBinPath: lazyDistShadowBinPath,\n distShadowInjectPath: lazyDistShadowInjectPath,\n githubCachePath: lazyGithubCachePath,\n homePath: lazyHomePath,\n minimumVersionByAgent: lazyMinimumVersionByAgent,\n nmBinPath: lazyNmBinPath,\n nodeHardenFlags: lazyNodeHardenFlags,\n rootBinPath: lazyRootBinPath,\n rootPath: lazyRootPath,\n shadowBinPath: lazyShadowBinPath,\n socketAppDataPath: lazySocketAppDataPath,\n socketCachePath: lazySocketCachePath,\n zshRcPath: lazyZshRcPath,\n },\n internals: {\n ...registryConstantsAttribs.internals,\n getIpc,\n getSentry() {\n return _Sentry\n },\n setSentry(Sentry: Sentry): boolean {\n if (_Sentry === undefined) {\n _Sentry = Sentry\n return true\n }\n return false\n },\n },\n },\n) as Constants\n\nexport default 
constants\n"],"names":["attributes","getIpc","envAsString","env","__proto__","DISABLE_GITHUB_CACHE","GITHUB_ACTIONS","GITHUB_REF_NAME","GITHUB_REF_TYPE","GITHUB_REPOSITORY","LOCALAPPDATA","constants","PATH","SOCKET_CLI_ACCEPT_RISKS","SOCKET_CLI_API_BASE_URL","SOCKET_CLI_API_PROXY","SOCKET_CLI_API_TOKEN","SOCKET_CLI_CONFIG","SOCKET_CLI_DEBUG","SOCKET_CLI_GITHUB_TOKEN","SOCKET_CLI_NO_API_TOKEN","SOCKET_CLI_VIEW_ALL_RISKS","TERM","XDG_DATA_HOME","path","smartCSR","term","useBCE","WIN32","logger","ENV","bashRcPath","blessedOptions","distCliPath","distInstrumentWithSentryPath","distPath","distShadowBinPath","distShadowInjectPath","githubCachePath","homePath","minimumVersionByAgent","nmBinPath","nodeHardenFlags","rootBinPath","rootPath","shadowBinPath","socketAppDataPath","socketCachePath","zshRcPath","getters","internals","getSentry","_Sentry"],"mappings":";;;;;;;;;;AAWA,i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b;AACE;AACAA;AAEE;AACA;AACA;AAGE;AACA;AACA;AACA;AACA;AAKV;AACE;AACAa;AAEF;AACE;AACAA;AAEF;AAEA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;;AACQI;AAAM;;AAEV;;AAEA;;;AAGF;AACE;AACAC;AACF;;AAEI;AACAlB;AACA;AACAA;AAEJ;AACF;;AAEF;AAEA;AACE;AACAa;AAEF;AACE;AACAA;AAEF;AACE;AACAA;AAEIb;;;;;;;;;;;;;AAcFmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEC;;AAEEnB;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;;AAEFE;;;AAGEC;AACE;;;;AAIEC;AACA;AACF;AACA;AACF;AACF;AACF;;","debugId":"1cb779b7-dfbb-4433-88c0-23c051b688c8"}
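--- a/package/dist/shadow-inject.js
+++ b/package/dist/shadow-inject.js
@@ -9,6 +9,7 @@ var logger = require('../external/@socketsecurity/registry/lib/logger');
 var vendor = require('./vendor.js');
 var registry = require('../external/@socketsecurity/registry');
 var objects = require('../external/@socketsecurity/registry/lib/objects');
+var strings = require('../external/@socketsecurity/registry/lib/strings');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 const DiffAction = utils.createEnum({
@@ -874,18 +875,27 @@ async function getAlertsMapFromArborist(arb, options_) {
 const options = {
 __proto__: null,
 consolidate: false,
+include: undefined,
 limit: Infinity,
 nothrow: false,
 ...options_
 };
-
+options.include = {
 __proto__: null,
+// Leave 'actions' unassigned so it can be given a default value in
+// subsequent functions where `options` is passed.
+// actions: undefined,
+blocked: true,
+critical: true,
+cve: true,
 existing: false,
+unfixable: true,
+upgradable: false,
 ...options.include
 };
 const needInfoOn = getDetailsFromDiff(arb.diff, {
 include: {
-unchanged: include.existing
+unchanged: options.include.existing
 }
 });
 const purls = needInfoOn.map(d => utils.idToPurl(d.node.pkgid));
@@ -1056,20 +1066,21 @@ function updatePackageJsonFromNode(editablePkgJson, tree, node, newVersion, rang
 } = node;
 for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
 const depObject = editablePkgJson.content[depField];
-
-
-
-
-
-
-
-
-
-
-
-
+const oldRange = objects.hasOwn(depObject, name) ? depObject[name] : undefined;
+const oldMin = strings.isNonEmptyString(oldRange) ? vendor.semverExports.minVersion(oldRange) : null;
+const newRange = oldMin &&
+// Ensure we're on the same major version...
+vendor.semverExports.major(newVersion) === vendor.semverExports.major(oldMin.version) &&
+// and not a downgrade.
+vendor.semverExports.gte(newVersion, oldMin.version) ? utils.applyRange(oldRange, newVersion, rangeStyle) : oldRange;
+if (oldRange !== newRange) {
+result = true;
+editablePkgJson.update({
+[depField]: {
+...depObject,
+[name]: newRange
 }
-}
+});
 }
 }
 return result;
@@ -1219,5 +1230,5 @@ exports.findPackageNodes = findPackageNodes;
 exports.getAlertsMapFromArborist = getAlertsMapFromArborist;
 exports.updateNode = updateNode;
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode;
-//# debugId=
+//# debugId=aa999c00-ac0b-4e97-b4fe-41280eca7c7b
 //# sourceMappingURL=shadow-inject.js.map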
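Review bot: In the updatePackageJsonFromNode hunk, `vendor.semverExports.minVersion(oldRange)` is guarded only by `strings.isNonEmptyString`, so a dependency specifier that is not a semver range (a `workspace:`, `file:`, `npm:` alias or git URL entry in package.json) reaches it unfiltered; if `semverExports` is the standard semver API, which builds a `Range` and throws on an unparseable comparator, one such entry aborts the whole depField loop instead of being left untouched. A cheap guard is to validate first, e.g. `const oldMin = strings.isNonEmptyString(oldRange) && vendor.semverExports.validRange(oldRange) ? vendor.semverExports.minVersion(oldRange) : null;`, so unparseable ranges fall through to the existing `newRange = oldRange` path and the same-major / no-downgrade check stays as written. `objects.hasOwn(depObject, name)` is likewise evaluated before anything confirms `depObject` exists for that depField, which is only safe if that helper tolerates an undefined object — a one-line comment stating that assumption would help the next reader. The enclosing function starts before the hunk.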
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"shadow-inject.js","sources":["../src/shadow/npm/arborist/lib/arborist/types.mts","../src/shadow/npm/paths.mts","../src/shadow/npm/arborist/lib/dep-valid.mts","../src/shadow/npm/proc-log/index.mts","../src/shadow/npm/arborist/lib/override-set.mts","../src/shadow/npm/arborist/lib/node.mts","../src/shadow/npm/arborist/lib/edge.mts","../src/shadow/npm/arborist-helpers.mts","../src/shadow/npm/arborist/lib/arborist/index.mts","../src/shadow/npm/arborist/index.mts","../src/shadow/npm/inject.mts"],"sourcesContent":["import { createEnum } from '../../../../../utils/objects.mts'\n\nimport type { SafeNode } from '../node.mts'\nimport type {\n Options as ArboristOptions,\n Advisory as BaseAdvisory,\n Arborist as BaseArborist,\n AuditReport as BaseAuditReport,\n Diff as BaseDiff,\n BuildIdealTreeOptions,\n ReifyOptions,\n} from '@npmcli/arborist'\n\nexport type ArboristClass = ArboristInstance & {\n new (...args: any): ArboristInstance\n}\n\nexport type ArboristInstance = Omit<\n typeof BaseArborist,\n | 'actualTree'\n | 'auditReport'\n | 'buildIdealTree'\n | 'diff'\n | 'idealTree'\n | 'loadActual'\n | 'loadVirtual'\n | 'reify'\n> & {\n auditReport?: AuditReportInstance | null | undefined\n actualTree?: SafeNode | null | undefined\n diff: Diff | null\n idealTree?: SafeNode | null | undefined\n buildIdealTree(options?: BuildIdealTreeOptions): Promise<SafeNode>\n loadActual(options?: ArboristOptions): Promise<SafeNode>\n loadVirtual(options?: ArboristOptions): Promise<SafeNode>\n reify(options?: ArboristReifyOptions): Promise<SafeNode>\n}\n\nexport type ArboristReifyOptions = ReifyOptions & ArboristOptions\n\nexport type AuditReportInstance = Omit<BaseAuditReport, 'report'> & {\n report: { [dependency: string]: AuditAdvisory[] }\n}\n\nexport type AuditAdvisory = Omit<BaseAdvisory, 'id'> & {\n id: number\n cwe: string[]\n cvss: {\n score: number\n vectorString: string\n }\n vulnerable_versions: string\n}\n\nexport const DiffAction = createEnum({\n add: 
'ADD',\n change: 'CHANGE',\n remove: 'REMOVE',\n})\n\nexport type Diff = Omit<\n BaseDiff,\n | 'actual'\n | 'children'\n | 'filterSet'\n | 'ideal'\n | 'leaves'\n | 'removed'\n | 'shrinkwrapInflated'\n | 'unchanged'\n> & {\n actual: SafeNode\n children: Diff[]\n filterSet: Set<SafeNode>\n ideal: SafeNode\n leaves: SafeNode[]\n parent: Diff | null\n removed: SafeNode[]\n shrinkwrapInflated: Set<SafeNode>\n unchanged: SafeNode[]\n}\n","import path from 'node:path'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../../constants.mts'\nimport { getNpmRequire } from '../../utils/npm-paths.mts'\n\nlet _arboristPkgPath: string | undefined\nexport function getArboristPackagePath() {\n if (_arboristPkgPath === undefined) {\n const pkgName = '@npmcli/arborist'\n const mainPathWithForwardSlashes = normalizePath(\n getNpmRequire().resolve(pkgName),\n )\n const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n 0,\n mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length,\n )\n // Lazily access constants.WIN32.\n _arboristPkgPath = constants.WIN32\n ? 
path.normalize(arboristPkgPathWithForwardSlashes)\n : arboristPkgPathWithForwardSlashes\n }\n return _arboristPkgPath\n}\n\nlet _arboristClassPath: string | undefined\nexport function getArboristClassPath() {\n if (_arboristClassPath === undefined) {\n _arboristClassPath = path.join(\n getArboristPackagePath(),\n 'lib/arborist/index.js',\n )\n }\n return _arboristClassPath\n}\n\nlet _arboristDepValidPath: string | undefined\nexport function getArboristDepValidPath() {\n if (_arboristDepValidPath === undefined) {\n _arboristDepValidPath = path.join(\n getArboristPackagePath(),\n 'lib/dep-valid.js',\n )\n }\n return _arboristDepValidPath\n}\n\nlet _arboristEdgeClassPath: string | undefined\nexport function getArboristEdgeClassPath() {\n if (_arboristEdgeClassPath === undefined) {\n _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n }\n return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string | undefined\nexport function getArboristNodeClassPath() {\n if (_arboristNodeClassPath === undefined) {\n _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n }\n return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string | undefined\nexport function getArboristOverrideSetClassPath() {\n if (_arboristOverrideSetClassPath === undefined) {\n _arboristOverrideSetClassPath = path.join(\n getArboristPackagePath(),\n 'lib/override-set.js',\n )\n }\n return _arboristOverrideSetClassPath\n}\n","import { createRequire } from 'node:module'\n\nimport { getArboristDepValidPath } from '../../paths.mts'\n\nimport type { SafeNode } from './node.mts'\n\nconst require = createRequire(import.meta.url)\n\ntype DepValidFn = (\n child: SafeNode,\n requested: string,\n accept: string | undefined,\n requester: SafeNode,\n) => boolean\n\nlet _depValid: DepValidFn | undefined\nexport function depValid(\n child: SafeNode,\n requested: string,\n accept: string | undefined,\n requester: SafeNode,\n) {\n if (_depValid === 
undefined) {\n _depValid = require(getArboristDepValidPath()) as DepValidFn\n }\n return _depValid(child, requested, accept, requester)\n}\n","import constants from '../../../constants.mts'\nimport { getNpmRequire } from '../../../utils/npm-paths.mts'\n\nconst { UNDEFINED_TOKEN } = constants\n\ninterface RequireKnownModules {\n npmlog: typeof import('npmlog')\n // The DefinitelyTyped definition of 'proc-log' does NOT have the log method.\n // The return type of the log method is the same as `typeof import('proc-log')`.\n 'proc-log': typeof import('proc-log')\n}\n\ntype RequireTransformer<T extends keyof RequireKnownModules> = (\n mod: RequireKnownModules[T],\n) => RequireKnownModules[T]\n\nfunction tryRequire<T extends keyof RequireKnownModules>(\n req: NodeJS.Require,\n ...ids: Array<T | [T, RequireTransformer<T>]>\n): RequireKnownModules[T] | undefined {\n for (const data of ids) {\n let id: string | undefined\n let transformer: RequireTransformer<T> | undefined\n if (Array.isArray(data)) {\n id = data[0]\n transformer = data[1] as RequireTransformer<T>\n } else {\n id = data as keyof RequireKnownModules\n transformer = mod => mod\n }\n try {\n // Check that the transformed value isn't `undefined` because older\n // versions of packages like 'proc-log' may not export a `log` method.\n const exported = transformer(req(id))\n if (exported !== undefined) {\n return exported\n }\n } catch {}\n }\n return undefined\n}\n\nexport type Logger =\n | typeof import('npmlog')\n | typeof import('proc-log')\n | undefined\n\nlet _log: Logger | {} | undefined = UNDEFINED_TOKEN\nexport function getLogger(): Logger {\n if (_log === UNDEFINED_TOKEN) {\n _log = tryRequire(\n getNpmRequire(),\n [\n 'proc-log/lib/index.js' as 'proc-log',\n // The proc-log DefinitelyTyped definition is incorrect. 
The type definition\n // is really that of its export log.\n mod => (mod as any).log as RequireKnownModules['proc-log'],\n ],\n 'npmlog/lib/log.js' as 'npmlog',\n )\n }\n return _log as Logger | undefined\n}\n","import { createRequire } from 'node:module'\n\nimport npa from 'npm-package-arg'\nimport semver from 'semver'\n\nimport { getArboristOverrideSetClassPath } from '../../paths.mts'\nimport { getLogger } from '../../proc-log/index.mts'\n\nimport type { SafeEdge } from './edge.mts'\nimport type { SafeNode } from './node.mts'\nimport type { AliasResult, RegistryResult } from 'npm-package-arg'\n\nconst require = createRequire(import.meta.url)\n\ninterface OverrideSetClass {\n children: Map<string, SafeOverrideSet>\n key: string | undefined\n keySpec: string | undefined\n name: string | undefined\n parent: SafeOverrideSet | undefined\n value: string | undefined\n version: string | undefined\n // eslint-disable-next-line @typescript-eslint/no-misused-new\n new (...args: any[]): OverrideSetClass\n get isRoot(): boolean\n get ruleset(): Map<string, SafeOverrideSet>\n ancestry(): Generator<SafeOverrideSet>\n childrenAreEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean\n getEdgeRule(edge: SafeEdge): SafeOverrideSet\n getNodeRule(node: SafeNode): SafeOverrideSet\n getMatchingRule(node: SafeNode): SafeOverrideSet | null\n isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean\n}\n\nconst OverrideSet: OverrideSetClass = require(getArboristOverrideSetClassPath())\n\n// Implementation code not related to patch https://github.com/npm/cli/pull/8089\n// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:\nexport class SafeOverrideSet extends OverrideSet {\n // Patch adding doOverrideSetsConflict is based on\n // https://github.com/npm/cli/pull/8089.\n static doOverrideSetsConflict(\n first: SafeOverrideSet | undefined,\n second: SafeOverrideSet | undefined,\n ) {\n // If override sets contain one another then we can 
try to use the more\n // specific one. If neither one is more specific, then we consider them to\n // be in conflict.\n return this.findSpecificOverrideSet(first, second) === undefined\n }\n\n // Patch adding findSpecificOverrideSet is based on\n // https://github.com/npm/cli/pull/8089.\n static findSpecificOverrideSet(\n first: SafeOverrideSet | undefined,\n second: SafeOverrideSet | undefined,\n ) {\n for (\n let overrideSet = second;\n overrideSet;\n overrideSet = overrideSet.parent\n ) {\n if (overrideSet.isEqual(first)) {\n return second\n }\n }\n for (\n let overrideSet = first;\n overrideSet;\n overrideSet = overrideSet.parent\n ) {\n if (overrideSet.isEqual(second)) {\n return first\n }\n }\n // The override sets are incomparable. Neither one contains the other.\n const log = getLogger()\n log?.silly('Conflicting override sets', first, second)\n return undefined\n }\n\n // Patch adding childrenAreEqual is based on\n // https://github.com/npm/cli/pull/8089.\n override childrenAreEqual(otherOverrideSet: SafeOverrideSet) {\n if (this.children.size !== otherOverrideSet.children.size) {\n return false\n }\n for (const { 0: key, 1: childOverrideSet } of this.children) {\n const otherChildOverrideSet = otherOverrideSet.children.get(key)\n if (!otherChildOverrideSet) {\n return false\n }\n if (childOverrideSet.value !== otherChildOverrideSet.value) {\n return false\n }\n if (!childOverrideSet.childrenAreEqual(otherChildOverrideSet)) {\n return false\n }\n }\n return true\n }\n\n override getEdgeRule(edge: SafeEdge): SafeOverrideSet {\n for (const rule of this.ruleset.values()) {\n if (rule.name !== edge.name) {\n continue\n }\n // If keySpec is * we found our override.\n if (rule.keySpec === '*') {\n return rule\n }\n // Patch replacing\n // let spec = npa(`${edge.name}@${edge.spec}`)\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // We need to use the rawSpec here, because the spec has the overrides\n // applied to it already. 
The rawSpec can be undefined, so we need to use\n // the fallback value of spec if it is.\n let spec = npa(`${edge.name}@${edge.rawSpec || edge.spec}`)\n if (spec.type === 'alias') {\n spec = (spec as AliasResult).subSpec\n }\n if (spec.type === 'git') {\n if (spec.gitRange && semver.intersects(spec.gitRange, rule.keySpec!)) {\n return rule\n }\n continue\n }\n if (spec.type === 'range' || spec.type === 'version') {\n if (\n semver.intersects((spec as RegistryResult).fetchSpec, rule.keySpec!)\n ) {\n return rule\n }\n continue\n }\n // If we got this far, the spec type is one of tag, directory or file\n // which means we have no real way to make version comparisons, so we\n // just accept the override.\n return rule\n }\n return this\n }\n\n // Patch adding isEqual is based on\n // https://github.com/npm/cli/pull/8089.\n override isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean {\n if (this === otherOverrideSet) {\n return true\n }\n if (!otherOverrideSet) {\n return false\n }\n if (\n this.key !== otherOverrideSet.key ||\n this.value !== otherOverrideSet.value\n ) {\n return false\n }\n if (!this.childrenAreEqual(otherOverrideSet)) {\n return false\n }\n if (!this.parent) {\n return !otherOverrideSet.parent\n }\n return this.parent.isEqual(otherOverrideSet.parent)\n }\n}\n","import { createRequire } from 'node:module'\n\nimport semver from 'semver'\n\nimport { SafeOverrideSet } from './override-set.mts'\nimport { getArboristNodeClassPath } from '../../paths.mts'\nimport { getLogger } from '../../proc-log/index.mts'\n\nimport type { SafeEdge } from './edge.mts'\nimport type { Node as BaseNode } from '@npmcli/arborist'\n\nconst require = createRequire(import.meta.url)\n\ntype NodeClass = Omit<\n BaseNode,\n | 'addEdgeIn'\n | 'addEdgeOut'\n | 'canDedupe'\n | 'canReplace'\n | 'canReplaceWith'\n | 'children'\n | 'deleteEdgeIn'\n | 'edgesIn'\n | 'edgesOut'\n | 'from'\n | 'hasShrinkwrap'\n | 'inDepBundle'\n | 'inShrinkwrap'\n | 'integrity'\n | 'isTop'\n | 
'matches'\n | 'meta'\n | 'name'\n | 'overrides'\n | 'packageName'\n | 'parent'\n | 'recalculateOutEdgesOverrides'\n | 'resolve'\n | 'resolveParent'\n | 'root'\n | 'target'\n | 'updateOverridesEdgeInAdded'\n | 'updateOverridesEdgeInRemoved'\n | 'version'\n | 'versions'\n> & {\n name: string\n version: string\n children: Map<string, SafeNode | LinkClass>\n edgesIn: Set<SafeEdge>\n edgesOut: Map<string, SafeEdge>\n from: SafeNode | null\n hasShrinkwrap: boolean\n inShrinkwrap: boolean | undefined\n integrity?: string | null\n isTop: boolean | undefined\n meta: BaseNode['meta'] & {\n addEdge(edge: SafeEdge): void\n }\n overrides: SafeOverrideSet | undefined\n target: SafeNode\n versions: string[]\n get inDepBundle(): boolean\n get packageName(): string | null\n get parent(): SafeNode | null\n set parent(value: SafeNode | null)\n get resolveParent(): SafeNode | null\n get root(): SafeNode | null\n set root(value: SafeNode | null)\n new (...args: any): NodeClass\n addEdgeIn(edge: SafeEdge): void\n addEdgeOut(edge: SafeEdge): void\n canDedupe(preferDedupe?: boolean): boolean\n canReplace(node: SafeNode, ignorePeers?: string[]): boolean\n canReplaceWith(node: SafeNode, ignorePeers?: string[]): boolean\n deleteEdgeIn(edge: SafeEdge): void\n matches(node: SafeNode): boolean\n recalculateOutEdgesOverrides(): void\n resolve(name: string): SafeNode\n updateOverridesEdgeInAdded(\n otherOverrideSet: SafeOverrideSet | undefined,\n ): boolean\n updateOverridesEdgeInRemoved(otherOverrideSet: SafeOverrideSet): boolean\n}\n\nexport type LinkClass = Omit<NodeClass, 'isLink'> & {\n readonly isLink: true\n}\n\nconst Node: NodeClass = require(getArboristNodeClassPath())\n\n// Implementation code not related to patch https://github.com/npm/cli/pull/8089\n// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:\nexport class SafeNode extends Node {\n // Return true if it's safe to remove this node, because anything that is\n // depending on it would be fine 
with the thing that they would resolve to if\n // it was removed, or nothing is depending on it in the first place.\n override canDedupe(preferDedupe = false) {\n // Not allowed to mess with shrinkwraps or bundles.\n if (this.inDepBundle || this.inShrinkwrap) {\n return false\n }\n // It's a top level pkg, or a dep of one.\n if (!this.resolveParent?.resolveParent) {\n return false\n }\n // No one wants it, remove it.\n if (this.edgesIn.size === 0) {\n return true\n }\n const other = this.resolveParent.resolveParent.resolve(this.name)\n // Nothing else, need this one.\n if (!other) {\n return false\n }\n // If it's the same thing, then always fine to remove.\n if (other.matches(this)) {\n return true\n }\n // If the other thing can't replace this, then skip it.\n if (!other.canReplace(this)) {\n return false\n }\n // Patch replacing\n // if (preferDedupe || semver.gte(other.version, this.version)) {\n // return true\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // If we prefer dedupe, or if the version is equal, take the other.\n if (preferDedupe || semver.eq(other.version, this.version)) {\n return true\n }\n // If our current version isn't the result of an override, then prefer to\n // take the greater version.\n if (!this.overridden && semver.gt(other.version, this.version)) {\n return true\n }\n return false\n }\n\n // Is it safe to replace one node with another? check the edges to\n // make sure no one will get upset. Note that the node might end up\n // having its own unmet dependencies, if the new node has new deps.\n // Note that there are cases where Arborist will opt to insert a node\n // into the tree even though this function returns false! This is\n // necessary when a root dependency is added or updated, or when a\n // root dependency brings peer deps along with it. 
In that case, we\n // will go ahead and create the invalid state, and then try to resolve\n // it with more tree construction, because it's a user request.\n override canReplaceWith(node: SafeNode, ignorePeers?: string[]): boolean {\n if (this.name !== node.name || this.packageName !== node.packageName) {\n return false\n }\n // Patch replacing\n // if (node.overrides !== this.overrides) {\n // return false\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // If this node has no dependencies, then it's irrelevant to check the\n // override rules of the replacement node.\n if (this.edgesOut.size) {\n // XXX need to check for two root nodes?\n if (node.overrides) {\n if (!node.overrides.isEqual(this.overrides)) {\n return false\n }\n } else {\n if (this.overrides) {\n return false\n }\n }\n }\n // To satisfy the patch we ensure `node.overrides === this.overrides`\n // so that the condition we want to replace,\n // if (this.overrides !== node.overrides) {\n // , is not hit.`\n const oldOverrideSet = this.overrides\n let result = true\n if (oldOverrideSet !== node.overrides) {\n this.overrides = node.overrides\n }\n try {\n result = super.canReplaceWith(node, ignorePeers)\n this.overrides = oldOverrideSet\n } catch (e) {\n this.overrides = oldOverrideSet\n throw e\n }\n return result\n }\n\n // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/8089.\n override deleteEdgeIn(edge: SafeEdge) {\n this.edgesIn.delete(edge)\n const { overrides } = edge\n if (overrides) {\n this.updateOverridesEdgeInRemoved(overrides)\n }\n }\n\n override addEdgeIn(edge: SafeEdge): void {\n // Patch replacing\n // if (edge.overrides) {\n // this.overrides = edge.overrides\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // We need to handle the case where the new edge in has an overrides field\n // which is different from the current value.\n if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {\n 
this.updateOverridesEdgeInAdded(edge.overrides)\n }\n this.edgesIn.add(edge)\n // Try to get metadata from the yarn.lock file.\n this.root.meta?.addEdge(edge)\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get overridden() {\n // Patch replacing\n // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)\n // is based on https://github.com/npm/cli/pull/8089.\n if (\n !this.overrides ||\n !this.overrides.value ||\n this.overrides.name !== this.name\n ) {\n return false\n }\n // The overrides rule is for a package with this name, but some override\n // rules only apply to specific versions. To make sure this package was\n // actually overridden, we check whether any edge going in had the rule\n // applied to it, in which case its overrides set is different than its\n // source node.\n for (const edge of this.edgesIn) {\n if (\n edge.overrides &&\n edge.overrides.name === this.name &&\n edge.overrides.value === this.version\n ) {\n if (!edge.overrides.isEqual(edge.from?.overrides)) {\n return true\n }\n }\n }\n return false\n }\n\n override set parent(newParent: SafeNode) {\n // Patch removing\n // if (parent.overrides) {\n // this.overrides = parent.overrides.getNodeRule(this)\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // The \"parent\" setter is a really large and complex function. 
To satisfy\n // the patch we hold on to the old overrides value and set `this.overrides`\n // to `undefined` so that the condition we want to remove is not hit.\n const { overrides } = this\n if (overrides) {\n this.overrides = undefined\n }\n try {\n super.parent = newParent\n this.overrides = overrides\n } catch (e) {\n this.overrides = overrides\n throw e\n }\n }\n\n // Patch adding recalculateOutEdgesOverrides is based on\n // https://github.com/npm/cli/pull/8089.\n override recalculateOutEdgesOverrides() {\n // For each edge out propagate the new overrides through.\n for (const edge of this.edgesOut.values()) {\n edge.reload(true)\n if (edge.to) {\n edge.to.updateOverridesEdgeInAdded(edge.overrides)\n }\n }\n }\n\n // @ts-ignore: Incorrectly typed to accept null.\n override set root(newRoot: SafeNode) {\n // Patch removing\n // if (!this.overrides && this.parent && this.parent.overrides) {\n // this.overrides = this.parent.overrides.getNodeRule(this)\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // The \"root\" setter is a really large and complex function. To satisfy the\n // patch we add a dummy value to `this.overrides` so that the condition we\n // want to remove is not hit.\n if (!this.overrides) {\n this.overrides = new SafeOverrideSet({ overrides: '' })\n }\n try {\n super.root = newRoot\n this.overrides = undefined\n } catch (e) {\n this.overrides = undefined\n throw e\n }\n }\n\n // Patch adding updateOverridesEdgeInAdded is based on\n // https://github.com/npm/cli/pull/7025.\n //\n // This logic isn't perfect either. When we have two edges in that have\n // different override sets, then we have to decide which set is correct. This\n // function assumes the more specific override set is applicable, so if we have\n // dependencies A->B->C and A->C and an override set that specifies what happens\n // for C under A->B, this will work even if the new A->C edge comes along and\n // tries to change the override set. 
The strictly correct logic is not to allow\n // two edges with different overrides to point to the same node, because even\n // if this node can satisfy both, one of its dependencies might need to be\n // different depending on the edge leading to it. However, this might cause a\n // lot of duplication, because the conflict in the dependencies might never\n // actually happen.\n override updateOverridesEdgeInAdded(\n otherOverrideSet: SafeOverrideSet | undefined,\n ) {\n if (!otherOverrideSet) {\n // Assuming there are any overrides at all, the overrides field is never\n // undefined for any node at the end state of the tree. So if the new edge's\n // overrides is undefined it will be updated later. So we can wait with\n // updating the node's overrides field.\n return false\n }\n if (!this.overrides) {\n this.overrides = otherOverrideSet\n this.recalculateOutEdgesOverrides()\n return true\n }\n if (this.overrides.isEqual(otherOverrideSet)) {\n return false\n }\n const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(\n this.overrides,\n otherOverrideSet,\n )\n if (newOverrideSet) {\n if (this.overrides.isEqual(newOverrideSet)) {\n return false\n }\n this.overrides = newOverrideSet\n this.recalculateOutEdgesOverrides()\n return true\n }\n // This is an error condition. 
We can only get here if the new override set\n // is in conflict with the existing.\n const log = getLogger()\n log?.silly('Conflicting override sets', this.name)\n return false\n }\n\n // Patch adding updateOverridesEdgeInRemoved is based on\n // https://github.com/npm/cli/pull/7025.\n override updateOverridesEdgeInRemoved(otherOverrideSet: SafeOverrideSet) {\n // If this edge's overrides isn't equal to this node's overrides,\n // then removing it won't change newOverrideSet later.\n if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {\n return false\n }\n let newOverrideSet\n for (const edge of this.edgesIn) {\n const { overrides: edgeOverrides } = edge\n if (newOverrideSet && edgeOverrides) {\n newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(\n edgeOverrides,\n newOverrideSet,\n )\n } else {\n newOverrideSet = edgeOverrides\n }\n }\n if (this.overrides.isEqual(newOverrideSet)) {\n return false\n }\n this.overrides = newOverrideSet\n if (newOverrideSet) {\n // Optimization: If there's any override set at all, then no non-extraneous\n // node has an empty override set. So if we temporarily have no override set\n // (for example, we removed all the edges in), there's no use updating all\n // the edges out right now. 
Let's just wait until we have an actual override\n // set later.\n this.recalculateOutEdgesOverrides()\n }\n return true\n }\n}\n","import { createRequire } from 'node:module'\n\nimport { depValid } from './dep-valid.mts'\nimport { SafeNode } from './node.mts'\nimport { SafeOverrideSet } from './override-set.mts'\nimport { getArboristEdgeClassPath } from '../../paths.mts'\n\nimport type { Edge as BaseEdge, DependencyProblem } from '@npmcli/arborist'\n\nconst require = createRequire(import.meta.url)\n\ntype EdgeClass = Omit<\n BaseEdge,\n | 'accept'\n | 'detach'\n | 'optional'\n | 'overrides'\n | 'peer'\n | 'peerConflicted'\n | 'rawSpec'\n | 'reload'\n | 'satisfiedBy'\n | 'spec'\n | 'to'\n> & {\n optional: boolean\n overrides: SafeOverrideSet | undefined\n peer: boolean\n peerConflicted: boolean\n rawSpec: string\n get accept(): string | undefined\n get spec(): string\n get to(): SafeNode | null\n new (...args: any): EdgeClass\n detach(): void\n reload(hard?: boolean): void\n satisfiedBy(node: SafeNode): boolean\n}\n\nexport type EdgeOptions = {\n type: string\n name: string\n spec: string\n from: SafeNode\n accept?: string | undefined\n overrides?: SafeOverrideSet | undefined\n to?: SafeNode | undefined\n}\n\nexport type ErrorStatus = DependencyProblem | 'OK'\n\nexport type Explanation = {\n type: string\n name: string\n spec: string\n bundled: boolean\n overridden: boolean\n error: ErrorStatus | undefined\n rawSpec: string | undefined\n from: object | undefined\n} | null\n\nexport const Edge: EdgeClass = require(getArboristEdgeClassPath())\n\n// The Edge class makes heavy use of private properties which subclasses do NOT\n// have access to. So we have to recreate any functionality that relies on those\n// private properties and use our own \"safe\" prefixed non-conflicting private\n// properties. 
Implementation code not related to patch https://github.com/npm/cli/pull/8089\n// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.\n//\n// The npm application\n// Copyright (c) npm, Inc. and Contributors\n// Licensed on the terms of The Artistic License 2.0\n//\n// An edge in the dependency graph.\n// Represents a dependency relationship of some kind.\nexport class SafeEdge extends Edge {\n #safeError: ErrorStatus | null\n #safeExplanation: Explanation | undefined\n #safeFrom: SafeNode | null\n #safeTo: SafeNode | null\n\n constructor(options: EdgeOptions) {\n const { from } = options\n // Defer to supper to validate options and assign non-private values.\n super(options)\n if (from.constructor !== SafeNode) {\n Reflect.setPrototypeOf(from, SafeNode.prototype)\n }\n this.#safeError = null\n this.#safeExplanation = null\n this.#safeFrom = from\n this.#safeTo = null\n this.reload(true)\n }\n\n override get bundled() {\n return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name)\n }\n\n override get error() {\n if (!this.#safeError) {\n if (!this.#safeTo) {\n if (this.optional) {\n this.#safeError = null\n } else {\n this.#safeError = 'MISSING'\n }\n } else if (\n this.peer &&\n this.#safeFrom === this.#safeTo.parent &&\n // Patch adding \"?.\" use based on\n // https://github.com/npm/cli/pull/8089.\n !this.#safeFrom?.isTop\n ) {\n this.#safeError = 'PEER LOCAL'\n } else if (!this.satisfiedBy(this.#safeTo)) {\n this.#safeError = 'INVALID'\n }\n // Patch adding \"else if\" condition is based on\n // https://github.com/npm/cli/pull/8089.\n else if (\n this.overrides &&\n this.#safeTo.edgesOut.size &&\n SafeOverrideSet.doOverrideSetsConflict(\n this.overrides,\n this.#safeTo.overrides,\n )\n ) {\n // Any inconsistency between the edge's override set and the target's\n // override set is potentially problematic. But we only say the edge is\n // in error if the override sets are plainly conflicting. 
Note that if\n // the target doesn't have any dependencies of their own, then this\n // inconsistency is irrelevant.\n this.#safeError = 'INVALID'\n } else {\n this.#safeError = 'OK'\n }\n }\n if (this.#safeError === 'OK') {\n return null\n }\n return this.#safeError\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get from() {\n return this.#safeFrom\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get spec(): string {\n if (\n this.overrides?.value &&\n this.overrides.value !== '*' &&\n this.overrides.name === this.name\n ) {\n if (this.overrides.value.startsWith('$')) {\n const ref = this.overrides.value.slice(1)\n // We may be a virtual root, if we are we want to resolve reference\n // overrides from the real root, not the virtual one.\n //\n // Patch adding \"?.\" use based on\n // https://github.com/npm/cli/pull/8089.\n const pkg = this.#safeFrom?.sourceReference\n ? this.#safeFrom?.sourceReference.root.package\n : this.#safeFrom?.root?.package\n if (pkg?.devDependencies?.[ref]) {\n return pkg.devDependencies[ref] as string\n }\n if (pkg?.optionalDependencies?.[ref]) {\n return pkg.optionalDependencies[ref] as string\n }\n if (pkg?.dependencies?.[ref]) {\n return pkg.dependencies[ref] as string\n }\n if (pkg?.peerDependencies?.[ref]) {\n return pkg.peerDependencies[ref] as string\n }\n throw new Error(`Unable to resolve reference ${this.overrides.value}`)\n }\n return this.overrides.value\n }\n return this.rawSpec\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get to() {\n return this.#safeTo\n }\n\n override detach() {\n this.#safeExplanation = null\n // Patch replacing\n // if (this.#to) {\n // this.#to.edgesIn.delete(this)\n // }\n // this.#from.edgesOut.delete(this.#name)\n // is based on https://github.com/npm/cli/pull/8089.\n this.#safeTo?.deleteEdgeIn(this)\n this.#safeFrom?.edgesOut.delete(this.name)\n this.#safeTo = null\n 
this.#safeError = 'DETACHED'\n this.#safeFrom = null\n }\n\n // Return the edge data, and an explanation of how that edge came to be here.\n // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.\n override explain() {\n if (!this.#safeExplanation) {\n const explanation: Explanation = {\n type: this.type,\n name: this.name,\n spec: this.spec,\n bundled: false,\n overridden: false,\n error: undefined,\n from: undefined,\n rawSpec: undefined,\n }\n if (this.rawSpec !== this.spec) {\n explanation.rawSpec = this.rawSpec\n explanation.overridden = true\n }\n if (this.bundled) {\n explanation.bundled = this.bundled\n }\n if (this.error) {\n explanation.error = this.error\n }\n if (this.#safeFrom) {\n explanation.from = this.#safeFrom.explain()\n }\n this.#safeExplanation = explanation\n }\n return this.#safeExplanation\n }\n\n override reload(hard = false) {\n this.#safeExplanation = null\n // Patch replacing\n // if (this.#from.overrides) {\n // is based on https://github.com/npm/cli/pull/8089.\n let needToUpdateOverrideSet = false\n let newOverrideSet\n let oldOverrideSet\n if (this.#safeFrom?.overrides) {\n newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this)\n if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {\n // If there's a new different override set we need to propagate it to\n // the nodes. If we're deleting the override set then there's no point\n // propagating it right now since it will be filled with another value\n // later.\n needToUpdateOverrideSet = true\n oldOverrideSet = this.overrides\n this.overrides = newOverrideSet\n }\n } else {\n this.overrides = undefined\n }\n // Patch adding \"?.\" use based on\n // https://github.com/npm/cli/pull/8089.\n const newTo = this.#safeFrom?.resolve(this.name)\n if (newTo !== this.#safeTo) {\n // Patch replacing\n // this.#to.edgesIn.delete(this)\n // is based on https://github.com/npm/cli/pull/8089.\n this.#safeTo?.deleteEdgeIn(this)\n this.#safeTo = (newTo as SafeNode) ?? 
null\n this.#safeError = null\n this.#safeTo?.addEdgeIn(this)\n } else if (hard) {\n this.#safeError = null\n }\n // Patch adding \"else if\" condition based on\n // https://github.com/npm/cli/pull/8089.\n else if (needToUpdateOverrideSet && this.#safeTo) {\n // Propagate the new override set to the target node.\n this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet!)\n this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet)\n }\n }\n\n override satisfiedBy(node: SafeNode) {\n // Patch replacing\n // if (node.name !== this.#name) {\n // return false\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n if (node.name !== this.name || !this.#safeFrom) {\n return false\n }\n // NOTE: this condition means we explicitly do not support overriding\n // bundled or shrinkwrapped dependencies\n if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {\n return depValid(node, this.rawSpec, this.accept, this.#safeFrom)\n }\n // Patch replacing\n // return depValid(node, this.spec, this.#accept, this.#from)\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // If there's no override we just use the spec.\n if (!this.overrides?.keySpec) {\n return depValid(node, this.spec, this.accept, this.#safeFrom)\n }\n // There's some override. If the target node satisfies the overriding spec\n // then it's okay.\n if (depValid(node, this.spec, this.accept, this.#safeFrom)) {\n return true\n }\n // If it doesn't, then it should at least satisfy the original spec.\n if (!depValid(node, this.rawSpec, this.accept, this.#safeFrom)) {\n return false\n }\n // It satisfies the original spec, not the overriding spec. 
We need to make\n // sure it doesn't use the overridden spec.\n // For example:\n // we might have an ^8.0.0 rawSpec, and an override that makes\n // keySpec=8.23.0 and the override value spec=9.0.0.\n // If the node is 9.0.0, then it's okay because it's consistent with spec.\n // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.\n // If the node is 8.23.0, then it's not okay because even though it's consistent\n // with the rawSpec, it's also consistent with the keySpec.\n // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.\n return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom)\n }\n}\n","import semver from 'semver'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\nimport { getManifestData } from '@socketsecurity/registry'\nimport { hasOwn } from '@socketsecurity/registry/lib/objects'\nimport { fetchPackagePackument } from '@socketsecurity/registry/lib/packages'\n\nimport constants from '../../constants.mts'\nimport { applyRange, getMajor } from '../../utils/semver.mts'\nimport { idToPurl } from '../../utils/spec.mts'\nimport { DiffAction } from './arborist/lib/arborist/types.mts'\nimport { Edge } from './arborist/lib/edge.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\n\nimport type { RangeStyle } from '../../utils/semver.mts'\nimport type { SafeArborist } from './arborist/lib/arborist/index.mts'\nimport type { Diff } from './arborist/lib/arborist/types.mts'\nimport type { SafeEdge } from './arborist/lib/edge.mts'\nimport type { LinkClass, SafeNode } from './arborist/lib/node.mts'\nimport type {\n AlertIncludeFilter,\n AlertsByPkgId,\n} from '../../utils/socket-package-alert.mts'\nimport type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nconst { LOOP_SENTINEL, NPM, NPM_REGISTRY_URL } = constants\n\nfunction getUrlOrigin(input: string): string {\n try {\n // TODO: URL.parse is 
available in Node 22.1.0. We can use it when we drop Node 18.\n // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base\n // return URL.parse(input)?.origin ?? ''\n return new URL(input).origin ?? ''\n } catch {}\n return ''\n}\n\nexport function findBestPatchVersion(\n node: SafeNode,\n availableVersions: string[],\n vulnerableVersionRange?: string,\n _firstPatchedVersionIdentifier?: string | undefined,\n): string | null {\n const manifestData = getManifestData(NPM, node.name)\n let eligibleVersions\n if (manifestData && manifestData.name === manifestData.package) {\n const major = getMajor(manifestData.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(v => getMajor(v) === major)\n } else {\n const major = getMajor(node.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(\n v =>\n // Filter for versions that are within the current major version and\n // are NOT in the vulnerable range.\n getMajor(v) === major &&\n (!vulnerableVersionRange ||\n !semver.satisfies(v, vulnerableVersionRange)),\n )\n }\n return eligibleVersions ? 
semver.maxSatisfying(eligibleVersions, '*') : null\n}\n\nexport function findPackageNode(\n tree: SafeNode,\n name: string,\n version?: string | undefined,\n): SafeNode | undefined {\n const queue: Array<SafeNode | LinkClass> = [tree]\n const visited = new Set<SafeNode>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNode')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n return node\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return undefined\n}\n\nexport function findPackageNodes(\n tree: SafeNode,\n name: string,\n version?: string | undefined,\n): SafeNode[] {\n const matches: SafeNode[] = []\n const queue: Array<SafeNode | LinkClass> = [tree]\n const visited = new Set<SafeNode>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNodes')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n matches.push(node)\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return matches\n}\n\nexport type GetAlertsMapFromArboristOptions = {\n consolidate?: boolean | undefined\n include?: AlertIncludeFilter | undefined\n nothrow?: boolean | undefined\n spinner?: Spinner | undefined\n}\n\nexport async function getAlertsMapFromArborist(\n arb: 
SafeArborist,\n options_?: GetAlertsMapFromArboristOptions | undefined,\n): Promise<AlertsByPkgId> {\n const options = {\n __proto__: null,\n consolidate: false,\n limit: Infinity,\n nothrow: false,\n ...options_,\n } as GetAlertsMapFromArboristOptions\n\n const include = {\n __proto__: null,\n actions: undefined,\n blocked: true,\n critical: true,\n cve: true,\n existing: false,\n unfixable: true,\n upgradable: false,\n ...options.include,\n } as AlertIncludeFilter\n\n const needInfoOn = getDetailsFromDiff(arb.diff, {\n include: {\n unchanged: include.existing,\n },\n })\n\n const purls = needInfoOn.map(d => idToPurl(d.node.pkgid))\n\n let overrides: { [key: string]: string } | undefined\n const overridesMap = (\n arb.actualTree ??\n arb.idealTree ??\n (await arb.loadActual())\n )?.overrides?.children\n if (overridesMap) {\n overrides = Object.fromEntries(\n [...overridesMap.entries()].map(([key, overrideSet]) => {\n return [key, overrideSet.value!]\n }),\n )\n }\n\n return await getAlertsMapFromPurls(purls, {\n overrides,\n ...options,\n })\n}\n\nexport type DiffQueryIncludeFilter = {\n unchanged?: boolean | undefined\n unknownOrigin?: boolean | undefined\n}\n\nexport type DiffQueryOptions = {\n include?: DiffQueryIncludeFilter | undefined\n}\n\nexport type PackageDetail = {\n node: SafeNode\n existing?: SafeNode | undefined\n}\n\nexport function getDetailsFromDiff(\n diff_: Diff | null,\n options?: DiffQueryOptions | undefined,\n): PackageDetail[] {\n const details: PackageDetail[] = []\n // `diff_` is `null` when `npm install --package-lock-only` is passed.\n if (!diff_) {\n return details\n }\n\n const include = {\n __proto__: null,\n unchanged: false,\n unknownOrigin: false,\n ...({ __proto__: null, ...options } as DiffQueryOptions).include,\n } as DiffQueryIncludeFilter\n\n const queue: Diff[] = [...diff_.children]\n let pos = 0\n let { length: queueLength } = queue\n while (pos < queueLength) {\n if (pos === LOOP_SENTINEL) {\n throw new Error('Detected 
infinite loop while walking Arborist diff')\n }\n const diff = queue[pos++]!\n const { action } = diff\n if (action) {\n // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff\n // action is 'REMOVE'\n // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff\n // action is 'ADD'.\n const { actual: oldNode, ideal: pkgNode } = diff\n let existing: SafeNode | undefined\n let keep = false\n if (action === DiffAction.change) {\n if (pkgNode?.package.version !== oldNode?.package.version) {\n keep = true\n if (\n oldNode?.package.name &&\n oldNode.package.name === pkgNode?.package.name\n ) {\n existing = oldNode\n }\n } else {\n // TODO: This debug log has too much information. We should narrow it down.\n // debugLog('SKIPPING META CHANGE ON', diff)\n }\n } else {\n keep = action !== DiffAction.remove\n }\n if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {\n if (\n include.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing,\n })\n }\n }\n }\n for (const child of diff.children) {\n queue[queueLength++] = child\n }\n }\n if (include.unchanged) {\n const { unchanged } = diff_!\n for (let i = 0, { length } = unchanged; i < length; i += 1) {\n const pkgNode = unchanged[i]!\n if (\n include.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing: pkgNode,\n })\n }\n }\n }\n return details\n}\n\nexport function getTargetNode(nodeOrLink: SafeNode | LinkClass): SafeNode\nexport function getTargetNode<T>(nodeOrLink: T): SafeNode | null\nexport function getTargetNode(nodeOrLink: any): SafeNode | null {\n return nodeOrLink?.isLink ? nodeOrLink.target : (nodeOrLink ?? 
null)\n}\n\nexport function isTopLevel(tree: SafeNode, node: SafeNode): boolean {\n return getTargetNode(tree.children.get(node.name)) === node\n}\n\nexport type Packument = Exclude<\n Awaited<ReturnType<typeof fetchPackagePackument>>,\n null\n>\n\nexport function updateNode(\n node: SafeNode,\n newVersion: string,\n newVersionPackument: Packument['versions'][number],\n): void {\n // Object.defineProperty is needed to set the version property and replace\n // the old value with newVersion.\n Object.defineProperty(node, 'version', {\n configurable: true,\n enumerable: true,\n get: () => newVersion,\n })\n // Update package.version associated with the node.\n node.package.version = newVersion\n // Update node.resolved.\n const purlObj = PackageURL.fromString(idToPurl(node.name))\n node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${newVersion}.tgz`\n // Update node.integrity with the targetPackument.dist.integrity value if available\n // else delete node.integrity so a new value is resolved for the target version.\n const { integrity } = newVersionPackument.dist\n if (integrity) {\n node.integrity = integrity\n } else {\n delete node.integrity\n }\n // Update node.package.deprecated based on targetPackument.deprecated.\n if (hasOwn(newVersionPackument, 'deprecated')) {\n node.package['deprecated'] = newVersionPackument.deprecated as string\n } else {\n delete node.package['deprecated']\n }\n // Update node.package.dependencies.\n const newDeps = { ...newVersionPackument.dependencies }\n const { dependencies: oldDeps } = node.package\n node.package.dependencies = newDeps\n if (oldDeps) {\n for (const oldDepName of Object.keys(oldDeps)) {\n if (!hasOwn(newDeps, oldDepName)) {\n // Detach old edges for dependencies that don't exist on the updated\n // node.package.dependencies.\n node.edgesOut.get(oldDepName)?.detach()\n }\n }\n }\n for (const newDepName of Object.keys(newDeps)) {\n if (!hasOwn(oldDeps, newDepName)) {\n // Add new edges for 
dependencies that don't exist on the old\n // node.package.dependencies.\n node.addEdgeOut(\n new Edge({\n from: node,\n name: newDepName,\n spec: newDeps[newDepName],\n type: 'prod',\n }) as unknown as SafeEdge,\n )\n }\n }\n}\n\nexport function updatePackageJsonFromNode(\n editablePkgJson: EditablePackageJson,\n tree: SafeNode,\n node: SafeNode,\n newVersion: string,\n rangeStyle?: RangeStyle | undefined,\n): boolean {\n let result = false\n if (!isTopLevel(tree, node)) {\n return result\n }\n const { name } = node\n for (const depField of [\n 'dependencies',\n 'optionalDependencies',\n 'peerDependencies',\n ]) {\n const depObject = editablePkgJson.content[depField] as\n | { [key: string]: string }\n | undefined\n if (depObject) {\n const oldRange = depObject[name]\n if (oldRange) {\n const newRange = applyRange(oldRange, newVersion, rangeStyle)\n if (oldRange !== newRange) {\n result = true\n editablePkgJson.update({\n [depField]: {\n ...depObject,\n [name]: newRange,\n },\n })\n }\n }\n }\n }\n return result\n}\n","import { createRequire } from 'node:module'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants from '../../../../../constants.mts'\nimport { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'\nimport { getAlertsMapFromArborist } from '../../../arborist-helpers.mts'\nimport { getArboristClassPath } from '../../../paths.mts'\n\nimport type { ArboristClass, ArboristReifyOptions } from './types.mts'\nimport type { SafeNode } from '../node.mts'\n\nconst require = createRequire(import.meta.url)\n\nconst {\n NPM,\n NPX,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_SAFE_BIN,\n SOCKET_CLI_SAFE_PROGRESS,\n SOCKET_CLI_VIEW_ALL_RISKS,\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },\n} = constants\n\nexport const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n __proto__: null,\n audit: false,\n dryRun: true,\n fund: false,\n ignoreScripts: true,\n progress: false,\n save: 
false,\n saveBundle: false,\n silent: true,\n}\n\nexport const kCtorArgs = Symbol('ctorArgs')\n\nexport const kRiskyReify = Symbol('riskyReify')\n\nexport const Arborist: ArboristClass = require(getArboristClassPath())\n\n// Implementation code not related to our custom behavior is based on\n// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:\nexport class SafeArborist extends Arborist {\n constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {\n super(\n {\n path:\n (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n },\n ...ctorArgs.slice(1),\n )\n ;(this as any)[kCtorArgs] = ctorArgs\n }\n\n async [kRiskyReify](\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<SafeNode> {\n const ctorArgs = (this as any)[kCtorArgs]\n const arb = new Arborist(\n {\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n progress: false,\n },\n ...ctorArgs.slice(1),\n )\n const ret = await (arb.reify as (...args: any[]) => Promise<SafeNode>)(\n {\n ...(args.length ? args[0] : undefined),\n progress: false,\n },\n ...args.slice(1),\n )\n Object.assign(this, arb)\n return ret\n }\n\n // @ts-ignore Incorrectly typed.\n override async reify(\n this: SafeArborist,\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<SafeNode> {\n const options = {\n __proto__: null,\n ...(args.length ? 
args[0] : undefined),\n } as ArboristReifyOptions\n const ipc = await getIpc()\n const binName = ipc[SOCKET_CLI_SAFE_BIN]\n if (!binName) {\n return await this[kRiskyReify](...args)\n }\n await super.reify(\n {\n ...options,\n ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n progress: false,\n },\n // @ts-ignore: TypeScript gets grumpy about rest parameters.\n ...args.slice(1),\n )\n // Lazily access constants.ENV.SOCKET_CLI_ACCEPT_RISKS.\n const acceptRisks = constants.ENV.SOCKET_CLI_ACCEPT_RISKS\n const progress = ipc[SOCKET_CLI_SAFE_PROGRESS]\n const spinner =\n options['silent'] || !progress\n ? undefined\n : // Lazily access constants.spinner.\n constants.spinner\n const isSafeNpm = binName === NPM\n const isSafeNpx = binName === NPX\n const alertsMap = await getAlertsMapFromArborist(this, {\n spinner,\n include:\n acceptRisks || options.dryRun || options['yes']\n ? {\n actions: ['error'],\n blocked: true,\n critical: false,\n cve: false,\n existing: true,\n unfixable: false,\n }\n : {\n existing: isSafeNpx,\n unfixable: isSafeNpm,\n },\n })\n if (alertsMap.size) {\n process.exitCode = 1\n // Lazily access constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS.\n const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n throw new Error(\n `\n Socket ${binName} exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`\n }\n `.trim(),\n )\n } else if (!options['silent']) {\n logger.success(\n `Socket ${binName} ${acceptRisks ? 
'accepted' : 'found no'} risks`,\n )\n if (binName === NPX) {\n logger.log(`Running ${options.add![0]}`)\n }\n }\n return await this[kRiskyReify](...args)\n }\n}\n","import { createRequire } from 'node:module'\n\nimport {\n getArboristClassPath,\n getArboristEdgeClassPath,\n getArboristNodeClassPath,\n getArboristOverrideSetClassPath,\n} from '../paths.mts'\nimport { SafeArborist } from './lib/arborist/index.mts'\nimport { SafeEdge } from './lib/edge.mts'\nimport { SafeNode } from './lib/node.mts'\nimport { SafeOverrideSet } from './lib/override-set.mts'\n\nconst require = createRequire(import.meta.url)\n\nexport function installSafeArborist() {\n // Override '@npmcli/arborist' module exports with patched variants based on\n // https://github.com/npm/cli/pull/8089.\n const cache: { [key: string]: any } = require.cache\n cache[getArboristClassPath()] = { exports: SafeArborist }\n cache[getArboristEdgeClassPath()] = { exports: SafeEdge }\n cache[getArboristNodeClassPath()] = { exports: SafeNode }\n cache[getArboristOverrideSetClassPath()] = { exports: SafeOverrideSet }\n}\n","import { installSafeArborist } from 
'./arborist/index.mts'\n\ninstallSafeArborist()\n"],"names":["add","change","remove","_arboristPkgPath","_depValid","UNDEFINED_TOKEN","id","transformer","mod","canDedupe","canReplaceWith","overrides","recalculateOutEdgesOverrides","edge","newOverrideSet","from","detach","explain","bundled","overridden","error","rawSpec","explanation","reload","needToUpdateOverrideSet","NPM_REGISTRY_URL","eligibleVersions","getMajor","visited","queue","to","matches","__proto__","consolidate","limit","nothrow","actions","unfixable","include","unchanged","unknownOrigin","length","action","actual","ideal","keep","existing","node","Object","configurable","enumerable","integrity","dependencies","name","spec","type","result","getIpc","audit","dryRun","fund","ignoreScripts","progress","save","saveBundle","silent","path","constants","blocked","critical","cve","hideAt","logger","cache","exports","installSafeArborist"],"mappings":";;;;;;;;;;;;;AAsDO;AACLA;AACAC;AACAC;AACF;;ACnDA;AACO;;;AAGH;AAGA;AAIA;AACAC;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;ACnEA,iBAAA;AASA;AACO;;AAOHC;AACF;;AAEF;;ACvBA;AAAQC;AAAgB;AAaxB;AAIE;AACE;AACA;AACA;AACEC;AACAC;AACF;AACED;;AAEF;;AAEE;AACA;;;AAGE;AACF;;AAEJ;AACA;AACF;AAOA;AACO;;;AAMC;AACA;AACAE;AAIN;AACA;AACF;;AClDA,iBAAA;AAsBA;;AAEA;AACA;AACO;AACL;AACA;AACA;AAIE;AACA;AACA;;AAEF;;AAEA;AACA;AACA;AAIE;AAKE;AACE;AACF;AACF;AACA;AAKE;AACE;AACF;AACF;AACA;AACA;;AAEA;AACF;;AAEA;AACA;;;AAGI;AACF;AACA;AAAa;AAAQ;AAAoB;;;AAGrC;AACF;AACA;AACE;AACF;AACA;AACE;AACF;AACF;AACA;AACF;;;AAII;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;AACE;AACE;AACF;AACA;AACF;;AAEE;AAGE;AACF;AACA;AACF;AACA;AACA;AACA;AACA;AACF;AACA;AACF;;AAEA;AACA;;;AAGI;AACF;;AAEE;AACF;AACA;AAIE;AACF;AACA;AACE;AACF;AACA;;AAEA;;AAEF;AACF;;AC5JA,iBAAA;AA8EA;;AAEA;AACA;AACO;AACL;AACA;AACA;AACSC;AACP;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;;AAEE;AA
CF;AACA;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACA;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACSC;AACP;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;;;AAGI;AACF;AACF;;AAEI;AACF;AACF;AACF;AACA;AACA;AACA;AACA;AACA;;AAEA;AACE;AACF;;;;;;AAME;AACF;AACA;AACF;;AAEA;;AAEE;;AACQC;AAAU;AAClB;AACE;AACF;AACF;;AAGE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;;AAEF;;AAEA;;AAEE;AACA;AACA;;AAME;AACF;AACA;AACA;AACA;AACA;AACA;AACA;;AAMI;AACE;AACF;AACF;AACF;AACA;AACF;;AAGE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACQA;AAAU;AAClB;;AAEA;;;;;;AAME;AACF;AACF;;AAEA;AACA;AACSC;AACP;;AAEEC;;;AAGA;AACF;AACF;;AAEA;;AAEE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AAAuCF;AAAc;AACvD;;;;;;AAME;AACF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAKI;AACA;AACA;AACA;AACA;AACF;AACA;;;AAGE;AACF;;AAEE;AACF;;AAKA;;AAEI;AACF;;;AAGA;AACF;AACA;AACA;AACA;;AAEA;AACF;;AAEA;AACA;;AAEE;AACA;AACA;AACE;AACF;AACA;AACA;;AACUA;AAAyB;;;AAMjC;AACEG;AACF;AACF;;AAEE;AACF;;AAEA;AACE;AACA;AACA;AACA;AACA;;AAEF;AACA;AACF;AACF;;AChYA,iBAAA;AAqDO;;AAEP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACL;AACA;AACA;AACA;;;AAGUC;AAAK;AACb;;AAEA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACF;;AAGE;AACF;;AAGE;AACE;;AAEI;AACF;AACE;AACF;AACF;AAGE;AACA;AACA;AAEA;AACF;AACE;AACF;AACA;AACA;AAAA;AASE;AACA;AACA;AACA;AACA;AACA;AACF;AACE;AACF;AACF;AACA;AACE;AACF;;AAEF;;AAEA;;;AAGA;;AAEA;;;;;AASM;AACA;AACA;AACA;AACA;;AAIA;AACE;AACF;AACA;AACE;AACF;AACA;AACE;AACF;AACA;AACE;AACF;;AAEF;AACA;AACF;;AAEF;;AAEA;;;AAGA;AAESC;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;AACA;AACF;;AAEA;AACA;AACSC;AACP;AACE;;;;AAIEC;AACAC;AACAC;AACAL;AACAM;;AAEF;AACEC;;AAEF;;AAEEA;AACF;;AAEEA;AACF;AACA;;AAEA;AACA;AACF;;AAEF;AAESC;AACP;AACA;AACA;AACA;;AAEA;AACA;AACA;;;AAGI;AACA;AACA;AACA;AACAC;;;AAGF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACF;AACA;AACA;AAAA;AAEE;AACA;AACA;AACF;AAC
F;;AAGE;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;;AAEE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF;AACF;;AC5SA;;;AAA4BC;AAAiB;AAE7C;;AAEI;AACA;AACA;;;AAGF;AACF;AAEO;;AAOL;;AAEE;AACA;AACE;AACF;AACAC;AACF;AACE;AACA;AACE;AACF;AACAA;AAEI;AACA;AACAC;AAIN;;AAEF;AAEO;AAKL;AACA;;;AAGE;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACAC;AACA;AAIE;AACF;;AAEEC;AACF;;;AAEUC;AAAG;AACX;AACED;AACF;AACF;AACF;AACA;AACF;AAEO;;AAML;AACA;;;AAGE;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACAD;AACA;AAIEG;AACF;;AAEEF;AACF;;;AAEUC;AAAG;AACX;AACED;AACF;AACF;AACF;AACA;AACF;AASO;AAIL;AACEG;AACAC;AACAC;AACAC;;;AAIF;AACEH;AACAI;AAKAC;;AAKF;AACEC;;AAEA;AACF;AAEA;AAEA;;AAMA;;AAGM;AACF;AAEJ;AAEA;;;AAGA;AACF;AAgBO;;AAKL;;AAEE;AACF;AAEA;AACEN;AACAO;AACAC;;AACMR;;AAA4B;;AAGpC;;;AAEMS;AAAoB;;;AAGtB;AACF;AACA;;AACQC;AAAO;AACf;AACE;AACA;AACA;AACA;;AACQC;AAAiBC;AAAe;AACxC;;AAEA;;AAEIC;AACA;AAIEC;AACF;AACF;AAIF;AACED;AACF;AACA;AACE;;AAKIE;AACAD;AACF;AACF;AACF;AACF;AACA;AACEjB;AACF;AACF;;;AAEUU;AAAU;AAClB;AAAkBE;;AAChB;AACA;;AAKIM;AACAD;AACF;AACF;AACF;AACF;AACA;AACF;AAIO;;AAEP;AAEO;AACL;AACF;AAOO;AAKL;AACA;AACAE;AACEC;AACAC;;AAEF;AACA;AACAH;AACA;AACA;AACAA;AACA;AACA;;AACQI;;AACR;;AAEA;;AAEA;AACA;AACA;;AAEA;AACE;AACF;AACA;AACA;AAAkB;;;AACVC;;AACRL;AACA;;AAEI;AACE;AACA;;AAEF;AACF;AACF;;AAEE;AACE;AACA;AACAA;AAEIhC;AACAsC;AACAC;AACAC;AACF;AAEJ;AACF;AACF;AAEO;;AAQL;AACE;AACF;;AACQF;AAAK;;AAMX;AAGA;AACE;AACA;;;AAGIG;;AAEE;AACE;AACA;AACF;AACF;AACF;AACF;AACF;AACF;AACA;AACF;;ACjZA,iBAAA;AAEA;;;;;;;;AAQE;AAA+DC;AAAO;AACxE;AAEO;AACLzB;AACA0B;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEO;AAEA;AAEA;;AAEP;AACA;AACO;;AAEH;AAEIC;;;;AAOF;AACJ;AAEA;AAGE;AACA;;AAGIJ;;AAIJ;;AAGIA;;AAIJd;AACA;AACF;;AAEA;AACA;AAIE;AACEhB;;;AAGF;AACA;;;AAGA;;AAGI;AACA;AACA8B;;AAEF;AACA;AAEF;AACA;AACA;;AAIM;AACAK;AACN;AACA;AACA;;;;AAMUC;AACAC;AACAC;AACAxB;AACAT;AACF;AAEES;AACAT;AACF;AACR;;;AAGE;AACA;;AAEEkC;;AAEF;;AAGN;AAQA;AAGI;AACEC;;;AAKA;AACF;;AA
EF;AACF;;ACrJA,iBAAA;AAEO;AACL;AACA;AACA;AACAC;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACrBAC;;;;;;;;;;","debugId":"aa475dcb-56c6-4bc2-8b36-54e92a6963a9"}
|
|
1
|
+
{"version":3,"file":"shadow-inject.js","sources":["../src/shadow/npm/arborist/lib/arborist/types.mts","../src/shadow/npm/paths.mts","../src/shadow/npm/arborist/lib/dep-valid.mts","../src/shadow/npm/proc-log/index.mts","../src/shadow/npm/arborist/lib/override-set.mts","../src/shadow/npm/arborist/lib/node.mts","../src/shadow/npm/arborist/lib/edge.mts","../src/shadow/npm/arborist-helpers.mts","../src/shadow/npm/arborist/lib/arborist/index.mts","../src/shadow/npm/arborist/index.mts","../src/shadow/npm/inject.mts"],"sourcesContent":["import { createEnum } from '../../../../../utils/objects.mts'\n\nimport type { SafeNode } from '../node.mts'\nimport type {\n Options as ArboristOptions,\n Advisory as BaseAdvisory,\n Arborist as BaseArborist,\n AuditReport as BaseAuditReport,\n Diff as BaseDiff,\n BuildIdealTreeOptions,\n ReifyOptions,\n} from '@npmcli/arborist'\n\nexport type ArboristClass = ArboristInstance & {\n new (...args: any): ArboristInstance\n}\n\nexport type ArboristInstance = Omit<\n typeof BaseArborist,\n | 'actualTree'\n | 'auditReport'\n | 'buildIdealTree'\n | 'diff'\n | 'idealTree'\n | 'loadActual'\n | 'loadVirtual'\n | 'reify'\n> & {\n auditReport?: AuditReportInstance | null | undefined\n actualTree?: SafeNode | null | undefined\n diff: Diff | null\n idealTree?: SafeNode | null | undefined\n buildIdealTree(options?: BuildIdealTreeOptions): Promise<SafeNode>\n loadActual(options?: ArboristOptions): Promise<SafeNode>\n loadVirtual(options?: ArboristOptions): Promise<SafeNode>\n reify(options?: ArboristReifyOptions): Promise<SafeNode>\n}\n\nexport type ArboristReifyOptions = ReifyOptions & ArboristOptions\n\nexport type AuditReportInstance = Omit<BaseAuditReport, 'report'> & {\n report: { [dependency: string]: AuditAdvisory[] }\n}\n\nexport type AuditAdvisory = Omit<BaseAdvisory, 'id'> & {\n id: number\n cwe: string[]\n cvss: {\n score: number\n vectorString: string\n }\n vulnerable_versions: string\n}\n\nexport const DiffAction = createEnum({\n add: 
'ADD',\n change: 'CHANGE',\n remove: 'REMOVE',\n})\n\nexport type Diff = Omit<\n BaseDiff,\n | 'actual'\n | 'children'\n | 'filterSet'\n | 'ideal'\n | 'leaves'\n | 'removed'\n | 'shrinkwrapInflated'\n | 'unchanged'\n> & {\n actual: SafeNode\n children: Diff[]\n filterSet: Set<SafeNode>\n ideal: SafeNode\n leaves: SafeNode[]\n parent: Diff | null\n removed: SafeNode[]\n shrinkwrapInflated: Set<SafeNode>\n unchanged: SafeNode[]\n}\n","import path from 'node:path'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../../constants.mts'\nimport { getNpmRequire } from '../../utils/npm-paths.mts'\n\nlet _arboristPkgPath: string | undefined\nexport function getArboristPackagePath() {\n if (_arboristPkgPath === undefined) {\n const pkgName = '@npmcli/arborist'\n const mainPathWithForwardSlashes = normalizePath(\n getNpmRequire().resolve(pkgName),\n )\n const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n 0,\n mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length,\n )\n // Lazily access constants.WIN32.\n _arboristPkgPath = constants.WIN32\n ? 
path.normalize(arboristPkgPathWithForwardSlashes)\n : arboristPkgPathWithForwardSlashes\n }\n return _arboristPkgPath\n}\n\nlet _arboristClassPath: string | undefined\nexport function getArboristClassPath() {\n if (_arboristClassPath === undefined) {\n _arboristClassPath = path.join(\n getArboristPackagePath(),\n 'lib/arborist/index.js',\n )\n }\n return _arboristClassPath\n}\n\nlet _arboristDepValidPath: string | undefined\nexport function getArboristDepValidPath() {\n if (_arboristDepValidPath === undefined) {\n _arboristDepValidPath = path.join(\n getArboristPackagePath(),\n 'lib/dep-valid.js',\n )\n }\n return _arboristDepValidPath\n}\n\nlet _arboristEdgeClassPath: string | undefined\nexport function getArboristEdgeClassPath() {\n if (_arboristEdgeClassPath === undefined) {\n _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n }\n return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string | undefined\nexport function getArboristNodeClassPath() {\n if (_arboristNodeClassPath === undefined) {\n _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n }\n return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string | undefined\nexport function getArboristOverrideSetClassPath() {\n if (_arboristOverrideSetClassPath === undefined) {\n _arboristOverrideSetClassPath = path.join(\n getArboristPackagePath(),\n 'lib/override-set.js',\n )\n }\n return _arboristOverrideSetClassPath\n}\n","import { createRequire } from 'node:module'\n\nimport { getArboristDepValidPath } from '../../paths.mts'\n\nimport type { SafeNode } from './node.mts'\n\nconst require = createRequire(import.meta.url)\n\ntype DepValidFn = (\n child: SafeNode,\n requested: string,\n accept: string | undefined,\n requester: SafeNode,\n) => boolean\n\nlet _depValid: DepValidFn | undefined\nexport function depValid(\n child: SafeNode,\n requested: string,\n accept: string | undefined,\n requester: SafeNode,\n) {\n if (_depValid === 
undefined) {\n _depValid = require(getArboristDepValidPath()) as DepValidFn\n }\n return _depValid(child, requested, accept, requester)\n}\n","import constants from '../../../constants.mts'\nimport { getNpmRequire } from '../../../utils/npm-paths.mts'\n\nconst { UNDEFINED_TOKEN } = constants\n\ninterface RequireKnownModules {\n npmlog: typeof import('npmlog')\n // The DefinitelyTyped definition of 'proc-log' does NOT have the log method.\n // The return type of the log method is the same as `typeof import('proc-log')`.\n 'proc-log': typeof import('proc-log')\n}\n\ntype RequireTransformer<T extends keyof RequireKnownModules> = (\n mod: RequireKnownModules[T],\n) => RequireKnownModules[T]\n\nfunction tryRequire<T extends keyof RequireKnownModules>(\n req: NodeJS.Require,\n ...ids: Array<T | [T, RequireTransformer<T>]>\n): RequireKnownModules[T] | undefined {\n for (const data of ids) {\n let id: string | undefined\n let transformer: RequireTransformer<T> | undefined\n if (Array.isArray(data)) {\n id = data[0]\n transformer = data[1] as RequireTransformer<T>\n } else {\n id = data as keyof RequireKnownModules\n transformer = mod => mod\n }\n try {\n // Check that the transformed value isn't `undefined` because older\n // versions of packages like 'proc-log' may not export a `log` method.\n const exported = transformer(req(id))\n if (exported !== undefined) {\n return exported\n }\n } catch {}\n }\n return undefined\n}\n\nexport type Logger =\n | typeof import('npmlog')\n | typeof import('proc-log')\n | undefined\n\nlet _log: Logger | {} | undefined = UNDEFINED_TOKEN\nexport function getLogger(): Logger {\n if (_log === UNDEFINED_TOKEN) {\n _log = tryRequire(\n getNpmRequire(),\n [\n 'proc-log/lib/index.js' as 'proc-log',\n // The proc-log DefinitelyTyped definition is incorrect. 
The type definition\n // is really that of its export log.\n mod => (mod as any).log as RequireKnownModules['proc-log'],\n ],\n 'npmlog/lib/log.js' as 'npmlog',\n )\n }\n return _log as Logger | undefined\n}\n","import { createRequire } from 'node:module'\n\nimport npa from 'npm-package-arg'\nimport semver from 'semver'\n\nimport { getArboristOverrideSetClassPath } from '../../paths.mts'\nimport { getLogger } from '../../proc-log/index.mts'\n\nimport type { SafeEdge } from './edge.mts'\nimport type { SafeNode } from './node.mts'\nimport type { AliasResult, RegistryResult } from 'npm-package-arg'\n\nconst require = createRequire(import.meta.url)\n\ninterface OverrideSetClass {\n children: Map<string, SafeOverrideSet>\n key: string | undefined\n keySpec: string | undefined\n name: string | undefined\n parent: SafeOverrideSet | undefined\n value: string | undefined\n version: string | undefined\n // eslint-disable-next-line @typescript-eslint/no-misused-new\n new (...args: any[]): OverrideSetClass\n get isRoot(): boolean\n get ruleset(): Map<string, SafeOverrideSet>\n ancestry(): Generator<SafeOverrideSet>\n childrenAreEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean\n getEdgeRule(edge: SafeEdge): SafeOverrideSet\n getNodeRule(node: SafeNode): SafeOverrideSet\n getMatchingRule(node: SafeNode): SafeOverrideSet | null\n isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean\n}\n\nconst OverrideSet: OverrideSetClass = require(getArboristOverrideSetClassPath())\n\n// Implementation code not related to patch https://github.com/npm/cli/pull/8089\n// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:\nexport class SafeOverrideSet extends OverrideSet {\n // Patch adding doOverrideSetsConflict is based on\n // https://github.com/npm/cli/pull/8089.\n static doOverrideSetsConflict(\n first: SafeOverrideSet | undefined,\n second: SafeOverrideSet | undefined,\n ) {\n // If override sets contain one another then we can 
try to use the more\n // specific one. If neither one is more specific, then we consider them to\n // be in conflict.\n return this.findSpecificOverrideSet(first, second) === undefined\n }\n\n // Patch adding findSpecificOverrideSet is based on\n // https://github.com/npm/cli/pull/8089.\n static findSpecificOverrideSet(\n first: SafeOverrideSet | undefined,\n second: SafeOverrideSet | undefined,\n ) {\n for (\n let overrideSet = second;\n overrideSet;\n overrideSet = overrideSet.parent\n ) {\n if (overrideSet.isEqual(first)) {\n return second\n }\n }\n for (\n let overrideSet = first;\n overrideSet;\n overrideSet = overrideSet.parent\n ) {\n if (overrideSet.isEqual(second)) {\n return first\n }\n }\n // The override sets are incomparable. Neither one contains the other.\n const log = getLogger()\n log?.silly('Conflicting override sets', first, second)\n return undefined\n }\n\n // Patch adding childrenAreEqual is based on\n // https://github.com/npm/cli/pull/8089.\n override childrenAreEqual(otherOverrideSet: SafeOverrideSet) {\n if (this.children.size !== otherOverrideSet.children.size) {\n return false\n }\n for (const { 0: key, 1: childOverrideSet } of this.children) {\n const otherChildOverrideSet = otherOverrideSet.children.get(key)\n if (!otherChildOverrideSet) {\n return false\n }\n if (childOverrideSet.value !== otherChildOverrideSet.value) {\n return false\n }\n if (!childOverrideSet.childrenAreEqual(otherChildOverrideSet)) {\n return false\n }\n }\n return true\n }\n\n override getEdgeRule(edge: SafeEdge): SafeOverrideSet {\n for (const rule of this.ruleset.values()) {\n if (rule.name !== edge.name) {\n continue\n }\n // If keySpec is * we found our override.\n if (rule.keySpec === '*') {\n return rule\n }\n // Patch replacing\n // let spec = npa(`${edge.name}@${edge.spec}`)\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // We need to use the rawSpec here, because the spec has the overrides\n // applied to it already. 
The rawSpec can be undefined, so we need to use\n // the fallback value of spec if it is.\n let spec = npa(`${edge.name}@${edge.rawSpec || edge.spec}`)\n if (spec.type === 'alias') {\n spec = (spec as AliasResult).subSpec\n }\n if (spec.type === 'git') {\n if (spec.gitRange && semver.intersects(spec.gitRange, rule.keySpec!)) {\n return rule\n }\n continue\n }\n if (spec.type === 'range' || spec.type === 'version') {\n if (\n semver.intersects((spec as RegistryResult).fetchSpec, rule.keySpec!)\n ) {\n return rule\n }\n continue\n }\n // If we got this far, the spec type is one of tag, directory or file\n // which means we have no real way to make version comparisons, so we\n // just accept the override.\n return rule\n }\n return this\n }\n\n // Patch adding isEqual is based on\n // https://github.com/npm/cli/pull/8089.\n override isEqual(otherOverrideSet: SafeOverrideSet | undefined): boolean {\n if (this === otherOverrideSet) {\n return true\n }\n if (!otherOverrideSet) {\n return false\n }\n if (\n this.key !== otherOverrideSet.key ||\n this.value !== otherOverrideSet.value\n ) {\n return false\n }\n if (!this.childrenAreEqual(otherOverrideSet)) {\n return false\n }\n if (!this.parent) {\n return !otherOverrideSet.parent\n }\n return this.parent.isEqual(otherOverrideSet.parent)\n }\n}\n","import { createRequire } from 'node:module'\n\nimport semver from 'semver'\n\nimport { SafeOverrideSet } from './override-set.mts'\nimport { getArboristNodeClassPath } from '../../paths.mts'\nimport { getLogger } from '../../proc-log/index.mts'\n\nimport type { SafeEdge } from './edge.mts'\nimport type { Node as BaseNode } from '@npmcli/arborist'\n\nconst require = createRequire(import.meta.url)\n\ntype NodeClass = Omit<\n BaseNode,\n | 'addEdgeIn'\n | 'addEdgeOut'\n | 'canDedupe'\n | 'canReplace'\n | 'canReplaceWith'\n | 'children'\n | 'deleteEdgeIn'\n | 'edgesIn'\n | 'edgesOut'\n | 'from'\n | 'hasShrinkwrap'\n | 'inDepBundle'\n | 'inShrinkwrap'\n | 'integrity'\n | 'isTop'\n | 
'matches'\n | 'meta'\n | 'name'\n | 'overrides'\n | 'packageName'\n | 'parent'\n | 'recalculateOutEdgesOverrides'\n | 'resolve'\n | 'resolveParent'\n | 'root'\n | 'target'\n | 'updateOverridesEdgeInAdded'\n | 'updateOverridesEdgeInRemoved'\n | 'version'\n | 'versions'\n> & {\n name: string\n version: string\n children: Map<string, SafeNode | LinkClass>\n edgesIn: Set<SafeEdge>\n edgesOut: Map<string, SafeEdge>\n from: SafeNode | null\n hasShrinkwrap: boolean\n inShrinkwrap: boolean | undefined\n integrity?: string | null\n isTop: boolean | undefined\n meta: BaseNode['meta'] & {\n addEdge(edge: SafeEdge): void\n }\n overrides: SafeOverrideSet | undefined\n target: SafeNode\n versions: string[]\n get inDepBundle(): boolean\n get packageName(): string | null\n get parent(): SafeNode | null\n set parent(value: SafeNode | null)\n get resolveParent(): SafeNode | null\n get root(): SafeNode | null\n set root(value: SafeNode | null)\n new (...args: any): NodeClass\n addEdgeIn(edge: SafeEdge): void\n addEdgeOut(edge: SafeEdge): void\n canDedupe(preferDedupe?: boolean): boolean\n canReplace(node: SafeNode, ignorePeers?: string[]): boolean\n canReplaceWith(node: SafeNode, ignorePeers?: string[]): boolean\n deleteEdgeIn(edge: SafeEdge): void\n matches(node: SafeNode): boolean\n recalculateOutEdgesOverrides(): void\n resolve(name: string): SafeNode\n updateOverridesEdgeInAdded(\n otherOverrideSet: SafeOverrideSet | undefined,\n ): boolean\n updateOverridesEdgeInRemoved(otherOverrideSet: SafeOverrideSet): boolean\n}\n\nexport type LinkClass = Omit<NodeClass, 'isLink'> & {\n readonly isLink: true\n}\n\nconst Node: NodeClass = require(getArboristNodeClassPath())\n\n// Implementation code not related to patch https://github.com/npm/cli/pull/8089\n// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:\nexport class SafeNode extends Node {\n // Return true if it's safe to remove this node, because anything that is\n // depending on it would be fine 
with the thing that they would resolve to if\n // it was removed, or nothing is depending on it in the first place.\n override canDedupe(preferDedupe = false) {\n // Not allowed to mess with shrinkwraps or bundles.\n if (this.inDepBundle || this.inShrinkwrap) {\n return false\n }\n // It's a top level pkg, or a dep of one.\n if (!this.resolveParent?.resolveParent) {\n return false\n }\n // No one wants it, remove it.\n if (this.edgesIn.size === 0) {\n return true\n }\n const other = this.resolveParent.resolveParent.resolve(this.name)\n // Nothing else, need this one.\n if (!other) {\n return false\n }\n // If it's the same thing, then always fine to remove.\n if (other.matches(this)) {\n return true\n }\n // If the other thing can't replace this, then skip it.\n if (!other.canReplace(this)) {\n return false\n }\n // Patch replacing\n // if (preferDedupe || semver.gte(other.version, this.version)) {\n // return true\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // If we prefer dedupe, or if the version is equal, take the other.\n if (preferDedupe || semver.eq(other.version, this.version)) {\n return true\n }\n // If our current version isn't the result of an override, then prefer to\n // take the greater version.\n if (!this.overridden && semver.gt(other.version, this.version)) {\n return true\n }\n return false\n }\n\n // Is it safe to replace one node with another? check the edges to\n // make sure no one will get upset. Note that the node might end up\n // having its own unmet dependencies, if the new node has new deps.\n // Note that there are cases where Arborist will opt to insert a node\n // into the tree even though this function returns false! This is\n // necessary when a root dependency is added or updated, or when a\n // root dependency brings peer deps along with it. 
In that case, we\n // will go ahead and create the invalid state, and then try to resolve\n // it with more tree construction, because it's a user request.\n override canReplaceWith(node: SafeNode, ignorePeers?: string[]): boolean {\n if (this.name !== node.name || this.packageName !== node.packageName) {\n return false\n }\n // Patch replacing\n // if (node.overrides !== this.overrides) {\n // return false\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // If this node has no dependencies, then it's irrelevant to check the\n // override rules of the replacement node.\n if (this.edgesOut.size) {\n // XXX need to check for two root nodes?\n if (node.overrides) {\n if (!node.overrides.isEqual(this.overrides)) {\n return false\n }\n } else {\n if (this.overrides) {\n return false\n }\n }\n }\n // To satisfy the patch we ensure `node.overrides === this.overrides`\n // so that the condition we want to replace,\n // if (this.overrides !== node.overrides) {\n // , is not hit.`\n const oldOverrideSet = this.overrides\n let result = true\n if (oldOverrideSet !== node.overrides) {\n this.overrides = node.overrides\n }\n try {\n result = super.canReplaceWith(node, ignorePeers)\n this.overrides = oldOverrideSet\n } catch (e) {\n this.overrides = oldOverrideSet\n throw e\n }\n return result\n }\n\n // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/8089.\n override deleteEdgeIn(edge: SafeEdge) {\n this.edgesIn.delete(edge)\n const { overrides } = edge\n if (overrides) {\n this.updateOverridesEdgeInRemoved(overrides)\n }\n }\n\n override addEdgeIn(edge: SafeEdge): void {\n // Patch replacing\n // if (edge.overrides) {\n // this.overrides = edge.overrides\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // We need to handle the case where the new edge in has an overrides field\n // which is different from the current value.\n if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {\n 
this.updateOverridesEdgeInAdded(edge.overrides)\n }\n this.edgesIn.add(edge)\n // Try to get metadata from the yarn.lock file.\n this.root.meta?.addEdge(edge)\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get overridden() {\n // Patch replacing\n // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)\n // is based on https://github.com/npm/cli/pull/8089.\n if (\n !this.overrides ||\n !this.overrides.value ||\n this.overrides.name !== this.name\n ) {\n return false\n }\n // The overrides rule is for a package with this name, but some override\n // rules only apply to specific versions. To make sure this package was\n // actually overridden, we check whether any edge going in had the rule\n // applied to it, in which case its overrides set is different than its\n // source node.\n for (const edge of this.edgesIn) {\n if (\n edge.overrides &&\n edge.overrides.name === this.name &&\n edge.overrides.value === this.version\n ) {\n if (!edge.overrides.isEqual(edge.from?.overrides)) {\n return true\n }\n }\n }\n return false\n }\n\n override set parent(newParent: SafeNode) {\n // Patch removing\n // if (parent.overrides) {\n // this.overrides = parent.overrides.getNodeRule(this)\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // The \"parent\" setter is a really large and complex function. 
To satisfy\n // the patch we hold on to the old overrides value and set `this.overrides`\n // to `undefined` so that the condition we want to remove is not hit.\n const { overrides } = this\n if (overrides) {\n this.overrides = undefined\n }\n try {\n super.parent = newParent\n this.overrides = overrides\n } catch (e) {\n this.overrides = overrides\n throw e\n }\n }\n\n // Patch adding recalculateOutEdgesOverrides is based on\n // https://github.com/npm/cli/pull/8089.\n override recalculateOutEdgesOverrides() {\n // For each edge out propagate the new overrides through.\n for (const edge of this.edgesOut.values()) {\n edge.reload(true)\n if (edge.to) {\n edge.to.updateOverridesEdgeInAdded(edge.overrides)\n }\n }\n }\n\n // @ts-ignore: Incorrectly typed to accept null.\n override set root(newRoot: SafeNode) {\n // Patch removing\n // if (!this.overrides && this.parent && this.parent.overrides) {\n // this.overrides = this.parent.overrides.getNodeRule(this)\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // The \"root\" setter is a really large and complex function. To satisfy the\n // patch we add a dummy value to `this.overrides` so that the condition we\n // want to remove is not hit.\n if (!this.overrides) {\n this.overrides = new SafeOverrideSet({ overrides: '' })\n }\n try {\n super.root = newRoot\n this.overrides = undefined\n } catch (e) {\n this.overrides = undefined\n throw e\n }\n }\n\n // Patch adding updateOverridesEdgeInAdded is based on\n // https://github.com/npm/cli/pull/7025.\n //\n // This logic isn't perfect either. When we have two edges in that have\n // different override sets, then we have to decide which set is correct. This\n // function assumes the more specific override set is applicable, so if we have\n // dependencies A->B->C and A->C and an override set that specifies what happens\n // for C under A->B, this will work even if the new A->C edge comes along and\n // tries to change the override set. 
The strictly correct logic is not to allow\n // two edges with different overrides to point to the same node, because even\n // if this node can satisfy both, one of its dependencies might need to be\n // different depending on the edge leading to it. However, this might cause a\n // lot of duplication, because the conflict in the dependencies might never\n // actually happen.\n override updateOverridesEdgeInAdded(\n otherOverrideSet: SafeOverrideSet | undefined,\n ) {\n if (!otherOverrideSet) {\n // Assuming there are any overrides at all, the overrides field is never\n // undefined for any node at the end state of the tree. So if the new edge's\n // overrides is undefined it will be updated later. So we can wait with\n // updating the node's overrides field.\n return false\n }\n if (!this.overrides) {\n this.overrides = otherOverrideSet\n this.recalculateOutEdgesOverrides()\n return true\n }\n if (this.overrides.isEqual(otherOverrideSet)) {\n return false\n }\n const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(\n this.overrides,\n otherOverrideSet,\n )\n if (newOverrideSet) {\n if (this.overrides.isEqual(newOverrideSet)) {\n return false\n }\n this.overrides = newOverrideSet\n this.recalculateOutEdgesOverrides()\n return true\n }\n // This is an error condition. 
We can only get here if the new override set\n // is in conflict with the existing.\n const log = getLogger()\n log?.silly('Conflicting override sets', this.name)\n return false\n }\n\n // Patch adding updateOverridesEdgeInRemoved is based on\n // https://github.com/npm/cli/pull/7025.\n override updateOverridesEdgeInRemoved(otherOverrideSet: SafeOverrideSet) {\n // If this edge's overrides isn't equal to this node's overrides,\n // then removing it won't change newOverrideSet later.\n if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {\n return false\n }\n let newOverrideSet\n for (const edge of this.edgesIn) {\n const { overrides: edgeOverrides } = edge\n if (newOverrideSet && edgeOverrides) {\n newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(\n edgeOverrides,\n newOverrideSet,\n )\n } else {\n newOverrideSet = edgeOverrides\n }\n }\n if (this.overrides.isEqual(newOverrideSet)) {\n return false\n }\n this.overrides = newOverrideSet\n if (newOverrideSet) {\n // Optimization: If there's any override set at all, then no non-extraneous\n // node has an empty override set. So if we temporarily have no override set\n // (for example, we removed all the edges in), there's no use updating all\n // the edges out right now. 
Let's just wait until we have an actual override\n // set later.\n this.recalculateOutEdgesOverrides()\n }\n return true\n }\n}\n","import { createRequire } from 'node:module'\n\nimport { depValid } from './dep-valid.mts'\nimport { SafeNode } from './node.mts'\nimport { SafeOverrideSet } from './override-set.mts'\nimport { getArboristEdgeClassPath } from '../../paths.mts'\n\nimport type { Edge as BaseEdge, DependencyProblem } from '@npmcli/arborist'\n\nconst require = createRequire(import.meta.url)\n\ntype EdgeClass = Omit<\n BaseEdge,\n | 'accept'\n | 'detach'\n | 'optional'\n | 'overrides'\n | 'peer'\n | 'peerConflicted'\n | 'rawSpec'\n | 'reload'\n | 'satisfiedBy'\n | 'spec'\n | 'to'\n> & {\n optional: boolean\n overrides: SafeOverrideSet | undefined\n peer: boolean\n peerConflicted: boolean\n rawSpec: string\n get accept(): string | undefined\n get spec(): string\n get to(): SafeNode | null\n new (...args: any): EdgeClass\n detach(): void\n reload(hard?: boolean): void\n satisfiedBy(node: SafeNode): boolean\n}\n\nexport type EdgeOptions = {\n type: string\n name: string\n spec: string\n from: SafeNode\n accept?: string | undefined\n overrides?: SafeOverrideSet | undefined\n to?: SafeNode | undefined\n}\n\nexport type ErrorStatus = DependencyProblem | 'OK'\n\nexport type Explanation = {\n type: string\n name: string\n spec: string\n bundled: boolean\n overridden: boolean\n error: ErrorStatus | undefined\n rawSpec: string | undefined\n from: object | undefined\n} | null\n\nexport const Edge: EdgeClass = require(getArboristEdgeClassPath())\n\n// The Edge class makes heavy use of private properties which subclasses do NOT\n// have access to. So we have to recreate any functionality that relies on those\n// private properties and use our own \"safe\" prefixed non-conflicting private\n// properties. 
Implementation code not related to patch https://github.com/npm/cli/pull/8089\n// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.\n//\n// The npm application\n// Copyright (c) npm, Inc. and Contributors\n// Licensed on the terms of The Artistic License 2.0\n//\n// An edge in the dependency graph.\n// Represents a dependency relationship of some kind.\nexport class SafeEdge extends Edge {\n #safeError: ErrorStatus | null\n #safeExplanation: Explanation | undefined\n #safeFrom: SafeNode | null\n #safeTo: SafeNode | null\n\n constructor(options: EdgeOptions) {\n const { from } = options\n // Defer to supper to validate options and assign non-private values.\n super(options)\n if (from.constructor !== SafeNode) {\n Reflect.setPrototypeOf(from, SafeNode.prototype)\n }\n this.#safeError = null\n this.#safeExplanation = null\n this.#safeFrom = from\n this.#safeTo = null\n this.reload(true)\n }\n\n override get bundled() {\n return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name)\n }\n\n override get error() {\n if (!this.#safeError) {\n if (!this.#safeTo) {\n if (this.optional) {\n this.#safeError = null\n } else {\n this.#safeError = 'MISSING'\n }\n } else if (\n this.peer &&\n this.#safeFrom === this.#safeTo.parent &&\n // Patch adding \"?.\" use based on\n // https://github.com/npm/cli/pull/8089.\n !this.#safeFrom?.isTop\n ) {\n this.#safeError = 'PEER LOCAL'\n } else if (!this.satisfiedBy(this.#safeTo)) {\n this.#safeError = 'INVALID'\n }\n // Patch adding \"else if\" condition is based on\n // https://github.com/npm/cli/pull/8089.\n else if (\n this.overrides &&\n this.#safeTo.edgesOut.size &&\n SafeOverrideSet.doOverrideSetsConflict(\n this.overrides,\n this.#safeTo.overrides,\n )\n ) {\n // Any inconsistency between the edge's override set and the target's\n // override set is potentially problematic. But we only say the edge is\n // in error if the override sets are plainly conflicting. 
Note that if\n // the target doesn't have any dependencies of their own, then this\n // inconsistency is irrelevant.\n this.#safeError = 'INVALID'\n } else {\n this.#safeError = 'OK'\n }\n }\n if (this.#safeError === 'OK') {\n return null\n }\n return this.#safeError\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get from() {\n return this.#safeFrom\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get spec(): string {\n if (\n this.overrides?.value &&\n this.overrides.value !== '*' &&\n this.overrides.name === this.name\n ) {\n if (this.overrides.value.startsWith('$')) {\n const ref = this.overrides.value.slice(1)\n // We may be a virtual root, if we are we want to resolve reference\n // overrides from the real root, not the virtual one.\n //\n // Patch adding \"?.\" use based on\n // https://github.com/npm/cli/pull/8089.\n const pkg = this.#safeFrom?.sourceReference\n ? this.#safeFrom?.sourceReference.root.package\n : this.#safeFrom?.root?.package\n if (pkg?.devDependencies?.[ref]) {\n return pkg.devDependencies[ref] as string\n }\n if (pkg?.optionalDependencies?.[ref]) {\n return pkg.optionalDependencies[ref] as string\n }\n if (pkg?.dependencies?.[ref]) {\n return pkg.dependencies[ref] as string\n }\n if (pkg?.peerDependencies?.[ref]) {\n return pkg.peerDependencies[ref] as string\n }\n throw new Error(`Unable to resolve reference ${this.overrides.value}`)\n }\n return this.overrides.value\n }\n return this.rawSpec\n }\n\n // @ts-ignore: Incorrectly typed as a property instead of an accessor.\n override get to() {\n return this.#safeTo\n }\n\n override detach() {\n this.#safeExplanation = null\n // Patch replacing\n // if (this.#to) {\n // this.#to.edgesIn.delete(this)\n // }\n // this.#from.edgesOut.delete(this.#name)\n // is based on https://github.com/npm/cli/pull/8089.\n this.#safeTo?.deleteEdgeIn(this)\n this.#safeFrom?.edgesOut.delete(this.name)\n this.#safeTo = null\n 
this.#safeError = 'DETACHED'\n this.#safeFrom = null\n }\n\n // Return the edge data, and an explanation of how that edge came to be here.\n // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.\n override explain() {\n if (!this.#safeExplanation) {\n const explanation: Explanation = {\n type: this.type,\n name: this.name,\n spec: this.spec,\n bundled: false,\n overridden: false,\n error: undefined,\n from: undefined,\n rawSpec: undefined,\n }\n if (this.rawSpec !== this.spec) {\n explanation.rawSpec = this.rawSpec\n explanation.overridden = true\n }\n if (this.bundled) {\n explanation.bundled = this.bundled\n }\n if (this.error) {\n explanation.error = this.error\n }\n if (this.#safeFrom) {\n explanation.from = this.#safeFrom.explain()\n }\n this.#safeExplanation = explanation\n }\n return this.#safeExplanation\n }\n\n override reload(hard = false) {\n this.#safeExplanation = null\n // Patch replacing\n // if (this.#from.overrides) {\n // is based on https://github.com/npm/cli/pull/8089.\n let needToUpdateOverrideSet = false\n let newOverrideSet\n let oldOverrideSet\n if (this.#safeFrom?.overrides) {\n newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this)\n if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {\n // If there's a new different override set we need to propagate it to\n // the nodes. If we're deleting the override set then there's no point\n // propagating it right now since it will be filled with another value\n // later.\n needToUpdateOverrideSet = true\n oldOverrideSet = this.overrides\n this.overrides = newOverrideSet\n }\n } else {\n this.overrides = undefined\n }\n // Patch adding \"?.\" use based on\n // https://github.com/npm/cli/pull/8089.\n const newTo = this.#safeFrom?.resolve(this.name)\n if (newTo !== this.#safeTo) {\n // Patch replacing\n // this.#to.edgesIn.delete(this)\n // is based on https://github.com/npm/cli/pull/8089.\n this.#safeTo?.deleteEdgeIn(this)\n this.#safeTo = (newTo as SafeNode) ?? 
null\n this.#safeError = null\n this.#safeTo?.addEdgeIn(this)\n } else if (hard) {\n this.#safeError = null\n }\n // Patch adding \"else if\" condition based on\n // https://github.com/npm/cli/pull/8089.\n else if (needToUpdateOverrideSet && this.#safeTo) {\n // Propagate the new override set to the target node.\n this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet!)\n this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet)\n }\n }\n\n override satisfiedBy(node: SafeNode) {\n // Patch replacing\n // if (node.name !== this.#name) {\n // return false\n // }\n // is based on https://github.com/npm/cli/pull/8089.\n if (node.name !== this.name || !this.#safeFrom) {\n return false\n }\n // NOTE: this condition means we explicitly do not support overriding\n // bundled or shrinkwrapped dependencies\n if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {\n return depValid(node, this.rawSpec, this.accept, this.#safeFrom)\n }\n // Patch replacing\n // return depValid(node, this.spec, this.#accept, this.#from)\n // is based on https://github.com/npm/cli/pull/8089.\n //\n // If there's no override we just use the spec.\n if (!this.overrides?.keySpec) {\n return depValid(node, this.spec, this.accept, this.#safeFrom)\n }\n // There's some override. If the target node satisfies the overriding spec\n // then it's okay.\n if (depValid(node, this.spec, this.accept, this.#safeFrom)) {\n return true\n }\n // If it doesn't, then it should at least satisfy the original spec.\n if (!depValid(node, this.rawSpec, this.accept, this.#safeFrom)) {\n return false\n }\n // It satisfies the original spec, not the overriding spec. 
We need to make\n // sure it doesn't use the overridden spec.\n // For example:\n // we might have an ^8.0.0 rawSpec, and an override that makes\n // keySpec=8.23.0 and the override value spec=9.0.0.\n // If the node is 9.0.0, then it's okay because it's consistent with spec.\n // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.\n // If the node is 8.23.0, then it's not okay because even though it's consistent\n // with the rawSpec, it's also consistent with the keySpec.\n // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.\n return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom)\n }\n}\n","import semver from 'semver'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\nimport { getManifestData } from '@socketsecurity/registry'\nimport { hasOwn } from '@socketsecurity/registry/lib/objects'\nimport { fetchPackagePackument } from '@socketsecurity/registry/lib/packages'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport constants from '../../constants.mts'\nimport { applyRange, getMajor } from '../../utils/semver.mts'\nimport { idToPurl } from '../../utils/spec.mts'\nimport { DiffAction } from './arborist/lib/arborist/types.mts'\nimport { Edge } from './arborist/lib/edge.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\n\nimport type { RangeStyle } from '../../utils/semver.mts'\nimport type { SafeArborist } from './arborist/lib/arborist/index.mts'\nimport type { Diff } from './arborist/lib/arborist/types.mts'\nimport type { SafeEdge } from './arborist/lib/edge.mts'\nimport type { LinkClass, SafeNode } from './arborist/lib/node.mts'\nimport type {\n AlertIncludeFilter,\n AlertsByPkgId,\n} from '../../utils/socket-package-alert.mts'\nimport type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nconst { LOOP_SENTINEL, NPM, NPM_REGISTRY_URL } = 
constants\n\nfunction getUrlOrigin(input: string): string {\n try {\n // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.\n // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base\n // return URL.parse(input)?.origin ?? ''\n return new URL(input).origin ?? ''\n } catch {}\n return ''\n}\n\nexport function findBestPatchVersion(\n node: SafeNode,\n availableVersions: string[],\n vulnerableVersionRange?: string,\n _firstPatchedVersionIdentifier?: string | undefined,\n): string | null {\n const manifestData = getManifestData(NPM, node.name)\n let eligibleVersions\n if (manifestData && manifestData.name === manifestData.package) {\n const major = getMajor(manifestData.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(v => getMajor(v) === major)\n } else {\n const major = getMajor(node.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(\n v =>\n // Filter for versions that are within the current major version and\n // are NOT in the vulnerable range.\n getMajor(v) === major &&\n (!vulnerableVersionRange ||\n !semver.satisfies(v, vulnerableVersionRange)),\n )\n }\n return eligibleVersions ? 
semver.maxSatisfying(eligibleVersions, '*') : null\n}\n\nexport function findPackageNode(\n tree: SafeNode,\n name: string,\n version?: string | undefined,\n): SafeNode | undefined {\n const queue: Array<SafeNode | LinkClass> = [tree]\n const visited = new Set<SafeNode>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNode')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n return node\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return undefined\n}\n\nexport function findPackageNodes(\n tree: SafeNode,\n name: string,\n version?: string | undefined,\n): SafeNode[] {\n const matches: SafeNode[] = []\n const queue: Array<SafeNode | LinkClass> = [tree]\n const visited = new Set<SafeNode>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNodes')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n matches.push(node)\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return matches\n}\n\nexport type GetAlertsMapFromArboristOptions = {\n consolidate?: boolean | undefined\n include?: AlertIncludeFilter | undefined\n nothrow?: boolean | undefined\n spinner?: Spinner | undefined\n}\n\nexport async function getAlertsMapFromArborist(\n arb: 
SafeArborist,\n options_?: GetAlertsMapFromArboristOptions | undefined,\n): Promise<AlertsByPkgId> {\n const options = {\n __proto__: null,\n consolidate: false,\n include: undefined,\n limit: Infinity,\n nothrow: false,\n ...options_,\n } as GetAlertsMapFromArboristOptions\n\n options.include = {\n __proto__: null,\n // Leave 'actions' unassigned so it can be given a default value in\n // subsequent functions where `options` is passed.\n // actions: undefined,\n blocked: true,\n critical: true,\n cve: true,\n existing: false,\n unfixable: true,\n upgradable: false,\n ...options.include,\n } as AlertIncludeFilter\n\n const needInfoOn = getDetailsFromDiff(arb.diff, {\n include: {\n unchanged: options.include.existing,\n },\n })\n\n const purls = needInfoOn.map(d => idToPurl(d.node.pkgid))\n\n let overrides: { [key: string]: string } | undefined\n const overridesMap = (\n arb.actualTree ??\n arb.idealTree ??\n (await arb.loadActual())\n )?.overrides?.children\n if (overridesMap) {\n overrides = Object.fromEntries(\n [...overridesMap.entries()].map(([key, overrideSet]) => {\n return [key, overrideSet.value!]\n }),\n )\n }\n\n return await getAlertsMapFromPurls(purls, {\n overrides,\n ...options,\n })\n}\n\nexport type DiffQueryIncludeFilter = {\n unchanged?: boolean | undefined\n unknownOrigin?: boolean | undefined\n}\n\nexport type DiffQueryOptions = {\n include?: DiffQueryIncludeFilter | undefined\n}\n\nexport type PackageDetail = {\n node: SafeNode\n existing?: SafeNode | undefined\n}\n\nexport function getDetailsFromDiff(\n diff_: Diff | null,\n options?: DiffQueryOptions | undefined,\n): PackageDetail[] {\n const details: PackageDetail[] = []\n // `diff_` is `null` when `npm install --package-lock-only` is passed.\n if (!diff_) {\n return details\n }\n\n const include = {\n __proto__: null,\n unchanged: false,\n unknownOrigin: false,\n ...({ __proto__: null, ...options } as DiffQueryOptions).include,\n } as DiffQueryIncludeFilter\n\n const queue: Diff[] = 
[...diff_.children]\n let pos = 0\n let { length: queueLength } = queue\n while (pos < queueLength) {\n if (pos === LOOP_SENTINEL) {\n throw new Error('Detected infinite loop while walking Arborist diff')\n }\n const diff = queue[pos++]!\n const { action } = diff\n if (action) {\n // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff\n // action is 'REMOVE'\n // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff\n // action is 'ADD'.\n const { actual: oldNode, ideal: pkgNode } = diff\n let existing: SafeNode | undefined\n let keep = false\n if (action === DiffAction.change) {\n if (pkgNode?.package.version !== oldNode?.package.version) {\n keep = true\n if (\n oldNode?.package.name &&\n oldNode.package.name === pkgNode?.package.name\n ) {\n existing = oldNode\n }\n } else {\n // TODO: This debug log has too much information. We should narrow it down.\n // debugLog('SKIPPING META CHANGE ON', diff)\n }\n } else {\n keep = action !== DiffAction.remove\n }\n if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {\n if (\n include.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing,\n })\n }\n }\n }\n for (const child of diff.children) {\n queue[queueLength++] = child\n }\n }\n if (include.unchanged) {\n const { unchanged } = diff_!\n for (let i = 0, { length } = unchanged; i < length; i += 1) {\n const pkgNode = unchanged[i]!\n if (\n include.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing: pkgNode,\n })\n }\n }\n }\n return details\n}\n\nexport function getTargetNode(nodeOrLink: SafeNode | LinkClass): SafeNode\nexport function getTargetNode<T>(nodeOrLink: T): SafeNode | null\nexport function getTargetNode(nodeOrLink: any): SafeNode | null {\n return nodeOrLink?.isLink ? nodeOrLink.target : (nodeOrLink ?? 
null)\n}\n\nexport function isTopLevel(tree: SafeNode, node: SafeNode): boolean {\n return getTargetNode(tree.children.get(node.name)) === node\n}\n\nexport type Packument = Exclude<\n Awaited<ReturnType<typeof fetchPackagePackument>>,\n null\n>\n\nexport function updateNode(\n node: SafeNode,\n newVersion: string,\n newVersionPackument: Packument['versions'][number],\n): void {\n // Object.defineProperty is needed to set the version property and replace\n // the old value with newVersion.\n Object.defineProperty(node, 'version', {\n configurable: true,\n enumerable: true,\n get: () => newVersion,\n })\n // Update package.version associated with the node.\n node.package.version = newVersion\n // Update node.resolved.\n const purlObj = PackageURL.fromString(idToPurl(node.name))\n node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${newVersion}.tgz`\n // Update node.integrity with the targetPackument.dist.integrity value if available\n // else delete node.integrity so a new value is resolved for the target version.\n const { integrity } = newVersionPackument.dist\n if (integrity) {\n node.integrity = integrity\n } else {\n delete node.integrity\n }\n // Update node.package.deprecated based on targetPackument.deprecated.\n if (hasOwn(newVersionPackument, 'deprecated')) {\n node.package['deprecated'] = newVersionPackument.deprecated as string\n } else {\n delete node.package['deprecated']\n }\n // Update node.package.dependencies.\n const newDeps = { ...newVersionPackument.dependencies }\n const { dependencies: oldDeps } = node.package\n node.package.dependencies = newDeps\n if (oldDeps) {\n for (const oldDepName of Object.keys(oldDeps)) {\n if (!hasOwn(newDeps, oldDepName)) {\n // Detach old edges for dependencies that don't exist on the updated\n // node.package.dependencies.\n node.edgesOut.get(oldDepName)?.detach()\n }\n }\n }\n for (const newDepName of Object.keys(newDeps)) {\n if (!hasOwn(oldDeps, newDepName)) {\n // Add new edges for 
dependencies that don't exist on the old\n // node.package.dependencies.\n node.addEdgeOut(\n new Edge({\n from: node,\n name: newDepName,\n spec: newDeps[newDepName],\n type: 'prod',\n }) as unknown as SafeEdge,\n )\n }\n }\n}\n\nexport function updatePackageJsonFromNode(\n editablePkgJson: EditablePackageJson,\n tree: SafeNode,\n node: SafeNode,\n newVersion: string,\n rangeStyle?: RangeStyle | undefined,\n): boolean {\n let result = false\n if (!isTopLevel(tree, node)) {\n return result\n }\n const { name } = node\n for (const depField of [\n 'dependencies',\n 'optionalDependencies',\n 'peerDependencies',\n ]) {\n const depObject = editablePkgJson.content[depField] as\n | { [key: string]: string }\n | undefined\n const oldRange = hasOwn(depObject, name) ? depObject[name] : undefined\n const oldMin = isNonEmptyString(oldRange)\n ? semver.minVersion(oldRange)\n : null\n const newRange =\n oldMin &&\n // Ensure we're on the same major version...\n semver.major(newVersion) === semver.major(oldMin.version) &&\n // and not a downgrade.\n semver.gte(newVersion, oldMin.version)\n ? 
applyRange(oldRange!, newVersion, rangeStyle)\n : oldRange!\n if (oldRange !== newRange) {\n result = true\n editablePkgJson.update({\n [depField]: {\n ...depObject,\n [name]: newRange,\n },\n })\n }\n }\n return result\n}\n","import { createRequire } from 'node:module'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants from '../../../../../constants.mts'\nimport { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'\nimport { getAlertsMapFromArborist } from '../../../arborist-helpers.mts'\nimport { getArboristClassPath } from '../../../paths.mts'\n\nimport type { ArboristClass, ArboristReifyOptions } from './types.mts'\nimport type { SafeNode } from '../node.mts'\n\nconst require = createRequire(import.meta.url)\n\nconst {\n NPM,\n NPX,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_SAFE_BIN,\n SOCKET_CLI_SAFE_PROGRESS,\n SOCKET_CLI_VIEW_ALL_RISKS,\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },\n} = constants\n\nexport const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n __proto__: null,\n audit: false,\n dryRun: true,\n fund: false,\n ignoreScripts: true,\n progress: false,\n save: false,\n saveBundle: false,\n silent: true,\n}\n\nexport const kCtorArgs = Symbol('ctorArgs')\n\nexport const kRiskyReify = Symbol('riskyReify')\n\nexport const Arborist: ArboristClass = require(getArboristClassPath())\n\n// Implementation code not related to our custom behavior is based on\n// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:\nexport class SafeArborist extends Arborist {\n constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {\n super(\n {\n path:\n (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),\n ...(ctorArgs.length ? 
ctorArgs[0] : undefined),\n ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n },\n ...ctorArgs.slice(1),\n )\n ;(this as any)[kCtorArgs] = ctorArgs\n }\n\n async [kRiskyReify](\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<SafeNode> {\n const ctorArgs = (this as any)[kCtorArgs]\n const arb = new Arborist(\n {\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n progress: false,\n },\n ...ctorArgs.slice(1),\n )\n const ret = await (arb.reify as (...args: any[]) => Promise<SafeNode>)(\n {\n ...(args.length ? args[0] : undefined),\n progress: false,\n },\n ...args.slice(1),\n )\n Object.assign(this, arb)\n return ret\n }\n\n // @ts-ignore Incorrectly typed.\n override async reify(\n this: SafeArborist,\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<SafeNode> {\n const options = {\n __proto__: null,\n ...(args.length ? args[0] : undefined),\n } as ArboristReifyOptions\n const ipc = await getIpc()\n const binName = ipc[SOCKET_CLI_SAFE_BIN]\n if (!binName) {\n return await this[kRiskyReify](...args)\n }\n await super.reify(\n {\n ...options,\n ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n progress: false,\n },\n // @ts-ignore: TypeScript gets grumpy about rest parameters.\n ...args.slice(1),\n )\n // Lazily access constants.ENV.SOCKET_CLI_ACCEPT_RISKS.\n const acceptRisks = constants.ENV.SOCKET_CLI_ACCEPT_RISKS\n const progress = ipc[SOCKET_CLI_SAFE_PROGRESS]\n const spinner =\n options['silent'] || !progress\n ? undefined\n : // Lazily access constants.spinner.\n constants.spinner\n const isSafeNpm = binName === NPM\n const isSafeNpx = binName === NPX\n const alertsMap = await getAlertsMapFromArborist(this, {\n spinner,\n include:\n acceptRisks || options.dryRun || options['yes']\n ? 
{\n actions: ['error'],\n blocked: true,\n critical: false,\n cve: false,\n existing: true,\n unfixable: false,\n }\n : {\n existing: isSafeNpx,\n unfixable: isSafeNpm,\n },\n })\n if (alertsMap.size) {\n process.exitCode = 1\n // Lazily access constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS.\n const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n throw new Error(\n `\n Socket ${binName} exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`\n }\n `.trim(),\n )\n } else if (!options['silent']) {\n logger.success(\n `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'} risks`,\n )\n if (binName === NPX) {\n logger.log(`Running ${options.add![0]}`)\n }\n }\n return await this[kRiskyReify](...args)\n }\n}\n","import { createRequire } from 'node:module'\n\nimport {\n getArboristClassPath,\n getArboristEdgeClassPath,\n getArboristNodeClassPath,\n getArboristOverrideSetClassPath,\n} from '../paths.mts'\nimport { SafeArborist } from './lib/arborist/index.mts'\nimport { SafeEdge } from './lib/edge.mts'\nimport { SafeNode } from './lib/node.mts'\nimport { SafeOverrideSet } from './lib/override-set.mts'\n\nconst require = createRequire(import.meta.url)\n\nexport function installSafeArborist() {\n // Override '@npmcli/arborist' module exports with patched variants based on\n // https://github.com/npm/cli/pull/8089.\n const cache: { [key: string]: any } = require.cache\n cache[getArboristClassPath()] = { exports: SafeArborist }\n cache[getArboristEdgeClassPath()] = { exports: SafeEdge }\n cache[getArboristNodeClassPath()] = { exports: SafeNode }\n cache[getArboristOverrideSetClassPath()] = { exports: SafeOverrideSet }\n}\n","import { installSafeArborist } from 
'./arborist/index.mts'\n\ninstallSafeArborist()\n"],"names":["add","change","remove","_arboristPkgPath","_depValid","UNDEFINED_TOKEN","id","transformer","mod","canDedupe","canReplaceWith","overrides","recalculateOutEdgesOverrides","edge","newOverrideSet","from","detach","explain","bundled","overridden","error","rawSpec","explanation","reload","needToUpdateOverrideSet","NPM_REGISTRY_URL","eligibleVersions","getMajor","visited","queue","to","matches","__proto__","consolidate","include","limit","nothrow","blocked","critical","cve","existing","unfixable","upgradable","unchanged","unknownOrigin","length","action","actual","ideal","keep","node","Object","configurable","enumerable","integrity","dependencies","name","spec","type","semver","result","getIpc","audit","dryRun","fund","ignoreScripts","progress","save","saveBundle","silent","path","constants","hideAt","logger","cache","exports","installSafeArborist"],"mappings":";;;;;;;;;;;;;;AAsDO;AACLA;AACAC;AACAC;AACF;;ACnDA;AACO;;;AAGH;AAGA;AAIA;AACAC;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;ACnEA,iBAAA;AASA;AACO;;AAOHC;AACF;;AAEF;;ACvBA;AAAQC;AAAgB;AAaxB;AAIE;AACE;AACA;AACA;AACEC;AACAC;AACF;AACED;;AAEF;;AAEE;AACA;;;AAGE;AACF;;AAEJ;AACA;AACF;AAOA;AACO;;;AAMC;AACA;AACAE;AAIN;AACA;AACF;;AClDA,iBAAA;AAsBA;;AAEA;AACA;AACO;AACL;AACA;AACA;AAIE;AACA;AACA;;AAEF;;AAEA;AACA;AACA;AAIE;AAKE;AACE;AACF;AACF;AACA;AAKE;AACE;AACF;AACF;AACA;AACA;;AAEA;AACF;;AAEA;AACA;;;AAGI;AACF;AACA;AAAa;AAAQ;AAAoB;;;AAGrC;AACF;AACA;AACE;AACF;AACA;AACE;AACF;AACF;AACA;AACF;;;AAII;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;AACE;AACE;AACF;AACA;AACF;;AAEE;AAGE;AACF;AACA;AACF;AACA;AACA;AACA;AACA;AACF;AACA;AACF;;AAEA;AACA;;;AAGI;AACF;;AAEE;AACF;AACA;AAIE;AACF;AACA;AACE;AACF;AACA;;AAEA;;AAEF;AACF;;AC5JA,iBAAA;AA8EA;;AAEA;AACA;AACO;AACL;AACA;AACA;AACSC;AACP;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;
AACA;;AAEE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACA;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACSC;AACP;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;;;AAGI;AACF;AACF;;AAEI;AACF;AACF;AACF;AACA;AACA;AACA;AACA;AACA;;AAEA;AACE;AACF;;;;;;AAME;AACF;AACA;AACF;;AAEA;;AAEE;;AACQC;AAAU;AAClB;AACE;AACF;AACF;;AAGE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;;AAEF;;AAEA;;AAEE;AACA;AACA;;AAME;AACF;AACA;AACA;AACA;AACA;AACA;AACA;;AAMI;AACE;AACF;AACF;AACF;AACA;AACF;;AAGE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACQA;AAAU;AAClB;;AAEA;;;;;;AAME;AACF;AACF;;AAEA;AACA;AACSC;AACP;;AAEEC;;;AAGA;AACF;AACF;;AAEA;;AAEE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AAAuCF;AAAc;AACvD;;;;;;AAME;AACF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAKI;AACA;AACA;AACA;AACA;AACF;AACA;;;AAGE;AACF;;AAEE;AACF;;AAKA;;AAEI;AACF;;;AAGA;AACF;AACA;AACA;AACA;;AAEA;AACF;;AAEA;AACA;;AAEE;AACA;AACA;AACE;AACF;AACA;AACA;;AACUA;AAAyB;;;AAMjC;AACEG;AACF;AACF;;AAEE;AACF;;AAEA;AACE;AACA;AACA;AACA;AACA;;AAEF;AACA;AACF;AACF;;AChYA,iBAAA;AAqDO;;AAEP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACL;AACA;AACA;AACA;;;AAGUC;AAAK;AACb;;AAEA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACF;;AAGE;AACF;;AAGE;AACE;;AAEI;AACF;AACE;AACF;AACF;AAGE;AACA;AACA;AAEA;AACF;AACE;AACF;AACA;AACA;AAAA;AASE;AACA;AACA;AACA;AACA;AACA;AACF;AACE;AACF;AACF;AACA;AACE;AACF;;AAEF;;AAEA;;;AAGA;;AAEA;;;;;AASM;AACA;AACA;AACA;AACA;;AAIA;AACE;AACF;AACA;AACE;AACF;AACA;AACE;AACF;AACA;AACE;AACF;;AAEF;AACA;AACF;;AAEF;;AAEA;;;AAGA;AAESC;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;AACA;AACF;;AAEA;AACA;AACSC;AACP;AACE;;;;AAIEC;AACAC;AACAC;AACAL;AACAM;;AAEF;AACEC;;AAEF;;AAEEA;AACF;;AAEEA;AACF;AACA;;AAEA;AACA;AACF;;AAEF;AAESC;AACP;AACA;AACA;AACA;;AAEA;AACA;AACA;;;AAGI;AACA;AACA;AACA;AACAC;;;AAGF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACF;AACA;AACA;AAAA;AAEE;AACA;
AACA;AACF;AACF;;AAGE;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;;AAEE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF;AACF;;AC3SA;;;AAA4BC;AAAiB;AAE7C;;AAEI;AACA;AACA;;;AAGF;AACF;AAEO;;AAOL;;AAEE;AACA;AACE;AACF;AACAC;AACF;AACE;AACA;AACE;AACF;AACAA;AAEI;AACA;AACAC;AAIN;;AAEF;AAEO;AAKL;AACA;;;AAGE;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACAC;AACA;AAIE;AACF;;AAEEC;AACF;;;AAEUC;AAAG;AACX;AACED;AACF;AACF;AACF;AACA;AACF;AAEO;;AAML;AACA;;;AAGE;AACE;AACF;AACA;AACA;AACA;AACE;AACF;AACAD;AACA;AAIEG;AACF;;AAEEF;AACF;;;AAEUC;AAAG;AACX;AACED;AACF;AACF;AACF;AACA;AACF;AASO;AAIL;AACEG;AACAC;AACAC;AACAC;AACAC;;;;AAKAJ;AACA;AACA;AACA;AACAK;AACAC;AACAC;AACAC;AACAC;AACAC;AACA;;AAGF;AACER;AACES;AACF;AACF;AAEA;AAEA;;AAMA;;AAGM;AACF;AAEJ;AAEA;;;AAGA;AACF;AAgBO;;AAKL;;AAEE;AACF;AAEA;AACEX;AACAW;AACAC;;AACMZ;;AAA4B;;AAGpC;;;AAEMa;AAAoB;;;AAGtB;AACF;AACA;;AACQC;AAAO;AACf;AACE;AACA;AACA;AACA;;AACQC;AAAiBC;AAAe;AACxC;;AAEA;;AAEIC;AACA;AAIET;AACF;AACF;AAIF;AACES;AACF;AACA;AACE;;AAKIC;AACAV;AACF;AACF;AACF;AACF;AACA;AACEX;AACF;AACF;;;AAEUc;AAAU;AAClB;AAAkBE;;AAChB;AACA;;AAKIK;AACAV;AACF;AACF;AACF;AACF;AACA;AACF;AAIO;;AAEP;AAEO;AACL;AACF;AAOO;AAKL;AACA;AACAW;AACEC;AACAC;;AAEF;AACA;AACAH;AACA;AACA;AACAA;AACA;AACA;;AACQI;;AACR;;AAEA;;AAEA;AACA;AACA;;AAEA;AACE;AACF;AACA;AACA;AAAkB;;;AACVC;;AACRL;AACA;;AAEI;AACE;AACA;;AAEF;AACF;AACF;;AAEE;AACE;AACA;AACAA;AAEInC;AACAyC;AACAC;AACAC;AACF;AAEJ;AACF;AACF;AAEO;;AAQL;AACE;AACF;;AACQF;AAAK;;AAMX;AAGA;AACA;;AAKE;AACAG;AACA;AACAA;;AAIAC;;AAEE;AACE;AACA;AACF;AACF;AACF;AACF;AACA;AACF;;AC3ZA,iBAAA;AAEA;;;;;;;;AAQE;AAA+DC;AAAO;AACxE;AAEO;AACL7B;AACA8B;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEO;AAEA;AAEA;;AAEP;AACA;AACO;;AAEH;AAEIC;;;;AAOF;AACJ;AAEA;AAGE;AACA;;AAGIJ;;AAIJ;;AAGIA;;AAIJf;AACA;AACF;;AAEA;AACA;AAIE;AACEnB;;;AAGF;AACA;;;AAGA;;AAGI;AACA;AACAkC;;AAEF;AACA;AAEF;AACA;AACA;;AAIM;AACAK;AACN;AACA;AACA;;;;AAMUlC;AACAC;AACAC;AACAC;AACAC;AACF;AAEED;AACAC;AAC
F;AACR;;;AAGE;AACA;;AAEE+B;;AAEF;;AAGN;AAQA;AAGI;AACEC;;;AAKA;AACF;;AAEF;AACF;;ACrJA,iBAAA;AAEO;AACL;AACA;AACA;AACAC;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACrBAC;;;;;;;;;;","debugId":"aa999c00-ac0b-4e97-b4fe-41280eca7c7b"}