npm - @socketsecurity/cli-with-sentry - Versions diffs - 0.15.24 → 0.15.25 - Mend

@socketsecurity/cli-with-sentry 0.15.24 → 0.15.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/shadow-inject.js CHANGED Viewed

@@ -1,23 +1,16 @@
 'use strict';
 var Module = require('node:module');
+var vendor = require('./vendor.js');
 var path = require('node:path');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var constants = require('./constants.js');
 var utils = require('./utils.js');
 var logger = require('../external/@socketsecurity/registry/lib/logger');
-var vendor = require('./vendor.js');
 var registry = require('../external/@socketsecurity/registry');
 var objects = require('../external/@socketsecurity/registry/lib/objects');
-var strings = require('../external/@socketsecurity/registry/lib/strings');
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-const DiffAction = utils.createEnum({
-  add: 'ADD',
-  change: 'CHANGE',
-  remove: 'REMOVE'
-});
 let _arboristPkgPath;
 function getArboristPackagePath() {
   if (_arboristPkgPath === undefined) {
@@ -36,13 +29,6 @@ function getArboristClassPath() {
   }
   return _arboristClassPath;
 }
-let _arboristDepValidPath;
-function getArboristDepValidPath() {
-  if (_arboristDepValidPath === undefined) {
-    _arboristDepValidPath = path.join(getArboristPackagePath(), 'lib/dep-valid.js');
-  }
-  return _arboristDepValidPath;
-}
 let _arboristEdgeClassPath;
 function getArboristEdgeClassPath() {
   if (_arboristEdgeClassPath === undefined) {
@@ -65,713 +51,11 @@ function getArboristOverrideSetClassPath() {
   return _arboristOverrideSetClassPath;
 }
-const require$6 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
-let _depValid;
-function depValid(child, requested, accept, requester) {
-  if (_depValid === undefined) {
-    _depValid = require$6(getArboristDepValidPath());
-  }
-  return _depValid(child, requested, accept, requester);
-}
-const {
-  UNDEFINED_TOKEN
-} = constants;
-function tryRequire(req, ...ids) {
-  for (const data of ids) {
-    let id;
-    let transformer;
-    if (Array.isArray(data)) {
-      id = data[0];
-      transformer = data[1];
-    } else {
-      id = data;
-      transformer = mod => mod;
-    }
-    try {
-      // Check that the transformed value isn't `undefined` because older
-      // versions of packages like 'proc-log' may not export a `log` method.
-      const exported = transformer(req(id));
-      if (exported !== undefined) {
-        return exported;
-      }
-    } catch {}
-  }
-  return undefined;
-}
-let _log = UNDEFINED_TOKEN;
-function getLogger() {
-  if (_log === UNDEFINED_TOKEN) {
-    _log = tryRequire(utils.getNpmRequire(), ['proc-log/lib/index.js',
-    // The proc-log DefinitelyTyped definition is incorrect. The type definition
-    // is really that of its export log.
-    mod => mod.log], 'npmlog/lib/log.js');
-  }
-  return _log;
-}
-const require$5 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
-const OverrideSet = require$5(getArboristOverrideSetClassPath());
-// Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
-class SafeOverrideSet extends OverrideSet {
-  // Patch adding doOverrideSetsConflict is based on
-  // https://github.com/npm/cli/pull/8089.
-  static doOverrideSetsConflict(first, second) {
-    // If override sets contain one another then we can try to use the more
-    // specific one. If neither one is more specific, then we consider them to
-    // be in conflict.
-    return this.findSpecificOverrideSet(first, second) === undefined;
-  }
-  // Patch adding findSpecificOverrideSet is based on
-  // https://github.com/npm/cli/pull/8089.
-  static findSpecificOverrideSet(first, second) {
-    for (let overrideSet = second; overrideSet; overrideSet = overrideSet.parent) {
-      if (overrideSet.isEqual(first)) {
-        return second;
-      }
-    }
-    for (let overrideSet = first; overrideSet; overrideSet = overrideSet.parent) {
-      if (overrideSet.isEqual(second)) {
-        return first;
-      }
-    }
-    // The override sets are incomparable. Neither one contains the other.
-    const log = getLogger();
-    log?.silly('Conflicting override sets', first, second);
-    return undefined;
-  }
-  // Patch adding childrenAreEqual is based on
-  // https://github.com/npm/cli/pull/8089.
-  childrenAreEqual(otherOverrideSet) {
-    if (this.children.size !== otherOverrideSet.children.size) {
-      return false;
-    }
-    for (const {
-      0: key,
-      1: childOverrideSet
-    } of this.children) {
-      const otherChildOverrideSet = otherOverrideSet.children.get(key);
-      if (!otherChildOverrideSet) {
-        return false;
-      }
-      if (childOverrideSet.value !== otherChildOverrideSet.value) {
-        return false;
-      }
-      if (!childOverrideSet.childrenAreEqual(otherChildOverrideSet)) {
-        return false;
-      }
-    }
-    return true;
-  }
-  getEdgeRule(edge) {
-    for (const rule of this.ruleset.values()) {
-      if (rule.name !== edge.name) {
-        continue;
-      }
-      // If keySpec is * we found our override.
-      if (rule.keySpec === '*') {
-        return rule;
-      }
-      // Patch replacing
-      // let spec = npa(`${edge.name}@${edge.spec}`)
-      // is based on https://github.com/npm/cli/pull/8089.
-      //
-      // We need to use the rawSpec here, because the spec has the overrides
-      // applied to it already. The rawSpec can be undefined, so we need to use
-      // the fallback value of spec if it is.
-      let spec = vendor.npaExports(`${edge.name}@${edge.rawSpec || edge.spec}`);
-      if (spec.type === 'alias') {
-        spec = spec.subSpec;
-      }
-      if (spec.type === 'git') {
-        if (spec.gitRange && vendor.semverExports.intersects(spec.gitRange, rule.keySpec)) {
-          return rule;
-        }
-        continue;
-      }
-      if (spec.type === 'range' || spec.type === 'version') {
-        if (vendor.semverExports.intersects(spec.fetchSpec, rule.keySpec)) {
-          return rule;
-        }
-        continue;
-      }
-      // If we got this far, the spec type is one of tag, directory or file
-      // which means we have no real way to make version comparisons, so we
-      // just accept the override.
-      return rule;
-    }
-    return this;
-  }
-  // Patch adding isEqual is based on
-  // https://github.com/npm/cli/pull/8089.
-  isEqual(otherOverrideSet) {
-    if (this === otherOverrideSet) {
-      return true;
-    }
-    if (!otherOverrideSet) {
-      return false;
-    }
-    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
-      return false;
-    }
-    if (!this.childrenAreEqual(otherOverrideSet)) {
-      return false;
-    }
-    if (!this.parent) {
-      return !otherOverrideSet.parent;
-    }
-    return this.parent.isEqual(otherOverrideSet.parent);
-  }
-}
-const require$4 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
-const Node = require$4(getArboristNodeClassPath());
-// Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
-class SafeNode extends Node {
-  // Return true if it's safe to remove this node, because anything that is
-  // depending on it would be fine with the thing that they would resolve to if
-  // it was removed, or nothing is depending on it in the first place.
-  canDedupe(preferDedupe = false) {
-    // Not allowed to mess with shrinkwraps or bundles.
-    if (this.inDepBundle || this.inShrinkwrap) {
-      return false;
-    }
-    // It's a top level pkg, or a dep of one.
-    if (!this.resolveParent?.resolveParent) {
-      return false;
-    }
-    // No one wants it, remove it.
-    if (this.edgesIn.size === 0) {
-      return true;
-    }
-    const other = this.resolveParent.resolveParent.resolve(this.name);
-    // Nothing else, need this one.
-    if (!other) {
-      return false;
-    }
-    // If it's the same thing, then always fine to remove.
-    if (other.matches(this)) {
-      return true;
-    }
-    // If the other thing can't replace this, then skip it.
-    if (!other.canReplace(this)) {
-      return false;
-    }
-    // Patch replacing
-    // if (preferDedupe || semver.gte(other.version, this.version)) {
-    //   return true
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // If we prefer dedupe, or if the version is equal, take the other.
-    if (preferDedupe || vendor.semverExports.eq(other.version, this.version)) {
-      return true;
-    }
-    // If our current version isn't the result of an override, then prefer to
-    // take the greater version.
-    if (!this.overridden && vendor.semverExports.gt(other.version, this.version)) {
-      return true;
-    }
-    return false;
-  }
-  // Is it safe to replace one node with another?  check the edges to
-  // make sure no one will get upset.  Note that the node might end up
-  // having its own unmet dependencies, if the new node has new deps.
-  // Note that there are cases where Arborist will opt to insert a node
-  // into the tree even though this function returns false!  This is
-  // necessary when a root dependency is added or updated, or when a
-  // root dependency brings peer deps along with it.  In that case, we
-  // will go ahead and create the invalid state, and then try to resolve
-  // it with more tree construction, because it's a user request.
-  canReplaceWith(node, ignorePeers) {
-    if (this.name !== node.name || this.packageName !== node.packageName) {
-      return false;
-    }
-    // Patch replacing
-    // if (node.overrides !== this.overrides) {
-    //   return false
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // If this node has no dependencies, then it's irrelevant to check the
-    // override rules of the replacement node.
-    if (this.edgesOut.size) {
-      // XXX need to check for two root nodes?
-      if (node.overrides) {
-        if (!node.overrides.isEqual(this.overrides)) {
-          return false;
-        }
-      } else {
-        if (this.overrides) {
-          return false;
-        }
-      }
-    }
-    // To satisfy the patch we ensure `node.overrides === this.overrides`
-    // so that the condition we want to replace,
-    // if (this.overrides !== node.overrides) {
-    // , is not hit.`
-    const oldOverrideSet = this.overrides;
-    let result = true;
-    if (oldOverrideSet !== node.overrides) {
-      this.overrides = node.overrides;
-    }
-    try {
-      result = super.canReplaceWith(node, ignorePeers);
-      this.overrides = oldOverrideSet;
-    } catch (e) {
-      this.overrides = oldOverrideSet;
-      throw e;
-    }
-    return result;
-  }
-  // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/8089.
-  deleteEdgeIn(edge) {
-    this.edgesIn.delete(edge);
-    const {
-      overrides
-    } = edge;
-    if (overrides) {
-      this.updateOverridesEdgeInRemoved(overrides);
-    }
-  }
-  addEdgeIn(edge) {
-    // Patch replacing
-    // if (edge.overrides) {
-    //   this.overrides = edge.overrides
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // We need to handle the case where the new edge in has an overrides field
-    // which is different from the current value.
-    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
-      this.updateOverridesEdgeInAdded(edge.overrides);
-    }
-    this.edgesIn.add(edge);
-    // Try to get metadata from the yarn.lock file.
-    this.root.meta?.addEdge(edge);
-  }
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get overridden() {
-    // Patch replacing
-    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
-    // is based on https://github.com/npm/cli/pull/8089.
-    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
-      return false;
-    }
-    // The overrides rule is for a package with this name, but some override
-    // rules only apply to specific versions. To make sure this package was
-    // actually overridden, we check whether any edge going in had the rule
-    // applied to it, in which case its overrides set is different than its
-    // source node.
-    for (const edge of this.edgesIn) {
-      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
-        if (!edge.overrides.isEqual(edge.from?.overrides)) {
-          return true;
-        }
-      }
-    }
-    return false;
-  }
-  set parent(newParent) {
-    // Patch removing
-    // if (parent.overrides) {
-    //   this.overrides = parent.overrides.getNodeRule(this)
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // The "parent" setter is a really large and complex function. To satisfy
-    // the patch we hold on to the old overrides value and set `this.overrides`
-    // to `undefined` so that the condition we want to remove is not hit.
-    const {
-      overrides
-    } = this;
-    if (overrides) {
-      this.overrides = undefined;
-    }
-    try {
-      super.parent = newParent;
-      this.overrides = overrides;
-    } catch (e) {
-      this.overrides = overrides;
-      throw e;
-    }
-  }
-  // Patch adding recalculateOutEdgesOverrides is based on
-  // https://github.com/npm/cli/pull/8089.
-  recalculateOutEdgesOverrides() {
-    // For each edge out propagate the new overrides through.
-    for (const edge of this.edgesOut.values()) {
-      edge.reload(true);
-      if (edge.to) {
-        edge.to.updateOverridesEdgeInAdded(edge.overrides);
-      }
-    }
-  }
-  // @ts-ignore: Incorrectly typed to accept null.
-  set root(newRoot) {
-    // Patch removing
-    // if (!this.overrides && this.parent && this.parent.overrides) {
-    //   this.overrides = this.parent.overrides.getNodeRule(this)
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // The "root" setter is a really large and complex function. To satisfy the
-    // patch we add a dummy value to `this.overrides` so that the condition we
-    // want to remove is not hit.
-    if (!this.overrides) {
-      this.overrides = new SafeOverrideSet({
-        overrides: ''
-      });
-    }
-    try {
-      super.root = newRoot;
-      this.overrides = undefined;
-    } catch (e) {
-      this.overrides = undefined;
-      throw e;
-    }
-  }
-  // Patch adding updateOverridesEdgeInAdded is based on
-  // https://github.com/npm/cli/pull/7025.
-  //
-  // This logic isn't perfect either. When we have two edges in that have
-  // different override sets, then we have to decide which set is correct. This
-  // function assumes the more specific override set is applicable, so if we have
-  // dependencies A->B->C and A->C and an override set that specifies what happens
-  // for C under A->B, this will work even if the new A->C edge comes along and
-  // tries to change the override set. The strictly correct logic is not to allow
-  // two edges with different overrides to point to the same node, because even
-  // if this node can satisfy both, one of its dependencies might need to be
-  // different depending on the edge leading to it. However, this might cause a
-  // lot of duplication, because the conflict in the dependencies might never
-  // actually happen.
-  updateOverridesEdgeInAdded(otherOverrideSet) {
-    if (!otherOverrideSet) {
-      // Assuming there are any overrides at all, the overrides field is never
-      // undefined for any node at the end state of the tree. So if the new edge's
-      // overrides is undefined it will be updated later. So we can wait with
-      // updating the node's overrides field.
-      return false;
-    }
-    if (!this.overrides) {
-      this.overrides = otherOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
-    }
-    if (this.overrides.isEqual(otherOverrideSet)) {
-      return false;
-    }
-    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(this.overrides, otherOverrideSet);
-    if (newOverrideSet) {
-      if (this.overrides.isEqual(newOverrideSet)) {
-        return false;
-      }
-      this.overrides = newOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
-    }
-    // This is an error condition. We can only get here if the new override set
-    // is in conflict with the existing.
-    const log = getLogger();
-    log?.silly('Conflicting override sets', this.name);
-    return false;
-  }
-  // Patch adding updateOverridesEdgeInRemoved is based on
-  // https://github.com/npm/cli/pull/7025.
-  updateOverridesEdgeInRemoved(otherOverrideSet) {
-    // If this edge's overrides isn't equal to this node's overrides,
-    // then removing it won't change newOverrideSet later.
-    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
-      return false;
-    }
-    let newOverrideSet;
-    for (const edge of this.edgesIn) {
-      const {
-        overrides: edgeOverrides
-      } = edge;
-      if (newOverrideSet && edgeOverrides) {
-        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(edgeOverrides, newOverrideSet);
-      } else {
-        newOverrideSet = edgeOverrides;
-      }
-    }
-    if (this.overrides.isEqual(newOverrideSet)) {
-      return false;
-    }
-    this.overrides = newOverrideSet;
-    if (newOverrideSet) {
-      // Optimization: If there's any override set at all, then no non-extraneous
-      // node has an empty override set. So if we temporarily have no override set
-      // (for example, we removed all the edges in), there's no use updating all
-      // the edges out right now. Let's just wait until we have an actual override
-      // set later.
-      this.recalculateOutEdgesOverrides();
-    }
-    return true;
-  }
-}
-const require$3 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
-const Edge = require$3(getArboristEdgeClassPath());
-// The Edge class makes heavy use of private properties which subclasses do NOT
-// have access to. So we have to recreate any functionality that relies on those
-// private properties and use our own "safe" prefixed non-conflicting private
-// properties. Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.
-//
-// The npm application
-// Copyright (c) npm, Inc. and Contributors
-// Licensed on the terms of The Artistic License 2.0
-//
-// An edge in the dependency graph.
-// Represents a dependency relationship of some kind.
-class SafeEdge extends Edge {
-  #safeError;
-  #safeExplanation;
-  #safeFrom;
-  #safeTo;
-  constructor(options) {
-    const {
-      from
-    } = options;
-    // Defer to supper to validate options and assign non-private values.
-    super(options);
-    if (from.constructor !== SafeNode) {
-      Reflect.setPrototypeOf(from, SafeNode.prototype);
-    }
-    this.#safeError = null;
-    this.#safeExplanation = null;
-    this.#safeFrom = from;
-    this.#safeTo = null;
-    this.reload(true);
-  }
-  get bundled() {
-    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
-  }
-  get error() {
-    if (!this.#safeError) {
-      if (!this.#safeTo) {
-        if (this.optional) {
-          this.#safeError = null;
-        } else {
-          this.#safeError = 'MISSING';
-        }
-      } else if (this.peer && this.#safeFrom === this.#safeTo.parent &&
-      // Patch adding "?." use based on
-      // https://github.com/npm/cli/pull/8089.
-      !this.#safeFrom?.isTop) {
-        this.#safeError = 'PEER LOCAL';
-      } else if (!this.satisfiedBy(this.#safeTo)) {
-        this.#safeError = 'INVALID';
-      }
-      // Patch adding "else if" condition is based on
-      // https://github.com/npm/cli/pull/8089.
-      else if (this.overrides && this.#safeTo.edgesOut.size && SafeOverrideSet.doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
-        // Any inconsistency between the edge's override set and the target's
-        // override set is potentially problematic. But we only say the edge is
-        // in error if the override sets are plainly conflicting. Note that if
-        // the target doesn't have any dependencies of their own, then this
-        // inconsistency is irrelevant.
-        this.#safeError = 'INVALID';
-      } else {
-        this.#safeError = 'OK';
-      }
-    }
-    if (this.#safeError === 'OK') {
-      return null;
-    }
-    return this.#safeError;
-  }
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get from() {
-    return this.#safeFrom;
-  }
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get spec() {
-    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
-      if (this.overrides.value.startsWith('$')) {
-        const ref = this.overrides.value.slice(1);
-        // We may be a virtual root, if we are we want to resolve reference
-        // overrides from the real root, not the virtual one.
-        //
-        // Patch adding "?." use based on
-        // https://github.com/npm/cli/pull/8089.
-        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom?.sourceReference.root.package : this.#safeFrom?.root?.package;
-        if (pkg?.devDependencies?.[ref]) {
-          return pkg.devDependencies[ref];
-        }
-        if (pkg?.optionalDependencies?.[ref]) {
-          return pkg.optionalDependencies[ref];
-        }
-        if (pkg?.dependencies?.[ref]) {
-          return pkg.dependencies[ref];
-        }
-        if (pkg?.peerDependencies?.[ref]) {
-          return pkg.peerDependencies[ref];
-        }
-        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
-      }
-      return this.overrides.value;
-    }
-    return this.rawSpec;
-  }
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get to() {
-    return this.#safeTo;
-  }
-  detach() {
-    this.#safeExplanation = null;
-    // Patch replacing
-    // if (this.#to) {
-    //   this.#to.edgesIn.delete(this)
-    // }
-    // this.#from.edgesOut.delete(this.#name)
-    // is based on https://github.com/npm/cli/pull/8089.
-    this.#safeTo?.deleteEdgeIn(this);
-    this.#safeFrom?.edgesOut.delete(this.name);
-    this.#safeTo = null;
-    this.#safeError = 'DETACHED';
-    this.#safeFrom = null;
-  }
-  // Return the edge data, and an explanation of how that edge came to be here.
-  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
-  explain() {
-    if (!this.#safeExplanation) {
-      const explanation = {
-        type: this.type,
-        name: this.name,
-        spec: this.spec,
-        bundled: false,
-        overridden: false,
-        error: undefined,
-        from: undefined,
-        rawSpec: undefined
-      };
-      if (this.rawSpec !== this.spec) {
-        explanation.rawSpec = this.rawSpec;
-        explanation.overridden = true;
-      }
-      if (this.bundled) {
-        explanation.bundled = this.bundled;
-      }
-      if (this.error) {
-        explanation.error = this.error;
-      }
-      if (this.#safeFrom) {
-        explanation.from = this.#safeFrom.explain();
-      }
-      this.#safeExplanation = explanation;
-    }
-    return this.#safeExplanation;
-  }
-  reload(hard = false) {
-    this.#safeExplanation = null;
-    // Patch replacing
-    // if (this.#from.overrides) {
-    // is based on https://github.com/npm/cli/pull/8089.
-    let needToUpdateOverrideSet = false;
-    let newOverrideSet;
-    let oldOverrideSet;
-    if (this.#safeFrom?.overrides) {
-      newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
-      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
-        // If there's a new different override set we need to propagate it to
-        // the nodes. If we're deleting the override set then there's no point
-        // propagating it right now since it will be filled with another value
-        // later.
-        needToUpdateOverrideSet = true;
-        oldOverrideSet = this.overrides;
-        this.overrides = newOverrideSet;
-      }
-    } else {
-      this.overrides = undefined;
-    }
-    // Patch adding "?." use based on
-    // https://github.com/npm/cli/pull/8089.
-    const newTo = this.#safeFrom?.resolve(this.name);
-    if (newTo !== this.#safeTo) {
-      // Patch replacing
-      // this.#to.edgesIn.delete(this)
-      // is based on https://github.com/npm/cli/pull/8089.
-      this.#safeTo?.deleteEdgeIn(this);
-      this.#safeTo = newTo ?? null;
-      this.#safeError = null;
-      this.#safeTo?.addEdgeIn(this);
-    } else if (hard) {
-      this.#safeError = null;
-    }
-    // Patch adding "else if" condition based on
-    // https://github.com/npm/cli/pull/8089.
-    else if (needToUpdateOverrideSet && this.#safeTo) {
-      // Propagate the new override set to the target node.
-      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
-      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
-    }
-  }
-  satisfiedBy(node) {
-    // Patch replacing
-    // if (node.name !== this.#name) {
-    //   return false
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    if (node.name !== this.name || !this.#safeFrom) {
-      return false;
-    }
-    // NOTE: this condition means we explicitly do not support overriding
-    // bundled or shrinkwrapped dependencies
-    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
-      return depValid(node, this.rawSpec, this.accept, this.#safeFrom);
-    }
-    // Patch replacing
-    // return depValid(node, this.spec, this.#accept, this.#from)
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // If there's no override we just use the spec.
-    if (!this.overrides?.keySpec) {
-      return depValid(node, this.spec, this.accept, this.#safeFrom);
-    }
-    // There's some override. If the target node satisfies the overriding spec
-    // then it's okay.
-    if (depValid(node, this.spec, this.accept, this.#safeFrom)) {
-      return true;
-    }
-    // If it doesn't, then it should at least satisfy the original spec.
-    if (!depValid(node, this.rawSpec, this.accept, this.#safeFrom)) {
-      return false;
-    }
-    // It satisfies the original spec, not the overriding spec. We need to make
-    // sure it doesn't use the overridden spec.
-    // For example:
-    //   we might have an ^8.0.0 rawSpec, and an override that makes
-    //   keySpec=8.23.0 and the override value spec=9.0.0.
-    //   If the node is 9.0.0, then it's okay because it's consistent with spec.
-    //   If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
-    //   If the node is 8.23.0, then it's not okay because even though it's consistent
-    //   with the rawSpec, it's also consistent with the keySpec.
-    //   So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
-    return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom);
-  }
-}
+const DiffAction = utils.createEnum({
+  add: 'ADD',
+  change: 'CHANGE',
+  remove: 'REMOVE'
+});
 const {
   LOOP_SENTINEL,
@@ -1067,10 +351,17 @@ function updatePackageJsonFromNode(editablePkgJson, tree, node, newVersion, rang
   for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
     const depObject = editablePkgJson.content[depField];
     const oldRange = objects.hasOwn(depObject, name) ? depObject[name] : undefined;
-    const oldMin = strings.isNonEmptyString(oldRange) ? vendor.semverExports.minVersion(oldRange) : null;
+    if (typeof oldRange !== 'string' || oldRange.startsWith('catalog:')) {
+      continue;
+    }
+    const npaResult = utils.npa(oldRange);
+    if (!npaResult || npaResult.subSpec) {
+      continue;
+    }
+    const oldMin = utils.getMinVersion(npaResult.rawSpec);
     const newRange = oldMin &&
     // Ensure we're on the same major version...
-    vendor.semverExports.major(newVersion) === vendor.semverExports.major(oldMin.version) &&
+    utils.getMajor(newVersion) === oldMin.major &&
     // and not a downgrade.
     vendor.semverExports.gte(newVersion, oldMin.version) ? utils.applyRange(oldRange, newVersion, rangeStyle) : oldRange;
     if (oldRange !== newRange) {
@@ -1086,7 +377,7 @@ function updatePackageJsonFromNode(editablePkgJson, tree, node, newVersion, rang
   return result;
 }
-const require$2 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
+// @ts-ignore
 const {
   NPM,
   NPX,
@@ -1099,7 +390,7 @@ const {
     getIpc
   }
 } = constants;
-const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
+const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES$1 = {
   __proto__: null,
   audit: false,
   dryRun: true,
@@ -1112,7 +403,7 @@ const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
 };
 const kCtorArgs = Symbol('ctorArgs');
 const kRiskyReify = Symbol('riskyReify');
-const Arborist = require$2(getArboristClassPath());
+const Arborist = vendor.arboristExports;
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
@@ -1121,7 +412,7 @@ class SafeArborist extends Arborist {
     super({
       path: (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),
       ...(ctorArgs.length ? ctorArgs[0] : undefined),
-      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES$1
     }, ...ctorArgs.slice(1));
     this[kCtorArgs] = ctorArgs;
   }
@@ -1152,7 +443,7 @@ class SafeArborist extends Arborist {
     }
     await super.reify({
       ...options,
-      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
+      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES$1,
       progress: false
     },
     // @ts-ignore: TypeScript gets grumpy about rest parameters.
@@ -1201,6 +492,20 @@ class SafeArborist extends Arborist {
 }
 const require$1 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
+const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
+  __proto__: null,
+  audit: false,
+  dryRun: true,
+  fund: false,
+  ignoreScripts: true,
+  progress: false,
+  save: false,
+  saveBundle: false,
+  silent: true
+};
+const Edge = vendor.edgeExports;
+const Node = vendor.nodeExports;
+const OverrideSet = vendor.overrideSetExports;
 function installSafeArborist() {
   // Override '@npmcli/arborist' module exports with patched variants based on
   // https://github.com/npm/cli/pull/8089.
@@ -1209,13 +514,13 @@ function installSafeArborist() {
     exports: SafeArborist
   };
   cache[getArboristEdgeClassPath()] = {
-    exports: SafeEdge
+    exports: Edge
   };
   cache[getArboristNodeClassPath()] = {
-    exports: SafeNode
+    exports: Node
   };
   cache[getArboristOverrideSetClassPath()] = {
-    exports: SafeOverrideSet
+    exports: OverrideSet
   };
 }
@@ -1223,12 +528,11 @@ installSafeArborist();
 exports.Arborist = Arborist;
 exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES;
-exports.SafeArborist = SafeArborist;
 exports.findBestPatchVersion = findBestPatchVersion;
 exports.findPackageNode = findPackageNode;
 exports.findPackageNodes = findPackageNodes;
 exports.getAlertsMapFromArborist = getAlertsMapFromArborist;
 exports.updateNode = updateNode;
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode;
-//# debugId=aa999c00-ac0b-4e97-b4fe-41280eca7c7b
+//# debugId=8064dcdf-3aa8-4cd5-b56c-354d369825da
 //# sourceMappingURL=shadow-inject.js.map