@socketsecurity/cli-with-sentry 0.15.61 → 0.15.63

package/dist/cli.js

@@ -3660,29 +3660,64 @@ async function outputFixResult(result, outputKind) {
 function formatBranchName(name) {
   return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
 }
-function getBaseGitBranch() {
-  // Lazily access constants.ENV.GITHUB_REF_NAME.
-  return constants.ENV.GITHUB_REF_NAME ||
+function createSocketBranchParser(options) {
+  const pattern = getSocketBranchPattern(options);
+  return function parse(branch) {
+    const match = pattern.exec(branch);
+    if (!match) {
+      return null;
+    }
+    const {
+      1: type,
+      2: workspace,
+      3: fullName,
+      4: version,
+      5: newVersion
+    } = match;
+    return {
+      fullName,
+      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
+      type,
+      workspace,
+      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
+    };
+  };
+}
+async function getBaseGitBranch(cwd = process.cwd()) {
+  // Lazily access constants.ENV properties.
+  const {
+    GITHUB_BASE_REF,
+    GITHUB_REF_NAME,
+    GITHUB_REF_TYPE
+  } = constants.ENV;
+  // 1. In a pull request, this is always the base branch.
+  if (GITHUB_BASE_REF) {
+    return GITHUB_BASE_REF;
+  }
+  // 2. If it's a branch (not a tag), GITHUB_REF_TYPE should be 'branch'.
+  if (GITHUB_REF_TYPE === 'branch' && GITHUB_REF_NAME) {
+    return GITHUB_REF_NAME;
+  }
+  // 3. Try to resolve the default remote branch using 'git remote show origin'.
+  // This handles detached HEADs or workflows triggered by tags/releases.
+  try {
+    const stdout = (await spawn.spawn('git', ['remote', 'show', 'origin'], {
+      cwd
+    })).stdout.trim();
+    const match = /(?<=HEAD branch: ).+/.exec(stdout);
+    if (match?.[0]) {
+      return match[0].trim();
+    }
+  } catch {}
   // GitHub defaults to branch name "main"
   // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
-  'main';
-}
-function getSocketBranchPurlTypeComponent(purl) {
-  const purlObj = utils.getPurlObject(purl);
-  return formatBranchName(purlObj.type);
+  return 'main';
 }
 function getSocketBranchFullNameComponent(pkgName) {
   const purlObj = utils.getPurlObject(typeof pkgName === 'string' && !pkgName.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/${pkgName}`) : pkgName);
   const fmtMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
   return `${fmtMaybeNamespace}${formatBranchName(purlObj.name)}`;
 }
-function getSocketBranchPackageVersionComponent(version) {
-  const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
-  return formatBranchName(purlObj.version);
-}
-function getSocketBranchWorkspaceComponent(workspace) {
-  return workspace ? formatBranchName(workspace) : 'root';
-}
 function getSocketBranchName(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
   const fmtType = getSocketBranchPurlTypeComponent(purlObj);
@@ -3692,6 +3727,10 @@ function getSocketBranchName(purl, newVersion, workspace) {
   const fmtNewVersion = formatBranchName(newVersion);
   return `socket/${fmtType}/${fmtWorkspace}/${fmtFullName}_${fmtVersion}_${fmtNewVersion}`;
 }
+function getSocketBranchPackageVersionComponent(version) {
+  const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
+  return formatBranchName(purlObj.version);
+}
 function getSocketBranchPattern(options) {
   const {
     newVersion,
@@ -3710,33 +3749,17 @@ function getSocketBranchPattern(options) {
   const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
   return new RegExp(`^socket/(${escType})/(${escWorkspace})/(${escFullName})_(${escVersion})_(${escNewVersion})$`);
 }
-function createSocketBranchParser(options) {
-  const pattern = getSocketBranchPattern(options);
-  return function parse(branch) {
-    const match = pattern.exec(branch);
-    if (!match) {
-      return null;
-    }
-    const {
-      1: type,
-      2: workspace,
-      3: fullName,
-      4: version,
-      5: newVersion
-    } = match;
-    return {
-      fullName,
-      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
-      type,
-      workspace,
-      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
-    };
-  };
+function getSocketBranchPurlTypeComponent(purl) {
+  const purlObj = utils.getPurlObject(purl);
+  return formatBranchName(purlObj.type);
 }
-function getSocketPullRequestTitle(purl, newVersion, workspace) {
+function getSocketBranchWorkspaceComponent(workspace) {
+  return workspace ? formatBranchName(workspace) : 'root';
+}
+function getSocketCommitMessage(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
   const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
+  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
 }
 function getSocketPullRequestBody(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
@@ -3744,10 +3767,10 @@ function getSocketPullRequestBody(purl, newVersion, workspace) {
   const pkgOverviewUrl = utils.getSocketDevPackageOverviewUrlFromPurl(purlObj);
   return `Bump [${fullName}](${pkgOverviewUrl}) from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}.`;
 }
-function getSocketCommitMessage(purl, newVersion, workspace) {
+function getSocketPullRequestTitle(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
   const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
+  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
 }
 async function gitCleanFdx(cwd = process.cwd()) {
   const stdioIgnoreOptions = {
@@ -3780,7 +3803,7 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
     await spawn.spawn('git', ['push', '--force', '--set-upstream', 'origin', branch], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn('catch: unexpected\n', e);
+    debug.debugFn(`catch: git push --force --set-upstream origin ${branch} failed\n`, e);
   }
   try {
     // Will throw with exit code 1 if branch does not exist.
@@ -3788,6 +3811,38 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
   } catch {}
   return false;
 }
+async function gitRepoInfo(cwd = process.cwd()) {
+  try {
+    const remoteUrl = (await spawn.spawn('git', ['remote', 'get-url', 'origin'], {
+      cwd
+    })).stdout.trim();
+    // 1. Handle SSH-style, e.g. git@github.com:owner/repo.git
+    const sshMatch = /^git@[^:]+:([^/]+)\/(.+?)(?:\.git)?$/.exec(remoteUrl);
+    if (sshMatch) {
+      return {
+        owner: sshMatch[1],
+        repo: sshMatch[2]
+      };
+    }
+    // 2. Handle HTTPS/URL-style, e.g. https://github.com/owner/repo.git
+    try {
+      const parsed = new URL(remoteUrl);
+      const segments = parsed.pathname.split('/');
+      const owner = segments.at(-2);
+      const repo = segments.at(-1)?.replace(/\.git$/, '');
+      if (owner && repo) {
+        return {
+          owner,
+          repo
+        };
+      }
+    } catch {}
+    debug.debugFn('git: unmatched git remote URL format', remoteUrl);
+  } catch (e) {
+    debug.debugFn('catch: git remote get-url origin failed\n', e);
+  }
+  return null;
+}
 async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
   const stdioIgnoreOptions = {
     cwd,
@@ -3810,7 +3865,7 @@ async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
       try {
         await spawn.spawn('git', ['config', prop, value], stdioIgnoreOptions);
       } catch (e) {
-        debug.debugFn('catch: unexpected\n', e);
+        debug.debugFn(`catch: git config ${prop} ${value} failed\n`, e);
       }
     }
   }));
@@ -3863,8 +3918,8 @@ function getActiveBranchesForPackage(ciEnv, partialPurl, openPrs) {
   if (!ciEnv) {
     return [];
   }
-  const partialPurlObj = utils.getPurlObject(partialPurl);
   const activeBranches = [];
+  const partialPurlObj = utils.getPurlObject(partialPurl);
   const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
   const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
   for (const pr of openPrs) {
@@ -3873,10 +3928,13 @@ function getActiveBranchesForPackage(ciEnv, partialPurl, openPrs) {
       activeBranches.push(parsedBranch);
     }
   }
-  if (activeBranches.length) {
-    debug.debugFn(`found: ${activeBranches.length} active branches\n`, activeBranches);
-  } else if (openPrs.length) {
-    debug.debugFn('miss: 0 active branches found');
+  if (debug.isDebug()) {
+    const fullName = packages.resolvePackageName(partialPurlObj);
+    if (activeBranches.length) {
+      debug.debugFn(`found: ${activeBranches.length} active branches for ${fullName}\n`, activeBranches);
+    } else if (openPrs.length) {
+      debug.debugFn(`miss: 0 active branches found for ${fullName}`);
+    }
   }
   return activeBranches;
 }
@@ -4026,7 +4084,7 @@ async function cleanupOpenPrs(owner, repo, options) {
     return match;
   }));
   if (cachesToSave.size) {
-    await Promise.allSettled([...cachesToSave].map(({
+    await Promise.allSettled(Array.from(cachesToSave).map(({
       0: key,
       1: data
     }) => writeCache(key, data)));
@@ -4075,24 +4133,6 @@ async function enablePrAutoMerge({
     enabled: false
   };
 }
-function getGithubEnvRepoInfo() {
-  // Lazily access constants.ENV.GITHUB_REPOSITORY.
-  const {
-    GITHUB_REPOSITORY
-  } = constants.ENV;
-  if (!GITHUB_REPOSITORY) {
-    debug.debugFn('miss: GITHUB_REPOSITORY env var');
-  }
-  const ownerSlashRepo = GITHUB_REPOSITORY;
-  const slashIndex = ownerSlashRepo.indexOf('/');
-  if (slashIndex === -1) {
-    return null;
-  }
-  return {
-    owner: ownerSlashRepo.slice(0, slashIndex),
-    repo: ownerSlashRepo.slice(slashIndex + 1)
-  };
-}
 async function getOpenSocketPrs(owner, repo, options) {
   return (await getOpenSocketPrsWithContext(owner, repo, options)).map(d => d.match);
 }
@@ -4218,11 +4258,6 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
     __proto__: null,
     ...options
   };
-  // Lazily access constants.ENV.GITHUB_ACTIONS.
-  if (!constants.ENV.GITHUB_ACTIONS) {
-    debug.debugFn('miss: GITHUB_ACTIONS env var');
-    return null;
-  }
   const purlObj = utils.getPurlObject(purl);
   const octokit = getOctokit();
   try {
@@ -4274,19 +4309,48 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   }
 }
 
-function getCiEnv() {
+async function getEnvRepoInfo(cwd) {
+  // Lazily access constants.ENV.GITHUB_REPOSITORY.
+  const {
+    GITHUB_REPOSITORY
+  } = constants.ENV;
+  if (!GITHUB_REPOSITORY) {
+    debug.debugFn('miss: GITHUB_REPOSITORY env var');
+  }
+  const ownerSlashRepo = GITHUB_REPOSITORY;
+  const slashIndex = ownerSlashRepo.indexOf('/');
+  if (slashIndex !== -1) {
+    return {
+      owner: ownerSlashRepo.slice(0, slashIndex),
+      repo: ownerSlashRepo.slice(slashIndex + 1)
+    };
+  }
+  return await gitRepoInfo(cwd);
+}
+async function getCiEnv() {
   const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
   const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
   const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
-  return isCi ? {
+  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  if (!isCi) {
+    return null;
+  }
+  const baseBranch = await getBaseGitBranch();
+  if (!baseBranch) {
+    return null;
+  }
+  const repoInfo = await getEnvRepoInfo();
+  if (!repoInfo) {
+    return null;
+  }
+  return {
     gitEmail,
     gitUser,
     githubToken,
-    repoInfo: getGithubEnvRepoInfo(),
-    baseBranch: getBaseGitBranch(),
+    repoInfo,
+    baseBranch,
     branchParser: createSocketBranchParser()
-  } : null;
+  };
 }
 async function getOpenPrsForEnvironment(env) {
   return env ? await getOpenSocketPrs(env.repoInfo.owner, env.repoInfo.repo, {
@@ -4346,7 +4410,7 @@ async function npmFix(pkgEnvDetails, {
     pkgPath: rootPath
   } = pkgEnvDetails;
   spinner?.start();
-  const ciEnv = getCiEnv();
+  const ciEnv = await getCiEnv();
   const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let count = 0;
   const arb = new shadowNpmInject.Arborist({
@@ -4394,7 +4458,7 @@ async function npmFix(pkgEnvDetails, {
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
-  const sortedInfoEntries = [...infoByPartialPurl.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
+  const sortedInfoEntries = Array.from(infoByPartialPurl.entries()).sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   const cleanupInfoEntriesLoop = () => {
     logger.logger.dedent();
     spinner?.dedent();
@@ -4416,11 +4480,10 @@ async function npmFix(pkgEnvDetails, {
     const infoEntry = sortedInfoEntries[i];
     const partialPurlObj = utils.getPurlObject(infoEntry[0]);
     const name = packages.resolvePackageName(partialPurlObj);
-    const infos = [...infoEntry[1].values()];
+    const infos = Array.from(infoEntry[1].values());
     if (!infos.length) {
       continue infoEntriesLoop;
     }
-    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
@@ -4434,6 +4497,7 @@ async function npmFix(pkgEnvDetails, {
       cleanupInfoEntriesLoop();
       continue infoEntriesLoop;
     }
+    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     const availableVersions = Object.keys(packument.versions);
     const warningsForAfter = new Set();
 
@@ -4461,6 +4525,7 @@ async function npmFix(pkgEnvDetails, {
       const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
         editable: true
       });
+      const fixedVersions = new Set();
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
@@ -4486,6 +4551,9 @@ async function npmFix(pkgEnvDetails, {
             warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
+          if (fixedVersions.has(newVersion)) {
+            continue infosLoop;
+          }
           if (vendor.semverExports.gte(oldVersion, newVersion)) {
             debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
@@ -4557,6 +4625,7 @@ async function npmFix(pkgEnvDetails, {
                 });
               }
               spinner?.success(`Fixed ${name} in ${workspace}.`);
+              fixedVersions.add(newVersion);
             } else {
               errored = true;
             }
@@ -4783,7 +4852,7 @@ async function pnpmFix(pkgEnvDetails, {
     pkgPath: rootPath
   } = pkgEnvDetails;
   spinner?.start();
-  const ciEnv = getCiEnv();
+  const ciEnv = await getCiEnv();
   const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let count = 0;
   let actualTree;
@@ -4860,6 +4929,9 @@ async function pnpmFix(pkgEnvDetails, {
       }
     };
   }
+  if (debug.isDebug()) {
+    debug.debugFn('found: cves for', Array.from(infoByPartialPurl.keys()));
+  }
 
   // Lazily access constants.packumentCache.
   const {
@@ -4869,7 +4941,7 @@ async function pnpmFix(pkgEnvDetails, {
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
-  const sortedInfoEntries = [...infoByPartialPurl.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
+  const sortedInfoEntries = Array.from(infoByPartialPurl.entries()).sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   const cleanupInfoEntriesLoop = () => {
     logger.logger.dedent();
     spinner?.dedent();
@@ -4891,11 +4963,10 @@ async function pnpmFix(pkgEnvDetails, {
     const infoEntry = sortedInfoEntries[i];
     const partialPurlObj = utils.getPurlObject(infoEntry[0]);
     const name = packages.resolvePackageName(partialPurlObj);
-    const infos = [...infoEntry[1].values()];
+    const infos = Array.from(infoEntry[1].values());
     if (!infos.length) {
       continue infoEntriesLoop;
     }
-    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
@@ -4909,6 +4980,7 @@ async function pnpmFix(pkgEnvDetails, {
       cleanupInfoEntriesLoop();
       continue infoEntriesLoop;
     }
+    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     const availableVersions = Object.keys(packument.versions);
     const warningsForAfter = new Set();
 
@@ -4963,6 +5035,8 @@ async function pnpmFix(pkgEnvDetails, {
       const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
         editable: true
       });
+      const fixedVersions = new Set();
+
       // Get current overrides for revert logic.
       const oldPnpmSection = editablePkgJson.content[PNPM$7];
       const oldOverrides = oldPnpmSection?.[OVERRIDES$2];
@@ -4991,6 +5065,9 @@ async function pnpmFix(pkgEnvDetails, {
             warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
+          if (fixedVersions.has(newVersion)) {
+            continue infosLoop;
+          }
           if (vendor.semverExports.gte(oldVersion, newVersion)) {
             debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
@@ -5103,6 +5180,7 @@ async function pnpmFix(pkgEnvDetails, {
                 });
               }
               spinner?.success(`Fixed ${name} in ${workspace}.`);
+              fixedVersions.add(newVersion);
             } else {
               errored = true;
             }
@@ -7806,7 +7884,7 @@ function cleanupQueryStdout(stdout) {
       names.add(resolvedName);
     }
   }
-  return JSON.stringify([...names], null, 2);
+  return JSON.stringify(Array.from(names), null, 2);
 }
 function parsableToQueryStdout(stdout) {
   if (stdout === '') {
@@ -7816,7 +7894,7 @@ function parsableToQueryStdout(stdout) {
   // The matchAll regexp looks for a forward (posix) or backward (win32) slash
   // and matches one or more non-slashes until the newline.
   const names = new Set(stdout.matchAll(/(?<=[/\\])[^/\\]+(?=\n)/g));
-  return JSON.stringify([...names], null, 2);
+  return JSON.stringify(Array.from(names), null, 2);
 }
 async function npmQuery(npmExecPath, cwd) {
   let stdout = '';
@@ -14640,5 +14718,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=f55e6ed3-61c1-4ff4-b932-f2758fcef19
+//# debugId=dab0d87c-3238-422d-976b-390f87d2120a
 //# sourceMappingURL=cli.js.map