@socketsecurity/cli-with-sentry 1.0.107 → 1.0.109

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/bin/cli.js +1 -0
  2. package/dist/cli.js +11 -12
  3. package/dist/cli.js.map +1 -1
  4. package/dist/constants.js +69 -47
  5. package/dist/constants.js.map +1 -1
  6. package/dist/shadow-npm-bin.js +10 -8
  7. package/dist/shadow-npm-bin.js.map +1 -1
  8. package/dist/shadow-npm-inject.js +15 -14
  9. package/dist/shadow-npm-inject.js.map +1 -1
  10. package/dist/tsconfig.dts.tsbuildinfo +1 -1
  11. package/dist/types/commands/manifest/run-cdxgen.d.mts.map +1 -1
  12. package/dist/types/constants.d.mts +13 -8
  13. package/dist/types/constants.d.mts.map +1 -1
  14. package/dist/types/shadow/npm/arborist/lib/arborist/index.d.mts.map +1 -1
  15. package/dist/types/shadow/npm/bin.d.mts +2 -1
  16. package/dist/types/shadow/npm/bin.d.mts.map +1 -1
  17. package/dist/types/shadow/npm/install.d.mts.map +1 -1
  18. package/dist/types/shadow/npm/link.d.mts +1 -1
  19. package/dist/types/shadow/npm/link.d.mts.map +1 -1
  20. package/dist/types/utils/alert/artifact.d.mts +1 -1
  21. package/dist/types/utils/alert/artifact.d.mts.map +1 -1
  22. package/dist/types/utils/alerts-map.d.mts +1 -1
  23. package/dist/types/utils/alerts-map.d.mts.map +1 -1
  24. package/dist/types/utils/coana.d.mts +3 -2
  25. package/dist/types/utils/coana.d.mts.map +1 -1
  26. package/dist/types/utils/sdk.d.mts +1 -1
  27. package/dist/types/utils/sdk.d.mts.map +1 -1
  28. package/dist/utils.js +10 -5
  29. package/dist/utils.js.map +1 -1
  30. package/external/@socketsecurity/registry/lib/constants/env.js +3 -3
  31. package/external/@socketsecurity/registry/lib/constants/node-harden-flags.js +11 -3
  32. package/package.json +6 -6
package/dist/constants.js CHANGED
@@ -44,9 +44,11 @@ const SOCKET_CLI_BIN_NAME = 'socket';
44
44
  const SOCKET_CLI_FIX = 'SOCKET_CLI_FIX';
45
45
  const SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues';
46
46
  const SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE';
47
+ const SOCKET_CLI_SHADOW_ACCEPT_RISKS = 'SOCKET_CLI_SHADOW_ACCEPT_RISKS';
47
48
  const SOCKET_CLI_SHADOW_API_TOKEN = 'SOCKET_CLI_SHADOW_API_TOKEN';
48
49
  const SOCKET_CLI_SHADOW_BIN = 'SOCKET_CLI_SHADOW_BIN';
49
50
  const SOCKET_CLI_SHADOW_PROGRESS = 'SOCKET_CLI_SHADOW_PROGRESS';
51
+ const SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT';
50
52
  const SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS';
51
53
  const SOCKET_DEFAULT_BRANCH = 'socket-default-branch';
52
54
  const SOCKET_DEFAULT_REPOSITORY = 'socket-default-repository';
@@ -69,7 +71,7 @@ function getNpmStdioPipeOptions() {
69
71
  }
70
72
  const LAZY_ENV = () => {
71
73
  const {
72
- env: processEnv
74
+ env
73
75
  } = process;
74
76
  const envHelpers = /*@__PURE__*/require$1('../external/@socketsecurity/registry/lib/env');
75
77
  const utils = /*@__PURE__*/require$1(path.join(constants.rootPath, 'dist/utils.js'));
@@ -78,7 +80,8 @@ const LAZY_ENV = () => {
78
80
  const envAsString = envHelpers.envAsString;
79
81
  const getConfigValueOrUndef = utils.getConfigValueOrUndef;
80
82
  const readOrDefaultSocketJson = utils.readOrDefaultSocketJson;
81
- const GITHUB_TOKEN = envAsString(processEnv['GITHUB_TOKEN']);
83
+ const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN']);
84
+ const INLINED_SOCKET_CLI_PUBLISHED_BUILD = envAsBoolean(true);
82
85
  // We inline some environment values so that they CANNOT be influenced by user
83
86
  // provided environment variables.
84
87
  return Object.freeze({
@@ -87,29 +90,29 @@ const LAZY_ENV = () => {
87
90
  ...registryConstants.ENV,
88
91
  // Disable using GitHub's workflow actions/cache.
89
92
  // https://github.com/actions/cache
90
- DISABLE_GITHUB_CACHE: envAsBoolean(processEnv['DISABLE_GITHUB_CACHE']),
93
+ DISABLE_GITHUB_CACHE: envAsBoolean(env['DISABLE_GITHUB_CACHE']),
91
94
  // The API URL. For example, https://api.github.com.
92
95
  // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables
93
- GITHUB_API_URL: envAsString(processEnv['GITHUB_API_URL']) || 'https://api.github.com',
96
+ GITHUB_API_URL: envAsString(env['GITHUB_API_URL']) || 'https://api.github.com',
94
97
  // The name of the base ref or target branch of the pull request in a workflow
95
98
  // run. This is only set when the event that triggers a workflow run is either
96
99
  // pull_request or pull_request_target. For example, main.
97
100
  // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables
98
- GITHUB_BASE_REF: envAsString(processEnv['GITHUB_BASE_REF']),
101
+ GITHUB_BASE_REF: envAsString(env['GITHUB_BASE_REF']),
99
102
  // The short ref name of the branch or tag that triggered the GitHub workflow
100
103
  // run. This value matches the branch or tag name shown on GitHub. For example,
101
104
  // feature-branch-1. For pull requests, the format is <pr_number>/merge.
102
105
  // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables
103
- GITHUB_REF_NAME: envAsString(processEnv['GITHUB_REF_NAME']),
106
+ GITHUB_REF_NAME: envAsString(env['GITHUB_REF_NAME']),
104
107
  // The type of ref that triggered the workflow run. Valid values are branch or tag.
105
108
  // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables
106
- GITHUB_REF_TYPE: envAsString(processEnv['GITHUB_REF_TYPE']),
109
+ GITHUB_REF_TYPE: envAsString(env['GITHUB_REF_TYPE']),
107
110
  // The owner and repository name. For example, octocat/Hello-World.
108
111
  // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables
109
- GITHUB_REPOSITORY: envAsString(processEnv['GITHUB_REPOSITORY']),
112
+ GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),
110
113
  // The URL of the GitHub server. For example, https://github.com.
111
114
  // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables
112
- GITHUB_SERVER_URL: envAsString(processEnv['GITHUB_SERVER_URL']) || 'https://github.com',
115
+ GITHUB_SERVER_URL: envAsString(env['GITHUB_SERVER_URL']) || 'https://github.com',
113
116
  // The GITHUB_TOKEN secret is a GitHub App installation access token.
114
117
  // The token's permissions are limited to the repository that contains the
115
118
  // workflow.
@@ -117,7 +120,7 @@ const LAZY_ENV = () => {
117
120
  GITHUB_TOKEN,
118
121
  // Comp-time inlined @coana-tech/cli package version.
119
122
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION']".
120
- INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: envAsString("14.12.14"),
123
+ INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: envAsString("14.12.16"),
121
124
  // Comp-time inlined @cyclonedx/cdxgen package version.
122
125
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']".
123
126
  INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: envAsString("11.7.0"),
@@ -132,7 +135,7 @@ const LAZY_ENV = () => {
132
135
  INLINED_SOCKET_CLI_NAME: envAsString("@socketsecurity/cli"),
133
136
  // Comp-time inlined flag to determine if this is a published build.
134
137
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']".
135
- INLINED_SOCKET_CLI_PUBLISHED_BUILD: envAsBoolean(true),
138
+ INLINED_SOCKET_CLI_PUBLISHED_BUILD,
136
139
  // Comp-time inlined flag to determine if this is the Sentry build.
137
140
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']".
138
141
  INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(true),
@@ -141,83 +144,86 @@ const LAZY_ENV = () => {
141
144
  INLINED_SOCKET_CLI_SYNP_VERSION: envAsString("1.9.14"),
142
145
  // Comp-time inlined Socket package version.
143
146
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
144
- INLINED_SOCKET_CLI_VERSION: envAsString("1.0.107"),
147
+ INLINED_SOCKET_CLI_VERSION: envAsString("1.0.109"),
145
148
  // Comp-time inlined Socket package version hash.
146
149
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
147
- INLINED_SOCKET_CLI_VERSION_HASH: envAsString("1.0.107:bec851b:b8c5b8f6:pub"),
150
+ INLINED_SOCKET_CLI_VERSION_HASH: envAsString("1.0.109:d1eb2e9:2f232f0f:pub"),
148
151
  // The absolute location of the %localappdata% folder on Windows used to store
149
152
  // user-specific, non-roaming application data, like temporary files, cached
150
153
  // data, and program settings, that are specific to the current machine and user.
151
- LOCALAPPDATA: envAsString(processEnv[LOCALAPPDATA]),
154
+ LOCALAPPDATA: envAsString(env[LOCALAPPDATA]),
152
155
  // Enable the module compile cache for the Node.js instance.
153
156
  // https://nodejs.org/api/cli.html#node_compile_cachedir
154
157
  NODE_COMPILE_CACHE: constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR ? constants.socketCachePath : '',
158
+ // Redefine registryConstants.ENV.NODE_ENV to account for the
159
+ // INLINED_SOCKET_CLI_PUBLISHED_BUILD environment variable.
160
+ NODE_ENV: envAsString(env['NODE_ENV']).toLowerCase() === 'production' ? 'production' : INLINED_SOCKET_CLI_PUBLISHED_BUILD ? '' : 'development',
155
161
  // Well known "root" CAs (like VeriSign) will be extended with the extra
156
162
  // certificates in file. The file should consist of one or more trusted
157
163
  // certificates in PEM format.
158
164
  // https://nodejs.org/api/cli.html#node_extra_ca_certsfile
159
- NODE_EXTRA_CA_CERTS: envAsString(processEnv['NODE_EXTRA_CA_CERTS']) ||
165
+ NODE_EXTRA_CA_CERTS: envAsString(env['NODE_EXTRA_CA_CERTS']) ||
160
166
  // Commonly used environment variable to specify the path to a single
161
167
  // PEM-encoded certificate file.
162
- envAsString(processEnv['SSL_CERT_FILE']),
168
+ envAsString(env['SSL_CERT_FILE']),
163
169
  // PATH is an environment variable that lists directories where executable
164
170
  // programs are located. When a command is run, the system searches these
165
171
  // directories to find the executable.
166
- PATH: envAsString(processEnv['PATH']),
172
+ PATH: envAsString(env['PATH']),
167
173
  // Accept risks of a Socket wrapped npm/npx run.
168
- SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(processEnv[SOCKET_CLI_ACCEPT_RISKS]),
174
+ SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),
169
175
  // Change the base URL for Socket API calls.
170
176
  // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
171
- SOCKET_CLI_API_BASE_URL: envAsString(processEnv['SOCKET_CLI_API_BASE_URL']) ||
177
+ SOCKET_CLI_API_BASE_URL: envAsString(env['SOCKET_CLI_API_BASE_URL']) ||
172
178
  // TODO: Remove legacy environment variable name.
173
- envAsString(processEnv['SOCKET_SECURITY_API_BASE_URL']) || getConfigValueOrUndef('apiBaseUrl') || 'https://api.socket.dev/v0/',
179
+ envAsString(env['SOCKET_SECURITY_API_BASE_URL']) || getConfigValueOrUndef('apiBaseUrl') || 'https://api.socket.dev/v0/',
174
180
  // Set the proxy that all requests are routed through.
175
181
  // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
176
- SOCKET_CLI_API_PROXY: envAsString(processEnv['SOCKET_CLI_API_PROXY']) ||
182
+ SOCKET_CLI_API_PROXY: envAsString(env['SOCKET_CLI_API_PROXY']) ||
177
183
  // TODO: Remove legacy environment variable name.
178
- envAsString(processEnv['SOCKET_SECURITY_API_PROXY']) ||
184
+ envAsString(env['SOCKET_SECURITY_API_PROXY']) ||
179
185
  // Commonly used environment variables to specify routing requests through
180
186
  // a proxy server.
181
- envAsString(processEnv['HTTPS_PROXY']) || envAsString(processEnv['https_proxy']) || envAsString(processEnv['HTTP_PROXY']) || envAsString(processEnv['http_proxy']),
187
+ envAsString(env['HTTPS_PROXY']) || envAsString(env['https_proxy']) || envAsString(env['HTTP_PROXY']) || envAsString(env['http_proxy']),
182
188
  // Set the timeout in milliseconds for Socket API requests.
183
189
  // https://nodejs.org/api/http.html#httprequesturl-options-callback
184
- SOCKET_CLI_API_TIMEOUT: envAsNumber(processEnv['SOCKET_CLI_API_TOKEN']),
190
+ SOCKET_CLI_API_TIMEOUT: envAsNumber(env['SOCKET_CLI_API_TOKEN']),
185
191
  // Set the Socket API token.
186
192
  // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables
187
- SOCKET_CLI_API_TOKEN: envAsString(processEnv['SOCKET_CLI_API_TOKEN']) ||
193
+ SOCKET_CLI_API_TOKEN: envAsString(env['SOCKET_CLI_API_TOKEN']) ||
188
194
  // TODO: Remove legacy environment variable names.
189
- envAsString(processEnv['SOCKET_CLI_API_KEY']) || envAsString(processEnv['SOCKET_SECURITY_API_TOKEN']) || envAsString(processEnv['SOCKET_SECURITY_API_KEY']),
195
+ envAsString(env['SOCKET_CLI_API_KEY']) || envAsString(env['SOCKET_SECURITY_API_TOKEN']) || envAsString(env['SOCKET_SECURITY_API_KEY']),
190
196
  // A JSON stringified Socket configuration object.
191
- SOCKET_CLI_CONFIG: envAsString(processEnv['SOCKET_CLI_CONFIG']),
197
+ SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),
192
198
  // The git config user.email used by Socket CLI.
193
- SOCKET_CLI_GIT_USER_EMAIL: envAsString(processEnv['SOCKET_CLI_GIT_USER_EMAIL']) || 'github-actions[bot]@users.noreply.github.com',
199
+ SOCKET_CLI_GIT_USER_EMAIL: envAsString(env['SOCKET_CLI_GIT_USER_EMAIL']) || 'github-actions[bot]@users.noreply.github.com',
194
200
  // The git config user.name used by Socket CLI.
195
- SOCKET_CLI_GIT_USER_NAME: envAsString(processEnv['SOCKET_CLI_GIT_USER_NAME']) || envAsString(processEnv['SOCKET_CLI_GIT_USERNAME']) || 'github-actions[bot]',
201
+ SOCKET_CLI_GIT_USER_NAME: envAsString(env['SOCKET_CLI_GIT_USER_NAME']) || envAsString(env['SOCKET_CLI_GIT_USERNAME']) || 'github-actions[bot]',
196
202
  // Change the base URL for GitHub REST API calls.
197
203
  // https://docs.github.com/en/rest
198
- SOCKET_CLI_GITHUB_API_URL: envAsString(processEnv['SOCKET_CLI_GITHUB_API_URL']) || readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github?.githubApiUrl || 'https://api.github.com',
204
+ SOCKET_CLI_GITHUB_API_URL: envAsString(env['SOCKET_CLI_GITHUB_API_URL']) || readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github?.githubApiUrl || 'https://api.github.com',
199
205
  // A classic GitHub personal access token with the "repo" scope or a
200
206
  // fine-grained access token with at least read/write permissions set for
201
207
  // "Contents" and "Pull Request".
202
208
  // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
203
- SOCKET_CLI_GITHUB_TOKEN: envAsString(processEnv['SOCKET_CLI_GITHUB_TOKEN']) ||
209
+ SOCKET_CLI_GITHUB_TOKEN: envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) ||
204
210
  // TODO: Remove undocumented legacy environment variable name.
205
- envAsString(processEnv['SOCKET_SECURITY_GITHUB_PAT']) || GITHUB_TOKEN,
211
+ envAsString(env['SOCKET_SECURITY_GITHUB_PAT']) || GITHUB_TOKEN,
206
212
  // Make the default API token `undefined`.
207
- SOCKET_CLI_NO_API_TOKEN: envAsBoolean(processEnv['SOCKET_CLI_NO_API_TOKEN']),
213
+ SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),
208
214
  // The absolute location of the npm directory.
209
- SOCKET_CLI_NPM_PATH: envAsString(processEnv['SOCKET_CLI_NPM_PATH']),
215
+ SOCKET_CLI_NPM_PATH: envAsString(env['SOCKET_CLI_NPM_PATH']),
210
216
  // Specify the Socket organization slug.
211
- SOCKET_CLI_ORG_SLUG: envAsString(processEnv['SOCKET_CLI_ORG_SLUG']) ||
217
+ SOCKET_CLI_ORG_SLUG: envAsString(env['SOCKET_CLI_ORG_SLUG']) ||
212
218
  // Coana CLI accepts the SOCKET_ORG_SLUG environment variable.
213
- envAsString(processEnv['SOCKET_ORG_SLUG']),
219
+ envAsString(env['SOCKET_ORG_SLUG']),
214
220
  // View all risks of a Socket wrapped npm/npx run.
215
- SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(processEnv[SOCKET_CLI_VIEW_ALL_RISKS]),
221
+ SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),
216
222
  // Specifies the type of terminal or terminal emulator being used by the process.
217
- TERM: envAsString(processEnv['TERM']),
223
+ TERM: envAsString(env['TERM']),
218
224
  // The location of the base directory on Linux and MacOS used to store
219
225
  // user-specific data files, defaulting to $HOME/.local/share if not set or empty.
220
- XDG_DATA_HOME: envAsString(processEnv['XDG_DATA_HOME'])
226
+ XDG_DATA_HOME: envAsString(env['XDG_DATA_HOME'])
221
227
  });
222
228
  };
223
229
  const lazyBashRcPath = () => path.join(constants.homePath, '.bashrc');
@@ -256,18 +262,30 @@ const lazyMinimumVersionByAgent = () => new Map([
256
262
  // vlt does not support overrides so we don't gate on it.
257
263
  [VLT, '*']]);
258
264
  const lazyNmBinPath = () => path.join(constants.rootPath, 'node_modules/.bin');
265
+ const lazyNodeDebugFlags = () => constants.ENV.SOCKET_CLI_DEBUG ? ['--trace-uncaught', '--trace-warnings'] : [];
259
266
 
260
267
  // Redefine registryConstants.nodeHardenFlags to account for the
261
268
  // INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.
262
- const lazyNodeHardenFlags = () => Object.freeze(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD || constants.WIN32 ? [] :
269
+ const lazyNodeHardenFlags = () => Object.freeze(
263
270
  // Harden Node security.
264
271
  // https://nodejs.org/en/learn/getting-started/security-best-practices
265
- ['--disable-proto', 'throw',
266
- // We have contributed the following patches to our dependencies to make
267
- // Node's --frozen-intrinsics workable.
268
- // https://github.com/SBoudrias/Inquirer.js/pull/1683
269
- // √ https://github.com/pnpm/components/pull/23
270
- '--frozen-intrinsics', '--no-deprecation']);
272
+ constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD || constants.WIN32 ? [
273
+ // https://nodejs.org/api/cli.html#--disallow-code-generation-from-strings
274
+ // '--disallow-code-generation-from-strings'
275
+ ] : [
276
+ // '--disallow-code-generation-from-strings',
277
+ // https://nodejs.org/api/cli.html#--disable-protomode
278
+ // '--disable-proto',
279
+ // 'throw',
280
+ // https://nodejs.org/api/cli.html#--frozen-intrinsics
281
+ // We have contributed the following patches to our dependencies to make
282
+ // Node's --frozen-intrinsics workable.
283
+ // √ https://github.com/SBoudrias/Inquirer.js/pull/1683
284
+ // √ https://github.com/pnpm/components/pull/23
285
+ // '--frozen-intrinsics',
286
+ // https://nodejs.org/api/cli.html#--no-deprecation
287
+ // '--no-deprecation',
288
+ ]);
271
289
  const lazyNodeMemoryFlags = () => {
272
290
  const flags = /*@__PURE__*/require$1(path.join(constants.rootPath, 'dist/flags.js'));
273
291
  const getMaxOldSpaceSizeFlag = flags.getMaxOldSpaceSizeFlag;
@@ -359,9 +377,11 @@ const constants = createConstantsObject({
359
377
  SOCKET_CLI_FIX,
360
378
  SOCKET_CLI_ISSUES_URL,
361
379
  SOCKET_CLI_OPTIMIZE,
380
+ SOCKET_CLI_SHADOW_ACCEPT_RISKS,
362
381
  SOCKET_CLI_SHADOW_API_TOKEN,
363
382
  SOCKET_CLI_SHADOW_BIN,
364
383
  SOCKET_CLI_SHADOW_PROGRESS,
384
+ SOCKET_CLI_SHADOW_SILENT,
365
385
  SOCKET_CLI_VIEW_ALL_RISKS,
366
386
  SOCKET_DEFAULT_BRANCH,
367
387
  SOCKET_DEFAULT_REPOSITORY,
@@ -388,6 +408,7 @@ const constants = createConstantsObject({
388
408
  minimumVersionByAgent: undefined,
389
409
  nmBinPath: undefined,
390
410
  nodeHardenFlags: undefined,
411
+ nodeDebugFlags: undefined,
391
412
  nodeMemoryFlags: undefined,
392
413
  npmCachePath: undefined,
393
414
  npmGlobalPrefix: undefined,
@@ -419,6 +440,7 @@ const constants = createConstantsObject({
419
440
  instrumentWithSentryPath: lazyInstrumentWithSentryPath,
420
441
  minimumVersionByAgent: lazyMinimumVersionByAgent,
421
442
  nmBinPath: lazyNmBinPath,
443
+ nodeDebugFlags: lazyNodeDebugFlags,
422
444
  nodeHardenFlags: lazyNodeHardenFlags,
423
445
  nodeMemoryFlags: lazyNodeMemoryFlags,
424
446
  npmCachePath: lazyNpmCachePath,
@@ -451,5 +473,5 @@ const constants = createConstantsObject({
451
473
  });
452
474
 
453
475
  module.exports = constants;
454
- //# debugId=b227a9c0-cf67-42c6-ac6c-2896fbb5f380
476
+ //# debugId=34b6cb52-062c-403a-b7dc-37ee15fec63a
455
477
  //# sourceMappingURL=constants.js.map
package/dist/constants.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"constants.js","sources":["../src/constants.mts"],"sourcesContent":["import { realpathSync } from 'node:fs'\nimport { createRequire } from 'node:module'\nimport os from 'node:os'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport registryConstants from '@socketsecurity/registry/lib/constants'\n\nimport type { Agent } from './utils/package-environment.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { SpawnOptions } from '@socketsecurity/registry/lib/spawn'\n\nconst require = createRequire(import.meta.url)\nconst __filename = fileURLToPath(import.meta.url)\n// Using `path.dirname(__filename)` to resolve `__dirname` works for both 'dist'\n// AND 'src' directories because constants.js and constants.mts respectively are\n// in the root of each.\nconst __dirname = path.dirname(__filename)\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: {\n attributes: registryConstantsAttribs,\n createConstantsObject,\n getIpc,\n },\n} = registryConstants\n\ntype RegistryEnv = typeof registryConstants.ENV\n\ntype RegistryInternals = (typeof registryConstants)['Symbol(kInternalsSymbol)']\n\ntype Sentry = any\n\ntype Internals = Remap<\n Omit<RegistryInternals, 'getIpc'> &\n Readonly<{\n getIpc: {\n (): Promise<IPC>\n <K extends keyof IPC | undefined>(\n key?: K | undefined,\n ): Promise<K extends keyof IPC ? IPC[K] : IPC>\n }\n getSentry: () => Sentry\n setSentry(Sentry: Sentry): boolean\n }>\n>\n\ntype ENV = Remap<\n RegistryEnv &\n Readonly<{\n DISABLE_GITHUB_CACHE: boolean\n GITHUB_API_URL: string\n GITHUB_BASE_REF: string\n GITHUB_REF_NAME: string\n GITHUB_REF_TYPE: string\n GITHUB_REPOSITORY: string\n GITHUB_SERVER_URL: string\n GITHUB_TOKEN: string\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: string\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: string\n INLINED_SOCKET_CLI_HOMEPAGE: string\n INLINED_SOCKET_CLI_LEGACY_BUILD: string\n INLINED_SOCKET_CLI_NAME: string\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: string\n INLINED_SOCKET_CLI_SENTRY_BUILD: string\n INLINED_SOCKET_CLI_VERSION: string\n INLINED_SOCKET_CLI_VERSION_HASH: string\n INLINED_SOCKET_CLI_SYNP_VERSION: string\n LOCALAPPDATA: string\n NODE_COMPILE_CACHE: string\n NODE_EXTRA_CA_CERTS: string\n PATH: string\n SOCKET_CLI_ACCEPT_RISKS: boolean\n SOCKET_CLI_API_BASE_URL: string\n SOCKET_CLI_API_PROXY: string\n SOCKET_CLI_API_TIMEOUT: number\n SOCKET_CLI_API_TOKEN: string\n SOCKET_CLI_CONFIG: string\n SOCKET_CLI_GIT_USER_EMAIL: string\n SOCKET_CLI_GIT_USER_NAME: string\n SOCKET_CLI_GITHUB_TOKEN: string\n SOCKET_CLI_NO_API_TOKEN: boolean\n SOCKET_CLI_NPM_PATH: string\n SOCKET_CLI_ORG_SLUG: string\n SOCKET_CLI_VIEW_ALL_RISKS: boolean\n TERM: string\n XDG_DATA_HOME: string\n }>\n>\n\ntype ProcessEnv = {\n [K in keyof ENV]?: string\n}\n\ntype IPC = Readonly<{\n SOCKET_CLI_FIX?: string | undefined\n SOCKET_CLI_OPTIMIZE?: boolean | undefined\n SOCKET_CLI_SHADOW_API_TOKEN?: string | undefined\n SOCKET_CLI_SHADOW_BIN?: string | undefined\n SOCKET_CLI_SHADOW_PROGRESS?: boolean | undefined\n}>\n\ntype Constants = Remap<\n Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {\n readonly 'Symbol(kInternalsSymbol)': Internals\n readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'\n readonly ALERT_TYPE_CVE: 'cve'\n readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'\n readonly ALERT_TYPE_MILD_CVE: 'mildCVE'\n readonly API_V0_URL: 'https://api.socket.dev/v0/'\n readonly BINARY_LOCK_EXT: '.lockb'\n readonly BUN: 'bun'\n readonly ENV: ENV\n readonly DOT_SOCKET_DOT_FACTS_JSON: '.socket.facts.json'\n readonly DRY_RUN_LABEL: '[DryRun]'\n readonly DRY_RUN_BAILING_NOW: '[DryRun] Bailing now'\n readonly DRY_RUN_NOT_SAVING: '[DryRun] Not saving'\n readonly IPC: IPC\n readonly LOCK_EXT: '.lock'\n readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'\n readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'\n readonly PNPM: 'pnpm'\n readonly REDACTED: '<redacted>'\n readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'\n readonly SOCKET_CLI_BIN_NAME: 'socket'\n readonly SOCKET_CLI_CONFIG: 'SOCKET_CLI_CONFIG'\n readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'\n readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'\n readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'\n readonly SOCKET_CLI_SHADOW_API_TOKEN: 'SOCKET_CLI_SHADOW_API_TOKEN'\n readonly SOCKET_CLI_SHADOW_BIN: 'SOCKET_CLI_SHADOW_BIN'\n readonly SOCKET_CLI_SHADOW_PROGRESS: 'SOCKET_CLI_SHADOW_PROGRESS'\n readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'\n readonly SOCKET_DEFAULT_BRANCH: 'socket-default-branch'\n readonly SOCKET_DEFAULT_REPOSITORY: 'socket-default-repository'\n readonly SOCKET_WEBSITE_URL: 'https://socket.dev'\n readonly VLT: 'vlt'\n readonly YARN: 'yarn'\n readonly YARN_BERRY: 'yarn/berry'\n readonly YARN_CLASSIC: 'yarn/classic'\n readonly YARN_LOCK: 'yarn.lock'\n readonly bashRcPath: string\n readonly binCliPath: string\n readonly binPath: string\n readonly blessedContribPath: string\n readonly blessedOptions: {\n smartCSR: boolean\n term: string\n useBCE: boolean\n }\n readonly blessedPath: string\n readonly coanaBinPath: string\n readonly coanaPath: string\n readonly distCliPath: string\n readonly distPath: string\n readonly externalPath: string\n readonly githubCachePath: string\n readonly homePath: string\n readonly instrumentWithSentryPath: string\n readonly minimumVersionByAgent: Map<Agent, string>\n readonly nmBinPath: string\n readonly nodeHardenFlags: string[]\n readonly nodeMemoryFlags: string[]\n readonly npmCachePath: string\n readonly npmGlobalPrefix: string\n readonly npmNmNodeGypPath: string\n readonly processEnv: ProcessEnv\n readonly rootPath: string\n readonly shadowBinPath: string\n readonly shadowNpmBinPath: string\n readonly shadowNpmInjectPath: string\n readonly socketAppDataPath: string\n readonly socketCachePath: string\n readonly socketRegistryPath: string\n readonly zshRcPath: string\n }\n>\n\nconst ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'\nconst ALERT_TYPE_CVE = 'cve'\nconst ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'\nconst ALERT_TYPE_MILD_CVE = 'mildCVE'\nconst API_V0_URL = 'https://api.socket.dev/v0/'\nconst BINARY_LOCK_EXT = '.lockb'\nconst BUN = 'bun'\nconst DOT_SOCKET_DOT_FACTS_JSON = '.socket.facts.json'\nconst DRY_RUN_LABEL = '[DryRun]'\nconst DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`\nconst DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`\nconst LOCALAPPDATA = 'LOCALAPPDATA'\nconst LOCK_EXT = '.lock'\nconst NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'\nconst NPM_REGISTRY_URL = 'https://registry.npmjs.org'\nconst PNPM = 'pnpm'\nconst REDACTED = '<redacted>'\nconst SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'\nconst SOCKET_CLI_BIN_NAME = 'socket'\nconst SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'\nconst SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'\nconst SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'\nconst SOCKET_CLI_SHADOW_API_TOKEN = 'SOCKET_CLI_SHADOW_API_TOKEN'\nconst SOCKET_CLI_SHADOW_BIN = 'SOCKET_CLI_SHADOW_BIN'\nconst SOCKET_CLI_SHADOW_PROGRESS = 'SOCKET_CLI_SHADOW_PROGRESS'\nconst SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'\nconst SOCKET_DEFAULT_BRANCH = 'socket-default-branch'\nconst SOCKET_DEFAULT_REPOSITORY = 'socket-default-repository'\nconst SOCKET_WEBSITE_URL = 'https://socket.dev'\nconst VLT = 'vlt'\nconst YARN = 'yarn'\nconst YARN_BERRY = 'yarn/berry'\nconst YARN_CLASSIC = 'yarn/classic'\nconst YARN_LOCK = 'yarn.lock'\n\nlet _Sentry: any\n\nlet _npmStdioPipeOptions: SpawnOptions | undefined\nfunction getNpmStdioPipeOptions() {\n if (_npmStdioPipeOptions === undefined) {\n _npmStdioPipeOptions = {\n cwd: process.cwd(),\n shell: constants.WIN32,\n }\n }\n return _npmStdioPipeOptions\n}\n\nconst LAZY_ENV = () => {\n const { env: processEnv } = process\n const envHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/env')\n const utils = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/utils.js'),\n )\n const envAsBoolean = envHelpers.envAsBoolean\n const envAsNumber = envHelpers.envAsNumber\n const envAsString = envHelpers.envAsString\n const getConfigValueOrUndef = utils.getConfigValueOrUndef\n const readOrDefaultSocketJson = utils.readOrDefaultSocketJson\n const GITHUB_TOKEN = envAsString(processEnv['GITHUB_TOKEN'])\n // We inline some environment values so that they CANNOT be influenced by user\n // provided environment variables.\n return Object.freeze({\n __proto__: null,\n // Lazily access registryConstants.ENV.\n ...registryConstants.ENV,\n // Disable using GitHub's workflow actions/cache.\n // https://github.com/actions/cache\n DISABLE_GITHUB_CACHE: envAsBoolean(processEnv['DISABLE_GITHUB_CACHE']),\n // The API URL. For example, https://api.github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_API_URL:\n envAsString(processEnv['GITHUB_API_URL']) || 'https://api.github.com',\n // The name of the base ref or target branch of the pull request in a workflow\n // run. This is only set when the event that triggers a workflow run is either\n // pull_request or pull_request_target. For example, main.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_BASE_REF: envAsString(processEnv['GITHUB_BASE_REF']),\n // The short ref name of the branch or tag that triggered the GitHub workflow\n // run. This value matches the branch or tag name shown on GitHub. For example,\n // feature-branch-1. For pull requests, the format is <pr_number>/merge.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_NAME: envAsString(processEnv['GITHUB_REF_NAME']),\n // The type of ref that triggered the workflow run. Valid values are branch or tag.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_TYPE: envAsString(processEnv['GITHUB_REF_TYPE']),\n // The owner and repository name. For example, octocat/Hello-World.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REPOSITORY: envAsString(processEnv['GITHUB_REPOSITORY']),\n // The URL of the GitHub server. For example, https://github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_SERVER_URL:\n envAsString(processEnv['GITHUB_SERVER_URL']) || 'https://github.com',\n // The GITHUB_TOKEN secret is a GitHub App installation access token.\n // The token's permissions are limited to the repository that contains the\n // workflow.\n // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret\n GITHUB_TOKEN,\n // Comp-time inlined @coana-tech/cli package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION']\".\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION'],\n ),\n // Comp-time inlined @cyclonedx/cdxgen package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']\".\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION'],\n ),\n // Comp-time inlined Socket package homepage.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_HOMEPAGE']\".\n INLINED_SOCKET_CLI_HOMEPAGE: envAsString(\n process.env['INLINED_SOCKET_CLI_HOMEPAGE'],\n ),\n // Comp-time inlined flag to determine if this is the Legacy build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']\".\n INLINED_SOCKET_CLI_LEGACY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],\n ),\n // Comp-time inlined Socket package name.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_NAME']\".\n INLINED_SOCKET_CLI_NAME: envAsString(\n process.env['INLINED_SOCKET_CLI_NAME'],\n ),\n // Comp-time inlined flag to determine if this is a published build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],\n ),\n // Comp-time inlined flag to determine if this is the Sentry build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\n INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],\n ),\n // Comp-time inlined synp package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SYNP_VERSION']\".\n INLINED_SOCKET_CLI_SYNP_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_SYNP_VERSION'],\n ),\n // Comp-time inlined Socket package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION']\".\n INLINED_SOCKET_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION'],\n ),\n // Comp-time inlined Socket package version hash.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n INLINED_SOCKET_CLI_VERSION_HASH: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION_HASH'],\n ),\n // The absolute location of the %localappdata% folder on Windows used to store\n // user-specific, non-roaming application data, like temporary files, cached\n // data, and program settings, that are specific to the current machine and user.\n LOCALAPPDATA: envAsString(processEnv[LOCALAPPDATA]),\n // Enable the module compile cache for the Node.js instance.\n // https://nodejs.org/api/cli.html#node_compile_cachedir\n NODE_COMPILE_CACHE: constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR\n ? constants.socketCachePath\n : '',\n // Well known \"root\" CAs (like VeriSign) will be extended with the extra\n // certificates in file. The file should consist of one or more trusted\n // certificates in PEM format.\n // https://nodejs.org/api/cli.html#node_extra_ca_certsfile\n NODE_EXTRA_CA_CERTS:\n envAsString(processEnv['NODE_EXTRA_CA_CERTS']) ||\n // Commonly used environment variable to specify the path to a single\n // PEM-encoded certificate file.\n envAsString(processEnv['SSL_CERT_FILE']),\n // PATH is an environment variable that lists directories where executable\n // programs are located. When a command is run, the system searches these\n // directories to find the executable.\n PATH: envAsString(processEnv['PATH']),\n // Accept risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(processEnv[SOCKET_CLI_ACCEPT_RISKS]),\n // Change the base URL for Socket API calls.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_BASE_URL:\n envAsString(processEnv['SOCKET_CLI_API_BASE_URL']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(processEnv['SOCKET_SECURITY_API_BASE_URL']) ||\n getConfigValueOrUndef('apiBaseUrl') ||\n 'https://api.socket.dev/v0/',\n // Set the proxy that all requests are routed through.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_PROXY:\n envAsString(processEnv['SOCKET_CLI_API_PROXY']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(processEnv['SOCKET_SECURITY_API_PROXY']) ||\n // Commonly used environment variables to specify routing requests through\n // a proxy server.\n envAsString(processEnv['HTTPS_PROXY']) ||\n envAsString(processEnv['https_proxy']) ||\n envAsString(processEnv['HTTP_PROXY']) ||\n envAsString(processEnv['http_proxy']),\n // Set the timeout in milliseconds for Socket API requests.\n // https://nodejs.org/api/http.html#httprequesturl-options-callback\n SOCKET_CLI_API_TIMEOUT: envAsNumber(processEnv['SOCKET_CLI_API_TOKEN']),\n // Set the Socket API token.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables\n SOCKET_CLI_API_TOKEN:\n envAsString(processEnv['SOCKET_CLI_API_TOKEN']) ||\n // TODO: Remove legacy environment variable names.\n envAsString(processEnv['SOCKET_CLI_API_KEY']) ||\n envAsString(processEnv['SOCKET_SECURITY_API_TOKEN']) ||\n envAsString(processEnv['SOCKET_SECURITY_API_KEY']),\n // A JSON stringified Socket configuration object.\n SOCKET_CLI_CONFIG: envAsString(processEnv['SOCKET_CLI_CONFIG']),\n // The git config user.email used by Socket CLI.\n SOCKET_CLI_GIT_USER_EMAIL:\n envAsString(processEnv['SOCKET_CLI_GIT_USER_EMAIL']) ||\n 'github-actions[bot]@users.noreply.github.com',\n // The git config user.name used by Socket CLI.\n SOCKET_CLI_GIT_USER_NAME:\n envAsString(processEnv['SOCKET_CLI_GIT_USER_NAME']) ||\n envAsString(processEnv['SOCKET_CLI_GIT_USERNAME']) ||\n 'github-actions[bot]',\n // Change the base URL for GitHub REST API calls.\n // https://docs.github.com/en/rest\n SOCKET_CLI_GITHUB_API_URL:\n envAsString(processEnv['SOCKET_CLI_GITHUB_API_URL']) ||\n readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github\n ?.githubApiUrl ||\n 'https://api.github.com',\n // A classic GitHub personal access token with the \"repo\" scope or a\n // fine-grained access token with at least read/write permissions set for\n // \"Contents\" and \"Pull Request\".\n // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n SOCKET_CLI_GITHUB_TOKEN:\n envAsString(processEnv['SOCKET_CLI_GITHUB_TOKEN']) ||\n // TODO: Remove undocumented legacy environment variable name.\n envAsString(processEnv['SOCKET_SECURITY_GITHUB_PAT']) ||\n GITHUB_TOKEN,\n // Make the default API token `undefined`.\n SOCKET_CLI_NO_API_TOKEN: envAsBoolean(\n processEnv['SOCKET_CLI_NO_API_TOKEN'],\n ),\n // The absolute location of the npm directory.\n SOCKET_CLI_NPM_PATH: envAsString(processEnv['SOCKET_CLI_NPM_PATH']),\n // Specify the Socket organization slug.\n SOCKET_CLI_ORG_SLUG:\n envAsString(processEnv['SOCKET_CLI_ORG_SLUG']) ||\n // Coana CLI accepts the SOCKET_ORG_SLUG environment variable.\n envAsString(processEnv['SOCKET_ORG_SLUG']),\n // View all risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(\n processEnv[SOCKET_CLI_VIEW_ALL_RISKS],\n ),\n // Specifies the type of terminal or terminal emulator being used by the process.\n TERM: envAsString(processEnv['TERM']),\n // The location of the base directory on Linux and MacOS used to store\n // user-specific data files, defaulting to $HOME/.local/share if not set or empty.\n XDG_DATA_HOME: envAsString(processEnv['XDG_DATA_HOME']),\n })\n}\n\nconst lazyBashRcPath = () => path.join(constants.homePath, '.bashrc')\n\nconst lazyBinPath = () => path.join(constants.rootPath, 'bin')\n\nconst lazyBinCliPath = () => path.join(constants.binPath, 'cli.js')\n\nconst lazyBlessedContribPath = () =>\n path.join(constants.externalPath, 'blessed-contrib')\n\nconst lazyBlessedOptions = () =>\n Object.freeze({\n smartCSR: true,\n term: constants.WIN32 ? 'windows-ansi' : 'xterm',\n useBCE: true,\n })\n\nconst lazyBlessedPath = () => path.join(constants.externalPath, 'blessed')\n\nconst lazyDistCliPath = () => path.join(constants.distPath, 'cli.js')\n\nconst lazyDistPath = () => path.join(constants.rootPath, 'dist')\n\nconst lazyExternalPath = () => path.join(constants.rootPath, 'external')\n\nconst lazyGithubCachePath = () => path.join(constants.socketCachePath, 'github')\n\nconst lazyHomePath = () => os.homedir()\n\nconst lazyInstrumentWithSentryPath = () =>\n path.join(constants.distPath, 'instrument-with-sentry.js')\n\nconst lazyMinimumVersionByAgent = () =>\n new Map([\n // Bun >=1.1.39 supports the text-based lockfile.\n // https://bun.sh/blog/bun-lock-text-lockfile\n [BUN, '1.1.39'],\n // The npm version bundled with Node 18.\n // https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch\n ['npm', '10.8.2'],\n // 8.x is the earliest version to support Node 18.\n // https://pnpm.io/installation#compatibility\n // https://www.npmjs.com/package/pnpm?activeTab=versions\n [PNPM, '8.15.7'],\n // 4.x supports >= Node 18.12.0\n // https://github.com/yarnpkg/berry/blob/%40yarnpkg/core/4.1.0/CHANGELOG.md#400\n [YARN_BERRY, '4.0.0'],\n // Latest 1.x.\n // https://www.npmjs.com/package/yarn?activeTab=versions\n [YARN_CLASSIC, '1.22.22'],\n // vlt does not support overrides so we don't gate on it.\n [VLT, '*'],\n ])\n\nconst lazyNmBinPath = () => path.join(constants.rootPath, 'node_modules/.bin')\n\n// Redefine registryConstants.nodeHardenFlags to account for the\n// INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.\nconst lazyNodeHardenFlags = () =>\n Object.freeze(\n constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD || constants.WIN32\n ? []\n : // Harden Node security.\n // https://nodejs.org/en/learn/getting-started/security-best-practices\n [\n '--disable-proto',\n 'throw',\n // We have contributed the following patches to our dependencies to make\n // Node's --frozen-intrinsics workable.\n // √ https://github.com/SBoudrias/Inquirer.js/pull/1683\n // √ https://github.com/pnpm/components/pull/23\n '--frozen-intrinsics',\n '--no-deprecation',\n ],\n )\n\nconst lazyNodeMemoryFlags = () => {\n const flags = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/flags.js'),\n )\n const getMaxOldSpaceSizeFlag = flags.getMaxOldSpaceSizeFlag\n const getMaxSemiSpaceSizeFlag = flags.getMaxSemiSpaceSizeFlag\n return Object.freeze([\n `--max-old-space-size=${getMaxOldSpaceSizeFlag()}`,\n `--max-semi-space-size=${getMaxSemiSpaceSizeFlag()}`,\n ])\n}\n\nconst lazyNpmCachePath = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['config', 'get', 'cache'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmGlobalPrefix = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['prefix', '-g'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmNmNodeGypPath = () =>\n path.join(\n constants.npmRealExecPath,\n '../../node_modules/node-gyp/bin/node-gyp.js',\n )\n\nconst lazyProcessEnv = () =>\n Object.setPrototypeOf(\n Object.fromEntries(\n Object.entries(constants.ENV).reduce(\n (entries, entry) => {\n const { 0: key, 1: value } = entry\n if (key.startsWith('INLINED_SOCKET_CLI_')) {\n return entries\n }\n if (typeof value === 'string') {\n if (value) {\n entries.push(entry as [string, string])\n }\n } else if (typeof value === 'boolean' && value) {\n entries.push([key, '1'])\n }\n return entries\n },\n [] as Array<[string, string]>,\n ),\n ),\n null,\n )\n\nconst lazyRootPath = () => path.join(realpathSync.native(__dirname), '..')\n\nconst lazyShadowBinPath = () => path.join(constants.rootPath, 'shadow-npm-bin')\n\nconst lazyShadowNpmBinPath = () =>\n path.join(constants.distPath, 'shadow-npm-bin.js')\n\nconst lazyShadowNpmInjectPath = () =>\n path.join(constants.distPath, 'shadow-npm-inject.js')\n\nconst lazySocketAppDataPath = (): string | undefined => {\n // Get the OS app data directory:\n // - Win: %LOCALAPPDATA% or fail?\n // - Mac: %XDG_DATA_HOME% or fallback to \"~/Library/Application Support/\"\n // - Linux: %XDG_DATA_HOME% or fallback to \"~/.local/share/\"\n // Note: LOCALAPPDATA is typically: C:\\Users\\USERNAME\\AppData\n // Note: XDG stands for \"X Desktop Group\", nowadays \"freedesktop.org\"\n // On most systems that path is: $HOME/.local/share\n // Then append `socket/settings`, so:\n // - Win: %LOCALAPPDATA%\\socket\\settings or return undefined\n // - Mac: %XDG_DATA_HOME%/socket/settings or \"~/Library/Application Support/socket/settings\"\n // - Linux: %XDG_DATA_HOME%/socket/settings or \"~/.local/share/socket/settings\"\n const { WIN32 } = constants\n let dataHome: string | undefined = WIN32\n ? constants.ENV.LOCALAPPDATA\n : constants.ENV.XDG_DATA_HOME\n if (!dataHome) {\n if (WIN32) {\n const logger = /*@__PURE__*/ require('@socketsecurity/registry/lib/logger')\n logger.warn(`Missing %${LOCALAPPDATA}%`)\n } else {\n dataHome = path.join(\n constants.homePath,\n constants.DARWIN ? 'Library/Application Support' : '.local/share',\n )\n }\n }\n return dataHome ? path.join(dataHome, 'socket/settings') : undefined\n}\n\nconst lazySocketCachePath = () => path.join(constants.rootPath, '.cache')\n\nconst lazySocketRegistryPath = () =>\n path.join(constants.externalPath, '@socketsecurity/registry')\n\nconst lazyZshRcPath = () => path.join(constants.homePath, '.zshrc')\n\nconst constants: Constants = createConstantsObject(\n {\n ...registryConstantsAttribs.props,\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n API_V0_URL,\n BINARY_LOCK_EXT,\n BUN,\n DOT_SOCKET_DOT_FACTS_JSON,\n DRY_RUN_LABEL,\n DRY_RUN_BAILING_NOW,\n DRY_RUN_NOT_SAVING,\n ENV: undefined,\n LOCK_EXT,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n NPM_REGISTRY_URL,\n PNPM,\n REDACTED,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_BIN_NAME,\n SOCKET_CLI_FIX,\n SOCKET_CLI_ISSUES_URL,\n SOCKET_CLI_OPTIMIZE,\n SOCKET_CLI_SHADOW_API_TOKEN,\n SOCKET_CLI_SHADOW_BIN,\n SOCKET_CLI_SHADOW_PROGRESS,\n SOCKET_CLI_VIEW_ALL_RISKS,\n SOCKET_DEFAULT_BRANCH,\n SOCKET_DEFAULT_REPOSITORY,\n SOCKET_WEBSITE_URL,\n VLT,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n YARN_LOCK,\n bashRcPath: undefined,\n binPath: undefined,\n binCliPath: undefined,\n blessedContribPath: undefined,\n blessedOptions: undefined,\n blessedPath: undefined,\n coanaBinPath: undefined,\n coanaPath: undefined,\n distCliPath: undefined,\n distPath: undefined,\n externalPath: undefined,\n githubCachePath: undefined,\n homePath: undefined,\n instrumentWithSentryPath: undefined,\n minimumVersionByAgent: undefined,\n nmBinPath: undefined,\n nodeHardenFlags: undefined,\n nodeMemoryFlags: undefined,\n npmCachePath: undefined,\n npmGlobalPrefix: undefined,\n npmNmNodeGypPath: undefined,\n processEnv: undefined,\n rootPath: undefined,\n shadowBinPath: undefined,\n shadowNpmInjectPath: undefined,\n shadowNpmBinPath: undefined,\n socketAppDataPath: undefined,\n socketCachePath: undefined,\n socketRegistryPath: undefined,\n zshRcPath: undefined,\n },\n {\n getters: {\n ...registryConstantsAttribs.getters,\n ENV: LAZY_ENV,\n bashRcPath: lazyBashRcPath,\n binCliPath: lazyBinCliPath,\n binPath: lazyBinPath,\n blessedContribPath: lazyBlessedContribPath,\n blessedOptions: lazyBlessedOptions,\n blessedPath: lazyBlessedPath,\n distCliPath: lazyDistCliPath,\n distPath: lazyDistPath,\n externalPath: lazyExternalPath,\n githubCachePath: lazyGithubCachePath,\n homePath: lazyHomePath,\n instrumentWithSentryPath: lazyInstrumentWithSentryPath,\n minimumVersionByAgent: lazyMinimumVersionByAgent,\n nmBinPath: lazyNmBinPath,\n nodeHardenFlags: lazyNodeHardenFlags,\n nodeMemoryFlags: lazyNodeMemoryFlags,\n npmCachePath: lazyNpmCachePath,\n npmGlobalPrefix: lazyNpmGlobalPrefix,\n npmNmNodeGypPath: lazyNpmNmNodeGypPath,\n processEnv: lazyProcessEnv,\n rootPath: lazyRootPath,\n shadowBinPath: lazyShadowBinPath,\n shadowNpmBinPath: lazyShadowNpmBinPath,\n shadowNpmInjectPath: lazyShadowNpmInjectPath,\n socketAppDataPath: lazySocketAppDataPath,\n socketCachePath: lazySocketCachePath,\n socketRegistryPath: lazySocketRegistryPath,\n zshRcPath: lazyZshRcPath,\n },\n internals: {\n ...registryConstantsAttribs.internals,\n getIpc,\n getSentry() {\n return _Sentry\n },\n setSentry(Sentry: Sentry): boolean {\n if (_Sentry === undefined) {\n _Sentry = Sentry\n return true\n }\n return false\n },\n },\n },\n) as Constants\n\nexport default constants\n"],"names":["attributes","getIpc","_npmStdioPipeOptions","cwd","env","__proto__","DISABLE_GITHUB_CACHE","GITHUB_BASE_REF","GITHUB_REF_NAME","GITHUB_REF_TYPE","GITHUB_REPOSITORY","LOCALAPPDATA","NODE_EXTRA_CA_CERTS","envAsString","PATH","SOCKET_CLI_ACCEPT_RISKS","SOCKET_CLI_API_BASE_URL","SOCKET_CLI_API_PROXY","SOCKET_CLI_API_TIMEOUT","SOCKET_CLI_API_TOKEN","SOCKET_CLI_CONFIG","SOCKET_CLI_GIT_USER_NAME","SOCKET_CLI_GITHUB_TOKEN","SOCKET_CLI_NO_API_TOKEN","SOCKET_CLI_NPM_PATH","SOCKET_CLI_ORG_SLUG","SOCKET_CLI_VIEW_ALL_RISKS","TERM","XDG_DATA_HOME","smartCSR","term","useBCE","entries","WIN32","logger","dataHome","ENV","bashRcPath","binPath","binCliPath","blessedContribPath","blessedOptions","blessedPath","coanaBinPath","coanaPath","distCliPath","distPath","externalPath","githubCachePath","homePath","instrumentWithSentryPath","minimumVersionByAgent","nmBinPath","nodeHardenFlags","nodeMemoryFlags","npmCachePath","npmGlobalPrefix","npmNmNodeGypPath","processEnv","rootPath","shadowBinPath","shadowNpmInjectPath","shadowNpmBinPath","socketAppDataPath","socketCachePath","socketRegistryPath","zshRcPath","getters","internals","getSentry","_Sentry"],"mappings":";;;;;;;;;;AAYA;AACA;AACA;AACA;AACA;AACA;AAEA;;AAEE;AACEA;;AAEAC;AACF;AACF;AAyJA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;;AAEIC;AACEC;;;AAGJ;AACA;AACF;AAEA;;AACUC;AAAgB;AACxB;AACA;AAGA;AACA;AACA;AACA;AACA;;AAEA;AACA;;AAEEC;AACA;;AAEA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;AACAC;AACA;AACA;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;AACA;AACAC;AACA;AACA;;AAIA;AACA;AACA;AACA;AACAC;AAEE;AACA;AACAC;AACF;AACA;AACA;AACAC;AACA;AACAC;AACA;AACA;AACAC;AAEE;AACAH;AAGF;AACA;AACAI;AAEE;AACAJ;AACA;AACA;AACAA;AAIF;AACA;AACAK;AACA;AACA;AACAC;AAEE;;AAIF;AACAC;AACA;;AAIA;AACAC;AAIA;AACA;;AAMA;AACA;AACA;AACA;AACAC;AAEE;AACAT;AAEF;AACAU;AAGA;AACAC;AACA;AACAC;AAEE;AACAZ;AACF;AACAa;AAGA;AACAC;AACA;AACA;AACAC;AACF;AACF;AAEA;AAEA;AAEA;AAEA;AAGA;AAEIC;AACAC;AACAC;AACF;AAEF;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAGA;AAEI;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGJ;;AAEA;AACA;AACA;AAIQ;AACA;AACA;AAGE;AACA;AACA;AACA;AACA;AAKV;AACE;AAGA;AACA;AACA;AAIF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AAMA;;AAKkB;AAAQ;AAAS;AACzB;AACE;AACF;AACA;AACE;AACEC;AACF;;;AAGF;AACA;AACF;AAOR;AAEA;AAEA;AAGA;AAGA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACQC;AAAM;AACd;;AAIE;AACE;AACAC;AACF;AACEC;AAIF;AACF;;AAEF;AAEA;AAEA;AAGA;AAEA;;;;;;;;;;;;;AAcIC;;;;;;;;;;;;;;;;;;;;;;;AAuBAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEC;;AAEE/B;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAG;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;;AAEFE;;;AAGEC;AACE;;;;AAIEC;AACA;AACF;AACA;AACF;AACF;AACF;;","debugId":"b227a9c0-cf67-42c6-ac6c-2896fbb5f380"}
1
+ {"version":3,"file":"constants.js","sources":["../src/constants.mts"],"sourcesContent":["import { realpathSync } from 'node:fs'\nimport { createRequire } from 'node:module'\nimport os from 'node:os'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport registryConstants from '@socketsecurity/registry/lib/constants'\n\nimport type { Agent } from './utils/package-environment.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { SpawnOptions } from '@socketsecurity/registry/lib/spawn'\n\nconst require = createRequire(import.meta.url)\nconst __filename = fileURLToPath(import.meta.url)\n// Using `path.dirname(__filename)` to resolve `__dirname` works for both 'dist'\n// AND 'src' directories because constants.js and constants.mts respectively are\n// in the root of each.\nconst __dirname = path.dirname(__filename)\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: {\n attributes: registryConstantsAttribs,\n createConstantsObject,\n getIpc,\n },\n} = registryConstants\n\nexport type RegistryEnv = typeof registryConstants.ENV\n\nexport type RegistryInternals =\n (typeof registryConstants)['Symbol(kInternalsSymbol)']\n\nexport type Sentry = any\n\nexport type Internals = Remap<\n Omit<RegistryInternals, 'getIpc'> &\n Readonly<{\n getIpc: {\n (): Promise<IPC>\n <K extends keyof IPC | undefined>(\n key?: K | undefined,\n ): Promise<K extends keyof IPC ? IPC[K] : IPC>\n }\n getSentry: () => Sentry\n setSentry(Sentry: Sentry): boolean\n }>\n>\n\nexport type ENV = Remap<\n RegistryEnv &\n Readonly<{\n DISABLE_GITHUB_CACHE: boolean\n GITHUB_API_URL: string\n GITHUB_BASE_REF: string\n GITHUB_REF_NAME: string\n GITHUB_REF_TYPE: string\n GITHUB_REPOSITORY: string\n GITHUB_SERVER_URL: string\n GITHUB_TOKEN: string\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: string\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: string\n INLINED_SOCKET_CLI_HOMEPAGE: string\n INLINED_SOCKET_CLI_LEGACY_BUILD: string\n INLINED_SOCKET_CLI_NAME: string\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: string\n INLINED_SOCKET_CLI_SENTRY_BUILD: string\n INLINED_SOCKET_CLI_VERSION: string\n INLINED_SOCKET_CLI_VERSION_HASH: string\n INLINED_SOCKET_CLI_SYNP_VERSION: string\n LOCALAPPDATA: string\n NODE_COMPILE_CACHE: string\n NODE_EXTRA_CA_CERTS: string\n PATH: string\n SOCKET_CLI_ACCEPT_RISKS: boolean\n SOCKET_CLI_API_BASE_URL: string\n SOCKET_CLI_API_PROXY: string\n SOCKET_CLI_API_TIMEOUT: number\n SOCKET_CLI_API_TOKEN: string\n SOCKET_CLI_CONFIG: string\n SOCKET_CLI_GIT_USER_EMAIL: string\n SOCKET_CLI_GIT_USER_NAME: string\n SOCKET_CLI_GITHUB_TOKEN: string\n SOCKET_CLI_NO_API_TOKEN: boolean\n SOCKET_CLI_NPM_PATH: string\n SOCKET_CLI_ORG_SLUG: string\n SOCKET_CLI_VIEW_ALL_RISKS: boolean\n TERM: string\n XDG_DATA_HOME: string\n }>\n>\n\nexport type ProcessEnv = {\n [K in keyof ENV]?: string\n}\n\nexport type IPC = Readonly<{\n SOCKET_CLI_FIX?: string | undefined\n SOCKET_CLI_OPTIMIZE?: boolean | undefined\n SOCKET_CLI_SHADOW_ACCEPT_RISKS?: boolean | undefined\n SOCKET_CLI_SHADOW_API_TOKEN?: string | undefined\n SOCKET_CLI_SHADOW_BIN?: string | undefined\n SOCKET_CLI_SHADOW_PROGRESS?: boolean | undefined\n SOCKET_CLI_SHADOW_SILENT?: boolean | undefined\n}>\n\nexport type Constants = Remap<\n Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {\n readonly 'Symbol(kInternalsSymbol)': Internals\n readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'\n readonly ALERT_TYPE_CVE: 'cve'\n readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'\n readonly ALERT_TYPE_MILD_CVE: 'mildCVE'\n readonly API_V0_URL: 'https://api.socket.dev/v0/'\n readonly BINARY_LOCK_EXT: '.lockb'\n readonly BUN: 'bun'\n readonly ENV: ENV\n readonly DOT_SOCKET_DOT_FACTS_JSON: '.socket.facts.json'\n readonly DRY_RUN_LABEL: '[DryRun]'\n readonly DRY_RUN_BAILING_NOW: '[DryRun] Bailing now'\n readonly DRY_RUN_NOT_SAVING: '[DryRun] Not saving'\n readonly IPC: IPC\n readonly LOCK_EXT: '.lock'\n readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'\n readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'\n readonly PNPM: 'pnpm'\n readonly REDACTED: '<redacted>'\n readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'\n readonly SOCKET_CLI_BIN_NAME: 'socket'\n readonly SOCKET_CLI_CONFIG: 'SOCKET_CLI_CONFIG'\n readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'\n readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'\n readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'\n readonly SOCKET_CLI_SHADOW_ACCEPT_RISKS: 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'\n readonly SOCKET_CLI_SHADOW_API_TOKEN: 'SOCKET_CLI_SHADOW_API_TOKEN'\n readonly SOCKET_CLI_SHADOW_BIN: 'SOCKET_CLI_SHADOW_BIN'\n readonly SOCKET_CLI_SHADOW_PROGRESS: 'SOCKET_CLI_SHADOW_PROGRESS'\n readonly SOCKET_CLI_SHADOW_SILENT: 'SOCKET_CLI_SHADOW_SILENT'\n readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'\n readonly SOCKET_DEFAULT_BRANCH: 'socket-default-branch'\n readonly SOCKET_DEFAULT_REPOSITORY: 'socket-default-repository'\n readonly SOCKET_WEBSITE_URL: 'https://socket.dev'\n readonly VLT: 'vlt'\n readonly YARN: 'yarn'\n readonly YARN_BERRY: 'yarn/berry'\n readonly YARN_CLASSIC: 'yarn/classic'\n readonly YARN_LOCK: 'yarn.lock'\n readonly bashRcPath: string\n readonly binCliPath: string\n readonly binPath: string\n readonly blessedContribPath: string\n readonly blessedOptions: {\n smartCSR: boolean\n term: string\n useBCE: boolean\n }\n readonly blessedPath: string\n readonly coanaBinPath: string\n readonly coanaPath: string\n readonly distCliPath: string\n readonly distPath: string\n readonly externalPath: string\n readonly githubCachePath: string\n readonly homePath: string\n readonly instrumentWithSentryPath: string\n readonly minimumVersionByAgent: Map<Agent, string>\n readonly nmBinPath: string\n readonly nodeDebugFlags: string[]\n readonly nodeHardenFlags: string[]\n readonly nodeMemoryFlags: string[]\n readonly npmCachePath: string\n readonly npmGlobalPrefix: string\n readonly npmNmNodeGypPath: string\n readonly processEnv: ProcessEnv\n readonly rootPath: string\n readonly shadowBinPath: string\n readonly shadowNpmBinPath: string\n readonly shadowNpmInjectPath: string\n readonly socketAppDataPath: string\n readonly socketCachePath: string\n readonly socketRegistryPath: string\n readonly zshRcPath: string\n }\n>\n\nconst ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'\nconst ALERT_TYPE_CVE = 'cve'\nconst ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'\nconst ALERT_TYPE_MILD_CVE = 'mildCVE'\nconst API_V0_URL = 'https://api.socket.dev/v0/'\nconst BINARY_LOCK_EXT = '.lockb'\nconst BUN = 'bun'\nconst DOT_SOCKET_DOT_FACTS_JSON = '.socket.facts.json'\nconst DRY_RUN_LABEL = '[DryRun]'\nconst DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`\nconst DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`\nconst LOCALAPPDATA = 'LOCALAPPDATA'\nconst LOCK_EXT = '.lock'\nconst NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'\nconst NPM_REGISTRY_URL = 'https://registry.npmjs.org'\nconst PNPM = 'pnpm'\nconst REDACTED = '<redacted>'\nconst SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'\nconst SOCKET_CLI_BIN_NAME = 'socket'\nconst SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'\nconst SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'\nconst SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'\nconst SOCKET_CLI_SHADOW_ACCEPT_RISKS = 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'\nconst SOCKET_CLI_SHADOW_API_TOKEN = 'SOCKET_CLI_SHADOW_API_TOKEN'\nconst SOCKET_CLI_SHADOW_BIN = 'SOCKET_CLI_SHADOW_BIN'\nconst SOCKET_CLI_SHADOW_PROGRESS = 'SOCKET_CLI_SHADOW_PROGRESS'\nconst SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT'\nconst SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'\nconst SOCKET_DEFAULT_BRANCH = 'socket-default-branch'\nconst SOCKET_DEFAULT_REPOSITORY = 'socket-default-repository'\nconst SOCKET_WEBSITE_URL = 'https://socket.dev'\nconst VLT = 'vlt'\nconst YARN = 'yarn'\nconst YARN_BERRY = 'yarn/berry'\nconst YARN_CLASSIC = 'yarn/classic'\nconst YARN_LOCK = 'yarn.lock'\n\nlet _Sentry: any\n\nlet _npmStdioPipeOptions: SpawnOptions | undefined\nfunction getNpmStdioPipeOptions() {\n if (_npmStdioPipeOptions === undefined) {\n _npmStdioPipeOptions = {\n cwd: process.cwd(),\n shell: constants.WIN32,\n }\n }\n return _npmStdioPipeOptions\n}\n\nconst LAZY_ENV = () => {\n const { env } = process\n const envHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/env')\n const utils = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/utils.js'),\n )\n const envAsBoolean = envHelpers.envAsBoolean\n const envAsNumber = envHelpers.envAsNumber\n const envAsString = envHelpers.envAsString\n const getConfigValueOrUndef = utils.getConfigValueOrUndef\n const readOrDefaultSocketJson = utils.readOrDefaultSocketJson\n const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])\n const INLINED_SOCKET_CLI_PUBLISHED_BUILD = envAsBoolean(\n process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],\n )\n // We inline some environment values so that they CANNOT be influenced by user\n // provided environment variables.\n return Object.freeze({\n __proto__: null,\n // Lazily access registryConstants.ENV.\n ...registryConstants.ENV,\n // Disable using GitHub's workflow actions/cache.\n // https://github.com/actions/cache\n DISABLE_GITHUB_CACHE: envAsBoolean(env['DISABLE_GITHUB_CACHE']),\n // The API URL. For example, https://api.github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_API_URL:\n envAsString(env['GITHUB_API_URL']) || 'https://api.github.com',\n // The name of the base ref or target branch of the pull request in a workflow\n // run. This is only set when the event that triggers a workflow run is either\n // pull_request or pull_request_target. For example, main.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_BASE_REF: envAsString(env['GITHUB_BASE_REF']),\n // The short ref name of the branch or tag that triggered the GitHub workflow\n // run. This value matches the branch or tag name shown on GitHub. For example,\n // feature-branch-1. For pull requests, the format is <pr_number>/merge.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_NAME: envAsString(env['GITHUB_REF_NAME']),\n // The type of ref that triggered the workflow run. Valid values are branch or tag.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_TYPE: envAsString(env['GITHUB_REF_TYPE']),\n // The owner and repository name. For example, octocat/Hello-World.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),\n // The URL of the GitHub server. For example, https://github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_SERVER_URL:\n envAsString(env['GITHUB_SERVER_URL']) || 'https://github.com',\n // The GITHUB_TOKEN secret is a GitHub App installation access token.\n // The token's permissions are limited to the repository that contains the\n // workflow.\n // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret\n GITHUB_TOKEN,\n // Comp-time inlined @coana-tech/cli package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION']\".\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION'],\n ),\n // Comp-time inlined @cyclonedx/cdxgen package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']\".\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION'],\n ),\n // Comp-time inlined Socket package homepage.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_HOMEPAGE']\".\n INLINED_SOCKET_CLI_HOMEPAGE: envAsString(\n process.env['INLINED_SOCKET_CLI_HOMEPAGE'],\n ),\n // Comp-time inlined flag to determine if this is the Legacy build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']\".\n INLINED_SOCKET_CLI_LEGACY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],\n ),\n // Comp-time inlined Socket package name.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_NAME']\".\n INLINED_SOCKET_CLI_NAME: envAsString(\n process.env['INLINED_SOCKET_CLI_NAME'],\n ),\n // Comp-time inlined flag to determine if this is a published build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n INLINED_SOCKET_CLI_PUBLISHED_BUILD,\n // Comp-time inlined flag to determine if this is the Sentry build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\n INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],\n ),\n // Comp-time inlined synp package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SYNP_VERSION']\".\n INLINED_SOCKET_CLI_SYNP_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_SYNP_VERSION'],\n ),\n // Comp-time inlined Socket package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION']\".\n INLINED_SOCKET_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION'],\n ),\n // Comp-time inlined Socket package version hash.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n INLINED_SOCKET_CLI_VERSION_HASH: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION_HASH'],\n ),\n // The absolute location of the %localappdata% folder on Windows used to store\n // user-specific, non-roaming application data, like temporary files, cached\n // data, and program settings, that are specific to the current machine and user.\n LOCALAPPDATA: envAsString(env[LOCALAPPDATA]),\n // Enable the module compile cache for the Node.js instance.\n // https://nodejs.org/api/cli.html#node_compile_cachedir\n NODE_COMPILE_CACHE: constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR\n ? constants.socketCachePath\n : '',\n // Redefine registryConstants.ENV.NODE_ENV to account for the\n // INLINED_SOCKET_CLI_PUBLISHED_BUILD environment variable.\n NODE_ENV:\n envAsString(env['NODE_ENV']).toLowerCase() === 'production'\n ? 'production'\n : INLINED_SOCKET_CLI_PUBLISHED_BUILD\n ? ''\n : 'development',\n // Well known \"root\" CAs (like VeriSign) will be extended with the extra\n // certificates in file. The file should consist of one or more trusted\n // certificates in PEM format.\n // https://nodejs.org/api/cli.html#node_extra_ca_certsfile\n NODE_EXTRA_CA_CERTS:\n envAsString(env['NODE_EXTRA_CA_CERTS']) ||\n // Commonly used environment variable to specify the path to a single\n // PEM-encoded certificate file.\n envAsString(env['SSL_CERT_FILE']),\n // PATH is an environment variable that lists directories where executable\n // programs are located. When a command is run, the system searches these\n // directories to find the executable.\n PATH: envAsString(env['PATH']),\n // Accept risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),\n // Change the base URL for Socket API calls.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_BASE_URL:\n envAsString(env['SOCKET_CLI_API_BASE_URL']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_API_BASE_URL']) ||\n getConfigValueOrUndef('apiBaseUrl') ||\n 'https://api.socket.dev/v0/',\n // Set the proxy that all requests are routed through.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_PROXY:\n envAsString(env['SOCKET_CLI_API_PROXY']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_API_PROXY']) ||\n // Commonly used environment variables to specify routing requests through\n // a proxy server.\n envAsString(env['HTTPS_PROXY']) ||\n envAsString(env['https_proxy']) ||\n envAsString(env['HTTP_PROXY']) ||\n envAsString(env['http_proxy']),\n // Set the timeout in milliseconds for Socket API requests.\n // https://nodejs.org/api/http.html#httprequesturl-options-callback\n SOCKET_CLI_API_TIMEOUT: envAsNumber(env['SOCKET_CLI_API_TOKEN']),\n // Set the Socket API token.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables\n SOCKET_CLI_API_TOKEN:\n envAsString(env['SOCKET_CLI_API_TOKEN']) ||\n // TODO: Remove legacy environment variable names.\n envAsString(env['SOCKET_CLI_API_KEY']) ||\n envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_API_KEY']),\n // A JSON stringified Socket configuration object.\n SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),\n // The git config user.email used by Socket CLI.\n SOCKET_CLI_GIT_USER_EMAIL:\n envAsString(env['SOCKET_CLI_GIT_USER_EMAIL']) ||\n 'github-actions[bot]@users.noreply.github.com',\n // The git config user.name used by Socket CLI.\n SOCKET_CLI_GIT_USER_NAME:\n envAsString(env['SOCKET_CLI_GIT_USER_NAME']) ||\n envAsString(env['SOCKET_CLI_GIT_USERNAME']) ||\n 'github-actions[bot]',\n // Change the base URL for GitHub REST API calls.\n // https://docs.github.com/en/rest\n SOCKET_CLI_GITHUB_API_URL:\n envAsString(env['SOCKET_CLI_GITHUB_API_URL']) ||\n readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github\n ?.githubApiUrl ||\n 'https://api.github.com',\n // A classic GitHub personal access token with the \"repo\" scope or a\n // fine-grained access token with at least read/write permissions set for\n // \"Contents\" and \"Pull Request\".\n // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n SOCKET_CLI_GITHUB_TOKEN:\n envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) ||\n // TODO: Remove undocumented legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_GITHUB_PAT']) ||\n GITHUB_TOKEN,\n // Make the default API token `undefined`.\n SOCKET_CLI_NO_API_TOKEN: envAsBoolean(\n env['SOCKET_CLI_NO_API_TOKEN'],\n ),\n // The absolute location of the npm directory.\n SOCKET_CLI_NPM_PATH: envAsString(env['SOCKET_CLI_NPM_PATH']),\n // Specify the Socket organization slug.\n SOCKET_CLI_ORG_SLUG:\n envAsString(env['SOCKET_CLI_ORG_SLUG']) ||\n // Coana CLI accepts the SOCKET_ORG_SLUG environment variable.\n envAsString(env['SOCKET_ORG_SLUG']),\n // View all risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(\n env[SOCKET_CLI_VIEW_ALL_RISKS],\n ),\n // Specifies the type of terminal or terminal emulator being used by the process.\n TERM: envAsString(env['TERM']),\n // The location of the base directory on Linux and MacOS used to store\n // user-specific data files, defaulting to $HOME/.local/share if not set or empty.\n XDG_DATA_HOME: envAsString(env['XDG_DATA_HOME']),\n })\n}\n\nconst lazyBashRcPath = () => path.join(constants.homePath, '.bashrc')\n\nconst lazyBinPath = () => path.join(constants.rootPath, 'bin')\n\nconst lazyBinCliPath = () => path.join(constants.binPath, 'cli.js')\n\nconst lazyBlessedContribPath = () =>\n path.join(constants.externalPath, 'blessed-contrib')\n\nconst lazyBlessedOptions = () =>\n Object.freeze({\n smartCSR: true,\n term: constants.WIN32 ? 'windows-ansi' : 'xterm',\n useBCE: true,\n })\n\nconst lazyBlessedPath = () => path.join(constants.externalPath, 'blessed')\n\nconst lazyDistCliPath = () => path.join(constants.distPath, 'cli.js')\n\nconst lazyDistPath = () => path.join(constants.rootPath, 'dist')\n\nconst lazyExternalPath = () => path.join(constants.rootPath, 'external')\n\nconst lazyGithubCachePath = () => path.join(constants.socketCachePath, 'github')\n\nconst lazyHomePath = () => os.homedir()\n\nconst lazyInstrumentWithSentryPath = () =>\n path.join(constants.distPath, 'instrument-with-sentry.js')\n\nconst lazyMinimumVersionByAgent = () =>\n new Map([\n // Bun >=1.1.39 supports the text-based lockfile.\n // https://bun.sh/blog/bun-lock-text-lockfile\n [BUN, '1.1.39'],\n // The npm version bundled with Node 18.\n // https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch\n ['npm', '10.8.2'],\n // 8.x is the earliest version to support Node 18.\n // https://pnpm.io/installation#compatibility\n // https://www.npmjs.com/package/pnpm?activeTab=versions\n [PNPM, '8.15.7'],\n // 4.x supports >= Node 18.12.0\n // https://github.com/yarnpkg/berry/blob/%40yarnpkg/core/4.1.0/CHANGELOG.md#400\n [YARN_BERRY, '4.0.0'],\n // Latest 1.x.\n // https://www.npmjs.com/package/yarn?activeTab=versions\n [YARN_CLASSIC, '1.22.22'],\n // vlt does not support overrides so we don't gate on it.\n [VLT, '*'],\n ])\n\nconst lazyNmBinPath = () => path.join(constants.rootPath, 'node_modules/.bin')\n\nconst lazyNodeDebugFlags = () =>\n constants.ENV.SOCKET_CLI_DEBUG ? ['--trace-uncaught', '--trace-warnings'] : []\n\n// Redefine registryConstants.nodeHardenFlags to account for the\n// INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.\nconst lazyNodeHardenFlags = () =>\n Object.freeze(\n // Harden Node security.\n // https://nodejs.org/en/learn/getting-started/security-best-practices\n constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD || constants.WIN32\n ? [\n // https://nodejs.org/api/cli.html#--disallow-code-generation-from-strings\n // '--disallow-code-generation-from-strings'\n ]\n : [\n // '--disallow-code-generation-from-strings',\n // https://nodejs.org/api/cli.html#--disable-protomode\n // '--disable-proto',\n // 'throw',\n // https://nodejs.org/api/cli.html#--frozen-intrinsics\n // We have contributed the following patches to our dependencies to make\n // Node's --frozen-intrinsics workable.\n // √ https://github.com/SBoudrias/Inquirer.js/pull/1683\n // √ https://github.com/pnpm/components/pull/23\n // '--frozen-intrinsics',\n // https://nodejs.org/api/cli.html#--no-deprecation\n // '--no-deprecation',\n ],\n )\n\nconst lazyNodeMemoryFlags = () => {\n const flags = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/flags.js'),\n )\n const getMaxOldSpaceSizeFlag = flags.getMaxOldSpaceSizeFlag\n const getMaxSemiSpaceSizeFlag = flags.getMaxSemiSpaceSizeFlag\n return Object.freeze([\n `--max-old-space-size=${getMaxOldSpaceSizeFlag()}`,\n `--max-semi-space-size=${getMaxSemiSpaceSizeFlag()}`,\n ])\n}\n\nconst lazyNpmCachePath = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['config', 'get', 'cache'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmGlobalPrefix = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['prefix', '-g'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmNmNodeGypPath = () =>\n path.join(\n constants.npmRealExecPath,\n '../../node_modules/node-gyp/bin/node-gyp.js',\n )\n\nconst lazyProcessEnv = () =>\n Object.setPrototypeOf(\n Object.fromEntries(\n Object.entries(constants.ENV).reduce(\n (entries, entry) => {\n const { 0: key, 1: value } = entry\n if (key.startsWith('INLINED_SOCKET_CLI_')) {\n return entries\n }\n if (typeof value === 'string') {\n if (value) {\n entries.push(entry as [string, string])\n }\n } else if (typeof value === 'boolean' && value) {\n entries.push([key, '1'])\n }\n return entries\n },\n [] as Array<[string, string]>,\n ),\n ),\n null,\n )\n\nconst lazyRootPath = () => path.join(realpathSync.native(__dirname), '..')\n\nconst lazyShadowBinPath = () => path.join(constants.rootPath, 'shadow-npm-bin')\n\nconst lazyShadowNpmBinPath = () =>\n path.join(constants.distPath, 'shadow-npm-bin.js')\n\nconst lazyShadowNpmInjectPath = () =>\n path.join(constants.distPath, 'shadow-npm-inject.js')\n\nconst lazySocketAppDataPath = (): string | undefined => {\n // Get the OS app data directory:\n // - Win: %LOCALAPPDATA% or fail?\n // - Mac: %XDG_DATA_HOME% or fallback to \"~/Library/Application Support/\"\n // - Linux: %XDG_DATA_HOME% or fallback to \"~/.local/share/\"\n // Note: LOCALAPPDATA is typically: C:\\Users\\USERNAME\\AppData\n // Note: XDG stands for \"X Desktop Group\", nowadays \"freedesktop.org\"\n // On most systems that path is: $HOME/.local/share\n // Then append `socket/settings`, so:\n // - Win: %LOCALAPPDATA%\\socket\\settings or return undefined\n // - Mac: %XDG_DATA_HOME%/socket/settings or \"~/Library/Application Support/socket/settings\"\n // - Linux: %XDG_DATA_HOME%/socket/settings or \"~/.local/share/socket/settings\"\n const { WIN32 } = constants\n let dataHome: string | undefined = WIN32\n ? constants.ENV.LOCALAPPDATA\n : constants.ENV.XDG_DATA_HOME\n if (!dataHome) {\n if (WIN32) {\n const logger = /*@__PURE__*/ require('@socketsecurity/registry/lib/logger')\n logger.warn(`Missing %${LOCALAPPDATA}%`)\n } else {\n dataHome = path.join(\n constants.homePath,\n constants.DARWIN ? 'Library/Application Support' : '.local/share',\n )\n }\n }\n return dataHome ? path.join(dataHome, 'socket/settings') : undefined\n}\n\nconst lazySocketCachePath = () => path.join(constants.rootPath, '.cache')\n\nconst lazySocketRegistryPath = () =>\n path.join(constants.externalPath, '@socketsecurity/registry')\n\nconst lazyZshRcPath = () => path.join(constants.homePath, '.zshrc')\n\nconst constants: Constants = createConstantsObject(\n {\n ...registryConstantsAttribs.props,\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n API_V0_URL,\n BINARY_LOCK_EXT,\n BUN,\n DOT_SOCKET_DOT_FACTS_JSON,\n DRY_RUN_LABEL,\n DRY_RUN_BAILING_NOW,\n DRY_RUN_NOT_SAVING,\n ENV: undefined,\n LOCK_EXT,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n NPM_REGISTRY_URL,\n PNPM,\n REDACTED,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_BIN_NAME,\n SOCKET_CLI_FIX,\n SOCKET_CLI_ISSUES_URL,\n SOCKET_CLI_OPTIMIZE,\n SOCKET_CLI_SHADOW_ACCEPT_RISKS,\n SOCKET_CLI_SHADOW_API_TOKEN,\n SOCKET_CLI_SHADOW_BIN,\n SOCKET_CLI_SHADOW_PROGRESS,\n SOCKET_CLI_SHADOW_SILENT,\n SOCKET_CLI_VIEW_ALL_RISKS,\n SOCKET_DEFAULT_BRANCH,\n SOCKET_DEFAULT_REPOSITORY,\n SOCKET_WEBSITE_URL,\n VLT,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n YARN_LOCK,\n bashRcPath: undefined,\n binPath: undefined,\n binCliPath: undefined,\n blessedContribPath: undefined,\n blessedOptions: undefined,\n blessedPath: undefined,\n coanaBinPath: undefined,\n coanaPath: undefined,\n distCliPath: undefined,\n distPath: undefined,\n externalPath: undefined,\n githubCachePath: undefined,\n homePath: undefined,\n instrumentWithSentryPath: undefined,\n minimumVersionByAgent: undefined,\n nmBinPath: undefined,\n nodeHardenFlags: undefined,\n nodeDebugFlags: undefined,\n nodeMemoryFlags: undefined,\n npmCachePath: undefined,\n npmGlobalPrefix: undefined,\n npmNmNodeGypPath: undefined,\n processEnv: undefined,\n rootPath: undefined,\n shadowBinPath: undefined,\n shadowNpmInjectPath: undefined,\n shadowNpmBinPath: undefined,\n socketAppDataPath: undefined,\n socketCachePath: undefined,\n socketRegistryPath: undefined,\n zshRcPath: undefined,\n },\n {\n getters: {\n ...registryConstantsAttribs.getters,\n ENV: LAZY_ENV,\n bashRcPath: lazyBashRcPath,\n binCliPath: lazyBinCliPath,\n binPath: lazyBinPath,\n blessedContribPath: lazyBlessedContribPath,\n blessedOptions: lazyBlessedOptions,\n blessedPath: lazyBlessedPath,\n distCliPath: lazyDistCliPath,\n distPath: lazyDistPath,\n externalPath: lazyExternalPath,\n githubCachePath: lazyGithubCachePath,\n homePath: lazyHomePath,\n instrumentWithSentryPath: lazyInstrumentWithSentryPath,\n minimumVersionByAgent: lazyMinimumVersionByAgent,\n nmBinPath: lazyNmBinPath,\n nodeDebugFlags: lazyNodeDebugFlags,\n nodeHardenFlags: lazyNodeHardenFlags,\n nodeMemoryFlags: lazyNodeMemoryFlags,\n npmCachePath: lazyNpmCachePath,\n npmGlobalPrefix: lazyNpmGlobalPrefix,\n npmNmNodeGypPath: lazyNpmNmNodeGypPath,\n processEnv: lazyProcessEnv,\n rootPath: lazyRootPath,\n shadowBinPath: lazyShadowBinPath,\n shadowNpmBinPath: lazyShadowNpmBinPath,\n shadowNpmInjectPath: lazyShadowNpmInjectPath,\n socketAppDataPath: lazySocketAppDataPath,\n socketCachePath: lazySocketCachePath,\n socketRegistryPath: lazySocketRegistryPath,\n zshRcPath: lazyZshRcPath,\n },\n internals: {\n ...registryConstantsAttribs.internals,\n getIpc,\n getSentry() {\n return _Sentry\n },\n setSentry(Sentry: Sentry): boolean {\n if (_Sentry === undefined) {\n _Sentry = Sentry\n return true\n }\n return false\n },\n },\n },\n) as Constants\n\nexport default constants\n"],"names":["attributes","getIpc","_npmStdioPipeOptions","cwd","env","__proto__","DISABLE_GITHUB_CACHE","GITHUB_BASE_REF","GITHUB_REF_NAME","GITHUB_REF_TYPE","GITHUB_REPOSITORY","LOCALAPPDATA","NODE_EXTRA_CA_CERTS","envAsString","PATH","SOCKET_CLI_ACCEPT_RISKS","SOCKET_CLI_API_BASE_URL","SOCKET_CLI_API_PROXY","SOCKET_CLI_API_TIMEOUT","SOCKET_CLI_API_TOKEN","SOCKET_CLI_CONFIG","SOCKET_CLI_GIT_USER_NAME","SOCKET_CLI_GITHUB_TOKEN","SOCKET_CLI_NO_API_TOKEN","SOCKET_CLI_NPM_PATH","SOCKET_CLI_ORG_SLUG","SOCKET_CLI_VIEW_ALL_RISKS","TERM","XDG_DATA_HOME","smartCSR","term","useBCE","constants","entries","WIN32","logger","dataHome","ENV","bashRcPath","binPath","binCliPath","blessedContribPath","blessedOptions","blessedPath","coanaBinPath","coanaPath","distCliPath","distPath","externalPath","githubCachePath","homePath","instrumentWithSentryPath","minimumVersionByAgent","nmBinPath","nodeHardenFlags","nodeDebugFlags","nodeMemoryFlags","npmCachePath","npmGlobalPrefix","npmNmNodeGypPath","processEnv","rootPath","shadowBinPath","shadowNpmInjectPath","shadowNpmBinPath","socketAppDataPath","socketCachePath","socketRegistryPath","zshRcPath","getters","internals","getSentry","_Sentry"],"mappings":";;;;;;;;;;AAYA;AACA;AACA;AACA;AACA;AACA;AAEA;;AAEE;AACEA;;AAEAC;AACF;AACF;AA+JA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;;AAEIC;AACEC;;;AAGJ;AACA;AACF;AAEA;;AACUC;AAAI;AACZ;AACA;AAGA;AACA;AACA;AACA;AACA;;;AAKA;AACA;;AAEEC;AACA;;AAEA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;AACAC;AACA;AACA;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;AACA;AACAC;AACA;AACA;;AAIA;AACA;;AAOA;AACA;AACA;AACA;AACAC;AAEE;AACA;AACAC;AACF;AACA;AACA;AACAC;AACA;AACAC;AACA;AACA;AACAC;AAEE;AACAH;AAGF;AACA;AACAI;AAEE;AACAJ;AACA;AACA;AACAA;AAIF;AACA;AACAK;AACA;AACA;AACAC;AAEE;;AAIF;AACAC;AACA;;AAIA;AACAC;AAIA;AACA;;AAMA;AACA;AACA;AACA;AACAC;AAEE;AACAT;AAEF;AACAU;AAGA;AACAC;AACA;AACAC;AAEE;AACAZ;AACF;AACAa;AAGA;AACAC;AACA;AACA;AACAC;AACF;AACF;AAEA;AAEA;AAEA;AAEA;AAGA;AAEIC;AACAC;AACAC;AACF;AAEF;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAGA;AAEI;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGJ;AAEA;;AAGA;AACA;AACA;AAEI;AACA;AACAC;AAEM;AACA;AAAA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAIV;AACE;AAGA;AACA;AACA;AAIF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AAMA;;AAKkB;AAAQ;AAAS;AACzB;AACE;AACF;AACA;AACE;AACEC;AACF;;;AAGF;AACA;AACF;AAOR;AAEA;AAEA;AAGA;AAGA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACQC;AAAM;AACd;;AAIE;AACE;AACAC;AACF;AACEC;AAIF;AACF;;AAEF;AAEA;AAEA;AAGA;AAEA;;;;;;;;;;;;;AAcIC;;;;;;;;;;;;;;;;;;;;;;;;;AAyBAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEC;;AAEEhC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAG;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;;AAEFE;;;AAGEC;AACE;;;;AAIEC;AACA;AACF;AACA;AACF;AACF;AACF;;","debugId":"34b6cb52-062c-403a-b7dc-37ee15fec63a"}
package/dist/shadow-npm-bin.js CHANGED
@@ -9,7 +9,7 @@ var vendor = require('./vendor.js');
9
9
  var constants = require('./constants.js');
10
10
  var utils = require('./utils.js');
11
11
 
12
- async function installLinks(realBinPath, binName) {
12
+ async function installLinks(shadowBinPath, binName) {
13
13
  const isNpx = binName === 'npx';
14
14
  // Find package manager being shadowed by this process.
15
15
  const binPath = isNpx ? utils.getNpxBinPath() : utils.getNpmBinPath();
@@ -24,20 +24,20 @@ async function installLinks(realBinPath, binName) {
24
24
  // Move our bin directory to front of PATH so its found first.
25
25
  if (!shadowed) {
26
26
  if (WIN32) {
27
- await vendor.libExports(path.join(constants.distPath, `${binName}-cli.js`), path.join(realBinPath, binName));
27
+ await vendor.libExports(path.join(constants.distPath, `${binName}-cli.js`), path.join(shadowBinPath, binName));
28
28
  }
29
29
  const {
30
30
  env
31
31
  } = process;
32
- env['PATH'] = `${realBinPath}${path.delimiter}${env['PATH']}`;
32
+ env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
33
33
  }
34
34
  return binPath;
35
35
  }
36
36
 
37
37
  async function shadowBin(binName, args = process.argv.slice(2), options, extra) {
38
38
  const {
39
- apiToken = utils.getPublicApiToken(),
40
39
  env: spawnEnv,
40
+ ipc,
41
41
  ...spawnOpts
42
42
  } = {
43
43
  __proto__: null,
@@ -72,7 +72,8 @@ async function shadowBin(binName, args = process.argv.slice(2), options, extra)
72
72
  } else {
73
73
  stdio = ['pipe', 'pipe', 'pipe', 'ipc'];
74
74
  }
75
- const spawnPromise = spawn.spawn(constants.execPath, [...constants.nodeNoWarningsFlags, ...constants.nodeHardenFlags, ...constants.nodeMemoryFlags, ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.instrumentWithSentryPath] : []), '--require', constants.shadowNpmInjectPath, await installLinks(constants.shadowBinPath, binName), ...(useDebug ? ['--trace-uncaught', '--trace-warnings'] : []), ...(useNodeOptions ? [`--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${utils.cmdFlagsToString(permArgs)}'`] : []),
75
+ const realBinPath = await installLinks(constants.shadowBinPath, binName);
76
+ const spawnPromise = spawn.spawn(constants.execPath, [...constants.nodeNoWarningsFlags, ...constants.nodeDebugFlags, ...constants.nodeHardenFlags, ...constants.nodeMemoryFlags, ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.instrumentWithSentryPath] : []), '--require', constants.shadowNpmInjectPath, realBinPath, ...(useNodeOptions ? [`--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${utils.cmdFlagsToString(permArgs)}'`] : []),
76
77
  // Add '--no-progress' to fix input being swallowed by the npm spinner.
77
78
  '--no-progress',
78
79
  // Add '--loglevel=error' if a loglevel flag is not provided and the
@@ -88,9 +89,10 @@ async function shadowBin(binName, args = process.argv.slice(2), options, extra)
88
89
  }, extra);
89
90
  spawnPromise.process.send({
90
91
  [constants.SOCKET_IPC_HANDSHAKE]: {
91
- [constants.SOCKET_CLI_SHADOW_API_TOKEN]: apiToken,
92
+ [constants.SOCKET_CLI_SHADOW_API_TOKEN]: utils.getPublicApiToken(),
92
93
  [constants.SOCKET_CLI_SHADOW_BIN]: binName,
93
- [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg
94
+ [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,
95
+ ...ipc
94
96
  }
95
97
  });
96
98
  return {
@@ -99,5 +101,5 @@ async function shadowBin(binName, args = process.argv.slice(2), options, extra)
99
101
  }
100
102
 
101
103
  module.exports = shadowBin;
102
- //# debugId=4ed31bad-0401-4b39-aaaf-c19991e5e55b
104
+ //# debugId=1e1c698d-984e-4263-9b61-fbc7a35a257e
103
105
  //# sourceMappingURL=shadow-npm-bin.js.map
package/dist/shadow-npm-bin.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"shadow-npm-bin.js","sources":["../src/shadow/npm/link.mts","../src/shadow/npm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getNpmBinPath,\n getNpxBinPath,\n isNpmBinPathShadowed,\n isNpxBinPathShadowed,\n} from '../../utils/npm-paths.mts'\n\nexport async function installLinks(\n realBinPath: string,\n binName: 'npm' | 'npx',\n): Promise<string> {\n const isNpx = binName === 'npx'\n // Find package manager being shadowed by this process.\n const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n const { WIN32 } = constants\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(realBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${realBinPath}${path.delimiter}${env['PATH']}`\n }\n return binPath\n}\n","import { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n isNpmLoglevelFlag,\n isNpmNodeOptionsFlag,\n isNpmProgressFlag,\n} from '@socketsecurity/registry/lib/npm'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { getPublicApiToken } from '../../utils/sdk.mts'\n\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowBinOptions = SpawnOptions & {\n apiToken?: string | undefined\n}\n\nexport type ShadowBinResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nexport default async function shadowBin(\n binName: 'npm' | 'npx',\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowBinOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n const {\n apiToken = getPublicApiToken(),\n env: spawnEnv,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowBinOptions\n const isShadowNpm = binName === 'npm'\n const terminatorPos = args.indexOf('--')\n const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const binArgs = rawBinArgs.filter(\n a => !isNpmProgressFlag(a) && !isNpmNodeOptionsFlag(a),\n )\n const nodeOptionsArg = rawBinArgs.findLast(isNpmNodeOptionsFlag)\n const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n const permArgs =\n isShadowNpm && constants.SUPPORTS_NODE_PERMISSION_FLAG\n ? [\n '--permission',\n '--allow-child-process',\n // '--allow-addons',\n // '--allow-wasi',\n // Allow all reads because npm walks up directories looking for config\n // and package.json files.\n '--allow-fs-read=*',\n `--allow-fs-write=${process.cwd()}/*`,\n `--allow-fs-write=${constants.npmGlobalPrefix}/*`,\n `--allow-fs-write=${constants.npmCachePath}/*`,\n ]\n : []\n const useDebug = isDebug('stdio')\n const useNodeOptions = nodeOptionsArg || permArgs.length\n const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n // The default value of loglevel is \"notice\". We default to \"error\" which is\n // two levels quieter.\n const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n\n let stdio = getOwn(spawnOpts, 'stdio')\n if (typeof stdio === 'string') {\n stdio = [stdio, stdio, stdio, 'ipc']\n } else if (Array.isArray(stdio)) {\n if (!stdio.includes('ipc')) {\n stdio = stdio.concat('ipc')\n }\n } else {\n stdio = ['pipe', 'pipe', 'pipe', 'ipc']\n }\n\n const spawnPromise = spawn(\n constants.execPath,\n [\n ...constants.nodeNoWarningsFlags,\n ...constants.nodeHardenFlags,\n ...constants.nodeMemoryFlags,\n ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n ? ['--require', constants.instrumentWithSentryPath]\n : []),\n '--require',\n constants.shadowNpmInjectPath,\n await installLinks(constants.shadowBinPath, binName),\n ...(useDebug ? ['--trace-uncaught', '--trace-warnings'] : []),\n ...(useNodeOptions\n ? [\n `--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${cmdFlagsToString(permArgs)}'`,\n ]\n : []),\n // Add '--no-progress' to fix input being swallowed by the npm spinner.\n '--no-progress',\n // Add '--loglevel=error' if a loglevel flag is not provided and the\n // SOCKET_CLI_DEBUG environment variable is not truthy.\n ...logLevelArgs,\n ...binArgs,\n ...otherArgs,\n ],\n {\n ...spawnOpts,\n env: {\n ...process.env,\n ...constants.processEnv,\n ...spawnEnv,\n },\n stdio,\n },\n extra,\n )\n\n spawnPromise.process.send({\n [constants.SOCKET_IPC_HANDSHAKE]: {\n [constants.SOCKET_CLI_SHADOW_API_TOKEN]: apiToken,\n [constants.SOCKET_CLI_SHADOW_BIN]: binName,\n [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,\n },\n })\n\n return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","stdio","spawnPromise"],"mappings":";;;;;;;;;;;AAYO;AAIL;AACA;;;AAEQA;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;ACTe;;;AAQXA;;AAEF;AAAMC;;;AACN;AACA;AACA;AACA;AAGA;;AAEA;;AAMQ;AACA;AACA;AACA;;AAOR;AACA;;AAEA;AACA;;AAGA;AACA;;;AAGE;AACEC;AACF;AACF;;AAEA;;AAoBI;;AAEA;AACA;;AAMA;AACAF;;;;;AAKAE;;AAKJC;;AAEI;AACA;;AAEF;AACF;;AAESA;;AACX;;","debugId":"4ed31bad-0401-4b39-aaaf-c19991e5e55b"}
1
+ {"version":3,"file":"shadow-npm-bin.js","sources":["../src/shadow/npm/link.mts","../src/shadow/npm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getNpmBinPath,\n getNpxBinPath,\n isNpmBinPathShadowed,\n isNpxBinPathShadowed,\n} from '../../utils/npm-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n binName: 'npm' | 'npx',\n): Promise<string> {\n const isNpx = binName === 'npx'\n // Find package manager being shadowed by this process.\n const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n const { WIN32 } = constants\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(shadowBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n return binPath\n}\n","import { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n isNpmLoglevelFlag,\n isNpmNodeOptionsFlag,\n isNpmProgressFlag,\n} from '@socketsecurity/registry/lib/npm'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { getPublicApiToken } from '../../utils/sdk.mts'\n\nimport type { IPC } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowBinOptions = SpawnOptions & {\n ipc?: IPC | undefined\n}\n\nexport type ShadowBinResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nexport default async function shadowBin(\n binName: 'npm' | 'npx',\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowBinOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n const {\n env: spawnEnv,\n ipc,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowBinOptions\n const isShadowNpm = binName === 'npm'\n const terminatorPos = args.indexOf('--')\n const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const binArgs = rawBinArgs.filter(\n a => !isNpmProgressFlag(a) && !isNpmNodeOptionsFlag(a),\n )\n const nodeOptionsArg = rawBinArgs.findLast(isNpmNodeOptionsFlag)\n const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n const permArgs =\n isShadowNpm && constants.SUPPORTS_NODE_PERMISSION_FLAG\n ? [\n '--permission',\n '--allow-child-process',\n // '--allow-addons',\n // '--allow-wasi',\n // Allow all reads because npm walks up directories looking for config\n // and package.json files.\n '--allow-fs-read=*',\n `--allow-fs-write=${process.cwd()}/*`,\n `--allow-fs-write=${constants.npmGlobalPrefix}/*`,\n `--allow-fs-write=${constants.npmCachePath}/*`,\n ]\n : []\n const useDebug = isDebug('stdio')\n const useNodeOptions = nodeOptionsArg || permArgs.length\n const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n // The default value of loglevel is \"notice\". We default to \"error\" which is\n // two levels quieter.\n const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n\n let stdio = getOwn(spawnOpts, 'stdio')\n if (typeof stdio === 'string') {\n stdio = [stdio, stdio, stdio, 'ipc']\n } else if (Array.isArray(stdio)) {\n if (!stdio.includes('ipc')) {\n stdio = stdio.concat('ipc')\n }\n } else {\n stdio = ['pipe', 'pipe', 'pipe', 'ipc']\n }\n\n const realBinPath = await installLinks(constants.shadowBinPath, binName)\n\n const spawnPromise = spawn(\n constants.execPath,\n [\n ...constants.nodeNoWarningsFlags,\n ...constants.nodeDebugFlags,\n ...constants.nodeHardenFlags,\n ...constants.nodeMemoryFlags,\n ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n ? ['--require', constants.instrumentWithSentryPath]\n : []),\n '--require',\n constants.shadowNpmInjectPath,\n realBinPath,\n ...(useNodeOptions\n ? [\n `--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${cmdFlagsToString(permArgs)}'`,\n ]\n : []),\n // Add '--no-progress' to fix input being swallowed by the npm spinner.\n '--no-progress',\n // Add '--loglevel=error' if a loglevel flag is not provided and the\n // SOCKET_CLI_DEBUG environment variable is not truthy.\n ...logLevelArgs,\n ...binArgs,\n ...otherArgs,\n ],\n {\n ...spawnOpts,\n env: {\n ...process.env,\n ...constants.processEnv,\n ...spawnEnv,\n },\n stdio,\n },\n extra,\n )\n\n spawnPromise.process.send({\n [constants.SOCKET_IPC_HANDSHAKE]: {\n [constants.SOCKET_CLI_SHADOW_API_TOKEN]: getPublicApiToken(),\n [constants.SOCKET_CLI_SHADOW_BIN]: binName,\n [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,\n ...ipc,\n },\n })\n\n return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","stdio","spawnPromise"],"mappings":";;;;;;;;;;;AAYO;AAIL;AACA;;;AAEQA;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;ACRe;;AAOXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;AACA;AAGA;;AAEA;;AAMQ;AACA;AACA;AACA;;AAOR;AACA;;AAEA;AACA;;AAGA;AACA;;;AAGE;AACEC;AACF;AACF;;AAEA;;AAIA;AAkBI;;AAEA;AACA;;AAMA;AACAF;;;;;AAKAE;;AAKJC;;AAEI;AACA;AACA;;AAEF;AACF;;AAESA;;AACX;;","debugId":"1e1c698d-984e-4263-9b61-fbc7a35a257e"}