@socketsecurity/cli-with-sentry 1.0.69 → 1.0.71

package/dist/cli.js

@@ -3002,6 +3002,83 @@ const cmdConfig = {
   }
 };
 
+async function coanaFix(fixConfig) {
+  const {
+    ghsas
+  } = fixConfig;
+  if (!ghsas.length) {
+    return {
+      ok: true,
+      data: {
+        fixed: false
+      }
+    };
+  }
+  const {
+    cwd,
+    orgSlug,
+    spinner
+  } = fixConfig;
+  spinner?.start();
+  const sockSdkCResult = await utils.setupSdk();
+  let lastCResult = sockSdkCResult;
+  const sockSdk = sockSdkCResult.ok ? sockSdkCResult.data : undefined;
+  const supportedFilesCResult = sockSdk ? await fetchSupportedScanFileNames() : undefined;
+  if (supportedFilesCResult) {
+    lastCResult = supportedFilesCResult;
+  }
+  const supportedFiles = supportedFilesCResult?.ok ? supportedFilesCResult.data : undefined;
+  const packagePaths = supportedFiles ? await utils.getPackageFilesForScan(['.'], supportedFiles, {
+    cwd
+  }) : [];
+  const uploadCResult = sockSdk ? await utils.handleApiCall(sockSdk?.uploadManifestFiles(orgSlug, packagePaths), {
+    desc: 'upload manifests'
+  }) : undefined;
+  if (uploadCResult) {
+    lastCResult = uploadCResult;
+  }
+  const tarHash = uploadCResult?.ok ? uploadCResult.data.tarHash : '';
+  if (!tarHash) {
+    spinner?.stop();
+    return lastCResult;
+  }
+  const spawnOptions = {
+    cwd,
+    spinner,
+    env: {
+      SOCKET_ORG_SLUG: orgSlug
+    }
+  };
+  let ids = ghsas;
+  if (ids.length === 1 && ids[0] === 'auto') {
+    debug.debugFn('notice', 'resolve: GitHub security alerts.');
+    const foundIdsCResult = tarHash ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash], spawnOptions) : undefined;
+    if (foundIdsCResult) {
+      lastCResult = foundIdsCResult;
+    }
+    if (foundIdsCResult?.ok) {
+      ids = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found: )[^\n]+/.exec(foundIdsCResult.data)?.[0]);
+      debug.debugDir('inspect', {
+        GitHubSecurityAlerts: ids
+      });
+    }
+  }
+  const fixCResult = ids.length ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...fixConfig.unknownFlags], spawnOptions) : undefined;
+  if (fixCResult) {
+    lastCResult = fixCResult;
+  }
+  spinner?.stop();
+  debug.debugDir('inspect', {
+    lastCResult
+  });
+  return lastCResult.ok ? {
+    ok: true,
+    data: {
+      fixed: true
+    }
+  } : lastCResult;
+}
+
 function formatBranchName(name) {
   return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
 }
@@ -3775,11 +3852,13 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       // Skip to next package.
       continue infoEntriesLoop;
     }
+    debug.debugDir('inspect', {
+      infos
+    });
     const availableVersions = Object.keys(packument.versions);
     const prs = getPrsForPurl(fixEnv, infoEntry[0]);
-    const vulnVersions = new Set();
     const warningsForAfter = new Set();
-
+    let changed = false;
     // eslint-disable-next-line no-unused-labels
     for (let j = 0, {
         length: length_j
@@ -3852,7 +3931,6 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
           });
           const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
           if (!(newVersion && newVersionPackument)) {
-            vulnVersions.add(oldVersion);
             warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
@@ -3916,13 +3994,12 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             }
             continue infosLoop;
           }
+          spinner?.start();
           if (!hasAnnouncedWorkspace) {
             hasAnnouncedWorkspace = true;
             workspaceLogCallCount = logger.logger.logCallCount;
           }
-          vulnVersions.add(oldVersion);
           const newId = `${name}@${utils.applyRange(refRange, newVersion, rangeStyle)}`;
-          spinner?.start();
           spinner?.info(`Installing ${newId} in ${workspace}.`);
           let error;
           let errored = false;
@@ -4084,6 +4161,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               message: 'Update failed',
               cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
             };
+          } else {
+            changed = true;
           }
           debug.debugFn('notice', 'increment: count', count + 1);
           if (++count >= limit) {
@@ -4100,7 +4179,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
     for (const warningText of warningsForAfter) {
       logger.logger.warn(warningText);
     }
-    if (!warningsForAfter.size && !vulnVersions.size) {
+    if (!changed && !warningsForAfter.size) {
       logger.logger.info('No vulnerable versions found.');
     }
     if (!isLastInfoEntry) {
@@ -4146,7 +4225,33 @@ async function install$1(pkgEnvDetails, options) {
     ...options
   };
   const useDebug = debug.isDebug('stdio');
-  const args = ['--ignore-scripts', '--no-audit', '--no-fund', '--no-progress', ...(useDebug ? [] : ['--silent']), ...(extraArgs ?? [])];
+  const args = [
+  // If "true", npm does not run scripts specified in package.json files.
+  // Note that commands explicitly intended to run a particular script, such
+  // as `npm start`, `npm stop`, `npm restart`, `npm test`, and `npm run` will
+  // still run their intended script if `ignore-scripts` is set, but they will
+  // not run any pre- or post-scripts.
+  // https://docs.npmjs.com/cli/v11/commands/npm-install#ignore-scripts
+  '--ignore-scripts',
+  // When "true" submit audit reports alongside the current npm command to the
+  // default registry and all registries configured for scopes. See the
+  // documentation for `npm audit` for details on what is submitted.
+  // https://docs.npmjs.com/cli/v11/commands/npm-install#audit
+  '--no-audit',
+  // When "true" displays the message at the end of each `npm install` acknowledging
+  // the number of dependencies looking for funding. See `npm fund` for details.
+  // https://docs.npmjs.com/cli/v11/commands/npm-install#fund
+  '--no-fund',
+  // When set to "true", npm will display a progress bar during time intensive
+  // operations, if `process.stderr` is a TTY. Set to "false" to suppress the
+  // progress bar.
+  // https://docs.npmjs.com/cli/v8/using-npm/config#progress
+  '--no-progress',
+  // What level of logs to report. All logs are written to a debug log, with
+  // the path to that file printed if the execution of a command fails. The
+  // default is "notice".
+  // https://docs.npmjs.com/cli/v8/using-npm/config#loglevel
+  ...(useDebug ? [] : ['--silent']), ...(extraArgs ?? [])];
   const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
   debug.debugFn('stdio', `spawn: ${quotedCmd}`);
   const isSpinning = spinner?.isSpinning;
@@ -4293,6 +4398,9 @@ async function install(pkgEnvDetails, options) {
     ...options
   };
   const args = [
+  // Do not execute any scripts defined in the project package.json and its dependencies.
+  // https://pnpm.io/9.x/cli/install#--ignore-scripts
+  '--ignore-scripts',
   // Enable pnpm updates to pnpm-lock.yaml in CI environments.
   // https://pnpm.io/cli/install#--frozen-lockfile
   '--no-frozen-lockfile',
@@ -4341,9 +4449,7 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
   } = fixConfig;
   spinner?.start();
   let actualTree;
-  let {
-    lockSrc
-  } = pkgEnvDetails;
+  let lockSrc = pkgEnvDetails.lockSrc;
   let lockfile = utils.parsePnpmLockfile(lockSrc);
   // Update pnpm-lock.yaml if its version is older than what the installed pnpm
   // produces.
@@ -4353,10 +4459,9 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
       cwd,
       spinner
     });
-    const maybeLockSrc = maybeActualTree ? await utils.readLockfile(pkgEnvDetails.lockPath) : null;
-    if (maybeActualTree && maybeLockSrc) {
+    lockSrc = maybeActualTree ? await utils.readLockfile(pkgEnvDetails.lockPath) : null;
+    if (lockSrc && maybeActualTree) {
       actualTree = maybeActualTree;
-      lockSrc = maybeLockSrc;
       lockfile = utils.parsePnpmLockfile(lockSrc);
     } else {
       lockfile = null;
@@ -4390,16 +4495,17 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
   }
   let revertData;
   let revertOverrides;
-  let revertOverridesSrc;
+  let revertOverridesSrc = '';
   return await agentFix(pkgEnvDetails, actualTree, alertsMap, install, {
     async beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, options) {
-      const isWorkspaceRoot = editablePkgJson.path === pkgEnvDetails.editablePkgJson.filename;
+      const isWorkspaceRoot = editablePkgJson.filename === pkgEnvDetails.editablePkgJson.filename;
       // Get current overrides for revert logic.
       const {
         overrides: oldOverrides
       } = getOverridesDataPnpm(pkgEnvDetails, editablePkgJson.content);
       const oldPnpmSection = editablePkgJson.content[PNPM$6];
       const overrideKey = `${packument.name}@${vulnerableVersionRange}`;
+      lockSrc = await utils.readLockfile(pkgEnvDetails.lockPath);
       revertOverrides = undefined;
       revertOverridesSrc = utils.extractOverridesFromPnpmLockSrc(lockSrc);
       if (isWorkspaceRoot) {
@@ -4452,8 +4558,9 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
       await editablePkgJson.save({
         ignoreWhitespace: true
       });
+      lockSrc = await utils.readLockfile(pkgEnvDetails.lockPath);
       const updatedOverridesContent = utils.extractOverridesFromPnpmLockSrc(lockSrc);
-      if (updatedOverridesContent && revertOverridesSrc) {
+      if (updatedOverridesContent) {
         lockSrc = lockSrc.replace(updatedOverridesContent, revertOverridesSrc);
         await fs$1.promises.writeFile(pkgEnvDetails.lockPath, lockSrc, 'utf8');
       }
@@ -4482,70 +4589,14 @@ async function handleFix({
   testScript,
   unknownFlags
 }) {
-  if (ghsas.length === 1 && ghsas[0] === 'auto') {
-    let lastCResult;
-    const sockSdkCResult = await utils.setupSdk();
-    lastCResult = sockSdkCResult;
-    const sockSdk = sockSdkCResult.ok ? sockSdkCResult.data : undefined;
-    const supportedFilesCResult = sockSdk ? await fetchSupportedScanFileNames() : undefined;
-    if (supportedFilesCResult) {
-      lastCResult = supportedFilesCResult;
-    }
-    const supportedFiles = supportedFilesCResult?.ok ? supportedFilesCResult.data : undefined;
-    const packagePaths = supportedFiles ? await utils.getPackageFilesForScan(['.'], supportedFiles, {
-      cwd
-    }) : [];
-    const uploadCResult = sockSdk ? await utils.handleApiCall(sockSdk?.uploadManifestFiles(orgSlug, packagePaths), {
-      desc: 'upload manifests'
-    }) : undefined;
-    if (uploadCResult) {
-      lastCResult = uploadCResult;
-    }
-    const tarHash = uploadCResult?.ok ? uploadCResult.data.tarHash : '';
-    const idsOutputCResult = tarHash ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash], {
-      cwd,
-      spinner,
-      env: {
-        SOCKET_ORG_SLUG: orgSlug
-      }
-    }) : undefined;
-    if (idsOutputCResult) {
-      lastCResult = idsOutputCResult;
-    }
-    const idsOutput = idsOutputCResult?.ok ? idsOutputCResult.data : '';
-    const ids = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found: )[^\n]+/.exec(idsOutput)?.[0]);
-    const fixCResult = ids.length ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...unknownFlags], {
+  if (ghsas.length) {
+    await outputFixResult(await coanaFix({
       cwd,
+      ghsas,
+      orgSlug,
       spinner,
-      env: {
-        SOCKET_ORG_SLUG: orgSlug
-      }
-    }) : undefined;
-    if (fixCResult) {
-      lastCResult = fixCResult;
-    }
-    // const fixCResult = await spawnCoana(
-    //   [
-    //     cwd,
-    //     '--socket-mode',
-    //     DOT_SOCKET_DOT_FACTS_JSON,
-    //     '--manifests-tar-hash',
-    //     tarHash,
-    //     ...unknownFlags,
-    //   ],
-    //   { cwd, spinner, env: { SOCKET_ORG_SLUG: orgSlug } },
-    // )
-    debug.debugDir('inspect', {
-      lastCResult
-    });
-    if (!lastCResult.ok) {
-      await outputFixResult(lastCResult, outputKind);
-      return;
-    }
-    await outputFixResult({
-      ok: true,
-      data: ''
-    }, outputKind);
+      unknownFlags
+    }), outputKind);
     return;
   }
   const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
@@ -4590,14 +4641,17 @@ async function handleFix({
   await outputFixResult(await fixer(pkgEnvDetails, {
     autoMerge,
     cwd,
+    ghsas,
     limit,
     minSatisfying,
+    orgSlug,
     prCheck,
     purls,
     rangeStyle,
     spinner,
     test,
-    testScript
+    testScript,
+    unknownFlags
   }), outputKind);
 }
 
@@ -4709,16 +4763,29 @@ async function run$H(argv, importMeta, {
     importMeta,
     parentName
   });
-  const {
-    autopilot,
-    json,
-    markdown
-  } = cli.flags;
-  const outputKind = utils.getOutputKind(json, markdown);
+  const outputKind = utils.getOutputKind(cli.flags['json'], cli.flags['markdown']);
   let rangeStyle = cli.flags['rangeStyle'];
   if (!rangeStyle) {
     rangeStyle = 'preserve';
   }
+  const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
+  const purls = [];
+  for (const purl of rawPurls) {
+    let version;
+    try {
+      version = vendor.packageurlJsExports$1.PackageURL.fromString(purl)?.version;
+    } catch {}
+    if (version) {
+      purls.push(purl);
+    } else {
+      logger.logger.warn(`--purl ${purl} is missing a version and will be ignored.`);
+    }
+  }
+  if (rawPurls.length !== purls.length && !purls.length) {
+    process.exitCode = 1;
+    logger.logger.fail('No valid --purl values provided.');
+    return;
+  }
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
     message: `Expecting range style of ${arrays.joinOr(utils.RangeStyles)}`,
@@ -4732,49 +4799,31 @@ async function run$H(argv, importMeta, {
     logger.logger.log(DRY_RUN_NOT_SAVING);
     return;
   }
-
-  // Lazily access constants.spinner.
-  const {
-    spinner
-  } = constants;
-  const {
-    unknownFlags
-  } = cli;
+  const orgSlugCResult = await utils.getDefaultOrgSlug();
+  if (!orgSlugCResult.ok) {
+    process.exitCode = orgSlugCResult.code ?? 1;
+    logger.logger.fail('Unable to resolve a Socket account organization.\nEnsure a Socket API token is specified for the organization using the SOCKET_CLI_API_TOKEN environment variable.');
+    return;
+  }
+  const orgSlug = orgSlugCResult.data;
   let [cwd = '.'] = cli.input;
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   let autoMerge = Boolean(cli.flags['autoMerge']);
   let test = Boolean(cli.flags['test']);
-  if (autopilot) {
+  if (cli.flags['autopilot']) {
     autoMerge = true;
     test = true;
   }
-  const orgSlugCResult = await utils.getDefaultOrgSlug();
-  if (!orgSlugCResult.ok) {
-    process.exitCode = orgSlugCResult.code ?? 1;
-    logger.logger.fail('Unable to resolve a Socket account organization.\nEnsure a Socket API token is specified for the organization using the SOCKET_CLI_API_TOKEN environment variable.');
-    return;
-  }
-  const orgSlug = orgSlugCResult.data;
-  const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
-  const purls = [];
-  for (const purl of rawPurls) {
-    let version;
-    try {
-      version = vendor.packageurlJsExports$1.PackageURL.fromString(purl)?.version;
-    } catch {}
-    if (version) {
-      purls.push(purl);
-    } else {
-      logger.logger.warn(`--purl ${purl} is missing a version and will be ignored.`);
-    }
-  }
-  if (rawPurls.length !== purls.length && !purls.length) {
-    process.exitCode = 1;
-    logger.logger.fail('No valid --purl values provided.');
-    return;
-  }
+
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  // We patched in this feature with `npx custompatch meow` at
+  // socket-cli/patches/meow#13.2.0.patch.
+  const unknownFlags = cli.unknownFlags ?? [];
   const ghsas = utils.cmdFlagValueToArray(cli.flags['ghsa']);
   const limit = (cli.flags['limit'] ? parseInt(String(cli.flags['limit'] || ''), 10) : Infinity) || Infinity;
   const maxSatisfying = Boolean(cli.flags['maxSatisfying']);
@@ -14545,5 +14594,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=515ed3c2-cd4e-41ad-a7f6-57b0b6683173
+//# debugId=6e0fd7c6-a2c8-49d0-90ec-61ff85e89df9
 //# sourceMappingURL=cli.js.map