npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.0.76 → 1.0.77 - Mend

@socketsecurity/cli-with-sentry 1.0.76 → 1.0.77

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/constants.js +3 -3
package/dist/constants.js.map +1 -1
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/utils/glob.d.mts +1 -1
package/dist/types/utils/glob.d.mts.map +1 -1
package/dist/utils.js +18 -15
package/dist/utils.js.map +1 -1
package/dist/vendor.js +3741 -3922
package/external/@socketsecurity/registry/external/fast-glob.js +7994 -0
package/external/@socketsecurity/registry/external/streaming-iterables.js +326 -0
package/external/@socketsecurity/registry/lib/globs.js +9 -10
package/external/@socketsecurity/registry/lib/streams.js +37 -0
package/package.json +6 -6
package/external/@socketsecurity/registry/external/tinyglobby.js +0 -3888

package/dist/utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"utils.js","sources":["../src/utils/glob.mts","../src/utils/fs.mts","../src/utils/config.mts","../src/utils/errors.mts","../src/utils/fail-msg-with-badge.mts","../src/utils/sdk.mts","../src/utils/api.mts","../src/utils/markdown.mts","../src/utils/serialize-result-json.mts","../src/utils/check-input.mts","../src/utils/get-output-kind.mts","../src/utils/output-formatting.mts","../src/utils/tildify.mts","../src/utils/meow-with-subcommands.mts","../src/utils/ms-at-home.mts","../src/commands/organization/fetch-organization-list.mts","../src/commands/scan/suggest-org-slug.mts","../src/commands/scan/suggest-to-persist-orgslug.mts","../src/utils/determine-org-slug.mts","../src/commands/ci/fetch-default-org-slug.mts","../src/utils/git.mts","../src/utils/purl.mts","../src/utils/socket-url.mts","../src/utils/map-to-object.mts","../src/utils/walk-nested-map.mts","../src/utils/path-resolve.mts","../src/utils/socketjson.mts","../src/utils/cmd.mts","../src/utils/coana.mts","../src/utils/npm-paths.mts","../src/utils/alert/artifact.mts","../src/utils/objects.mts","../src/utils/alert/fix.mts","../src/utils/alert/severity.mts","../src/utils/color-or-markdown.mts","../src/utils/semver.mts","../src/utils/translations.mts","../src/utils/socket-package-alert.mts","../src/utils/spec.mts","../src/utils/pnpm.mts","../src/utils/alerts-map.mts","../src/utils/npm-package-arg.mts","../src/shadow/npm/install.mts","../src/utils/agent.mts","../src/utils/npm-config.mts","../src/utils/lockfile.mts","../src/utils/package-environment.mts","../src/utils/completion.mts"],"sourcesContent":["import path from 'node:path'\n\nimport ignore from 'ignore'\nimport micromatch from 'micromatch'\nimport { glob as tinyGlob } from 'tinyglobby'\nimport { parse as yamlParse } from 'yaml'\n\nimport { readPackageJson } from '@socketsecurity/registry/lib/packages'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport { safeReadFile } from './fs.mts'\n\nimport type { Agent } from './package-environment.mts'\nimport type { SocketYml } from '@socketsecurity/config'\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\nimport type { GlobOptions } from 'tinyglobby'\n\nconst ignoredDirs = [\n // Taken from ignore-by-default:\n // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js\n '.git', // Git repository files, see <https://git-scm.com/>\n '.log', // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>\n '.nyc_output', // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>\n '.sass-cache', // Cache folder for node-sass, see <https://github.com/sass/node-sass>\n '.yarn', // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>\n 'bower_components', // Where Bower packages are installed, see <http://bower.io/>\n 'coverage', // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>\n 'node_modules', // Where Node modules are installed, see <https://nodejs.org/>\n // Taken from globby:\n // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16\n 'flow-typed',\n] as const\n\nconst ignoredDirPatterns = ignoredDirs.map(i => `*/${i}`)\n\nasync function getWorkspaceGlobs(\n agent: Agent,\n cwd = process.cwd(),\n): Promise<string[]> {\n let workspacePatterns\n if (agent === 'pnpm') {\n for (const workspacePath of [\n path.join(cwd, 'pnpm-workspace.yaml'),\n path.join(cwd, 'pnpm-workspace.yml'),\n ]) {\n // eslint-disable-next-line no-await-in-loop\n const yml = await safeReadFile(workspacePath)\n if (yml) {\n try {\n workspacePatterns = yamlParse(yml)?.packages\n } catch {}\n if (workspacePatterns) {\n break\n }\n }\n }\n } else {\n workspacePatterns = (await readPackageJson(cwd, { throws: false }))?.[\n 'workspaces'\n ]\n }\n return Array.isArray(workspacePatterns)\n ? workspacePatterns\n .filter(isNonEmptyString)\n .map(workspacePatternToGlobPattern)\n : []\n}\n\nfunction ignoreFileLinesToGlobPatterns(\n lines: string[] \| readonly string[],\n filepath: string,\n cwd: string,\n): string[] {\n const base = path.relative(cwd, path.dirname(filepath)).replace(/\\\\/g, '/')\n const patterns = []\n for (let i = 0, { length } = lines; i < length; i += 1) {\n const pattern = lines[i]!.trim()\n if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /'#'/) {\n patterns.push(\n ignorePatternToMinimatch(\n pattern.length && pattern.charCodeAt(0) === 33 /'!'/\n ? `!${path.posix.join(base, pattern.slice(1))}`\n : path.posix.join(base, pattern),\n ),\n )\n }\n }\n return patterns\n}\n\nfunction ignoreFileToGlobPatterns(\n content: string,\n filepath: string,\n cwd: string,\n): string[] {\n return ignoreFileLinesToGlobPatterns(content.split(/\\r?\\n/), filepath, cwd)\n}\n\n// Based on `@eslint/compat` convertIgnorePatternToMinimatch.\n// Apache v2.0 licensed\n// Copyright Nicholas C. Zakas\n// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28\nfunction ignorePatternToMinimatch(pattern: string): string {\n const isNegated = pattern.startsWith('!')\n const negatedPrefix = isNegated ? '!' : ''\n const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()\n // Special cases.\n if (\n patternToTest === '' \|\|\n patternToTest === '' \|\|\n patternToTest === '/' \|\|\n patternToTest === ''\n ) {\n return `${negatedPrefix}${patternToTest}`\n }\n const firstIndexOfSlash = patternToTest.indexOf('/')\n const matchEverywherePrefix =\n firstIndexOfSlash === -1 \|\| firstIndexOfSlash === patternToTest.length - 1\n ? '/'\n : ''\n const patternWithoutLeadingSlash =\n firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest\n // Escape `{` and `(` because in gitignore patterns they are just\n // literal characters without any specific syntactic meaning,\n // while in minimatch patterns they can form brace expansion or extglob syntax.\n //\n // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.\n // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.\n // Minimatch pattern `src/\\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.\n const escapedPatternWithoutLeadingSlash =\n patternWithoutLeadingSlash.replaceAll(\n /(?=((?:\\\\.\|[^{(])))\\1([{(])/guy,\n '$1\\\\$2',\n )\n const matchInsideSuffix = patternToTest.endsWith('/*') ? '/' : ''\n return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`\n}\n\nfunction workspacePatternToGlobPattern(workspace: string): string {\n const { length } = workspace\n if (!length) {\n return ''\n }\n // If the workspace ends with \"/\"\n if (workspace.charCodeAt(length - 1) === 47 /'/'/) {\n return `${workspace}//package.json`\n }\n // If the workspace ends with \"/\"\n if (\n workspace.charCodeAt(length - 1) === 42 /''/ &&\n workspace.charCodeAt(length - 2) === 42 /''/ &&\n workspace.charCodeAt(length - 3) === 47 /'/'/\n ) {\n return `${workspace}//*/package.json`\n }\n // Things like \"packages/a\" or \"packages/\"\n return `${workspace}/package.json`\n}\n\nexport function filterBySupportedScanFiles(\n filepaths: string[] \| readonly string[],\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n): string[] {\n const patterns = getSupportedFilePatterns(supportedFiles)\n return filepaths.filter(p => micromatch.some(p, patterns))\n}\n\nexport function getSupportedFilePatterns(\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n): string[] {\n const patterns: string[] = []\n for (const key of Object.keys(supportedFiles)) {\n const supported = supportedFiles[key]\n if (supported) {\n patterns.push(...Object.values(supported).map(p => `/${p.pattern}`))\n }\n }\n return patterns\n}\n\ntype GlobWithGitIgnoreOptions = GlobOptions & {\n socketConfig?: SocketYml \| undefined\n}\n\nexport async function globWithGitIgnore(\n patterns: string[] \| readonly string[],\n options: GlobWithGitIgnoreOptions,\n) {\n const {\n cwd = process.cwd(),\n socketConfig,\n ...additionalOptions\n } = { __proto__: null, ...options } as GlobWithGitIgnoreOptions\n\n const ignoreFiles = await tinyGlob(['/.gitignore'], {\n absolute: true,\n cwd,\n expandDirectories: true,\n })\n const projectIgnorePaths = socketConfig?.projectIgnorePaths\n const ignores = [\n ...ignoredDirPatterns,\n ...(Array.isArray(projectIgnorePaths)\n ? ignoreFileLinesToGlobPatterns(\n projectIgnorePaths,\n path.join(cwd, '.gitignore'),\n cwd,\n )\n : []),\n ...(\n await Promise.all(\n ignoreFiles.map(async filepath =>\n ignoreFileToGlobPatterns(\n (await safeReadFile(filepath)) ?? '',\n filepath,\n cwd,\n ),\n ),\n )\n ).flat(),\n ]\n const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /'!'/)\n const globOptions = {\n __proto__: null,\n absolute: true,\n cwd,\n dot: true,\n expandDirectories: false,\n ignore: hasNegatedPattern ? [] : ignores,\n ...additionalOptions,\n }\n\n const result = await tinyGlob(patterns as string[], globOptions)\n if (!hasNegatedPattern) {\n return result\n }\n\n // Note: the input files must be INSIDE the cwd. If you get strange looking\n // relative path errors here, most likely your path is outside the given cwd.\n const filtered = ignore()\n .add(ignores)\n .filter(\n globOptions.absolute ? result.map(p => path.relative(cwd, p)) : result,\n )\n\n return globOptions.absolute\n ? filtered.map(p => path.resolve(cwd, p))\n : filtered\n}\n\nexport async function globNodeModules(cwd = process.cwd()): Promise<string[]> {\n return await tinyGlob('/node_modules', {\n absolute: true,\n cwd,\n expandDirectories: false,\n onlyDirectories: true,\n })\n}\n\nexport async function globWorkspace(\n agent: Agent,\n cwd = process.cwd(),\n): Promise<string[]> {\n const workspaceGlobs = await getWorkspaceGlobs(agent, cwd)\n return workspaceGlobs.length\n ? await tinyGlob(workspaceGlobs, {\n absolute: true,\n cwd,\n ignore: ['/node_modules/', '/bower_components/'],\n })\n : []\n}\n\nexport function isReportSupportedFile(\n filepath: string,\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n) {\n const patterns = getSupportedFilePatterns(supportedFiles)\n return micromatch.some(filepath, patterns)\n}\n\nexport function pathsToGlobPatterns(\n paths: string[] \| readonly string[],\n): string[] {\n // TODO: Does not support `~/` paths.\n return paths.map(p => (p === '.' \|\| p === './' ? '/' : p))\n}\n","import { promises as fs, readFileSync, statSync } from 'node:fs'\nimport path from 'node:path'\n\nimport { remove } from '@socketsecurity/registry/lib/fs'\nimport { pEach } from '@socketsecurity/registry/lib/promises'\n\nimport constants from '../constants.mts'\nimport { globNodeModules } from './glob.mts'\n\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { Abortable } from 'node:events'\nimport type {\n BigIntStats,\n ObjectEncodingOptions,\n OpenMode,\n PathLike,\n PathOrFileDescriptor,\n StatSyncOptions,\n Stats,\n} from 'node:fs'\nimport type { FileHandle } from 'node:fs/promises'\n\nexport async function removeNodeModules(cwd = process.cwd()) {\n const nodeModulesPaths = await globNodeModules(cwd)\n await pEach(\n nodeModulesPaths,\n 3,\n p => remove(p, { force: true, recursive: true }),\n { retries: 3 },\n )\n}\n\nexport type FindUpOptions = {\n cwd?: string \| undefined\n signal?: AbortSignal \| undefined\n}\n\nexport async function findUp(\n name: string \| string[],\n {\n cwd = process.cwd(),\n // Lazily access constants.abortSignal.\n signal = constants.abortSignal,\n }: FindUpOptions,\n): Promise<string \| undefined> {\n let dir = path.resolve(cwd)\n const { root } = path.parse(dir)\n const names = [name].flat()\n while (dir && dir !== root) {\n for (const name of names) {\n if (signal?.aborted) {\n return undefined\n }\n const filePath = path.join(dir, name)\n try {\n // eslint-disable-next-line no-await-in-loop\n const stats = await fs.stat(filePath)\n if (stats.isFile()) {\n return filePath\n }\n } catch {}\n }\n dir = path.dirname(dir)\n }\n return undefined\n}\n\nexport type ReadFileOptions = Remap<\n ObjectEncodingOptions &\n Abortable & {\n flag?: OpenMode \| undefined\n }\n>\n\nexport async function readFileBinary(\n filepath: PathLike \| FileHandle,\n options?: ReadFileOptions \| undefined,\n): Promise<Buffer> {\n return (await fs.readFile(filepath, {\n // Lazily access constants.abortSignal.\n signal: constants.abortSignal,\n ...options,\n encoding: 'binary',\n } as ReadFileOptions)) as Buffer\n}\n\nexport async function readFileUtf8(\n filepath: PathLike \| FileHandle,\n options?: ReadFileOptions \| undefined,\n): Promise<string> {\n return await fs.readFile(filepath, {\n // Lazily access constants.abortSignal.\n signal: constants.abortSignal,\n ...options,\n encoding: 'utf8',\n })\n}\n\nexport async function safeReadFile(\n filepath: PathLike \| FileHandle,\n options?: 'utf8' \| 'utf-8' \| { encoding: 'utf8' \| 'utf-8' } \| undefined,\n): Promise<string \| undefined>\n\nexport async function safeReadFile(\n filepath: PathLike \| FileHandle,\n options?: ReadFileOptions \| NodeJS.BufferEncoding \| undefined,\n): Promise<Awaited<ReturnType<typeof fs.readFile>> \| undefined> {\n try {\n return await fs.readFile(filepath, {\n encoding: 'utf8',\n // Lazily access constants.abortSignal.\n signal: constants.abortSignal,\n ...(typeof options === 'string' ? { encoding: options } : options),\n })\n } catch {}\n return undefined\n}\n\nexport function safeReadFileSync(\n filepath: PathOrFileDescriptor,\n options?: 'utf8' \| 'utf-8' \| { encoding: 'utf8' \| 'utf-8' } \| undefined,\n): string \| undefined\n\nexport function safeReadFileSync(\n filepath: PathOrFileDescriptor,\n options?:\n \| {\n encoding?: NodeJS.BufferEncoding \| undefined\n flag?: string \| undefined\n }\n \| NodeJS.BufferEncoding\n \| undefined,\n): ReturnType<typeof readFileSync> \| undefined {\n try {\n return readFileSync(filepath, {\n encoding: 'utf8',\n ...(typeof options === 'string' ? { encoding: options } : options),\n })\n } catch {}\n return undefined\n}\n\nexport function safeStatsSync(\n filepath: PathLike,\n options?: undefined,\n): Stats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options?: StatSyncOptions & {\n bigint?: false \| undefined\n },\n): Stats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options: StatSyncOptions & {\n bigint: true\n },\n): BigIntStats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options: StatSyncOptions & {\n bigint: boolean\n },\n): Stats \| BigIntStats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options?: StatSyncOptions,\n): Stats \| BigIntStats \| undefined {\n try {\n return statSync(filepath, { throwIfNoEntry: false, ...options })\n } catch {}\n return undefined\n}\n","import { mkdirSync, writeFileSync } from 'node:fs'\nimport path from 'node:path'\n\nimport config from '@socketsecurity/config'\nimport { debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport constants from '../constants.mts'\nimport { safeReadFileSync } from './fs.mts'\n\nimport type { CResult } from '../types.mts'\n\nexport interface LocalConfig {\n apiBaseUrl?: string \| null \| undefined\n // @deprecated ; use apiToken. when loading a config, if this prop exists it\n // is deleted and set to apiToken instead, and then persisted.\n // should only happen once for legacy users.\n apiKey?: string \| null \| undefined\n apiProxy?: string \| null \| undefined\n apiToken?: string \| null \| undefined\n defaultOrg?: string\n enforcedOrgs?: string[] \| readonly string[] \| null \| undefined\n skipAskToPersistDefaultOrg?: boolean\n org?: string // convenience alias for defaultOrg\n}\n\nconst sensitiveConfigKeyLookup: Set<keyof LocalConfig> = new Set(['apiToken'])\n\nconst supportedConfig: Map<keyof LocalConfig, string> = new Map([\n ['apiBaseUrl', 'Base URL of the API endpoint'],\n ['apiProxy', 'A proxy through which to access the API'],\n ['apiToken', 'The API token required to access most API endpoints'],\n [\n 'defaultOrg',\n 'The default org slug to use; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.',\n ],\n [\n 'enforcedOrgs',\n 'Orgs in this list have their security policies enforced on this machine',\n ],\n [\n 'skipAskToPersistDefaultOrg',\n 'This flag prevents the CLI from asking you to persist the org slug when you selected one interactively',\n ],\n ['org', 'Alias for defaultOrg'],\n])\n\nconst supportedConfigEntries = [...supportedConfig.entries()].sort((a, b) =>\n naturalCompare(a[0], b[0]),\n)\nconst supportedConfigKeys = supportedConfigEntries.map(p => p[0])\n\nfunction getConfigValues(): LocalConfig {\n if (_cachedConfig === undefined) {\n // Order: env var > --config flag > file\n _cachedConfig = {} as LocalConfig\n // Lazily access constants.socketAppDataPath.\n const { socketAppDataPath } = constants\n if (socketAppDataPath) {\n const raw = safeReadFileSync(socketAppDataPath)\n if (raw) {\n try {\n Object.assign(\n _cachedConfig,\n JSON.parse(Buffer.from(raw, 'base64').toString()),\n )\n } catch {\n logger.warn(`Failed to parse config at ${socketAppDataPath}`)\n }\n // Normalize apiKey to apiToken and persist it.\n // This is a one time migration per user.\n if (_cachedConfig['apiKey']) {\n const token = _cachedConfig['apiKey']\n delete _cachedConfig['apiKey']\n updateConfigValue('apiToken', token)\n }\n } else {\n mkdirSync(path.dirname(socketAppDataPath), { recursive: true })\n }\n }\n }\n return _cachedConfig\n}\n\nfunction normalizeConfigKey(\n key: keyof LocalConfig,\n): CResult<keyof LocalConfig> {\n // Note: apiKey was the old name of the token. When we load a config with\n // property apiKey, we'll copy that to apiToken and delete the old property.\n // We added `org` as a convenience alias for `defaultOrg`\n const normalizedKey =\n key === 'apiKey' ? 'apiToken' : key === 'org' ? 'defaultOrg' : key\n if (!isSupportedConfigKey(normalizedKey)) {\n return {\n ok: false,\n message: `Invalid config key: ${normalizedKey}`,\n data: undefined,\n }\n }\n return { ok: true, data: normalizedKey }\n}\n\nexport function findSocketYmlSync(dir = process.cwd()) {\n let prevDir = null\n while (dir !== prevDir) {\n let ymlPath = path.join(dir, 'socket.yml')\n let yml = safeReadFileSync(ymlPath)\n if (yml === undefined) {\n ymlPath = path.join(dir, 'socket.yaml')\n yml = safeReadFileSync(ymlPath)\n }\n if (typeof yml === 'string') {\n try {\n return {\n path: ymlPath,\n parsed: config.parseSocketConfig(yml),\n }\n } catch {\n throw new Error(`Found file but was unable to parse ${ymlPath}`)\n }\n }\n prevDir = dir\n dir = path.join(dir, '..')\n }\n return null\n}\n\nexport function getConfigValue<Key extends keyof LocalConfig>(\n key: Key,\n): CResult<LocalConfig[Key]> {\n const localConfig = getConfigValues()\n const keyResult = normalizeConfigKey(key)\n if (!keyResult.ok) {\n return keyResult\n }\n return { ok: true, data: localConfig[keyResult.data as Key] }\n}\n\n// This version squashes errors, returning undefined instead.\n// Should be used when we can reasonably predict the call can't fail.\nexport function getConfigValueOrUndef<Key extends keyof LocalConfig>(\n key: Key,\n): LocalConfig[Key] \| undefined {\n const localConfig = getConfigValues()\n const keyResult = normalizeConfigKey(key)\n if (!keyResult.ok) {\n return undefined\n }\n return localConfig[keyResult.data as Key]\n}\n\n// Ensure export because dist/utils.js is required in src/constants.mts.\n// eslint-disable-next-line n/exports-style\nexports.getConfigValueOrUndef = getConfigValueOrUndef\n\nexport function getSupportedConfigEntries() {\n return [...supportedConfigEntries]\n}\n\nexport function getSupportedConfigKeys() {\n return [...supportedConfigKeys]\n}\n\nexport function isReadOnlyConfig() {\n return _readOnlyConfig\n}\n\nexport function isSensitiveConfigKey(key: string): key is keyof LocalConfig {\n return sensitiveConfigKeyLookup.has(key as keyof LocalConfig)\n}\n\nexport function isSupportedConfigKey(key: string): key is keyof LocalConfig {\n return supportedConfig.has(key as keyof LocalConfig)\n}\n\nlet _cachedConfig: LocalConfig \| undefined\n// When using --config or SOCKET_CLI_CONFIG, do not persist the config.\nlet _readOnlyConfig = false\n\nexport function overrideCachedConfig(jsonConfig: unknown): CResult<undefined> {\n debugFn('notice', 'override: full config (not stored)')\n\n let config\n try {\n config = JSON.parse(String(jsonConfig))\n if (!config \|\| typeof config !== 'object') {\n // `null` is valid json, so are primitive values.\n // They're not valid config objects :)\n return {\n ok: false,\n message: 'Could not parse Config as JSON',\n cause:\n \"Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again.\",\n }\n }\n } catch {\n // Force set an empty config to prevent accidentally using system settings.\n _cachedConfig = {} as LocalConfig\n _readOnlyConfig = true\n\n return {\n ok: false,\n message: 'Could not parse Config as JSON',\n cause:\n \"Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again.\",\n }\n }\n\n // @ts-ignore Override an illegal object.\n _cachedConfig = config as LocalConfig\n _readOnlyConfig = true\n\n // Normalize apiKey to apiToken.\n if (_cachedConfig['apiKey']) {\n if (_cachedConfig['apiToken']) {\n logger.warn(\n 'Note: The config override had both apiToken and apiKey. Using the apiToken value. Remove the apiKey to get rid of this message.',\n )\n }\n _cachedConfig['apiToken'] = _cachedConfig['apiKey']\n delete _cachedConfig['apiKey']\n }\n\n return { ok: true, data: undefined }\n}\n\nexport function overrideConfigApiToken(apiToken: unknown) {\n debugFn('notice', 'override: API token (not stored)')\n // Set token to the local cached config and mark it read-only so it doesn't persist.\n _cachedConfig = {\n ...config,\n ...(apiToken === undefined ? {} : { apiToken: String(apiToken) }),\n } as LocalConfig\n _readOnlyConfig = true\n}\n\nlet _pendingSave = false\nexport function updateConfigValue<Key extends keyof LocalConfig>(\n configKey: keyof LocalConfig,\n value: LocalConfig[Key],\n): CResult<undefined \| string> {\n const localConfig = getConfigValues()\n const keyResult = normalizeConfigKey(configKey)\n if (!keyResult.ok) {\n return keyResult\n }\n const key: Key = keyResult.data as Key\n // Implicitly deleting when serializing.\n let wasDeleted = value === undefined\n if (key === 'skipAskToPersistDefaultOrg') {\n if (value === 'true' \|\| value === 'false') {\n localConfig['skipAskToPersistDefaultOrg'] = value === 'true'\n } else {\n delete localConfig['skipAskToPersistDefaultOrg']\n wasDeleted = true\n }\n } else {\n if (value === 'undefined' \|\| value === 'true' \|\| value === 'false') {\n logger.warn(\n `Note: The value is set to \"${value}\", as a string (!). Use \\`socket config unset\\` to reset a key.`,\n )\n }\n localConfig[key] = value\n }\n if (_readOnlyConfig) {\n return {\n ok: true,\n message: `Config key '${key}' was ${wasDeleted ? 'deleted' : `updated`}`,\n data: 'Change applied but not persisted; current config is overridden through env var or flag',\n }\n }\n\n if (!_pendingSave) {\n _pendingSave = true\n process.nextTick(() => {\n _pendingSave = false\n // Lazily access constants.socketAppDataPath.\n const { socketAppDataPath } = constants\n if (socketAppDataPath) {\n writeFileSync(\n socketAppDataPath,\n Buffer.from(JSON.stringify(localConfig)).toString('base64'),\n )\n }\n })\n }\n\n return {\n ok: true,\n message: `Config key '${key}' was ${wasDeleted ? 'deleted' : `updated`}`,\n data: undefined,\n }\n}\n","import { setTimeout as wait } from 'node:timers/promises'\n\nimport { debugFn } from '@socketsecurity/registry/lib/debug'\n\nimport constants from '../constants.mts'\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getSentry },\n} = constants\n\ntype EventHintOrCaptureContext = { [key: string]: any } \| Function\n\nexport class AuthError extends Error {}\n\nexport class InputError extends Error {\n public body: string \| undefined\n\n constructor(message: string, body?: string) {\n super(message)\n this.body = body\n }\n}\n\nexport async function captureException(\n exception: unknown,\n hint?: EventHintOrCaptureContext \| undefined,\n): Promise<string> {\n const result = captureExceptionSync(exception, hint)\n // \"Sleep\" for a second, just in case, hopefully enough time to initiate fetch.\n await wait(1000)\n return result\n}\n\nexport function captureExceptionSync(\n exception: unknown,\n hint?: EventHintOrCaptureContext \| undefined,\n): string {\n const Sentry = getSentry()\n if (!Sentry) {\n return ''\n }\n debugFn('notice', 'send: exception to Sentry')\n return Sentry.captureException(exception, hint) as string\n}\n\nexport function isErrnoException(\n value: unknown,\n): value is NodeJS.ErrnoException {\n if (!(value instanceof Error)) {\n return false\n }\n return (value as NodeJS.ErrnoException).code !== undefined\n}\n","import colors from 'yoctocolors-cjs'\n\nexport function failMsgWithBadge(\n badge: string,\n message: string \| undefined,\n): string {\n const prefix = colors.bgRed(\n colors.bold(colors.white(` ${badge}${message ? ': ' : ''}`)),\n )\n const postfix = message ? ` ${colors.bold(message)}` : ''\n return `${prefix}${postfix}`\n}\n","import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent'\n\nimport isInteractive from '@socketregistry/is-interactive/index.cjs'\nimport { password } from '@socketsecurity/registry/lib/prompts'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\nimport { SocketSdk, createUserAgentFromPkgJson } from '@socketsecurity/sdk'\n\nimport { getConfigValueOrUndef } from './config.mts'\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\n\nconst TOKEN_PREFIX = 'sktsec_'\n\nconst { length: TOKEN_PREFIX_LENGTH } = TOKEN_PREFIX\n\n// The API server that should be used for operations.\nfunction getDefaultApiBaseUrl(): string \| undefined {\n const baseUrl =\n // Lazily access constants.ENV.SOCKET_CLI_API_BASE_URL.\n constants.ENV.SOCKET_CLI_API_BASE_URL \|\| getConfigValueOrUndef('apiBaseUrl')\n return isUrl(baseUrl) ? baseUrl : undefined\n}\n\n// The API server that should be used for operations.\nfunction getDefaultProxyUrl(): string \| undefined {\n const apiProxy =\n // Lazily access constants.ENV.SOCKET_CLI_API_PROXY.\n constants.ENV.SOCKET_CLI_API_PROXY \|\| getConfigValueOrUndef('apiProxy')\n return isUrl(apiProxy) ? apiProxy : undefined\n}\n\nfunction isUrl(value: any): value is string {\n if (isNonEmptyString(value)) {\n try {\n // eslint-disable-next-line no-new\n new URL(value)\n return true\n } catch {}\n }\n return false\n}\n\n// This API key should be stored globally for the duration of the CLI execution.\nlet _defaultToken: string \| undefined\nexport function getDefaultToken(): string \| undefined {\n // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.\n if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {\n _defaultToken = undefined\n } else {\n const key =\n // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.\n constants.ENV.SOCKET_CLI_API_TOKEN \|\|\n getConfigValueOrUndef('apiToken') \|\|\n _defaultToken\n _defaultToken = isNonEmptyString(key) ? key : undefined\n }\n return _defaultToken\n}\n\nexport function getVisibleTokenPrefix(): string {\n const apiToken = getDefaultToken()\n return apiToken\n ? apiToken.slice(TOKEN_PREFIX_LENGTH, TOKEN_PREFIX_LENGTH + 5)\n : ''\n}\n\nexport function hasDefaultToken(): boolean {\n return !!getDefaultToken()\n}\n\nexport function getPublicToken(): string {\n return (\n getDefaultToken() \|\|\n // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.\n constants.ENV.SOCKET_CLI_API_TOKEN \|\|\n // Lazily access constants.SOCKET_PUBLIC_API_TOKEN.\n constants.SOCKET_PUBLIC_API_TOKEN\n )\n}\n\nexport type SetupSdkOptions = {\n apiToken?: string \| undefined\n apiBaseUrl?: string \| undefined\n apiProxy?: string \| undefined\n}\n\nexport async function setupSdk(\n options?: SetupSdkOptions \| undefined,\n): Promise<CResult<SocketSdk>> {\n const opts = { __proto__: null, ...options } as SetupSdkOptions\n let { apiToken = getDefaultToken() } = opts\n\n if (typeof apiToken !== 'string' && isInteractive()) {\n apiToken = await password({\n message:\n 'Enter your Socket.dev API key (not saved, use socket login to persist)',\n })\n _defaultToken = apiToken\n }\n\n if (!apiToken) {\n return {\n ok: false,\n message: 'Auth Error',\n cause: 'You need to provide an API Token. Run `socket login` first.',\n }\n }\n\n let { apiProxy } = opts\n if (!isUrl(apiProxy)) {\n apiProxy = getDefaultProxyUrl()\n }\n\n const { apiBaseUrl = getDefaultApiBaseUrl() } = opts\n const ProxyAgent = apiProxy?.startsWith('http:')\n ? HttpProxyAgent\n : HttpsProxyAgent\n\n return {\n ok: true,\n data: new SocketSdk(apiToken, {\n agent: apiProxy ? new ProxyAgent({ proxy: apiProxy }) : undefined,\n baseUrl: apiBaseUrl,\n userAgent: createUserAgentFromPkgJson({\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_NAME.\n name: constants.ENV.INLINED_SOCKET_CLI_NAME,\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION.\n version: constants.ENV.INLINED_SOCKET_CLI_VERSION,\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE.\n homepage: constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE,\n }),\n }),\n }\n}\n","import { messageWithCauses } from 'pony-cause'\n\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport { getConfigValueOrUndef } from './config.mts'\nimport { AuthError } from './errors.mts'\nimport constants from '../constants.mts'\nimport { failMsgWithBadge } from './fail-msg-with-badge.mts'\nimport { getDefaultToken } from './sdk.mts'\n\nimport type { CResult } from '../types.mts'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\nimport type {\n SocketSdkErrorResult,\n SocketSdkOperations,\n SocketSdkResult,\n SocketSdkSuccessResult,\n} from '@socketsecurity/sdk'\n\nconst NO_ERROR_MESSAGE = 'No error message returned'\n\n// TODO: this function is removed after v1.0.0\nexport function handleUnsuccessfulApiResponse<T extends SocketSdkOperations>(\n _name: T,\n error: string,\n cause: string,\n status: number,\n): never {\n const message = `${error \|\| NO_ERROR_MESSAGE}${cause ? ` (reason: ${cause})` : ''}`\n if (status === 401 \|\| status === 403) {\n // Lazily access constants.spinner.\n const { spinner } = constants\n\n spinner.stop()\n\n throw new AuthError(message)\n }\n logger.fail(failMsgWithBadge('Socket API returned an error', message))\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n}\n\nexport type HandleApiCallOptions = {\n desc?: string \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function handleApiCall<T extends SocketSdkOperations>(\n value: Promise<SocketSdkResult<T>>,\n options?: HandleApiCallOptions \| undefined,\n): Promise<CResult<SocketSdkSuccessResult<T>['data']>> {\n const { desc, spinner } = {\n __proto__: null,\n ...options,\n } as HandleApiCallOptions\n\n if (desc) {\n spinner?.start(`Requesting ${desc} from API...`)\n } else {\n spinner?.start()\n }\n\n let sdkResult: SocketSdkResult<T>\n try {\n sdkResult = await value\n if (desc) {\n // TODO: info, not success (looks weird when response is non-200)\n spinner?.successAndStop(\n `Received API response (after requesting ${desc}).`,\n )\n } else {\n spinner?.stop()\n }\n } catch (e) {\n if (desc) {\n spinner?.failAndStop(`An error was thrown while requesting ${desc}`)\n debugFn('error', `caught: ${desc} error`)\n } else {\n spinner?.stop()\n debugFn('error', `caught: error`)\n }\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: messageWithCauses(e as Error),\n }\n } finally {\n spinner?.stop()\n }\n\n // Note: TS can't narrow down the type of result due to generics.\n if (sdkResult.success === false) {\n const errorResult = sdkResult as SocketSdkErrorResult<T>\n const message = `${errorResult.error \|\| NO_ERROR_MESSAGE}`\n const { cause: reason } = errorResult\n\n if (desc) {\n debugFn('error', `fail: ${desc} bad response`)\n } else {\n debugFn('error', 'fail: bad response')\n }\n debugDir('inspect', { sdkResult })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${message}${reason ? ` ( Reason: ${reason} )` : ''}`,\n data: {\n code: sdkResult.status,\n },\n }\n } else {\n const { data } = sdkResult as SocketSdkSuccessResult<T>\n return {\n ok: true,\n data,\n }\n }\n}\n\nexport async function handleApiCallNoSpinner<T extends SocketSdkOperations>(\n value: Promise<SocketSdkResult<T>>,\n description: string,\n): Promise<CResult<SocketSdkSuccessResult<T>['data']>> {\n let result: SocketSdkResult<T>\n try {\n result = await value\n } catch (e) {\n const message = `${e \|\| NO_ERROR_MESSAGE}`\n const reason = `${e \|\| NO_ERROR_MESSAGE}`\n\n debugFn('error', `caught: ${description} error`)\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${message}${reason ? ` ( Reason: ${reason} )` : ''}`,\n }\n }\n\n // Note: TS can't narrow down the type of result due to generics\n if (result.success === false) {\n const error = result as SocketSdkErrorResult<T>\n const message = `${error.error \|\| NO_ERROR_MESSAGE}`\n\n debugFn('error', `fail: ${description} bad response`)\n debugDir('inspect', { error })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${message}${error.cause ? ` ( Reason: ${error.cause} )` : ''}`,\n data: {\n code: result.status,\n },\n }\n } else {\n const ok = result as SocketSdkSuccessResult<T>\n return {\n ok: true,\n data: ok.data,\n }\n }\n}\n\nexport async function getErrorMessageForHttpStatusCode(code: number) {\n if (code === 400) {\n return 'One of the options passed might be incorrect'\n }\n if (code === 403 \|\| code === 401) {\n return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with'\n }\n if (code === 404) {\n return 'The requested Socket API endpoint was not found (404) or there was no result for the requested parameters. If unexpected, this could be a temporary problem caused by an incident or a bug in the CLI. If the problem persists please let us know.'\n }\n if (code === 500) {\n return 'There was an unknown server side problem with your request. This ought to be temporary. Please let us know if this problem persists.'\n }\n return `Server responded with status code ${code}`\n}\n\n// The API server that should be used for operations.\nexport function getDefaultApiBaseUrl(): string \| undefined {\n const baseUrl =\n // Lazily access constants.ENV.SOCKET_CLI_API_BASE_URL.\n constants.ENV.SOCKET_CLI_API_BASE_URL \|\| getConfigValueOrUndef('apiBaseUrl')\n if (isNonEmptyString(baseUrl)) {\n return baseUrl\n }\n // Lazily access constants.API_V0_URL.\n const API_V0_URL = constants.API_V0_URL\n return API_V0_URL\n}\n\nexport async function queryApi(path: string, apiToken: string) {\n const baseUrl = getDefaultApiBaseUrl() \|\| ''\n if (!baseUrl) {\n logger.warn(\n 'API endpoint is not set and default was empty. Request is likely to fail.',\n )\n }\n\n return await fetch(`${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`, {\n method: 'GET',\n headers: {\n Authorization: `Basic ${btoa(`${apiToken}:`)}`,\n },\n })\n}\n\nexport async function queryApiSafeText(\n path: string,\n fetchSpinnerDesc?: string,\n): Promise<CResult<string>> {\n const apiToken = getDefaultToken()\n if (!apiToken) {\n return {\n ok: false,\n message: 'Authentication Error',\n cause:\n 'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.',\n }\n }\n\n // Lazily access constants.spinner.\n const { spinner } = constants\n\n if (fetchSpinnerDesc) {\n spinner.start(`Requesting ${fetchSpinnerDesc} from API...`)\n }\n\n let result\n try {\n result = await queryApi(path, apiToken)\n if (fetchSpinnerDesc) {\n spinner.successAndStop(\n `Received API response (after requesting ${fetchSpinnerDesc}).`,\n )\n }\n } catch (e) {\n if (fetchSpinnerDesc) {\n spinner.failAndStop(\n `An error was thrown while requesting ${fetchSpinnerDesc}.`,\n )\n }\n\n const cause = (e as undefined \| { message: string })?.message\n\n debugFn('error', 'caught: queryApi() error')\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'API Request failed to complete',\n ...(cause ? { cause } : {}),\n }\n }\n\n if (!result.ok) {\n const cause = await getErrorMessageForHttpStatusCode(result.status)\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${result.statusText}${cause ? ` (cause: ${cause})` : ''}`,\n }\n }\n\n try {\n const data = await result.text()\n\n return {\n ok: true,\n data,\n }\n } catch (e) {\n debugFn('error', 'caught: await result.text() error')\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'API Request failed to complete',\n cause: 'There was an unexpected error trying to read the response text',\n }\n }\n}\n\nexport async function queryApiSafeJson<T>(\n path: string,\n fetchSpinnerDesc = '',\n): Promise<CResult<T>> {\n const result = await queryApiSafeText(path, fetchSpinnerDesc)\n\n if (!result.ok) {\n return result\n }\n\n try {\n return {\n ok: true,\n data: JSON.parse(result.data) as T,\n }\n } catch (e) {\n return {\n ok: false,\n message: 'Server returned invalid JSON',\n cause: `Please report this. JSON.parse threw an error over the following response: \\`${(result.data?.slice?.(0, 100) \|\| '<empty>').trim() + (result.data?.length > 100 ? '...' : '')}\\``,\n }\n }\n}\n","export function mdTableStringNumber(\n title1: string,\n title2: string,\n obj: Record<string, number \| string>,\n): string {\n // \| Date \| Counts \|\n // \| ----------- \| ------ \|\n // \| Header \| 201464 \|\n // \| Paragraph \| 18 \|\n let mw1 = title1.length\n let mw2 = title2.length\n for (const [key, value] of Object.entries(obj)) {\n mw1 = Math.max(mw1, key.length)\n mw2 = Math.max(mw2, String(value ?? '').length)\n }\n\n const lines = []\n lines.push(`\| ${title1.padEnd(mw1, ' ')} \| ${title2.padEnd(mw2)} \|`)\n lines.push(`\| ${'-'.repeat(mw1)} \| ${'-'.repeat(mw2)} \|`)\n for (const [key, value] of Object.entries(obj)) {\n lines.push(\n `\| ${key.padEnd(mw1, ' ')} \| ${String(value ?? '').padStart(mw2, ' ')} \|`,\n )\n }\n lines.push(`\| ${'-'.repeat(mw1)} \| ${'-'.repeat(mw2)} \|`)\n\n return lines.join('\\n')\n}\n\nexport function mdTable<T extends Array<Record<string, string>>>(\n logs: T,\n // This is saying \"an array of strings and the strings are a valid key of elements of T\"\n // In turn, T is defined above as the audit log event type from our OpenAPI docs.\n cols: Array<string & keyof T[number]>,\n titles: string[] = cols,\n): string {\n // Max col width required to fit all data in that column\n const cws = cols.map(col => col.length)\n\n for (const log of logs) {\n for (let i = 0, { length } = cols; i < length; i += 1) {\n // @ts-ignore\n const val: unknown = log[cols[i] ?? ''] ?? ''\n cws[i] = Math.max(\n cws[i] ?? 0,\n String(val).length,\n (titles[i] \|\| '').length,\n )\n }\n }\n\n let div = '\|'\n for (const cw of cws) {\n div += ' ' + '-'.repeat(cw) + ' \|'\n }\n\n let header = '\|'\n for (let i = 0, { length } = titles; i < length; i += 1) {\n header += ' ' + String(titles[i]).padEnd(cws[i] ?? 0, ' ') + ' \|'\n }\n\n let body = ''\n for (const log of logs) {\n body += '\|'\n for (let i = 0, { length } = cols; i < length; i += 1) {\n // @ts-ignore\n const val: unknown = log[cols[i] ?? ''] ?? ''\n body += ' ' + String(val).padEnd(cws[i] ?? 0, ' ') + ' \|'\n }\n body += '\\n'\n }\n\n return [div, header, div, body.trim(), div].filter(s => s.trim()).join('\\n')\n}\n\nexport function mdTableOfPairs(\n arr: Array<[string, string]>,\n // This is saying \"an array of strings and the strings are a valid key of elements of T\"\n // In turn, T is defined above as the audit log event type from our OpenAPI docs.\n cols: string[],\n): string {\n // Max col width required to fit all data in that column\n const cws = cols.map(col => col.length)\n\n for (const [key, val] of arr) {\n cws[0] = Math.max(cws[0] ?? 0, String(key).length)\n cws[1] = Math.max(cws[1] ?? 0, String(val ?? '').length)\n }\n\n let div = '\|'\n for (const cw of cws) {\n div += ' ' + '-'.repeat(cw) + ' \|'\n }\n\n let header = '\|'\n for (let i = 0, { length } = cols; i < length; i += 1) {\n header += ' ' + String(cols[i]).padEnd(cws[i] ?? 0, ' ') + ' \|'\n }\n\n let body = ''\n for (const [key, val] of arr) {\n body += '\|'\n body += ' ' + String(key).padEnd(cws[0] ?? 0, ' ') + ' \|'\n body += ' ' + String(val ?? '').padEnd(cws[1] ?? 0, ' ') + ' \|'\n body += '\\n'\n }\n\n return [div, header, div, body.trim(), div].filter(s => s.trim()).join('\\n')\n}\n","import { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport type { CResult } from '../types.mts'\n\n// Serialize the final result object before printing it\n// All commands that support the --json flag should call this before printing\nexport function serializeResultJson(data: CResult<unknown>): string {\n if (typeof data !== 'object' \|\| !data) {\n process.exitCode = 1\n debugFn('inspect', 'typeof data=', typeof data)\n\n if (typeof data !== 'object' && data) {\n debugFn('inspect', 'data:\\n', data)\n }\n\n // We should not allow the JSON value to be \"null\", or a boolean/number/string,\n // even if they are valid \"json\".\n const message =\n 'There was a problem converting the data set to JSON. The JSON was not an object. Please try again without --json'\n\n return (\n JSON.stringify({\n ok: false,\n message: 'Unable to serialize JSON',\n data: message,\n }).trim() + '\\n'\n )\n }\n\n try {\n return JSON.stringify(data, null, 2).trim() + '\\n'\n } catch (e) {\n process.exitCode = 1\n\n // This could be caused by circular references, which is an \"us\" problem\n const message =\n 'There was a problem converting the data set to JSON. Please try again without --json'\n logger.fail(message)\n debugDir('inspect', { error: e })\n return (\n JSON.stringify({\n ok: false,\n message: 'Unable to serialize JSON',\n data: message,\n }).trim() + '\\n'\n )\n }\n}\n","import colors from 'yoctocolors-cjs'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { stripAnsi } from '@socketsecurity/registry/lib/strings'\n\nimport { failMsgWithBadge } from './fail-msg-with-badge.mts'\nimport { serializeResultJson } from './serialize-result-json.mts'\n\nimport type { OutputKind } from '../types.mts'\n\nexport function checkCommandInput(\n outputKind: OutputKind,\n ...checks: Array<{\n fail: string\n message: string\n pass: string\n test: boolean\n nook?: boolean \| undefined\n }>\n): boolean {\n if (checks.every(d => d.test)) {\n return true\n }\n\n const msg = ['Please review the input requirements and try again', '']\n for (const d of checks) {\n // If nook, then ignore when test is ok\n if (d.nook && d.test) {\n continue\n }\n const lines = d.message.split('\\n')\n const { length: lineCount } = lines\n if (!lineCount) {\n continue\n }\n // If the message has newlines then format the first line with the input\n // expectation and the rest indented below it.\n msg.push(\n ` - ${lines[0]} (${d.test ? colors.green(d.pass) : colors.red(d.fail)})`,\n )\n if (lineCount > 1) {\n msg.push(...lines.slice(1).map(str => ` ${str}`))\n }\n msg.push('')\n }\n\n // Use exit status of 2 to indicate incorrect usage, generally invalid\n // options or missing arguments.\n // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html\n process.exitCode = 2\n\n if (outputKind === 'json') {\n logger.log(\n serializeResultJson({\n ok: false,\n message: 'Input error',\n data: stripAnsi(msg.join('\\n')),\n }),\n )\n } else {\n logger.fail(failMsgWithBadge('Input error', msg.join('\\n')))\n }\n\n return false\n}\n","import type { OutputKind } from '../types.mts'\n\nexport function getOutputKind(json: unknown, markdown: unknown): OutputKind {\n if (json) {\n return 'json'\n }\n if (markdown) {\n return 'markdown'\n }\n return 'text'\n}\n","import { isObject } from '@socketsecurity/registry/lib/objects'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport type { MeowFlags } from '../flags.mts'\n\ntype HelpListOptions = {\n indent?: number \| undefined\n keyPrefix?: string \| undefined\n padName?: number \| undefined\n}\n\ntype ListDescription =\n \| { description: string }\n \| { description: string; hidden: boolean }\n\nexport function getFlagListOutput(\n list: MeowFlags,\n options?: HelpListOptions \| undefined,\n): string {\n const { keyPrefix = '--' } = {\n __proto__: null,\n ...options,\n } as HelpListOptions\n return getHelpListOutput(\n {\n ...list,\n },\n { ...options, keyPrefix },\n )\n}\n\nexport function getHelpListOutput(\n list: Record<string, ListDescription>,\n options?: HelpListOptions \| undefined,\n): string {\n const {\n indent = 6,\n keyPrefix = '',\n padName = 18,\n } = {\n __proto__: null,\n ...options,\n } as HelpListOptions\n let result = ''\n const names = Object.keys(list).sort(naturalCompare)\n for (const name of names) {\n const entry = list[name]\n if (entry && 'hidden' in entry && entry?.hidden) {\n continue\n }\n const description = (isObject(entry) ? entry.description : entry) \|\| ''\n result +=\n ''.padEnd(indent) +\n (keyPrefix + name).padEnd(padName) +\n description +\n '\\n'\n }\n return result.trim() \|\| '(none)'\n}\n","import path from 'node:path'\n\nimport { escapeRegExp } from '@socketsecurity/registry/lib/regexps'\n\nimport constants from '../constants.mts'\n\n// Replace the start of a path with ~/ when it starts with your home dir.\n// A common way to abbreviate the user home dir (though not strictly posix).\nexport function tildify(cwd: string) {\n return cwd.replace(\n new RegExp(`^${escapeRegExp(constants.homePath)}(?:${path.sep}\|$)`, 'i'),\n '~/',\n )\n}\n","import meow from 'meow'\n\nimport { joinAnd } from '@socketsecurity/registry/lib/arrays'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { hasOwn, toSortedObject } from '@socketsecurity/registry/lib/objects'\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport {\n getConfigValueOrUndef,\n isReadOnlyConfig,\n overrideCachedConfig,\n overrideConfigApiToken,\n} from './config.mts'\nimport { getFlagListOutput, getHelpListOutput } from './output-formatting.mts'\nimport constants from '../constants.mts'\nimport { commonFlags } from '../flags.mts'\nimport { getVisibleTokenPrefix } from './sdk.mts'\nimport { tildify } from './tildify.mts'\n\nimport type { MeowFlags } from '../flags.mts'\nimport type { Options, Result } from 'meow'\n\nexport interface CliAlias {\n description: string\n argv: readonly string[]\n hidden?: boolean \| undefined\n}\n\nexport type CliAliases = Record<string, CliAlias>\n\nexport type CliSubcommandRun = (\n argv: string[] \| readonly string[],\n importMeta: ImportMeta,\n context: { parentName: string },\n) => Promise<void> \| void\n\nexport interface CliSubcommand {\n description: string\n hidden?: boolean \| undefined\n run: CliSubcommandRun\n}\n\n// Property names are picked such that the name is at the top when the props\n// get ordered by alphabet while flags is near the bottom and the help text\n// at the bottom, because they tend ot occupy the most lines of code.\nexport interface CliCommandConfig {\n commandName: string // tmp optional while we migrate\n description: string\n hidden: boolean\n flags: MeowFlags // tmp optional while we migrate\n help: (command: string, config: CliCommandConfig) => string\n}\n\nexport interface MeowOptions extends Options<any> {\n aliases?: CliAliases \| undefined\n argv: readonly string[]\n name: string\n // When no sub-command is given, default to this sub-command\n defaultSub?: string\n}\n\n// For debugging. Whenever you call meowOrExit it will store the command here\n// This module exports a getter that returns the current value.\nlet lastSeenCommand = ''\n\nexport function getLastSeenCommand(): string {\n return lastSeenCommand\n}\n\nexport async function meowWithSubcommands(\n subcommands: Record<string, CliSubcommand>,\n options: MeowOptions,\n): Promise<void> {\n const {\n aliases = {},\n argv,\n defaultSub,\n importMeta,\n name,\n ...additionalOptions\n } = { __proto__: null, ...options }\n const [commandOrAliasName_, ...rawCommandArgv] = argv\n let commandOrAliasName = commandOrAliasName_\n if (!commandOrAliasName && defaultSub) {\n commandOrAliasName = defaultSub\n }\n\n const flags: MeowFlags = {\n ...commonFlags,\n version: {\n type: 'boolean',\n hidden: true,\n description: 'Print the app version',\n },\n ...additionalOptions.flags,\n }\n\n // No further args or first arg is a flag (shrug)\n const isRootCommand =\n name === 'socket' &&\n (!commandOrAliasName \|\| commandOrAliasName?.startsWith('-'))\n\n // Try to support `socket <purl>` as a shorthand for `socket package score <purl>`\n if (!isRootCommand) {\n if (commandOrAliasName?.startsWith('pkg:')) {\n logger.info('Note: Invoking `socket package score` now...')\n return await meowWithSubcommands(subcommands, {\n ...options,\n argv: ['package', 'deep', ...argv],\n })\n }\n // Support `socket npm/babel` or whatever as a shorthand, too.\n // Accept any ecosystem and let the remote sort it out.\n if (/^[a-z]+\\//.test(commandOrAliasName \|\| '')) {\n logger.info('Note: Invoking `socket package score` now...')\n return await meowWithSubcommands(subcommands, {\n ...options,\n argv: [\n 'package',\n 'deep',\n `pkg:${commandOrAliasName}`,\n ...rawCommandArgv,\n ],\n })\n }\n }\n\n if (isRootCommand) {\n flags['help'] = {\n type: 'boolean',\n hidden: false, // Only show on root\n description: 'Give you detailed help information about any sub-command',\n }\n flags['config'] = {\n type: 'string',\n hidden: false, // Only show on root\n description: 'Allows you to temp overrides the internal CLI config',\n }\n flags['dryRun'] = {\n type: 'boolean',\n hidden: false, // Only show on root\n description: 'Do input validation for a sub-command and then exit',\n }\n flags['version'] = {\n type: 'boolean',\n hidden: false, // Only show on root\n description: 'Show version of CLI',\n }\n delete flags['json']\n delete flags['markdown']\n } else {\n delete flags['help']\n delete flags['version']\n }\n\n // This is basically a dry-run parse of cli args and flags. We use this to\n // determine config overrides and expected output mode.\n const cli1 = meow(`(this should never be printed)`, {\n argv,\n importMeta,\n ...additionalOptions,\n flags,\n // Do not strictly check for flags here.\n allowUnknownFlags: true,\n booleanDefault: undefined, // We want to detect whether a bool flag is given at all.\n // We will emit help when we're ready\n // Plus, if we allow this then meow() can just exit here.\n autoHelp: false,\n autoVersion: false,\n })\n\n const orgFlag = String(cli1.flags['org'] \|\| '') \|\| undefined\n\n // Hard override the config if instructed to do so.\n // The env var overrides the --flag, which overrides the persisted config\n // Also, when either of these are used, config updates won't persist.\n let configOverrideResult\n // Lazily access constants.ENV.SOCKET_CLI_CONFIG.\n if (constants.ENV.SOCKET_CLI_CONFIG) {\n configOverrideResult = overrideCachedConfig(\n // Lazily access constants.ENV.SOCKET_CLI_CONFIG.\n constants.ENV.SOCKET_CLI_CONFIG,\n )\n } else if (cli1.flags['config']) {\n configOverrideResult = overrideCachedConfig(\n String(cli1.flags['config'] \|\| ''),\n )\n }\n\n // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.\n if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {\n // This overrides the config override and even the explicit token env var.\n // The config will be marked as readOnly to prevent persisting it.\n overrideConfigApiToken(undefined)\n } else {\n // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.\n const tokenOverride = constants.ENV.SOCKET_CLI_API_TOKEN\n if (tokenOverride) {\n // This will set the token (even if there was a config override) and\n // set it to readOnly, making sure the temp token won't be persisted.\n overrideConfigApiToken(tokenOverride)\n }\n }\n\n if (configOverrideResult?.ok === false) {\n emitBanner(name, orgFlag)\n logger.error('') // spacing in stderr\n logger.fail(configOverrideResult.message)\n process.exitCode = 2\n return\n }\n\n // If we got at least some args, then lets find out if we can find a command.\n if (commandOrAliasName) {\n const alias = aliases[commandOrAliasName]\n // First: Resolve argv data from alias if its an alias that's been given.\n const [commandName, ...commandArgv] = alias\n ? [...alias.argv, ...rawCommandArgv]\n : [commandOrAliasName, ...rawCommandArgv]\n // Second: Find a command definition using that data.\n const commandDefinition = commandName ? subcommands[commandName] : undefined\n // Third: If a valid command has been found, then we run it...\n if (commandDefinition) {\n return await commandDefinition.run(commandArgv, importMeta, {\n parentName: name,\n })\n }\n }\n\n function formatCommandsForHelp(isRootCommand: boolean) {\n if (!isRootCommand) {\n return getHelpListOutput({\n ...toSortedObject(\n Object.fromEntries(\n Object.entries(subcommands).filter(\n ({ 1: subcommand }) => !subcommand.hidden,\n ),\n ),\n ),\n ...toSortedObject(\n Object.fromEntries(\n Object.entries(aliases).filter(({ 1: alias }) => {\n const { hidden } = alias\n const cmdName = hidden ? '' : alias.argv[0]\n const subcommand = cmdName ? subcommands[cmdName] : undefined\n return subcommand && !subcommand.hidden\n }),\n ),\n ),\n })\n }\n\n // \"Bucket\" some commands for easier usage.\n const commands = new Set([\n 'analytics',\n 'audit-log',\n 'config',\n 'fix',\n 'install',\n 'login',\n 'logout',\n 'manifest',\n 'npm',\n 'npx',\n 'optimize',\n 'organization',\n 'package',\n 'raw-npm',\n 'raw-npx',\n 'repos',\n 'scan',\n 'threat-feed',\n 'uninstall',\n 'wrapper',\n ])\n Object.entries(subcommands)\n .filter(([_name, subcommand]) => !subcommand.hidden)\n .map(([name]) => name)\n .forEach(name => {\n if (commands.has(name)) {\n commands.delete(name)\n } else {\n logger.fail(\n 'Received a visible command that was not added to the list here:',\n name,\n )\n }\n })\n if (commands.size) {\n logger.fail(\n 'Found commands in the list that were not marked as public or not defined at all:',\n // Node < 22 will print 'Object (n)' before the array. So to have consistent\n // test snapshots we use joinAnd.\n joinAnd(\n Array.from(commands)\n .sort(naturalCompare)\n .map(c => `'${c}'`),\n ),\n )\n }\n\n const out = []\n out.push('All commands have their own --help page')\n out.push('')\n out.push(' Main commands')\n out.push('')\n out.push(\n ' socket login Setup the CLI with an API Token and defaults',\n )\n out.push(' socket scan create Create a new Scan and report')\n out.push(\n ' socket npm/eslint@1.0.0 Request the security score of a particular package',\n )\n out.push(\n ' socket ci Shorthand for CI; socket scan create --report --no-interactive',\n )\n out.push('')\n out.push(' Socket API')\n out.push('')\n out.push(' analytics Look up analytics data')\n out.push(\n ' audit-log Look up the audit log for an organization',\n )\n out.push(\n ' organization Manage organization account details',\n )\n out.push(\n ' package Look up published package details',\n )\n out.push(' repository Manage registered repositories')\n out.push(' scan Manage Socket scans')\n out.push(' threat-feed [beta] View the threat feed')\n out.push('')\n out.push(' Local tools')\n out.push('')\n out.push(\n ' fix Update dependencies with \"fixable\" Socket alerts',\n )\n out.push(\n ' manifest Generate a dependency manifest for certain languages',\n )\n out.push(' npm npm wrapper functionality')\n out.push(' npx npx wrapper functionality')\n out.push(\n ' optimize Optimize dependencies with @socketregistry overrides',\n )\n out.push(\n ' raw-npm Temporarily disable the Socket npm wrapper',\n )\n out.push(\n ' raw-npx Temporarily disable the Socket npx wrapper',\n )\n out.push('')\n out.push(' CLI configuration')\n out.push('')\n out.push(\n ' config Manage the CLI configuration directly',\n )\n out.push(\n ' install Manually install CLI tab completion on your system',\n )\n out.push(' login Socket API login and CLI setup')\n out.push(' logout Socket API logout')\n out.push(\n ' uninstall Remove the CLI tab completion from your system',\n )\n out.push(\n ' wrapper Enable or disable the Socket npm/npx wrapper',\n )\n\n return out.join('\\n')\n }\n\n // Parse it again. Config overrides should now be applied (may affect help).\n // Note: this is displayed as help screen if the command does not override it\n // (which is the case for most sub-commands with sub-commands)\n const cli2 = meow(\n `\n Usage\n $ ${name} <command>\n${isRootCommand ? '' : '\\n Commands'}\n ${formatCommandsForHelp(isRootCommand)}\n\n${isRootCommand ? ' Options' : ' Options'}${isRootCommand ? ' (Note: all CLI commands have these flags even when not displayed in their help)\\n' : ''}\n ${getFlagListOutput(flags, { padName: 25 })}\n\n Examples\n $ ${name} --help\n${isRootCommand ? ` $ ${name} scan create --json` : ''}${isRootCommand ? `\\n $ ${name} package score npm left-pad --markdown` : ''}`,\n {\n argv,\n importMeta,\n ...additionalOptions,\n flags,\n // Do not strictly check for flags here.\n allowUnknownFlags: true,\n // We will emit help when we're ready.\n // Plus, if we allow this then meow() can just exit here.\n autoHelp: false,\n autoVersion: false,\n // We want to detect whether a bool flag is given at all.\n booleanDefault: undefined,\n },\n )\n\n // ...else we provide basic instructions and help.\n if (!cli2.flags['nobanner']) {\n emitBanner(name, orgFlag)\n // meow will add newline so don't add stderr spacing here\n }\n if (!cli2.flags['help'] && cli2.flags['dryRun']) {\n process.exitCode = 0\n // Lazily access constants.DRY_RUN_LABEL.\n logger.log(`${constants.DRY_RUN_LABEL}: No-op, call a sub-command; ok`)\n } else {\n // When you explicitly request --help, the command should be successful\n // so we exit(0). If we do it because we need more input, we exit(2).\n cli2.showHelp(cli2.flags['help'] ? 0 : 2)\n }\n}\n\n/\n Note: meow will exit immediately if it calls its .showHelp()\n /\nexport function meowOrExit({\n allowUnknownFlags = true,\n argv,\n config,\n importMeta,\n parentName,\n}: {\n allowUnknownFlags?: boolean \| undefined\n argv: readonly string[]\n config: CliCommandConfig\n parentName: string\n importMeta: ImportMeta\n}): Result<MeowFlags> {\n const command = `${parentName} ${config.commandName}`\n lastSeenCommand = command\n\n // This exits if .printHelp() is called either by meow itself or by us.\n const cli = meow({\n argv,\n autoHelp: false, // meow will exit(0) before printing the banner.\n autoVersion: false,\n booleanDefault: undefined, // We want to detect whether a bool flag is given at all.\n collectUnknownFlags: true,\n description: config.description,\n flags: config.flags,\n help: config.help(command, config),\n importMeta,\n })\n\n if (!cli.flags['nobanner']) {\n emitBanner(command, String(cli.flags['org'] \|\| '') \|\| undefined)\n // Add spacing in stderr. meow.help adds a newline too so we do it here\n logger.error('')\n }\n\n // As per https://github.com/sindresorhus/meow/issues/178\n // Setting `allowUnknownFlags: false` makes it reject camel cased flags.\n // if (!allowUnknownFlags) {\n // // Run meow specifically with the flag setting. It will exit(2) if an\n // // invalid flag is set and print a message.\n // meow({\n // argv,\n // allowUnknownFlags: false,\n // autoHelp: false,\n // autoVersion: false,\n // description: config.description,\n // flags: config.flags,\n // help: config.help(command, config),\n // importMeta,\n // })\n // }\n\n if (cli.flags['help']) {\n cli.showHelp(0)\n }\n\n // meow doesn't detect 'version' as an unknown flag, so we do the leg work here.\n if (!hasOwn(config.flags, 'version') && cli.flags['version']) {\n // Use `console.error` here instead of `logger.error` to match meow behavior.\n console.error('Unknown flag\\n--version')\n // eslint-disable-next-line n/no-process-exit\n process.exit(2)\n }\n\n // Now test for help state. Run meow again. If it exits now, it must be due\n // to wanting to print the help screen. But it would exit(0) and we want a\n // consistent exit(2) for that case (missing input).\n // TODO: Move away from meow.\n process.exitCode = 2\n meow({\n argv,\n // As per https://github.com/sindresorhus/meow/issues/178\n // Setting `allowUnknownFlags: false` makes it reject camel cased flags.\n allowUnknownFlags: Boolean(allowUnknownFlags),\n autoHelp: false,\n autoVersion: false,\n description: config.description,\n help: config.help(command, config),\n importMeta,\n flags: config.flags,\n })\n // Ok, no help, reset to default.\n process.exitCode = 0\n\n return cli\n}\n\nexport function emitBanner(name: string, orgFlag: string \| undefined) {\n // Print a banner at the top of each command.\n // This helps with brand recognition and marketing.\n // It also helps with debugging since it contains version and command details.\n // Note: print over stderr to preserve stdout for flags like --json and\n // --markdown. If we don't do this, you can't use --json in particular\n // and pipe the result to other tools. By emitting the banner over stderr\n // you can do something like `socket scan view xyz \| jq \| process`.\n // The spinner also emits over stderr for example.\n logger.error(getAsciiHeader(name, orgFlag))\n}\n\nfunction getAsciiHeader(command: string, orgFlag: string \| undefined) {\n // Note: In tests we return <redacted> because otherwise snapshots will fail.\n const { REDACTED } = constants\n // Lazily access constants.ENV.VITEST.\n const redacting = constants.ENV.VITEST\n const cliVersion = redacting\n ? REDACTED\n : // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH.\n constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH\n const nodeVersion = redacting ? REDACTED : process.version\n const defaultOrg = getConfigValueOrUndef('defaultOrg')\n const readOnlyConfig = isReadOnlyConfig() ? '' : '.'\n const shownToken = redacting\n ? REDACTED\n : getVisibleTokenPrefix() \|\| '(not set)'\n const relCwd = redacting ? REDACTED : normalizePath(tildify(process.cwd()))\n // Note: we must redact org when creating snapshots because dev machine probably\n // has a default org set but CI won't. Showing --org is fine either way.\n const orgPart = orgFlag\n ? `--org: ${orgFlag}`\n : redacting\n ? 'org: <redacted>'\n : defaultOrg\n ? `default org: ${defaultOrg}`\n : '(org not set)'\n // Note: We could draw these with ascii box art instead but I worry about\n // portability and paste-ability. \"simple\" ascii chars just work.\n const body = `\n _____ _ _ /---------------\n \| __\|___ ___\| \|_ ___\| \|_ \| Socket.dev CLI ver ${cliVersion}\n \|__ \| ${readOnlyConfig} \| _\| '_\| -_\| _\| \| Node: ${nodeVersion}, API token: ${shownToken}, ${orgPart}\n \|_____\|___\|___\|_,_\|___\|_\|.dev \| Command: \\`${command}\\`, cwd: ${relCwd}\n `.trim()\n\n return ` ${body}` // Note: logger will auto-append a newline\n}\n","export function msAtHome(isoTimeStamp: string): string {\n const timeStart = Date.parse(isoTimeStamp)\n const timeEnd = Date.now()\n\n const rtf = new Intl.RelativeTimeFormat('en', {\n numeric: 'always',\n style: 'short',\n })\n\n const delta = timeEnd - timeStart\n if (delta < 60 * 60 * 1000) {\n return rtf.format(-Math.round(delta / (60 * 1000)), 'minute')\n // return Math.round(delta / (60 * 1000)) + ' min ago'\n } else if (delta < 24 * 60 * 60 * 1000) {\n return rtf.format(-(delta / (60 * 60 * 1000)).toFixed(1), 'hour')\n // return (delta / (60 * 60 * 1000)).toFixed(1) + ' hr ago'\n } else if (delta < 7 * 24 * 60 * 60 * 1000) {\n return rtf.format(-(delta / (24 * 60 * 60 * 1000)).toFixed(1), 'day')\n // return (delta / (24 * 60 * 60 * 1000)).toFixed(1) + ' day ago'\n } else {\n return isoTimeStamp.slice(0, 10)\n }\n}\n","import { handleApiCall } from '../../utils/api.mts'\nimport { setupSdk } from '../../utils/sdk.mts'\n\nimport type { CResult } from '../../types.mts'\nimport type { SetupSdkOptions } from '../../utils/sdk.mts'\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\n\nexport type FetchOrganizationOptions = {\n sdkOptions?: SetupSdkOptions \| undefined\n}\n\nexport async function fetchOrganization(\n options?: FetchOrganizationOptions \| undefined,\n): Promise<CResult<SocketSdkSuccessResult<'getOrganizations'>['data']>> {\n const { sdkOptions } = {\n __proto__: null,\n ...options,\n } as FetchOrganizationOptions\n\n const sockSdkCResult = await setupSdk(sdkOptions)\n if (!sockSdkCResult.ok) {\n return sockSdkCResult\n }\n const sockSdk = sockSdkCResult.data\n\n return await handleApiCall(sockSdk.getOrganizations(), {\n desc: 'organization list',\n })\n}\n","import { logger } from '@socketsecurity/registry/lib/logger'\nimport { select } from '@socketsecurity/registry/lib/prompts'\n\nimport { fetchOrganization } from '../organization/fetch-organization-list.mts'\n\nexport async function suggestOrgSlug(): Promise<string \| void> {\n const orgsCResult = await fetchOrganization()\n if (!orgsCResult.ok) {\n logger.fail(\n 'Failed to lookup organization list from API, unable to suggest',\n )\n return undefined\n }\n\n // Ignore a failed request here. It was not the primary goal of\n // running this command and reporting it only leads to end-user confusion.\n const { organizations } = orgsCResult.data\n const proceed = await select<string>({\n message:\n 'Missing org name; do you want to use any of these orgs for this scan?',\n choices: [\n ...Object.values(organizations).map(o => {\n const name = o.name ?? o.slug\n return {\n name: `Yes [${name}]`,\n value: name,\n description: `Use \"${name}\" as the organization`,\n }\n }),\n {\n name: 'No',\n value: '',\n description:\n 'Do not use any of these organizations (will end in a no-op)',\n },\n ],\n })\n\n if (proceed) {\n return proceed\n }\n return undefined\n}\n","import { logger } from '@socketsecurity/registry/lib/logger'\nimport { select } from '@socketsecurity/registry/lib/prompts'\n\nimport { getConfigValue, updateConfigValue } from '../../utils/config.mts'\n\nexport async function suggestToPersistOrgSlug(orgSlug: string): Promise<void> {\n const skipAsk = getConfigValue('skipAskToPersistDefaultOrg')\n if (!skipAsk.ok \|\| skipAsk.data) {\n // Don't ask to store it when disabled before, or when reading config fails.\n return\n }\n\n const result = await select<string>({\n message: `Would you like to use this org (${orgSlug}) as the default org for future calls?`,\n choices: [\n {\n name: 'Yes',\n value: 'yes',\n description: 'Stores it in your config',\n },\n {\n name: 'No',\n value: 'no',\n description: 'Do not persist this org as default org',\n },\n {\n name: \"No and don't ask again\",\n value: 'sush',\n description:\n 'Do not store as default org and do not ask again to persist it',\n },\n ],\n })\n if (result === 'yes') {\n const updateResult = updateConfigValue('defaultOrg', orgSlug)\n if (updateResult.ok) {\n logger.success('Updated default org config to:', orgSlug)\n } else {\n logger.fail(\n '(Non blocking) Failed to update default org in config:',\n updateResult.cause,\n )\n }\n } else if (result === 'sush') {\n const updateResult = updateConfigValue('skipAskToPersistDefaultOrg', true)\n if (updateResult.ok) {\n logger.info('Default org not changed. Will not ask to persist again.')\n } else {\n logger.fail(\n `(Non blocking) Failed to store preference; will ask to persist again next time. Reason: ${updateResult.cause}`,\n )\n }\n }\n}\n","import { logger } from '@socketsecurity/registry/lib/logger'\n\nimport { getConfigValueOrUndef } from './config.mts'\nimport { suggestOrgSlug } from '../commands/scan/suggest-org-slug.mts'\nimport { suggestToPersistOrgSlug } from '../commands/scan/suggest-to-persist-orgslug.mts'\n\nexport async function determineOrgSlug(\n orgFlag: string,\n interactive: boolean,\n dryRun: boolean,\n): Promise<[string, string \| undefined]> {\n const defaultOrgSlug = getConfigValueOrUndef('defaultOrg')\n let orgSlug = String(orgFlag \|\| defaultOrgSlug \|\| '')\n if (!orgSlug) {\n if (!interactive) {\n logger.warn(\n 'Note: This command requires an org slug because the remote API endpoint does.',\n )\n logger.warn('')\n logger.warn(\n 'It seems no default org was setup and the `--org` flag was not used.',\n )\n logger.warn(\n \"Additionally, `--no-interactive` was set so we can't ask for it.\",\n )\n logger.warn(\n 'Since v1.0.0 the org _argument_ for all commands was dropped in favor of an',\n )\n logger.warn(\n 'implicit default org setting, which will be setup when you run `socket login`.',\n )\n logger.warn('')\n logger.warn(\n 'Note: When running in CI, you probably want to set the `--org` flag.',\n )\n logger.warn('')\n logger.warn(\n 'For details, see: https://docs.socket.dev/docs/v1-migration-guide',\n )\n logger.warn('')\n logger.warn(\n 'This command will exit now because the org slug is required to proceed.',\n )\n return ['', undefined]\n }\n\n // ask from server\n logger.warn(\n 'Unable to determine the target org. Trying to auto-discover it now...',\n )\n logger.info(\n 'Note: you can run `socket login` to set a default org. You can also override it with the --org flag.',\n )\n logger.error('') // spacing in stderr\n if (dryRun) {\n logger.fail('Skipping auto-discovery of org in dry-run mode')\n } else {\n orgSlug = (await suggestOrgSlug()) \|\| ''\n\n if (orgSlug) {\n await suggestToPersistOrgSlug(orgSlug)\n }\n }\n }\n\n return [orgSlug, defaultOrgSlug]\n}\n","import { debugFn } from '@socketsecurity/registry/lib/debug'\n\nimport constants from '../../constants.mts'\nimport { getConfigValueOrUndef } from '../../utils/config.mts'\nimport { fetchOrganization } from '../organization/fetch-organization-list.mts'\n\nimport type { CResult } from '../../types.mts'\n\n// Use the config defaultOrg when set, otherwise discover from remote.\nexport async function getDefaultOrgSlug(): Promise<CResult<string>> {\n const defaultOrgResult = getConfigValueOrUndef('defaultOrg')\n if (defaultOrgResult) {\n debugFn('notice', 'use: default org', defaultOrgResult)\n return { ok: true, data: defaultOrgResult }\n }\n\n // Lazily access constants.ENV.SOCKET_CLI_ORG_SLUG.\n const envOrgSlug = constants.ENV.SOCKET_CLI_ORG_SLUG\n if (envOrgSlug) {\n debugFn('notice', 'use: org from environment variable', envOrgSlug)\n return { ok: true, data: envOrgSlug }\n }\n\n const orgsCResult = await fetchOrganization()\n if (!orgsCResult.ok) {\n return orgsCResult\n }\n\n const { organizations } = orgsCResult.data\n const keys = Object.keys(organizations)\n if (!keys.length) {\n return {\n ok: false,\n message: 'Failed to establish identity',\n data: `API did not return any organization associated with the current API token. Unable to continue.`,\n }\n }\n\n const slug = (organizations as any)[keys[0]!]?.name ?? undefined\n if (!slug) {\n return {\n ok: false,\n message: 'Failed to establish identity',\n data: `Was unable to determine the default organization for the current API token. Unable to continue.`,\n }\n }\n\n debugFn('notice', 'resolve: org', slug)\n\n return {\n ok: true,\n message: 'Retrieved default org from server',\n data: slug,\n }\n}\n","import { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\nimport { isSpawnError, spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\nimport type { SpawnOptions } from '@socketsecurity/registry/lib/spawn'\n\nexport async function getBaseBranch(cwd = process.cwd()): Promise<string> {\n // Lazily access constants.ENV properties.\n const { GITHUB_BASE_REF, GITHUB_REF_NAME, GITHUB_REF_TYPE } = constants.ENV\n // 1. In a pull request, this is always the base branch.\n if (GITHUB_BASE_REF) {\n return GITHUB_BASE_REF\n }\n // 2. If it's a branch (not a tag), GITHUB_REF_TYPE should be 'branch'.\n if (GITHUB_REF_TYPE === 'branch' && GITHUB_REF_NAME) {\n return GITHUB_REF_NAME\n }\n // 3. Try to resolve the default remote branch using 'git remote show origin'.\n // This handles detached HEADs or workflows triggered by tags/releases.\n try {\n const originDetails = (\n await spawn('git', ['remote', 'show', 'origin'], { cwd })\n ).stdout\n\n const match = /(?<=HEAD branch: ).+/.exec(originDetails)\n if (match?.[0]) {\n return match[0].trim()\n }\n } catch {}\n // GitHub and GitLab default to branch name \"main\"\n // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch\n return 'main'\n}\n\nexport type RepoInfo = {\n owner: string\n repo: string\n}\n\nexport async function getRepoInfo(\n cwd = process.cwd(),\n): Promise<RepoInfo \| null> {\n let info = null\n try {\n const remoteUrl = (\n await spawn('git', ['remote', 'get-url', 'origin'], { cwd })\n ).stdout\n info = parseGitRemoteUrl(remoteUrl)\n if (!info) {\n debugFn('error', 'git: unmatched git remote URL format')\n debugDir('inspect', { remoteUrl })\n }\n } catch (e) {\n debugFn('error', 'caught: `git remote get-url origin` failed')\n debugDir('inspect', { error: e })\n }\n return info\n}\n\nexport async function getRepoName(cwd = process.cwd()): Promise<string \| null> {\n const repoInfo = await getRepoInfo(cwd)\n return repoInfo?.repo ?? null\n}\n\nexport async function getRepoOwner(\n cwd = process.cwd(),\n): Promise<string \| null> {\n const repoInfo = await getRepoInfo(cwd)\n return repoInfo?.owner ?? null\n}\n\nexport async function gitBranch(cwd = process.cwd()): Promise<string \| null> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n // Try symbolic-ref first which returns the branch name or fails in a\n // detached HEAD state.\n try {\n return (\n await spawn('git', ['symbolic-ref', '--short', 'HEAD'], stdioPipeOptions)\n ).stdout\n } catch {}\n // Fallback to using rev-parse to get the short commit hash in a\n // detached HEAD state.\n try {\n return (\n await spawn('git', ['rev-parse', '--short', 'HEAD'], stdioPipeOptions)\n ).stdout\n } catch {}\n return null\n}\n\nexport type GitCreateAndPushBranchOptions = {\n cwd?: string \| undefined\n email?: string \| undefined\n user?: string \| undefined\n}\n\nexport async function gitCleanFdx(cwd = process.cwd()): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = '`git clean -fdx`'\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['clean', '-fdx'], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitCheckoutBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git checkout ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['checkout', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitCreateBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n if (await gitLocalBranchExists(branch)) {\n return true\n }\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git branch ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['branch', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitPushBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git push --force --set-upstream origin ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn(\n 'git',\n ['push', '--force', '--set-upstream', 'origin', branch],\n stdioIgnoreOptions,\n )\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n if (isSpawnError(e) && e.code === 128) {\n debugFn(\n 'error',\n \"denied: token requires write permissions for 'contents' and 'pull-requests'\",\n )\n }\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitCommit(\n commitMsg: string,\n filepaths: string[],\n options?: GitCreateAndPushBranchOptions \| undefined,\n): Promise<boolean> {\n if (!filepaths.length) {\n debugFn('notice', `miss: no filepaths to add`)\n return false\n }\n const {\n cwd = process.cwd(),\n // Lazily access constants.ENV.SOCKET_CLI_GIT_USER_EMAIL.\n email = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL,\n // Lazily access constants.ENV.SOCKET_CLI_GIT_USER_NAME.\n user = constants.ENV.SOCKET_CLI_GIT_USER_NAME,\n } = { __proto__: null, ...options } as GitCreateAndPushBranchOptions\n\n await gitEnsureIdentity(user, email, cwd)\n\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedAddCmd = `\\`git add ${filepaths.join(' ')}\\``\n debugFn('stdio', `spawn: ${quotedAddCmd}`)\n try {\n await spawn('git', ['add', ...filepaths], stdioIgnoreOptions)\n } catch (e) {\n debugFn('error', `caught: ${quotedAddCmd} failed`)\n debugDir('inspect', { error: e })\n }\n\n const quotedCommitCmd = `\\`git commit -m ${commitMsg}\\``\n debugFn('stdio', `spawn: ${quotedCommitCmd}`)\n try {\n await spawn('git', ['commit', '-m', commitMsg], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCommitCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitDeleteBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git branch -D ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n // Will throw with exit code 1 if branch does not exist.\n await spawn('git', ['branch', '-D', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n return false\n}\n\nexport async function gitEnsureIdentity(\n name: string,\n email: string,\n cwd = process.cwd(),\n): Promise<void> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n const identEntries: Array<[string, string]> = [\n ['user.email', name],\n ['user.name', email],\n ]\n await Promise.all(\n identEntries.map(async ({ 0: prop, 1: value }) => {\n let configValue\n {\n const quotedCmd = `\\`git config --get ${prop}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n // Will throw with exit code 1 if the config property is not set.\n configValue = (\n await spawn('git', ['config', '--get', prop], stdioPipeOptions)\n ).stdout\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n }\n if (configValue !== value) {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git config ${prop} ${value}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['config', prop, value], stdioIgnoreOptions)\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n }\n }),\n )\n}\n\nexport async function gitLocalBranchExists(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git show-ref --quiet refs/heads/${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n // Will throw with exit code 1 if the branch does not exist.\n await spawn(\n 'git',\n ['show-ref', '--quiet', `refs/heads/${branch}`],\n stdioIgnoreOptions,\n )\n return true\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n return false\n}\n\nexport async function gitRemoteBranchExists(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n try {\n return (\n (\n await spawn(\n 'git',\n ['ls-remote', '--heads', 'origin', branch],\n stdioPipeOptions,\n )\n ).stdout.length > 0\n )\n } catch {}\n return false\n}\n\nexport async function gitResetAndClean(\n branch = 'HEAD',\n cwd = process.cwd(),\n): Promise<void> {\n // Discards tracked changes.\n await gitResetHard(branch, cwd)\n // Deletes all untracked files and directories.\n await gitCleanFdx(cwd)\n}\n\nexport async function gitResetHard(\n branch = 'HEAD',\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git reset --hard ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['reset', '--hard', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitUnstagedModifiedFiles(\n cwd = process.cwd(),\n): Promise<CResult<string[]>> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n const quotedCmd = `\\`git diff --name-only\\``\n try {\n const changedFilesDetails = (\n await spawn('git', ['diff', '--name-only'], stdioPipeOptions)\n ).stdout\n const relPaths = changedFilesDetails.split('\\n')\n return {\n ok: true,\n data: relPaths.map(p => normalizePath(p)),\n }\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n return {\n ok: false,\n message: 'Git Error',\n cause: 'Unexpected error while trying to ask git whether repo is dirty',\n }\n }\n}\n\nconst parsedGitRemoteUrlCache = new Map<string, RepoInfo \| null>()\n\nexport function parseGitRemoteUrl(remoteUrl: string): RepoInfo \| null {\n let result = parsedGitRemoteUrlCache.get(remoteUrl) ?? null\n if (result) {\n return { ...result }\n }\n // Handle SSH-style\n const sshMatch = /^git@[^:]+:([^/]+)\\/(.+?)(?:\\.git)?$/.exec(remoteUrl)\n // 1. Handle SSH-style, e.g. git@github.com:owner/repo.git\n if (sshMatch) {\n result = { owner: sshMatch[1]!, repo: sshMatch[2]! }\n } else {\n // 2. Handle HTTPS/URL-style, e.g. https://github.com/owner/repo.git\n try {\n const parsed = new URL(remoteUrl)\n // Remove leading slashes from pathname and split by \"/\" to extract segments.\n const segments = parsed.pathname.replace(/^\\/+/, '').split('/')\n // The second-to-last segment is expected to be the owner (e.g., \"owner\" in /owner/repo.git).\n const owner = segments.at(-2)\n // The last segment is expected to be the repo name, so we remove the \".git\" suffix if present.\n const repo = segments.at(-1)?.replace(/\\.git$/, '')\n if (owner && repo) {\n result = { owner, repo }\n }\n } catch {}\n }\n parsedGitRemoteUrlCache.set(remoteUrl, result)\n return result ? { ...result } : result\n}\n","import { PackageURL } from '@socketregistry/packageurl-js'\n\nimport type { PURL_Type, SocketArtifact } from './alert/artifact.mts'\n\nexport function getPurlObject(purl: string): PackageURL & { type: PURL_Type }\nexport function getPurlObject(\n purl: PackageURL,\n): PackageURL & { type: PURL_Type }\nexport function getPurlObject(\n purl: SocketArtifact,\n): SocketArtifact & { type: PURL_Type }\nexport function getPurlObject(\n purl: string \| PackageURL \| SocketArtifact,\n): (PackageURL \| SocketArtifact) & { type: PURL_Type }\nexport function getPurlObject(\n purl: string \| PackageURL \| SocketArtifact,\n): (PackageURL \| SocketArtifact) & { type: PURL_Type } {\n return typeof purl === 'string'\n ? (PackageURL.fromString(purl) as PackageURL & { type: PURL_Type })\n : (purl as (PackageURL \| SocketArtifact) & { type: PURL_Type })\n}\n","import constants from '../constants.mts'\nimport { getPurlObject } from './purl.mts'\n\nimport type { PURL_Type, SocketArtifact } from './alert/artifact.mts'\nimport type { PackageURL } from '@socketregistry/packageurl-js'\n\nconst { SOCKET_WEBSITE_URL } = constants\n\nexport function getPkgFullNameFromPurl(\n purl: string \| PackageURL \| SocketArtifact,\n): string {\n const purlObj = getPurlObject(purl)\n const { name, namespace } = purlObj\n return namespace\n ? `${namespace}${purlObj.type === 'maven' ? ':' : '/'}${name}`\n : name!\n}\n\nexport function getSocketDevAlertUrl(alertType: string): string {\n return `${SOCKET_WEBSITE_URL}/alerts/${alertType}`\n}\n\nexport function getSocketDevPackageOverviewUrlFromPurl(\n purl: string \| PackageURL \| SocketArtifact,\n): string {\n const purlObj = getPurlObject(purl)\n const fullName = getPkgFullNameFromPurl(purlObj)\n return getSocketDevPackageOverviewUrl(purlObj.type, fullName, purlObj.version)\n}\n\nexport function getSocketDevPackageOverviewUrl(\n ecosystem: PURL_Type,\n fullName: string,\n version?: string \| undefined,\n): string {\n const url = `${SOCKET_WEBSITE_URL}/${ecosystem}/package/${fullName}`\n return ecosystem === 'golang'\n ? `${url}${version ? `?section=overview&version=${version}` : ''}`\n : `${url}${version ? `/overview/${version}` : ''}`\n}\n","interface NestedRecord<T> {\n [key: string]: T \| NestedRecord<T>\n}\n\n/*\n Convert a Map<string, Map\|string> to a nested object of similar shape.\n * The goal is to serialize it with JSON.stringify, which Map can't do.\n /\nexport function mapToObject<T>(\n map: Map<string, T \| Map<string, T \| Map<string, T>>>,\n): NestedRecord<T> {\n return Object.fromEntries(\n Array.from(map.entries()).map(([k, v]) => [\n k,\n v instanceof Map ? mapToObject(v) : v,\n ]),\n )\n}\n","type NestedMap<T> = Map<string, T \| NestedMap<T>>\n\nexport function walkNestedMap<T>(\n map: NestedMap<T>,\n keys: string[] = [],\n): Generator<{ keys: string[]; value: T }> {\n for (const [key, value] of map.entries()) {\n if (value instanceof Map) {\n yield* walkNestedMap(value as NestedMap<T>, keys.concat(key))\n } else {\n yield { keys: keys.concat(key), value: value }\n }\n }\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\n\nimport which from 'which'\n\nimport { resolveBinPathSync } from '@socketsecurity/registry/lib/npm'\n\nimport constants from '../constants.mts'\nimport { safeStatsSync } from './fs.mts'\nimport {\n filterBySupportedScanFiles,\n globWithGitIgnore,\n pathsToGlobPatterns,\n} from './glob.mts'\n\nimport type { SocketYml } from '@socketsecurity/config'\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\n\nexport function findBinPathDetailsSync(binName: string): {\n name: string\n path: string \| undefined\n shadowed: boolean\n} {\n const binPaths =\n which.sync(binName, {\n all: true,\n nothrow: true,\n }) ?? []\n // Lazily access constants.shadowBinPath.\n const { shadowBinPath } = constants\n let shadowIndex = -1\n let theBinPath: string \| undefined\n for (let i = 0, { length } = binPaths; i < length; i += 1) {\n const binPath = binPaths[i]!\n // Skip our bin directory if it's in the front.\n if (path.dirname(binPath) === shadowBinPath) {\n shadowIndex = i\n } else {\n theBinPath = resolveBinPathSync(binPath)\n break\n }\n }\n return { name: binName, path: theBinPath, shadowed: shadowIndex !== -1 }\n}\n\nexport function findNpmPathSync(npmBinPath: string): string \| undefined {\n // Lazily access constants.WIN32.\n const { WIN32 } = constants\n let thePath = npmBinPath\n while (true) {\n const libNmNpmPath = path.join(thePath, 'lib/node_modules/npm')\n // mise puts its npm bin in a path like:\n // /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/bin/npm.\n // HOWEVER, the location of the npm install is:\n // /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/lib/node_modules/npm.\n if (\n // Use existsSync here because statsSync, even with { throwIfNoEntry: false },\n // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.\n // See https://github.com/nodejs/node/issues/56993.\n existsSync(libNmNpmPath) &&\n safeStatsSync(libNmNpmPath)?.isDirectory()\n ) {\n thePath = path.join(libNmNpmPath, 'npm')\n }\n const nmPath = path.join(thePath, 'node_modules')\n if (\n // npm bin paths may look like:\n // /usr/local/share/npm/bin/npm\n // /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm\n // C:\\Users\\SomeUsername\\AppData\\Roaming\\npm\\bin\\npm.cmd\n // OR\n // C:\\Program Files\\nodejs\\npm.cmd\n //\n // In practically all cases the npm path contains a node_modules folder:\n // /usr/local/share/npm/bin/npm/node_modules\n // C:\\Program Files\\nodejs\\node_modules\n existsSync(nmPath) &&\n safeStatsSync(nmPath)?.isDirectory() &&\n // Optimistically look for the default location.\n (path.basename(thePath) === 'npm' \|\|\n // Chocolatey installs npm bins in the same directory as node bins.\n (WIN32 && existsSync(path.join(thePath, 'npm.cmd'))))\n ) {\n return thePath\n }\n const parent = path.dirname(thePath)\n if (parent === thePath) {\n return undefined\n }\n thePath = parent\n }\n}\n\nexport type PackageFilesForScanOptions = {\n cwd?: string \| undefined\n config?: SocketYml \| undefined\n}\n\nexport async function getPackageFilesForScan(\n inputPaths: string[],\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n options?: PackageFilesForScanOptions \| undefined,\n): Promise<string[]> {\n const { config: socketConfig, cwd = process.cwd() } = {\n __proto__: null,\n ...options,\n } as PackageFilesForScanOptions\n\n const filepaths = await globWithGitIgnore(pathsToGlobPatterns(inputPaths), {\n cwd,\n socketConfig,\n })\n\n return filterBySupportedScanFiles(filepaths!, supportedFiles)\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\n\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport type { CResult } from '../types.mts'\n\nexport interface SocketJson {\n ' _____ _ _ ': string\n '\| __\|___ ___\| \|_ ___\| \|_ ': string\n \"\|__ \| . \| _\| '_\| -_\| _\| \": string\n '\|_____\|___\|___\|_,_\|___\|_\|.dev': string\n version: number\n\n defaults?: {\n manifest?: {\n conda?: {\n disabled?: boolean\n infile?: string\n outfile?: string\n stdin?: boolean\n stdout?: boolean\n target?: string\n verbose?: boolean\n }\n gradle?: {\n disabled?: boolean\n bin?: string\n gradleOpts?: string\n verbose?: boolean\n }\n sbt?: {\n disabled?: boolean\n infile?: string\n stdin?: boolean\n bin?: string\n outfile?: string\n sbtOpts?: string\n stdout?: boolean\n verbose?: boolean\n }\n }\n scan?: {\n create?: {\n autoManifest?: boolean\n repo?: string\n report?: boolean\n branch?: string\n }\n github?: {\n all?: boolean\n githubApiUrl?: string\n orgGithub?: string\n repos?: string\n }\n }\n }\n}\n\nexport async function readOrDefaultSocketJson(cwd: string) {\n const result = await readSocketJson(cwd, true)\n if (result.ok) {\n return result.data\n }\n // This should be unreachable but it makes TS happy\n return getDefaultSocketJson()\n}\n\nexport function getDefaultSocketJson(): SocketJson {\n return {\n ' _____ _ _ ':\n 'Local config file for Socket CLI tool ( https://npmjs.org/socket ), to work with https://socket.dev',\n '\| __\|___ ___\| \|_ ___\| \|_ ':\n ' The config in this file is used to set as defaults for flags or command args when using the CLI',\n \"\|__ \| . \| _\| '_\| -_\| _\| \":\n ' in this dir, often a repo root. You can choose commit or .ignore this file, both works.',\n '\|_____\|___\|___\|_,_\|___\|_\|.dev':\n 'Warning: This file may be overwritten without warning by `socket manifest setup` or other commands',\n version: 1,\n }\n}\n\nexport async function readSocketJson(\n cwd: string,\n defaultOnError = false,\n): Promise<CResult<SocketJson>> {\n const sockJsonPath = path.join(cwd, 'socket.json')\n if (!fs.existsSync(sockJsonPath)) {\n debugFn('notice', `miss: file not found ${sockJsonPath}`)\n return { ok: true, data: getDefaultSocketJson() }\n }\n\n let json = null\n try {\n json = await fs.promises.readFile(sockJsonPath, 'utf8')\n } catch (e) {\n debugDir('inspect', { error: e })\n\n if (defaultOnError) {\n logger.warn('Warning: failed to read file, using default')\n return { ok: true, data: getDefaultSocketJson() }\n }\n const msg = (e as { message: string })?.message \|\| '(none)'\n return {\n ok: false,\n message: 'Failed to read file',\n cause: `An error was thrown while trying to read your socket.json: ${msg}`,\n }\n }\n\n let obj\n try {\n obj = JSON.parse(json)\n } catch {\n debugFn('error', 'fail: parse JSON')\n debugDir('inspect', { json })\n\n if (defaultOnError) {\n logger.warn('Warning: failed to parse file, using default')\n return { ok: true, data: getDefaultSocketJson() }\n }\n\n return {\n ok: false,\n message: 'Failed to parse socket.json',\n cause: 'socket.json does not contain valid JSON, please verify',\n }\n }\n\n if (!obj) {\n logger.warn('Warning: file contents was empty, using default')\n return { ok: true, data: getDefaultSocketJson() }\n }\n\n // Do we really care to validate? All properties are optional so code will have\n // to check every step of the way regardless. Who cares about validation here...?\n\n return { ok: true, data: obj }\n}\n\nexport async function writeSocketJson(\n cwd: string,\n sockJson: SocketJson,\n): Promise<CResult<undefined>> {\n let json = ''\n try {\n json = JSON.stringify(sockJson, null, 2)\n } catch (e) {\n debugFn('error', 'fail: stringify JSON')\n debugDir('inspect', { error: e })\n debugDir('inspect', { sockJson })\n return {\n ok: false,\n message: 'Failed to serialize to JSON',\n cause:\n 'There was an unexpected problem converting the socket json object to a JSON string. Unable to store it.',\n }\n }\n\n const filepath = path.join(cwd, 'socket.json')\n await fs.promises.writeFile(filepath, json + '\\n', 'utf8')\n\n return { ok: true, data: undefined }\n}\n","const helpFlags = new Set(['--help', '-h'])\n\nexport function cmdFlagsToString(args: string[]) {\n const result = []\n for (let i = 0, { length } = args; i < length; i += 1) {\n if (args[i]!.startsWith('--')) {\n // Check if the next item exists and is NOT another flag.\n if (i + 1 < length && !args[i + 1]!.startsWith('--')) {\n result.push(`${args[i]}=${args[i + 1]}`)\n i += 1\n } else {\n result.push(args[i])\n }\n }\n }\n return result.join(' ')\n}\n\nexport function cmdFlagValueToArray(flagValue: any): string[] {\n if (typeof flagValue === 'string') {\n return flagValue.trim().split(/, /)\n }\n if (Array.isArray(flagValue)) {\n return flagValue.flatMap(v => v.split(/, /))\n }\n return []\n}\n\nexport function cmdPrefixMessage(cmdName: string, text: string): string {\n const cmdPrefix = cmdName ? `${cmdName}: ` : ''\n return `${cmdPrefix}${text}`\n}\n\nexport function isHelpFlag(cmdArg: string) {\n return helpFlags.has(cmdArg)\n}\n","import { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport constants from '../constants.mts'\nimport { getDefaultToken } from './sdk.mts'\nimport { getDefaultOrgSlug } from '../commands/ci/fetch-default-org-slug.mts'\n\nimport type { CResult } from '../types.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport async function spawnCoana(\n args: string[] \| readonly string[],\n options?: SpawnOptions \| undefined,\n extra?: SpawnExtra \| undefined,\n): Promise<CResult<unknown>> {\n const { env: spawnEnv } = { __proto__: null, ...options } as SpawnOptions\n const orgSlugCResult = await getDefaultOrgSlug()\n const SOCKET_CLI_API_TOKEN = getDefaultToken()\n const SOCKET_ORG_SLUG = orgSlugCResult.ok ? orgSlugCResult.data : undefined\n try {\n const output = await spawn(\n constants.execPath,\n [\n // Lazily access constants.nodeNoWarningsFlags.\n ...constants.nodeNoWarningsFlags,\n // Lazily access constants.nodeMemoryFlags.\n ...constants.nodeMemoryFlags,\n // Lazily access constants.coanaBinPath.\n constants.coanaBinPath,\n ...args,\n ],\n {\n ...options,\n env: {\n ...process.env,\n // Lazily access constants.processEnv.\n ...constants.processEnv,\n SOCKET_CLI_API_TOKEN,\n SOCKET_ORG_SLUG,\n ...spawnEnv,\n },\n },\n extra,\n )\n return { ok: true, data: output.stdout }\n } catch (e) {\n const stderr = (e as any)?.stderr\n const message = stderr ? stderr : (e as Error)?.message\n return { ok: false, data: e, message }\n }\n}\n","import { existsSync } from 'node:fs'\nimport Module from 'node:module'\nimport path from 'node:path'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants from '../constants.mts'\nimport { findBinPathDetailsSync, findNpmPathSync } from './path-resolve.mts'\n\nconst { NODE_MODULES, NPM, NPX, SOCKET_CLI_ISSUES_URL } = constants\n\nfunction exitWithBinPathError(binName: string): never {\n logger.fail(\n `Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`,\n )\n // The exit code 127 indicates that the command or binary being executed\n // could not be found.\n // eslint-disable-next-line n/no-process-exit\n process.exit(127)\n}\n\nlet _npmBinPath: string \| undefined\nexport function getNpmBinPath(): string {\n if (_npmBinPath === undefined) {\n _npmBinPath = getNpmBinPathDetails().path\n if (!_npmBinPath) {\n exitWithBinPathError(NPM)\n }\n }\n return _npmBinPath\n}\n\nlet _npmBinPathDetails: ReturnType<typeof findBinPathDetailsSync> \| undefined\nfunction getNpmBinPathDetails(): ReturnType<typeof findBinPathDetailsSync> {\n if (_npmBinPathDetails === undefined) {\n _npmBinPathDetails = findBinPathDetailsSync(NPM)\n }\n return _npmBinPathDetails\n}\n\nlet _npmPath: string \| undefined\nexport function getNpmPath() {\n if (_npmPath === undefined) {\n const npmBinPath = getNpmBinPath()\n _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined\n if (!_npmPath) {\n let message = 'Unable to find npm CLI install directory.'\n if (npmBinPath) {\n message += `\\nSearched parent directories of ${path.dirname(npmBinPath)}.`\n }\n message += `\\n\\nThis is may be a bug with socket-npm related to changes to the npm CLI.\\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`\n logger.fail(message)\n // The exit code 127 indicates that the command or binary being executed\n // could not be found.\n // eslint-disable-next-line n/no-process-exit\n process.exit(127)\n }\n }\n return _npmPath\n}\n\nlet _npmRequire: NodeJS.Require \| undefined\nexport function getNpmRequire(): NodeJS.Require {\n if (_npmRequire === undefined) {\n const npmPath = getNpmPath()\n const npmNmPath = path.join(npmPath, NODE_MODULES, NPM)\n _npmRequire = Module.createRequire(\n path.join(\n existsSync(npmNmPath) ? npmNmPath : npmPath,\n '<dummy-basename>',\n ),\n )\n }\n return _npmRequire\n}\n\nlet _npxBinPath: string \| undefined\nexport function getNpxBinPath(): string {\n if (_npxBinPath === undefined) {\n _npxBinPath = getNpxBinPathDetails().path\n if (!_npxBinPath) {\n exitWithBinPathError(NPX)\n }\n }\n return _npxBinPath\n}\n\nlet _npxBinPathDetails: ReturnType<typeof findBinPathDetailsSync> \| undefined\nfunction getNpxBinPathDetails(): ReturnType<typeof findBinPathDetailsSync> {\n if (_npxBinPathDetails === undefined) {\n _npxBinPathDetails = findBinPathDetailsSync(NPX)\n }\n return _npxBinPathDetails\n}\n\nexport function isNpmBinPathShadowed() {\n return getNpmBinPathDetails().shadowed\n}\n\nexport function isNpxBinPathShadowed() {\n return getNpxBinPathDetails().shadowed\n}\n","import constants from '../../constants.mts'\n\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { components, operations } from '@socketsecurity/sdk/types/api'\n\nexport type ALERT_ACTION = 'error' \| 'monitor' \| 'warn' \| 'ignore'\n\nexport type ALERT_TYPE = keyof NonNullable<\n operations['getOrgSecurityPolicy']['responses']['200']['content']['application/json']['securityPolicyRules']\n>\n\nexport type CVE_ALERT_TYPE = 'cve' \| 'mediumCVE' \| 'mildCVE' \| 'criticalCVE'\n\nexport type ArtifactAlertCve = Remap<\n Omit<CompactSocketArtifactAlert, 'type'> & {\n type: CVE_ALERT_TYPE\n }\n>\n\nexport type ArtifactAlertCveFixable = Remap<\n Omit<CompactSocketArtifactAlert, 'props' \| 'type'> & {\n type: CVE_ALERT_TYPE\n props: CveProps\n }\n>\n\nexport type ArtifactAlertUpgrade = Remap<\n Omit<CompactSocketArtifactAlert, 'type'> & {\n type: 'socketUpgradeAvailable'\n }\n>\n\nexport type CompactSocketArtifactAlert = Remap<\n Omit<SocketArtifactAlert, 'category' \| 'end' \| 'file' \| 'start'>\n>\n\nexport type CompactSocketArtifact = Remap<\n Omit<SocketArtifact, 'alerts' \| 'batchIndex' \| 'size'> & {\n alerts: CompactSocketArtifactAlert[]\n }\n>\n\nexport type CveProps = {\n firstPatchedVersionIdentifier?: string\n vulnerableVersionRange: string\n [key: string]: any\n}\n\nexport type PURL_Type = components['schemas']['SocketPURL_Type']\n\nexport type SocketArtifact = Remap<\n Omit<components['schemas']['SocketArtifact'], 'alerts'> & {\n alerts?: SocketArtifactAlert[]\n }\n>\n\nexport type SocketArtifactAlert = Remap<\n Omit<components['schemas']['SocketAlert'], 'action' \| 'props' \| 'type'> & {\n type: ALERT_TYPE\n action?: 'error' \| 'monitor' \| 'warn' \| 'ignore'\n props?: any \| undefined\n }\n>\n\nconst {\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n} = constants\n\nexport function isArtifactAlertCve(\n alert: CompactSocketArtifactAlert,\n): alert is ArtifactAlertCve {\n const { type } = alert\n return (\n type === ALERT_TYPE_CVE \|\|\n type === ALERT_TYPE_MEDIUM_CVE \|\|\n type === ALERT_TYPE_MILD_CVE \|\|\n type === ALERT_TYPE_CRITICAL_CVE\n )\n}\n","export function createEnum<const T extends Record<string, any>>(\n obj: T,\n): Readonly<T> {\n return Object.freeze({ __proto__: null, ...obj }) as any\n}\n\nexport function pick<T extends Record<string, any>, K extends keyof T>(\n input: T,\n keys: K[] \| readonly K[],\n): Pick<T, K> {\n const result: Partial<Pick<T, K>> = {}\n for (const key of keys) {\n result[key] = input[key]\n }\n return result as Pick<T, K>\n}\n","import { createEnum } from '../objects.mts'\n\nexport const ALERT_FIX_TYPE = createEnum({\n cve: 'cve',\n remove: 'remove',\n upgrade: 'upgrade',\n})\n","import { createEnum, pick } from '../objects.mts'\nimport { stringJoinWithSeparateFinalSeparator } from '../strings.mts'\n\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\n\nexport const ALERT_SEVERITY = createEnum({\n critical: 'critical',\n high: 'high',\n middle: 'middle',\n low: 'low',\n})\n\nexport type SocketSdkAlertList =\n SocketSdkSuccessResult<'getIssuesByNPMPackage'>['data']\n\nexport type SocketSdkAlert = SocketSdkAlertList[number]['value'] extends\n \| infer U\n \| undefined\n ? U\n : never\n\n// Ordered from most severe to least.\nexport const ALERT_SEVERITIES_SORTED: ReadonlyArray<\n SocketSdkAlert['severity']\n> = Object.freeze(['critical', 'high', 'middle', 'low'])\n\nfunction getDesiredSeverities(\n lowestToInclude: SocketSdkAlert['severity'] \| undefined,\n): Array<SocketSdkAlert['severity']> {\n const result: Array<SocketSdkAlert['severity']> = []\n for (const severity of ALERT_SEVERITIES_SORTED) {\n result.push(severity)\n if (severity === lowestToInclude) {\n break\n }\n }\n return result\n}\n\nexport function formatSeverityCount(\n severityCount: Record<SocketSdkAlert['severity'], number>,\n): string {\n const summary: string[] = []\n for (const severity of ALERT_SEVERITIES_SORTED) {\n if (severityCount[severity]) {\n summary.push(`${severityCount[severity]} ${severity}`)\n }\n }\n return stringJoinWithSeparateFinalSeparator(summary)\n}\n\nexport function getSeverityCount(\n issues: SocketSdkAlertList,\n lowestToInclude: SocketSdkAlert['severity'] \| undefined,\n): Record<SocketSdkAlert['severity'], number> {\n const severityCount = pick(\n { low: 0, middle: 0, high: 0, critical: 0 },\n getDesiredSeverities(lowestToInclude),\n ) as Record<SocketSdkAlert['severity'], number>\n\n for (const issue of issues) {\n const { value } = issue\n if (!value) {\n continue\n }\n const { severity } = value\n if (severityCount[severity] !== undefined) {\n severityCount[severity] += 1\n }\n }\n return severityCount\n}\n","import terminalLink from 'terminal-link'\nimport colors from 'yoctocolors-cjs'\n\nimport indentString from '@socketregistry/indent-string/index.cjs'\n\nexport class ColorOrMarkdown {\n public useMarkdown: boolean\n\n constructor(useMarkdown: boolean) {\n this.useMarkdown = !!useMarkdown\n }\n\n bold(text: string): string {\n return this.useMarkdown ? `${text}` : colors.bold(`${text}`)\n }\n\n header(text: string, level = 1): string {\n return this.useMarkdown\n ? `\\n${''.padStart(level, '#')} ${text}\\n`\n : colors.underline(`\\n${level === 1 ? colors.bold(text) : text}\\n`)\n }\n\n hyperlink(\n text: string,\n url: string \| undefined,\n {\n fallback = true,\n fallbackToUrl,\n }: {\n fallback?: boolean \| undefined\n fallbackToUrl?: boolean \| undefined\n } = {},\n ) {\n if (url) {\n return this.useMarkdown\n ? `[${text}](${url})`\n : terminalLink(text, url, {\n fallback: fallbackToUrl ? (_text, url) => url : fallback,\n })\n }\n return text\n }\n\n indent(\n ...args: Parameters<typeof indentString>\n ): ReturnType<typeof indentString> {\n return indentString(...args)\n }\n\n italic(text: string): string {\n return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`)\n }\n\n json(value: any): string {\n return this.useMarkdown\n ? '```json\\n' + JSON.stringify(value) + '\\n```'\n : JSON.stringify(value)\n }\n\n list(items: string[]): string {\n const indentedContent = items.map(item => this.indent(item).trimStart())\n return this.useMarkdown\n ? `* ${indentedContent.join('\\n* ')}\\n`\n : `${indentedContent.join('\\n')}\\n`\n }\n}\n","import semver from 'semver'\n\nimport type { SemVer } from 'semver'\n\nexport const RangeStyles = [\n 'caret',\n 'gt',\n 'gte',\n 'lt',\n 'lte',\n 'pin',\n 'preserve',\n 'tilde',\n]\n\nexport type RangeStyle =\n \| 'caret'\n \| 'gt'\n \| 'gte'\n \| 'lt'\n \| 'lte'\n \| 'pin'\n \| 'preserve'\n \| 'tilde'\n\nexport type { SemVer }\n\nexport function applyRange(\n refRange: string,\n version: string,\n style: RangeStyle = 'preserve',\n): string {\n switch (style) {\n case 'caret':\n return `^${version}`\n case 'gt':\n return `>${version}`\n case 'gte':\n return `>=${version}`\n case 'lt':\n return `<${version}`\n case 'lte':\n return `<=${version}`\n case 'preserve': {\n const range = new semver.Range(refRange)\n const { raw } = range\n const comparators = range.set.flat()\n const { length } = comparators\n if (length === 1) {\n const char = /^[<>]=?/.exec(raw)?.[0]\n if (char) {\n return `${char}${version}`\n }\n } else if (length === 2) {\n const char = /^[~^]/.exec(raw)?.[0]\n if (char) {\n return `${char}${version}`\n }\n }\n return version\n }\n case 'tilde':\n return `~${version}`\n case 'pin':\n default:\n return version\n }\n}\n\nexport function getMajor(version: unknown): number \| null {\n try {\n const coerced = semver.coerce(version as string)\n return coerced ? semver.major(coerced) : null\n } catch {}\n return null\n}\n\nexport function getMinVersion(range: unknown): SemVer \| null {\n try {\n return semver.minVersion(range as string)\n } catch {}\n return null\n}\n","import { createRequire } from 'node:module'\nimport path from 'node:path'\n\nimport constants from '../constants.mts'\n\nconst require = createRequire(import.meta.url)\n\nlet _translations: typeof import('../../translations.json') \| undefined\n\nexport function getTranslations() {\n if (_translations === undefined) {\n _translations = /@__PURE__/ require(\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'translations.json'),\n )\n }\n return _translations!\n}\n","import semver from 'semver'\nimport colors from 'yoctocolors-cjs'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\nimport { getManifestData } from '@socketsecurity/registry'\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { hasOwn } from '@socketsecurity/registry/lib/objects'\nimport { resolvePackageName } from '@socketsecurity/registry/lib/packages'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport { isArtifactAlertCve } from './alert/artifact.mts'\nimport { ALERT_FIX_TYPE } from './alert/fix.mts'\nimport { ALERT_SEVERITY } from './alert/severity.mts'\nimport { ColorOrMarkdown } from './color-or-markdown.mts'\nimport { findSocketYmlSync } from './config.mts'\nimport { createEnum } from './objects.mts'\nimport { getPurlObject } from './purl.mts'\nimport { getMajor } from './semver.mts'\nimport { getSocketDevPackageOverviewUrl } from './socket-url.mts'\nimport { getTranslations } from './translations.mts'\n\nimport type {\n ALERT_ACTION,\n ALERT_TYPE,\n CompactSocketArtifact,\n CompactSocketArtifactAlert,\n CveProps,\n PURL_Type,\n} from './alert/artifact.mts'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nexport const ALERT_SEVERITY_COLOR = createEnum({\n critical: 'magenta',\n high: 'red',\n middle: 'yellow',\n low: 'white',\n})\n\nexport const ALERT_SEVERITY_ORDER = createEnum({\n critical: 0,\n high: 1,\n middle: 2,\n low: 3,\n none: 4,\n})\n\nexport type SocketPackageAlert = {\n name: string\n version: string\n key: string\n type: string\n blocked: boolean\n critical: boolean\n ecosystem: PURL_Type\n fixable: boolean\n raw: CompactSocketArtifactAlert\n upgradable: boolean\n}\n\nexport type AlertsByPurl = Map<string, SocketPackageAlert[]>\n\nconst MIN_ABOVE_THE_FOLD_COUNT = 3\n\nconst MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1\n\nconst format = new ColorOrMarkdown(false)\n\nexport type RiskCounts = {\n critical: number\n high: number\n middle: number\n low: number\n}\n\nfunction getHiddenRiskCounts(hiddenAlerts: SocketPackageAlert[]): RiskCounts {\n const riskCounts = {\n critical: 0,\n high: 0,\n middle: 0,\n low: 0,\n }\n for (const alert of hiddenAlerts) {\n switch (getAlertSeverityOrder(alert)) {\n case ALERT_SEVERITY_ORDER.critical:\n riskCounts.critical += 1\n break\n case ALERT_SEVERITY_ORDER.high:\n riskCounts.high += 1\n break\n case ALERT_SEVERITY_ORDER.middle:\n riskCounts.middle += 1\n break\n case ALERT_SEVERITY_ORDER.low:\n riskCounts.low += 1\n break\n }\n }\n return riskCounts\n}\n\nfunction getHiddenRisksDescription(riskCounts: RiskCounts): string {\n const descriptions: string[] = []\n if (riskCounts.critical) {\n descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`)\n }\n if (riskCounts.high) {\n descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`)\n }\n if (riskCounts.middle) {\n descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`)\n }\n if (riskCounts.low) {\n descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`)\n }\n return `(${descriptions.join('; ')})`\n}\n\nexport type AlertIncludeFilter = {\n actions?: ALERT_ACTION[] \| undefined\n blocked?: boolean \| undefined\n critical?: boolean \| undefined\n cve?: boolean \| undefined\n existing?: boolean \| undefined\n unfixable?: boolean \| undefined\n upgradable?: boolean \| undefined\n}\n\nexport type AddArtifactToAlertsMapOptions = {\n consolidate?: boolean \| undefined\n include?: AlertIncludeFilter \| undefined\n overrides?: { [key: string]: string } \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function addArtifactToAlertsMap<T extends AlertsByPurl>(\n artifact: CompactSocketArtifact,\n alertsByPurl: T,\n options?: AddArtifactToAlertsMapOptions \| undefined,\n): Promise<T> {\n // Make TypeScript happy.\n if (!artifact.name \|\| !artifact.version \|\| !artifact.alerts?.length) {\n return alertsByPurl\n }\n const {\n consolidate = false,\n include: _include,\n overrides,\n } = {\n __proto__: null,\n ...options,\n } as AddArtifactToAlertsMapOptions\n\n const socketYml = findSocketYmlSync()\n const localRules = socketYml?.parsed.issueRules\n\n const include = {\n __proto__: null,\n actions: localRules ? undefined : 'error,monitor,warn',\n blocked: true,\n critical: true,\n cve: true,\n existing: false,\n unfixable: true,\n upgradable: false,\n ..._include,\n } as AlertIncludeFilter\n\n const name = resolvePackageName(\n artifact as {\n name: string\n namespace?: string \| undefined\n },\n )\n const { type: ecosystem, version } = artifact\n const enabledState = {\n __proto__: null,\n ...localRules,\n } as Partial<Record<ALERT_TYPE, boolean>>\n let sockPkgAlerts: SocketPackageAlert[] = []\n for (const alert of artifact.alerts) {\n const action = alert.action ?? ''\n const enabledFlag = enabledState[alert.type]\n if (\n (action === 'ignore' && enabledFlag !== true) \|\|\n enabledFlag === false\n ) {\n continue\n }\n const blocked = action === 'error'\n const critical = alert.severity === ALERT_SEVERITY.critical\n const cve = isArtifactAlertCve(alert)\n const fixType = alert.fix?.type ?? ''\n const fixableCve = fixType === ALERT_FIX_TYPE.cve\n const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade\n const fixable = fixableCve \|\| fixableUpgrade\n const upgradable = fixableUpgrade && !hasOwn(overrides, name)\n if (\n (include.blocked && blocked) \|\|\n (include.critical && critical) \|\|\n (include.cve && cve) \|\|\n (include.unfixable && !fixable) \|\|\n (include.upgradable && upgradable)\n ) {\n sockPkgAlerts.push({\n name,\n version,\n key: alert.key,\n type: alert.type,\n blocked,\n critical,\n ecosystem,\n fixable,\n raw: alert,\n upgradable,\n })\n }\n }\n if (!sockPkgAlerts.length) {\n return alertsByPurl\n }\n const purl = `pkg:${ecosystem}/${name}@${version}`\n const major = getMajor(version)!\n if (consolidate) {\n type HighestVersionByMajor = Map<\n number,\n { alert: SocketPackageAlert; version: string }\n >\n const highestForCve: HighestVersionByMajor = new Map()\n const highestForUpgrade: HighestVersionByMajor = new Map()\n const unfixableAlerts: SocketPackageAlert[] = []\n for (const sockPkgAlert of sockPkgAlerts) {\n const alert = sockPkgAlert.raw\n const fixType = alert.fix?.type ?? ''\n if (fixType === ALERT_FIX_TYPE.cve) {\n // An alert with alert.fix.type of 'cve' should have a\n // alert.props.firstPatchedVersionIdentifier property value.\n // We're just being cautious.\n const firstPatchedVersionIdentifier = (alert.props as CveProps)\n ?.firstPatchedVersionIdentifier\n const patchedMajor = firstPatchedVersionIdentifier\n ? getMajor(firstPatchedVersionIdentifier)\n : null\n if (typeof patchedMajor === 'number') {\n // Consolidate to the highest \"first patched version\" by each major\n // version number.\n const highest = highestForCve.get(patchedMajor)?.version ?? '0.0.0'\n if (semver.gt(firstPatchedVersionIdentifier!, highest)) {\n highestForCve.set(patchedMajor, {\n alert: sockPkgAlert,\n version: firstPatchedVersionIdentifier!,\n })\n }\n } else {\n unfixableAlerts.push(sockPkgAlert)\n }\n } else if (fixType === ALERT_FIX_TYPE.upgrade) {\n // For Socket Optimize upgrades we assume the highest version available\n // is compatible. This may change in the future.\n const highest = highestForUpgrade.get(major)?.version ?? '0.0.0'\n if (semver.gt(version, highest)) {\n highestForUpgrade.set(major, { alert: sockPkgAlert, version })\n }\n } else {\n unfixableAlerts.push(sockPkgAlert)\n }\n }\n sockPkgAlerts = [\n // Sort CVE alerts by severity: critical, high, middle, then low.\n ...Array.from(highestForCve.values())\n .map(d => d.alert)\n .sort(alertSeverityComparator),\n ...Array.from(highestForUpgrade.values()).map(d => d.alert),\n ...unfixableAlerts,\n ]\n } else {\n sockPkgAlerts.sort((a, b) => naturalCompare(a.type, b.type))\n }\n if (sockPkgAlerts.length) {\n alertsByPurl.set(purl, sockPkgAlerts)\n }\n return alertsByPurl\n}\n\nexport function alertsHaveBlocked(alerts: SocketPackageAlert[]): boolean {\n return alerts.find(a => a.blocked) !== undefined\n}\n\nexport function alertsHaveSeverity(\n alerts: SocketPackageAlert[],\n severity: `${keyof typeof ALERT_SEVERITY}`,\n): boolean {\n return alerts.find(a => a.raw.severity === severity) !== undefined\n}\n\nexport function alertSeverityComparator(\n a: SocketPackageAlert,\n b: SocketPackageAlert,\n): number {\n // Put the most severe first.\n return getAlertSeverityOrder(a) - getAlertSeverityOrder(b)\n}\n\nexport function getAlertSeverityOrder(alert: SocketPackageAlert): number {\n // The more severe, the lower the sort number.\n const { severity } = alert.raw\n return severity === ALERT_SEVERITY.critical\n ? 0\n : severity === ALERT_SEVERITY.high\n ? 1\n : severity === ALERT_SEVERITY.middle\n ? 2\n : severity === ALERT_SEVERITY.low\n ? 3\n : 4\n}\n\nexport function getAlertsSeverityOrder(alerts: SocketPackageAlert[]): number {\n return alertsHaveBlocked(alerts) \|\|\n alertsHaveSeverity(alerts, ALERT_SEVERITY.critical)\n ? 0\n : alertsHaveSeverity(alerts, ALERT_SEVERITY.high)\n ? 1\n : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle)\n ? 2\n : alertsHaveSeverity(alerts, ALERT_SEVERITY.low)\n ? 3\n : 4\n}\n\nexport type CveExcludeFilter = {\n upgradable?: boolean \| undefined\n}\n\nexport type CveInfoByAlertKey = Map<\n string,\n {\n firstPatchedVersionIdentifier: string\n vulnerableVersionRange: string\n }\n>\n\nexport type CveInfoByPartialPurl = Map<string, CveInfoByAlertKey>\n\nexport type GetCveInfoByPackageOptions = {\n exclude?: CveExcludeFilter \| undefined\n}\n\nexport function getCveInfoFromAlertsMap(\n alertsMap: AlertsByPurl,\n options?: GetCveInfoByPackageOptions \| undefined,\n): CveInfoByPartialPurl \| null {\n const { exclude: exclude_ } = {\n __proto__: null,\n ...options,\n } as GetCveInfoByPackageOptions\n const exclude = {\n __proto__: null,\n ...exclude_,\n } as CveExcludeFilter\n\n let infoByPartialPurl: CveInfoByPartialPurl \| null = null\n // eslint-disable-next-line no-unused-labels\n alertsMapLoop: for (const { 0: purl, 1: sockPkgAlerts } of alertsMap) {\n const purlObj = getPurlObject(purl)\n const partialPurl = new PackageURL(\n purlObj.type,\n purlObj.namespace,\n purlObj.name,\n ).toString()\n const name = resolvePackageName(purlObj)\n sockPkgAlertsLoop: for (const sockPkgAlert of sockPkgAlerts) {\n const alert = sockPkgAlert.raw\n if (\n alert.fix?.type !== ALERT_FIX_TYPE.cve \|\|\n (exclude.upgradable &&\n getManifestData(sockPkgAlert.ecosystem as any, name))\n ) {\n continue sockPkgAlertsLoop\n }\n if (!infoByPartialPurl) {\n infoByPartialPurl = new Map()\n }\n let infos = infoByPartialPurl.get(partialPurl)\n if (!infos) {\n infos = new Map()\n infoByPartialPurl.set(partialPurl, infos)\n }\n const { key } = alert\n if (!infos.has(key)) {\n // An alert with alert.fix.type of 'cve' should have a\n // alert.props.firstPatchedVersionIdentifier property value.\n // We're just being cautious.\n const firstPatchedVersionIdentifier = (alert.props as CveProps)\n ?.firstPatchedVersionIdentifier\n const vulnerableVersionRange = (alert.props as CveProps)\n ?.vulnerableVersionRange\n let error: unknown\n if (firstPatchedVersionIdentifier && vulnerableVersionRange) {\n try {\n infos.set(key, {\n firstPatchedVersionIdentifier,\n vulnerableVersionRange: new semver.Range(\n // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that\n // semver.Range will parse it without erroring.\n vulnerableVersionRange\n .replace(/, +/g, ' ')\n .replace(/; +/g, ' \|\| '),\n ).format(),\n })\n continue sockPkgAlertsLoop\n } catch (e) {\n error = e\n }\n }\n\n debugFn('error', 'fail: invalid SocketPackageAlert')\n debugDir('inspect', { alert })\n\n if (error) {\n debugDir('inspect', { error: (error as Error).message ?? error })\n }\n }\n }\n }\n return infoByPartialPurl\n}\n\nexport function getSeverityLabel(\n severity: `${keyof typeof ALERT_SEVERITY}`,\n): string {\n return severity === 'middle' ? 'moderate' : severity\n}\n\nexport type LogAlertsMapOptions = {\n hideAt?: `${keyof typeof ALERT_SEVERITY}` \| 'none' \| undefined\n output?: NodeJS.WriteStream \| undefined\n}\n\nexport function logAlertsMap(\n alertsMap: AlertsByPurl,\n options: LogAlertsMapOptions,\n) {\n const { hideAt = 'middle', output = process.stderr } = {\n __proto__: null,\n ...options,\n } as LogAlertsMapOptions\n\n const translations = getTranslations()\n const sortedEntries = Array.from(alertsMap.entries()).sort(\n (a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1]),\n )\n\n const aboveTheFoldPurls = new Set<string>()\n const viewableAlertsByPurl = new Map<string, SocketPackageAlert[]>()\n const hiddenAlertsByPurl = new Map<string, SocketPackageAlert[]>()\n\n for (let i = 0, { length } = sortedEntries; i < length; i += 1) {\n const { 0: purl, 1: alerts } = sortedEntries[i]!\n const hiddenAlerts: typeof alerts = []\n const viewableAlerts = alerts.filter(a => {\n const keep =\n a.blocked \|\| getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt]\n if (!keep) {\n hiddenAlerts.push(a)\n }\n return keep\n })\n if (hiddenAlerts.length) {\n hiddenAlertsByPurl.set(purl, hiddenAlerts.sort(alertSeverityComparator))\n }\n if (!viewableAlerts.length) {\n continue\n }\n viewableAlerts.sort(alertSeverityComparator)\n viewableAlertsByPurl.set(purl, viewableAlerts)\n if (\n viewableAlerts.find(\n (a: SocketPackageAlert) =>\n a.blocked \|\| getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle,\n )\n ) {\n aboveTheFoldPurls.add(purl)\n }\n }\n\n // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.\n for (const { 0: purl } of viewableAlertsByPurl.entries()) {\n if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {\n break\n }\n aboveTheFoldPurls.add(purl)\n }\n // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.\n for (const { 0: purl, 1: hiddenAlerts } of hiddenAlertsByPurl.entries()) {\n if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {\n break\n }\n aboveTheFoldPurls.add(purl)\n const viewableAlerts = viewableAlertsByPurl.get(purl) ?? []\n if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {\n const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length\n let removedHiddenAlerts: SocketPackageAlert[] \| undefined\n if (hiddenAlerts.length - neededCount > 0) {\n removedHiddenAlerts = hiddenAlerts.splice(\n 0,\n MIN_ABOVE_THE_FOLD_ALERT_COUNT,\n )\n } else {\n removedHiddenAlerts = hiddenAlerts\n hiddenAlertsByPurl.delete(purl)\n }\n viewableAlertsByPurl.set(purl, [\n ...viewableAlerts,\n ...removedHiddenAlerts,\n ])\n }\n }\n\n const mentionedPurlsWithHiddenAlerts = new Set<string>()\n for (\n let i = 0,\n prevAboveTheFold = true,\n entries = Array.from(viewableAlertsByPurl.entries()),\n { length } = entries;\n i < length;\n i += 1\n ) {\n const { 0: purl, 1: alerts } = entries[i]!\n const lines = new Set<string>()\n for (const alert of alerts) {\n const { type } = alert\n const severity = alert.raw.severity ?? ''\n const attributes = [\n ...(severity\n ? [colors[ALERT_SEVERITY_COLOR[severity]](getSeverityLabel(severity))]\n : []),\n ...(alert.blocked ? [colors.bold(colors.red('blocked'))] : []),\n ...(alert.fixable ? ['fixable'] : []),\n ]\n const maybeAttributes = attributes.length\n ? ` ${colors.italic(`(${attributes.join('; ')})`)}`\n : ''\n // Based data from { pageProps: { alertTypes } } of:\n // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json\n const info = (translations.alerts as any)[type]\n const title = info?.title ?? type\n const maybeDesc = info?.description ? ` - ${info.description}` : ''\n const content = `${title}${maybeAttributes}${maybeDesc}`\n // TODO: emoji seems to mis-align terminals sometimes\n lines.add(` ${content}`)\n }\n const purlObj = getPurlObject(purl)\n const pkgName = resolvePackageName(purlObj)\n const hyperlink = format.hyperlink(\n pkgName,\n getSocketDevPackageOverviewUrl(purlObj.type, pkgName, purlObj.version),\n )\n const isAboveTheFold = aboveTheFoldPurls.has(purl)\n if (isAboveTheFold) {\n aboveTheFoldPurls.add(purl)\n output.write(`${i ? '\\n' : ''}${hyperlink}:\\n`)\n } else {\n output.write(`${prevAboveTheFold ? '\\n' : ''}${hyperlink}:\\n`)\n }\n for (const line of lines) {\n output.write(`${line}\\n`)\n }\n const hiddenAlerts = hiddenAlertsByPurl.get(purl) ?? []\n const { length: hiddenAlertsCount } = hiddenAlerts\n if (hiddenAlertsCount) {\n mentionedPurlsWithHiddenAlerts.add(purl)\n if (hiddenAlertsCount === 1) {\n output.write(\n ` ${colors.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0]!.raw.severity ?? 'low')} risk alert`)}\\n`,\n )\n } else {\n output.write(\n ` ${colors.dim(`+${hiddenAlertsCount} Hidden alerts ${colors.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\\n`,\n )\n }\n }\n prevAboveTheFold = isAboveTheFold\n }\n\n const additionalHiddenCount =\n hiddenAlertsByPurl.size - mentionedPurlsWithHiddenAlerts.size\n if (additionalHiddenCount) {\n const totalRiskCounts = {\n critical: 0,\n high: 0,\n middle: 0,\n low: 0,\n }\n for (const { 0: purl, 1: alerts } of hiddenAlertsByPurl.entries()) {\n if (mentionedPurlsWithHiddenAlerts.has(purl)) {\n continue\n }\n const riskCounts = getHiddenRiskCounts(alerts)\n totalRiskCounts.critical += riskCounts.critical\n totalRiskCounts.high += riskCounts.high\n totalRiskCounts.middle += riskCounts.middle\n totalRiskCounts.low += riskCounts.low\n }\n output.write(\n `${aboveTheFoldPurls.size ? '\\n' : ''}${colors.dim(`${aboveTheFoldPurls.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${colors.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\\n`,\n )\n }\n output.write('\\n')\n}\n","import semver from 'semver'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\n\nimport { stripPnpmPeerSuffix } from './pnpm.mts'\n\nexport function idToNpmPurl(id: string): string {\n return `pkg:npm/${id}`\n}\n\nexport function idToPurl(id: string, type: string): string {\n return `pkg:${type}/${id}`\n}\n\nexport function resolvePackageVersion(purlObj: PackageURL): string {\n const { version } = purlObj\n if (!version) {\n return ''\n }\n const { type } = purlObj\n return (\n semver.coerce(type === 'npm' ? stripPnpmPeerSuffix(version) : version)\n ?.version ?? ''\n )\n}\n","import { existsSync } from 'node:fs'\n\nimport yaml from 'js-yaml'\nimport semver from 'semver'\n\nimport { isObjectObject } from '@socketsecurity/registry/lib/objects'\nimport { stripBom } from '@socketsecurity/registry/lib/strings'\n\nimport { readFileUtf8 } from './fs.mts'\nimport { idToNpmPurl } from './spec.mts'\n\nimport type { LockfileObject, PackageSnapshot } from '@pnpm/lockfile.fs'\nimport type { SemVer } from 'semver'\n\nexport function extractOverridesFromPnpmLockSrc(lockfileContent: any): string {\n let match\n if (typeof lockfileContent === 'string') {\n match = /^overrides:(?:\\r?\\n {2}.+)+(?:\\r?\\n)/m.exec(lockfileContent)?.[0]\n }\n return match ?? ''\n}\n\nexport async function extractPurlsFromPnpmLockfile(\n lockfile: LockfileObject,\n): Promise<string[]> {\n const packages = lockfile?.packages ?? {}\n const seen = new Set<string>()\n const visit = (pkgPath: string) => {\n if (seen.has(pkgPath)) {\n return\n }\n const pkg = (packages as any)[pkgPath] as PackageSnapshot\n if (!pkg) {\n return\n }\n seen.add(pkgPath)\n const deps: { [name: string]: string } = {\n __proto__: null,\n ...pkg.dependencies,\n ...pkg.optionalDependencies,\n ...(pkg as any).devDependencies,\n }\n for (const depName in deps) {\n const ref = deps[depName]!\n const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`\n visit(subKey)\n }\n }\n for (const pkgPath of Object.keys(packages)) {\n visit(pkgPath)\n }\n return Array.from(seen).map(p =>\n idToNpmPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))),\n )\n}\n\nexport function isPnpmDepPath(maybeDepPath: string): boolean {\n return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47 /'/'/\n}\n\nexport function parsePnpmLockfile(\n lockfileContent: unknown,\n): LockfileObject \| null {\n let result\n if (typeof lockfileContent === 'string') {\n try {\n result = yaml.load(stripBom(lockfileContent))\n } catch {}\n }\n return isObjectObject(result) ? (result as LockfileObject) : null\n}\n\nexport function parsePnpmLockfileVersion(version: unknown): SemVer \| null {\n try {\n return semver.coerce(version as string)\n } catch {}\n return null\n}\n\nexport async function readPnpmLockfile(\n lockfilePath: string,\n): Promise<string \| null> {\n return existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : null\n}\n\nexport function stripLeadingPnpmDepPathSlash(depPath: string): string {\n return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath\n}\n\nexport function stripPnpmPeerSuffix(depPath: string): string {\n const parenIndex = depPath.indexOf('(')\n const index = parenIndex === -1 ? depPath.indexOf('_') : parenIndex\n return index === -1 ? depPath : depPath.slice(0, index)\n}\n","import { arrayUnique } from '@socketsecurity/registry/lib/arrays'\nimport { debugDir } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport { extractPurlsFromPnpmLockfile } from './pnpm.mts'\nimport { getPublicToken, setupSdk } from './sdk.mts'\nimport { addArtifactToAlertsMap } from './socket-package-alert.mts'\n\nimport type { CompactSocketArtifact } from './alert/artifact.mts'\nimport type {\n AlertIncludeFilter,\n AlertsByPurl,\n} from './socket-package-alert.mts'\nimport type { LockfileObject } from '@pnpm/lockfile.fs'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nexport type GetAlertsMapFromPnpmLockfileOptions = {\n consolidate?: boolean \| undefined\n include?: AlertIncludeFilter \| undefined\n overrides?: { [key: string]: string } \| undefined\n nothrow?: boolean \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function getAlertsMapFromPnpmLockfile(\n lockfile: LockfileObject,\n options?: GetAlertsMapFromPnpmLockfileOptions \| undefined,\n): Promise<AlertsByPurl> {\n const purls = await extractPurlsFromPnpmLockfile(lockfile)\n return await getAlertsMapFromPurls(purls, {\n overrides: lockfile.overrides,\n ...options,\n })\n}\n\nexport type GetAlertsMapFromPurlsOptions = {\n consolidate?: boolean \| undefined\n include?: AlertIncludeFilter \| undefined\n overrides?: { [key: string]: string } \| undefined\n nothrow?: boolean \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function getAlertsMapFromPurls(\n purls: string[] \| readonly string[],\n options?: GetAlertsMapFromPurlsOptions \| undefined,\n): Promise<AlertsByPurl> {\n const opts = {\n __proto__: null,\n consolidate: false,\n include: undefined,\n nothrow: false,\n ...options,\n } as GetAlertsMapFromPurlsOptions\n\n opts.include = {\n __proto__: null,\n // Leave 'actions' unassigned so it can be given a default value in\n // subsequent functions where `options` is passed.\n // actions: undefined,\n blocked: true,\n critical: true,\n cve: true,\n existing: false,\n unfixable: true,\n upgradable: false,\n ...opts.include,\n } as AlertIncludeFilter\n\n const uniqPurls = arrayUnique(purls)\n debugDir('silly', { purls: uniqPurls })\n\n let { length: remaining } = uniqPurls\n const alertsByPurl: AlertsByPurl = new Map()\n\n if (!remaining) {\n return alertsByPurl\n }\n\n const { spinner } = opts\n const getText = () => `Looking up data for ${remaining} packages`\n\n spinner?.start(getText())\n\n const sockSdkCResult = await setupSdk({ apiToken: getPublicToken() })\n if (!sockSdkCResult.ok) {\n spinner?.stop()\n throw new Error('Auth error: Try to run `socket login` first')\n }\n const sockSdk = sockSdkCResult.data\n\n const alertsMapOptions = {\n overrides: opts.overrides,\n consolidate: opts.consolidate,\n include: opts.include,\n spinner,\n }\n\n for await (const batchResult of sockSdk.batchPackageStream(\n {\n components: uniqPurls.map(purl => ({ purl })),\n },\n {\n queryParams: {\n alerts: 'true',\n compact: 'true',\n ...(opts.include.actions\n ? { actions: opts.include.actions.join(',') }\n : {}),\n ...(opts.include.unfixable ? {} : { fixable: 'true' }),\n },\n },\n )) {\n if (batchResult.success) {\n await addArtifactToAlertsMap(\n batchResult.data as CompactSocketArtifact,\n alertsByPurl,\n alertsMapOptions,\n )\n } else if (!opts.nothrow) {\n const statusCode = batchResult.status ?? 'unknown'\n const statusMessage = batchResult.error ?? 'No status message'\n throw new Error(\n `Socket API server error (${statusCode}): ${statusMessage}`,\n )\n } else {\n spinner?.stop()\n logger.fail(\n `Received a ${batchResult.status} response from Socket API which we consider a permanent failure:`,\n batchResult.error,\n batchResult.cause ? `( ${batchResult.cause} )` : '',\n )\n debugDir('inspect', { batchResult })\n break\n }\n remaining -= 1\n if (remaining > 0) {\n spinner?.start(getText())\n }\n }\n\n spinner?.stop()\n\n return alertsByPurl\n}\n","import npmPackageArg from 'npm-package-arg'\n\nexport type {\n AliasResult,\n FileResult,\n HostedGit,\n HostedGitResult,\n RegistryResult,\n Result,\n URLResult,\n} from 'npm-package-arg'\n\nexport function npa(\n ...args: Parameters<typeof npmPackageArg>\n): ReturnType<typeof npmPackageArg> \| null {\n try {\n return Reflect.apply(npmPackageArg, undefined, args)\n } catch {}\n return null\n}\n","import { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n isNpmAuditFlag,\n isNpmFundFlag,\n isNpmLoglevelFlag,\n isNpmProgressFlag,\n resolveBinPathSync,\n} from '@socketsecurity/registry/lib/npm'\nimport { isObject } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport constants from '../../constants.mts'\nimport { getNpmBinPath } from '../../utils/npm-paths.mts'\n\nimport type { SpawnResult } from '@socketsecurity/registry/lib/spawn'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nconst {\n NPM,\n SOCKET_CLI_SAFE_BIN,\n SOCKET_CLI_SAFE_PROGRESS,\n SOCKET_IPC_HANDSHAKE,\n} = constants\n\ntype SpawnOption = Exclude<Parameters<typeof spawn>[2], undefined>\n\nexport type SafeNpmInstallOptions = SpawnOption & {\n agentExecPath?: string \| undefined\n args?: string[] \| readonly string[] \| undefined\n ipc?: object \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport function safeNpmInstall(\n options?: SafeNpmInstallOptions,\n): SpawnResult<string, Record<any, any> \| undefined> {\n const {\n agentExecPath = getNpmBinPath(),\n args = [],\n ipc,\n spinner,\n ...spawnOptions\n } = { __proto__: null, ...options } as SafeNpmInstallOptions\n let stdio = spawnOptions.stdio\n const useIpc = isObject(ipc)\n // Include 'ipc' in the spawnOptions.stdio when an options.ipc object is provided.\n // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166\n // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.\n if (typeof stdio === 'string') {\n stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio]\n } else if (useIpc && Array.isArray(stdio) && !stdio.includes('ipc')) {\n stdio = stdio.concat('ipc')\n }\n const useDebug = isDebug('stdio')\n const terminatorPos = args.indexOf('--')\n const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n const binArgs = rawBinArgs.filter(\n a => !isNpmAuditFlag(a) && !isNpmFundFlag(a) && !isNpmProgressFlag(a),\n )\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : []\n const spawnPromise = spawn(\n // Lazily access constants.execPath.\n constants.execPath,\n [\n // Lazily access constants.nodeNoWarningsFlags.\n ...constants.nodeNoWarningsFlags,\n // Lazily access constants.nodeHardenFlags.\n ...constants.nodeHardenFlags,\n // Lazily access constants.nodeMemoryFlags.\n ...constants.nodeMemoryFlags,\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.\n ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n ? [\n '--require',\n // Lazily access constants.instrumentWithSentryPath.\n constants.instrumentWithSentryPath,\n ]\n : []),\n '--require',\n // Lazily access constants.shadowNpmInjectPath.\n constants.shadowNpmInjectPath,\n resolveBinPathSync(agentExecPath),\n 'install',\n // Avoid code paths for 'audit' and 'fund'.\n '--no-audit',\n '--no-fund',\n // Add '--no-progress' to fix input being swallowed by the npm spinner.\n '--no-progress',\n // Add '--loglevel=silent' if a loglevel flag is not provided and the\n // SOCKET_CLI_DEBUG environment variable is not truthy.\n ...logLevelArgs,\n ...binArgs,\n ...otherArgs,\n ],\n {\n spinner,\n ...spawnOptions,\n stdio,\n env: {\n ...process.env,\n // Lazily access constants.processEnv.\n ...constants.processEnv,\n ...spawnOptions.env,\n },\n },\n )\n if (useIpc) {\n spawnPromise.process.send({\n [SOCKET_IPC_HANDSHAKE]: {\n [SOCKET_CLI_SAFE_BIN]: NPM,\n [SOCKET_CLI_SAFE_PROGRESS]: progressArg,\n ...ipc,\n },\n })\n }\n return spawnPromise\n}\n","import { spawn } from '@socketsecurity/registry/lib/spawn'\nimport { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nimport constants from '../constants.mts'\nimport { cmdFlagsToString } from './cmd.mts'\nimport { safeNpmInstall } from '../shadow/npm/install.mts'\n\nimport type { EnvDetails } from './package-environment.mts'\n\nconst { NPM, PNPM } = constants\n\ntype SpawnOption = Exclude<Parameters<typeof spawn>[2], undefined>\n\nexport type AgentInstallOptions = SpawnOption & {\n args?: string[] \| readonly string[] \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport type AgentSpawnResult = ReturnType<typeof spawn>\n\nexport function runAgentInstall(\n pkgEnvDetails: EnvDetails,\n options?: AgentInstallOptions \| undefined,\n): AgentSpawnResult {\n const { agent, agentExecPath } = pkgEnvDetails\n // All package managers support the \"install\" command.\n if (agent === NPM) {\n return safeNpmInstall({\n agentExecPath,\n ...options,\n })\n }\n const {\n args = [],\n spinner,\n ...spawnOptions\n } = { __proto__: null, ...options } as AgentInstallOptions\n const skipNodeHardenFlags =\n agent === PNPM && pkgEnvDetails.agentVersion.major < 11\n return spawn(agentExecPath, ['install', ...args], {\n // Lazily access constants.WIN32.\n shell: constants.WIN32,\n spinner,\n stdio: 'inherit',\n ...spawnOptions,\n env: {\n ...process.env,\n // Lazily access constants.processEnv.\n ...constants.processEnv,\n NODE_OPTIONS: cmdFlagsToString([\n ...(skipNodeHardenFlags\n ? []\n : // Lazily access constants.nodeHardenFlags.\n constants.nodeHardenFlags),\n // Lazily access constants.nodeNoWarningsFlags.\n ...constants.nodeNoWarningsFlags,\n ]),\n ...spawnOptions.env,\n },\n })\n}\n","import NpmConfig from '@npmcli/config'\nimport {\n definitions as npmConfigDefinitions,\n flatten as npmConfigFlatten,\n shorthands as npmConfigShorthands,\n // @ts-ignore: TypeScript types unavailable.\n} from '@npmcli/config/lib/definitions'\n\nimport { getNpmPath } from './npm-paths.mts'\n\nimport type { ArboristOptions } from '../shadow/npm/arborist/types.mts'\nimport type { SemVer } from 'semver'\n\nexport type NpmConfigOptions = {\n cwd?: string \| undefined\n env?: NodeJS.ProcessEnv \| undefined\n execPath?: string \| undefined\n nodeVersion?: string \| undefined\n npmCommand?: string \| undefined\n npmPath?: string \| undefined\n npmVersion?: SemVer \| string \| undefined\n platform?: NodeJS.Platform \| undefined\n}\n\nexport async function getNpmConfig(\n options?: NpmConfigOptions \| undefined,\n): Promise<ArboristOptions> {\n const {\n cwd = process.cwd(),\n env = process.env,\n execPath = process.execPath,\n nodeVersion = process.version,\n npmCommand = 'install',\n npmPath = getNpmPath(),\n npmVersion,\n platform = process.platform,\n } = { __proto__: null, ...options } as NpmConfigOptions\n const config = new NpmConfig({\n argv: [],\n cwd,\n definitions: npmConfigDefinitions,\n execPath,\n env: { ...env },\n flatten: npmConfigFlatten,\n npmPath,\n platform,\n shorthands: npmConfigShorthands,\n })\n await config.load()\n const flatConfig = { __proto__: null, ...config.flat } as ArboristOptions\n\n if (nodeVersion) {\n flatConfig.nodeVersion = nodeVersion\n }\n if (npmCommand) {\n flatConfig.npmCommand = npmCommand\n }\n if (npmVersion) {\n flatConfig.npmVersion = npmVersion.toString()\n }\n return flatConfig\n}\n","import { existsSync } from 'node:fs'\n\nimport { readFileUtf8 } from './fs.mts'\n\nexport async function readLockfile(\n lockfilePath: string,\n): Promise<string \| null> {\n return existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : null\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\n\nimport browserslist from 'browserslist'\nimport semver from 'semver'\nimport which from 'which'\n\nimport { parse as parseBunLockb } from '@socketregistry/hyrious__bun.lockb/index.cjs'\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { Logger } from '@socketsecurity/registry/lib/logger'\nimport { readPackageJson } from '@socketsecurity/registry/lib/packages'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport { cmdPrefixMessage } from './cmd.mts'\nimport { findUp, readFileBinary, readFileUtf8 } from './fs.mts'\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'\nimport type { SemVer } from 'semver'\n\nconst {\n BINARY_LOCK_EXT,\n BUN,\n HIDDEN_PACKAGE_LOCK_JSON,\n LOCK_EXT,\n NPM,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n PACKAGE_JSON,\n PNPM,\n VLT,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n} = constants\n\nexport const AGENTS = [BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT] as const\n\nconst binByAgent = new Map<Agent, string>([\n [BUN, BUN],\n [NPM, NPM],\n [PNPM, PNPM],\n [YARN_BERRY, YARN],\n [YARN_CLASSIC, YARN],\n [VLT, VLT],\n])\n\nexport type Agent = (typeof AGENTS)[number]\n\nexport type EnvBase = {\n agent: Agent\n agentExecPath: string\n agentSupported: boolean\n features: {\n // Fixed by https://github.com/npm/cli/pull/8089.\n // Landed in npm v11.2.0.\n npmBuggyOverrides: boolean\n }\n nodeSupported: boolean\n nodeVersion: SemVer\n npmExecPath: string\n pkgRequirements: {\n agent: string\n node: string\n }\n pkgSupports: {\n agent: boolean\n node: boolean\n }\n}\n\nexport type EnvDetails = Readonly<\n Remap<\n EnvBase & {\n agentVersion: SemVer\n editablePkgJson: EditablePackageJson\n lockName: string\n lockPath: string\n lockSrc: string\n pkgPath: string\n }\n >\n>\n\nexport type DetectAndValidateOptions = {\n cmdName?: string \| undefined\n logger?: Logger \| undefined\n prod?: boolean \| undefined\n}\n\nexport type DetectOptions = {\n cwd?: string \| undefined\n onUnknown?: (pkgManager: string \| undefined) => void\n}\n\nexport type PartialEnvDetails = Readonly<\n Remap<\n EnvBase & {\n agentVersion: SemVer \| undefined\n editablePkgJson: EditablePackageJson \| undefined\n lockName: string \| undefined\n lockPath: string \| undefined\n lockSrc: string \| undefined\n pkgPath: string \| undefined\n }\n >\n>\n\nexport type ReadLockFile =\n \| ((lockPath: string) => Promise<string \| undefined>)\n \| ((lockPath: string, agentExecPath: string) => Promise<string \| undefined>)\n \| ((\n lockPath: string,\n agentExecPath: string,\n cwd: string,\n ) => Promise<string \| undefined>)\n\nconst readLockFileByAgent: Map<Agent, ReadLockFile> = (() => {\n function wrapReader<T extends (...args: any[]) => Promise<any>>(\n reader: T,\n ): (...args: Parameters<T>) => Promise<Awaited<ReturnType<T>> \| undefined> {\n return async (...args: any[]): Promise<any> => {\n try {\n return await reader(...args)\n } catch {}\n return undefined\n }\n }\n\n const binaryReader = wrapReader(readFileBinary)\n\n const defaultReader = wrapReader(\n async (lockPath: string) => await readFileUtf8(lockPath),\n )\n\n return new Map([\n [\n BUN,\n wrapReader(\n async (\n lockPath: string,\n agentExecPath: string,\n cwd = process.cwd(),\n ) => {\n const ext = path.extname(lockPath)\n if (ext === LOCK_EXT) {\n return await defaultReader(lockPath)\n }\n if (ext === BINARY_LOCK_EXT) {\n const lockBuffer = await binaryReader(lockPath)\n if (lockBuffer) {\n try {\n return parseBunLockb(lockBuffer)\n } catch {}\n }\n // To print a Yarn lockfile to your console without writing it to disk\n // use `bun bun.lockb`.\n // https://bun.sh/guides/install/yarnlock\n return (\n await spawn(agentExecPath, [lockPath], {\n cwd,\n // Lazily access constants.WIN32.\n shell: constants.WIN32,\n })\n ).stdout\n }\n return undefined\n },\n ),\n ],\n [NPM, defaultReader],\n [PNPM, defaultReader],\n [VLT, defaultReader],\n [YARN_BERRY, defaultReader],\n [YARN_CLASSIC, defaultReader],\n ])\n})()\n\n// The order of LOCKS properties IS significant as it affects iteration order.\nconst LOCKS: Record<string, Agent> = {\n [`bun${LOCK_EXT}`]: BUN,\n [`bun${BINARY_LOCK_EXT}`]: BUN,\n // If both package-lock.json and npm-shrinkwrap.json are present in the root\n // of a project, npm-shrinkwrap.json will take precedence and package-lock.json\n // will be ignored.\n // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson\n 'npm-shrinkwrap.json': NPM,\n 'package-lock.json': NPM,\n 'pnpm-lock.yaml': PNPM,\n 'pnpm-lock.yml': PNPM,\n [`yarn${LOCK_EXT}`]: YARN_CLASSIC,\n 'vlt-lock.json': VLT,\n // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:\n // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles\n //\n // Unlike the other LOCKS keys this key contains a directory AND filename so\n // it has to be handled differently.\n 'node_modules/.package-lock.json': NPM,\n}\n\nasync function getAgentExecPath(agent: Agent): Promise<string> {\n const binName = binByAgent.get(agent)!\n if (binName === NPM) {\n // Lazily access constants.npmExecPath.\n return constants.npmExecPath\n }\n return (await which(binName, { nothrow: true })) ?? binName\n}\n\nasync function getAgentVersion(\n agentExecPath: string,\n cwd: string,\n): Promise<SemVer \| undefined> {\n let result\n try {\n result =\n // Coerce version output into a valid semver version by passing it through\n // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),\n // and tildes (~).\n semver.coerce(\n // All package managers support the \"--version\" flag.\n\n (\n await spawn(agentExecPath, ['--version'], {\n cwd,\n // Lazily access constants.WIN32.\n shell: constants.WIN32,\n })\n ).stdout,\n ) ?? undefined\n } catch (e) {\n debugFn('error', 'caught: unexpected error')\n debugDir('inspect', { error: e })\n }\n return result\n}\n\nexport async function detectPackageEnvironment({\n cwd = process.cwd(),\n onUnknown,\n}: DetectOptions = {}): Promise<EnvDetails \| PartialEnvDetails> {\n let lockPath = await findUp(Object.keys(LOCKS), { cwd })\n let lockName = lockPath ? path.basename(lockPath) : undefined\n const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON\n const pkgJsonPath = lockPath\n ? path.resolve(\n lockPath,\n `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`,\n )\n : await findUp(PACKAGE_JSON, { cwd })\n const pkgPath =\n pkgJsonPath && existsSync(pkgJsonPath)\n ? path.dirname(pkgJsonPath)\n : undefined\n const editablePkgJson = pkgPath\n ? await readPackageJson(pkgPath, { editable: true })\n : undefined\n // Read Corepack `packageManager` field in package.json:\n // https://nodejs.org/api/packages.html#packagemanager\n const pkgManager = isNonEmptyString(editablePkgJson?.content?.packageManager)\n ? editablePkgJson.content.packageManager\n : undefined\n\n let agent: Agent \| undefined\n if (pkgManager) {\n // A valid \"packageManager\" field value is \"<package manager name>@<version>\".\n // https://nodejs.org/api/packages.html#packagemanager\n const atSignIndex = pkgManager.lastIndexOf('@')\n if (atSignIndex !== -1) {\n const name = pkgManager.slice(0, atSignIndex) as Agent\n const version = pkgManager.slice(atSignIndex + 1)\n if (version && AGENTS.includes(name)) {\n agent = name\n }\n }\n }\n if (\n agent === undefined &&\n !isHiddenLockFile &&\n typeof pkgJsonPath === 'string' &&\n typeof lockName === 'string'\n ) {\n agent = LOCKS[lockName] as Agent\n }\n if (agent === undefined) {\n agent = NPM\n onUnknown?.(pkgManager)\n }\n const agentExecPath = await getAgentExecPath(agent)\n const agentVersion = await getAgentVersion(agentExecPath, cwd)\n if (agent === YARN_CLASSIC && (agentVersion?.major ?? 0) > 1) {\n agent = YARN_BERRY\n }\n // Lazily access constants.maintainedNodeVersions.\n const { maintainedNodeVersions } = constants\n // Lazily access constants.minimumVersionByAgent.\n const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent)!\n const minSupportedNodeMajor = semver.major(maintainedNodeVersions.last)\n const minSupportedNodeVersion = `${minSupportedNodeMajor}.0.0`\n const minSupportedNodeRange = `>=${minSupportedNodeMajor}`\n const nodeVersion = semver.coerce(process.version)!\n let lockSrc: string \| undefined\n let pkgAgentRange: string \| undefined\n let pkgNodeRange: string \| undefined\n let pkgMinAgentVersion = minSupportedAgentVersion\n let pkgMinNodeVersion = minSupportedNodeVersion\n if (editablePkgJson?.content) {\n const { engines } = editablePkgJson.content\n const engineAgentRange = engines?.[agent]\n const engineNodeRange = engines?.['node']\n if (isNonEmptyString(engineAgentRange)) {\n pkgAgentRange = engineAgentRange\n // Roughly check agent range as semver.coerce will strip leading\n // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).\n const coerced = semver.coerce(pkgAgentRange)\n if (coerced && semver.lt(coerced, pkgMinAgentVersion)) {\n pkgMinAgentVersion = coerced.version\n }\n }\n if (isNonEmptyString(engineNodeRange)) {\n pkgNodeRange = engineNodeRange\n // Roughly check Node range as semver.coerce will strip leading\n // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).\n const coerced = semver.coerce(pkgNodeRange)\n if (coerced && semver.lt(coerced, pkgMinNodeVersion)) {\n pkgMinNodeVersion = coerced.version\n }\n }\n const browserslistQuery = editablePkgJson.content['browserslist'] as\n \| string[]\n \| undefined\n if (Array.isArray(browserslistQuery)) {\n // List Node targets in ascending version order.\n const browserslistNodeTargets = browserslist(browserslistQuery)\n .filter(v => /^node /i.test(v))\n .map(v => v.slice(5 /'node '.length*/))\n .sort(naturalCompare)\n if (browserslistNodeTargets.length) {\n // browserslistNodeTargets[0] is the lowest Node target version.\n const coerced = semver.coerce(browserslistNodeTargets[0])\n if (coerced && semver.lt(coerced, pkgMinNodeVersion)) {\n pkgMinNodeVersion = coerced.version\n }\n }\n }\n lockSrc =\n typeof lockPath === 'string'\n ? await readLockFileByAgent.get(agent)!(lockPath, agentExecPath, cwd)\n : undefined\n } else {\n lockName = undefined\n lockPath = undefined\n }\n\n // Does the system agent version meet our minimum supported agent version?\n const agentSupported =\n !!agentVersion &&\n semver.satisfies(agentVersion, `>=${minSupportedAgentVersion}`)\n // Does the system Node version meet our minimum supported Node version?\n const nodeSupported = semver.satisfies(nodeVersion, minSupportedNodeRange)\n\n const npmExecPath =\n agent === NPM ? agentExecPath : await getAgentExecPath(NPM)\n const npmBuggyOverrides =\n agent === NPM &&\n !!agentVersion &&\n semver.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION)\n\n const pkgMinAgentRange = `>=${pkgMinAgentVersion}`\n const pkgMinNodeRange = `>=${semver.major(pkgMinNodeVersion)}`\n\n return {\n agent,\n agentExecPath,\n agentSupported,\n agentVersion,\n editablePkgJson,\n features: { npmBuggyOverrides },\n lockName,\n lockPath,\n lockSrc,\n nodeSupported,\n nodeVersion,\n npmExecPath,\n pkgPath,\n pkgRequirements: {\n agent: pkgAgentRange ?? pkgMinAgentRange,\n node: pkgNodeRange ?? pkgMinNodeRange,\n },\n pkgSupports: {\n // Does our minimum supported agent version meet the package's requirements?\n agent: semver.satisfies(minSupportedAgentVersion, pkgMinAgentRange),\n // Does our supported Node versions meet the package's requirements?\n node: maintainedNodeVersions.some(v =>\n semver.satisfies(v, pkgMinNodeRange),\n ),\n },\n }\n}\n\nexport async function detectAndValidatePackageEnvironment(\n cwd: string,\n options?: DetectAndValidateOptions \| undefined,\n): Promise<CResult<EnvDetails>> {\n const {\n cmdName = '',\n logger,\n prod,\n } = {\n __proto__: null,\n ...options,\n } as DetectAndValidateOptions\n const details = await detectPackageEnvironment({\n cwd,\n onUnknown(pkgManager: string \| undefined) {\n logger?.warn(\n cmdPrefixMessage(\n cmdName,\n `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`,\n ),\n )\n },\n })\n const { agent, nodeVersion, pkgRequirements } = details\n const agentVersion = details.agentVersion ?? 'unknown'\n if (!details.agentSupported) {\n const minVersion = constants.minimumVersionByAgent.get(agent)!\n return {\n ok: false,\n message: 'Version Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`,\n ),\n }\n }\n if (!details.nodeSupported) {\n const minVersion = constants.maintainedNodeVersions.last\n return {\n ok: false,\n message: 'Version Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`,\n ),\n }\n }\n if (!details.pkgSupports.agent) {\n return {\n ok: false,\n message: 'Engine Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Package engine \"${agent}\" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`,\n ),\n }\n }\n if (!details.pkgSupports.node) {\n return {\n ok: false,\n message: 'Version Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Package engine \"node\" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`,\n ),\n }\n }\n const lockName = details.lockName ?? 'lock file'\n if (details.lockName === undefined \|\| details.lockSrc === undefined) {\n return {\n ok: false,\n message: 'Missing Lock File',\n cause: cmdPrefixMessage(cmdName, `No ${lockName} found`),\n }\n }\n if (details.lockSrc.trim() === '') {\n return {\n ok: false,\n message: 'Empty Lock File',\n cause: cmdPrefixMessage(cmdName, `${lockName} is empty`),\n }\n }\n if (details.pkgPath === undefined) {\n return {\n ok: false,\n message: 'Missing package.json',\n cause: cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`),\n }\n }\n if (prod && (agent === BUN \|\| agent === YARN_BERRY)) {\n return {\n ok: false,\n message: 'Bad input',\n cause: cmdPrefixMessage(\n cmdName,\n `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`,\n ),\n }\n }\n if (\n details.lockPath &&\n path.relative(cwd, details.lockPath).startsWith('.')\n ) {\n // Note: In tests we return <redacted> because otherwise snapshots will fail.\n const { REDACTED } = constants\n // Lazily access constants.ENV.VITEST.\n const redacting = constants.ENV.VITEST\n logger?.warn(\n cmdPrefixMessage(\n cmdName,\n `Package ${lockName} found at ${redacting ? REDACTED : details.lockPath}`,\n ),\n )\n }\n return { ok: true, data: details as EnvDetails }\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\n\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\n\nexport const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion'\n\nexport function getCompletionSourcingCommand(): CResult<string> {\n // Note: this is exported to distPath in .config/rollup.dist.config.mjs\n const completionScriptExportPath = path.join(\n // Lazily access constants.distPath.\n constants.distPath,\n 'socket-completion.bash',\n )\n\n if (!fs.existsSync(completionScriptExportPath)) {\n return {\n ok: false,\n message: 'Tab Completion script not found',\n cause: `Expected to find completion script at \\`${completionScriptExportPath}\\` but it was not there`,\n }\n }\n\n return { ok: true, data: `source ${completionScriptExportPath}` }\n}\n\nexport function getBashrcDetails(targetCommandName: string): CResult<{\n completionCommand: string\n sourcingCommand: string\n toAddToBashrc: string\n targetName: string\n targetPath: string\n}> {\n const sourcingCommand = getCompletionSourcingCommand()\n if (!sourcingCommand.ok) {\n return sourcingCommand\n }\n\n // Lazily access constants.socketAppDataPath.\n const { socketAppDataPath } = constants\n if (!socketAppDataPath) {\n return {\n ok: false,\n message: 'Could not determine config directory',\n cause: 'Failed to get config path',\n }\n }\n\n // _socket_completion is the function defined in our completion bash script\n const completionCommand = `${COMPLETION_CMD_PREFIX} ${targetCommandName}`\n\n // Location of completion script in config after installing\n const completionScriptPath = path.join(\n path.dirname(socketAppDataPath),\n 'completion',\n 'socket-completion.bash',\n )\n\n const bashrcContent = `# Socket CLI completion for \"${targetCommandName}\"\nif [ -f \"${completionScriptPath}\" ]; then\n # Load the tab completion script\n source \"${completionScriptPath}\"\n # Tell bash to use this function for tab completion of this function\n ${completionCommand}\nfi\n`\n\n return {\n ok: true,\n data: {\n sourcingCommand: sourcingCommand.data,\n completionCommand,\n toAddToBashrc: bashrcContent,\n targetName: targetCommandName,\n targetPath: completionScriptPath,\n },\n }\n}\n"],"names":["workspacePatterns","throws","length","cwd","__proto__","absolute","expandDirectories","dot","ignore","onlyDirectories","force","recursive","retries","root","dir","encoding","throwIfNoEntry","socketAppDataPath","logger","updateConfigValue","mkdirSync","ok","data","yml","path","parsed","prevDir","exports","debugFn","message","cause","_readOnlyConfig","_cachedConfig","localConfig","wasDeleted","_pendingSave","writeFileSync","getSentry","constructor","_defaultToken","constants","apiProxy","agent","proxy","baseUrl","name","version","homepage","spinner","error","sdkResult","method","headers","Authorization","result","mw2","lines","cols","cws","body","msg","keyPrefix","indent","padName","commandOrAliasName","type","hidden","description","argv","allowUnknownFlags","booleanDefault","autoHelp","autoVersion","configOverrideResult","emitBanner","parentName","Object","commands","out","cli2","collectUnknownFlags","importMeta","cli","console","process","meow","REDACTED","numeric","style","sdkOptions","desc","organizations","choices","value","orgSlug","GITHUB_REF_TYPE","info","remoteUrl","stdio","email","user","configValue","owner","repo","parsedGitRemoteUrlCache","SOCKET_WEBSITE_URL","namespace","keys","all","nothrow","shadowBinPath","shadowIndex","theBinPath","WIN32","existsSync","thePath","config","socketConfig","obj","json","sockJson","i","env","SOCKET_CLI_ISSUES_URL","_npmBinPath","_npmBinPathDetails","_npxBinPath","_npxBinPathDetails","ALERT_TYPE_MILD_CVE","cve","remove","upgrade","critical","high","middle","low","header","hyperlink","fallback","fallbackToUrl","raw","none","descriptions","consolidate","include","overrides","actions","existing","upgradable","highestForCve","alert","unfixableAlerts","highestForUpgrade","sockPkgAlerts","alertsByPurl","severity","exclude","sockPkgAlertsLoop","infoByPartialPurl","infos","key","vulnerableVersionRange","hideAt","hiddenAlerts","viewableAlerts","viewableAlertsByPurl","aboveTheFoldPurls","removedHiddenAlerts","hiddenAlertsByPurl","output","mentionedPurlsWithHiddenAlerts","prevAboveTheFold","totalRiskCounts","seen","blocked","unfixable","purls","components","purl","queryParams","alerts","compact","fixable","batchResult","remaining","SOCKET_IPC_HANDSHAKE","args","spawnPromise","PNPM","agentExecPath","NODE_OPTIONS","npmCommand","definitions","flatten","shorthands","flatConfig","YARN_CLASSIC","semver","onUnknown","editable","maintainedNodeVersions","engines","pkgAgentRange","pkgNodeRange","lockName","lockPath","features","npmBuggyOverrides","pkgRequirements","pkgSupports","node","cmdName","prod","toAddToBashrc","targetName","targetPath"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA;AACE;AACA;AACA;AAAQ;AACR;AAAQ;AACR;AAAe;AACf;AAAe;AACf;AAAS;AACT;AAAoB;AACpB;AAAY;AACZ;AAAgB;AAChB;AACA;AACA;AAGF;AAEA;AAIE;;;AAMI;AACA;AACA;;AAEIA;;AAEF;AACE;AACF;AACF;AACF;AACF;AACEA;AAAkDC;;AAGpD;AACA;AAKF;AAEA;;;AAOE;AAAkBC;;;AAEhB;;AAQA;AACF;AACA;AACF;AAEA;AAKE;AACF;;AAEA;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACA;AACA;AAME;AACF;AACA;AACA;AAIA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;;;;AAQF;AAEA;;AACUA;AAAO;;AAEb;AACF;AACA;;;AAGA;AACA;AACA;;AAMA;AACA;;AAEF;AAEO;AAIL;AACA;AACF;AAEO;;;AAKH;AACA;;AAEA;AACF;AACA;AACF;AAMO;;AAKHC;;;AAGF;AAAMC;;;;AAGJC;;AAEAC;AACF;AACA;AACA;AAqBA;AACA;AACEF;AACAC;;AAEAE;AACAD;AACAE;;;;;AAMA;AACF;;AAEA;AACA;AACA;;AASF;AAEO;AACL;AACEH;;AAEAC;AACAG;AACF;AACF;AAEO;;;AAOCJ;;AAEAG;;AAGR;AAEO;AAIL;AACA;AACF;AAEO;AAGL;AACA;AACF;;ACxQO;AACL;;AAImBE;AAAaC;AAAgB;AAC5CC;AAAW;AAEjB;AAOO;AAGHT;AACA;;AAEa;AAEf;;AACQU;AAAK;;AAEb;AACE;;AAEI;AACF;;;AAGE;;AAEA;AACE;AACF;;AAEJ;AACAC;AACF;AACA;AACF;AASO;AAIL;AACE;;AAEA;AACAC;AACF;AACF;AAEO;AAIL;AACE;;AAEA;AACAA;AACF;AACF;AAOO;;AAKH;AACEA;AACA;;AAEA;AAAoCA;AAAkB;AACxD;;AAEF;AACF;AAOO;;;AAYDA;AACA;AAAoCA;AAAkB;AACxD;;AAEF;AACF;AA4BO;;;AAKyBC;;AAAkC;;AAEhE;AACF;;ACrJA;AAEA;AAmBA;AAGA;AAEA;;AAEI;;AAEA;;AACQC;AAAkB;AAC1B;AACE;AACA;;;AAME;AACEC;AACF;AACA;AACA;AACA;AACE;;AAEAC;AACF;AACF;AACEC;AAA6CT;AAAgB;AAC/D;AACF;AACF;AACA;AACF;AAEA;AAGE;AACA;AACA;AACA;AAEA;;AAEIU;;AAEAC;;AAEJ;;AACSD;AAAUC;;AACrB;AAEO;;;;AAIH;;;AAGEC;AACF;AACA;;;AAGMC;AACAC;;AAEJ;AACE;AACF;AACF;AACAC;;AAEF;AACA;AACF;AAEO;AAGL;AACA;AACA;AACE;AACF;;AACSL;AAAUC;;AACrB;;AAEA;AACA;AACO;AAGL;AACA;AACA;AACE;AACF;AACA;AACF;;AAEA;AACA;AACAK;AAEO;;AAEP;AAEO;;AAEP;AAEO;AACL;AACF;AAEO;AACL;AACF;AAEO;AACL;AACF;AAEA;AACA;AACA;AAEO;AACLC;AAEA;;;AAGE;AACE;AACA;;AAEEP;AACAQ;AACAC;;AAGJ;AACF;AACE;;AAEAC;;AAGEV;AACAQ;AACAC;;AAGJ;;AAEA;AACAE;AACAD;;AAEA;AACA;AACE;AACEb;AAGF;AACAc;;AAEF;;AAESX;AAAUC;;AACrB;AAEO;AACLM;AACA;AACAI;AACE;AACA;;;;AAEFD;AACF;AAEA;AACO;AAIL;AACA;AACA;AACE;AACF;AACA;AACA;AACA;;AAEE;AACEE;AACF;;AAEEC;AACF;AACF;;AAEIhB;AAGF;AACAe;AACF;AACA;;AAEIZ;;AAEAC;;AAEJ;;AAGEa;;AAEEA;AACA;;AACQlB;AAAkB;AAC1B;AACEmB;AAIF;AACF;AACF;;AAGEf;;AAEAC;;AAEJ;;AC/RA;;AAEE;AAA+De;AAAU;AAC3E;AAIO;AAEA;AAGLC;;;AAGA;AACF;AAEO;AAIL;AACA;;AAEA;AACF;AAEO;AAIL;;AAEE;AACF;AACAV;AACA;AACF;;AC1CO;;AAOL;AACA;AACF;;ACCA;AAEA;AAAQ1B;AAA4B;;AAEpC;AACA;AACE;AACE;;AAEF;AACF;;AAEA;AACA;AACE;AACE;;AAEF;AACF;AAEA;AACE;;AAEI;;AAEA;;AAEJ;AACA;AACF;;AAEA;AACA;AACO;AACL;AACA;AACEqC;AACF;AACE;AACE;;;AAKJ;AACA;AACF;AAEO;AACL;AACA;AAGF;AAEO;AACL;AACF;AAEO;;AAGH;;AAEA;AACAC;AAEJ;AAQO;AAGL;AAAepC;;;;;AACoB;;;AAI/ByB;AAEF;AACAU;AACF;;;AAIIlB;AACAQ;AACAC;;AAEJ;;AAEMW;AAAS;AACf;;AAEA;;;AAE4C;;;AAM1CpB;AACAC;AACEoB;AAAmCC;;AACnCC;;AAEE;AACAC;AACA;AACAC;AACA;AACAC;;;;AAIR;;ACjHA;AA4BO;;;AAISC;AAAQ;AACpB5C;;;AAIF;AACE4C;AACF;;AAEA;AAEA;;;AAGE;AACE;AACAA;AAGF;;AAEA;;AAEA;AACEA;AACApB;AACF;;AAEEA;AACF;;AACsBqB;AAAS;;AAG7B5B;AACAQ;;;AAGJ;;AAEA;;AAEA;AACA;;;;AAGUC;AAAc;AAEtB;AACEF;AACF;AACEA;AACF;;AACsBsB;AAAU;;AAG9B7B;AACAQ;;AAEAP;;AAEA;;AAEJ;;AACUA;AAAK;;AAEXD;AACAC;;AAEJ;AACF;AAEO;AAIL;;;;AAIE;AACA;AAEAM;;AACsBqB;AAAS;;AAG7B5B;AACAQ;;;AAGJ;;AAEA;AACA;;;AAIED;;AACsBqB;AAAM;;AAG1B5B;AACAQ;AACAC;AACAR;;AAEA;;AAEJ;;;AAGID;;;AAGJ;AACF;AAEO;;AAEH;AACF;AACA;AACE;AACF;;AAEE;AACF;;AAEE;AACF;;AAEF;;AAEA;AACO;AACL;AACE;;AAEF;AACE;AACF;AACA;AACA;AACA;AACF;AAEO;AACL;;AAEEH;AAGF;AAEA;AACEiC;AACAC;AACEC;AACF;AACF;AACF;AAEO;AAIL;;;AAGIhC;AACAQ;AACAC;;AAGJ;;AAEA;;AACQkB;AAAQ;AAEhB;AACEA;AACF;AAEA;;AAEEM;AACA;AACEN;AAGF;;AAEA;AACEA;AAGF;AAEA;AAEApB;;AACsBqB;AAAS;;AAG7B5B;AACAQ;AACA;AAAcC;;;AAElB;AAEA;;;AAGIT;AACAQ;AACAC;;AAEJ;;AAGE;;AAGET;AACAC;;;AAGFM;;AACsBqB;AAAS;;AAG7B5B;AACAQ;AACAC;;AAEJ;AACF;AAEO;;AAML;AACE;AACF;;;AAIIT;AACAC;;;;AAIAD;AACAQ;AACAC;;AAEJ;AACF;;ACzTO;AAKL;AACA;AACA;AACA;AACA;AACA;AACA;;AAEEyB;AACF;;;AAIAC;AACA;;AAIA;AACAA;AAEA;AACF;AAEO;AAEL;AACA;AACAC;AAGA;;AAGA;AACE;AAAkBvD;;AAChB;AACA;AACAwD;AAKF;AACF;;AAGA;;AAEA;;AAGA;AAAkBxD;;;AAElB;;AAGA;AACEyD;AACA;AAAkBzD;;AAChB;AACA;;AAEF;AACAyD;AACF;AAEA;AACF;AAEO;AAEL;AACA;AACAF;AAEA;;;;;AAMA;;AAGA;;AAEA;;AAGA;AAAkBvD;;;AAElB;;;AAIEyD;;;AAGAA;AACF;AAEA;AACF;;ACvGA;AACA;AACO;AACL;;AAEE/B;AAEA;AACEA;AACF;;AAEA;AACA;;;AAMIP;AACAQ;AACAP;AACF;AAEJ;;AAGE;;;;AAIA;;AAGAJ;;AACsB+B;AAAS;;AAG3B5B;AACAQ;AACAP;AACF;AAEJ;AACF;;ACtCO;;AAWH;AACF;AAEA;AACA;AACE;AACA;AACE;AACF;;;AAEQpB;AAAkB;;AAExB;AACF;AACA;AACA;AACA0D;;AAIEA;AACF;AACAA;AACF;;AAEA;AACA;AACA;;;AAIE1C;AAEIG;AACAQ;;AAEF;AAEJ;AACEX;AACF;AAEA;AACF;;AC9DO;AACL;AACE;AACF;AACA;AACE;AACF;AACA;AACF;;ACKO;;AAIG2C;AAAiB;AACvBzD;;;AAGF;;AAGE;AACE;AAAYyD;AAAU;AAE5B;AAEO;;AAKHC;AACAD;AACAE;AACF;AACE3D;;;;AAIF;AACA;AACE;;AAEE;AACF;AACA;;AAMF;AACA;AACF;;ACpDA;AACA;AACO;;AAKP;;ACyDO;;;;;;;;AAWL;AAAMA;;;AACN;;AAEA;AACE4D;AACF;AAEA;AACE;AACAlB;AACEmB;AACAC;AACAC;;AAEF;;;AAGF;AACA;;AAIA;;AAEE;AACEjD;AACA;AACE;AACAkD;AACF;AACF;AACA;AACA;;AAEElD;AACA;AACE;;AAOF;AACF;AACF;AAEA;;AAEI+C;AACAC;AAAe;AACfC;;;AAGAF;AACAC;AAAe;AACfC;;;AAGAF;AACAC;AAAe;AACfC;;;AAGAF;AACAC;AAAe;AACfC;;;;AAIJ;;;AAGA;;AAEA;AACA;AACA;;;AAGE;;AAEA;AACAE;AACAC;AAA2B;AAC3B;AACA;AACAC;AACAC;AACF;AAEA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACEC;AACE;AACAjC;;AAGFiC;AAGF;;AAEA;AACA;AACE;AACA;;AAEF;AACE;AACA;AACA;AACE;AACA;;AAEF;AACF;AAEA;AACEC;AACAxD;AACAA;;AAEA;AACF;;AAEA;AACA;AACE;AACA;;AAIA;;AAEA;AACA;;AAEIyD;AACF;AACF;AACF;;;AAII;AACE;AAGS;AAAc;AAIvB;AAEsC;AAAS;;AACjCT;AAAO;;;AAGf;AACF;AAGN;AACF;;AAEA;;AAuBAU;AAII;AACEC;AACF;AACE3D;AAIF;AACF;;;AAIE;AACA;;AAOJ;;AAGA4D;AACAA;AACAA;AACAA;AACAA;AAGAA;AACAA;AAGAA;AAGAA;AACAA;AACAA;AACAA;AACAA;AAGAA;AAGAA;AAGAA;AACAA;AACAA;AACAA;AACAA;AACAA;AACAA;AAGAA;AAGAA;AACAA;AACAA;AAGAA;AAGAA;AAGAA;AACAA;AACAA;AACAA;AAGAA;AAGAA;AACAA;AACAA;AAGAA;AAIA;AACF;;AAEA;AACA;AACA;;AAGF;AACA;AACA;AACA;;AAEA;AACA;AAAmCf;AAAY;;AAE/C;AACA;AACA;;;AAIM;;AAEA;AACAM;AACA;AACA;AACAE;AACAC;AACA;AACAF;AACF;;AAGF;AACA;AACEI;AACA;AACF;AACA;;AAEE;;AAEF;AACE;AACA;AACAK;AACF;AACF;;AAEA;AACA;AACA;AACO;AACLV;;;;AAIAM;AAOF;;;AAIE;;;AAGEJ;AAAiB;AACjBC;AACAF;AAA2B;AAC3BU;;;;AAIAC;AACF;AAEA;AACEP;AACA;AACAxD;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACEgE;AACF;;AAEA;AACA;AACE;AACAC;AACA;AACAC;AACF;;AAEA;AACA;AACA;AACA;;AAEAC;;AAEE;AACA;AACAhB;AACAE;AACAC;;;;;AAKF;AACA;;AAGA;AACF;AAEO;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEF;AAEA;AACE;;AACQc;AAAS;AACjB;AACA;AACA;AAEI;;;AAGJ;;;AAKA;AACA;AACA;AACA;AAOA;AACA;AACA;AACF;AACA;AACA;AACA;AACA;;AAGA;;AC/iBO;AACL;AACA;;AAGEC;AACAC;AACF;AAEA;AACA;AACE;AACA;;;AAGA;AACF;;AAEE;AACF;AACE;AACF;AACF;;ACXO;;AAGGC;AAAW;AACjBrF;;;AAIF;AACA;AACE;AACF;AACA;;AAGEsF;AACF;AACF;;ACvBO;AACL;AACA;AACExE;AAGA;AACF;;AAEA;AACA;;AACQyE;;AACR;AACE9D;AAEA+D;;;;AAKMC;;;AAGJ;AAEEhD;AACAgD;AACA1B;;AAIN;AAEA;AACE;AACF;AACA;AACF;;ACrCO;AACL;;AAEE;AACA;AACF;AAEA;;AAEEyB;AAEI/C;AACAgD;AACA1B;AACF;AAEEtB;AACAgD;AACA1B;AACF;AAEEtB;AACAgD;AACA1B;;AAIN;;AAEE;;AAEEjD;AACF;;AAKA;AACF;AACE;;AAEEA;AACF;;AAIA;AACF;AACF;;AC/CO;AAKL;;;;AAIIA;AAGAA;AACAA;AAGAA;AAGAA;AAGAA;AAGAA;AACAA;AAGAA;AACAA;AAGAA;AACAA;AAGA;AACF;;AAEA;AACAA;AAGAA;AAGAA;AACA;AACEA;AACF;AACE4E;AAEA;;AAEA;AACF;AACF;AAEA;AACF;;AC1DA;AACO;AACL;AACA;AACElE;;AACSP;AAAUC;;AACrB;;AAEA;AACA;AACA;AACEM;;AACSP;AAAUC;;AACrB;AAEA;AACA;AACE;AACF;;AAEQqE;;AACR;AACA;;AAEItE;AACAQ;AACAP;;AAEJ;AAEA;;;AAGID;AACAQ;AACAP;;AAEJ;AAEAM;;AAGEP;AACAQ;AACAP;;AAEJ;;AC7CO;AACL;;;;AAC0CyE;;AAC1C;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;;AAEE;AACqD5F;;AAGrD;AACA;AACE;AACF;;AAEF;AACA;AACA;AACF;AAOO;;;AAKH;AACwDA;;AAExD6F;;AAEEpE;;AACsBqE;AAAU;AAClC;;AAEArE;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AACL;AACA;AACF;AASO;AACL;AAAyC9C;;AACzC;AACA;;AAEE;;AAIF;AACA;;AAEE;;AAIF;AACF;AAQO;AACL;;AAEE+F;;;AAGFtE;;;AAGE;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;;AAGE;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;AACE;AACF;AACA;;AAEEiD;;AAEF;AACAtE;;;AAGE;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;AAEE;AAKA;;AAEAA;;AAEEA;AAIF;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAKL;AACErB;AACA;AACF;;AAEEzB;AACA;AACAgG;AACA;AACAC;AACF;AAAMhG;;;AAEN;AAEA;;AAEE8F;;;AAGFtE;;AAEE;;AAEAA;;AACsBqB;AAAS;AACjC;AAEA;AACArB;;AAEE;AACA;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;AAEE;AACA;AACA;;AAEA;AACEA;;AACsBqB;AAAS;AACjC;AACF;AACA;AACF;AAEO;AAKL;AAAyC9C;;AACzC;;AAK4B;AAAS;AAAS;AAC1C;AACA;AACE;AACAyB;;AAEE;AACAyE;;AAIA;AACEzE;;AACsBqB;AAAS;AACjC;AACF;AACF;;AAEE;;AAEEiD;;AAEF;AACAtE;;AAEE;;AAEA;AACEA;;AACsBqB;AAAS;AACjC;AACF;AACF;AACF;AAEJ;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;AAEE;AACA;AAKA;;AAEA;AACEA;;AACsBqB;AAAS;AACjC;AACF;AACA;AACF;AAEO;AAIL;AAAyC9C;;;;;AAYzC;AACF;AAEO;AAIL;AACA;AACA;;AAEF;AAEO;AAIL;;AAEE+F;;AAEF;AACAtE;;AAEE;AACA;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAGL;AAAyC9C;;;;AAGvC;AAGA;;AAEEkB;;;;AAIFO;;AACsBqB;AAAS;;AAE7B5B;AACAQ;AACAC;;AAEJ;AACF;AAEA;AAEO;;AAEL;;;;AAEA;AACA;AACA;AACA;AACA;AACEwB;AAAWgD;;;AACb;AACE;;AAEE;AACA;AACA;AACA;;AAEA;AACA;;AAEEhD;;AAAkBiD;;AACpB;;AAEJ;AACAC;AACA;;AAA4B;AAC9B;;ACpaO;AAGL;AAGF;;ACdA;AAAQC;AAAmB;AAEpB;AAGL;;;AACcC;AAAU;AACxB;AAGF;AAMO;AAGL;AACA;;AAEF;AAEO;;;AASP;;ACnCA;AACA;AACA;AACA;AACO;AAGL;AAMF;;ACfO;AAIL;;;AAGE;;AACUC;AAAwBd;;AAClC;AACF;AACF;;ACKO;AAKL;AAEIe;AACAC;;AAEJ;;AACQC;AAAc;;AAEtB;AACA;AAAkB5G;;AAChB;AACA;;AAEE6G;AACF;AACEC;AACA;AACF;AACF;;AACSnE;AAAerB;;;AAC1B;AAEO;AACL;;AACQyF;AAAM;;AAEd;;AAEE;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACAC;;AAIF;;AAEA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA;AACC1F;AACC;AACCyF;AAEH;AACF;AACA;;AAEE;AACF;AACAE;AACF;AACF;AAOO;;AAKGC;AAAsBjH;AAAoB;AAChDC;;;;;AAMAiH;AACF;AAEA;AACF;;ACtDO;;;;AAIL;AACA;;AAEF;AAEO;;AAEH;AAEA;AAEA;AAEA;AAEAvE;;AAEJ;AAEO;;AAKL;AACElB;;AACSP;;;AACX;;;;;;AAMwB4B;AAAS;AAE/B;AACE/B;;AACSG;;;AACX;AACA;;AAEEA;AACAQ;;;AAGJ;AAEA;;AAEEyF;AACF;AACE1F;;AACsB2F;AAAK;AAE3B;AACErG;;AACSG;;;AACX;;AAGEA;AACAQ;AACAC;;AAEJ;;AAGEZ;;AACSG;;;AACX;;AAEA;AACA;;;AAESA;AAAUC;;AACrB;AAEO;;;;;AAQHM;;AACsBqB;AAAS;;AACTuE;AAAS;;AAE7BnG;AACAQ;AACAC;;AAGJ;;AAGA;;AAEST;AAAUC;;AACrB;;ACpKA;AAEO;;AAEL;AAAkBpB;;;AAEd;AACA;AACEoD;AACAmE;AACF;AACEnE;AACF;AACF;AACF;AACA;AACF;AAEO;AACL;;AAEA;AACA;AACE;AACF;AACA;AACF;AAEO;;AAEL;AACF;AAEO;AACL;AACF;;ACvBO;;AAKGoE;AAAc;AAAMtH;;;AAC5B;AACA;;;;AAMM;;AAEA;;AAEA;AACAoC;AAIA;AACAkF;;AAEE;;;;;AAKF;;;AAIKrG;;;;AAET;;;AAESA;AAAWC;AAASO;;AAC/B;AACF;;AC3CA;;;;AAAgC8F;AAAsB;AAEtD;AACEzG;AAGA;AACA;AACA;AACAkE;AACF;AAEA;AACO;;AAEHwC;;;AAGA;AACF;AACA;AACF;AAEA;AACA;;AAEIC;AACF;AACA;AACF;AAEA;AACO;;AAEH;;;;AAIE;;AAEA;;AAEA3G;AACA;AACA;AACA;AACAkE;AACF;AACF;AACA;AACF;AAEA;AACO;;AAEH;;;AAQF;AACA;AACF;AAEA;AACO;;AAEH0C;;;AAGA;AACF;AACA;AACF;AAEA;AACA;;AAEIC;AACF;AACA;AACF;AAEO;AACL;AACF;AAEO;AACL;AACF;;ACrCA;;;;AAIEC;AACF;AAEO;;AAGG/D;AAAK;AACb;AAMF;;ACjFO;;AAGkB7D;;AAAwB;AACjD;;ACFO;AACL6H;AACAC;AACAC;AACF;;ACDO;AACLC;AACAC;AACAC;AACAC;AACF;;ACLO;;AAIH;AACF;;AAGE;AACF;AAEAC;AACE;AAGF;AAEAC;AAIIC;AACAC;;AAMF;AACE;;AAII;AACN;AACA;AACF;;AAKE;AACF;;AAGE;AACF;;;AAMA;;AAGE;;AAIF;AACF;;;ACtCO;AAKL;AACE;;AAEA;;AAEA;;AAEA;;AAEA;;AAEA;AAAiB;;;AAEPC;AAAI;;;AAEJ1I;AAAO;;;AAGb;AACE;AACF;AACF;;AAEE;AACE;AACF;AACF;AACA;AACF;AACA;;AAEA;AACA;AACE;AACJ;AACF;AAEO;;AAEH;;;AAGF;AACF;AAEO;;AAEH;;AAEF;AACF;;AC7EA;AAEA;AAEO;;;AAGD;;AAGJ;AACA;AACF;;ACcO;AACLkI;AACAC;AACAC;AACAC;AACF;AAEO;AACLH;AACAC;AACAC;AACAC;AACAM;AACF;AAiBA;AAEA;AAEA;AASA;AACE;AACET;AACAC;AACAC;AACAC;;AAEF;;;;AAIM;;;AAGA;;;AAGA;;;AAGA;AACJ;AACF;AACA;AACF;AAEA;;;AAGIO;AACF;;AAEEA;AACF;;AAEEA;AACF;;AAEEA;AACF;AACA;AACF;AAmBO;AAKL;AACA;AACE;AACF;;AAEEC;AACAC;AACAC;AACF;AACE7I;;;AAIF;AACA;AAEA;AACEA;AACA8I;AAEAd;AACAH;AACAkB;AAEAC;;;AAIF;;AAMQnF;AAAiBnB;AAAQ;AACjC;AACE1C;;;;AAIF;AACE;AACA;;AAKE;AACF;AACA;;AAEA;;AAEA;AACA;AACA;;AAEA;;;;;;;;;;AAgBIwI;AACAQ;AACF;AACF;AACF;AACA;AACE;AACF;;AAEA;AACA;AAKE;AACA;;AAEA;AACE;;AAEA;AACE;AACA;AACA;AACA;;AAKA;AACE;AACA;;;AAGEC;AACEC;AACAxG;AACF;AACF;AACF;AACEyG;AACF;AACF;AACE;AACA;;;AAGEC;AAA+BF;AAAqBxG;AAAQ;AAC9D;AACF;AACEyG;AACF;AACF;AACAE;AACE;;AAOJ;AACEA;AACF;;AAEEC;AACF;AACA;AACF;AAEO;;AAEP;AAEO;AAIL;AACF;AAEO;AAIL;;AAEF;AAEO;AACL;;AACQC;;AACR;AASF;AAEO;;AAWP;AAoBO;;AAIGC;AAAkB;AACxBxJ;;;AAGF;AACEA;;;;AAKF;;AAC4B;AAAS;;AACnC;;AAMA;AACAyJ;AACE;;AAME;AACF;;AAEEC;AACF;AACA;;AAEEC;AACAD;AACF;;AACQE;AAAI;AACZ;AACE;AACA;AACA;AACA;AAEA;AAEA;;;AAGID;;AAEEE;AACE;AACA;AACAA;AAIJ;AACA;;AAEAhH;AACF;AACF;AAEArB;;AACsB0H;AAAM;AAE5B;;AACwBrG;AAAyC;AACjE;AACF;AACF;AACF;AACA;AACF;AAEO;AAGL;AACF;AAOO;;AAIGiH;;AAA2C;AACjD9J;;;AAIF;AACA;AAIA;AACA;AACA;AAEA;AAAkBF;;;AACR;AAAS;AAAU;;AAE3B;AACE;;AAGEiK;AACF;AACA;AACF;;;AAGA;AACA;AACE;AACF;AACAC;AACAC;AACA;AAMEC;AACF;AACF;;AAEA;AACA;AAAa;AAAQ;AACnB;AACE;AACF;AACAA;AACF;AACA;AACA;AAAa;AAAS;AAAgB;AACpC;AACE;AACF;AACAA;;AAEA;AACE;AACA;AACA;;AAKA;AACEC;AACAC;AACF;AACAH;AAIF;AACF;AAEA;;AAKMnK;;;AAII;AAAS;AAAU;AAC3B;AACA;;AACU+D;AAAK;;;;AAYb;AACA;AACA;AACA;AACA;;AAEA;AACAT;AACF;AACA;AACA;;AAKA;AACA;AACE8G;AACAG;AACF;AACEA;AACF;AACA;AACEA;AACF;;;AAEQvK;AAA0B;AAClC;AACEwK;;;AAKA;;AAIA;AACF;AACAC;AACF;;AAIA;AACE;AACEvC;AACAC;AACAC;AACAC;;AAEF;AAAa;AAAS;AAAU;AAC9B;AACE;AACF;AACA;AACAqC;AACAA;AACAA;AACAA;AACF;AACAH;AAGF;AACAA;AACF;;AC1lBO;;AAEP;AAEO;AACL;AACF;;ACEO;AACL;AACA;;AAEA;;AAEF;AAEO;AAGL;AACA;;AAEE;AACE;AACF;AACA;;AAEE;AACF;AACAI;AACA;AACEzK;;;AAGA;;AAEF;AACE;AACA;;AAEF;;;;AAIF;;AAIF;AAEO;AACL;AACF;AAEO;AAGL;AACA;;;;AAIA;AACA;AACF;AAEO;;AAEH;;AAEF;AACF;AAQO;AACL;AACF;AAEO;AACL;AACA;AACA;AACF;;ACrEO;AAIL;AACA;;;AAGA;AACF;AAUO;AAIL;AACEA;AACA2I;AACAC;AACAnC;;;;AAKAzG;AACA;AACA;AACA;AACA0K;AACA1C;AACAH;AACAkB;AACA4B;AACA3B;AACA;;AAGF;;AACoB4B;AAAiB;;AAE/B9K;AAAkB;AACxB;;AAGE;AACF;;AAEQ8C;AAAQ;AAChB;AAEAA;AAEA;;AAAmE;AACnE;;AAEE;AACF;AACA;AAEA;;;;AAIEA;;AAGF;AAEIiI;AAAqCC;AAAK;AAC5C;AAEEC;AACEC;AACAC;AACA;;;;AAGoCC;;AACtC;AACF;;;AAQA;AACE;AACA;;AAIF;;;;AAOwBC;AAAY;AAClC;AACF;AACAC;;AAEExI;AACF;AACF;;AAIA;AACF;;ACpIO;;;;AAML;AACF;;ACFA;;;;AAIEyI;AACF;AAWO;;;AAKHC;;;;AAIF;AAAMtL;;;AACN;AACA;AACA;AACA;AACA;AACA;AACE8F;AACF;AACEA;AACF;AACA;AACA;AACA;;;AAKA;;;;AAIE;;AAGE;;AAEA;;AAEA;;AAEA;AACA;AAGM;AACA1D;AAIN;;AAIA;AACA;AAEA;;AAEA;AACA;;;AAOA;;AAEAkF;;AAEE;;AAEA;AACF;AACF;AAEF;AACEiE;AACE;;;;AAIA;AACF;AACF;AACA;AACF;;AC9GA;;AAAaC;AAAK;AAWX;;;AAIUC;AAAc;AAC7B;;AAEE;;;AAGA;AACF;;AAEEH;;;AAGF;AAAMtL;;;AACN;;AAGE;;;AAGA8F;AACA;AACAwB;;AAEE;;AAEAoE;AAGM;;AAEJ;AACA;AAEF;AACF;AACF;AACF;;ACpCO;;AAIH3L;;;;AAIA4L;;;;AAIF;AAAM3L;;;AACN;AACEgE;;AAEA4H;;AAEAtE;;;AACAuE;;;AAGAC;AACF;AACA;AACA;AAAqB9L;AAAiB;;AAEtC;;AAEA;AACA;;AAEA;AACA;AACE+L;AACF;AACA;AACF;;ACzDO;;AAIP;;ACgBA;;;;;;;;;;;;AAYEC;AACF;AAEO;AAEP;AA+EA;;;;AAMQ;;AAEF;;AAEJ;AAEA;AAEA;;AAaQ;;AAEE;AACF;;AAEE;AACA;;;;AAIA;AACA;AACA;AACA;;;AAII;;;AAIN;AACA;AACF;AASR;;AAEA;AACA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF;AAEA;AACE;;AAEE;;AAEF;AACA;AAA+BvF;;AACjC;AAEA;AAIE;;;AAGI;AACA;AACA;AACAwF;AACE;;;;AAKI;;AAEF;;AAINzK;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AACL9C;AACAmM;AACa;;AACqCnM;AAAI;;AAEtD;;AAMiCA;AAAI;AACrC;;AAKqCoM;;AAErC;AACA;AACA;AAIA;AACA;AACE;AACA;AACA;AACA;;;;AAII7J;AACF;AACF;AACF;AACA;AAMEA;AACF;;AAEEA;;AAEF;AACA;;AAEA;AACEA;AACF;AACA;;AACQ8J;AAAuB;AAC/B;;;AAGA;AACA;;AAEA;AACA;AACA;;;;;AAIUC;;AACR;AACA;AACA;AACEC;AACA;AACA;AACA;;;AAGA;AACF;AACA;AACEC;AACA;AACA;AACA;;;AAGA;AACF;AACA;AAGA;AACE;AACA;;AAKE;;;;AAIA;AACF;AACF;;AAKF;AACEC;AACAC;AACF;;AAEA;AACA;AAGA;;AAGA;AAEA;AAKA;;;;;;;;AASEC;AAAYC;;;;;;;;;AAQZC;;;;AAIAC;AACE;;AAEA;AACAC;AAGF;;AAEJ;AAEO;;AAKHC;;AAEAC;AACF;AACEhN;;;AAGF;;;AAGIc;AAMF;AACF;;;;AAC4B8L;AAAgB;AAC5C;AACA;;;AAGI3L;AACAQ;;;AAMJ;AACA;AACE;;AAEER;AACAQ;;;AAMJ;AACA;;AAEIR;AACAQ;AACAC;;AAKJ;AACA;;AAEIT;AACAQ;;;AAMJ;AACA;;;AAGIR;AACAQ;AACAC;;AAEJ;;;AAGIT;AACAQ;AACAC;;AAEJ;AACA;;AAEIT;AACAQ;AACAC;;AAEJ;;;AAGIT;AACAQ;AACAC;;AAKJ;AACA;AAIE;;AACQwD;AAAS;AACjB;AACA;AACApE;AAMF;;AACSG;AAAUC;;AACrB;;AC/fO;AAEA;AACL;AACA;AACE;AACAkB;AAIF;;AAEInB;AACAQ;;;AAGJ;;AAESR;;;AACX;AAEO;AAOL;AACA;AACE;AACF;;AAEA;;AACQJ;AAAkB;;;AAGtBI;AACAQ;AACAC;;AAEJ;;AAEA;AACA;;AAEA;AACA;;AAOF;AACA;AACA;AACA;AACA;AACA;AACA;;AAGIT;AACAC;;;AAGE+L;AACAC;AACAC;AACF;;AAEJ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;","debugId":"c368a863-2443-4cfa-bdcd-6e586539fc84"}
1	+ {"version":3,"file":"utils.js","sources":["../src/utils/glob.mts","../src/utils/fs.mts","../src/utils/config.mts","../src/utils/errors.mts","../src/utils/fail-msg-with-badge.mts","../src/utils/sdk.mts","../src/utils/api.mts","../src/utils/markdown.mts","../src/utils/serialize-result-json.mts","../src/utils/check-input.mts","../src/utils/get-output-kind.mts","../src/utils/output-formatting.mts","../src/utils/tildify.mts","../src/utils/meow-with-subcommands.mts","../src/utils/ms-at-home.mts","../src/commands/organization/fetch-organization-list.mts","../src/commands/scan/suggest-org-slug.mts","../src/commands/scan/suggest-to-persist-orgslug.mts","../src/utils/determine-org-slug.mts","../src/commands/ci/fetch-default-org-slug.mts","../src/utils/git.mts","../src/utils/purl.mts","../src/utils/socket-url.mts","../src/utils/map-to-object.mts","../src/utils/walk-nested-map.mts","../src/utils/path-resolve.mts","../src/utils/socketjson.mts","../src/utils/cmd.mts","../src/utils/coana.mts","../src/utils/npm-paths.mts","../src/utils/alert/artifact.mts","../src/utils/objects.mts","../src/utils/alert/fix.mts","../src/utils/alert/severity.mts","../src/utils/color-or-markdown.mts","../src/utils/semver.mts","../src/utils/translations.mts","../src/utils/socket-package-alert.mts","../src/utils/spec.mts","../src/utils/pnpm.mts","../src/utils/alerts-map.mts","../src/utils/npm-package-arg.mts","../src/shadow/npm/install.mts","../src/utils/agent.mts","../src/utils/npm-config.mts","../src/utils/lockfile.mts","../src/utils/package-environment.mts","../src/utils/completion.mts"],"sourcesContent":["import path from 'node:path'\n\nimport { glob, globStream } from 'fast-glob'\nimport ignore from 'ignore'\nimport micromatch from 'micromatch'\nimport { parse as yamlParse } from 'yaml'\n\nimport { readPackageJson } from '@socketsecurity/registry/lib/packages'\nimport { transform } from '@socketsecurity/registry/lib/streams'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport { safeReadFile } from './fs.mts'\n\nimport type { Agent } from './package-environment.mts'\nimport type { SocketYml } from '@socketsecurity/config'\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\nimport type { Options as GlobOptions } from 'fast-glob'\n\nconst ignoredDirs = [\n // Taken from ignore-by-default:\n // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js\n '.git', // Git repository files, see <https://git-scm.com/>\n '.log', // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>\n '.nyc_output', // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>\n '.sass-cache', // Cache folder for node-sass, see <https://github.com/sass/node-sass>\n '.yarn', // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>\n 'bower_components', // Where Bower packages are installed, see <http://bower.io/>\n 'coverage', // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>\n 'node_modules', // Where Node modules are installed, see <https://nodejs.org/>\n // Taken from globby:\n // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16\n 'flow-typed',\n] as const\n\nconst ignoredDirPatterns = ignoredDirs.map(i => `*/${i}`)\n\nasync function getWorkspaceGlobs(\n agent: Agent,\n cwd = process.cwd(),\n): Promise<string[]> {\n let workspacePatterns\n if (agent === 'pnpm') {\n for (const workspacePath of [\n path.join(cwd, 'pnpm-workspace.yaml'),\n path.join(cwd, 'pnpm-workspace.yml'),\n ]) {\n // eslint-disable-next-line no-await-in-loop\n const yml = await safeReadFile(workspacePath)\n if (yml) {\n try {\n workspacePatterns = yamlParse(yml)?.packages\n } catch {}\n if (workspacePatterns) {\n break\n }\n }\n }\n } else {\n workspacePatterns = (await readPackageJson(cwd, { throws: false }))?.[\n 'workspaces'\n ]\n }\n return Array.isArray(workspacePatterns)\n ? workspacePatterns\n .filter(isNonEmptyString)\n .map(workspacePatternToGlobPattern)\n : []\n}\n\nfunction ignoreFileLinesToGlobPatterns(\n lines: string[] \| readonly string[],\n filepath: string,\n cwd: string,\n): string[] {\n const base = path.relative(cwd, path.dirname(filepath)).replace(/\\\\/g, '/')\n const patterns = []\n for (let i = 0, { length } = lines; i < length; i += 1) {\n const pattern = lines[i]!.trim()\n if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /'#'/) {\n patterns.push(\n ignorePatternToMinimatch(\n pattern.length && pattern.charCodeAt(0) === 33 /'!'/\n ? `!${path.posix.join(base, pattern.slice(1))}`\n : path.posix.join(base, pattern),\n ),\n )\n }\n }\n return patterns\n}\n\nfunction ignoreFileToGlobPatterns(\n content: string,\n filepath: string,\n cwd: string,\n): string[] {\n return ignoreFileLinesToGlobPatterns(content.split(/\\r?\\n/), filepath, cwd)\n}\n\n// Based on `@eslint/compat` convertIgnorePatternToMinimatch.\n// Apache v2.0 licensed\n// Copyright Nicholas C. Zakas\n// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28\nfunction ignorePatternToMinimatch(pattern: string): string {\n const isNegated = pattern.startsWith('!')\n const negatedPrefix = isNegated ? '!' : ''\n const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()\n // Special cases.\n if (\n patternToTest === '' \|\|\n patternToTest === '' \|\|\n patternToTest === '/' \|\|\n patternToTest === ''\n ) {\n return `${negatedPrefix}${patternToTest}`\n }\n const firstIndexOfSlash = patternToTest.indexOf('/')\n const matchEverywherePrefix =\n firstIndexOfSlash === -1 \|\| firstIndexOfSlash === patternToTest.length - 1\n ? '/'\n : ''\n const patternWithoutLeadingSlash =\n firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest\n // Escape `{` and `(` because in gitignore patterns they are just\n // literal characters without any specific syntactic meaning,\n // while in minimatch patterns they can form brace expansion or extglob syntax.\n //\n // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.\n // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.\n // Minimatch pattern `src/\\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.\n const escapedPatternWithoutLeadingSlash =\n patternWithoutLeadingSlash.replaceAll(\n /(?=((?:\\\\.\|[^{(])))\\1([{(])/guy,\n '$1\\\\$2',\n )\n const matchInsideSuffix = patternToTest.endsWith('/*') ? '/' : ''\n return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`\n}\n\nfunction workspacePatternToGlobPattern(workspace: string): string {\n const { length } = workspace\n if (!length) {\n return ''\n }\n // If the workspace ends with \"/\"\n if (workspace.charCodeAt(length - 1) === 47 /'/'/) {\n return `${workspace}//package.json`\n }\n // If the workspace ends with \"/\"\n if (\n workspace.charCodeAt(length - 1) === 42 /''/ &&\n workspace.charCodeAt(length - 2) === 42 /''/ &&\n workspace.charCodeAt(length - 3) === 47 /'/'/\n ) {\n return `${workspace}//*/package.json`\n }\n // Things like \"packages/a\" or \"packages/\"\n return `${workspace}/package.json`\n}\n\nexport function filterBySupportedScanFiles(\n filepaths: string[] \| readonly string[],\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n): string[] {\n const patterns = getSupportedFilePatterns(supportedFiles)\n return filepaths.filter(p => micromatch.some(p, patterns))\n}\n\nexport function getSupportedFilePatterns(\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n): string[] {\n const patterns: string[] = []\n for (const key of Object.keys(supportedFiles)) {\n const supported = supportedFiles[key]\n if (supported) {\n patterns.push(...Object.values(supported).map(p => `/${p.pattern}`))\n }\n }\n return patterns\n}\n\ntype GlobWithGitIgnoreOptions = GlobOptions & {\n socketConfig?: SocketYml \| undefined\n}\n\nexport async function globWithGitIgnore(\n patterns: string[] \| readonly string[],\n options: GlobWithGitIgnoreOptions,\n): Promise<string[]> {\n const {\n cwd = process.cwd(),\n socketConfig,\n ...additionalOptions\n } = { __proto__: null, ...options } as GlobWithGitIgnoreOptions\n\n const projectIgnorePaths = socketConfig?.projectIgnorePaths\n\n const ignores = [\n ...ignoredDirPatterns,\n ...(Array.isArray(projectIgnorePaths)\n ? ignoreFileLinesToGlobPatterns(\n projectIgnorePaths,\n path.join(cwd, '.gitignore'),\n cwd,\n )\n : []),\n ]\n\n const ignoreFilesStream = globStream(['/.gitignore'], {\n absolute: true,\n cwd,\n })\n\n for await (const ignorePattern of transform(\n 8, // Concurrency level.\n async (filepath: string) =>\n ignoreFileToGlobPatterns(\n (await safeReadFile(filepath)) ?? '',\n filepath,\n cwd,\n ),\n ignoreFilesStream,\n )) {\n ignores.push(...ignorePattern)\n }\n\n const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /'!'/)\n const globOptions = {\n __proto__: null,\n absolute: true,\n cwd,\n dot: true,\n ignore: hasNegatedPattern ? ['/.git', '/node_modules'] : ignores,\n ...additionalOptions,\n } as GlobOptions\n\n const result: string[] = await glob(patterns as string[], globOptions)\n if (!hasNegatedPattern) {\n return result\n }\n\n // Note: the input files must be INSIDE the cwd. If you get strange looking\n // relative path errors here, most likely your path is outside the given cwd.\n const filtered = ignore()\n .add(ignores)\n .filter(\n globOptions.absolute ? result.map(p => path.relative(cwd, p)) : result,\n )\n\n return globOptions.absolute\n ? filtered.map(p => path.resolve(cwd, p))\n : filtered\n}\n\nexport async function globNodeModules(cwd = process.cwd()): Promise<string[]> {\n return await glob('/node_modules', {\n absolute: true,\n cwd,\n onlyDirectories: true,\n })\n}\n\nexport async function globWorkspace(\n agent: Agent,\n cwd = process.cwd(),\n): Promise<string[]> {\n const workspaceGlobs = await getWorkspaceGlobs(agent, cwd)\n return workspaceGlobs.length\n ? await glob(workspaceGlobs, {\n absolute: true,\n cwd,\n ignore: ['/node_modules/', '/bower_components/'],\n })\n : []\n}\n\nexport function isReportSupportedFile(\n filepath: string,\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n) {\n const patterns = getSupportedFilePatterns(supportedFiles)\n return micromatch.some(filepath, patterns)\n}\n\nexport function pathsToGlobPatterns(\n paths: string[] \| readonly string[],\n): string[] {\n // TODO: Does not support `~/` paths.\n return paths.map(p => (p === '.' \|\| p === './' ? '/' : p))\n}\n","import { promises as fs, readFileSync, statSync } from 'node:fs'\nimport path from 'node:path'\n\nimport { remove } from '@socketsecurity/registry/lib/fs'\nimport { pEach } from '@socketsecurity/registry/lib/promises'\n\nimport constants from '../constants.mts'\nimport { globNodeModules } from './glob.mts'\n\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { Abortable } from 'node:events'\nimport type {\n BigIntStats,\n ObjectEncodingOptions,\n OpenMode,\n PathLike,\n PathOrFileDescriptor,\n StatSyncOptions,\n Stats,\n} from 'node:fs'\nimport type { FileHandle } from 'node:fs/promises'\n\nexport async function removeNodeModules(cwd = process.cwd()) {\n const nodeModulesPaths = await globNodeModules(cwd)\n await pEach(\n nodeModulesPaths,\n 3,\n p => remove(p, { force: true, recursive: true }),\n { retries: 3 },\n )\n}\n\nexport type FindUpOptions = {\n cwd?: string \| undefined\n signal?: AbortSignal \| undefined\n}\n\nexport async function findUp(\n name: string \| string[],\n {\n cwd = process.cwd(),\n // Lazily access constants.abortSignal.\n signal = constants.abortSignal,\n }: FindUpOptions,\n): Promise<string \| undefined> {\n let dir = path.resolve(cwd)\n const { root } = path.parse(dir)\n const names = [name].flat()\n while (dir && dir !== root) {\n for (const name of names) {\n if (signal?.aborted) {\n return undefined\n }\n const filePath = path.join(dir, name)\n try {\n // eslint-disable-next-line no-await-in-loop\n const stats = await fs.stat(filePath)\n if (stats.isFile()) {\n return filePath\n }\n } catch {}\n }\n dir = path.dirname(dir)\n }\n return undefined\n}\n\nexport type ReadFileOptions = Remap<\n ObjectEncodingOptions &\n Abortable & {\n flag?: OpenMode \| undefined\n }\n>\n\nexport async function readFileBinary(\n filepath: PathLike \| FileHandle,\n options?: ReadFileOptions \| undefined,\n): Promise<Buffer> {\n return (await fs.readFile(filepath, {\n // Lazily access constants.abortSignal.\n signal: constants.abortSignal,\n ...options,\n encoding: 'binary',\n } as ReadFileOptions)) as Buffer\n}\n\nexport async function readFileUtf8(\n filepath: PathLike \| FileHandle,\n options?: ReadFileOptions \| undefined,\n): Promise<string> {\n return await fs.readFile(filepath, {\n // Lazily access constants.abortSignal.\n signal: constants.abortSignal,\n ...options,\n encoding: 'utf8',\n })\n}\n\nexport async function safeReadFile(\n filepath: PathLike \| FileHandle,\n options?: 'utf8' \| 'utf-8' \| { encoding: 'utf8' \| 'utf-8' } \| undefined,\n): Promise<string \| undefined>\n\nexport async function safeReadFile(\n filepath: PathLike \| FileHandle,\n options?: ReadFileOptions \| NodeJS.BufferEncoding \| undefined,\n): Promise<Awaited<ReturnType<typeof fs.readFile>> \| undefined> {\n try {\n return await fs.readFile(filepath, {\n encoding: 'utf8',\n // Lazily access constants.abortSignal.\n signal: constants.abortSignal,\n ...(typeof options === 'string' ? { encoding: options } : options),\n })\n } catch {}\n return undefined\n}\n\nexport function safeReadFileSync(\n filepath: PathOrFileDescriptor,\n options?: 'utf8' \| 'utf-8' \| { encoding: 'utf8' \| 'utf-8' } \| undefined,\n): string \| undefined\n\nexport function safeReadFileSync(\n filepath: PathOrFileDescriptor,\n options?:\n \| {\n encoding?: NodeJS.BufferEncoding \| undefined\n flag?: string \| undefined\n }\n \| NodeJS.BufferEncoding\n \| undefined,\n): ReturnType<typeof readFileSync> \| undefined {\n try {\n return readFileSync(filepath, {\n encoding: 'utf8',\n ...(typeof options === 'string' ? { encoding: options } : options),\n })\n } catch {}\n return undefined\n}\n\nexport function safeStatsSync(\n filepath: PathLike,\n options?: undefined,\n): Stats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options?: StatSyncOptions & {\n bigint?: false \| undefined\n },\n): Stats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options: StatSyncOptions & {\n bigint: true\n },\n): BigIntStats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options: StatSyncOptions & {\n bigint: boolean\n },\n): Stats \| BigIntStats \| undefined\n\nexport function safeStatsSync(\n filepath: PathLike,\n options?: StatSyncOptions,\n): Stats \| BigIntStats \| undefined {\n try {\n return statSync(filepath, { throwIfNoEntry: false, ...options })\n } catch {}\n return undefined\n}\n","import { mkdirSync, writeFileSync } from 'node:fs'\nimport path from 'node:path'\n\nimport config from '@socketsecurity/config'\nimport { debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport constants from '../constants.mts'\nimport { safeReadFileSync } from './fs.mts'\n\nimport type { CResult } from '../types.mts'\n\nexport interface LocalConfig {\n apiBaseUrl?: string \| null \| undefined\n // @deprecated ; use apiToken. when loading a config, if this prop exists it\n // is deleted and set to apiToken instead, and then persisted.\n // should only happen once for legacy users.\n apiKey?: string \| null \| undefined\n apiProxy?: string \| null \| undefined\n apiToken?: string \| null \| undefined\n defaultOrg?: string\n enforcedOrgs?: string[] \| readonly string[] \| null \| undefined\n skipAskToPersistDefaultOrg?: boolean\n org?: string // convenience alias for defaultOrg\n}\n\nconst sensitiveConfigKeyLookup: Set<keyof LocalConfig> = new Set(['apiToken'])\n\nconst supportedConfig: Map<keyof LocalConfig, string> = new Map([\n ['apiBaseUrl', 'Base URL of the API endpoint'],\n ['apiProxy', 'A proxy through which to access the API'],\n ['apiToken', 'The API token required to access most API endpoints'],\n [\n 'defaultOrg',\n 'The default org slug to use; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.',\n ],\n [\n 'enforcedOrgs',\n 'Orgs in this list have their security policies enforced on this machine',\n ],\n [\n 'skipAskToPersistDefaultOrg',\n 'This flag prevents the CLI from asking you to persist the org slug when you selected one interactively',\n ],\n ['org', 'Alias for defaultOrg'],\n])\n\nconst supportedConfigEntries = [...supportedConfig.entries()].sort((a, b) =>\n naturalCompare(a[0], b[0]),\n)\nconst supportedConfigKeys = supportedConfigEntries.map(p => p[0])\n\nfunction getConfigValues(): LocalConfig {\n if (_cachedConfig === undefined) {\n // Order: env var > --config flag > file\n _cachedConfig = {} as LocalConfig\n // Lazily access constants.socketAppDataPath.\n const { socketAppDataPath } = constants\n if (socketAppDataPath) {\n const raw = safeReadFileSync(socketAppDataPath)\n if (raw) {\n try {\n Object.assign(\n _cachedConfig,\n JSON.parse(Buffer.from(raw, 'base64').toString()),\n )\n } catch {\n logger.warn(`Failed to parse config at ${socketAppDataPath}`)\n }\n // Normalize apiKey to apiToken and persist it.\n // This is a one time migration per user.\n if (_cachedConfig['apiKey']) {\n const token = _cachedConfig['apiKey']\n delete _cachedConfig['apiKey']\n updateConfigValue('apiToken', token)\n }\n } else {\n mkdirSync(path.dirname(socketAppDataPath), { recursive: true })\n }\n }\n }\n return _cachedConfig\n}\n\nfunction normalizeConfigKey(\n key: keyof LocalConfig,\n): CResult<keyof LocalConfig> {\n // Note: apiKey was the old name of the token. When we load a config with\n // property apiKey, we'll copy that to apiToken and delete the old property.\n // We added `org` as a convenience alias for `defaultOrg`\n const normalizedKey =\n key === 'apiKey' ? 'apiToken' : key === 'org' ? 'defaultOrg' : key\n if (!isSupportedConfigKey(normalizedKey)) {\n return {\n ok: false,\n message: `Invalid config key: ${normalizedKey}`,\n data: undefined,\n }\n }\n return { ok: true, data: normalizedKey }\n}\n\nexport function findSocketYmlSync(dir = process.cwd()) {\n let prevDir = null\n while (dir !== prevDir) {\n let ymlPath = path.join(dir, 'socket.yml')\n let yml = safeReadFileSync(ymlPath)\n if (yml === undefined) {\n ymlPath = path.join(dir, 'socket.yaml')\n yml = safeReadFileSync(ymlPath)\n }\n if (typeof yml === 'string') {\n try {\n return {\n path: ymlPath,\n parsed: config.parseSocketConfig(yml),\n }\n } catch {\n throw new Error(`Found file but was unable to parse ${ymlPath}`)\n }\n }\n prevDir = dir\n dir = path.join(dir, '..')\n }\n return null\n}\n\nexport function getConfigValue<Key extends keyof LocalConfig>(\n key: Key,\n): CResult<LocalConfig[Key]> {\n const localConfig = getConfigValues()\n const keyResult = normalizeConfigKey(key)\n if (!keyResult.ok) {\n return keyResult\n }\n return { ok: true, data: localConfig[keyResult.data as Key] }\n}\n\n// This version squashes errors, returning undefined instead.\n// Should be used when we can reasonably predict the call can't fail.\nexport function getConfigValueOrUndef<Key extends keyof LocalConfig>(\n key: Key,\n): LocalConfig[Key] \| undefined {\n const localConfig = getConfigValues()\n const keyResult = normalizeConfigKey(key)\n if (!keyResult.ok) {\n return undefined\n }\n return localConfig[keyResult.data as Key]\n}\n\n// Ensure export because dist/utils.js is required in src/constants.mts.\n// eslint-disable-next-line n/exports-style\nexports.getConfigValueOrUndef = getConfigValueOrUndef\n\nexport function getSupportedConfigEntries() {\n return [...supportedConfigEntries]\n}\n\nexport function getSupportedConfigKeys() {\n return [...supportedConfigKeys]\n}\n\nexport function isReadOnlyConfig() {\n return _readOnlyConfig\n}\n\nexport function isSensitiveConfigKey(key: string): key is keyof LocalConfig {\n return sensitiveConfigKeyLookup.has(key as keyof LocalConfig)\n}\n\nexport function isSupportedConfigKey(key: string): key is keyof LocalConfig {\n return supportedConfig.has(key as keyof LocalConfig)\n}\n\nlet _cachedConfig: LocalConfig \| undefined\n// When using --config or SOCKET_CLI_CONFIG, do not persist the config.\nlet _readOnlyConfig = false\n\nexport function overrideCachedConfig(jsonConfig: unknown): CResult<undefined> {\n debugFn('notice', 'override: full config (not stored)')\n\n let config\n try {\n config = JSON.parse(String(jsonConfig))\n if (!config \|\| typeof config !== 'object') {\n // `null` is valid json, so are primitive values.\n // They're not valid config objects :)\n return {\n ok: false,\n message: 'Could not parse Config as JSON',\n cause:\n \"Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again.\",\n }\n }\n } catch {\n // Force set an empty config to prevent accidentally using system settings.\n _cachedConfig = {} as LocalConfig\n _readOnlyConfig = true\n\n return {\n ok: false,\n message: 'Could not parse Config as JSON',\n cause:\n \"Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again.\",\n }\n }\n\n // @ts-ignore Override an illegal object.\n _cachedConfig = config as LocalConfig\n _readOnlyConfig = true\n\n // Normalize apiKey to apiToken.\n if (_cachedConfig['apiKey']) {\n if (_cachedConfig['apiToken']) {\n logger.warn(\n 'Note: The config override had both apiToken and apiKey. Using the apiToken value. Remove the apiKey to get rid of this message.',\n )\n }\n _cachedConfig['apiToken'] = _cachedConfig['apiKey']\n delete _cachedConfig['apiKey']\n }\n\n return { ok: true, data: undefined }\n}\n\nexport function overrideConfigApiToken(apiToken: unknown) {\n debugFn('notice', 'override: API token (not stored)')\n // Set token to the local cached config and mark it read-only so it doesn't persist.\n _cachedConfig = {\n ...config,\n ...(apiToken === undefined ? {} : { apiToken: String(apiToken) }),\n } as LocalConfig\n _readOnlyConfig = true\n}\n\nlet _pendingSave = false\nexport function updateConfigValue<Key extends keyof LocalConfig>(\n configKey: keyof LocalConfig,\n value: LocalConfig[Key],\n): CResult<undefined \| string> {\n const localConfig = getConfigValues()\n const keyResult = normalizeConfigKey(configKey)\n if (!keyResult.ok) {\n return keyResult\n }\n const key: Key = keyResult.data as Key\n // Implicitly deleting when serializing.\n let wasDeleted = value === undefined\n if (key === 'skipAskToPersistDefaultOrg') {\n if (value === 'true' \|\| value === 'false') {\n localConfig['skipAskToPersistDefaultOrg'] = value === 'true'\n } else {\n delete localConfig['skipAskToPersistDefaultOrg']\n wasDeleted = true\n }\n } else {\n if (value === 'undefined' \|\| value === 'true' \|\| value === 'false') {\n logger.warn(\n `Note: The value is set to \"${value}\", as a string (!). Use \\`socket config unset\\` to reset a key.`,\n )\n }\n localConfig[key] = value\n }\n if (_readOnlyConfig) {\n return {\n ok: true,\n message: `Config key '${key}' was ${wasDeleted ? 'deleted' : `updated`}`,\n data: 'Change applied but not persisted; current config is overridden through env var or flag',\n }\n }\n\n if (!_pendingSave) {\n _pendingSave = true\n process.nextTick(() => {\n _pendingSave = false\n // Lazily access constants.socketAppDataPath.\n const { socketAppDataPath } = constants\n if (socketAppDataPath) {\n writeFileSync(\n socketAppDataPath,\n Buffer.from(JSON.stringify(localConfig)).toString('base64'),\n )\n }\n })\n }\n\n return {\n ok: true,\n message: `Config key '${key}' was ${wasDeleted ? 'deleted' : `updated`}`,\n data: undefined,\n }\n}\n","import { setTimeout as wait } from 'node:timers/promises'\n\nimport { debugFn } from '@socketsecurity/registry/lib/debug'\n\nimport constants from '../constants.mts'\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getSentry },\n} = constants\n\ntype EventHintOrCaptureContext = { [key: string]: any } \| Function\n\nexport class AuthError extends Error {}\n\nexport class InputError extends Error {\n public body: string \| undefined\n\n constructor(message: string, body?: string) {\n super(message)\n this.body = body\n }\n}\n\nexport async function captureException(\n exception: unknown,\n hint?: EventHintOrCaptureContext \| undefined,\n): Promise<string> {\n const result = captureExceptionSync(exception, hint)\n // \"Sleep\" for a second, just in case, hopefully enough time to initiate fetch.\n await wait(1000)\n return result\n}\n\nexport function captureExceptionSync(\n exception: unknown,\n hint?: EventHintOrCaptureContext \| undefined,\n): string {\n const Sentry = getSentry()\n if (!Sentry) {\n return ''\n }\n debugFn('notice', 'send: exception to Sentry')\n return Sentry.captureException(exception, hint) as string\n}\n\nexport function isErrnoException(\n value: unknown,\n): value is NodeJS.ErrnoException {\n if (!(value instanceof Error)) {\n return false\n }\n return (value as NodeJS.ErrnoException).code !== undefined\n}\n","import colors from 'yoctocolors-cjs'\n\nexport function failMsgWithBadge(\n badge: string,\n message: string \| undefined,\n): string {\n const prefix = colors.bgRed(\n colors.bold(colors.white(` ${badge}${message ? ': ' : ''}`)),\n )\n const postfix = message ? ` ${colors.bold(message)}` : ''\n return `${prefix}${postfix}`\n}\n","import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent'\n\nimport isInteractive from '@socketregistry/is-interactive/index.cjs'\nimport { password } from '@socketsecurity/registry/lib/prompts'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\nimport { SocketSdk, createUserAgentFromPkgJson } from '@socketsecurity/sdk'\n\nimport { getConfigValueOrUndef } from './config.mts'\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\n\nconst TOKEN_PREFIX = 'sktsec_'\n\nconst { length: TOKEN_PREFIX_LENGTH } = TOKEN_PREFIX\n\n// The API server that should be used for operations.\nfunction getDefaultApiBaseUrl(): string \| undefined {\n const baseUrl =\n // Lazily access constants.ENV.SOCKET_CLI_API_BASE_URL.\n constants.ENV.SOCKET_CLI_API_BASE_URL \|\| getConfigValueOrUndef('apiBaseUrl')\n return isUrl(baseUrl) ? baseUrl : undefined\n}\n\n// The API server that should be used for operations.\nfunction getDefaultProxyUrl(): string \| undefined {\n const apiProxy =\n // Lazily access constants.ENV.SOCKET_CLI_API_PROXY.\n constants.ENV.SOCKET_CLI_API_PROXY \|\| getConfigValueOrUndef('apiProxy')\n return isUrl(apiProxy) ? apiProxy : undefined\n}\n\nfunction isUrl(value: any): value is string {\n if (isNonEmptyString(value)) {\n try {\n // eslint-disable-next-line no-new\n new URL(value)\n return true\n } catch {}\n }\n return false\n}\n\n// This API key should be stored globally for the duration of the CLI execution.\nlet _defaultToken: string \| undefined\nexport function getDefaultToken(): string \| undefined {\n // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.\n if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {\n _defaultToken = undefined\n } else {\n const key =\n // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.\n constants.ENV.SOCKET_CLI_API_TOKEN \|\|\n getConfigValueOrUndef('apiToken') \|\|\n _defaultToken\n _defaultToken = isNonEmptyString(key) ? key : undefined\n }\n return _defaultToken\n}\n\nexport function getVisibleTokenPrefix(): string {\n const apiToken = getDefaultToken()\n return apiToken\n ? apiToken.slice(TOKEN_PREFIX_LENGTH, TOKEN_PREFIX_LENGTH + 5)\n : ''\n}\n\nexport function hasDefaultToken(): boolean {\n return !!getDefaultToken()\n}\n\nexport function getPublicToken(): string {\n return (\n getDefaultToken() \|\|\n // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.\n constants.ENV.SOCKET_CLI_API_TOKEN \|\|\n // Lazily access constants.SOCKET_PUBLIC_API_TOKEN.\n constants.SOCKET_PUBLIC_API_TOKEN\n )\n}\n\nexport type SetupSdkOptions = {\n apiToken?: string \| undefined\n apiBaseUrl?: string \| undefined\n apiProxy?: string \| undefined\n}\n\nexport async function setupSdk(\n options?: SetupSdkOptions \| undefined,\n): Promise<CResult<SocketSdk>> {\n const opts = { __proto__: null, ...options } as SetupSdkOptions\n let { apiToken = getDefaultToken() } = opts\n\n if (typeof apiToken !== 'string' && isInteractive()) {\n apiToken = await password({\n message:\n 'Enter your Socket.dev API key (not saved, use socket login to persist)',\n })\n _defaultToken = apiToken\n }\n\n if (!apiToken) {\n return {\n ok: false,\n message: 'Auth Error',\n cause: 'You need to provide an API Token. Run `socket login` first.',\n }\n }\n\n let { apiProxy } = opts\n if (!isUrl(apiProxy)) {\n apiProxy = getDefaultProxyUrl()\n }\n\n const { apiBaseUrl = getDefaultApiBaseUrl() } = opts\n const ProxyAgent = apiProxy?.startsWith('http:')\n ? HttpProxyAgent\n : HttpsProxyAgent\n\n return {\n ok: true,\n data: new SocketSdk(apiToken, {\n agent: apiProxy ? new ProxyAgent({ proxy: apiProxy }) : undefined,\n baseUrl: apiBaseUrl,\n userAgent: createUserAgentFromPkgJson({\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_NAME.\n name: constants.ENV.INLINED_SOCKET_CLI_NAME,\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION.\n version: constants.ENV.INLINED_SOCKET_CLI_VERSION,\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE.\n homepage: constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE,\n }),\n }),\n }\n}\n","import { messageWithCauses } from 'pony-cause'\n\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport { getConfigValueOrUndef } from './config.mts'\nimport { AuthError } from './errors.mts'\nimport constants from '../constants.mts'\nimport { failMsgWithBadge } from './fail-msg-with-badge.mts'\nimport { getDefaultToken } from './sdk.mts'\n\nimport type { CResult } from '../types.mts'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\nimport type {\n SocketSdkErrorResult,\n SocketSdkOperations,\n SocketSdkResult,\n SocketSdkSuccessResult,\n} from '@socketsecurity/sdk'\n\nconst NO_ERROR_MESSAGE = 'No error message returned'\n\n// TODO: this function is removed after v1.0.0\nexport function handleUnsuccessfulApiResponse<T extends SocketSdkOperations>(\n _name: T,\n error: string,\n cause: string,\n status: number,\n): never {\n const message = `${error \|\| NO_ERROR_MESSAGE}${cause ? ` (reason: ${cause})` : ''}`\n if (status === 401 \|\| status === 403) {\n // Lazily access constants.spinner.\n const { spinner } = constants\n\n spinner.stop()\n\n throw new AuthError(message)\n }\n logger.fail(failMsgWithBadge('Socket API returned an error', message))\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n}\n\nexport type HandleApiCallOptions = {\n desc?: string \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function handleApiCall<T extends SocketSdkOperations>(\n value: Promise<SocketSdkResult<T>>,\n options?: HandleApiCallOptions \| undefined,\n): Promise<CResult<SocketSdkSuccessResult<T>['data']>> {\n const { desc, spinner } = {\n __proto__: null,\n ...options,\n } as HandleApiCallOptions\n\n if (desc) {\n spinner?.start(`Requesting ${desc} from API...`)\n } else {\n spinner?.start()\n }\n\n let sdkResult: SocketSdkResult<T>\n try {\n sdkResult = await value\n if (desc) {\n // TODO: info, not success (looks weird when response is non-200)\n spinner?.successAndStop(\n `Received API response (after requesting ${desc}).`,\n )\n } else {\n spinner?.stop()\n }\n } catch (e) {\n if (desc) {\n spinner?.failAndStop(`An error was thrown while requesting ${desc}`)\n debugFn('error', `caught: ${desc} error`)\n } else {\n spinner?.stop()\n debugFn('error', `caught: error`)\n }\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: messageWithCauses(e as Error),\n }\n } finally {\n spinner?.stop()\n }\n\n // Note: TS can't narrow down the type of result due to generics.\n if (sdkResult.success === false) {\n const errorResult = sdkResult as SocketSdkErrorResult<T>\n const message = `${errorResult.error \|\| NO_ERROR_MESSAGE}`\n const { cause: reason } = errorResult\n\n if (desc) {\n debugFn('error', `fail: ${desc} bad response`)\n } else {\n debugFn('error', 'fail: bad response')\n }\n debugDir('inspect', { sdkResult })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${message}${reason ? ` ( Reason: ${reason} )` : ''}`,\n data: {\n code: sdkResult.status,\n },\n }\n } else {\n const { data } = sdkResult as SocketSdkSuccessResult<T>\n return {\n ok: true,\n data,\n }\n }\n}\n\nexport async function handleApiCallNoSpinner<T extends SocketSdkOperations>(\n value: Promise<SocketSdkResult<T>>,\n description: string,\n): Promise<CResult<SocketSdkSuccessResult<T>['data']>> {\n let result: SocketSdkResult<T>\n try {\n result = await value\n } catch (e) {\n const message = `${e \|\| NO_ERROR_MESSAGE}`\n const reason = `${e \|\| NO_ERROR_MESSAGE}`\n\n debugFn('error', `caught: ${description} error`)\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${message}${reason ? ` ( Reason: ${reason} )` : ''}`,\n }\n }\n\n // Note: TS can't narrow down the type of result due to generics\n if (result.success === false) {\n const error = result as SocketSdkErrorResult<T>\n const message = `${error.error \|\| NO_ERROR_MESSAGE}`\n\n debugFn('error', `fail: ${description} bad response`)\n debugDir('inspect', { error })\n\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${message}${error.cause ? ` ( Reason: ${error.cause} )` : ''}`,\n data: {\n code: result.status,\n },\n }\n } else {\n const ok = result as SocketSdkSuccessResult<T>\n return {\n ok: true,\n data: ok.data,\n }\n }\n}\n\nexport async function getErrorMessageForHttpStatusCode(code: number) {\n if (code === 400) {\n return 'One of the options passed might be incorrect'\n }\n if (code === 403 \|\| code === 401) {\n return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with'\n }\n if (code === 404) {\n return 'The requested Socket API endpoint was not found (404) or there was no result for the requested parameters. If unexpected, this could be a temporary problem caused by an incident or a bug in the CLI. If the problem persists please let us know.'\n }\n if (code === 500) {\n return 'There was an unknown server side problem with your request. This ought to be temporary. Please let us know if this problem persists.'\n }\n return `Server responded with status code ${code}`\n}\n\n// The API server that should be used for operations.\nexport function getDefaultApiBaseUrl(): string \| undefined {\n const baseUrl =\n // Lazily access constants.ENV.SOCKET_CLI_API_BASE_URL.\n constants.ENV.SOCKET_CLI_API_BASE_URL \|\| getConfigValueOrUndef('apiBaseUrl')\n if (isNonEmptyString(baseUrl)) {\n return baseUrl\n }\n // Lazily access constants.API_V0_URL.\n const API_V0_URL = constants.API_V0_URL\n return API_V0_URL\n}\n\nexport async function queryApi(path: string, apiToken: string) {\n const baseUrl = getDefaultApiBaseUrl() \|\| ''\n if (!baseUrl) {\n logger.warn(\n 'API endpoint is not set and default was empty. Request is likely to fail.',\n )\n }\n\n return await fetch(`${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`, {\n method: 'GET',\n headers: {\n Authorization: `Basic ${btoa(`${apiToken}:`)}`,\n },\n })\n}\n\nexport async function queryApiSafeText(\n path: string,\n fetchSpinnerDesc?: string,\n): Promise<CResult<string>> {\n const apiToken = getDefaultToken()\n if (!apiToken) {\n return {\n ok: false,\n message: 'Authentication Error',\n cause:\n 'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.',\n }\n }\n\n // Lazily access constants.spinner.\n const { spinner } = constants\n\n if (fetchSpinnerDesc) {\n spinner.start(`Requesting ${fetchSpinnerDesc} from API...`)\n }\n\n let result\n try {\n result = await queryApi(path, apiToken)\n if (fetchSpinnerDesc) {\n spinner.successAndStop(\n `Received API response (after requesting ${fetchSpinnerDesc}).`,\n )\n }\n } catch (e) {\n if (fetchSpinnerDesc) {\n spinner.failAndStop(\n `An error was thrown while requesting ${fetchSpinnerDesc}.`,\n )\n }\n\n const cause = (e as undefined \| { message: string })?.message\n\n debugFn('error', 'caught: queryApi() error')\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'API Request failed to complete',\n ...(cause ? { cause } : {}),\n }\n }\n\n if (!result.ok) {\n const cause = await getErrorMessageForHttpStatusCode(result.status)\n return {\n ok: false,\n message: 'Socket API returned an error',\n cause: `${result.statusText}${cause ? ` (cause: ${cause})` : ''}`,\n }\n }\n\n try {\n const data = await result.text()\n\n return {\n ok: true,\n data,\n }\n } catch (e) {\n debugFn('error', 'caught: await result.text() error')\n debugDir('inspect', { error: e })\n\n return {\n ok: false,\n message: 'API Request failed to complete',\n cause: 'There was an unexpected error trying to read the response text',\n }\n }\n}\n\nexport async function queryApiSafeJson<T>(\n path: string,\n fetchSpinnerDesc = '',\n): Promise<CResult<T>> {\n const result = await queryApiSafeText(path, fetchSpinnerDesc)\n\n if (!result.ok) {\n return result\n }\n\n try {\n return {\n ok: true,\n data: JSON.parse(result.data) as T,\n }\n } catch (e) {\n return {\n ok: false,\n message: 'Server returned invalid JSON',\n cause: `Please report this. JSON.parse threw an error over the following response: \\`${(result.data?.slice?.(0, 100) \|\| '<empty>').trim() + (result.data?.length > 100 ? '...' : '')}\\``,\n }\n }\n}\n","export function mdTableStringNumber(\n title1: string,\n title2: string,\n obj: Record<string, number \| string>,\n): string {\n // \| Date \| Counts \|\n // \| ----------- \| ------ \|\n // \| Header \| 201464 \|\n // \| Paragraph \| 18 \|\n let mw1 = title1.length\n let mw2 = title2.length\n for (const [key, value] of Object.entries(obj)) {\n mw1 = Math.max(mw1, key.length)\n mw2 = Math.max(mw2, String(value ?? '').length)\n }\n\n const lines = []\n lines.push(`\| ${title1.padEnd(mw1, ' ')} \| ${title2.padEnd(mw2)} \|`)\n lines.push(`\| ${'-'.repeat(mw1)} \| ${'-'.repeat(mw2)} \|`)\n for (const [key, value] of Object.entries(obj)) {\n lines.push(\n `\| ${key.padEnd(mw1, ' ')} \| ${String(value ?? '').padStart(mw2, ' ')} \|`,\n )\n }\n lines.push(`\| ${'-'.repeat(mw1)} \| ${'-'.repeat(mw2)} \|`)\n\n return lines.join('\\n')\n}\n\nexport function mdTable<T extends Array<Record<string, string>>>(\n logs: T,\n // This is saying \"an array of strings and the strings are a valid key of elements of T\"\n // In turn, T is defined above as the audit log event type from our OpenAPI docs.\n cols: Array<string & keyof T[number]>,\n titles: string[] = cols,\n): string {\n // Max col width required to fit all data in that column\n const cws = cols.map(col => col.length)\n\n for (const log of logs) {\n for (let i = 0, { length } = cols; i < length; i += 1) {\n // @ts-ignore\n const val: unknown = log[cols[i] ?? ''] ?? ''\n cws[i] = Math.max(\n cws[i] ?? 0,\n String(val).length,\n (titles[i] \|\| '').length,\n )\n }\n }\n\n let div = '\|'\n for (const cw of cws) {\n div += ' ' + '-'.repeat(cw) + ' \|'\n }\n\n let header = '\|'\n for (let i = 0, { length } = titles; i < length; i += 1) {\n header += ' ' + String(titles[i]).padEnd(cws[i] ?? 0, ' ') + ' \|'\n }\n\n let body = ''\n for (const log of logs) {\n body += '\|'\n for (let i = 0, { length } = cols; i < length; i += 1) {\n // @ts-ignore\n const val: unknown = log[cols[i] ?? ''] ?? ''\n body += ' ' + String(val).padEnd(cws[i] ?? 0, ' ') + ' \|'\n }\n body += '\\n'\n }\n\n return [div, header, div, body.trim(), div].filter(s => s.trim()).join('\\n')\n}\n\nexport function mdTableOfPairs(\n arr: Array<[string, string]>,\n // This is saying \"an array of strings and the strings are a valid key of elements of T\"\n // In turn, T is defined above as the audit log event type from our OpenAPI docs.\n cols: string[],\n): string {\n // Max col width required to fit all data in that column\n const cws = cols.map(col => col.length)\n\n for (const [key, val] of arr) {\n cws[0] = Math.max(cws[0] ?? 0, String(key).length)\n cws[1] = Math.max(cws[1] ?? 0, String(val ?? '').length)\n }\n\n let div = '\|'\n for (const cw of cws) {\n div += ' ' + '-'.repeat(cw) + ' \|'\n }\n\n let header = '\|'\n for (let i = 0, { length } = cols; i < length; i += 1) {\n header += ' ' + String(cols[i]).padEnd(cws[i] ?? 0, ' ') + ' \|'\n }\n\n let body = ''\n for (const [key, val] of arr) {\n body += '\|'\n body += ' ' + String(key).padEnd(cws[0] ?? 0, ' ') + ' \|'\n body += ' ' + String(val ?? '').padEnd(cws[1] ?? 0, ' ') + ' \|'\n body += '\\n'\n }\n\n return [div, header, div, body.trim(), div].filter(s => s.trim()).join('\\n')\n}\n","import { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport type { CResult } from '../types.mts'\n\n// Serialize the final result object before printing it\n// All commands that support the --json flag should call this before printing\nexport function serializeResultJson(data: CResult<unknown>): string {\n if (typeof data !== 'object' \|\| !data) {\n process.exitCode = 1\n debugFn('inspect', 'typeof data=', typeof data)\n\n if (typeof data !== 'object' && data) {\n debugFn('inspect', 'data:\\n', data)\n }\n\n // We should not allow the JSON value to be \"null\", or a boolean/number/string,\n // even if they are valid \"json\".\n const message =\n 'There was a problem converting the data set to JSON. The JSON was not an object. Please try again without --json'\n\n return (\n JSON.stringify({\n ok: false,\n message: 'Unable to serialize JSON',\n data: message,\n }).trim() + '\\n'\n )\n }\n\n try {\n return JSON.stringify(data, null, 2).trim() + '\\n'\n } catch (e) {\n process.exitCode = 1\n\n // This could be caused by circular references, which is an \"us\" problem\n const message =\n 'There was a problem converting the data set to JSON. Please try again without --json'\n logger.fail(message)\n debugDir('inspect', { error: e })\n return (\n JSON.stringify({\n ok: false,\n message: 'Unable to serialize JSON',\n data: message,\n }).trim() + '\\n'\n )\n }\n}\n","import colors from 'yoctocolors-cjs'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { stripAnsi } from '@socketsecurity/registry/lib/strings'\n\nimport { failMsgWithBadge } from './fail-msg-with-badge.mts'\nimport { serializeResultJson } from './serialize-result-json.mts'\n\nimport type { OutputKind } from '../types.mts'\n\nexport function checkCommandInput(\n outputKind: OutputKind,\n ...checks: Array<{\n fail: string\n message: string\n pass: string\n test: boolean\n nook?: boolean \| undefined\n }>\n): boolean {\n if (checks.every(d => d.test)) {\n return true\n }\n\n const msg = ['Please review the input requirements and try again', '']\n for (const d of checks) {\n // If nook, then ignore when test is ok\n if (d.nook && d.test) {\n continue\n }\n const lines = d.message.split('\\n')\n const { length: lineCount } = lines\n if (!lineCount) {\n continue\n }\n // If the message has newlines then format the first line with the input\n // expectation and the rest indented below it.\n msg.push(\n ` - ${lines[0]} (${d.test ? colors.green(d.pass) : colors.red(d.fail)})`,\n )\n if (lineCount > 1) {\n msg.push(...lines.slice(1).map(str => ` ${str}`))\n }\n msg.push('')\n }\n\n // Use exit status of 2 to indicate incorrect usage, generally invalid\n // options or missing arguments.\n // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html\n process.exitCode = 2\n\n if (outputKind === 'json') {\n logger.log(\n serializeResultJson({\n ok: false,\n message: 'Input error',\n data: stripAnsi(msg.join('\\n')),\n }),\n )\n } else {\n logger.fail(failMsgWithBadge('Input error', msg.join('\\n')))\n }\n\n return false\n}\n","import type { OutputKind } from '../types.mts'\n\nexport function getOutputKind(json: unknown, markdown: unknown): OutputKind {\n if (json) {\n return 'json'\n }\n if (markdown) {\n return 'markdown'\n }\n return 'text'\n}\n","import { isObject } from '@socketsecurity/registry/lib/objects'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport type { MeowFlags } from '../flags.mts'\n\ntype HelpListOptions = {\n indent?: number \| undefined\n keyPrefix?: string \| undefined\n padName?: number \| undefined\n}\n\ntype ListDescription =\n \| { description: string }\n \| { description: string; hidden: boolean }\n\nexport function getFlagListOutput(\n list: MeowFlags,\n options?: HelpListOptions \| undefined,\n): string {\n const { keyPrefix = '--' } = {\n __proto__: null,\n ...options,\n } as HelpListOptions\n return getHelpListOutput(\n {\n ...list,\n },\n { ...options, keyPrefix },\n )\n}\n\nexport function getHelpListOutput(\n list: Record<string, ListDescription>,\n options?: HelpListOptions \| undefined,\n): string {\n const {\n indent = 6,\n keyPrefix = '',\n padName = 18,\n } = {\n __proto__: null,\n ...options,\n } as HelpListOptions\n let result = ''\n const names = Object.keys(list).sort(naturalCompare)\n for (const name of names) {\n const entry = list[name]\n if (entry && 'hidden' in entry && entry?.hidden) {\n continue\n }\n const description = (isObject(entry) ? entry.description : entry) \|\| ''\n result +=\n ''.padEnd(indent) +\n (keyPrefix + name).padEnd(padName) +\n description +\n '\\n'\n }\n return result.trim() \|\| '(none)'\n}\n","import path from 'node:path'\n\nimport { escapeRegExp } from '@socketsecurity/registry/lib/regexps'\n\nimport constants from '../constants.mts'\n\n// Replace the start of a path with ~/ when it starts with your home dir.\n// A common way to abbreviate the user home dir (though not strictly posix).\nexport function tildify(cwd: string) {\n return cwd.replace(\n new RegExp(`^${escapeRegExp(constants.homePath)}(?:${path.sep}\|$)`, 'i'),\n '~/',\n )\n}\n","import meow from 'meow'\n\nimport { joinAnd } from '@socketsecurity/registry/lib/arrays'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { hasOwn, toSortedObject } from '@socketsecurity/registry/lib/objects'\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport {\n getConfigValueOrUndef,\n isReadOnlyConfig,\n overrideCachedConfig,\n overrideConfigApiToken,\n} from './config.mts'\nimport { getFlagListOutput, getHelpListOutput } from './output-formatting.mts'\nimport constants from '../constants.mts'\nimport { commonFlags } from '../flags.mts'\nimport { getVisibleTokenPrefix } from './sdk.mts'\nimport { tildify } from './tildify.mts'\n\nimport type { MeowFlags } from '../flags.mts'\nimport type { Options, Result } from 'meow'\n\nexport interface CliAlias {\n description: string\n argv: readonly string[]\n hidden?: boolean \| undefined\n}\n\nexport type CliAliases = Record<string, CliAlias>\n\nexport type CliSubcommandRun = (\n argv: string[] \| readonly string[],\n importMeta: ImportMeta,\n context: { parentName: string },\n) => Promise<void> \| void\n\nexport interface CliSubcommand {\n description: string\n hidden?: boolean \| undefined\n run: CliSubcommandRun\n}\n\n// Property names are picked such that the name is at the top when the props\n// get ordered by alphabet while flags is near the bottom and the help text\n// at the bottom, because they tend ot occupy the most lines of code.\nexport interface CliCommandConfig {\n commandName: string // tmp optional while we migrate\n description: string\n hidden: boolean\n flags: MeowFlags // tmp optional while we migrate\n help: (command: string, config: CliCommandConfig) => string\n}\n\nexport interface MeowOptions extends Options<any> {\n aliases?: CliAliases \| undefined\n argv: readonly string[]\n name: string\n // When no sub-command is given, default to this sub-command\n defaultSub?: string\n}\n\n// For debugging. Whenever you call meowOrExit it will store the command here\n// This module exports a getter that returns the current value.\nlet lastSeenCommand = ''\n\nexport function getLastSeenCommand(): string {\n return lastSeenCommand\n}\n\nexport async function meowWithSubcommands(\n subcommands: Record<string, CliSubcommand>,\n options: MeowOptions,\n): Promise<void> {\n const {\n aliases = {},\n argv,\n defaultSub,\n importMeta,\n name,\n ...additionalOptions\n } = { __proto__: null, ...options }\n const [commandOrAliasName_, ...rawCommandArgv] = argv\n let commandOrAliasName = commandOrAliasName_\n if (!commandOrAliasName && defaultSub) {\n commandOrAliasName = defaultSub\n }\n\n const flags: MeowFlags = {\n ...commonFlags,\n version: {\n type: 'boolean',\n hidden: true,\n description: 'Print the app version',\n },\n ...additionalOptions.flags,\n }\n\n // No further args or first arg is a flag (shrug)\n const isRootCommand =\n name === 'socket' &&\n (!commandOrAliasName \|\| commandOrAliasName?.startsWith('-'))\n\n // Try to support `socket <purl>` as a shorthand for `socket package score <purl>`\n if (!isRootCommand) {\n if (commandOrAliasName?.startsWith('pkg:')) {\n logger.info('Note: Invoking `socket package score` now...')\n return await meowWithSubcommands(subcommands, {\n ...options,\n argv: ['package', 'deep', ...argv],\n })\n }\n // Support `socket npm/babel` or whatever as a shorthand, too.\n // Accept any ecosystem and let the remote sort it out.\n if (/^[a-z]+\\//.test(commandOrAliasName \|\| '')) {\n logger.info('Note: Invoking `socket package score` now...')\n return await meowWithSubcommands(subcommands, {\n ...options,\n argv: [\n 'package',\n 'deep',\n `pkg:${commandOrAliasName}`,\n ...rawCommandArgv,\n ],\n })\n }\n }\n\n if (isRootCommand) {\n flags['help'] = {\n type: 'boolean',\n hidden: false, // Only show on root\n description: 'Give you detailed help information about any sub-command',\n }\n flags['config'] = {\n type: 'string',\n hidden: false, // Only show on root\n description: 'Allows you to temp overrides the internal CLI config',\n }\n flags['dryRun'] = {\n type: 'boolean',\n hidden: false, // Only show on root\n description: 'Do input validation for a sub-command and then exit',\n }\n flags['version'] = {\n type: 'boolean',\n hidden: false, // Only show on root\n description: 'Show version of CLI',\n }\n delete flags['json']\n delete flags['markdown']\n } else {\n delete flags['help']\n delete flags['version']\n }\n\n // This is basically a dry-run parse of cli args and flags. We use this to\n // determine config overrides and expected output mode.\n const cli1 = meow(`(this should never be printed)`, {\n argv,\n importMeta,\n ...additionalOptions,\n flags,\n // Do not strictly check for flags here.\n allowUnknownFlags: true,\n booleanDefault: undefined, // We want to detect whether a bool flag is given at all.\n // We will emit help when we're ready\n // Plus, if we allow this then meow() can just exit here.\n autoHelp: false,\n autoVersion: false,\n })\n\n const orgFlag = String(cli1.flags['org'] \|\| '') \|\| undefined\n\n // Hard override the config if instructed to do so.\n // The env var overrides the --flag, which overrides the persisted config\n // Also, when either of these are used, config updates won't persist.\n let configOverrideResult\n // Lazily access constants.ENV.SOCKET_CLI_CONFIG.\n if (constants.ENV.SOCKET_CLI_CONFIG) {\n configOverrideResult = overrideCachedConfig(\n // Lazily access constants.ENV.SOCKET_CLI_CONFIG.\n constants.ENV.SOCKET_CLI_CONFIG,\n )\n } else if (cli1.flags['config']) {\n configOverrideResult = overrideCachedConfig(\n String(cli1.flags['config'] \|\| ''),\n )\n }\n\n // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.\n if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {\n // This overrides the config override and even the explicit token env var.\n // The config will be marked as readOnly to prevent persisting it.\n overrideConfigApiToken(undefined)\n } else {\n // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.\n const tokenOverride = constants.ENV.SOCKET_CLI_API_TOKEN\n if (tokenOverride) {\n // This will set the token (even if there was a config override) and\n // set it to readOnly, making sure the temp token won't be persisted.\n overrideConfigApiToken(tokenOverride)\n }\n }\n\n if (configOverrideResult?.ok === false) {\n emitBanner(name, orgFlag)\n logger.error('') // spacing in stderr\n logger.fail(configOverrideResult.message)\n process.exitCode = 2\n return\n }\n\n // If we got at least some args, then lets find out if we can find a command.\n if (commandOrAliasName) {\n const alias = aliases[commandOrAliasName]\n // First: Resolve argv data from alias if its an alias that's been given.\n const [commandName, ...commandArgv] = alias\n ? [...alias.argv, ...rawCommandArgv]\n : [commandOrAliasName, ...rawCommandArgv]\n // Second: Find a command definition using that data.\n const commandDefinition = commandName ? subcommands[commandName] : undefined\n // Third: If a valid command has been found, then we run it...\n if (commandDefinition) {\n return await commandDefinition.run(commandArgv, importMeta, {\n parentName: name,\n })\n }\n }\n\n function formatCommandsForHelp(isRootCommand: boolean) {\n if (!isRootCommand) {\n return getHelpListOutput({\n ...toSortedObject(\n Object.fromEntries(\n Object.entries(subcommands).filter(\n ({ 1: subcommand }) => !subcommand.hidden,\n ),\n ),\n ),\n ...toSortedObject(\n Object.fromEntries(\n Object.entries(aliases).filter(({ 1: alias }) => {\n const { hidden } = alias\n const cmdName = hidden ? '' : alias.argv[0]\n const subcommand = cmdName ? subcommands[cmdName] : undefined\n return subcommand && !subcommand.hidden\n }),\n ),\n ),\n })\n }\n\n // \"Bucket\" some commands for easier usage.\n const commands = new Set([\n 'analytics',\n 'audit-log',\n 'config',\n 'fix',\n 'install',\n 'login',\n 'logout',\n 'manifest',\n 'npm',\n 'npx',\n 'optimize',\n 'organization',\n 'package',\n 'raw-npm',\n 'raw-npx',\n 'repos',\n 'scan',\n 'threat-feed',\n 'uninstall',\n 'wrapper',\n ])\n Object.entries(subcommands)\n .filter(([_name, subcommand]) => !subcommand.hidden)\n .map(([name]) => name)\n .forEach(name => {\n if (commands.has(name)) {\n commands.delete(name)\n } else {\n logger.fail(\n 'Received a visible command that was not added to the list here:',\n name,\n )\n }\n })\n if (commands.size) {\n logger.fail(\n 'Found commands in the list that were not marked as public or not defined at all:',\n // Node < 22 will print 'Object (n)' before the array. So to have consistent\n // test snapshots we use joinAnd.\n joinAnd(\n Array.from(commands)\n .sort(naturalCompare)\n .map(c => `'${c}'`),\n ),\n )\n }\n\n const out = []\n out.push('All commands have their own --help page')\n out.push('')\n out.push(' Main commands')\n out.push('')\n out.push(\n ' socket login Setup the CLI with an API Token and defaults',\n )\n out.push(' socket scan create Create a new Scan and report')\n out.push(\n ' socket npm/eslint@1.0.0 Request the security score of a particular package',\n )\n out.push(\n ' socket ci Shorthand for CI; socket scan create --report --no-interactive',\n )\n out.push('')\n out.push(' Socket API')\n out.push('')\n out.push(' analytics Look up analytics data')\n out.push(\n ' audit-log Look up the audit log for an organization',\n )\n out.push(\n ' organization Manage organization account details',\n )\n out.push(\n ' package Look up published package details',\n )\n out.push(' repository Manage registered repositories')\n out.push(' scan Manage Socket scans')\n out.push(' threat-feed [beta] View the threat feed')\n out.push('')\n out.push(' Local tools')\n out.push('')\n out.push(\n ' fix Update dependencies with \"fixable\" Socket alerts',\n )\n out.push(\n ' manifest Generate a dependency manifest for certain languages',\n )\n out.push(' npm npm wrapper functionality')\n out.push(' npx npx wrapper functionality')\n out.push(\n ' optimize Optimize dependencies with @socketregistry overrides',\n )\n out.push(\n ' raw-npm Temporarily disable the Socket npm wrapper',\n )\n out.push(\n ' raw-npx Temporarily disable the Socket npx wrapper',\n )\n out.push('')\n out.push(' CLI configuration')\n out.push('')\n out.push(\n ' config Manage the CLI configuration directly',\n )\n out.push(\n ' install Manually install CLI tab completion on your system',\n )\n out.push(' login Socket API login and CLI setup')\n out.push(' logout Socket API logout')\n out.push(\n ' uninstall Remove the CLI tab completion from your system',\n )\n out.push(\n ' wrapper Enable or disable the Socket npm/npx wrapper',\n )\n\n return out.join('\\n')\n }\n\n // Parse it again. Config overrides should now be applied (may affect help).\n // Note: this is displayed as help screen if the command does not override it\n // (which is the case for most sub-commands with sub-commands)\n const cli2 = meow(\n `\n Usage\n $ ${name} <command>\n${isRootCommand ? '' : '\\n Commands'}\n ${formatCommandsForHelp(isRootCommand)}\n\n${isRootCommand ? ' Options' : ' Options'}${isRootCommand ? ' (Note: all CLI commands have these flags even when not displayed in their help)\\n' : ''}\n ${getFlagListOutput(flags, { padName: 25 })}\n\n Examples\n $ ${name} --help\n${isRootCommand ? ` $ ${name} scan create --json` : ''}${isRootCommand ? `\\n $ ${name} package score npm left-pad --markdown` : ''}`,\n {\n argv,\n importMeta,\n ...additionalOptions,\n flags,\n // Do not strictly check for flags here.\n allowUnknownFlags: true,\n // We will emit help when we're ready.\n // Plus, if we allow this then meow() can just exit here.\n autoHelp: false,\n autoVersion: false,\n // We want to detect whether a bool flag is given at all.\n booleanDefault: undefined,\n },\n )\n\n // ...else we provide basic instructions and help.\n if (!cli2.flags['nobanner']) {\n emitBanner(name, orgFlag)\n // meow will add newline so don't add stderr spacing here\n }\n if (!cli2.flags['help'] && cli2.flags['dryRun']) {\n process.exitCode = 0\n // Lazily access constants.DRY_RUN_LABEL.\n logger.log(`${constants.DRY_RUN_LABEL}: No-op, call a sub-command; ok`)\n } else {\n // When you explicitly request --help, the command should be successful\n // so we exit(0). If we do it because we need more input, we exit(2).\n cli2.showHelp(cli2.flags['help'] ? 0 : 2)\n }\n}\n\n/\n Note: meow will exit immediately if it calls its .showHelp()\n /\nexport function meowOrExit({\n allowUnknownFlags = true,\n argv,\n config,\n importMeta,\n parentName,\n}: {\n allowUnknownFlags?: boolean \| undefined\n argv: readonly string[]\n config: CliCommandConfig\n parentName: string\n importMeta: ImportMeta\n}): Result<MeowFlags> {\n const command = `${parentName} ${config.commandName}`\n lastSeenCommand = command\n\n // This exits if .printHelp() is called either by meow itself or by us.\n const cli = meow({\n argv,\n autoHelp: false, // meow will exit(0) before printing the banner.\n autoVersion: false,\n booleanDefault: undefined, // We want to detect whether a bool flag is given at all.\n collectUnknownFlags: true,\n description: config.description,\n flags: config.flags,\n help: config.help(command, config),\n importMeta,\n })\n\n if (!cli.flags['nobanner']) {\n emitBanner(command, String(cli.flags['org'] \|\| '') \|\| undefined)\n // Add spacing in stderr. meow.help adds a newline too so we do it here\n logger.error('')\n }\n\n // As per https://github.com/sindresorhus/meow/issues/178\n // Setting `allowUnknownFlags: false` makes it reject camel cased flags.\n // if (!allowUnknownFlags) {\n // // Run meow specifically with the flag setting. It will exit(2) if an\n // // invalid flag is set and print a message.\n // meow({\n // argv,\n // allowUnknownFlags: false,\n // autoHelp: false,\n // autoVersion: false,\n // description: config.description,\n // flags: config.flags,\n // help: config.help(command, config),\n // importMeta,\n // })\n // }\n\n if (cli.flags['help']) {\n cli.showHelp(0)\n }\n\n // meow doesn't detect 'version' as an unknown flag, so we do the leg work here.\n if (!hasOwn(config.flags, 'version') && cli.flags['version']) {\n // Use `console.error` here instead of `logger.error` to match meow behavior.\n console.error('Unknown flag\\n--version')\n // eslint-disable-next-line n/no-process-exit\n process.exit(2)\n }\n\n // Now test for help state. Run meow again. If it exits now, it must be due\n // to wanting to print the help screen. But it would exit(0) and we want a\n // consistent exit(2) for that case (missing input).\n // TODO: Move away from meow.\n process.exitCode = 2\n meow({\n argv,\n // As per https://github.com/sindresorhus/meow/issues/178\n // Setting `allowUnknownFlags: false` makes it reject camel cased flags.\n allowUnknownFlags: Boolean(allowUnknownFlags),\n autoHelp: false,\n autoVersion: false,\n description: config.description,\n help: config.help(command, config),\n importMeta,\n flags: config.flags,\n })\n // Ok, no help, reset to default.\n process.exitCode = 0\n\n return cli\n}\n\nexport function emitBanner(name: string, orgFlag: string \| undefined) {\n // Print a banner at the top of each command.\n // This helps with brand recognition and marketing.\n // It also helps with debugging since it contains version and command details.\n // Note: print over stderr to preserve stdout for flags like --json and\n // --markdown. If we don't do this, you can't use --json in particular\n // and pipe the result to other tools. By emitting the banner over stderr\n // you can do something like `socket scan view xyz \| jq \| process`.\n // The spinner also emits over stderr for example.\n logger.error(getAsciiHeader(name, orgFlag))\n}\n\nfunction getAsciiHeader(command: string, orgFlag: string \| undefined) {\n // Note: In tests we return <redacted> because otherwise snapshots will fail.\n const { REDACTED } = constants\n // Lazily access constants.ENV.VITEST.\n const redacting = constants.ENV.VITEST\n const cliVersion = redacting\n ? REDACTED\n : // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH.\n constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH\n const nodeVersion = redacting ? REDACTED : process.version\n const defaultOrg = getConfigValueOrUndef('defaultOrg')\n const readOnlyConfig = isReadOnlyConfig() ? '' : '.'\n const shownToken = redacting\n ? REDACTED\n : getVisibleTokenPrefix() \|\| '(not set)'\n const relCwd = redacting ? REDACTED : normalizePath(tildify(process.cwd()))\n // Note: we must redact org when creating snapshots because dev machine probably\n // has a default org set but CI won't. Showing --org is fine either way.\n const orgPart = orgFlag\n ? `--org: ${orgFlag}`\n : redacting\n ? 'org: <redacted>'\n : defaultOrg\n ? `default org: ${defaultOrg}`\n : '(org not set)'\n // Note: We could draw these with ascii box art instead but I worry about\n // portability and paste-ability. \"simple\" ascii chars just work.\n const body = `\n _____ _ _ /---------------\n \| __\|___ ___\| \|_ ___\| \|_ \| Socket.dev CLI ver ${cliVersion}\n \|__ \| ${readOnlyConfig} \| _\| '_\| -_\| _\| \| Node: ${nodeVersion}, API token: ${shownToken}, ${orgPart}\n \|_____\|___\|___\|_,_\|___\|_\|.dev \| Command: \\`${command}\\`, cwd: ${relCwd}\n `.trim()\n\n return ` ${body}` // Note: logger will auto-append a newline\n}\n","export function msAtHome(isoTimeStamp: string): string {\n const timeStart = Date.parse(isoTimeStamp)\n const timeEnd = Date.now()\n\n const rtf = new Intl.RelativeTimeFormat('en', {\n numeric: 'always',\n style: 'short',\n })\n\n const delta = timeEnd - timeStart\n if (delta < 60 * 60 * 1000) {\n return rtf.format(-Math.round(delta / (60 * 1000)), 'minute')\n // return Math.round(delta / (60 * 1000)) + ' min ago'\n } else if (delta < 24 * 60 * 60 * 1000) {\n return rtf.format(-(delta / (60 * 60 * 1000)).toFixed(1), 'hour')\n // return (delta / (60 * 60 * 1000)).toFixed(1) + ' hr ago'\n } else if (delta < 7 * 24 * 60 * 60 * 1000) {\n return rtf.format(-(delta / (24 * 60 * 60 * 1000)).toFixed(1), 'day')\n // return (delta / (24 * 60 * 60 * 1000)).toFixed(1) + ' day ago'\n } else {\n return isoTimeStamp.slice(0, 10)\n }\n}\n","import { handleApiCall } from '../../utils/api.mts'\nimport { setupSdk } from '../../utils/sdk.mts'\n\nimport type { CResult } from '../../types.mts'\nimport type { SetupSdkOptions } from '../../utils/sdk.mts'\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\n\nexport type FetchOrganizationOptions = {\n sdkOptions?: SetupSdkOptions \| undefined\n}\n\nexport async function fetchOrganization(\n options?: FetchOrganizationOptions \| undefined,\n): Promise<CResult<SocketSdkSuccessResult<'getOrganizations'>['data']>> {\n const { sdkOptions } = {\n __proto__: null,\n ...options,\n } as FetchOrganizationOptions\n\n const sockSdkCResult = await setupSdk(sdkOptions)\n if (!sockSdkCResult.ok) {\n return sockSdkCResult\n }\n const sockSdk = sockSdkCResult.data\n\n return await handleApiCall(sockSdk.getOrganizations(), {\n desc: 'organization list',\n })\n}\n","import { logger } from '@socketsecurity/registry/lib/logger'\nimport { select } from '@socketsecurity/registry/lib/prompts'\n\nimport { fetchOrganization } from '../organization/fetch-organization-list.mts'\n\nexport async function suggestOrgSlug(): Promise<string \| void> {\n const orgsCResult = await fetchOrganization()\n if (!orgsCResult.ok) {\n logger.fail(\n 'Failed to lookup organization list from API, unable to suggest',\n )\n return undefined\n }\n\n // Ignore a failed request here. It was not the primary goal of\n // running this command and reporting it only leads to end-user confusion.\n const { organizations } = orgsCResult.data\n const proceed = await select<string>({\n message:\n 'Missing org name; do you want to use any of these orgs for this scan?',\n choices: [\n ...Object.values(organizations).map(o => {\n const name = o.name ?? o.slug\n return {\n name: `Yes [${name}]`,\n value: name,\n description: `Use \"${name}\" as the organization`,\n }\n }),\n {\n name: 'No',\n value: '',\n description:\n 'Do not use any of these organizations (will end in a no-op)',\n },\n ],\n })\n\n if (proceed) {\n return proceed\n }\n return undefined\n}\n","import { logger } from '@socketsecurity/registry/lib/logger'\nimport { select } from '@socketsecurity/registry/lib/prompts'\n\nimport { getConfigValue, updateConfigValue } from '../../utils/config.mts'\n\nexport async function suggestToPersistOrgSlug(orgSlug: string): Promise<void> {\n const skipAsk = getConfigValue('skipAskToPersistDefaultOrg')\n if (!skipAsk.ok \|\| skipAsk.data) {\n // Don't ask to store it when disabled before, or when reading config fails.\n return\n }\n\n const result = await select<string>({\n message: `Would you like to use this org (${orgSlug}) as the default org for future calls?`,\n choices: [\n {\n name: 'Yes',\n value: 'yes',\n description: 'Stores it in your config',\n },\n {\n name: 'No',\n value: 'no',\n description: 'Do not persist this org as default org',\n },\n {\n name: \"No and don't ask again\",\n value: 'sush',\n description:\n 'Do not store as default org and do not ask again to persist it',\n },\n ],\n })\n if (result === 'yes') {\n const updateResult = updateConfigValue('defaultOrg', orgSlug)\n if (updateResult.ok) {\n logger.success('Updated default org config to:', orgSlug)\n } else {\n logger.fail(\n '(Non blocking) Failed to update default org in config:',\n updateResult.cause,\n )\n }\n } else if (result === 'sush') {\n const updateResult = updateConfigValue('skipAskToPersistDefaultOrg', true)\n if (updateResult.ok) {\n logger.info('Default org not changed. Will not ask to persist again.')\n } else {\n logger.fail(\n `(Non blocking) Failed to store preference; will ask to persist again next time. Reason: ${updateResult.cause}`,\n )\n }\n }\n}\n","import { logger } from '@socketsecurity/registry/lib/logger'\n\nimport { getConfigValueOrUndef } from './config.mts'\nimport { suggestOrgSlug } from '../commands/scan/suggest-org-slug.mts'\nimport { suggestToPersistOrgSlug } from '../commands/scan/suggest-to-persist-orgslug.mts'\n\nexport async function determineOrgSlug(\n orgFlag: string,\n interactive: boolean,\n dryRun: boolean,\n): Promise<[string, string \| undefined]> {\n const defaultOrgSlug = getConfigValueOrUndef('defaultOrg')\n let orgSlug = String(orgFlag \|\| defaultOrgSlug \|\| '')\n if (!orgSlug) {\n if (!interactive) {\n logger.warn(\n 'Note: This command requires an org slug because the remote API endpoint does.',\n )\n logger.warn('')\n logger.warn(\n 'It seems no default org was setup and the `--org` flag was not used.',\n )\n logger.warn(\n \"Additionally, `--no-interactive` was set so we can't ask for it.\",\n )\n logger.warn(\n 'Since v1.0.0 the org _argument_ for all commands was dropped in favor of an',\n )\n logger.warn(\n 'implicit default org setting, which will be setup when you run `socket login`.',\n )\n logger.warn('')\n logger.warn(\n 'Note: When running in CI, you probably want to set the `--org` flag.',\n )\n logger.warn('')\n logger.warn(\n 'For details, see: https://docs.socket.dev/docs/v1-migration-guide',\n )\n logger.warn('')\n logger.warn(\n 'This command will exit now because the org slug is required to proceed.',\n )\n return ['', undefined]\n }\n\n // ask from server\n logger.warn(\n 'Unable to determine the target org. Trying to auto-discover it now...',\n )\n logger.info(\n 'Note: you can run `socket login` to set a default org. You can also override it with the --org flag.',\n )\n logger.error('') // spacing in stderr\n if (dryRun) {\n logger.fail('Skipping auto-discovery of org in dry-run mode')\n } else {\n orgSlug = (await suggestOrgSlug()) \|\| ''\n\n if (orgSlug) {\n await suggestToPersistOrgSlug(orgSlug)\n }\n }\n }\n\n return [orgSlug, defaultOrgSlug]\n}\n","import { debugFn } from '@socketsecurity/registry/lib/debug'\n\nimport constants from '../../constants.mts'\nimport { getConfigValueOrUndef } from '../../utils/config.mts'\nimport { fetchOrganization } from '../organization/fetch-organization-list.mts'\n\nimport type { CResult } from '../../types.mts'\n\n// Use the config defaultOrg when set, otherwise discover from remote.\nexport async function getDefaultOrgSlug(): Promise<CResult<string>> {\n const defaultOrgResult = getConfigValueOrUndef('defaultOrg')\n if (defaultOrgResult) {\n debugFn('notice', 'use: default org', defaultOrgResult)\n return { ok: true, data: defaultOrgResult }\n }\n\n // Lazily access constants.ENV.SOCKET_CLI_ORG_SLUG.\n const envOrgSlug = constants.ENV.SOCKET_CLI_ORG_SLUG\n if (envOrgSlug) {\n debugFn('notice', 'use: org from environment variable', envOrgSlug)\n return { ok: true, data: envOrgSlug }\n }\n\n const orgsCResult = await fetchOrganization()\n if (!orgsCResult.ok) {\n return orgsCResult\n }\n\n const { organizations } = orgsCResult.data\n const keys = Object.keys(organizations)\n if (!keys.length) {\n return {\n ok: false,\n message: 'Failed to establish identity',\n data: `API did not return any organization associated with the current API token. Unable to continue.`,\n }\n }\n\n const slug = (organizations as any)[keys[0]!]?.name ?? undefined\n if (!slug) {\n return {\n ok: false,\n message: 'Failed to establish identity',\n data: `Was unable to determine the default organization for the current API token. Unable to continue.`,\n }\n }\n\n debugFn('notice', 'resolve: org', slug)\n\n return {\n ok: true,\n message: 'Retrieved default org from server',\n data: slug,\n }\n}\n","import { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\nimport { isSpawnError, spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\nimport type { SpawnOptions } from '@socketsecurity/registry/lib/spawn'\n\nexport async function getBaseBranch(cwd = process.cwd()): Promise<string> {\n // Lazily access constants.ENV properties.\n const { GITHUB_BASE_REF, GITHUB_REF_NAME, GITHUB_REF_TYPE } = constants.ENV\n // 1. In a pull request, this is always the base branch.\n if (GITHUB_BASE_REF) {\n return GITHUB_BASE_REF\n }\n // 2. If it's a branch (not a tag), GITHUB_REF_TYPE should be 'branch'.\n if (GITHUB_REF_TYPE === 'branch' && GITHUB_REF_NAME) {\n return GITHUB_REF_NAME\n }\n // 3. Try to resolve the default remote branch using 'git remote show origin'.\n // This handles detached HEADs or workflows triggered by tags/releases.\n try {\n const originDetails = (\n await spawn('git', ['remote', 'show', 'origin'], { cwd })\n ).stdout\n\n const match = /(?<=HEAD branch: ).+/.exec(originDetails)\n if (match?.[0]) {\n return match[0].trim()\n }\n } catch {}\n // GitHub and GitLab default to branch name \"main\"\n // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch\n return 'main'\n}\n\nexport type RepoInfo = {\n owner: string\n repo: string\n}\n\nexport async function getRepoInfo(\n cwd = process.cwd(),\n): Promise<RepoInfo \| null> {\n let info = null\n try {\n const remoteUrl = (\n await spawn('git', ['remote', 'get-url', 'origin'], { cwd })\n ).stdout\n info = parseGitRemoteUrl(remoteUrl)\n if (!info) {\n debugFn('error', 'git: unmatched git remote URL format')\n debugDir('inspect', { remoteUrl })\n }\n } catch (e) {\n debugFn('error', 'caught: `git remote get-url origin` failed')\n debugDir('inspect', { error: e })\n }\n return info\n}\n\nexport async function getRepoName(cwd = process.cwd()): Promise<string \| null> {\n const repoInfo = await getRepoInfo(cwd)\n return repoInfo?.repo ?? null\n}\n\nexport async function getRepoOwner(\n cwd = process.cwd(),\n): Promise<string \| null> {\n const repoInfo = await getRepoInfo(cwd)\n return repoInfo?.owner ?? null\n}\n\nexport async function gitBranch(cwd = process.cwd()): Promise<string \| null> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n // Try symbolic-ref first which returns the branch name or fails in a\n // detached HEAD state.\n try {\n return (\n await spawn('git', ['symbolic-ref', '--short', 'HEAD'], stdioPipeOptions)\n ).stdout\n } catch {}\n // Fallback to using rev-parse to get the short commit hash in a\n // detached HEAD state.\n try {\n return (\n await spawn('git', ['rev-parse', '--short', 'HEAD'], stdioPipeOptions)\n ).stdout\n } catch {}\n return null\n}\n\nexport type GitCreateAndPushBranchOptions = {\n cwd?: string \| undefined\n email?: string \| undefined\n user?: string \| undefined\n}\n\nexport async function gitCleanFdx(cwd = process.cwd()): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = '`git clean -fdx`'\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['clean', '-fdx'], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitCheckoutBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git checkout ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['checkout', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitCreateBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n if (await gitLocalBranchExists(branch)) {\n return true\n }\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git branch ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['branch', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitPushBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git push --force --set-upstream origin ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn(\n 'git',\n ['push', '--force', '--set-upstream', 'origin', branch],\n stdioIgnoreOptions,\n )\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n if (isSpawnError(e) && e.code === 128) {\n debugFn(\n 'error',\n \"denied: token requires write permissions for 'contents' and 'pull-requests'\",\n )\n }\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitCommit(\n commitMsg: string,\n filepaths: string[],\n options?: GitCreateAndPushBranchOptions \| undefined,\n): Promise<boolean> {\n if (!filepaths.length) {\n debugFn('notice', `miss: no filepaths to add`)\n return false\n }\n const {\n cwd = process.cwd(),\n // Lazily access constants.ENV.SOCKET_CLI_GIT_USER_EMAIL.\n email = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL,\n // Lazily access constants.ENV.SOCKET_CLI_GIT_USER_NAME.\n user = constants.ENV.SOCKET_CLI_GIT_USER_NAME,\n } = { __proto__: null, ...options } as GitCreateAndPushBranchOptions\n\n await gitEnsureIdentity(user, email, cwd)\n\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedAddCmd = `\\`git add ${filepaths.join(' ')}\\``\n debugFn('stdio', `spawn: ${quotedAddCmd}`)\n try {\n await spawn('git', ['add', ...filepaths], stdioIgnoreOptions)\n } catch (e) {\n debugFn('error', `caught: ${quotedAddCmd} failed`)\n debugDir('inspect', { error: e })\n }\n\n const quotedCommitCmd = `\\`git commit -m ${commitMsg}\\``\n debugFn('stdio', `spawn: ${quotedCommitCmd}`)\n try {\n await spawn('git', ['commit', '-m', commitMsg], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCommitCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitDeleteBranch(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git branch -D ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n // Will throw with exit code 1 if branch does not exist.\n await spawn('git', ['branch', '-D', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n return false\n}\n\nexport async function gitEnsureIdentity(\n name: string,\n email: string,\n cwd = process.cwd(),\n): Promise<void> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n const identEntries: Array<[string, string]> = [\n ['user.email', name],\n ['user.name', email],\n ]\n await Promise.all(\n identEntries.map(async ({ 0: prop, 1: value }) => {\n let configValue\n {\n const quotedCmd = `\\`git config --get ${prop}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n // Will throw with exit code 1 if the config property is not set.\n configValue = (\n await spawn('git', ['config', '--get', prop], stdioPipeOptions)\n ).stdout\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n }\n if (configValue !== value) {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git config ${prop} ${value}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['config', prop, value], stdioIgnoreOptions)\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n }\n }),\n )\n}\n\nexport async function gitLocalBranchExists(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git show-ref --quiet refs/heads/${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n // Will throw with exit code 1 if the branch does not exist.\n await spawn(\n 'git',\n ['show-ref', '--quiet', `refs/heads/${branch}`],\n stdioIgnoreOptions,\n )\n return true\n } catch (e) {\n if (isDebug('stdio')) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n }\n return false\n}\n\nexport async function gitRemoteBranchExists(\n branch: string,\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n try {\n return (\n (\n await spawn(\n 'git',\n ['ls-remote', '--heads', 'origin', branch],\n stdioPipeOptions,\n )\n ).stdout.length > 0\n )\n } catch {}\n return false\n}\n\nexport async function gitResetAndClean(\n branch = 'HEAD',\n cwd = process.cwd(),\n): Promise<void> {\n // Discards tracked changes.\n await gitResetHard(branch, cwd)\n // Deletes all untracked files and directories.\n await gitCleanFdx(cwd)\n}\n\nexport async function gitResetHard(\n branch = 'HEAD',\n cwd = process.cwd(),\n): Promise<boolean> {\n const stdioIgnoreOptions: SpawnOptions = {\n cwd,\n stdio: isDebug('stdio') ? 'inherit' : 'ignore',\n }\n const quotedCmd = `\\`git reset --hard ${branch}\\``\n debugFn('stdio', `spawn: ${quotedCmd}`)\n try {\n await spawn('git', ['reset', '--hard', branch], stdioIgnoreOptions)\n return true\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n }\n return false\n}\n\nexport async function gitUnstagedModifiedFiles(\n cwd = process.cwd(),\n): Promise<CResult<string[]>> {\n const stdioPipeOptions: SpawnOptions = { cwd }\n const quotedCmd = `\\`git diff --name-only\\``\n try {\n const changedFilesDetails = (\n await spawn('git', ['diff', '--name-only'], stdioPipeOptions)\n ).stdout\n const relPaths = changedFilesDetails.split('\\n')\n return {\n ok: true,\n data: relPaths.map(p => normalizePath(p)),\n }\n } catch (e) {\n debugFn('error', `caught: ${quotedCmd} failed`)\n debugDir('inspect', { error: e })\n return {\n ok: false,\n message: 'Git Error',\n cause: 'Unexpected error while trying to ask git whether repo is dirty',\n }\n }\n}\n\nconst parsedGitRemoteUrlCache = new Map<string, RepoInfo \| null>()\n\nexport function parseGitRemoteUrl(remoteUrl: string): RepoInfo \| null {\n let result = parsedGitRemoteUrlCache.get(remoteUrl) ?? null\n if (result) {\n return { ...result }\n }\n // Handle SSH-style\n const sshMatch = /^git@[^:]+:([^/]+)\\/(.+?)(?:\\.git)?$/.exec(remoteUrl)\n // 1. Handle SSH-style, e.g. git@github.com:owner/repo.git\n if (sshMatch) {\n result = { owner: sshMatch[1]!, repo: sshMatch[2]! }\n } else {\n // 2. Handle HTTPS/URL-style, e.g. https://github.com/owner/repo.git\n try {\n const parsed = new URL(remoteUrl)\n // Remove leading slashes from pathname and split by \"/\" to extract segments.\n const segments = parsed.pathname.replace(/^\\/+/, '').split('/')\n // The second-to-last segment is expected to be the owner (e.g., \"owner\" in /owner/repo.git).\n const owner = segments.at(-2)\n // The last segment is expected to be the repo name, so we remove the \".git\" suffix if present.\n const repo = segments.at(-1)?.replace(/\\.git$/, '')\n if (owner && repo) {\n result = { owner, repo }\n }\n } catch {}\n }\n parsedGitRemoteUrlCache.set(remoteUrl, result)\n return result ? { ...result } : result\n}\n","import { PackageURL } from '@socketregistry/packageurl-js'\n\nimport type { PURL_Type, SocketArtifact } from './alert/artifact.mts'\n\nexport function getPurlObject(purl: string): PackageURL & { type: PURL_Type }\nexport function getPurlObject(\n purl: PackageURL,\n): PackageURL & { type: PURL_Type }\nexport function getPurlObject(\n purl: SocketArtifact,\n): SocketArtifact & { type: PURL_Type }\nexport function getPurlObject(\n purl: string \| PackageURL \| SocketArtifact,\n): (PackageURL \| SocketArtifact) & { type: PURL_Type }\nexport function getPurlObject(\n purl: string \| PackageURL \| SocketArtifact,\n): (PackageURL \| SocketArtifact) & { type: PURL_Type } {\n return typeof purl === 'string'\n ? (PackageURL.fromString(purl) as PackageURL & { type: PURL_Type })\n : (purl as (PackageURL \| SocketArtifact) & { type: PURL_Type })\n}\n","import constants from '../constants.mts'\nimport { getPurlObject } from './purl.mts'\n\nimport type { PURL_Type, SocketArtifact } from './alert/artifact.mts'\nimport type { PackageURL } from '@socketregistry/packageurl-js'\n\nconst { SOCKET_WEBSITE_URL } = constants\n\nexport function getPkgFullNameFromPurl(\n purl: string \| PackageURL \| SocketArtifact,\n): string {\n const purlObj = getPurlObject(purl)\n const { name, namespace } = purlObj\n return namespace\n ? `${namespace}${purlObj.type === 'maven' ? ':' : '/'}${name}`\n : name!\n}\n\nexport function getSocketDevAlertUrl(alertType: string): string {\n return `${SOCKET_WEBSITE_URL}/alerts/${alertType}`\n}\n\nexport function getSocketDevPackageOverviewUrlFromPurl(\n purl: string \| PackageURL \| SocketArtifact,\n): string {\n const purlObj = getPurlObject(purl)\n const fullName = getPkgFullNameFromPurl(purlObj)\n return getSocketDevPackageOverviewUrl(purlObj.type, fullName, purlObj.version)\n}\n\nexport function getSocketDevPackageOverviewUrl(\n ecosystem: PURL_Type,\n fullName: string,\n version?: string \| undefined,\n): string {\n const url = `${SOCKET_WEBSITE_URL}/${ecosystem}/package/${fullName}`\n return ecosystem === 'golang'\n ? `${url}${version ? `?section=overview&version=${version}` : ''}`\n : `${url}${version ? `/overview/${version}` : ''}`\n}\n","interface NestedRecord<T> {\n [key: string]: T \| NestedRecord<T>\n}\n\n/*\n Convert a Map<string, Map\|string> to a nested object of similar shape.\n * The goal is to serialize it with JSON.stringify, which Map can't do.\n /\nexport function mapToObject<T>(\n map: Map<string, T \| Map<string, T \| Map<string, T>>>,\n): NestedRecord<T> {\n return Object.fromEntries(\n Array.from(map.entries()).map(([k, v]) => [\n k,\n v instanceof Map ? mapToObject(v) : v,\n ]),\n )\n}\n","type NestedMap<T> = Map<string, T \| NestedMap<T>>\n\nexport function walkNestedMap<T>(\n map: NestedMap<T>,\n keys: string[] = [],\n): Generator<{ keys: string[]; value: T }> {\n for (const [key, value] of map.entries()) {\n if (value instanceof Map) {\n yield* walkNestedMap(value as NestedMap<T>, keys.concat(key))\n } else {\n yield { keys: keys.concat(key), value: value }\n }\n }\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\n\nimport which from 'which'\n\nimport { resolveBinPathSync } from '@socketsecurity/registry/lib/npm'\n\nimport constants from '../constants.mts'\nimport { safeStatsSync } from './fs.mts'\nimport {\n filterBySupportedScanFiles,\n globWithGitIgnore,\n pathsToGlobPatterns,\n} from './glob.mts'\n\nimport type { SocketYml } from '@socketsecurity/config'\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\n\nexport function findBinPathDetailsSync(binName: string): {\n name: string\n path: string \| undefined\n shadowed: boolean\n} {\n const binPaths =\n which.sync(binName, {\n all: true,\n nothrow: true,\n }) ?? []\n // Lazily access constants.shadowBinPath.\n const { shadowBinPath } = constants\n let shadowIndex = -1\n let theBinPath: string \| undefined\n for (let i = 0, { length } = binPaths; i < length; i += 1) {\n const binPath = binPaths[i]!\n // Skip our bin directory if it's in the front.\n if (path.dirname(binPath) === shadowBinPath) {\n shadowIndex = i\n } else {\n theBinPath = resolveBinPathSync(binPath)\n break\n }\n }\n return { name: binName, path: theBinPath, shadowed: shadowIndex !== -1 }\n}\n\nexport function findNpmPathSync(npmBinPath: string): string \| undefined {\n // Lazily access constants.WIN32.\n const { WIN32 } = constants\n let thePath = npmBinPath\n while (true) {\n const libNmNpmPath = path.join(thePath, 'lib/node_modules/npm')\n // mise puts its npm bin in a path like:\n // /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/bin/npm.\n // HOWEVER, the location of the npm install is:\n // /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/lib/node_modules/npm.\n if (\n // Use existsSync here because statsSync, even with { throwIfNoEntry: false },\n // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.\n // See https://github.com/nodejs/node/issues/56993.\n existsSync(libNmNpmPath) &&\n safeStatsSync(libNmNpmPath)?.isDirectory()\n ) {\n thePath = path.join(libNmNpmPath, 'npm')\n }\n const nmPath = path.join(thePath, 'node_modules')\n if (\n // npm bin paths may look like:\n // /usr/local/share/npm/bin/npm\n // /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm\n // C:\\Users\\SomeUsername\\AppData\\Roaming\\npm\\bin\\npm.cmd\n // OR\n // C:\\Program Files\\nodejs\\npm.cmd\n //\n // In practically all cases the npm path contains a node_modules folder:\n // /usr/local/share/npm/bin/npm/node_modules\n // C:\\Program Files\\nodejs\\node_modules\n existsSync(nmPath) &&\n safeStatsSync(nmPath)?.isDirectory() &&\n // Optimistically look for the default location.\n (path.basename(thePath) === 'npm' \|\|\n // Chocolatey installs npm bins in the same directory as node bins.\n (WIN32 && existsSync(path.join(thePath, 'npm.cmd'))))\n ) {\n return thePath\n }\n const parent = path.dirname(thePath)\n if (parent === thePath) {\n return undefined\n }\n thePath = parent\n }\n}\n\nexport type PackageFilesForScanOptions = {\n cwd?: string \| undefined\n config?: SocketYml \| undefined\n}\n\nexport async function getPackageFilesForScan(\n inputPaths: string[],\n supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],\n options?: PackageFilesForScanOptions \| undefined,\n): Promise<string[]> {\n const { config: socketConfig, cwd = process.cwd() } = {\n __proto__: null,\n ...options,\n } as PackageFilesForScanOptions\n\n const filepaths = await globWithGitIgnore(pathsToGlobPatterns(inputPaths), {\n cwd,\n socketConfig,\n })\n\n return filterBySupportedScanFiles(filepaths!, supportedFiles)\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\n\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport type { CResult } from '../types.mts'\n\nexport interface SocketJson {\n ' _____ _ _ ': string\n '\| __\|___ ___\| \|_ ___\| \|_ ': string\n \"\|__ \| . \| _\| '_\| -_\| _\| \": string\n '\|_____\|___\|___\|_,_\|___\|_\|.dev': string\n version: number\n\n defaults?: {\n manifest?: {\n conda?: {\n disabled?: boolean\n infile?: string\n outfile?: string\n stdin?: boolean\n stdout?: boolean\n target?: string\n verbose?: boolean\n }\n gradle?: {\n disabled?: boolean\n bin?: string\n gradleOpts?: string\n verbose?: boolean\n }\n sbt?: {\n disabled?: boolean\n infile?: string\n stdin?: boolean\n bin?: string\n outfile?: string\n sbtOpts?: string\n stdout?: boolean\n verbose?: boolean\n }\n }\n scan?: {\n create?: {\n autoManifest?: boolean\n repo?: string\n report?: boolean\n branch?: string\n }\n github?: {\n all?: boolean\n githubApiUrl?: string\n orgGithub?: string\n repos?: string\n }\n }\n }\n}\n\nexport async function readOrDefaultSocketJson(cwd: string) {\n const result = await readSocketJson(cwd, true)\n if (result.ok) {\n return result.data\n }\n // This should be unreachable but it makes TS happy\n return getDefaultSocketJson()\n}\n\nexport function getDefaultSocketJson(): SocketJson {\n return {\n ' _____ _ _ ':\n 'Local config file for Socket CLI tool ( https://npmjs.org/socket ), to work with https://socket.dev',\n '\| __\|___ ___\| \|_ ___\| \|_ ':\n ' The config in this file is used to set as defaults for flags or command args when using the CLI',\n \"\|__ \| . \| _\| '_\| -_\| _\| \":\n ' in this dir, often a repo root. You can choose commit or .ignore this file, both works.',\n '\|_____\|___\|___\|_,_\|___\|_\|.dev':\n 'Warning: This file may be overwritten without warning by `socket manifest setup` or other commands',\n version: 1,\n }\n}\n\nexport async function readSocketJson(\n cwd: string,\n defaultOnError = false,\n): Promise<CResult<SocketJson>> {\n const sockJsonPath = path.join(cwd, 'socket.json')\n if (!fs.existsSync(sockJsonPath)) {\n debugFn('notice', `miss: file not found ${sockJsonPath}`)\n return { ok: true, data: getDefaultSocketJson() }\n }\n\n let json = null\n try {\n json = await fs.promises.readFile(sockJsonPath, 'utf8')\n } catch (e) {\n debugDir('inspect', { error: e })\n\n if (defaultOnError) {\n logger.warn('Warning: failed to read file, using default')\n return { ok: true, data: getDefaultSocketJson() }\n }\n const msg = (e as { message: string })?.message \|\| '(none)'\n return {\n ok: false,\n message: 'Failed to read file',\n cause: `An error was thrown while trying to read your socket.json: ${msg}`,\n }\n }\n\n let obj\n try {\n obj = JSON.parse(json)\n } catch {\n debugFn('error', 'fail: parse JSON')\n debugDir('inspect', { json })\n\n if (defaultOnError) {\n logger.warn('Warning: failed to parse file, using default')\n return { ok: true, data: getDefaultSocketJson() }\n }\n\n return {\n ok: false,\n message: 'Failed to parse socket.json',\n cause: 'socket.json does not contain valid JSON, please verify',\n }\n }\n\n if (!obj) {\n logger.warn('Warning: file contents was empty, using default')\n return { ok: true, data: getDefaultSocketJson() }\n }\n\n // Do we really care to validate? All properties are optional so code will have\n // to check every step of the way regardless. Who cares about validation here...?\n\n return { ok: true, data: obj }\n}\n\nexport async function writeSocketJson(\n cwd: string,\n sockJson: SocketJson,\n): Promise<CResult<undefined>> {\n let json = ''\n try {\n json = JSON.stringify(sockJson, null, 2)\n } catch (e) {\n debugFn('error', 'fail: stringify JSON')\n debugDir('inspect', { error: e })\n debugDir('inspect', { sockJson })\n return {\n ok: false,\n message: 'Failed to serialize to JSON',\n cause:\n 'There was an unexpected problem converting the socket json object to a JSON string. Unable to store it.',\n }\n }\n\n const filepath = path.join(cwd, 'socket.json')\n await fs.promises.writeFile(filepath, json + '\\n', 'utf8')\n\n return { ok: true, data: undefined }\n}\n","const helpFlags = new Set(['--help', '-h'])\n\nexport function cmdFlagsToString(args: string[]) {\n const result = []\n for (let i = 0, { length } = args; i < length; i += 1) {\n if (args[i]!.startsWith('--')) {\n // Check if the next item exists and is NOT another flag.\n if (i + 1 < length && !args[i + 1]!.startsWith('--')) {\n result.push(`${args[i]}=${args[i + 1]}`)\n i += 1\n } else {\n result.push(args[i])\n }\n }\n }\n return result.join(' ')\n}\n\nexport function cmdFlagValueToArray(flagValue: any): string[] {\n if (typeof flagValue === 'string') {\n return flagValue.trim().split(/, /)\n }\n if (Array.isArray(flagValue)) {\n return flagValue.flatMap(v => v.split(/, /))\n }\n return []\n}\n\nexport function cmdPrefixMessage(cmdName: string, text: string): string {\n const cmdPrefix = cmdName ? `${cmdName}: ` : ''\n return `${cmdPrefix}${text}`\n}\n\nexport function isHelpFlag(cmdArg: string) {\n return helpFlags.has(cmdArg)\n}\n","import { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport constants from '../constants.mts'\nimport { getDefaultToken } from './sdk.mts'\nimport { getDefaultOrgSlug } from '../commands/ci/fetch-default-org-slug.mts'\n\nimport type { CResult } from '../types.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport async function spawnCoana(\n args: string[] \| readonly string[],\n options?: SpawnOptions \| undefined,\n extra?: SpawnExtra \| undefined,\n): Promise<CResult<unknown>> {\n const { env: spawnEnv } = { __proto__: null, ...options } as SpawnOptions\n const orgSlugCResult = await getDefaultOrgSlug()\n const SOCKET_CLI_API_TOKEN = getDefaultToken()\n const SOCKET_ORG_SLUG = orgSlugCResult.ok ? orgSlugCResult.data : undefined\n try {\n const output = await spawn(\n constants.execPath,\n [\n // Lazily access constants.nodeNoWarningsFlags.\n ...constants.nodeNoWarningsFlags,\n // Lazily access constants.nodeMemoryFlags.\n ...constants.nodeMemoryFlags,\n // Lazily access constants.coanaBinPath.\n constants.coanaBinPath,\n ...args,\n ],\n {\n ...options,\n env: {\n ...process.env,\n // Lazily access constants.processEnv.\n ...constants.processEnv,\n SOCKET_CLI_API_TOKEN,\n SOCKET_ORG_SLUG,\n ...spawnEnv,\n },\n },\n extra,\n )\n return { ok: true, data: output.stdout }\n } catch (e) {\n const stderr = (e as any)?.stderr\n const message = stderr ? stderr : (e as Error)?.message\n return { ok: false, data: e, message }\n }\n}\n","import { existsSync } from 'node:fs'\nimport Module from 'node:module'\nimport path from 'node:path'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants from '../constants.mts'\nimport { findBinPathDetailsSync, findNpmPathSync } from './path-resolve.mts'\n\nconst { NODE_MODULES, NPM, NPX, SOCKET_CLI_ISSUES_URL } = constants\n\nfunction exitWithBinPathError(binName: string): never {\n logger.fail(\n `Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`,\n )\n // The exit code 127 indicates that the command or binary being executed\n // could not be found.\n // eslint-disable-next-line n/no-process-exit\n process.exit(127)\n}\n\nlet _npmBinPath: string \| undefined\nexport function getNpmBinPath(): string {\n if (_npmBinPath === undefined) {\n _npmBinPath = getNpmBinPathDetails().path\n if (!_npmBinPath) {\n exitWithBinPathError(NPM)\n }\n }\n return _npmBinPath\n}\n\nlet _npmBinPathDetails: ReturnType<typeof findBinPathDetailsSync> \| undefined\nfunction getNpmBinPathDetails(): ReturnType<typeof findBinPathDetailsSync> {\n if (_npmBinPathDetails === undefined) {\n _npmBinPathDetails = findBinPathDetailsSync(NPM)\n }\n return _npmBinPathDetails\n}\n\nlet _npmPath: string \| undefined\nexport function getNpmPath() {\n if (_npmPath === undefined) {\n const npmBinPath = getNpmBinPath()\n _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined\n if (!_npmPath) {\n let message = 'Unable to find npm CLI install directory.'\n if (npmBinPath) {\n message += `\\nSearched parent directories of ${path.dirname(npmBinPath)}.`\n }\n message += `\\n\\nThis is may be a bug with socket-npm related to changes to the npm CLI.\\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`\n logger.fail(message)\n // The exit code 127 indicates that the command or binary being executed\n // could not be found.\n // eslint-disable-next-line n/no-process-exit\n process.exit(127)\n }\n }\n return _npmPath\n}\n\nlet _npmRequire: NodeJS.Require \| undefined\nexport function getNpmRequire(): NodeJS.Require {\n if (_npmRequire === undefined) {\n const npmPath = getNpmPath()\n const npmNmPath = path.join(npmPath, NODE_MODULES, NPM)\n _npmRequire = Module.createRequire(\n path.join(\n existsSync(npmNmPath) ? npmNmPath : npmPath,\n '<dummy-basename>',\n ),\n )\n }\n return _npmRequire\n}\n\nlet _npxBinPath: string \| undefined\nexport function getNpxBinPath(): string {\n if (_npxBinPath === undefined) {\n _npxBinPath = getNpxBinPathDetails().path\n if (!_npxBinPath) {\n exitWithBinPathError(NPX)\n }\n }\n return _npxBinPath\n}\n\nlet _npxBinPathDetails: ReturnType<typeof findBinPathDetailsSync> \| undefined\nfunction getNpxBinPathDetails(): ReturnType<typeof findBinPathDetailsSync> {\n if (_npxBinPathDetails === undefined) {\n _npxBinPathDetails = findBinPathDetailsSync(NPX)\n }\n return _npxBinPathDetails\n}\n\nexport function isNpmBinPathShadowed() {\n return getNpmBinPathDetails().shadowed\n}\n\nexport function isNpxBinPathShadowed() {\n return getNpxBinPathDetails().shadowed\n}\n","import constants from '../../constants.mts'\n\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { components, operations } from '@socketsecurity/sdk/types/api'\n\nexport type ALERT_ACTION = 'error' \| 'monitor' \| 'warn' \| 'ignore'\n\nexport type ALERT_TYPE = keyof NonNullable<\n operations['getOrgSecurityPolicy']['responses']['200']['content']['application/json']['securityPolicyRules']\n>\n\nexport type CVE_ALERT_TYPE = 'cve' \| 'mediumCVE' \| 'mildCVE' \| 'criticalCVE'\n\nexport type ArtifactAlertCve = Remap<\n Omit<CompactSocketArtifactAlert, 'type'> & {\n type: CVE_ALERT_TYPE\n }\n>\n\nexport type ArtifactAlertCveFixable = Remap<\n Omit<CompactSocketArtifactAlert, 'props' \| 'type'> & {\n type: CVE_ALERT_TYPE\n props: CveProps\n }\n>\n\nexport type ArtifactAlertUpgrade = Remap<\n Omit<CompactSocketArtifactAlert, 'type'> & {\n type: 'socketUpgradeAvailable'\n }\n>\n\nexport type CompactSocketArtifactAlert = Remap<\n Omit<SocketArtifactAlert, 'category' \| 'end' \| 'file' \| 'start'>\n>\n\nexport type CompactSocketArtifact = Remap<\n Omit<SocketArtifact, 'alerts' \| 'batchIndex' \| 'size'> & {\n alerts: CompactSocketArtifactAlert[]\n }\n>\n\nexport type CveProps = {\n firstPatchedVersionIdentifier?: string\n vulnerableVersionRange: string\n [key: string]: any\n}\n\nexport type PURL_Type = components['schemas']['SocketPURL_Type']\n\nexport type SocketArtifact = Remap<\n Omit<components['schemas']['SocketArtifact'], 'alerts'> & {\n alerts?: SocketArtifactAlert[]\n }\n>\n\nexport type SocketArtifactAlert = Remap<\n Omit<components['schemas']['SocketAlert'], 'action' \| 'props' \| 'type'> & {\n type: ALERT_TYPE\n action?: 'error' \| 'monitor' \| 'warn' \| 'ignore'\n props?: any \| undefined\n }\n>\n\nconst {\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n} = constants\n\nexport function isArtifactAlertCve(\n alert: CompactSocketArtifactAlert,\n): alert is ArtifactAlertCve {\n const { type } = alert\n return (\n type === ALERT_TYPE_CVE \|\|\n type === ALERT_TYPE_MEDIUM_CVE \|\|\n type === ALERT_TYPE_MILD_CVE \|\|\n type === ALERT_TYPE_CRITICAL_CVE\n )\n}\n","export function createEnum<const T extends Record<string, any>>(\n obj: T,\n): Readonly<T> {\n return Object.freeze({ __proto__: null, ...obj }) as any\n}\n\nexport function pick<T extends Record<string, any>, K extends keyof T>(\n input: T,\n keys: K[] \| readonly K[],\n): Pick<T, K> {\n const result: Partial<Pick<T, K>> = {}\n for (const key of keys) {\n result[key] = input[key]\n }\n return result as Pick<T, K>\n}\n","import { createEnum } from '../objects.mts'\n\nexport const ALERT_FIX_TYPE = createEnum({\n cve: 'cve',\n remove: 'remove',\n upgrade: 'upgrade',\n})\n","import { createEnum, pick } from '../objects.mts'\nimport { stringJoinWithSeparateFinalSeparator } from '../strings.mts'\n\nimport type { SocketSdkSuccessResult } from '@socketsecurity/sdk'\n\nexport const ALERT_SEVERITY = createEnum({\n critical: 'critical',\n high: 'high',\n middle: 'middle',\n low: 'low',\n})\n\nexport type SocketSdkAlertList =\n SocketSdkSuccessResult<'getIssuesByNPMPackage'>['data']\n\nexport type SocketSdkAlert = SocketSdkAlertList[number]['value'] extends\n \| infer U\n \| undefined\n ? U\n : never\n\n// Ordered from most severe to least.\nexport const ALERT_SEVERITIES_SORTED: ReadonlyArray<\n SocketSdkAlert['severity']\n> = Object.freeze(['critical', 'high', 'middle', 'low'])\n\nfunction getDesiredSeverities(\n lowestToInclude: SocketSdkAlert['severity'] \| undefined,\n): Array<SocketSdkAlert['severity']> {\n const result: Array<SocketSdkAlert['severity']> = []\n for (const severity of ALERT_SEVERITIES_SORTED) {\n result.push(severity)\n if (severity === lowestToInclude) {\n break\n }\n }\n return result\n}\n\nexport function formatSeverityCount(\n severityCount: Record<SocketSdkAlert['severity'], number>,\n): string {\n const summary: string[] = []\n for (const severity of ALERT_SEVERITIES_SORTED) {\n if (severityCount[severity]) {\n summary.push(`${severityCount[severity]} ${severity}`)\n }\n }\n return stringJoinWithSeparateFinalSeparator(summary)\n}\n\nexport function getSeverityCount(\n issues: SocketSdkAlertList,\n lowestToInclude: SocketSdkAlert['severity'] \| undefined,\n): Record<SocketSdkAlert['severity'], number> {\n const severityCount = pick(\n { low: 0, middle: 0, high: 0, critical: 0 },\n getDesiredSeverities(lowestToInclude),\n ) as Record<SocketSdkAlert['severity'], number>\n\n for (const issue of issues) {\n const { value } = issue\n if (!value) {\n continue\n }\n const { severity } = value\n if (severityCount[severity] !== undefined) {\n severityCount[severity] += 1\n }\n }\n return severityCount\n}\n","import terminalLink from 'terminal-link'\nimport colors from 'yoctocolors-cjs'\n\nimport indentString from '@socketregistry/indent-string/index.cjs'\n\nexport class ColorOrMarkdown {\n public useMarkdown: boolean\n\n constructor(useMarkdown: boolean) {\n this.useMarkdown = !!useMarkdown\n }\n\n bold(text: string): string {\n return this.useMarkdown ? `${text}` : colors.bold(`${text}`)\n }\n\n header(text: string, level = 1): string {\n return this.useMarkdown\n ? `\\n${''.padStart(level, '#')} ${text}\\n`\n : colors.underline(`\\n${level === 1 ? colors.bold(text) : text}\\n`)\n }\n\n hyperlink(\n text: string,\n url: string \| undefined,\n {\n fallback = true,\n fallbackToUrl,\n }: {\n fallback?: boolean \| undefined\n fallbackToUrl?: boolean \| undefined\n } = {},\n ) {\n if (url) {\n return this.useMarkdown\n ? `[${text}](${url})`\n : terminalLink(text, url, {\n fallback: fallbackToUrl ? (_text, url) => url : fallback,\n })\n }\n return text\n }\n\n indent(\n ...args: Parameters<typeof indentString>\n ): ReturnType<typeof indentString> {\n return indentString(...args)\n }\n\n italic(text: string): string {\n return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`)\n }\n\n json(value: any): string {\n return this.useMarkdown\n ? '```json\\n' + JSON.stringify(value) + '\\n```'\n : JSON.stringify(value)\n }\n\n list(items: string[]): string {\n const indentedContent = items.map(item => this.indent(item).trimStart())\n return this.useMarkdown\n ? `* ${indentedContent.join('\\n* ')}\\n`\n : `${indentedContent.join('\\n')}\\n`\n }\n}\n","import semver from 'semver'\n\nimport type { SemVer } from 'semver'\n\nexport const RangeStyles = [\n 'caret',\n 'gt',\n 'gte',\n 'lt',\n 'lte',\n 'pin',\n 'preserve',\n 'tilde',\n]\n\nexport type RangeStyle =\n \| 'caret'\n \| 'gt'\n \| 'gte'\n \| 'lt'\n \| 'lte'\n \| 'pin'\n \| 'preserve'\n \| 'tilde'\n\nexport type { SemVer }\n\nexport function applyRange(\n refRange: string,\n version: string,\n style: RangeStyle = 'preserve',\n): string {\n switch (style) {\n case 'caret':\n return `^${version}`\n case 'gt':\n return `>${version}`\n case 'gte':\n return `>=${version}`\n case 'lt':\n return `<${version}`\n case 'lte':\n return `<=${version}`\n case 'preserve': {\n const range = new semver.Range(refRange)\n const { raw } = range\n const comparators = range.set.flat()\n const { length } = comparators\n if (length === 1) {\n const char = /^[<>]=?/.exec(raw)?.[0]\n if (char) {\n return `${char}${version}`\n }\n } else if (length === 2) {\n const char = /^[~^]/.exec(raw)?.[0]\n if (char) {\n return `${char}${version}`\n }\n }\n return version\n }\n case 'tilde':\n return `~${version}`\n case 'pin':\n default:\n return version\n }\n}\n\nexport function getMajor(version: unknown): number \| null {\n try {\n const coerced = semver.coerce(version as string)\n return coerced ? semver.major(coerced) : null\n } catch {}\n return null\n}\n\nexport function getMinVersion(range: unknown): SemVer \| null {\n try {\n return semver.minVersion(range as string)\n } catch {}\n return null\n}\n","import { createRequire } from 'node:module'\nimport path from 'node:path'\n\nimport constants from '../constants.mts'\n\nconst require = createRequire(import.meta.url)\n\nlet _translations: typeof import('../../translations.json') \| undefined\n\nexport function getTranslations() {\n if (_translations === undefined) {\n _translations = /@__PURE__/ require(\n // Lazily access constants.rootPath.\n path.join(constants.rootPath, 'translations.json'),\n )\n }\n return _translations!\n}\n","import semver from 'semver'\nimport colors from 'yoctocolors-cjs'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\nimport { getManifestData } from '@socketsecurity/registry'\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { hasOwn } from '@socketsecurity/registry/lib/objects'\nimport { resolvePackageName } from '@socketsecurity/registry/lib/packages'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\n\nimport { isArtifactAlertCve } from './alert/artifact.mts'\nimport { ALERT_FIX_TYPE } from './alert/fix.mts'\nimport { ALERT_SEVERITY } from './alert/severity.mts'\nimport { ColorOrMarkdown } from './color-or-markdown.mts'\nimport { findSocketYmlSync } from './config.mts'\nimport { createEnum } from './objects.mts'\nimport { getPurlObject } from './purl.mts'\nimport { getMajor } from './semver.mts'\nimport { getSocketDevPackageOverviewUrl } from './socket-url.mts'\nimport { getTranslations } from './translations.mts'\n\nimport type {\n ALERT_ACTION,\n ALERT_TYPE,\n CompactSocketArtifact,\n CompactSocketArtifactAlert,\n CveProps,\n PURL_Type,\n} from './alert/artifact.mts'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nexport const ALERT_SEVERITY_COLOR = createEnum({\n critical: 'magenta',\n high: 'red',\n middle: 'yellow',\n low: 'white',\n})\n\nexport const ALERT_SEVERITY_ORDER = createEnum({\n critical: 0,\n high: 1,\n middle: 2,\n low: 3,\n none: 4,\n})\n\nexport type SocketPackageAlert = {\n name: string\n version: string\n key: string\n type: string\n blocked: boolean\n critical: boolean\n ecosystem: PURL_Type\n fixable: boolean\n raw: CompactSocketArtifactAlert\n upgradable: boolean\n}\n\nexport type AlertsByPurl = Map<string, SocketPackageAlert[]>\n\nconst MIN_ABOVE_THE_FOLD_COUNT = 3\n\nconst MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1\n\nconst format = new ColorOrMarkdown(false)\n\nexport type RiskCounts = {\n critical: number\n high: number\n middle: number\n low: number\n}\n\nfunction getHiddenRiskCounts(hiddenAlerts: SocketPackageAlert[]): RiskCounts {\n const riskCounts = {\n critical: 0,\n high: 0,\n middle: 0,\n low: 0,\n }\n for (const alert of hiddenAlerts) {\n switch (getAlertSeverityOrder(alert)) {\n case ALERT_SEVERITY_ORDER.critical:\n riskCounts.critical += 1\n break\n case ALERT_SEVERITY_ORDER.high:\n riskCounts.high += 1\n break\n case ALERT_SEVERITY_ORDER.middle:\n riskCounts.middle += 1\n break\n case ALERT_SEVERITY_ORDER.low:\n riskCounts.low += 1\n break\n }\n }\n return riskCounts\n}\n\nfunction getHiddenRisksDescription(riskCounts: RiskCounts): string {\n const descriptions: string[] = []\n if (riskCounts.critical) {\n descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`)\n }\n if (riskCounts.high) {\n descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`)\n }\n if (riskCounts.middle) {\n descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`)\n }\n if (riskCounts.low) {\n descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`)\n }\n return `(${descriptions.join('; ')})`\n}\n\nexport type AlertIncludeFilter = {\n actions?: ALERT_ACTION[] \| undefined\n blocked?: boolean \| undefined\n critical?: boolean \| undefined\n cve?: boolean \| undefined\n existing?: boolean \| undefined\n unfixable?: boolean \| undefined\n upgradable?: boolean \| undefined\n}\n\nexport type AddArtifactToAlertsMapOptions = {\n consolidate?: boolean \| undefined\n include?: AlertIncludeFilter \| undefined\n overrides?: { [key: string]: string } \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function addArtifactToAlertsMap<T extends AlertsByPurl>(\n artifact: CompactSocketArtifact,\n alertsByPurl: T,\n options?: AddArtifactToAlertsMapOptions \| undefined,\n): Promise<T> {\n // Make TypeScript happy.\n if (!artifact.name \|\| !artifact.version \|\| !artifact.alerts?.length) {\n return alertsByPurl\n }\n const {\n consolidate = false,\n include: _include,\n overrides,\n } = {\n __proto__: null,\n ...options,\n } as AddArtifactToAlertsMapOptions\n\n const socketYml = findSocketYmlSync()\n const localRules = socketYml?.parsed.issueRules\n\n const include = {\n __proto__: null,\n actions: localRules ? undefined : 'error,monitor,warn',\n blocked: true,\n critical: true,\n cve: true,\n existing: false,\n unfixable: true,\n upgradable: false,\n ..._include,\n } as AlertIncludeFilter\n\n const name = resolvePackageName(\n artifact as {\n name: string\n namespace?: string \| undefined\n },\n )\n const { type: ecosystem, version } = artifact\n const enabledState = {\n __proto__: null,\n ...localRules,\n } as Partial<Record<ALERT_TYPE, boolean>>\n let sockPkgAlerts: SocketPackageAlert[] = []\n for (const alert of artifact.alerts) {\n const action = alert.action ?? ''\n const enabledFlag = enabledState[alert.type]\n if (\n (action === 'ignore' && enabledFlag !== true) \|\|\n enabledFlag === false\n ) {\n continue\n }\n const blocked = action === 'error'\n const critical = alert.severity === ALERT_SEVERITY.critical\n const cve = isArtifactAlertCve(alert)\n const fixType = alert.fix?.type ?? ''\n const fixableCve = fixType === ALERT_FIX_TYPE.cve\n const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade\n const fixable = fixableCve \|\| fixableUpgrade\n const upgradable = fixableUpgrade && !hasOwn(overrides, name)\n if (\n (include.blocked && blocked) \|\|\n (include.critical && critical) \|\|\n (include.cve && cve) \|\|\n (include.unfixable && !fixable) \|\|\n (include.upgradable && upgradable)\n ) {\n sockPkgAlerts.push({\n name,\n version,\n key: alert.key,\n type: alert.type,\n blocked,\n critical,\n ecosystem,\n fixable,\n raw: alert,\n upgradable,\n })\n }\n }\n if (!sockPkgAlerts.length) {\n return alertsByPurl\n }\n const purl = `pkg:${ecosystem}/${name}@${version}`\n const major = getMajor(version)!\n if (consolidate) {\n type HighestVersionByMajor = Map<\n number,\n { alert: SocketPackageAlert; version: string }\n >\n const highestForCve: HighestVersionByMajor = new Map()\n const highestForUpgrade: HighestVersionByMajor = new Map()\n const unfixableAlerts: SocketPackageAlert[] = []\n for (const sockPkgAlert of sockPkgAlerts) {\n const alert = sockPkgAlert.raw\n const fixType = alert.fix?.type ?? ''\n if (fixType === ALERT_FIX_TYPE.cve) {\n // An alert with alert.fix.type of 'cve' should have a\n // alert.props.firstPatchedVersionIdentifier property value.\n // We're just being cautious.\n const firstPatchedVersionIdentifier = (alert.props as CveProps)\n ?.firstPatchedVersionIdentifier\n const patchedMajor = firstPatchedVersionIdentifier\n ? getMajor(firstPatchedVersionIdentifier)\n : null\n if (typeof patchedMajor === 'number') {\n // Consolidate to the highest \"first patched version\" by each major\n // version number.\n const highest = highestForCve.get(patchedMajor)?.version ?? '0.0.0'\n if (semver.gt(firstPatchedVersionIdentifier!, highest)) {\n highestForCve.set(patchedMajor, {\n alert: sockPkgAlert,\n version: firstPatchedVersionIdentifier!,\n })\n }\n } else {\n unfixableAlerts.push(sockPkgAlert)\n }\n } else if (fixType === ALERT_FIX_TYPE.upgrade) {\n // For Socket Optimize upgrades we assume the highest version available\n // is compatible. This may change in the future.\n const highest = highestForUpgrade.get(major)?.version ?? '0.0.0'\n if (semver.gt(version, highest)) {\n highestForUpgrade.set(major, { alert: sockPkgAlert, version })\n }\n } else {\n unfixableAlerts.push(sockPkgAlert)\n }\n }\n sockPkgAlerts = [\n // Sort CVE alerts by severity: critical, high, middle, then low.\n ...Array.from(highestForCve.values())\n .map(d => d.alert)\n .sort(alertSeverityComparator),\n ...Array.from(highestForUpgrade.values()).map(d => d.alert),\n ...unfixableAlerts,\n ]\n } else {\n sockPkgAlerts.sort((a, b) => naturalCompare(a.type, b.type))\n }\n if (sockPkgAlerts.length) {\n alertsByPurl.set(purl, sockPkgAlerts)\n }\n return alertsByPurl\n}\n\nexport function alertsHaveBlocked(alerts: SocketPackageAlert[]): boolean {\n return alerts.find(a => a.blocked) !== undefined\n}\n\nexport function alertsHaveSeverity(\n alerts: SocketPackageAlert[],\n severity: `${keyof typeof ALERT_SEVERITY}`,\n): boolean {\n return alerts.find(a => a.raw.severity === severity) !== undefined\n}\n\nexport function alertSeverityComparator(\n a: SocketPackageAlert,\n b: SocketPackageAlert,\n): number {\n // Put the most severe first.\n return getAlertSeverityOrder(a) - getAlertSeverityOrder(b)\n}\n\nexport function getAlertSeverityOrder(alert: SocketPackageAlert): number {\n // The more severe, the lower the sort number.\n const { severity } = alert.raw\n return severity === ALERT_SEVERITY.critical\n ? 0\n : severity === ALERT_SEVERITY.high\n ? 1\n : severity === ALERT_SEVERITY.middle\n ? 2\n : severity === ALERT_SEVERITY.low\n ? 3\n : 4\n}\n\nexport function getAlertsSeverityOrder(alerts: SocketPackageAlert[]): number {\n return alertsHaveBlocked(alerts) \|\|\n alertsHaveSeverity(alerts, ALERT_SEVERITY.critical)\n ? 0\n : alertsHaveSeverity(alerts, ALERT_SEVERITY.high)\n ? 1\n : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle)\n ? 2\n : alertsHaveSeverity(alerts, ALERT_SEVERITY.low)\n ? 3\n : 4\n}\n\nexport type CveExcludeFilter = {\n upgradable?: boolean \| undefined\n}\n\nexport type CveInfoByAlertKey = Map<\n string,\n {\n firstPatchedVersionIdentifier: string\n vulnerableVersionRange: string\n }\n>\n\nexport type CveInfoByPartialPurl = Map<string, CveInfoByAlertKey>\n\nexport type GetCveInfoByPackageOptions = {\n exclude?: CveExcludeFilter \| undefined\n}\n\nexport function getCveInfoFromAlertsMap(\n alertsMap: AlertsByPurl,\n options?: GetCveInfoByPackageOptions \| undefined,\n): CveInfoByPartialPurl \| null {\n const { exclude: exclude_ } = {\n __proto__: null,\n ...options,\n } as GetCveInfoByPackageOptions\n const exclude = {\n __proto__: null,\n ...exclude_,\n } as CveExcludeFilter\n\n let infoByPartialPurl: CveInfoByPartialPurl \| null = null\n // eslint-disable-next-line no-unused-labels\n alertsMapLoop: for (const { 0: purl, 1: sockPkgAlerts } of alertsMap) {\n const purlObj = getPurlObject(purl)\n const partialPurl = new PackageURL(\n purlObj.type,\n purlObj.namespace,\n purlObj.name,\n ).toString()\n const name = resolvePackageName(purlObj)\n sockPkgAlertsLoop: for (const sockPkgAlert of sockPkgAlerts) {\n const alert = sockPkgAlert.raw\n if (\n alert.fix?.type !== ALERT_FIX_TYPE.cve \|\|\n (exclude.upgradable &&\n getManifestData(sockPkgAlert.ecosystem as any, name))\n ) {\n continue sockPkgAlertsLoop\n }\n if (!infoByPartialPurl) {\n infoByPartialPurl = new Map()\n }\n let infos = infoByPartialPurl.get(partialPurl)\n if (!infos) {\n infos = new Map()\n infoByPartialPurl.set(partialPurl, infos)\n }\n const { key } = alert\n if (!infos.has(key)) {\n // An alert with alert.fix.type of 'cve' should have a\n // alert.props.firstPatchedVersionIdentifier property value.\n // We're just being cautious.\n const firstPatchedVersionIdentifier = (alert.props as CveProps)\n ?.firstPatchedVersionIdentifier\n const vulnerableVersionRange = (alert.props as CveProps)\n ?.vulnerableVersionRange\n let error: unknown\n if (firstPatchedVersionIdentifier && vulnerableVersionRange) {\n try {\n infos.set(key, {\n firstPatchedVersionIdentifier,\n vulnerableVersionRange: new semver.Range(\n // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that\n // semver.Range will parse it without erroring.\n vulnerableVersionRange\n .replace(/, +/g, ' ')\n .replace(/; +/g, ' \|\| '),\n ).format(),\n })\n continue sockPkgAlertsLoop\n } catch (e) {\n error = e\n }\n }\n\n debugFn('error', 'fail: invalid SocketPackageAlert')\n debugDir('inspect', { alert })\n\n if (error) {\n debugDir('inspect', { error: (error as Error).message ?? error })\n }\n }\n }\n }\n return infoByPartialPurl\n}\n\nexport function getSeverityLabel(\n severity: `${keyof typeof ALERT_SEVERITY}`,\n): string {\n return severity === 'middle' ? 'moderate' : severity\n}\n\nexport type LogAlertsMapOptions = {\n hideAt?: `${keyof typeof ALERT_SEVERITY}` \| 'none' \| undefined\n output?: NodeJS.WriteStream \| undefined\n}\n\nexport function logAlertsMap(\n alertsMap: AlertsByPurl,\n options: LogAlertsMapOptions,\n) {\n const { hideAt = 'middle', output = process.stderr } = {\n __proto__: null,\n ...options,\n } as LogAlertsMapOptions\n\n const translations = getTranslations()\n const sortedEntries = Array.from(alertsMap.entries()).sort(\n (a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1]),\n )\n\n const aboveTheFoldPurls = new Set<string>()\n const viewableAlertsByPurl = new Map<string, SocketPackageAlert[]>()\n const hiddenAlertsByPurl = new Map<string, SocketPackageAlert[]>()\n\n for (let i = 0, { length } = sortedEntries; i < length; i += 1) {\n const { 0: purl, 1: alerts } = sortedEntries[i]!\n const hiddenAlerts: typeof alerts = []\n const viewableAlerts = alerts.filter(a => {\n const keep =\n a.blocked \|\| getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt]\n if (!keep) {\n hiddenAlerts.push(a)\n }\n return keep\n })\n if (hiddenAlerts.length) {\n hiddenAlertsByPurl.set(purl, hiddenAlerts.sort(alertSeverityComparator))\n }\n if (!viewableAlerts.length) {\n continue\n }\n viewableAlerts.sort(alertSeverityComparator)\n viewableAlertsByPurl.set(purl, viewableAlerts)\n if (\n viewableAlerts.find(\n (a: SocketPackageAlert) =>\n a.blocked \|\| getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle,\n )\n ) {\n aboveTheFoldPurls.add(purl)\n }\n }\n\n // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.\n for (const { 0: purl } of viewableAlertsByPurl.entries()) {\n if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {\n break\n }\n aboveTheFoldPurls.add(purl)\n }\n // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.\n for (const { 0: purl, 1: hiddenAlerts } of hiddenAlertsByPurl.entries()) {\n if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {\n break\n }\n aboveTheFoldPurls.add(purl)\n const viewableAlerts = viewableAlertsByPurl.get(purl) ?? []\n if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {\n const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length\n let removedHiddenAlerts: SocketPackageAlert[] \| undefined\n if (hiddenAlerts.length - neededCount > 0) {\n removedHiddenAlerts = hiddenAlerts.splice(\n 0,\n MIN_ABOVE_THE_FOLD_ALERT_COUNT,\n )\n } else {\n removedHiddenAlerts = hiddenAlerts\n hiddenAlertsByPurl.delete(purl)\n }\n viewableAlertsByPurl.set(purl, [\n ...viewableAlerts,\n ...removedHiddenAlerts,\n ])\n }\n }\n\n const mentionedPurlsWithHiddenAlerts = new Set<string>()\n for (\n let i = 0,\n prevAboveTheFold = true,\n entries = Array.from(viewableAlertsByPurl.entries()),\n { length } = entries;\n i < length;\n i += 1\n ) {\n const { 0: purl, 1: alerts } = entries[i]!\n const lines = new Set<string>()\n for (const alert of alerts) {\n const { type } = alert\n const severity = alert.raw.severity ?? ''\n const attributes = [\n ...(severity\n ? [colors[ALERT_SEVERITY_COLOR[severity]](getSeverityLabel(severity))]\n : []),\n ...(alert.blocked ? [colors.bold(colors.red('blocked'))] : []),\n ...(alert.fixable ? ['fixable'] : []),\n ]\n const maybeAttributes = attributes.length\n ? ` ${colors.italic(`(${attributes.join('; ')})`)}`\n : ''\n // Based data from { pageProps: { alertTypes } } of:\n // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json\n const info = (translations.alerts as any)[type]\n const title = info?.title ?? type\n const maybeDesc = info?.description ? ` - ${info.description}` : ''\n const content = `${title}${maybeAttributes}${maybeDesc}`\n // TODO: emoji seems to mis-align terminals sometimes\n lines.add(` ${content}`)\n }\n const purlObj = getPurlObject(purl)\n const pkgName = resolvePackageName(purlObj)\n const hyperlink = format.hyperlink(\n pkgName,\n getSocketDevPackageOverviewUrl(purlObj.type, pkgName, purlObj.version),\n )\n const isAboveTheFold = aboveTheFoldPurls.has(purl)\n if (isAboveTheFold) {\n aboveTheFoldPurls.add(purl)\n output.write(`${i ? '\\n' : ''}${hyperlink}:\\n`)\n } else {\n output.write(`${prevAboveTheFold ? '\\n' : ''}${hyperlink}:\\n`)\n }\n for (const line of lines) {\n output.write(`${line}\\n`)\n }\n const hiddenAlerts = hiddenAlertsByPurl.get(purl) ?? []\n const { length: hiddenAlertsCount } = hiddenAlerts\n if (hiddenAlertsCount) {\n mentionedPurlsWithHiddenAlerts.add(purl)\n if (hiddenAlertsCount === 1) {\n output.write(\n ` ${colors.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0]!.raw.severity ?? 'low')} risk alert`)}\\n`,\n )\n } else {\n output.write(\n ` ${colors.dim(`+${hiddenAlertsCount} Hidden alerts ${colors.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\\n`,\n )\n }\n }\n prevAboveTheFold = isAboveTheFold\n }\n\n const additionalHiddenCount =\n hiddenAlertsByPurl.size - mentionedPurlsWithHiddenAlerts.size\n if (additionalHiddenCount) {\n const totalRiskCounts = {\n critical: 0,\n high: 0,\n middle: 0,\n low: 0,\n }\n for (const { 0: purl, 1: alerts } of hiddenAlertsByPurl.entries()) {\n if (mentionedPurlsWithHiddenAlerts.has(purl)) {\n continue\n }\n const riskCounts = getHiddenRiskCounts(alerts)\n totalRiskCounts.critical += riskCounts.critical\n totalRiskCounts.high += riskCounts.high\n totalRiskCounts.middle += riskCounts.middle\n totalRiskCounts.low += riskCounts.low\n }\n output.write(\n `${aboveTheFoldPurls.size ? '\\n' : ''}${colors.dim(`${aboveTheFoldPurls.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${colors.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\\n`,\n )\n }\n output.write('\\n')\n}\n","import semver from 'semver'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\n\nimport { stripPnpmPeerSuffix } from './pnpm.mts'\n\nexport function idToNpmPurl(id: string): string {\n return `pkg:npm/${id}`\n}\n\nexport function idToPurl(id: string, type: string): string {\n return `pkg:${type}/${id}`\n}\n\nexport function resolvePackageVersion(purlObj: PackageURL): string {\n const { version } = purlObj\n if (!version) {\n return ''\n }\n const { type } = purlObj\n return (\n semver.coerce(type === 'npm' ? stripPnpmPeerSuffix(version) : version)\n ?.version ?? ''\n )\n}\n","import { existsSync } from 'node:fs'\n\nimport yaml from 'js-yaml'\nimport semver from 'semver'\n\nimport { isObjectObject } from '@socketsecurity/registry/lib/objects'\nimport { stripBom } from '@socketsecurity/registry/lib/strings'\n\nimport { readFileUtf8 } from './fs.mts'\nimport { idToNpmPurl } from './spec.mts'\n\nimport type { LockfileObject, PackageSnapshot } from '@pnpm/lockfile.fs'\nimport type { SemVer } from 'semver'\n\nexport function extractOverridesFromPnpmLockSrc(lockfileContent: any): string {\n let match\n if (typeof lockfileContent === 'string') {\n match = /^overrides:(?:\\r?\\n {2}.+)+(?:\\r?\\n)/m.exec(lockfileContent)?.[0]\n }\n return match ?? ''\n}\n\nexport async function extractPurlsFromPnpmLockfile(\n lockfile: LockfileObject,\n): Promise<string[]> {\n const packages = lockfile?.packages ?? {}\n const seen = new Set<string>()\n const visit = (pkgPath: string) => {\n if (seen.has(pkgPath)) {\n return\n }\n const pkg = (packages as any)[pkgPath] as PackageSnapshot\n if (!pkg) {\n return\n }\n seen.add(pkgPath)\n const deps: { [name: string]: string } = {\n __proto__: null,\n ...pkg.dependencies,\n ...pkg.optionalDependencies,\n ...(pkg as any).devDependencies,\n }\n for (const depName in deps) {\n const ref = deps[depName]!\n const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`\n visit(subKey)\n }\n }\n for (const pkgPath of Object.keys(packages)) {\n visit(pkgPath)\n }\n return Array.from(seen).map(p =>\n idToNpmPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))),\n )\n}\n\nexport function isPnpmDepPath(maybeDepPath: string): boolean {\n return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47 /'/'/\n}\n\nexport function parsePnpmLockfile(\n lockfileContent: unknown,\n): LockfileObject \| null {\n let result\n if (typeof lockfileContent === 'string') {\n try {\n result = yaml.load(stripBom(lockfileContent))\n } catch {}\n }\n return isObjectObject(result) ? (result as LockfileObject) : null\n}\n\nexport function parsePnpmLockfileVersion(version: unknown): SemVer \| null {\n try {\n return semver.coerce(version as string)\n } catch {}\n return null\n}\n\nexport async function readPnpmLockfile(\n lockfilePath: string,\n): Promise<string \| null> {\n return existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : null\n}\n\nexport function stripLeadingPnpmDepPathSlash(depPath: string): string {\n return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath\n}\n\nexport function stripPnpmPeerSuffix(depPath: string): string {\n const parenIndex = depPath.indexOf('(')\n const index = parenIndex === -1 ? depPath.indexOf('_') : parenIndex\n return index === -1 ? depPath : depPath.slice(0, index)\n}\n","import { arrayUnique } from '@socketsecurity/registry/lib/arrays'\nimport { debugDir } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport { extractPurlsFromPnpmLockfile } from './pnpm.mts'\nimport { getPublicToken, setupSdk } from './sdk.mts'\nimport { addArtifactToAlertsMap } from './socket-package-alert.mts'\n\nimport type { CompactSocketArtifact } from './alert/artifact.mts'\nimport type {\n AlertIncludeFilter,\n AlertsByPurl,\n} from './socket-package-alert.mts'\nimport type { LockfileObject } from '@pnpm/lockfile.fs'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nexport type GetAlertsMapFromPnpmLockfileOptions = {\n consolidate?: boolean \| undefined\n include?: AlertIncludeFilter \| undefined\n overrides?: { [key: string]: string } \| undefined\n nothrow?: boolean \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function getAlertsMapFromPnpmLockfile(\n lockfile: LockfileObject,\n options?: GetAlertsMapFromPnpmLockfileOptions \| undefined,\n): Promise<AlertsByPurl> {\n const purls = await extractPurlsFromPnpmLockfile(lockfile)\n return await getAlertsMapFromPurls(purls, {\n overrides: lockfile.overrides,\n ...options,\n })\n}\n\nexport type GetAlertsMapFromPurlsOptions = {\n consolidate?: boolean \| undefined\n include?: AlertIncludeFilter \| undefined\n overrides?: { [key: string]: string } \| undefined\n nothrow?: boolean \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function getAlertsMapFromPurls(\n purls: string[] \| readonly string[],\n options?: GetAlertsMapFromPurlsOptions \| undefined,\n): Promise<AlertsByPurl> {\n const opts = {\n __proto__: null,\n consolidate: false,\n include: undefined,\n nothrow: false,\n ...options,\n } as GetAlertsMapFromPurlsOptions\n\n opts.include = {\n __proto__: null,\n // Leave 'actions' unassigned so it can be given a default value in\n // subsequent functions where `options` is passed.\n // actions: undefined,\n blocked: true,\n critical: true,\n cve: true,\n existing: false,\n unfixable: true,\n upgradable: false,\n ...opts.include,\n } as AlertIncludeFilter\n\n const uniqPurls = arrayUnique(purls)\n debugDir('silly', { purls: uniqPurls })\n\n let { length: remaining } = uniqPurls\n const alertsByPurl: AlertsByPurl = new Map()\n\n if (!remaining) {\n return alertsByPurl\n }\n\n const { spinner } = opts\n const getText = () => `Looking up data for ${remaining} packages`\n\n spinner?.start(getText())\n\n const sockSdkCResult = await setupSdk({ apiToken: getPublicToken() })\n if (!sockSdkCResult.ok) {\n spinner?.stop()\n throw new Error('Auth error: Try to run `socket login` first')\n }\n const sockSdk = sockSdkCResult.data\n\n const alertsMapOptions = {\n overrides: opts.overrides,\n consolidate: opts.consolidate,\n include: opts.include,\n spinner,\n }\n\n for await (const batchResult of sockSdk.batchPackageStream(\n {\n components: uniqPurls.map(purl => ({ purl })),\n },\n {\n queryParams: {\n alerts: 'true',\n compact: 'true',\n ...(opts.include.actions\n ? { actions: opts.include.actions.join(',') }\n : {}),\n ...(opts.include.unfixable ? {} : { fixable: 'true' }),\n },\n },\n )) {\n if (batchResult.success) {\n await addArtifactToAlertsMap(\n batchResult.data as CompactSocketArtifact,\n alertsByPurl,\n alertsMapOptions,\n )\n } else if (!opts.nothrow) {\n const statusCode = batchResult.status ?? 'unknown'\n const statusMessage = batchResult.error ?? 'No status message'\n throw new Error(\n `Socket API server error (${statusCode}): ${statusMessage}`,\n )\n } else {\n spinner?.stop()\n logger.fail(\n `Received a ${batchResult.status} response from Socket API which we consider a permanent failure:`,\n batchResult.error,\n batchResult.cause ? `( ${batchResult.cause} )` : '',\n )\n debugDir('inspect', { batchResult })\n break\n }\n remaining -= 1\n if (remaining > 0) {\n spinner?.start(getText())\n }\n }\n\n spinner?.stop()\n\n return alertsByPurl\n}\n","import npmPackageArg from 'npm-package-arg'\n\nexport type {\n AliasResult,\n FileResult,\n HostedGit,\n HostedGitResult,\n RegistryResult,\n Result,\n URLResult,\n} from 'npm-package-arg'\n\nexport function npa(\n ...args: Parameters<typeof npmPackageArg>\n): ReturnType<typeof npmPackageArg> \| null {\n try {\n return Reflect.apply(npmPackageArg, undefined, args)\n } catch {}\n return null\n}\n","import { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n isNpmAuditFlag,\n isNpmFundFlag,\n isNpmLoglevelFlag,\n isNpmProgressFlag,\n resolveBinPathSync,\n} from '@socketsecurity/registry/lib/npm'\nimport { isObject } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport constants from '../../constants.mts'\nimport { getNpmBinPath } from '../../utils/npm-paths.mts'\n\nimport type { SpawnResult } from '@socketsecurity/registry/lib/spawn'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nconst {\n NPM,\n SOCKET_CLI_SAFE_BIN,\n SOCKET_CLI_SAFE_PROGRESS,\n SOCKET_IPC_HANDSHAKE,\n} = constants\n\ntype SpawnOption = Exclude<Parameters<typeof spawn>[2], undefined>\n\nexport type SafeNpmInstallOptions = SpawnOption & {\n agentExecPath?: string \| undefined\n args?: string[] \| readonly string[] \| undefined\n ipc?: object \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport function safeNpmInstall(\n options?: SafeNpmInstallOptions,\n): SpawnResult<string, Record<any, any> \| undefined> {\n const {\n agentExecPath = getNpmBinPath(),\n args = [],\n ipc,\n spinner,\n ...spawnOptions\n } = { __proto__: null, ...options } as SafeNpmInstallOptions\n let stdio = spawnOptions.stdio\n const useIpc = isObject(ipc)\n // Include 'ipc' in the spawnOptions.stdio when an options.ipc object is provided.\n // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166\n // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.\n if (typeof stdio === 'string') {\n stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio]\n } else if (useIpc && Array.isArray(stdio) && !stdio.includes('ipc')) {\n stdio = stdio.concat('ipc')\n }\n const useDebug = isDebug('stdio')\n const terminatorPos = args.indexOf('--')\n const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n const binArgs = rawBinArgs.filter(\n a => !isNpmAuditFlag(a) && !isNpmFundFlag(a) && !isNpmProgressFlag(a),\n )\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : []\n const spawnPromise = spawn(\n // Lazily access constants.execPath.\n constants.execPath,\n [\n // Lazily access constants.nodeNoWarningsFlags.\n ...constants.nodeNoWarningsFlags,\n // Lazily access constants.nodeHardenFlags.\n ...constants.nodeHardenFlags,\n // Lazily access constants.nodeMemoryFlags.\n ...constants.nodeMemoryFlags,\n // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.\n ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n ? [\n '--require',\n // Lazily access constants.instrumentWithSentryPath.\n constants.instrumentWithSentryPath,\n ]\n : []),\n '--require',\n // Lazily access constants.shadowNpmInjectPath.\n constants.shadowNpmInjectPath,\n resolveBinPathSync(agentExecPath),\n 'install',\n // Avoid code paths for 'audit' and 'fund'.\n '--no-audit',\n '--no-fund',\n // Add '--no-progress' to fix input being swallowed by the npm spinner.\n '--no-progress',\n // Add '--loglevel=silent' if a loglevel flag is not provided and the\n // SOCKET_CLI_DEBUG environment variable is not truthy.\n ...logLevelArgs,\n ...binArgs,\n ...otherArgs,\n ],\n {\n spinner,\n ...spawnOptions,\n stdio,\n env: {\n ...process.env,\n // Lazily access constants.processEnv.\n ...constants.processEnv,\n ...spawnOptions.env,\n },\n },\n )\n if (useIpc) {\n spawnPromise.process.send({\n [SOCKET_IPC_HANDSHAKE]: {\n [SOCKET_CLI_SAFE_BIN]: NPM,\n [SOCKET_CLI_SAFE_PROGRESS]: progressArg,\n ...ipc,\n },\n })\n }\n return spawnPromise\n}\n","import { spawn } from '@socketsecurity/registry/lib/spawn'\nimport { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nimport constants from '../constants.mts'\nimport { cmdFlagsToString } from './cmd.mts'\nimport { safeNpmInstall } from '../shadow/npm/install.mts'\n\nimport type { EnvDetails } from './package-environment.mts'\n\nconst { NPM, PNPM } = constants\n\ntype SpawnOption = Exclude<Parameters<typeof spawn>[2], undefined>\n\nexport type AgentInstallOptions = SpawnOption & {\n args?: string[] \| readonly string[] \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport type AgentSpawnResult = ReturnType<typeof spawn>\n\nexport function runAgentInstall(\n pkgEnvDetails: EnvDetails,\n options?: AgentInstallOptions \| undefined,\n): AgentSpawnResult {\n const { agent, agentExecPath } = pkgEnvDetails\n // All package managers support the \"install\" command.\n if (agent === NPM) {\n return safeNpmInstall({\n agentExecPath,\n ...options,\n })\n }\n const {\n args = [],\n spinner,\n ...spawnOptions\n } = { __proto__: null, ...options } as AgentInstallOptions\n const skipNodeHardenFlags =\n agent === PNPM && pkgEnvDetails.agentVersion.major < 11\n return spawn(agentExecPath, ['install', ...args], {\n // Lazily access constants.WIN32.\n shell: constants.WIN32,\n spinner,\n stdio: 'inherit',\n ...spawnOptions,\n env: {\n ...process.env,\n // Lazily access constants.processEnv.\n ...constants.processEnv,\n NODE_OPTIONS: cmdFlagsToString([\n ...(skipNodeHardenFlags\n ? []\n : // Lazily access constants.nodeHardenFlags.\n constants.nodeHardenFlags),\n // Lazily access constants.nodeNoWarningsFlags.\n ...constants.nodeNoWarningsFlags,\n ]),\n ...spawnOptions.env,\n },\n })\n}\n","import NpmConfig from '@npmcli/config'\nimport {\n definitions as npmConfigDefinitions,\n flatten as npmConfigFlatten,\n shorthands as npmConfigShorthands,\n // @ts-ignore: TypeScript types unavailable.\n} from '@npmcli/config/lib/definitions'\n\nimport { getNpmPath } from './npm-paths.mts'\n\nimport type { ArboristOptions } from '../shadow/npm/arborist/types.mts'\nimport type { SemVer } from 'semver'\n\nexport type NpmConfigOptions = {\n cwd?: string \| undefined\n env?: NodeJS.ProcessEnv \| undefined\n execPath?: string \| undefined\n nodeVersion?: string \| undefined\n npmCommand?: string \| undefined\n npmPath?: string \| undefined\n npmVersion?: SemVer \| string \| undefined\n platform?: NodeJS.Platform \| undefined\n}\n\nexport async function getNpmConfig(\n options?: NpmConfigOptions \| undefined,\n): Promise<ArboristOptions> {\n const {\n cwd = process.cwd(),\n env = process.env,\n execPath = process.execPath,\n nodeVersion = process.version,\n npmCommand = 'install',\n npmPath = getNpmPath(),\n npmVersion,\n platform = process.platform,\n } = { __proto__: null, ...options } as NpmConfigOptions\n const config = new NpmConfig({\n argv: [],\n cwd,\n definitions: npmConfigDefinitions,\n execPath,\n env: { ...env },\n flatten: npmConfigFlatten,\n npmPath,\n platform,\n shorthands: npmConfigShorthands,\n })\n await config.load()\n const flatConfig = { __proto__: null, ...config.flat } as ArboristOptions\n\n if (nodeVersion) {\n flatConfig.nodeVersion = nodeVersion\n }\n if (npmCommand) {\n flatConfig.npmCommand = npmCommand\n }\n if (npmVersion) {\n flatConfig.npmVersion = npmVersion.toString()\n }\n return flatConfig\n}\n","import { existsSync } from 'node:fs'\n\nimport { readFileUtf8 } from './fs.mts'\n\nexport async function readLockfile(\n lockfilePath: string,\n): Promise<string \| null> {\n return existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : null\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\n\nimport browserslist from 'browserslist'\nimport semver from 'semver'\nimport which from 'which'\n\nimport { parse as parseBunLockb } from '@socketregistry/hyrious__bun.lockb/index.cjs'\nimport { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'\nimport { Logger } from '@socketsecurity/registry/lib/logger'\nimport { readPackageJson } from '@socketsecurity/registry/lib/packages'\nimport { naturalCompare } from '@socketsecurity/registry/lib/sorts'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\nimport { isNonEmptyString } from '@socketsecurity/registry/lib/strings'\n\nimport { cmdPrefixMessage } from './cmd.mts'\nimport { findUp, readFileBinary, readFileUtf8 } from './fs.mts'\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'\nimport type { SemVer } from 'semver'\n\nconst {\n BINARY_LOCK_EXT,\n BUN,\n HIDDEN_PACKAGE_LOCK_JSON,\n LOCK_EXT,\n NPM,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n PACKAGE_JSON,\n PNPM,\n VLT,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n} = constants\n\nexport const AGENTS = [BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT] as const\n\nconst binByAgent = new Map<Agent, string>([\n [BUN, BUN],\n [NPM, NPM],\n [PNPM, PNPM],\n [YARN_BERRY, YARN],\n [YARN_CLASSIC, YARN],\n [VLT, VLT],\n])\n\nexport type Agent = (typeof AGENTS)[number]\n\nexport type EnvBase = {\n agent: Agent\n agentExecPath: string\n agentSupported: boolean\n features: {\n // Fixed by https://github.com/npm/cli/pull/8089.\n // Landed in npm v11.2.0.\n npmBuggyOverrides: boolean\n }\n nodeSupported: boolean\n nodeVersion: SemVer\n npmExecPath: string\n pkgRequirements: {\n agent: string\n node: string\n }\n pkgSupports: {\n agent: boolean\n node: boolean\n }\n}\n\nexport type EnvDetails = Readonly<\n Remap<\n EnvBase & {\n agentVersion: SemVer\n editablePkgJson: EditablePackageJson\n lockName: string\n lockPath: string\n lockSrc: string\n pkgPath: string\n }\n >\n>\n\nexport type DetectAndValidateOptions = {\n cmdName?: string \| undefined\n logger?: Logger \| undefined\n prod?: boolean \| undefined\n}\n\nexport type DetectOptions = {\n cwd?: string \| undefined\n onUnknown?: (pkgManager: string \| undefined) => void\n}\n\nexport type PartialEnvDetails = Readonly<\n Remap<\n EnvBase & {\n agentVersion: SemVer \| undefined\n editablePkgJson: EditablePackageJson \| undefined\n lockName: string \| undefined\n lockPath: string \| undefined\n lockSrc: string \| undefined\n pkgPath: string \| undefined\n }\n >\n>\n\nexport type ReadLockFile =\n \| ((lockPath: string) => Promise<string \| undefined>)\n \| ((lockPath: string, agentExecPath: string) => Promise<string \| undefined>)\n \| ((\n lockPath: string,\n agentExecPath: string,\n cwd: string,\n ) => Promise<string \| undefined>)\n\nconst readLockFileByAgent: Map<Agent, ReadLockFile> = (() => {\n function wrapReader<T extends (...args: any[]) => Promise<any>>(\n reader: T,\n ): (...args: Parameters<T>) => Promise<Awaited<ReturnType<T>> \| undefined> {\n return async (...args: any[]): Promise<any> => {\n try {\n return await reader(...args)\n } catch {}\n return undefined\n }\n }\n\n const binaryReader = wrapReader(readFileBinary)\n\n const defaultReader = wrapReader(\n async (lockPath: string) => await readFileUtf8(lockPath),\n )\n\n return new Map([\n [\n BUN,\n wrapReader(\n async (\n lockPath: string,\n agentExecPath: string,\n cwd = process.cwd(),\n ) => {\n const ext = path.extname(lockPath)\n if (ext === LOCK_EXT) {\n return await defaultReader(lockPath)\n }\n if (ext === BINARY_LOCK_EXT) {\n const lockBuffer = await binaryReader(lockPath)\n if (lockBuffer) {\n try {\n return parseBunLockb(lockBuffer)\n } catch {}\n }\n // To print a Yarn lockfile to your console without writing it to disk\n // use `bun bun.lockb`.\n // https://bun.sh/guides/install/yarnlock\n return (\n await spawn(agentExecPath, [lockPath], {\n cwd,\n // Lazily access constants.WIN32.\n shell: constants.WIN32,\n })\n ).stdout\n }\n return undefined\n },\n ),\n ],\n [NPM, defaultReader],\n [PNPM, defaultReader],\n [VLT, defaultReader],\n [YARN_BERRY, defaultReader],\n [YARN_CLASSIC, defaultReader],\n ])\n})()\n\n// The order of LOCKS properties IS significant as it affects iteration order.\nconst LOCKS: Record<string, Agent> = {\n [`bun${LOCK_EXT}`]: BUN,\n [`bun${BINARY_LOCK_EXT}`]: BUN,\n // If both package-lock.json and npm-shrinkwrap.json are present in the root\n // of a project, npm-shrinkwrap.json will take precedence and package-lock.json\n // will be ignored.\n // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson\n 'npm-shrinkwrap.json': NPM,\n 'package-lock.json': NPM,\n 'pnpm-lock.yaml': PNPM,\n 'pnpm-lock.yml': PNPM,\n [`yarn${LOCK_EXT}`]: YARN_CLASSIC,\n 'vlt-lock.json': VLT,\n // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:\n // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles\n //\n // Unlike the other LOCKS keys this key contains a directory AND filename so\n // it has to be handled differently.\n 'node_modules/.package-lock.json': NPM,\n}\n\nasync function getAgentExecPath(agent: Agent): Promise<string> {\n const binName = binByAgent.get(agent)!\n if (binName === NPM) {\n // Lazily access constants.npmExecPath.\n return constants.npmExecPath\n }\n return (await which(binName, { nothrow: true })) ?? binName\n}\n\nasync function getAgentVersion(\n agentExecPath: string,\n cwd: string,\n): Promise<SemVer \| undefined> {\n let result\n try {\n result =\n // Coerce version output into a valid semver version by passing it through\n // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),\n // and tildes (~).\n semver.coerce(\n // All package managers support the \"--version\" flag.\n\n (\n await spawn(agentExecPath, ['--version'], {\n cwd,\n // Lazily access constants.WIN32.\n shell: constants.WIN32,\n })\n ).stdout,\n ) ?? undefined\n } catch (e) {\n debugFn('error', 'caught: unexpected error')\n debugDir('inspect', { error: e })\n }\n return result\n}\n\nexport async function detectPackageEnvironment({\n cwd = process.cwd(),\n onUnknown,\n}: DetectOptions = {}): Promise<EnvDetails \| PartialEnvDetails> {\n let lockPath = await findUp(Object.keys(LOCKS), { cwd })\n let lockName = lockPath ? path.basename(lockPath) : undefined\n const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON\n const pkgJsonPath = lockPath\n ? path.resolve(\n lockPath,\n `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`,\n )\n : await findUp(PACKAGE_JSON, { cwd })\n const pkgPath =\n pkgJsonPath && existsSync(pkgJsonPath)\n ? path.dirname(pkgJsonPath)\n : undefined\n const editablePkgJson = pkgPath\n ? await readPackageJson(pkgPath, { editable: true })\n : undefined\n // Read Corepack `packageManager` field in package.json:\n // https://nodejs.org/api/packages.html#packagemanager\n const pkgManager = isNonEmptyString(editablePkgJson?.content?.packageManager)\n ? editablePkgJson.content.packageManager\n : undefined\n\n let agent: Agent \| undefined\n if (pkgManager) {\n // A valid \"packageManager\" field value is \"<package manager name>@<version>\".\n // https://nodejs.org/api/packages.html#packagemanager\n const atSignIndex = pkgManager.lastIndexOf('@')\n if (atSignIndex !== -1) {\n const name = pkgManager.slice(0, atSignIndex) as Agent\n const version = pkgManager.slice(atSignIndex + 1)\n if (version && AGENTS.includes(name)) {\n agent = name\n }\n }\n }\n if (\n agent === undefined &&\n !isHiddenLockFile &&\n typeof pkgJsonPath === 'string' &&\n typeof lockName === 'string'\n ) {\n agent = LOCKS[lockName] as Agent\n }\n if (agent === undefined) {\n agent = NPM\n onUnknown?.(pkgManager)\n }\n const agentExecPath = await getAgentExecPath(agent)\n const agentVersion = await getAgentVersion(agentExecPath, cwd)\n if (agent === YARN_CLASSIC && (agentVersion?.major ?? 0) > 1) {\n agent = YARN_BERRY\n }\n // Lazily access constants.maintainedNodeVersions.\n const { maintainedNodeVersions } = constants\n // Lazily access constants.minimumVersionByAgent.\n const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent)!\n const minSupportedNodeMajor = semver.major(maintainedNodeVersions.last)\n const minSupportedNodeVersion = `${minSupportedNodeMajor}.0.0`\n const minSupportedNodeRange = `>=${minSupportedNodeMajor}`\n const nodeVersion = semver.coerce(process.version)!\n let lockSrc: string \| undefined\n let pkgAgentRange: string \| undefined\n let pkgNodeRange: string \| undefined\n let pkgMinAgentVersion = minSupportedAgentVersion\n let pkgMinNodeVersion = minSupportedNodeVersion\n if (editablePkgJson?.content) {\n const { engines } = editablePkgJson.content\n const engineAgentRange = engines?.[agent]\n const engineNodeRange = engines?.['node']\n if (isNonEmptyString(engineAgentRange)) {\n pkgAgentRange = engineAgentRange\n // Roughly check agent range as semver.coerce will strip leading\n // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).\n const coerced = semver.coerce(pkgAgentRange)\n if (coerced && semver.lt(coerced, pkgMinAgentVersion)) {\n pkgMinAgentVersion = coerced.version\n }\n }\n if (isNonEmptyString(engineNodeRange)) {\n pkgNodeRange = engineNodeRange\n // Roughly check Node range as semver.coerce will strip leading\n // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).\n const coerced = semver.coerce(pkgNodeRange)\n if (coerced && semver.lt(coerced, pkgMinNodeVersion)) {\n pkgMinNodeVersion = coerced.version\n }\n }\n const browserslistQuery = editablePkgJson.content['browserslist'] as\n \| string[]\n \| undefined\n if (Array.isArray(browserslistQuery)) {\n // List Node targets in ascending version order.\n const browserslistNodeTargets = browserslist(browserslistQuery)\n .filter(v => /^node /i.test(v))\n .map(v => v.slice(5 /'node '.length*/))\n .sort(naturalCompare)\n if (browserslistNodeTargets.length) {\n // browserslistNodeTargets[0] is the lowest Node target version.\n const coerced = semver.coerce(browserslistNodeTargets[0])\n if (coerced && semver.lt(coerced, pkgMinNodeVersion)) {\n pkgMinNodeVersion = coerced.version\n }\n }\n }\n lockSrc =\n typeof lockPath === 'string'\n ? await readLockFileByAgent.get(agent)!(lockPath, agentExecPath, cwd)\n : undefined\n } else {\n lockName = undefined\n lockPath = undefined\n }\n\n // Does the system agent version meet our minimum supported agent version?\n const agentSupported =\n !!agentVersion &&\n semver.satisfies(agentVersion, `>=${minSupportedAgentVersion}`)\n // Does the system Node version meet our minimum supported Node version?\n const nodeSupported = semver.satisfies(nodeVersion, minSupportedNodeRange)\n\n const npmExecPath =\n agent === NPM ? agentExecPath : await getAgentExecPath(NPM)\n const npmBuggyOverrides =\n agent === NPM &&\n !!agentVersion &&\n semver.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION)\n\n const pkgMinAgentRange = `>=${pkgMinAgentVersion}`\n const pkgMinNodeRange = `>=${semver.major(pkgMinNodeVersion)}`\n\n return {\n agent,\n agentExecPath,\n agentSupported,\n agentVersion,\n editablePkgJson,\n features: { npmBuggyOverrides },\n lockName,\n lockPath,\n lockSrc,\n nodeSupported,\n nodeVersion,\n npmExecPath,\n pkgPath,\n pkgRequirements: {\n agent: pkgAgentRange ?? pkgMinAgentRange,\n node: pkgNodeRange ?? pkgMinNodeRange,\n },\n pkgSupports: {\n // Does our minimum supported agent version meet the package's requirements?\n agent: semver.satisfies(minSupportedAgentVersion, pkgMinAgentRange),\n // Does our supported Node versions meet the package's requirements?\n node: maintainedNodeVersions.some(v =>\n semver.satisfies(v, pkgMinNodeRange),\n ),\n },\n }\n}\n\nexport async function detectAndValidatePackageEnvironment(\n cwd: string,\n options?: DetectAndValidateOptions \| undefined,\n): Promise<CResult<EnvDetails>> {\n const {\n cmdName = '',\n logger,\n prod,\n } = {\n __proto__: null,\n ...options,\n } as DetectAndValidateOptions\n const details = await detectPackageEnvironment({\n cwd,\n onUnknown(pkgManager: string \| undefined) {\n logger?.warn(\n cmdPrefixMessage(\n cmdName,\n `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`,\n ),\n )\n },\n })\n const { agent, nodeVersion, pkgRequirements } = details\n const agentVersion = details.agentVersion ?? 'unknown'\n if (!details.agentSupported) {\n const minVersion = constants.minimumVersionByAgent.get(agent)!\n return {\n ok: false,\n message: 'Version Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`,\n ),\n }\n }\n if (!details.nodeSupported) {\n const minVersion = constants.maintainedNodeVersions.last\n return {\n ok: false,\n message: 'Version Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`,\n ),\n }\n }\n if (!details.pkgSupports.agent) {\n return {\n ok: false,\n message: 'Engine Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Package engine \"${agent}\" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`,\n ),\n }\n }\n if (!details.pkgSupports.node) {\n return {\n ok: false,\n message: 'Version Mismatch',\n cause: cmdPrefixMessage(\n cmdName,\n `Package engine \"node\" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`,\n ),\n }\n }\n const lockName = details.lockName ?? 'lock file'\n if (details.lockName === undefined \|\| details.lockSrc === undefined) {\n return {\n ok: false,\n message: 'Missing Lock File',\n cause: cmdPrefixMessage(cmdName, `No ${lockName} found`),\n }\n }\n if (details.lockSrc.trim() === '') {\n return {\n ok: false,\n message: 'Empty Lock File',\n cause: cmdPrefixMessage(cmdName, `${lockName} is empty`),\n }\n }\n if (details.pkgPath === undefined) {\n return {\n ok: false,\n message: 'Missing package.json',\n cause: cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`),\n }\n }\n if (prod && (agent === BUN \|\| agent === YARN_BERRY)) {\n return {\n ok: false,\n message: 'Bad input',\n cause: cmdPrefixMessage(\n cmdName,\n `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`,\n ),\n }\n }\n if (\n details.lockPath &&\n path.relative(cwd, details.lockPath).startsWith('.')\n ) {\n // Note: In tests we return <redacted> because otherwise snapshots will fail.\n const { REDACTED } = constants\n // Lazily access constants.ENV.VITEST.\n const redacting = constants.ENV.VITEST\n logger?.warn(\n cmdPrefixMessage(\n cmdName,\n `Package ${lockName} found at ${redacting ? REDACTED : details.lockPath}`,\n ),\n )\n }\n return { ok: true, data: details as EnvDetails }\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\n\nimport constants from '../constants.mts'\n\nimport type { CResult } from '../types.mts'\n\nexport const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion'\n\nexport function getCompletionSourcingCommand(): CResult<string> {\n // Note: this is exported to distPath in .config/rollup.dist.config.mjs\n const completionScriptExportPath = path.join(\n // Lazily access constants.distPath.\n constants.distPath,\n 'socket-completion.bash',\n )\n\n if (!fs.existsSync(completionScriptExportPath)) {\n return {\n ok: false,\n message: 'Tab Completion script not found',\n cause: `Expected to find completion script at \\`${completionScriptExportPath}\\` but it was not there`,\n }\n }\n\n return { ok: true, data: `source ${completionScriptExportPath}` }\n}\n\nexport function getBashrcDetails(targetCommandName: string): CResult<{\n completionCommand: string\n sourcingCommand: string\n toAddToBashrc: string\n targetName: string\n targetPath: string\n}> {\n const sourcingCommand = getCompletionSourcingCommand()\n if (!sourcingCommand.ok) {\n return sourcingCommand\n }\n\n // Lazily access constants.socketAppDataPath.\n const { socketAppDataPath } = constants\n if (!socketAppDataPath) {\n return {\n ok: false,\n message: 'Could not determine config directory',\n cause: 'Failed to get config path',\n }\n }\n\n // _socket_completion is the function defined in our completion bash script\n const completionCommand = `${COMPLETION_CMD_PREFIX} ${targetCommandName}`\n\n // Location of completion script in config after installing\n const completionScriptPath = path.join(\n path.dirname(socketAppDataPath),\n 'completion',\n 'socket-completion.bash',\n )\n\n const bashrcContent = `# Socket CLI completion for \"${targetCommandName}\"\nif [ -f \"${completionScriptPath}\" ]; then\n # Load the tab completion script\n source \"${completionScriptPath}\"\n # Tell bash to use this function for tab completion of this function\n ${completionCommand}\nfi\n`\n\n return {\n ok: true,\n data: {\n sourcingCommand: sourcingCommand.data,\n completionCommand,\n toAddToBashrc: bashrcContent,\n targetName: targetCommandName,\n targetPath: completionScriptPath,\n },\n }\n}\n"],"names":["workspacePatterns","throws","length","cwd","__proto__","absolute","ignores","dot","onlyDirectories","ignore","force","recursive","retries","root","dir","encoding","throwIfNoEntry","socketAppDataPath","logger","updateConfigValue","mkdirSync","ok","data","yml","path","parsed","prevDir","exports","debugFn","message","cause","_readOnlyConfig","_cachedConfig","localConfig","wasDeleted","_pendingSave","writeFileSync","getSentry","constructor","_defaultToken","constants","apiProxy","agent","proxy","baseUrl","name","version","homepage","spinner","error","sdkResult","method","headers","Authorization","result","mw2","lines","cols","cws","body","msg","keyPrefix","indent","padName","commandOrAliasName","type","hidden","description","argv","allowUnknownFlags","booleanDefault","autoHelp","autoVersion","configOverrideResult","emitBanner","parentName","Object","commands","out","cli2","collectUnknownFlags","importMeta","cli","console","process","meow","REDACTED","numeric","style","sdkOptions","desc","organizations","choices","value","orgSlug","GITHUB_REF_TYPE","info","remoteUrl","stdio","email","user","configValue","owner","repo","parsedGitRemoteUrlCache","SOCKET_WEBSITE_URL","namespace","keys","all","nothrow","shadowBinPath","shadowIndex","theBinPath","WIN32","existsSync","thePath","config","socketConfig","obj","json","sockJson","i","env","SOCKET_CLI_ISSUES_URL","_npmBinPath","_npmBinPathDetails","_npxBinPath","_npxBinPathDetails","ALERT_TYPE_MILD_CVE","cve","remove","upgrade","critical","high","middle","low","header","hyperlink","fallback","fallbackToUrl","raw","none","descriptions","consolidate","include","overrides","actions","existing","upgradable","highestForCve","alert","unfixableAlerts","highestForUpgrade","sockPkgAlerts","alertsByPurl","severity","exclude","sockPkgAlertsLoop","infoByPartialPurl","infos","key","vulnerableVersionRange","hideAt","hiddenAlerts","viewableAlerts","viewableAlertsByPurl","aboveTheFoldPurls","removedHiddenAlerts","hiddenAlertsByPurl","output","mentionedPurlsWithHiddenAlerts","prevAboveTheFold","totalRiskCounts","seen","blocked","unfixable","purls","components","purl","queryParams","alerts","compact","fixable","batchResult","remaining","SOCKET_IPC_HANDSHAKE","args","spawnPromise","PNPM","agentExecPath","NODE_OPTIONS","npmCommand","definitions","flatten","shorthands","flatConfig","YARN_CLASSIC","semver","onUnknown","editable","maintainedNodeVersions","engines","pkgAgentRange","pkgNodeRange","lockName","lockPath","features","npmBuggyOverrides","pkgRequirements","pkgSupports","node","cmdName","prod","toAddToBashrc","targetName","targetPath"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAkBA;AACE;AACA;AACA;AAAQ;AACR;AAAQ;AACR;AAAe;AACf;AAAe;AACf;AAAS;AACT;AAAoB;AACpB;AAAY;AACZ;AAAgB;AAChB;AACA;AACA;AAGF;AAEA;AAIE;;;AAMI;AACA;AACA;;AAEIA;;AAEF;AACE;AACF;AACF;AACF;AACF;AACEA;AAAkDC;;AAGpD;AACA;AAKF;AAEA;;;AAOE;AAAkBC;;;AAEhB;;AAQA;AACF;AACA;AACF;AAEA;AAKE;AACF;;AAEA;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACA;AACA;AAME;AACF;AACA;AACA;AAIA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;;;;AAQF;AAEA;;AACUA;AAAO;;AAEb;AACF;AACA;;;AAGA;AACA;AACA;;AAMA;AACA;;AAEF;AAEO;AAIL;AACA;AACF;AAEO;;;AAKH;AACA;;AAEA;AACF;AACA;AACF;AAMO;;AAKHC;;;AAGF;AAAMC;;;AAEN;AAEA;AAWA;AACEC;AACAF;AACF;AAEA;AACK;;AASHG;AACF;AAEA;AACA;AACEF;AACAC;;AAEAE;;;;;;AAOA;AACF;;AAEA;AACA;AACA;;AASF;AAEO;AACL;AACEF;;AAEAG;AACF;AACF;AAEO;;;AAOCH;;AAEAI;;AAGR;AAEO;AAIL;AACA;AACF;AAEO;AAGL;AACA;AACF;;AC3QO;AACL;;AAImBC;AAAaC;AAAgB;AAC5CC;AAAW;AAEjB;AAOO;AAGHT;AACA;;AAEa;AAEf;;AACQU;AAAK;;AAEb;AACE;;AAEI;AACF;;;AAGE;;AAEA;AACE;AACF;;AAEJ;AACAC;AACF;AACA;AACF;AASO;AAIL;AACE;;AAEA;AACAC;AACF;AACF;AAEO;AAIL;AACE;;AAEA;AACAA;AACF;AACF;AAOO;;AAKH;AACEA;AACA;;AAEA;AAAoCA;AAAkB;AACxD;;AAEF;AACF;AAOO;;;AAYDA;AACA;AAAoCA;AAAkB;AACxD;;AAEF;AACF;AA4BO;;;AAKyBC;;AAAkC;;AAEhE;AACF;;ACrJA;AAEA;AAmBA;AAGA;AAEA;;AAEI;;AAEA;;AACQC;AAAkB;AAC1B;AACE;AACA;;;AAME;AACEC;AACF;AACA;AACA;AACA;AACE;;AAEAC;AACF;AACF;AACEC;AAA6CT;AAAgB;AAC/D;AACF;AACF;AACA;AACF;AAEA;AAGE;AACA;AACA;AACA;AAEA;;AAEIU;;AAEAC;;AAEJ;;AACSD;AAAUC;;AACrB;AAEO;;;;AAIH;;;AAGEC;AACF;AACA;;;AAGMC;AACAC;;AAEJ;AACE;AACF;AACF;AACAC;;AAEF;AACA;AACF;AAEO;AAGL;AACA;AACA;AACE;AACF;;AACSL;AAAUC;;AACrB;;AAEA;AACA;AACO;AAGL;AACA;AACA;AACE;AACF;AACA;AACF;;AAEA;AACA;AACAK;AAEO;;AAEP;AAEO;;AAEP;AAEO;AACL;AACF;AAEO;AACL;AACF;AAEO;AACL;AACF;AAEA;AACA;AACA;AAEO;AACLC;AAEA;;;AAGE;AACE;AACA;;AAEEP;AACAQ;AACAC;;AAGJ;AACF;AACE;;AAEAC;;AAGEV;AACAQ;AACAC;;AAGJ;;AAEA;AACAE;AACAD;;AAEA;AACA;AACE;AACEb;AAGF;AACAc;;AAEF;;AAESX;AAAUC;;AACrB;AAEO;AACLM;AACA;AACAI;AACE;AACA;;;;AAEFD;AACF;AAEA;AACO;AAIL;AACA;AACA;AACE;AACF;AACA;AACA;AACA;;AAEE;AACEE;AACF;;AAEEC;AACF;AACF;;AAEIhB;AAGF;AACAe;AACF;AACA;;AAEIZ;;AAEAC;;AAEJ;;AAGEa;;AAEEA;AACA;;AACQlB;AAAkB;AAC1B;AACEmB;AAIF;AACF;AACF;;AAGEf;;AAEAC;;AAEJ;;AC/RA;;AAEE;AAA+De;AAAU;AAC3E;AAIO;AAEA;AAGLC;;;AAGA;AACF;AAEO;AAIL;AACA;;AAEA;AACF;AAEO;AAIL;;AAEE;AACF;AACAV;AACA;AACF;;AC1CO;;AAOL;AACA;AACF;;ACCA;AAEA;AAAQ1B;AAA4B;;AAEpC;AACA;AACE;AACE;;AAEF;AACF;;AAEA;AACA;AACE;AACE;;AAEF;AACF;AAEA;AACE;;AAEI;;AAEA;;AAEJ;AACA;AACF;;AAEA;AACA;AACO;AACL;AACA;AACEqC;AACF;AACE;AACE;;;AAKJ;AACA;AACF;AAEO;AACL;AACA;AAGF;AAEO;AACL;AACF;AAEO;;AAGH;;AAEA;AACAC;AAEJ;AAQO;AAGL;AAAepC;;;;;AACoB;;;AAI/ByB;AAEF;AACAU;AACF;;;AAIIlB;AACAQ;AACAC;;AAEJ;;AAEMW;AAAS;AACf;;AAEA;;;AAE4C;;;AAM1CpB;AACAC;AACEoB;AAAmCC;;AACnCC;;AAEE;AACAC;AACA;AACAC;AACA;AACAC;;;;AAIR;;ACjHA;AA4BO;;;AAISC;AAAQ;AACpB5C;;;AAIF;AACE4C;AACF;;AAEA;AAEA;;;AAGE;AACE;AACAA;AAGF;;AAEA;;AAEA;AACEA;AACApB;AACF;;AAEEA;AACF;;AACsBqB;AAAS;;AAG7B5B;AACAQ;;;AAGJ;;AAEA;;AAEA;AACA;;;;AAGUC;AAAc;AAEtB;AACEF;AACF;AACEA;AACF;;AACsBsB;AAAU;;AAG9B7B;AACAQ;;AAEAP;;AAEA;;AAEJ;;AACUA;AAAK;;AAEXD;AACAC;;AAEJ;AACF;AAEO;AAIL;;;;AAIE;AACA;AAEAM;;AACsBqB;AAAS;;AAG7B5B;AACAQ;;;AAGJ;;AAEA;AACA;;;AAIED;;AACsBqB;AAAM;;AAG1B5B;AACAQ;AACAC;AACAR;;AAEA;;AAEJ;;;AAGID;;;AAGJ;AACF;AAEO;;AAEH;AACF;AACA;AACE;AACF;;AAEE;AACF;;AAEE;AACF;;AAEF;;AAEA;AACO;AACL;AACE;;AAEF;AACE;AACF;AACA;AACA;AACA;AACF;AAEO;AACL;;AAEEH;AAGF;AAEA;AACEiC;AACAC;AACEC;AACF;AACF;AACF;AAEO;AAIL;;;AAGIhC;AACAQ;AACAC;;AAGJ;;AAEA;;AACQkB;AAAQ;AAEhB;AACEA;AACF;AAEA;;AAEEM;AACA;AACEN;AAGF;;AAEA;AACEA;AAGF;AAEA;AAEApB;;AACsBqB;AAAS;;AAG7B5B;AACAQ;AACA;AAAcC;;;AAElB;AAEA;;;AAGIT;AACAQ;AACAC;;AAEJ;;AAGE;;AAGET;AACAC;;;AAGFM;;AACsBqB;AAAS;;AAG7B5B;AACAQ;AACAC;;AAEJ;AACF;AAEO;;AAML;AACE;AACF;;;AAIIT;AACAC;;;;AAIAD;AACAQ;AACAC;;AAEJ;AACF;;ACzTO;AAKL;AACA;AACA;AACA;AACA;AACA;AACA;;AAEEyB;AACF;;;AAIAC;AACA;;AAIA;AACAA;AAEA;AACF;AAEO;AAEL;AACA;AACAC;AAGA;;AAGA;AACE;AAAkBvD;;AAChB;AACA;AACAwD;AAKF;AACF;;AAGA;;AAEA;;AAGA;AAAkBxD;;;AAElB;;AAGA;AACEyD;AACA;AAAkBzD;;AAChB;AACA;;AAEF;AACAyD;AACF;AAEA;AACF;AAEO;AAEL;AACA;AACAF;AAEA;;;;;AAMA;;AAGA;;AAEA;;AAGA;AAAkBvD;;;AAElB;;;AAIEyD;;;AAGAA;AACF;AAEA;AACF;;ACvGA;AACA;AACO;AACL;;AAEE/B;AAEA;AACEA;AACF;;AAEA;AACA;;;AAMIP;AACAQ;AACAP;AACF;AAEJ;;AAGE;;;;AAIA;;AAGAJ;;AACsB+B;AAAS;;AAG3B5B;AACAQ;AACAP;AACF;AAEJ;AACF;;ACtCO;;AAWH;AACF;AAEA;AACA;AACE;AACA;AACE;AACF;;;AAEQpB;AAAkB;;AAExB;AACF;AACA;AACA;AACA0D;;AAIEA;AACF;AACAA;AACF;;AAEA;AACA;AACA;;;AAIE1C;AAEIG;AACAQ;;AAEF;AAEJ;AACEX;AACF;AAEA;AACF;;AC9DO;AACL;AACE;AACF;AACA;AACE;AACF;AACA;AACF;;ACKO;;AAIG2C;AAAiB;AACvBzD;;;AAGF;;AAGE;AACE;AAAYyD;AAAU;AAE5B;AAEO;;AAKHC;AACAD;AACAE;AACF;AACE3D;;;;AAIF;AACA;AACE;;AAEE;AACF;AACA;;AAMF;AACA;AACF;;ACpDA;AACA;AACO;;AAKP;;ACyDO;;;;;;;;AAWL;AAAMA;;;AACN;;AAEA;AACE4D;AACF;AAEA;AACE;AACAlB;AACEmB;AACAC;AACAC;;AAEF;;;AAGF;AACA;;AAIA;;AAEE;AACEjD;AACA;AACE;AACAkD;AACF;AACF;AACA;AACA;;AAEElD;AACA;AACE;;AAOF;AACF;AACF;AAEA;;AAEI+C;AACAC;AAAe;AACfC;;;AAGAF;AACAC;AAAe;AACfC;;;AAGAF;AACAC;AAAe;AACfC;;;AAGAF;AACAC;AAAe;AACfC;;;;AAIJ;;;AAGA;;AAEA;AACA;AACA;;;AAGE;;AAEA;AACAE;AACAC;AAA2B;AAC3B;AACA;AACAC;AACAC;AACF;AAEA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACEC;AACE;AACAjC;;AAGFiC;AAGF;;AAEA;AACA;AACE;AACA;;AAEF;AACE;AACA;AACA;AACE;AACA;;AAEF;AACF;AAEA;AACEC;AACAxD;AACAA;;AAEA;AACF;;AAEA;AACA;AACE;AACA;;AAIA;;AAEA;AACA;;AAEIyD;AACF;AACF;AACF;;;AAII;AACE;AAGS;AAAc;AAIvB;AAEsC;AAAS;;AACjCT;AAAO;;;AAGf;AACF;AAGN;AACF;;AAEA;;AAuBAU;AAII;AACEC;AACF;AACE3D;AAIF;AACF;;;AAIE;AACA;;AAOJ;;AAGA4D;AACAA;AACAA;AACAA;AACAA;AAGAA;AACAA;AAGAA;AAGAA;AACAA;AACAA;AACAA;AACAA;AAGAA;AAGAA;AAGAA;AACAA;AACAA;AACAA;AACAA;AACAA;AACAA;AAGAA;AAGAA;AACAA;AACAA;AAGAA;AAGAA;AAGAA;AACAA;AACAA;AACAA;AAGAA;AAGAA;AACAA;AACAA;AAGAA;AAIA;AACF;;AAEA;AACA;AACA;;AAGF;AACA;AACA;AACA;;AAEA;AACA;AAAmCf;AAAY;;AAE/C;AACA;AACA;;;AAIM;;AAEA;AACAM;AACA;AACA;AACAE;AACAC;AACA;AACAF;AACF;;AAGF;AACA;AACEI;AACA;AACF;AACA;;AAEE;;AAEF;AACE;AACA;AACAK;AACF;AACF;;AAEA;AACA;AACA;AACO;AACLV;;;;AAIAM;AAOF;;;AAIE;;;AAGEJ;AAAiB;AACjBC;AACAF;AAA2B;AAC3BU;;;;AAIAC;AACF;AAEA;AACEP;AACA;AACAxD;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACEgE;AACF;;AAEA;AACA;AACE;AACAC;AACA;AACAC;AACF;;AAEA;AACA;AACA;AACA;;AAEAC;;AAEE;AACA;AACAhB;AACAE;AACAC;;;;;AAKF;AACA;;AAGA;AACF;AAEO;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEF;AAEA;AACE;;AACQc;AAAS;AACjB;AACA;AACA;AAEI;;;AAGJ;;;AAKA;AACA;AACA;AACA;AAOA;AACA;AACA;AACF;AACA;AACA;AACA;AACA;;AAGA;;AC/iBO;AACL;AACA;;AAGEC;AACAC;AACF;AAEA;AACA;AACE;AACA;;;AAGA;AACF;;AAEE;AACF;AACE;AACF;AACF;;ACXO;;AAGGC;AAAW;AACjBrF;;;AAIF;AACA;AACE;AACF;AACA;;AAGEsF;AACF;AACF;;ACvBO;AACL;AACA;AACExE;AAGA;AACF;;AAEA;AACA;;AACQyE;;AACR;AACE9D;AAEA+D;;;;AAKMC;;;AAGJ;AAEEhD;AACAgD;AACA1B;;AAIN;AAEA;AACE;AACF;AACA;AACF;;ACrCO;AACL;;AAEE;AACA;AACF;AAEA;;AAEEyB;AAEI/C;AACAgD;AACA1B;AACF;AAEEtB;AACAgD;AACA1B;AACF;AAEEtB;AACAgD;AACA1B;;AAIN;;AAEE;;AAEEjD;AACF;;AAKA;AACF;AACE;;AAEEA;AACF;;AAIA;AACF;AACF;;AC/CO;AAKL;;;;AAIIA;AAGAA;AACAA;AAGAA;AAGAA;AAGAA;AAGAA;AACAA;AAGAA;AACAA;AAGAA;AACAA;AAGA;AACF;;AAEA;AACAA;AAGAA;AAGAA;AACA;AACEA;AACF;AACE4E;AAEA;;AAEA;AACF;AACF;AAEA;AACF;;AC1DA;AACO;AACL;AACA;AACElE;;AACSP;AAAUC;;AACrB;;AAEA;AACA;AACA;AACEM;;AACSP;AAAUC;;AACrB;AAEA;AACA;AACE;AACF;;AAEQqE;;AACR;AACA;;AAEItE;AACAQ;AACAP;;AAEJ;AAEA;;;AAGID;AACAQ;AACAP;;AAEJ;AAEAM;;AAGEP;AACAQ;AACAP;;AAEJ;;AC7CO;AACL;;;;AAC0CyE;;AAC1C;AACA;AACE;AACF;AACA;AACA;AACE;AACF;AACA;AACA;;AAEE;AACqD5F;;AAGrD;AACA;AACE;AACF;;AAEF;AACA;AACA;AACF;AAOO;;;AAKH;AACwDA;;AAExD6F;;AAEEpE;;AACsBqE;AAAU;AAClC;;AAEArE;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AACL;AACA;AACF;AASO;AACL;AAAyC9C;;AACzC;AACA;;AAEE;;AAIF;AACA;;AAEE;;AAIF;AACF;AAQO;AACL;;AAEE+F;;;AAGFtE;;;AAGE;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;;AAGE;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;AACE;AACF;AACA;;AAEEiD;;AAEF;AACAtE;;;AAGE;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;AAEE;AAKA;;AAEAA;;AAEEA;AAIF;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAKL;AACErB;AACA;AACF;;AAEEzB;AACA;AACAgG;AACA;AACAC;AACF;AAAMhG;;;AAEN;AAEA;;AAEE8F;;;AAGFtE;;AAEE;;AAEAA;;AACsBqB;AAAS;AACjC;AAEA;AACArB;;AAEE;AACA;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;AAEE;AACA;AACA;;AAEA;AACEA;;AACsBqB;AAAS;AACjC;AACF;AACA;AACF;AAEO;AAKL;AAAyC9C;;AACzC;;AAK4B;AAAS;AAAS;AAC1C;AACA;AACE;AACAyB;;AAEE;AACAyE;;AAIA;AACEzE;;AACsBqB;AAAS;AACjC;AACF;AACF;;AAEE;;AAEEiD;;AAEF;AACAtE;;AAEE;;AAEA;AACEA;;AACsBqB;AAAS;AACjC;AACF;AACF;AACF;AAEJ;AAEO;AAIL;;AAEEiD;;AAEF;AACAtE;;AAEE;AACA;AAKA;;AAEA;AACEA;;AACsBqB;AAAS;AACjC;AACF;AACA;AACF;AAEO;AAIL;AAAyC9C;;;;;AAYzC;AACF;AAEO;AAIL;AACA;AACA;;AAEF;AAEO;AAIL;;AAEE+F;;AAEF;AACAtE;;AAEE;AACA;;AAEAA;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AAGL;AAAyC9C;;;;AAGvC;AAGA;;AAEEkB;;;;AAIFO;;AACsBqB;AAAS;;AAE7B5B;AACAQ;AACAC;;AAEJ;AACF;AAEA;AAEO;;AAEL;;;;AAEA;AACA;AACA;AACA;AACA;AACEwB;AAAWgD;;;AACb;AACE;;AAEE;AACA;AACA;AACA;;AAEA;AACA;;AAEEhD;;AAAkBiD;;AACpB;;AAEJ;AACAC;AACA;;AAA4B;AAC9B;;ACpaO;AAGL;AAGF;;ACdA;AAAQC;AAAmB;AAEpB;AAGL;;;AACcC;AAAU;AACxB;AAGF;AAMO;AAGL;AACA;;AAEF;AAEO;;;AASP;;ACnCA;AACA;AACA;AACA;AACO;AAGL;AAMF;;ACfO;AAIL;;;AAGE;;AACUC;AAAwBd;;AAClC;AACF;AACF;;ACKO;AAKL;AAEIe;AACAC;;AAEJ;;AACQC;AAAc;;AAEtB;AACA;AAAkB5G;;AAChB;AACA;;AAEE6G;AACF;AACEC;AACA;AACF;AACF;;AACSnE;AAAerB;;;AAC1B;AAEO;AACL;;AACQyF;AAAM;;AAEd;;AAEE;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACAC;;AAIF;;AAEA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA;AACC1F;AACC;AACCyF;AAEH;AACF;AACA;;AAEE;AACF;AACAE;AACF;AACF;AAOO;;AAKGC;AAAsBjH;AAAoB;AAChDC;;;;;AAMAiH;AACF;AAEA;AACF;;ACtDO;;;;AAIL;AACA;;AAEF;AAEO;;AAEH;AAEA;AAEA;AAEA;AAEAvE;;AAEJ;AAEO;;AAKL;AACElB;;AACSP;;;AACX;;;;;;AAMwB4B;AAAS;AAE/B;AACE/B;;AACSG;;;AACX;AACA;;AAEEA;AACAQ;;;AAGJ;AAEA;;AAEEyF;AACF;AACE1F;;AACsB2F;AAAK;AAE3B;AACErG;;AACSG;;;AACX;;AAGEA;AACAQ;AACAC;;AAEJ;;AAGEZ;;AACSG;;;AACX;;AAEA;AACA;;;AAESA;AAAUC;;AACrB;AAEO;;;;;AAQHM;;AACsBqB;AAAS;;AACTuE;AAAS;;AAE7BnG;AACAQ;AACAC;;AAGJ;;AAGA;;AAEST;AAAUC;;AACrB;;ACpKA;AAEO;;AAEL;AAAkBpB;;;AAEd;AACA;AACEoD;AACAmE;AACF;AACEnE;AACF;AACF;AACF;AACA;AACF;AAEO;AACL;;AAEA;AACA;AACE;AACF;AACA;AACF;AAEO;;AAEL;AACF;AAEO;AACL;AACF;;ACvBO;;AAKGoE;AAAc;AAAMtH;;;AAC5B;AACA;;;;AAMM;;AAEA;;AAEA;AACAoC;AAIA;AACAkF;;AAEE;;;;;AAKF;;;AAIKrG;;;;AAET;;;AAESA;AAAWC;AAASO;;AAC/B;AACF;;AC3CA;;;;AAAgC8F;AAAsB;AAEtD;AACEzG;AAGA;AACA;AACA;AACAkE;AACF;AAEA;AACO;;AAEHwC;;;AAGA;AACF;AACA;AACF;AAEA;AACA;;AAEIC;AACF;AACA;AACF;AAEA;AACO;;AAEH;;;;AAIE;;AAEA;;AAEA3G;AACA;AACA;AACA;AACAkE;AACF;AACF;AACA;AACF;AAEA;AACO;;AAEH;;;AAQF;AACA;AACF;AAEA;AACO;;AAEH0C;;;AAGA;AACF;AACA;AACF;AAEA;AACA;;AAEIC;AACF;AACA;AACF;AAEO;AACL;AACF;AAEO;AACL;AACF;;ACrCA;;;;AAIEC;AACF;AAEO;;AAGG/D;AAAK;AACb;AAMF;;ACjFO;;AAGkB7D;;AAAwB;AACjD;;ACFO;AACL6H;AACAC;AACAC;AACF;;ACDO;AACLC;AACAC;AACAC;AACAC;AACF;;ACLO;;AAIH;AACF;;AAGE;AACF;AAEAC;AACE;AAGF;AAEAC;AAIIC;AACAC;;AAMF;AACE;;AAII;AACN;AACA;AACF;;AAKE;AACF;;AAGE;AACF;;;AAMA;;AAGE;;AAIF;AACF;;;ACtCO;AAKL;AACE;;AAEA;;AAEA;;AAEA;;AAEA;;AAEA;AAAiB;;;AAEPC;AAAI;;;AAEJ1I;AAAO;;;AAGb;AACE;AACF;AACF;;AAEE;AACE;AACF;AACF;AACA;AACF;AACA;;AAEA;AACA;AACE;AACJ;AACF;AAEO;;AAEH;;;AAGF;AACF;AAEO;;AAEH;;AAEF;AACF;;AC7EA;AAEA;AAEO;;;AAGD;;AAGJ;AACA;AACF;;ACcO;AACLkI;AACAC;AACAC;AACAC;AACF;AAEO;AACLH;AACAC;AACAC;AACAC;AACAM;AACF;AAiBA;AAEA;AAEA;AASA;AACE;AACET;AACAC;AACAC;AACAC;;AAEF;;;;AAIM;;;AAGA;;;AAGA;;;AAGA;AACJ;AACF;AACA;AACF;AAEA;;;AAGIO;AACF;;AAEEA;AACF;;AAEEA;AACF;;AAEEA;AACF;AACA;AACF;AAmBO;AAKL;AACA;AACE;AACF;;AAEEC;AACAC;AACAC;AACF;AACE7I;;;AAIF;AACA;AAEA;AACEA;AACA8I;AAEAd;AACAH;AACAkB;AAEAC;;;AAIF;;AAMQnF;AAAiBnB;AAAQ;AACjC;AACE1C;;;;AAIF;AACE;AACA;;AAKE;AACF;AACA;;AAEA;;AAEA;AACA;AACA;;AAEA;;;;;;;;;;AAgBIwI;AACAQ;AACF;AACF;AACF;AACA;AACE;AACF;;AAEA;AACA;AAKE;AACA;;AAEA;AACE;;AAEA;AACE;AACA;AACA;AACA;;AAKA;AACE;AACA;;;AAGEC;AACEC;AACAxG;AACF;AACF;AACF;AACEyG;AACF;AACF;AACE;AACA;;;AAGEC;AAA+BF;AAAqBxG;AAAQ;AAC9D;AACF;AACEyG;AACF;AACF;AACAE;AACE;;AAOJ;AACEA;AACF;;AAEEC;AACF;AACA;AACF;AAEO;;AAEP;AAEO;AAIL;AACF;AAEO;AAIL;;AAEF;AAEO;AACL;;AACQC;;AACR;AASF;AAEO;;AAWP;AAoBO;;AAIGC;AAAkB;AACxBxJ;;;AAGF;AACEA;;;;AAKF;;AAC4B;AAAS;;AACnC;;AAMA;AACAyJ;AACE;;AAME;AACF;;AAEEC;AACF;AACA;;AAEEC;AACAD;AACF;;AACQE;AAAI;AACZ;AACE;AACA;AACA;AACA;AAEA;AAEA;;;AAGID;;AAEEE;AACE;AACA;AACAA;AAIJ;AACA;;AAEAhH;AACF;AACF;AAEArB;;AACsB0H;AAAM;AAE5B;;AACwBrG;AAAyC;AACjE;AACF;AACF;AACF;AACA;AACF;AAEO;AAGL;AACF;AAOO;;AAIGiH;;AAA2C;AACjD9J;;;AAIF;AACA;AAIA;AACA;AACA;AAEA;AAAkBF;;;AACR;AAAS;AAAU;;AAE3B;AACE;;AAGEiK;AACF;AACA;AACF;;;AAGA;AACA;AACE;AACF;AACAC;AACAC;AACA;AAMEC;AACF;AACF;;AAEA;AACA;AAAa;AAAQ;AACnB;AACE;AACF;AACAA;AACF;AACA;AACA;AAAa;AAAS;AAAgB;AACpC;AACE;AACF;AACAA;;AAEA;AACE;AACA;AACA;;AAKA;AACEC;AACAC;AACF;AACAH;AAIF;AACF;AAEA;;AAKMnK;;;AAII;AAAS;AAAU;AAC3B;AACA;;AACU+D;AAAK;;;;AAYb;AACA;AACA;AACA;AACA;;AAEA;AACAT;AACF;AACA;AACA;;AAKA;AACA;AACE8G;AACAG;AACF;AACEA;AACF;AACA;AACEA;AACF;;;AAEQvK;AAA0B;AAClC;AACEwK;;;AAKA;;AAIA;AACF;AACAC;AACF;;AAIA;AACE;AACEvC;AACAC;AACAC;AACAC;;AAEF;AAAa;AAAS;AAAU;AAC9B;AACE;AACF;AACA;AACAqC;AACAA;AACAA;AACAA;AACF;AACAH;AAGF;AACAA;AACF;;AC1lBO;;AAEP;AAEO;AACL;AACF;;ACEO;AACL;AACA;;AAEA;;AAEF;AAEO;AAGL;AACA;;AAEE;AACE;AACF;AACA;;AAEE;AACF;AACAI;AACA;AACEzK;;;AAGA;;AAEF;AACE;AACA;;AAEF;;;;AAIF;;AAIF;AAEO;AACL;AACF;AAEO;AAGL;AACA;;;;AAIA;AACA;AACF;AAEO;;AAEH;;AAEF;AACF;AAQO;AACL;AACF;AAEO;AACL;AACA;AACA;AACF;;ACrEO;AAIL;AACA;;;AAGA;AACF;AAUO;AAIL;AACEA;AACA2I;AACAC;AACAnC;;;;AAKAzG;AACA;AACA;AACA;AACA0K;AACA1C;AACAH;AACAkB;AACA4B;AACA3B;AACA;;AAGF;;AACoB4B;AAAiB;;AAE/B9K;AAAkB;AACxB;;AAGE;AACF;;AAEQ8C;AAAQ;AAChB;AAEAA;AAEA;;AAAmE;AACnE;;AAEE;AACF;AACA;AAEA;;;;AAIEA;;AAGF;AAEIiI;AAAqCC;AAAK;AAC5C;AAEEC;AACEC;AACAC;AACA;;;;AAGoCC;;AACtC;AACF;;;AAQA;AACE;AACA;;AAIF;;;;AAOwBC;AAAY;AAClC;AACF;AACAC;;AAEExI;AACF;AACF;;AAIA;AACF;;ACpIO;;;;AAML;AACF;;ACFA;;;;AAIEyI;AACF;AAWO;;;AAKHC;;;;AAIF;AAAMtL;;;AACN;AACA;AACA;AACA;AACA;AACA;AACE8F;AACF;AACEA;AACF;AACA;AACA;AACA;;;AAKA;;;;AAIE;;AAGE;;AAEA;;AAEA;;AAEA;AACA;AAGM;AACA1D;AAIN;;AAIA;AACA;AAEA;;AAEA;AACA;;;AAOA;;AAEAkF;;AAEE;;AAEA;AACF;AACF;AAEF;AACEiE;AACE;;;;AAIA;AACF;AACF;AACA;AACF;;AC9GA;;AAAaC;AAAK;AAWX;;;AAIUC;AAAc;AAC7B;;AAEE;;;AAGA;AACF;;AAEEH;;;AAGF;AAAMtL;;;AACN;;AAGE;;;AAGA8F;AACA;AACAwB;;AAEE;;AAEAoE;AAGM;;AAEJ;AACA;AAEF;AACF;AACF;AACF;;ACpCO;;AAIH3L;;;;AAIA4L;;;;AAIF;AAAM3L;;;AACN;AACEgE;;AAEA4H;;AAEAtE;;;AACAuE;;;AAGAC;AACF;AACA;AACA;AAAqB9L;AAAiB;;AAEtC;;AAEA;AACA;;AAEA;AACA;AACE+L;AACF;AACA;AACF;;ACzDO;;AAIP;;ACgBA;;;;;;;;;;;;AAYEC;AACF;AAEO;AAEP;AA+EA;;;;AAMQ;;AAEF;;AAEJ;AAEA;AAEA;;AAaQ;;AAEE;AACF;;AAEE;AACA;;;;AAIA;AACA;AACA;AACA;;;AAII;;;AAIN;AACA;AACF;AASR;;AAEA;AACA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF;AAEA;AACE;;AAEE;;AAEF;AACA;AAA+BvF;;AACjC;AAEA;AAIE;;;AAGI;AACA;AACA;AACAwF;AACE;;;;AAKI;;AAEF;;AAINzK;;AACsBqB;AAAS;AACjC;AACA;AACF;AAEO;AACL9C;AACAmM;AACa;;AACqCnM;AAAI;;AAEtD;;AAMiCA;AAAI;AACrC;;AAKqCoM;;AAErC;AACA;AACA;AAIA;AACA;AACE;AACA;AACA;AACA;;;;AAII7J;AACF;AACF;AACF;AACA;AAMEA;AACF;;AAEEA;;AAEF;AACA;;AAEA;AACEA;AACF;AACA;;AACQ8J;AAAuB;AAC/B;;;AAGA;AACA;;AAEA;AACA;AACA;;;;;AAIUC;;AACR;AACA;AACA;AACEC;AACA;AACA;AACA;;;AAGA;AACF;AACA;AACEC;AACA;AACA;AACA;;;AAGA;AACF;AACA;AAGA;AACE;AACA;;AAKE;;;;AAIA;AACF;AACF;;AAKF;AACEC;AACAC;AACF;;AAEA;AACA;AAGA;;AAGA;AAEA;AAKA;;;;;;;;AASEC;AAAYC;;;;;;;;;AAQZC;;;;AAIAC;AACE;;AAEA;AACAC;AAGF;;AAEJ;AAEO;;AAKHC;;AAEAC;AACF;AACEhN;;;AAGF;;;AAGIc;AAMF;AACF;;;;AAC4B8L;AAAgB;AAC5C;AACA;;;AAGI3L;AACAQ;;;AAMJ;AACA;AACE;;AAEER;AACAQ;;;AAMJ;AACA;;AAEIR;AACAQ;AACAC;;AAKJ;AACA;;AAEIT;AACAQ;;;AAMJ;AACA;;;AAGIR;AACAQ;AACAC;;AAEJ;;;AAGIT;AACAQ;AACAC;;AAEJ;AACA;;AAEIT;AACAQ;AACAC;;AAEJ;;;AAGIT;AACAQ;AACAC;;AAKJ;AACA;AAIE;;AACQwD;AAAS;AACjB;AACA;AACApE;AAMF;;AACSG;AAAUC;;AACrB;;AC/fO;AAEA;AACL;AACA;AACE;AACAkB;AAIF;;AAEInB;AACAQ;;;AAGJ;;AAESR;;;AACX;AAEO;AAOL;AACA;AACE;AACF;;AAEA;;AACQJ;AAAkB;;;AAGtBI;AACAQ;AACAC;;AAEJ;;AAEA;AACA;;AAEA;AACA;;AAOF;AACA;AACA;AACA;AACA;AACA;AACA;;AAGIT;AACAC;;;AAGE+L;AACAC;AACAC;AACF;;AAEJ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;","debugId":"613f7d50-fb1a-4c13-8fcf-25d4ec7a5f46"}