@socketsecurity/cli-with-sentry 1.1.0 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/dist/cli.js +465 -404
  2. package/dist/cli.js.map +1 -1
  3. package/dist/constants.js +3 -3
  4. package/dist/constants.js.map +1 -1
  5. package/dist/flags.js +5 -6
  6. package/dist/flags.js.map +1 -1
  7. package/dist/shadow-npm-bin.js +4 -4
  8. package/dist/shadow-npm-bin.js.map +1 -1
  9. package/dist/shadow-npm-inject.js +5 -8
  10. package/dist/shadow-npm-inject.js.map +1 -1
  11. package/dist/socket-completion.bash +1 -1
  12. package/dist/tsconfig.dts.tsbuildinfo +1 -1
  13. package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
  14. package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
  15. package/dist/types/commands/fix/{fix-env-helpers.d.mts → env-helpers.d.mts} +1 -1
  16. package/dist/types/commands/fix/env-helpers.d.mts.map +1 -0
  17. package/dist/types/commands/fix/git.d.mts +13 -0
  18. package/dist/types/commands/fix/git.d.mts.map +1 -0
  19. package/dist/types/commands/fix/pull-request.d.mts +10 -53
  20. package/dist/types/commands/fix/pull-request.d.mts.map +1 -1
  21. package/dist/types/commands/patch/cmd-patch.d.mts.map +1 -1
  22. package/dist/types/commands/patch/handle-patch.d.mts +1 -1
  23. package/dist/types/commands/patch/handle-patch.d.mts.map +1 -1
  24. package/dist/types/commands/patch/manifest-schema.d.mts +34 -0
  25. package/dist/types/commands/patch/manifest-schema.d.mts.map +1 -0
  26. package/dist/types/commands/scan/fetch-supported-scan-file-names.d.mts +2 -0
  27. package/dist/types/commands/scan/fetch-supported-scan-file-names.d.mts.map +1 -1
  28. package/dist/types/flags.d.mts +9 -8
  29. package/dist/types/flags.d.mts.map +1 -1
  30. package/dist/types/shadow/npm/arborist/lib/arborist/index.d.mts.map +1 -1
  31. package/dist/types/shadow/npm/paths.d.mts +0 -1
  32. package/dist/types/shadow/npm/paths.d.mts.map +1 -1
  33. package/dist/types/utils/fs.d.mts +0 -1
  34. package/dist/types/utils/fs.d.mts.map +1 -1
  35. package/dist/types/utils/github.d.mts +38 -0
  36. package/dist/types/utils/github.d.mts.map +1 -0
  37. package/dist/types/utils/glob.d.mts +0 -1
  38. package/dist/types/utils/glob.d.mts.map +1 -1
  39. package/dist/utils.js +205 -18
  40. package/dist/utils.js.map +1 -1
  41. package/dist/vendor.js +3460 -140
  42. package/external/@socketsecurity/registry/external/libnpmpack.js +96569 -41361
  43. package/external/@socketsecurity/registry/external/pacote.js +77357 -68133
  44. package/external/@socketsecurity/registry/lib/fs.js +13 -27
  45. package/external/@socketsecurity/registry/lib/json.js +42 -0
  46. package/external/@socketsecurity/registry/manifest.json +4 -4
  47. package/package.json +9 -8
  48. package/dist/types/commands/fix/fix-branch-helpers.d.mts +0 -4
  49. package/dist/types/commands/fix/fix-branch-helpers.d.mts.map +0 -1
  50. package/dist/types/commands/fix/fix-env-helpers.d.mts.map +0 -1
  51. package/dist/types/commands/fix/socket-git.d.mts +0 -32
  52. package/dist/types/commands/fix/socket-git.d.mts.map +0 -1
package/dist/constants.js CHANGED
@@ -145,10 +145,10 @@ const LAZY_ENV = () => {
145
145
  INLINED_SOCKET_CLI_SYNP_VERSION: envAsString("1.9.14"),
146
146
  // Comp-time inlined Socket package version.
147
147
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
148
- INLINED_SOCKET_CLI_VERSION: envAsString("1.1.0"),
148
+ INLINED_SOCKET_CLI_VERSION: envAsString("1.1.2"),
149
149
  // Comp-time inlined Socket package version hash.
150
150
  // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
151
- INLINED_SOCKET_CLI_VERSION_HASH: envAsString("1.1.0:cb6f6bb:96e51517:pub"),
151
+ INLINED_SOCKET_CLI_VERSION_HASH: envAsString("1.1.2:d3bacfd:1d89bc9a:pub"),
152
152
  // The absolute location of the %localappdata% folder on Windows used to store
153
153
  // user-specific, non-roaming application data, like temporary files, cached
154
154
  // data, and program settings, that are specific to the current machine and user.
@@ -474,5 +474,5 @@ const constants = createConstantsObject({
474
474
  });
475
475
 
476
476
  module.exports = constants;
477
- //# debugId=31999698-2c4b-47f0-b5a0-e4ad2d266451
477
+ //# debugId=3364307a-92fb-4837-b168-85d232de18c3
478
478
  //# sourceMappingURL=constants.js.map
package/dist/constants.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"constants.js","sources":["../src/constants.mts"],"sourcesContent":["import { realpathSync } from 'node:fs'\nimport { createRequire } from 'node:module'\nimport os from 'node:os'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport registryConstants from '@socketsecurity/registry/lib/constants'\n\nimport type { Agent } from './utils/package-environment.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { SpawnOptions } from '@socketsecurity/registry/lib/spawn'\n\nconst require = createRequire(import.meta.url)\nconst __filename = fileURLToPath(import.meta.url)\n// Using `path.dirname(__filename)` to resolve `__dirname` works for both 'dist'\n// AND 'src' directories because constants.js and constants.mts respectively are\n// in the root of each.\nconst __dirname = path.dirname(__filename)\n\nconst {\n NPM,\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: {\n attributes: registryConstantsAttribs,\n createConstantsObject,\n getIpc,\n },\n} = registryConstants\n\nexport type RegistryEnv = typeof registryConstants.ENV\n\nexport type RegistryInternals =\n (typeof registryConstants)['Symbol(kInternalsSymbol)']\n\nexport type Sentry = any\n\nexport type Internals = Remap<\n Omit<RegistryInternals, 'getIpc'> &\n Readonly<{\n getIpc: {\n (): Promise<IPC>\n <K extends keyof IPC | undefined>(\n key?: K | undefined,\n ): Promise<K extends keyof IPC ? IPC[K] : IPC>\n }\n getSentry: () => Sentry\n setSentry(Sentry: Sentry): boolean\n }>\n>\n\nexport type ENV = Remap<\n RegistryEnv &\n Readonly<{\n DISABLE_GITHUB_CACHE: boolean\n GITHUB_API_URL: string\n GITHUB_BASE_REF: string\n GITHUB_REF_NAME: string\n GITHUB_REF_TYPE: string\n GITHUB_REPOSITORY: string\n GITHUB_SERVER_URL: string\n GITHUB_TOKEN: string\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: string\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: string\n INLINED_SOCKET_CLI_HOMEPAGE: string\n INLINED_SOCKET_CLI_LEGACY_BUILD: string\n INLINED_SOCKET_CLI_NAME: string\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: string\n INLINED_SOCKET_CLI_SENTRY_BUILD: string\n INLINED_SOCKET_CLI_VERSION: string\n INLINED_SOCKET_CLI_VERSION_HASH: string\n INLINED_SOCKET_CLI_SYNP_VERSION: string\n LOCALAPPDATA: string\n NODE_COMPILE_CACHE: string\n NODE_EXTRA_CA_CERTS: string\n PATH: string\n SOCKET_CLI_ACCEPT_RISKS: boolean\n SOCKET_CLI_API_BASE_URL: string\n SOCKET_CLI_API_PROXY: string\n SOCKET_CLI_API_TIMEOUT: number\n SOCKET_CLI_API_TOKEN: string\n SOCKET_CLI_CONFIG: string\n SOCKET_CLI_GIT_USER_EMAIL: string\n SOCKET_CLI_GIT_USER_NAME: string\n SOCKET_CLI_GITHUB_TOKEN: string\n SOCKET_CLI_NO_API_TOKEN: boolean\n SOCKET_CLI_NPM_PATH: string\n SOCKET_CLI_ORG_SLUG: string\n SOCKET_CLI_VIEW_ALL_RISKS: boolean\n TERM: string\n XDG_DATA_HOME: string\n }>\n>\n\nexport type ProcessEnv = {\n [K in keyof ENV]?: string\n}\n\nexport type IPC = Readonly<{\n SOCKET_CLI_FIX?: string | undefined\n SOCKET_CLI_OPTIMIZE?: boolean | undefined\n SOCKET_CLI_SHADOW_ACCEPT_RISKS?: boolean | undefined\n SOCKET_CLI_SHADOW_API_TOKEN?: string | undefined\n SOCKET_CLI_SHADOW_BIN?: string | undefined\n SOCKET_CLI_SHADOW_PROGRESS?: boolean | undefined\n SOCKET_CLI_SHADOW_SILENT?: boolean | undefined\n}>\n\nexport type Constants = Remap<\n Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {\n readonly 'Symbol(kInternalsSymbol)': Internals\n readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'\n readonly ALERT_TYPE_CVE: 'cve'\n readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'\n readonly ALERT_TYPE_MILD_CVE: 'mildCVE'\n readonly API_V0_URL: 'https://api.socket.dev/v0/'\n readonly BINARY_LOCK_EXT: '.lockb'\n readonly BUN: 'bun'\n readonly ENV: ENV\n readonly DOT_SOCKET_DOT_FACTS_JSON: '.socket.facts.json'\n readonly DRY_RUN_LABEL: '[DryRun]'\n readonly DRY_RUN_BAILING_NOW: '[DryRun] Bailing now'\n readonly DRY_RUN_NOT_SAVING: '[DryRun] Not saving'\n readonly IPC: IPC\n readonly LOCK_EXT: '.lock'\n readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'\n readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'\n readonly PNPM: 'pnpm'\n readonly REDACTED: '<redacted>'\n readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'\n readonly SOCKET_CLI_BIN_NAME: 'socket'\n readonly SOCKET_CLI_CONFIG: 'SOCKET_CLI_CONFIG'\n readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'\n readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'\n readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'\n readonly SOCKET_CLI_SHADOW_ACCEPT_RISKS: 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'\n readonly SOCKET_CLI_SHADOW_API_TOKEN: 'SOCKET_CLI_SHADOW_API_TOKEN'\n readonly SOCKET_CLI_SHADOW_BIN: 'SOCKET_CLI_SHADOW_BIN'\n readonly SOCKET_CLI_SHADOW_PROGRESS: 'SOCKET_CLI_SHADOW_PROGRESS'\n readonly SOCKET_CLI_SHADOW_SILENT: 'SOCKET_CLI_SHADOW_SILENT'\n readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'\n readonly SOCKET_DEFAULT_BRANCH: 'socket-default-branch'\n readonly SOCKET_DEFAULT_REPOSITORY: 'socket-default-repository'\n readonly SOCKET_WEBSITE_URL: 'https://socket.dev'\n readonly VLT: 'vlt'\n readonly YARN: 'yarn'\n readonly YARN_BERRY: 'yarn/berry'\n readonly YARN_CLASSIC: 'yarn/classic'\n readonly YARN_LOCK: 'yarn.lock'\n readonly bashRcPath: string\n readonly binCliPath: string\n readonly binPath: string\n readonly blessedContribPath: string\n readonly blessedOptions: {\n smartCSR: boolean\n term: string\n useBCE: boolean\n }\n readonly blessedPath: string\n readonly coanaBinPath: string\n readonly coanaPath: string\n readonly distCliPath: string\n readonly distPath: string\n readonly externalPath: string\n readonly githubCachePath: string\n readonly homePath: string\n readonly instrumentWithSentryPath: string\n readonly minimumVersionByAgent: Map<Agent, string>\n readonly nmBinPath: string\n readonly nodeDebugFlags: string[]\n readonly nodeHardenFlags: string[]\n readonly nodeMemoryFlags: string[]\n readonly npmCachePath: string\n readonly npmGlobalPrefix: string\n readonly npmNmNodeGypPath: string\n readonly processEnv: ProcessEnv\n readonly rootPath: string\n readonly shadowBinPath: string\n readonly shadowNpmBinPath: string\n readonly shadowNpmInjectPath: string\n readonly socketAppDataPath: string\n readonly socketCachePath: string\n readonly socketRegistryPath: string\n readonly zshRcPath: string\n }\n>\n\nconst ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'\nconst ALERT_TYPE_CVE = 'cve'\nconst ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'\nconst ALERT_TYPE_MILD_CVE = 'mildCVE'\nconst API_V0_URL = 'https://api.socket.dev/v0/'\nconst BINARY_LOCK_EXT = '.lockb'\nconst BUN = 'bun'\nconst DOT_SOCKET_DOT_FACTS_JSON = '.socket.facts.json'\nconst DRY_RUN_LABEL = '[DryRun]'\nconst DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`\nconst DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`\nconst LOCALAPPDATA = 'LOCALAPPDATA'\nconst LOCK_EXT = '.lock'\nconst NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'\nconst NPM_REGISTRY_URL = 'https://registry.npmjs.org'\nconst PNPM = 'pnpm'\nconst REDACTED = '<redacted>'\nconst SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'\nconst SOCKET_CLI_BIN_NAME = 'socket'\nconst SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'\nconst SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'\nconst SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'\nconst SOCKET_CLI_SHADOW_ACCEPT_RISKS = 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'\nconst SOCKET_CLI_SHADOW_API_TOKEN = 'SOCKET_CLI_SHADOW_API_TOKEN'\nconst SOCKET_CLI_SHADOW_BIN = 'SOCKET_CLI_SHADOW_BIN'\nconst SOCKET_CLI_SHADOW_PROGRESS = 'SOCKET_CLI_SHADOW_PROGRESS'\nconst SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT'\nconst SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'\nconst SOCKET_DEFAULT_BRANCH = 'socket-default-branch'\nconst SOCKET_DEFAULT_REPOSITORY = 'socket-default-repository'\nconst SOCKET_WEBSITE_URL = 'https://socket.dev'\nconst VLT = 'vlt'\nconst YARN = 'yarn'\nconst YARN_BERRY = 'yarn/berry'\nconst YARN_CLASSIC = 'yarn/classic'\nconst YARN_LOCK = 'yarn.lock'\n\nlet _Sentry: any\n\nlet _npmStdioPipeOptions: SpawnOptions | undefined\nfunction getNpmStdioPipeOptions() {\n if (_npmStdioPipeOptions === undefined) {\n _npmStdioPipeOptions = {\n cwd: process.cwd(),\n shell: constants.WIN32,\n }\n }\n return _npmStdioPipeOptions\n}\n\nconst LAZY_ENV = () => {\n const { env } = process\n const envHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/env')\n const utils = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/utils.js'),\n )\n const envAsBoolean = envHelpers.envAsBoolean\n const envAsNumber = envHelpers.envAsNumber\n const envAsString = envHelpers.envAsString\n const getConfigValueOrUndef = utils.getConfigValueOrUndef\n const readOrDefaultSocketJson = utils.readOrDefaultSocketJson\n const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])\n const INLINED_SOCKET_CLI_PUBLISHED_BUILD = envAsBoolean(\n process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],\n )\n // We inline some environment values so that they CANNOT be influenced by user\n // provided environment variables.\n return Object.freeze({\n __proto__: null,\n // Lazily access registryConstants.ENV.\n ...registryConstants.ENV,\n // Disable using GitHub's workflow actions/cache.\n // https://github.com/actions/cache\n DISABLE_GITHUB_CACHE: envAsBoolean(env['DISABLE_GITHUB_CACHE']),\n // The API URL. For example, https://api.github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_API_URL:\n envAsString(env['GITHUB_API_URL']) || 'https://api.github.com',\n // The name of the base ref or target branch of the pull request in a workflow\n // run. This is only set when the event that triggers a workflow run is either\n // pull_request or pull_request_target. For example, main.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_BASE_REF: envAsString(env['GITHUB_BASE_REF']),\n // The short ref name of the branch or tag that triggered the GitHub workflow\n // run. This value matches the branch or tag name shown on GitHub. For example,\n // feature-branch-1. For pull requests, the format is <pr_number>/merge.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_NAME: envAsString(env['GITHUB_REF_NAME']),\n // The type of ref that triggered the workflow run. Valid values are branch or tag.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_TYPE: envAsString(env['GITHUB_REF_TYPE']),\n // The owner and repository name. For example, octocat/Hello-World.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),\n // The URL of the GitHub server. For example, https://github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_SERVER_URL:\n envAsString(env['GITHUB_SERVER_URL']) || 'https://github.com',\n // The GITHUB_TOKEN secret is a GitHub App installation access token.\n // The token's permissions are limited to the repository that contains the\n // workflow.\n // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret\n GITHUB_TOKEN,\n // Comp-time inlined @coana-tech/cli package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION']\".\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION'],\n ),\n // Comp-time inlined @cyclonedx/cdxgen package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']\".\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION'],\n ),\n // Comp-time inlined Socket package homepage.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_HOMEPAGE']\".\n INLINED_SOCKET_CLI_HOMEPAGE: envAsString(\n process.env['INLINED_SOCKET_CLI_HOMEPAGE'],\n ),\n // Comp-time inlined flag to determine if this is the Legacy build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']\".\n INLINED_SOCKET_CLI_LEGACY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],\n ),\n // Comp-time inlined Socket package name.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_NAME']\".\n INLINED_SOCKET_CLI_NAME: envAsString(\n process.env['INLINED_SOCKET_CLI_NAME'],\n ),\n // Comp-time inlined flag to determine if this is a published build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n INLINED_SOCKET_CLI_PUBLISHED_BUILD,\n // Comp-time inlined flag to determine if this is the Sentry build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\n INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],\n ),\n // Comp-time inlined synp package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SYNP_VERSION']\".\n INLINED_SOCKET_CLI_SYNP_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_SYNP_VERSION'],\n ),\n // Comp-time inlined Socket package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION']\".\n INLINED_SOCKET_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION'],\n ),\n // Comp-time inlined Socket package version hash.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n INLINED_SOCKET_CLI_VERSION_HASH: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION_HASH'],\n ),\n // The absolute location of the %localappdata% folder on Windows used to store\n // user-specific, non-roaming application data, like temporary files, cached\n // data, and program settings, that are specific to the current machine and user.\n LOCALAPPDATA: envAsString(env[LOCALAPPDATA]),\n // Enable the module compile cache for the Node.js instance.\n // https://nodejs.org/api/cli.html#node_compile_cachedir\n NODE_COMPILE_CACHE: constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR\n ? constants.socketCachePath\n : '',\n // Redefine registryConstants.ENV.NODE_ENV to account for the\n // INLINED_SOCKET_CLI_PUBLISHED_BUILD environment variable.\n NODE_ENV:\n envAsString(env['NODE_ENV']).toLowerCase() === 'production'\n ? 'production'\n : INLINED_SOCKET_CLI_PUBLISHED_BUILD\n ? ''\n : 'development',\n // Well known \"root\" CAs (like VeriSign) will be extended with the extra\n // certificates in file. The file should consist of one or more trusted\n // certificates in PEM format.\n // https://nodejs.org/api/cli.html#node_extra_ca_certsfile\n NODE_EXTRA_CA_CERTS:\n envAsString(env['NODE_EXTRA_CA_CERTS']) ||\n // Commonly used environment variable to specify the path to a single\n // PEM-encoded certificate file.\n envAsString(env['SSL_CERT_FILE']),\n // PATH is an environment variable that lists directories where executable\n // programs are located. When a command is run, the system searches these\n // directories to find the executable.\n PATH: envAsString(env['PATH']),\n // Accept risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),\n // Change the base URL for Socket API calls.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_BASE_URL:\n envAsString(env['SOCKET_CLI_API_BASE_URL']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_API_BASE_URL']) ||\n getConfigValueOrUndef('apiBaseUrl') ||\n 'https://api.socket.dev/v0/',\n // Set the proxy that all requests are routed through.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_PROXY:\n envAsString(env['SOCKET_CLI_API_PROXY']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_API_PROXY']) ||\n // Commonly used environment variables to specify routing requests through\n // a proxy server.\n envAsString(env['HTTPS_PROXY']) ||\n envAsString(env['https_proxy']) ||\n envAsString(env['HTTP_PROXY']) ||\n envAsString(env['http_proxy']),\n // Set the timeout in milliseconds for Socket API requests.\n // https://nodejs.org/api/http.html#httprequesturl-options-callback\n SOCKET_CLI_API_TIMEOUT: envAsNumber(env['SOCKET_CLI_API_TOKEN']),\n // Set the Socket API token.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables\n SOCKET_CLI_API_TOKEN:\n envAsString(env['SOCKET_CLI_API_TOKEN']) ||\n // TODO: Remove legacy environment variable names.\n envAsString(env['SOCKET_CLI_API_KEY']) ||\n envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_API_KEY']),\n // A JSON stringified Socket configuration object.\n SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),\n // The git config user.email used by Socket CLI.\n SOCKET_CLI_GIT_USER_EMAIL:\n envAsString(env['SOCKET_CLI_GIT_USER_EMAIL']) ||\n 'github-actions[bot]@users.noreply.github.com',\n // The git config user.name used by Socket CLI.\n SOCKET_CLI_GIT_USER_NAME:\n envAsString(env['SOCKET_CLI_GIT_USER_NAME']) ||\n envAsString(env['SOCKET_CLI_GIT_USERNAME']) ||\n 'github-actions[bot]',\n // Change the base URL for GitHub REST API calls.\n // https://docs.github.com/en/rest\n SOCKET_CLI_GITHUB_API_URL:\n envAsString(env['SOCKET_CLI_GITHUB_API_URL']) ||\n readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github\n ?.githubApiUrl ||\n 'https://api.github.com',\n // A classic GitHub personal access token with the \"repo\" scope or a\n // fine-grained access token with at least read/write permissions set for\n // \"Contents\" and \"Pull Request\".\n // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n SOCKET_CLI_GITHUB_TOKEN:\n envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) ||\n // TODO: Remove undocumented legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_GITHUB_PAT']) ||\n GITHUB_TOKEN,\n // Make the default API token `undefined`.\n SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),\n // The absolute location of the npm directory.\n SOCKET_CLI_NPM_PATH: envAsString(env['SOCKET_CLI_NPM_PATH']),\n // Specify the Socket organization slug.\n SOCKET_CLI_ORG_SLUG:\n envAsString(env['SOCKET_CLI_ORG_SLUG']) ||\n // Coana CLI accepts the SOCKET_ORG_SLUG environment variable.\n envAsString(env['SOCKET_ORG_SLUG']),\n // View all risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),\n // Specifies the type of terminal or terminal emulator being used by the process.\n TERM: envAsString(env['TERM']),\n // The location of the base directory on Linux and MacOS used to store\n // user-specific data files, defaulting to $HOME/.local/share if not set or empty.\n XDG_DATA_HOME: envAsString(env['XDG_DATA_HOME']),\n })\n}\n\nconst lazyBashRcPath = () => path.join(constants.homePath, '.bashrc')\n\nconst lazyBinPath = () => path.join(constants.rootPath, 'bin')\n\nconst lazyBinCliPath = () => path.join(constants.binPath, 'cli.js')\n\nconst lazyBlessedContribPath = () =>\n path.join(constants.externalPath, 'blessed-contrib')\n\nconst lazyBlessedOptions = () =>\n Object.freeze({\n smartCSR: true,\n term: constants.WIN32 ? 'windows-ansi' : 'xterm',\n useBCE: true,\n })\n\nconst lazyBlessedPath = () => path.join(constants.externalPath, 'blessed')\n\nconst lazyDistCliPath = () => path.join(constants.distPath, 'cli.js')\n\nconst lazyDistPath = () => path.join(constants.rootPath, 'dist')\n\nconst lazyExternalPath = () => path.join(constants.rootPath, 'external')\n\nconst lazyGithubCachePath = () => path.join(constants.socketCachePath, 'github')\n\nconst lazyHomePath = () => os.homedir()\n\nconst lazyInstrumentWithSentryPath = () =>\n path.join(constants.distPath, 'instrument-with-sentry.js')\n\nconst lazyMinimumVersionByAgent = () =>\n new Map([\n // Bun >=1.1.39 supports the text-based lockfile.\n // https://bun.sh/blog/bun-lock-text-lockfile\n [BUN, '1.1.39'],\n // The npm version bundled with Node 18.\n // https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch\n [NPM, '10.8.2'],\n // 8.x is the earliest version to support Node 18.\n // https://pnpm.io/installation#compatibility\n // https://www.npmjs.com/package/pnpm?activeTab=versions\n [PNPM, '8.15.7'],\n // 4.x supports >= Node 18.12.0\n // https://github.com/yarnpkg/berry/blob/%40yarnpkg/core/4.1.0/CHANGELOG.md#400\n [YARN_BERRY, '4.0.0'],\n // Latest 1.x.\n // https://www.npmjs.com/package/yarn?activeTab=versions\n [YARN_CLASSIC, '1.22.22'],\n // vlt does not support overrides so we don't gate on it.\n [VLT, '*'],\n ])\n\nconst lazyNmBinPath = () => path.join(constants.rootPath, 'node_modules/.bin')\n\nconst lazyNodeDebugFlags = () =>\n constants.ENV.SOCKET_CLI_DEBUG ? ['--trace-uncaught', '--trace-warnings'] : []\n\n// Redefine registryConstants.nodeHardenFlags to account for the\n// INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.\nconst lazyNodeHardenFlags = () =>\n Object.freeze(\n // Harden Node security.\n // https://nodejs.org/en/learn/getting-started/security-best-practices\n constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD || constants.WIN32\n ? [\n // https://nodejs.org/api/cli.html#--disallow-code-generation-from-strings\n // '--disallow-code-generation-from-strings'\n ]\n : [\n // '--disallow-code-generation-from-strings',\n // https://nodejs.org/api/cli.html#--disable-protomode\n // '--disable-proto',\n // 'throw',\n // https://nodejs.org/api/cli.html#--frozen-intrinsics\n // We have contributed the following patches to our dependencies to make\n // Node's --frozen-intrinsics workable.\n // √ https://github.com/SBoudrias/Inquirer.js/pull/1683\n // √ https://github.com/pnpm/components/pull/23\n // '--frozen-intrinsics',\n // https://nodejs.org/api/cli.html#--no-deprecation\n // '--no-deprecation',\n ],\n )\n\nconst lazyNodeMemoryFlags = () => {\n const flags = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/flags.js'),\n )\n const getMaxOldSpaceSizeFlag = flags.getMaxOldSpaceSizeFlag\n const getMaxSemiSpaceSizeFlag = flags.getMaxSemiSpaceSizeFlag\n return Object.freeze([\n `--max-old-space-size=${getMaxOldSpaceSizeFlag()}`,\n `--max-semi-space-size=${getMaxSemiSpaceSizeFlag()}`,\n ])\n}\n\nconst lazyNpmCachePath = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['config', 'get', 'cache'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmGlobalPrefix = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['prefix', '-g'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmNmNodeGypPath = () =>\n path.join(\n constants.npmRealExecPath,\n '../../node_modules/node-gyp/bin/node-gyp.js',\n )\n\nconst lazyProcessEnv = () =>\n Object.setPrototypeOf(\n Object.fromEntries(\n Object.entries(constants.ENV).reduce(\n (entries, entry) => {\n const { 0: key, 1: value } = entry\n if (key.startsWith('INLINED_SOCKET_CLI_')) {\n return entries\n }\n if (typeof value === 'string') {\n if (value) {\n entries.push(entry as [string, string])\n }\n } else if (typeof value === 'boolean' && value) {\n entries.push([key, '1'])\n }\n return entries\n },\n [] as Array<[string, string]>,\n ),\n ),\n null,\n )\n\nconst lazyRootPath = () => path.join(realpathSync.native(__dirname), '..')\n\nconst lazyShadowBinPath = () => path.join(constants.rootPath, 'shadow-npm-bin')\n\nconst lazyShadowNpmBinPath = () =>\n path.join(constants.distPath, 'shadow-npm-bin.js')\n\nconst lazyShadowNpmInjectPath = () =>\n path.join(constants.distPath, 'shadow-npm-inject.js')\n\nconst lazySocketAppDataPath = (): string | undefined => {\n // Get the OS app data directory:\n // - Win: %LOCALAPPDATA% or fail?\n // - Mac: %XDG_DATA_HOME% or fallback to \"~/Library/Application Support/\"\n // - Linux: %XDG_DATA_HOME% or fallback to \"~/.local/share/\"\n // Note: LOCALAPPDATA is typically: C:\\Users\\USERNAME\\AppData\n // Note: XDG stands for \"X Desktop Group\", nowadays \"freedesktop.org\"\n // On most systems that path is: $HOME/.local/share\n // Then append `socket/settings`, so:\n // - Win: %LOCALAPPDATA%\\socket\\settings or return undefined\n // - Mac: %XDG_DATA_HOME%/socket/settings or \"~/Library/Application Support/socket/settings\"\n // - Linux: %XDG_DATA_HOME%/socket/settings or \"~/.local/share/socket/settings\"\n const { WIN32 } = constants\n let dataHome: string | undefined = WIN32\n ? constants.ENV.LOCALAPPDATA\n : constants.ENV.XDG_DATA_HOME\n if (!dataHome) {\n if (WIN32) {\n const logger = /*@__PURE__*/ require('@socketsecurity/registry/lib/logger')\n logger.warn(`Missing %${LOCALAPPDATA}%`)\n } else {\n dataHome = path.join(\n constants.homePath,\n constants.DARWIN ? 'Library/Application Support' : '.local/share',\n )\n }\n }\n return dataHome ? path.join(dataHome, 'socket/settings') : undefined\n}\n\nconst lazySocketCachePath = () => path.join(constants.rootPath, '.cache')\n\nconst lazySocketRegistryPath = () =>\n path.join(constants.externalPath, '@socketsecurity/registry')\n\nconst lazyZshRcPath = () => path.join(constants.homePath, '.zshrc')\n\nconst constants: Constants = createConstantsObject(\n {\n ...registryConstantsAttribs.props,\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n API_V0_URL,\n BINARY_LOCK_EXT,\n BUN,\n DOT_SOCKET_DOT_FACTS_JSON,\n DRY_RUN_LABEL,\n DRY_RUN_BAILING_NOW,\n DRY_RUN_NOT_SAVING,\n ENV: undefined,\n LOCK_EXT,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n NPM_REGISTRY_URL,\n PNPM,\n REDACTED,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_BIN_NAME,\n SOCKET_CLI_FIX,\n SOCKET_CLI_ISSUES_URL,\n SOCKET_CLI_OPTIMIZE,\n SOCKET_CLI_SHADOW_ACCEPT_RISKS,\n SOCKET_CLI_SHADOW_API_TOKEN,\n SOCKET_CLI_SHADOW_BIN,\n SOCKET_CLI_SHADOW_PROGRESS,\n SOCKET_CLI_SHADOW_SILENT,\n SOCKET_CLI_VIEW_ALL_RISKS,\n SOCKET_DEFAULT_BRANCH,\n SOCKET_DEFAULT_REPOSITORY,\n SOCKET_WEBSITE_URL,\n VLT,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n YARN_LOCK,\n bashRcPath: undefined,\n binPath: undefined,\n binCliPath: undefined,\n blessedContribPath: undefined,\n blessedOptions: undefined,\n blessedPath: undefined,\n coanaBinPath: undefined,\n coanaPath: undefined,\n distCliPath: undefined,\n distPath: undefined,\n externalPath: undefined,\n githubCachePath: undefined,\n homePath: undefined,\n instrumentWithSentryPath: undefined,\n minimumVersionByAgent: undefined,\n nmBinPath: undefined,\n nodeHardenFlags: undefined,\n nodeDebugFlags: undefined,\n nodeMemoryFlags: undefined,\n npmCachePath: undefined,\n npmGlobalPrefix: undefined,\n npmNmNodeGypPath: undefined,\n processEnv: undefined,\n rootPath: undefined,\n shadowBinPath: undefined,\n shadowNpmInjectPath: undefined,\n shadowNpmBinPath: undefined,\n socketAppDataPath: undefined,\n socketCachePath: undefined,\n socketRegistryPath: undefined,\n zshRcPath: undefined,\n },\n {\n getters: {\n ...registryConstantsAttribs.getters,\n ENV: LAZY_ENV,\n bashRcPath: lazyBashRcPath,\n binCliPath: lazyBinCliPath,\n binPath: lazyBinPath,\n blessedContribPath: lazyBlessedContribPath,\n blessedOptions: lazyBlessedOptions,\n blessedPath: lazyBlessedPath,\n distCliPath: lazyDistCliPath,\n distPath: lazyDistPath,\n externalPath: lazyExternalPath,\n githubCachePath: lazyGithubCachePath,\n homePath: lazyHomePath,\n instrumentWithSentryPath: lazyInstrumentWithSentryPath,\n minimumVersionByAgent: lazyMinimumVersionByAgent,\n nmBinPath: lazyNmBinPath,\n nodeDebugFlags: lazyNodeDebugFlags,\n nodeHardenFlags: lazyNodeHardenFlags,\n nodeMemoryFlags: lazyNodeMemoryFlags,\n npmCachePath: lazyNpmCachePath,\n npmGlobalPrefix: lazyNpmGlobalPrefix,\n npmNmNodeGypPath: lazyNpmNmNodeGypPath,\n processEnv: lazyProcessEnv,\n rootPath: lazyRootPath,\n shadowBinPath: lazyShadowBinPath,\n shadowNpmBinPath: lazyShadowNpmBinPath,\n shadowNpmInjectPath: lazyShadowNpmInjectPath,\n socketAppDataPath: lazySocketAppDataPath,\n socketCachePath: lazySocketCachePath,\n socketRegistryPath: lazySocketRegistryPath,\n zshRcPath: lazyZshRcPath,\n },\n internals: {\n ...registryConstantsAttribs.internals,\n getIpc,\n getSentry() {\n return _Sentry\n },\n setSentry(Sentry: Sentry): boolean {\n if (_Sentry === undefined) {\n _Sentry = Sentry\n return true\n }\n return false\n },\n },\n },\n) as Constants\n\nexport default constants\n"],"names":["attributes","getIpc","_npmStdioPipeOptions","cwd","env","__proto__","DISABLE_GITHUB_CACHE","GITHUB_BASE_REF","GITHUB_REF_NAME","GITHUB_REF_TYPE","GITHUB_REPOSITORY","LOCALAPPDATA","NODE_EXTRA_CA_CERTS","envAsString","PATH","SOCKET_CLI_ACCEPT_RISKS","SOCKET_CLI_API_BASE_URL","SOCKET_CLI_API_PROXY","SOCKET_CLI_API_TIMEOUT","SOCKET_CLI_API_TOKEN","SOCKET_CLI_CONFIG","SOCKET_CLI_GIT_USER_NAME","SOCKET_CLI_GITHUB_TOKEN","SOCKET_CLI_NO_API_TOKEN","SOCKET_CLI_NPM_PATH","SOCKET_CLI_ORG_SLUG","SOCKET_CLI_VIEW_ALL_RISKS","TERM","XDG_DATA_HOME","smartCSR","term","useBCE","constants","entries","WIN32","logger","dataHome","ENV","bashRcPath","binPath","binCliPath","blessedContribPath","blessedOptions","blessedPath","coanaBinPath","coanaPath","distCliPath","distPath","externalPath","githubCachePath","homePath","instrumentWithSentryPath","minimumVersionByAgent","nmBinPath","nodeHardenFlags","nodeDebugFlags","nodeMemoryFlags","npmCachePath","npmGlobalPrefix","npmNmNodeGypPath","processEnv","rootPath","shadowBinPath","shadowNpmInjectPath","shadowNpmBinPath","socketAppDataPath","socketCachePath","socketRegistryPath","zshRcPath","getters","internals","getSentry","_Sentry"],"mappings":";;;;;;;;;;AAYA;AACA;AACA;AACA;AACA;AACA;AAEA;;;AAGE;AACEA;;AAEAC;AACF;AACF;AA+JA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;;AAEIC;AACEC;;;AAGJ;AACA;AACF;AAEA;;AACUC;AAAI;AACZ;AACA;AAGA;AACA;AACA;AACA;AACA;;;AAKA;AACA;;AAEEC;AACA;;AAEA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;AACAC;AACA;AACA;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;AACA;AACAC;AACA;AACA;;AAIA;AACA;;AAOA;AACA;AACA;AACA;AACAC;AAEE;AACA;AACAC;AACF;AACA;AACA;AACAC;AACA;AACAC;AACA;AACA;AACAC;AAEE;AACAH;AAGF;AACA;AACAI;AAEE;AACAJ;AACA;AACA;AACAA;AAIF;AACA;AACAK;AACA;AACA;AACAC;AAEE;;AAIF;AACAC;AACA;;AAIA;AACAC;AAIA;AACA;;AAMA;AACA;AACA;AACA;AACAC;AAEE;AACAT;AAEF;AACAU;AACA;AACAC;AACA;AACAC;AAEE;AACAZ;AACF;AACAa;AACA;AACAC;AACA;AACA;AACAC;AACF;AACF;AAEA;AAEA;AAEA;AAEA;AAGA;AAEIC;AACAC;AACAC;AACF;AAEF;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAGA;AAEI;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGJ;AAEA;;AAGA;AACA;AACA;AAEI;AACA;AACAC;AAEM;AACA;AAAA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAIV;AACE;AAGA;AACA;AACA;AAIF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AAMA;;AAKkB;AAAQ;AAAS;AACzB;AACE;AACF;AACA;AACE;AACEC;AACF;;;AAGF;AACA;AACF;AAOR;AAEA;AAEA;AAGA;AAGA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACQC;AAAM;AACd;;AAIE;AACE;AACAC;AACF;AACEC;AAIF;AACF;;AAEF;AAEA;AAEA;AAGA;AAEA;;;;;;;;;;;;;AAcIC;;;;;;;;;;;;;;;;;;;;;;;;;AAyBAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEC;;AAEEhC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAG;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;;AAEFE;;;AAGEC;AACE;;;;AAIEC;AACA;AACF;AACA;AACF;AACF;AACF;;","debugId":"31999698-2c4b-47f0-b5a0-e4ad2d266451"}
1
+ {"version":3,"file":"constants.js","sources":["../src/constants.mts"],"sourcesContent":["import { realpathSync } from 'node:fs'\nimport { createRequire } from 'node:module'\nimport os from 'node:os'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport registryConstants from '@socketsecurity/registry/lib/constants'\n\nimport type { Agent } from './utils/package-environment.mts'\nimport type { Remap } from '@socketsecurity/registry/lib/objects'\nimport type { SpawnOptions } from '@socketsecurity/registry/lib/spawn'\n\nconst require = createRequire(import.meta.url)\nconst __filename = fileURLToPath(import.meta.url)\n// Using `path.dirname(__filename)` to resolve `__dirname` works for both 'dist'\n// AND 'src' directories because constants.js and constants.mts respectively are\n// in the root of each.\nconst __dirname = path.dirname(__filename)\n\nconst {\n NPM,\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: {\n attributes: registryConstantsAttribs,\n createConstantsObject,\n getIpc,\n },\n} = registryConstants\n\nexport type RegistryEnv = typeof registryConstants.ENV\n\nexport type RegistryInternals =\n (typeof registryConstants)['Symbol(kInternalsSymbol)']\n\nexport type Sentry = any\n\nexport type Internals = Remap<\n Omit<RegistryInternals, 'getIpc'> &\n Readonly<{\n getIpc: {\n (): Promise<IPC>\n <K extends keyof IPC | undefined>(\n key?: K | undefined,\n ): Promise<K extends keyof IPC ? IPC[K] : IPC>\n }\n getSentry: () => Sentry\n setSentry(Sentry: Sentry): boolean\n }>\n>\n\nexport type ENV = Remap<\n RegistryEnv &\n Readonly<{\n DISABLE_GITHUB_CACHE: boolean\n GITHUB_API_URL: string\n GITHUB_BASE_REF: string\n GITHUB_REF_NAME: string\n GITHUB_REF_TYPE: string\n GITHUB_REPOSITORY: string\n GITHUB_SERVER_URL: string\n GITHUB_TOKEN: string\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: string\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: string\n INLINED_SOCKET_CLI_HOMEPAGE: string\n INLINED_SOCKET_CLI_LEGACY_BUILD: string\n INLINED_SOCKET_CLI_NAME: string\n INLINED_SOCKET_CLI_PUBLISHED_BUILD: string\n INLINED_SOCKET_CLI_SENTRY_BUILD: string\n INLINED_SOCKET_CLI_VERSION: string\n INLINED_SOCKET_CLI_VERSION_HASH: string\n INLINED_SOCKET_CLI_SYNP_VERSION: string\n LOCALAPPDATA: string\n NODE_COMPILE_CACHE: string\n NODE_EXTRA_CA_CERTS: string\n PATH: string\n SOCKET_CLI_ACCEPT_RISKS: boolean\n SOCKET_CLI_API_BASE_URL: string\n SOCKET_CLI_API_PROXY: string\n SOCKET_CLI_API_TIMEOUT: number\n SOCKET_CLI_API_TOKEN: string\n SOCKET_CLI_CONFIG: string\n SOCKET_CLI_GIT_USER_EMAIL: string\n SOCKET_CLI_GIT_USER_NAME: string\n SOCKET_CLI_GITHUB_TOKEN: string\n SOCKET_CLI_NO_API_TOKEN: boolean\n SOCKET_CLI_NPM_PATH: string\n SOCKET_CLI_ORG_SLUG: string\n SOCKET_CLI_VIEW_ALL_RISKS: boolean\n TERM: string\n XDG_DATA_HOME: string\n }>\n>\n\nexport type ProcessEnv = {\n [K in keyof ENV]?: string\n}\n\nexport type IPC = Readonly<{\n SOCKET_CLI_FIX?: string | undefined\n SOCKET_CLI_OPTIMIZE?: boolean | undefined\n SOCKET_CLI_SHADOW_ACCEPT_RISKS?: boolean | undefined\n SOCKET_CLI_SHADOW_API_TOKEN?: string | undefined\n SOCKET_CLI_SHADOW_BIN?: string | undefined\n SOCKET_CLI_SHADOW_PROGRESS?: boolean | undefined\n SOCKET_CLI_SHADOW_SILENT?: boolean | undefined\n}>\n\nexport type Constants = Remap<\n Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {\n readonly 'Symbol(kInternalsSymbol)': Internals\n readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'\n readonly ALERT_TYPE_CVE: 'cve'\n readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'\n readonly ALERT_TYPE_MILD_CVE: 'mildCVE'\n readonly API_V0_URL: 'https://api.socket.dev/v0/'\n readonly BINARY_LOCK_EXT: '.lockb'\n readonly BUN: 'bun'\n readonly ENV: ENV\n readonly DOT_SOCKET_DOT_FACTS_JSON: '.socket.facts.json'\n readonly DRY_RUN_LABEL: '[DryRun]'\n readonly DRY_RUN_BAILING_NOW: '[DryRun] Bailing now'\n readonly DRY_RUN_NOT_SAVING: '[DryRun] Not saving'\n readonly IPC: IPC\n readonly LOCK_EXT: '.lock'\n readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'\n readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'\n readonly PNPM: 'pnpm'\n readonly REDACTED: '<redacted>'\n readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'\n readonly SOCKET_CLI_BIN_NAME: 'socket'\n readonly SOCKET_CLI_CONFIG: 'SOCKET_CLI_CONFIG'\n readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'\n readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'\n readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'\n readonly SOCKET_CLI_SHADOW_ACCEPT_RISKS: 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'\n readonly SOCKET_CLI_SHADOW_API_TOKEN: 'SOCKET_CLI_SHADOW_API_TOKEN'\n readonly SOCKET_CLI_SHADOW_BIN: 'SOCKET_CLI_SHADOW_BIN'\n readonly SOCKET_CLI_SHADOW_PROGRESS: 'SOCKET_CLI_SHADOW_PROGRESS'\n readonly SOCKET_CLI_SHADOW_SILENT: 'SOCKET_CLI_SHADOW_SILENT'\n readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'\n readonly SOCKET_DEFAULT_BRANCH: 'socket-default-branch'\n readonly SOCKET_DEFAULT_REPOSITORY: 'socket-default-repository'\n readonly SOCKET_WEBSITE_URL: 'https://socket.dev'\n readonly VLT: 'vlt'\n readonly YARN: 'yarn'\n readonly YARN_BERRY: 'yarn/berry'\n readonly YARN_CLASSIC: 'yarn/classic'\n readonly YARN_LOCK: 'yarn.lock'\n readonly bashRcPath: string\n readonly binCliPath: string\n readonly binPath: string\n readonly blessedContribPath: string\n readonly blessedOptions: {\n smartCSR: boolean\n term: string\n useBCE: boolean\n }\n readonly blessedPath: string\n readonly coanaBinPath: string\n readonly coanaPath: string\n readonly distCliPath: string\n readonly distPath: string\n readonly externalPath: string\n readonly githubCachePath: string\n readonly homePath: string\n readonly instrumentWithSentryPath: string\n readonly minimumVersionByAgent: Map<Agent, string>\n readonly nmBinPath: string\n readonly nodeDebugFlags: string[]\n readonly nodeHardenFlags: string[]\n readonly nodeMemoryFlags: string[]\n readonly npmCachePath: string\n readonly npmGlobalPrefix: string\n readonly npmNmNodeGypPath: string\n readonly processEnv: ProcessEnv\n readonly rootPath: string\n readonly shadowBinPath: string\n readonly shadowNpmBinPath: string\n readonly shadowNpmInjectPath: string\n readonly socketAppDataPath: string\n readonly socketCachePath: string\n readonly socketRegistryPath: string\n readonly zshRcPath: string\n }\n>\n\nconst ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'\nconst ALERT_TYPE_CVE = 'cve'\nconst ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'\nconst ALERT_TYPE_MILD_CVE = 'mildCVE'\nconst API_V0_URL = 'https://api.socket.dev/v0/'\nconst BINARY_LOCK_EXT = '.lockb'\nconst BUN = 'bun'\nconst DOT_SOCKET_DOT_FACTS_JSON = '.socket.facts.json'\nconst DRY_RUN_LABEL = '[DryRun]'\nconst DRY_RUN_BAILING_NOW = `${DRY_RUN_LABEL}: Bailing now`\nconst DRY_RUN_NOT_SAVING = `${DRY_RUN_LABEL}: Not saving`\nconst LOCALAPPDATA = 'LOCALAPPDATA'\nconst LOCK_EXT = '.lock'\nconst NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'\nconst NPM_REGISTRY_URL = 'https://registry.npmjs.org'\nconst PNPM = 'pnpm'\nconst REDACTED = '<redacted>'\nconst SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'\nconst SOCKET_CLI_BIN_NAME = 'socket'\nconst SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'\nconst SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'\nconst SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'\nconst SOCKET_CLI_SHADOW_ACCEPT_RISKS = 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'\nconst SOCKET_CLI_SHADOW_API_TOKEN = 'SOCKET_CLI_SHADOW_API_TOKEN'\nconst SOCKET_CLI_SHADOW_BIN = 'SOCKET_CLI_SHADOW_BIN'\nconst SOCKET_CLI_SHADOW_PROGRESS = 'SOCKET_CLI_SHADOW_PROGRESS'\nconst SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT'\nconst SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'\nconst SOCKET_DEFAULT_BRANCH = 'socket-default-branch'\nconst SOCKET_DEFAULT_REPOSITORY = 'socket-default-repository'\nconst SOCKET_WEBSITE_URL = 'https://socket.dev'\nconst VLT = 'vlt'\nconst YARN = 'yarn'\nconst YARN_BERRY = 'yarn/berry'\nconst YARN_CLASSIC = 'yarn/classic'\nconst YARN_LOCK = 'yarn.lock'\n\nlet _Sentry: any\n\nlet _npmStdioPipeOptions: SpawnOptions | undefined\nfunction getNpmStdioPipeOptions() {\n if (_npmStdioPipeOptions === undefined) {\n _npmStdioPipeOptions = {\n cwd: process.cwd(),\n shell: constants.WIN32,\n }\n }\n return _npmStdioPipeOptions\n}\n\nconst LAZY_ENV = () => {\n const { env } = process\n const envHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/env')\n const utils = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/utils.js'),\n )\n const envAsBoolean = envHelpers.envAsBoolean\n const envAsNumber = envHelpers.envAsNumber\n const envAsString = envHelpers.envAsString\n const getConfigValueOrUndef = utils.getConfigValueOrUndef\n const readOrDefaultSocketJson = utils.readOrDefaultSocketJson\n const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])\n const INLINED_SOCKET_CLI_PUBLISHED_BUILD = envAsBoolean(\n process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],\n )\n // We inline some environment values so that they CANNOT be influenced by user\n // provided environment variables.\n return Object.freeze({\n __proto__: null,\n // Lazily access registryConstants.ENV.\n ...registryConstants.ENV,\n // Disable using GitHub's workflow actions/cache.\n // https://github.com/actions/cache\n DISABLE_GITHUB_CACHE: envAsBoolean(env['DISABLE_GITHUB_CACHE']),\n // The API URL. For example, https://api.github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_API_URL:\n envAsString(env['GITHUB_API_URL']) || 'https://api.github.com',\n // The name of the base ref or target branch of the pull request in a workflow\n // run. This is only set when the event that triggers a workflow run is either\n // pull_request or pull_request_target. For example, main.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_BASE_REF: envAsString(env['GITHUB_BASE_REF']),\n // The short ref name of the branch or tag that triggered the GitHub workflow\n // run. This value matches the branch or tag name shown on GitHub. For example,\n // feature-branch-1. For pull requests, the format is <pr_number>/merge.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_NAME: envAsString(env['GITHUB_REF_NAME']),\n // The type of ref that triggered the workflow run. Valid values are branch or tag.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REF_TYPE: envAsString(env['GITHUB_REF_TYPE']),\n // The owner and repository name. For example, octocat/Hello-World.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),\n // The URL of the GitHub server. For example, https://github.com.\n // https://docs.github.com/en/codespaces/developing-in-a-codespace/default-environment-variables-for-your-codespace#list-of-default-environment-variables\n GITHUB_SERVER_URL:\n envAsString(env['GITHUB_SERVER_URL']) || 'https://github.com',\n // The GITHUB_TOKEN secret is a GitHub App installation access token.\n // The token's permissions are limited to the repository that contains the\n // workflow.\n // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret\n GITHUB_TOKEN,\n // Comp-time inlined @coana-tech/cli package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION']\".\n INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION'],\n ),\n // Comp-time inlined @cyclonedx/cdxgen package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']\".\n INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION'],\n ),\n // Comp-time inlined Socket package homepage.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_HOMEPAGE']\".\n INLINED_SOCKET_CLI_HOMEPAGE: envAsString(\n process.env['INLINED_SOCKET_CLI_HOMEPAGE'],\n ),\n // Comp-time inlined flag to determine if this is the Legacy build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']\".\n INLINED_SOCKET_CLI_LEGACY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],\n ),\n // Comp-time inlined Socket package name.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_NAME']\".\n INLINED_SOCKET_CLI_NAME: envAsString(\n process.env['INLINED_SOCKET_CLI_NAME'],\n ),\n // Comp-time inlined flag to determine if this is a published build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n INLINED_SOCKET_CLI_PUBLISHED_BUILD,\n // Comp-time inlined flag to determine if this is the Sentry build.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\n INLINED_SOCKET_CLI_SENTRY_BUILD: envAsBoolean(\n process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],\n ),\n // Comp-time inlined synp package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SYNP_VERSION']\".\n INLINED_SOCKET_CLI_SYNP_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_SYNP_VERSION'],\n ),\n // Comp-time inlined Socket package version.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION']\".\n INLINED_SOCKET_CLI_VERSION: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION'],\n ),\n // Comp-time inlined Socket package version hash.\n // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n INLINED_SOCKET_CLI_VERSION_HASH: envAsString(\n process.env['INLINED_SOCKET_CLI_VERSION_HASH'],\n ),\n // The absolute location of the %localappdata% folder on Windows used to store\n // user-specific, non-roaming application data, like temporary files, cached\n // data, and program settings, that are specific to the current machine and user.\n LOCALAPPDATA: envAsString(env[LOCALAPPDATA]),\n // Enable the module compile cache for the Node.js instance.\n // https://nodejs.org/api/cli.html#node_compile_cachedir\n NODE_COMPILE_CACHE: constants.SUPPORTS_NODE_COMPILE_CACHE_ENV_VAR\n ? constants.socketCachePath\n : '',\n // Redefine registryConstants.ENV.NODE_ENV to account for the\n // INLINED_SOCKET_CLI_PUBLISHED_BUILD environment variable.\n NODE_ENV:\n envAsString(env['NODE_ENV']).toLowerCase() === 'production'\n ? 'production'\n : INLINED_SOCKET_CLI_PUBLISHED_BUILD\n ? ''\n : 'development',\n // Well known \"root\" CAs (like VeriSign) will be extended with the extra\n // certificates in file. The file should consist of one or more trusted\n // certificates in PEM format.\n // https://nodejs.org/api/cli.html#node_extra_ca_certsfile\n NODE_EXTRA_CA_CERTS:\n envAsString(env['NODE_EXTRA_CA_CERTS']) ||\n // Commonly used environment variable to specify the path to a single\n // PEM-encoded certificate file.\n envAsString(env['SSL_CERT_FILE']),\n // PATH is an environment variable that lists directories where executable\n // programs are located. When a command is run, the system searches these\n // directories to find the executable.\n PATH: envAsString(env['PATH']),\n // Accept risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),\n // Change the base URL for Socket API calls.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_BASE_URL:\n envAsString(env['SOCKET_CLI_API_BASE_URL']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_API_BASE_URL']) ||\n getConfigValueOrUndef('apiBaseUrl') ||\n 'https://api.socket.dev/v0/',\n // Set the proxy that all requests are routed through.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development\n SOCKET_CLI_API_PROXY:\n envAsString(env['SOCKET_CLI_API_PROXY']) ||\n // TODO: Remove legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_API_PROXY']) ||\n // Commonly used environment variables to specify routing requests through\n // a proxy server.\n envAsString(env['HTTPS_PROXY']) ||\n envAsString(env['https_proxy']) ||\n envAsString(env['HTTP_PROXY']) ||\n envAsString(env['http_proxy']),\n // Set the timeout in milliseconds for Socket API requests.\n // https://nodejs.org/api/http.html#httprequesturl-options-callback\n SOCKET_CLI_API_TIMEOUT: envAsNumber(env['SOCKET_CLI_API_TOKEN']),\n // Set the Socket API token.\n // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables\n SOCKET_CLI_API_TOKEN:\n envAsString(env['SOCKET_CLI_API_TOKEN']) ||\n // TODO: Remove legacy environment variable names.\n envAsString(env['SOCKET_CLI_API_KEY']) ||\n envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||\n envAsString(env['SOCKET_SECURITY_API_KEY']),\n // A JSON stringified Socket configuration object.\n SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),\n // The git config user.email used by Socket CLI.\n SOCKET_CLI_GIT_USER_EMAIL:\n envAsString(env['SOCKET_CLI_GIT_USER_EMAIL']) ||\n 'github-actions[bot]@users.noreply.github.com',\n // The git config user.name used by Socket CLI.\n SOCKET_CLI_GIT_USER_NAME:\n envAsString(env['SOCKET_CLI_GIT_USER_NAME']) ||\n envAsString(env['SOCKET_CLI_GIT_USERNAME']) ||\n 'github-actions[bot]',\n // Change the base URL for GitHub REST API calls.\n // https://docs.github.com/en/rest\n SOCKET_CLI_GITHUB_API_URL:\n envAsString(env['SOCKET_CLI_GITHUB_API_URL']) ||\n readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github\n ?.githubApiUrl ||\n 'https://api.github.com',\n // A classic GitHub personal access token with the \"repo\" scope or a\n // fine-grained access token with at least read/write permissions set for\n // \"Contents\" and \"Pull Request\".\n // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n SOCKET_CLI_GITHUB_TOKEN:\n envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) ||\n // TODO: Remove undocumented legacy environment variable name.\n envAsString(env['SOCKET_SECURITY_GITHUB_PAT']) ||\n GITHUB_TOKEN,\n // Make the default API token `undefined`.\n SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),\n // The absolute location of the npm directory.\n SOCKET_CLI_NPM_PATH: envAsString(env['SOCKET_CLI_NPM_PATH']),\n // Specify the Socket organization slug.\n SOCKET_CLI_ORG_SLUG:\n envAsString(env['SOCKET_CLI_ORG_SLUG']) ||\n // Coana CLI accepts the SOCKET_ORG_SLUG environment variable.\n envAsString(env['SOCKET_ORG_SLUG']),\n // View all risks of a Socket wrapped npm/npx run.\n SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),\n // Specifies the type of terminal or terminal emulator being used by the process.\n TERM: envAsString(env['TERM']),\n // The location of the base directory on Linux and MacOS used to store\n // user-specific data files, defaulting to $HOME/.local/share if not set or empty.\n XDG_DATA_HOME: envAsString(env['XDG_DATA_HOME']),\n })\n}\n\nconst lazyBashRcPath = () => path.join(constants.homePath, '.bashrc')\n\nconst lazyBinPath = () => path.join(constants.rootPath, 'bin')\n\nconst lazyBinCliPath = () => path.join(constants.binPath, 'cli.js')\n\nconst lazyBlessedContribPath = () =>\n path.join(constants.externalPath, 'blessed-contrib')\n\nconst lazyBlessedOptions = () =>\n Object.freeze({\n smartCSR: true,\n term: constants.WIN32 ? 'windows-ansi' : 'xterm',\n useBCE: true,\n })\n\nconst lazyBlessedPath = () => path.join(constants.externalPath, 'blessed')\n\nconst lazyDistCliPath = () => path.join(constants.distPath, 'cli.js')\n\nconst lazyDistPath = () => path.join(constants.rootPath, 'dist')\n\nconst lazyExternalPath = () => path.join(constants.rootPath, 'external')\n\nconst lazyGithubCachePath = () => path.join(constants.socketCachePath, 'github')\n\nconst lazyHomePath = () => os.homedir()\n\nconst lazyInstrumentWithSentryPath = () =>\n path.join(constants.distPath, 'instrument-with-sentry.js')\n\nconst lazyMinimumVersionByAgent = () =>\n new Map([\n // Bun >=1.1.39 supports the text-based lockfile.\n // https://bun.sh/blog/bun-lock-text-lockfile\n [BUN, '1.1.39'],\n // The npm version bundled with Node 18.\n // https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch\n [NPM, '10.8.2'],\n // 8.x is the earliest version to support Node 18.\n // https://pnpm.io/installation#compatibility\n // https://www.npmjs.com/package/pnpm?activeTab=versions\n [PNPM, '8.15.7'],\n // 4.x supports >= Node 18.12.0\n // https://github.com/yarnpkg/berry/blob/%40yarnpkg/core/4.1.0/CHANGELOG.md#400\n [YARN_BERRY, '4.0.0'],\n // Latest 1.x.\n // https://www.npmjs.com/package/yarn?activeTab=versions\n [YARN_CLASSIC, '1.22.22'],\n // vlt does not support overrides so we don't gate on it.\n [VLT, '*'],\n ])\n\nconst lazyNmBinPath = () => path.join(constants.rootPath, 'node_modules/.bin')\n\nconst lazyNodeDebugFlags = () =>\n constants.ENV.SOCKET_CLI_DEBUG ? ['--trace-uncaught', '--trace-warnings'] : []\n\n// Redefine registryConstants.nodeHardenFlags to account for the\n// INLINED_SOCKET_CLI_SENTRY_BUILD environment variable.\nconst lazyNodeHardenFlags = () =>\n Object.freeze(\n // Harden Node security.\n // https://nodejs.org/en/learn/getting-started/security-best-practices\n constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD || constants.WIN32\n ? [\n // https://nodejs.org/api/cli.html#--disallow-code-generation-from-strings\n // '--disallow-code-generation-from-strings'\n ]\n : [\n // '--disallow-code-generation-from-strings',\n // https://nodejs.org/api/cli.html#--disable-protomode\n // '--disable-proto',\n // 'throw',\n // https://nodejs.org/api/cli.html#--frozen-intrinsics\n // We have contributed the following patches to our dependencies to make\n // Node's --frozen-intrinsics workable.\n // √ https://github.com/SBoudrias/Inquirer.js/pull/1683\n // √ https://github.com/pnpm/components/pull/23\n // '--frozen-intrinsics',\n // https://nodejs.org/api/cli.html#--no-deprecation\n // '--no-deprecation',\n ],\n )\n\nconst lazyNodeMemoryFlags = () => {\n const flags = /*@__PURE__*/ require(\n path.join(constants.rootPath, 'dist/flags.js'),\n )\n const getMaxOldSpaceSizeFlag = flags.getMaxOldSpaceSizeFlag\n const getMaxSemiSpaceSizeFlag = flags.getMaxSemiSpaceSizeFlag\n return Object.freeze([\n `--max-old-space-size=${getMaxOldSpaceSizeFlag()}`,\n `--max-semi-space-size=${getMaxSemiSpaceSizeFlag()}`,\n ])\n}\n\nconst lazyNpmCachePath = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['config', 'get', 'cache'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmGlobalPrefix = () => {\n const spawnHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/spawn')\n const spawnSync = spawnHelpers.spawnSync\n return spawnSync(\n constants.npmExecPath,\n ['prefix', '-g'],\n getNpmStdioPipeOptions(),\n ).stdout\n}\n\nconst lazyNpmNmNodeGypPath = () =>\n path.join(\n constants.npmRealExecPath,\n '../../node_modules/node-gyp/bin/node-gyp.js',\n )\n\nconst lazyProcessEnv = () =>\n Object.setPrototypeOf(\n Object.fromEntries(\n Object.entries(constants.ENV).reduce(\n (entries, entry) => {\n const { 0: key, 1: value } = entry\n if (key.startsWith('INLINED_SOCKET_CLI_')) {\n return entries\n }\n if (typeof value === 'string') {\n if (value) {\n entries.push(entry as [string, string])\n }\n } else if (typeof value === 'boolean' && value) {\n entries.push([key, '1'])\n }\n return entries\n },\n [] as Array<[string, string]>,\n ),\n ),\n null,\n )\n\nconst lazyRootPath = () => path.join(realpathSync.native(__dirname), '..')\n\nconst lazyShadowBinPath = () => path.join(constants.rootPath, 'shadow-npm-bin')\n\nconst lazyShadowNpmBinPath = () =>\n path.join(constants.distPath, 'shadow-npm-bin.js')\n\nconst lazyShadowNpmInjectPath = () =>\n path.join(constants.distPath, 'shadow-npm-inject.js')\n\nconst lazySocketAppDataPath = (): string | undefined => {\n // Get the OS app data directory:\n // - Win: %LOCALAPPDATA% or fail?\n // - Mac: %XDG_DATA_HOME% or fallback to \"~/Library/Application Support/\"\n // - Linux: %XDG_DATA_HOME% or fallback to \"~/.local/share/\"\n // Note: LOCALAPPDATA is typically: C:\\Users\\USERNAME\\AppData\n // Note: XDG stands for \"X Desktop Group\", nowadays \"freedesktop.org\"\n // On most systems that path is: $HOME/.local/share\n // Then append `socket/settings`, so:\n // - Win: %LOCALAPPDATA%\\socket\\settings or return undefined\n // - Mac: %XDG_DATA_HOME%/socket/settings or \"~/Library/Application Support/socket/settings\"\n // - Linux: %XDG_DATA_HOME%/socket/settings or \"~/.local/share/socket/settings\"\n const { WIN32 } = constants\n let dataHome: string | undefined = WIN32\n ? constants.ENV.LOCALAPPDATA\n : constants.ENV.XDG_DATA_HOME\n if (!dataHome) {\n if (WIN32) {\n const logger = /*@__PURE__*/ require('@socketsecurity/registry/lib/logger')\n logger.warn(`Missing %${LOCALAPPDATA}%`)\n } else {\n dataHome = path.join(\n constants.homePath,\n constants.DARWIN ? 'Library/Application Support' : '.local/share',\n )\n }\n }\n return dataHome ? path.join(dataHome, 'socket/settings') : undefined\n}\n\nconst lazySocketCachePath = () => path.join(constants.rootPath, '.cache')\n\nconst lazySocketRegistryPath = () =>\n path.join(constants.externalPath, '@socketsecurity/registry')\n\nconst lazyZshRcPath = () => path.join(constants.homePath, '.zshrc')\n\nconst constants: Constants = createConstantsObject(\n {\n ...registryConstantsAttribs.props,\n ALERT_TYPE_CRITICAL_CVE,\n ALERT_TYPE_CVE,\n ALERT_TYPE_MEDIUM_CVE,\n ALERT_TYPE_MILD_CVE,\n API_V0_URL,\n BINARY_LOCK_EXT,\n BUN,\n DOT_SOCKET_DOT_FACTS_JSON,\n DRY_RUN_LABEL,\n DRY_RUN_BAILING_NOW,\n DRY_RUN_NOT_SAVING,\n ENV: undefined,\n LOCK_EXT,\n NPM_BUGGY_OVERRIDES_PATCHED_VERSION,\n NPM_REGISTRY_URL,\n PNPM,\n REDACTED,\n SOCKET_CLI_ACCEPT_RISKS,\n SOCKET_CLI_BIN_NAME,\n SOCKET_CLI_FIX,\n SOCKET_CLI_ISSUES_URL,\n SOCKET_CLI_OPTIMIZE,\n SOCKET_CLI_SHADOW_ACCEPT_RISKS,\n SOCKET_CLI_SHADOW_API_TOKEN,\n SOCKET_CLI_SHADOW_BIN,\n SOCKET_CLI_SHADOW_PROGRESS,\n SOCKET_CLI_SHADOW_SILENT,\n SOCKET_CLI_VIEW_ALL_RISKS,\n SOCKET_DEFAULT_BRANCH,\n SOCKET_DEFAULT_REPOSITORY,\n SOCKET_WEBSITE_URL,\n VLT,\n YARN,\n YARN_BERRY,\n YARN_CLASSIC,\n YARN_LOCK,\n bashRcPath: undefined,\n binPath: undefined,\n binCliPath: undefined,\n blessedContribPath: undefined,\n blessedOptions: undefined,\n blessedPath: undefined,\n coanaBinPath: undefined,\n coanaPath: undefined,\n distCliPath: undefined,\n distPath: undefined,\n externalPath: undefined,\n githubCachePath: undefined,\n homePath: undefined,\n instrumentWithSentryPath: undefined,\n minimumVersionByAgent: undefined,\n nmBinPath: undefined,\n nodeHardenFlags: undefined,\n nodeDebugFlags: undefined,\n nodeMemoryFlags: undefined,\n npmCachePath: undefined,\n npmGlobalPrefix: undefined,\n npmNmNodeGypPath: undefined,\n processEnv: undefined,\n rootPath: undefined,\n shadowBinPath: undefined,\n shadowNpmInjectPath: undefined,\n shadowNpmBinPath: undefined,\n socketAppDataPath: undefined,\n socketCachePath: undefined,\n socketRegistryPath: undefined,\n zshRcPath: undefined,\n },\n {\n getters: {\n ...registryConstantsAttribs.getters,\n ENV: LAZY_ENV,\n bashRcPath: lazyBashRcPath,\n binCliPath: lazyBinCliPath,\n binPath: lazyBinPath,\n blessedContribPath: lazyBlessedContribPath,\n blessedOptions: lazyBlessedOptions,\n blessedPath: lazyBlessedPath,\n distCliPath: lazyDistCliPath,\n distPath: lazyDistPath,\n externalPath: lazyExternalPath,\n githubCachePath: lazyGithubCachePath,\n homePath: lazyHomePath,\n instrumentWithSentryPath: lazyInstrumentWithSentryPath,\n minimumVersionByAgent: lazyMinimumVersionByAgent,\n nmBinPath: lazyNmBinPath,\n nodeDebugFlags: lazyNodeDebugFlags,\n nodeHardenFlags: lazyNodeHardenFlags,\n nodeMemoryFlags: lazyNodeMemoryFlags,\n npmCachePath: lazyNpmCachePath,\n npmGlobalPrefix: lazyNpmGlobalPrefix,\n npmNmNodeGypPath: lazyNpmNmNodeGypPath,\n processEnv: lazyProcessEnv,\n rootPath: lazyRootPath,\n shadowBinPath: lazyShadowBinPath,\n shadowNpmBinPath: lazyShadowNpmBinPath,\n shadowNpmInjectPath: lazyShadowNpmInjectPath,\n socketAppDataPath: lazySocketAppDataPath,\n socketCachePath: lazySocketCachePath,\n socketRegistryPath: lazySocketRegistryPath,\n zshRcPath: lazyZshRcPath,\n },\n internals: {\n ...registryConstantsAttribs.internals,\n getIpc,\n getSentry() {\n return _Sentry\n },\n setSentry(Sentry: Sentry): boolean {\n if (_Sentry === undefined) {\n _Sentry = Sentry\n return true\n }\n return false\n },\n },\n },\n) as Constants\n\nexport default constants\n"],"names":["attributes","getIpc","_npmStdioPipeOptions","cwd","env","__proto__","DISABLE_GITHUB_CACHE","GITHUB_BASE_REF","GITHUB_REF_NAME","GITHUB_REF_TYPE","GITHUB_REPOSITORY","LOCALAPPDATA","NODE_EXTRA_CA_CERTS","envAsString","PATH","SOCKET_CLI_ACCEPT_RISKS","SOCKET_CLI_API_BASE_URL","SOCKET_CLI_API_PROXY","SOCKET_CLI_API_TIMEOUT","SOCKET_CLI_API_TOKEN","SOCKET_CLI_CONFIG","SOCKET_CLI_GIT_USER_NAME","SOCKET_CLI_GITHUB_TOKEN","SOCKET_CLI_NO_API_TOKEN","SOCKET_CLI_NPM_PATH","SOCKET_CLI_ORG_SLUG","SOCKET_CLI_VIEW_ALL_RISKS","TERM","XDG_DATA_HOME","smartCSR","term","useBCE","constants","entries","WIN32","logger","dataHome","ENV","bashRcPath","binPath","binCliPath","blessedContribPath","blessedOptions","blessedPath","coanaBinPath","coanaPath","distCliPath","distPath","externalPath","githubCachePath","homePath","instrumentWithSentryPath","minimumVersionByAgent","nmBinPath","nodeHardenFlags","nodeDebugFlags","nodeMemoryFlags","npmCachePath","npmGlobalPrefix","npmNmNodeGypPath","processEnv","rootPath","shadowBinPath","shadowNpmInjectPath","shadowNpmBinPath","socketAppDataPath","socketCachePath","socketRegistryPath","zshRcPath","getters","internals","getSentry","_Sentry"],"mappings":";;;;;;;;;;AAYA;AACA;AACA;AACA;AACA;AACA;AAEA;;;AAGE;AACEA;;AAEAC;AACF;AACF;AA+JA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;;AAEIC;AACEC;;;AAGJ;AACA;AACF;AAEA;;AACUC;AAAI;AACZ;AACA;AAGA;AACA;AACA;AACA;AACA;;;AAKA;AACA;;AAEEC;AACA;;AAEA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;AACAC;AACA;AACA;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;AACAC;AACA;AACA;;AAGA;AACA;AACA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAEA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;;AAIA;AACA;AACA;AACAC;AACA;AACA;;AAIA;AACA;;AAOA;AACA;AACA;AACA;AACAC;AAEE;AACA;AACAC;AACF;AACA;AACA;AACAC;AACA;AACAC;AACA;AACA;AACAC;AAEE;AACAH;AAGF;AACA;AACAI;AAEE;AACAJ;AACA;AACA;AACAA;AAIF;AACA;AACAK;AACA;AACA;AACAC;AAEE;;AAIF;AACAC;AACA;;AAIA;AACAC;AAIA;AACA;;AAMA;AACA;AACA;AACA;AACAC;AAEE;AACAT;AAEF;AACAU;AACA;AACAC;AACA;AACAC;AAEE;AACAZ;AACF;AACAa;AACA;AACAC;AACA;AACA;AACAC;AACF;AACF;AAEA;AAEA;AAEA;AAEA;AAGA;AAEIC;AACAC;AACAC;AACF;AAEF;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAGA;AAEI;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGJ;AAEA;;AAGA;AACA;AACA;AAEI;AACA;AACAC;AAEM;AACA;AAAA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAIV;AACE;AAGA;AACA;AACA;AAIF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AACE;AACA;AACA;AAKF;AAEA;AAMA;;AAKkB;AAAQ;AAAS;AACzB;AACE;AACF;AACA;AACE;AACEC;AACF;;;AAGF;AACA;AACF;AAOR;AAEA;AAEA;AAGA;AAGA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACQC;AAAM;AACd;;AAIE;AACE;AACAC;AACF;AACEC;AAIF;AACF;;AAEF;AAEA;AAEA;AAGA;AAEA;;;;;;;;;;;;;AAcIC;;;;;;;;;;;;;;;;;;;;;;;;;AAyBAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEC;;AAEEhC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAG;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAE;AACAD;AACAE;AACAC;AACAC;AACAC;;AAEFE;;;AAGEC;AACE;;;;AAIEC;AACA;AACF;AACA;AACF;AACF;AACF;;","debugId":"3364307a-92fb-4837-b168-85d232de18c3"}
package/dist/flags.js CHANGED
@@ -5,7 +5,9 @@ var require$$0 = require('node:url');
5
5
  var vendor = require('./vendor.js');
6
6
  var constants = require('./constants.js');
7
7
 
8
- // TODO: Not sure if we're missing something but meow doesn't seem to expose this?
8
+ // Meow doesn't expose this.
9
+
10
+ // We use this description in getFlagListOutput, meow doesn't care.
9
11
 
10
12
  let _rawSpaceSizeFlags;
11
13
  function getRawSpaceSizeFlags() {
@@ -112,9 +114,6 @@ function getMaxSemiSpaceSizeFlag() {
112
114
  // Ensure export because dist/flags.js is required in src/constants.mts.
113
115
  // eslint-disable-next-line n/exports-style
114
116
  exports.getMaxSemiSpaceSizeFlag = getMaxSemiSpaceSizeFlag;
115
-
116
- // Note: we use this description in getFlagListOutput, meow doesn't care
117
-
118
117
  const commonFlags = {
119
118
  config: {
120
119
  type: 'string',
@@ -125,8 +124,8 @@ const commonFlags = {
125
124
  dryRun: {
126
125
  type: 'boolean',
127
126
  default: false,
127
+ // Only show in root command.
128
128
  hidden: true,
129
- // Only show in root command
130
129
  description: 'Do input validation for a command and exit 0 when input is ok'
131
130
  },
132
131
  help: {
@@ -178,5 +177,5 @@ const outputFlags = {
178
177
 
179
178
  exports.commonFlags = commonFlags;
180
179
  exports.outputFlags = outputFlags;
181
- //# debugId=955cafd2-ffd2-4d71-a752-444f60e84962
180
+ //# debugId=d418e48b-1ea9-45c8-aff7-990323504244
182
181
  //# sourceMappingURL=flags.js.map
package/dist/flags.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"flags.js","sources":["../src/flags.mts"],"sourcesContent":["import os from 'node:os'\nimport { pathToFileURL } from 'node:url'\n\nimport meow from 'meow'\nimport terminalLink from 'terminal-link'\n\nimport constants from './constants.mts'\n\nimport type { Flag } from 'meow'\n\n// TODO: Not sure if we're missing something but meow doesn't seem to expose this?\nexport type StringFlag = Flag<'string', string> | Flag<'string', string[], true>\nexport type BooleanFlag =\n | Flag<'boolean', boolean>\n | Flag<'boolean', boolean[], true>\nexport type NumberFlag = Flag<'number', number> | Flag<'number', number[], true>\nexport type AnyFlag = StringFlag | BooleanFlag | NumberFlag\n\ntype RawSpaceSizeFlags = {\n maxOldSpaceSize: number\n maxSemiSpaceSize: number\n}\n\nlet _rawSpaceSizeFlags: RawSpaceSizeFlags | undefined\nfunction getRawSpaceSizeFlags(): RawSpaceSizeFlags {\n if (_rawSpaceSizeFlags === undefined) {\n const cli = meow({\n argv: process.argv.slice(2),\n // Prevent meow from potentially exiting early.\n autoHelp: false,\n autoVersion: false,\n flags: {\n maxOldSpaceSize: {\n type: 'number',\n default: 0,\n },\n maxSemiSpaceSize: {\n type: 'number',\n default: 0,\n },\n },\n importMeta: { url: `${pathToFileURL(__filename)}` } as ImportMeta,\n })\n _rawSpaceSizeFlags = {\n maxOldSpaceSize: cli.flags['maxOldSpaceSize'],\n maxSemiSpaceSize: cli.flags['maxSemiSpaceSize'],\n }\n }\n return _rawSpaceSizeFlags\n}\n\nlet _maxOldSpaceSizeFlag: number | undefined\nexport function getMaxOldSpaceSizeFlag(): number {\n if (_maxOldSpaceSizeFlag === undefined) {\n _maxOldSpaceSizeFlag = getRawSpaceSizeFlags().maxOldSpaceSize\n if (!_maxOldSpaceSizeFlag) {\n const match = /(?<=--max-old-space-size=)\\d+/.exec(\n constants.ENV.NODE_OPTIONS,\n )?.[0]\n _maxOldSpaceSizeFlag = match ? Number(match) : 0\n }\n if (!_maxOldSpaceSizeFlag) {\n // Default value determined by available system memory.\n _maxOldSpaceSizeFlag = Math.floor(\n // Total system memory in MiB.\n (os.totalmem() / 1024 / 1024) *\n // Set 75% of total memory (safe buffer to avoid system pressure).\n 0.75,\n )\n }\n }\n return _maxOldSpaceSizeFlag\n}\n// Ensure export because dist/flags.js is required in src/constants.mts.\n// eslint-disable-next-line n/exports-style\nexports.getMaxOldSpaceSizeFlag = getMaxOldSpaceSizeFlag\n\nlet _maxSemiSpaceSizeFlag: number | undefined\nexport function getMaxSemiSpaceSizeFlag(): number {\n if (_maxSemiSpaceSizeFlag === undefined) {\n _maxSemiSpaceSizeFlag = getRawSpaceSizeFlags().maxSemiSpaceSize\n if (!_maxSemiSpaceSizeFlag) {\n const match = /(?<=--max-semi-space-size=)\\d+/.exec(\n constants.ENV.NODE_OPTIONS,\n )?.[0]\n _maxSemiSpaceSizeFlag = match ? Number(match) : 0\n }\n if (!_maxSemiSpaceSizeFlag) {\n const maxOldSpaceSize = getMaxOldSpaceSizeFlag()\n // Dynamically scale semi-space size based on max-old-space-size.\n // https://nodejs.org/api/cli.html#--max-semi-space-sizesize-in-mib\n if (maxOldSpaceSize <= 8192) {\n // Use tiered values for smaller heaps to avoid excessive young\n // generation size. This helps stay within safe memory limits on\n // constrained systems or CI.\n if (maxOldSpaceSize <= 512) {\n _maxSemiSpaceSizeFlag = 4\n } else if (maxOldSpaceSize <= 1024) {\n _maxSemiSpaceSizeFlag = 8\n } else if (maxOldSpaceSize <= 2048) {\n _maxSemiSpaceSizeFlag = 16\n } else if (maxOldSpaceSize <= 4096) {\n _maxSemiSpaceSizeFlag = 32\n } else {\n _maxSemiSpaceSizeFlag = 64\n }\n } else {\n // For large heaps (> 8 GiB), compute semi-space size using a log-scaled\n // function.\n //\n // The idea:\n // - log2(16384 MiB) = 14 → semi = 14 * 8 = 112\n // - log2(32768 MiB) = 15 → semi = 15 * 8 = 120\n // - Scales gradually as heap increases, avoiding overly large jumps\n //\n // Each 1 MiB of semi-space adds ~3 MiB to the total young generation\n // (V8 uses 3 spaces). So this keeps semi-space proportional, without\n // over committing.\n //\n // Also note: V8 won’t benefit much from >256 MiB semi-space unless\n // you’re allocating large short-lived objects very frequently\n // (e.g. large arrays, buffers).\n const log2OldSpace = Math.log2(maxOldSpaceSize)\n const scaledSemiSpace = Math.floor(log2OldSpace) * 8\n _maxSemiSpaceSizeFlag = scaledSemiSpace\n }\n }\n }\n return _maxSemiSpaceSizeFlag\n}\n// Ensure export because dist/flags.js is required in src/constants.mts.\n// eslint-disable-next-line n/exports-style\nexports.getMaxSemiSpaceSizeFlag = getMaxSemiSpaceSizeFlag\n\n// Note: we use this description in getFlagListOutput, meow doesn't care\nexport type MeowFlags = Record<\n string,\n AnyFlag & { description: string; hidden?: boolean }\n>\n\nexport const commonFlags: MeowFlags = {\n config: {\n type: 'string',\n default: '',\n hidden: true,\n description: 'Override the local config with this JSON',\n },\n dryRun: {\n type: 'boolean',\n default: false,\n hidden: true, // Only show in root command\n description:\n 'Do input validation for a command and exit 0 when input is ok',\n },\n help: {\n type: 'boolean',\n default: false,\n shortFlag: 'h',\n hidden: true,\n description: 'Print this help',\n },\n maxOldSpaceSize: {\n type: 'number',\n get default() {\n return getMaxOldSpaceSizeFlag()\n },\n hidden: true,\n description: `Set Node's V8 ${terminalLink('--max-old-space-size', 'https://nodejs.org/api/cli.html#--max-old-space-sizesize-in-mib')} option`,\n },\n maxSemiSpaceSize: {\n type: 'number',\n get default() {\n return getMaxSemiSpaceSizeFlag()\n },\n hidden: true,\n description: `Set Node's V8 ${terminalLink('--max-semi-space-size', 'https://nodejs.org/api/cli.html#--max-semi-space-sizesize-in-mib')} option`,\n },\n nobanner: {\n // I know this would be `--no-banner` but that doesn't work with cdxgen.\n // Mostly for internal usage anyways.\n type: 'boolean',\n default: false,\n hidden: true,\n description: 'Hide the Socket banner',\n },\n}\n\nexport const outputFlags: MeowFlags = {\n json: {\n type: 'boolean',\n shortFlag: 'j',\n default: false,\n description: 'Output result as json',\n },\n markdown: {\n type: 'boolean',\n shortFlag: 'm',\n default: false,\n description: 'Output result as markdown',\n },\n}\n\nexport const validationFlags: MeowFlags = {\n all: {\n type: 'boolean',\n default: false,\n description: 'Include all issues',\n },\n strict: {\n type: 'boolean',\n default: false,\n description: 'Exits with an error code if any matching issues are found',\n },\n}\n"],"names":["autoHelp","autoVersion","flags","maxOldSpaceSize","type","default","maxSemiSpaceSize","importMeta","url","_rawSpaceSizeFlags","_maxOldSpaceSizeFlag","os","exports","_maxSemiSpaceSizeFlag","config","hidden","description","dryRun","help","shortFlag","nobanner","json","markdown"],"mappings":";;;;;;;AAUA;;AAaA;AACA;;;;AAIM;AACAA;AACAC;AACAC;AACEC;AACEC;AACAC;;AAEFC;AACEF;AACAC;AACF;;AAEFE;AAAcC;AAAoC;AACpD;AACAC;AACEN;AACAG;;AAEJ;AACA;AACF;AAEA;AACO;;AAEHI;;AAEE;;AAIF;;AAEE;;AAEE;AACCC;AACC;AACA;AAEN;AACF;AACA;AACF;AACA;AACA;AACAC;AAEA;AACO;;AAEHC;;AAEE;;AAIF;;AAEE;AACA;AACA;;AAEE;AACA;AACA;;AAEEA;AACF;AACEA;AACF;AACEA;AACF;AACEA;AACF;AACEA;AACF;AACF;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEAA;AACF;AACF;AACF;AACA;AACF;AACA;AACA;AACAD;;AAEA;;AAMO;AACLE;AACEV;AACAC;AACAU;AACAC;;AAEFC;AACEb;AACAC;AACAU;AAAc;AACdC;;AAGFE;AACEd;AACAC;AACAc;AACAJ;AACAC;;AAEFb;AACEC;;;;AAIAW;AACAC;;AAEFV;AACEF;;;;AAIAW;AACAC;;AAEFI;AACE;AACA;AACAhB;AACAC;AACAU;AACAC;AACF;AACF;AAEO;AACLK;AACEjB;AACAe;AACAd;AACAW;;AAEFM;AACElB;AACAe;AACAd;AACAW;AACF;AACF;;;","debugId":"955cafd2-ffd2-4d71-a752-444f60e84962"}
1
+ {"version":3,"file":"flags.js","sources":["../src/flags.mts"],"sourcesContent":["import os from 'node:os'\nimport { pathToFileURL } from 'node:url'\n\nimport meow from 'meow'\nimport terminalLink from 'terminal-link'\n\nimport constants from './constants.mts'\n\nimport type { Flag } from 'meow'\n\n// Meow doesn't expose this.\nexport type AnyFlag = StringFlag | BooleanFlag | NumberFlag\n\nexport type BooleanFlag =\n | Flag<'boolean', boolean>\n | Flag<'boolean', boolean[], true>\n\nexport type NumberFlag = Flag<'number', number> | Flag<'number', number[], true>\n\nexport type StringFlag = Flag<'string', string> | Flag<'string', string[], true>\n\nexport type MeowFlag = AnyFlag & { description: string; hidden?: boolean }\n\n// We use this description in getFlagListOutput, meow doesn't care.\nexport type MeowFlags = Record<string, MeowFlag>\n\ntype RawSpaceSizeFlags = {\n maxOldSpaceSize: number\n maxSemiSpaceSize: number\n}\n\nlet _rawSpaceSizeFlags: RawSpaceSizeFlags | undefined\nfunction getRawSpaceSizeFlags(): RawSpaceSizeFlags {\n if (_rawSpaceSizeFlags === undefined) {\n const cli = meow({\n argv: process.argv.slice(2),\n // Prevent meow from potentially exiting early.\n autoHelp: false,\n autoVersion: false,\n flags: {\n maxOldSpaceSize: {\n type: 'number',\n default: 0,\n },\n maxSemiSpaceSize: {\n type: 'number',\n default: 0,\n },\n },\n importMeta: { url: `${pathToFileURL(__filename)}` } as ImportMeta,\n })\n _rawSpaceSizeFlags = {\n maxOldSpaceSize: cli.flags['maxOldSpaceSize'],\n maxSemiSpaceSize: cli.flags['maxSemiSpaceSize'],\n }\n }\n return _rawSpaceSizeFlags\n}\n\nlet _maxOldSpaceSizeFlag: number | undefined\nexport function getMaxOldSpaceSizeFlag(): number {\n if (_maxOldSpaceSizeFlag === undefined) {\n _maxOldSpaceSizeFlag = getRawSpaceSizeFlags().maxOldSpaceSize\n if (!_maxOldSpaceSizeFlag) {\n const match = /(?<=--max-old-space-size=)\\d+/.exec(\n constants.ENV.NODE_OPTIONS,\n )?.[0]\n _maxOldSpaceSizeFlag = match ? Number(match) : 0\n }\n if (!_maxOldSpaceSizeFlag) {\n // Default value determined by available system memory.\n _maxOldSpaceSizeFlag = Math.floor(\n // Total system memory in MiB.\n (os.totalmem() / 1024 / 1024) *\n // Set 75% of total memory (safe buffer to avoid system pressure).\n 0.75,\n )\n }\n }\n return _maxOldSpaceSizeFlag\n}\n// Ensure export because dist/flags.js is required in src/constants.mts.\n// eslint-disable-next-line n/exports-style\nexports.getMaxOldSpaceSizeFlag = getMaxOldSpaceSizeFlag\n\nlet _maxSemiSpaceSizeFlag: number | undefined\nexport function getMaxSemiSpaceSizeFlag(): number {\n if (_maxSemiSpaceSizeFlag === undefined) {\n _maxSemiSpaceSizeFlag = getRawSpaceSizeFlags().maxSemiSpaceSize\n if (!_maxSemiSpaceSizeFlag) {\n const match = /(?<=--max-semi-space-size=)\\d+/.exec(\n constants.ENV.NODE_OPTIONS,\n )?.[0]\n _maxSemiSpaceSizeFlag = match ? Number(match) : 0\n }\n if (!_maxSemiSpaceSizeFlag) {\n const maxOldSpaceSize = getMaxOldSpaceSizeFlag()\n // Dynamically scale semi-space size based on max-old-space-size.\n // https://nodejs.org/api/cli.html#--max-semi-space-sizesize-in-mib\n if (maxOldSpaceSize <= 8192) {\n // Use tiered values for smaller heaps to avoid excessive young\n // generation size. This helps stay within safe memory limits on\n // constrained systems or CI.\n if (maxOldSpaceSize <= 512) {\n _maxSemiSpaceSizeFlag = 4\n } else if (maxOldSpaceSize <= 1024) {\n _maxSemiSpaceSizeFlag = 8\n } else if (maxOldSpaceSize <= 2048) {\n _maxSemiSpaceSizeFlag = 16\n } else if (maxOldSpaceSize <= 4096) {\n _maxSemiSpaceSizeFlag = 32\n } else {\n _maxSemiSpaceSizeFlag = 64\n }\n } else {\n // For large heaps (> 8 GiB), compute semi-space size using a log-scaled\n // function.\n //\n // The idea:\n // - log2(16384 MiB) = 14 → semi = 14 * 8 = 112\n // - log2(32768 MiB) = 15 → semi = 15 * 8 = 120\n // - Scales gradually as heap increases, avoiding overly large jumps\n //\n // Each 1 MiB of semi-space adds ~3 MiB to the total young generation\n // (V8 uses 3 spaces). So this keeps semi-space proportional, without\n // over committing.\n //\n // Also note: V8 won’t benefit much from >256 MiB semi-space unless\n // you’re allocating large short-lived objects very frequently\n // (e.g. large arrays, buffers).\n const log2OldSpace = Math.log2(maxOldSpaceSize)\n const scaledSemiSpace = Math.floor(log2OldSpace) * 8\n _maxSemiSpaceSizeFlag = scaledSemiSpace\n }\n }\n }\n return _maxSemiSpaceSizeFlag\n}\n// Ensure export because dist/flags.js is required in src/constants.mts.\n// eslint-disable-next-line n/exports-style\nexports.getMaxSemiSpaceSizeFlag = getMaxSemiSpaceSizeFlag\n\nexport const commonFlags: MeowFlags = {\n config: {\n type: 'string',\n default: '',\n hidden: true,\n description: 'Override the local config with this JSON',\n },\n dryRun: {\n type: 'boolean',\n default: false,\n // Only show in root command.\n hidden: true,\n description:\n 'Do input validation for a command and exit 0 when input is ok',\n },\n help: {\n type: 'boolean',\n default: false,\n shortFlag: 'h',\n hidden: true,\n description: 'Print this help',\n },\n maxOldSpaceSize: {\n type: 'number',\n get default() {\n return getMaxOldSpaceSizeFlag()\n },\n hidden: true,\n description: `Set Node's V8 ${terminalLink('--max-old-space-size', 'https://nodejs.org/api/cli.html#--max-old-space-sizesize-in-mib')} option`,\n },\n maxSemiSpaceSize: {\n type: 'number',\n get default() {\n return getMaxSemiSpaceSizeFlag()\n },\n hidden: true,\n description: `Set Node's V8 ${terminalLink('--max-semi-space-size', 'https://nodejs.org/api/cli.html#--max-semi-space-sizesize-in-mib')} option`,\n },\n nobanner: {\n // I know this would be `--no-banner` but that doesn't work with cdxgen.\n // Mostly for internal usage anyways.\n type: 'boolean',\n default: false,\n hidden: true,\n description: 'Hide the Socket banner',\n },\n}\n\nexport const outputFlags: MeowFlags = {\n json: {\n type: 'boolean',\n shortFlag: 'j',\n default: false,\n description: 'Output result as json',\n },\n markdown: {\n type: 'boolean',\n shortFlag: 'm',\n default: false,\n description: 'Output result as markdown',\n },\n}\n\nexport const validationFlags: MeowFlags = {\n all: {\n type: 'boolean',\n default: false,\n description: 'Include all issues',\n },\n strict: {\n type: 'boolean',\n default: false,\n description: 'Exits with an error code if any matching issues are found',\n },\n}\n"],"names":["autoHelp","autoVersion","flags","maxOldSpaceSize","type","default","maxSemiSpaceSize","importMeta","url","_rawSpaceSizeFlags","_maxOldSpaceSizeFlag","os","exports","_maxSemiSpaceSizeFlag","config","hidden","description","dryRun","help","shortFlag","nobanner","json","markdown"],"mappings":";;;;;;;AAUA;;AAaA;;AAQA;AACA;;;;AAIM;AACAA;AACAC;AACAC;AACEC;AACEC;AACAC;;AAEFC;AACEF;AACAC;AACF;;AAEFE;AAAcC;AAAoC;AACpD;AACAC;AACEN;AACAG;;AAEJ;AACA;AACF;AAEA;AACO;;AAEHI;;AAEE;;AAIF;;AAEE;;AAEE;AACCC;AACC;AACA;AAEN;AACF;AACA;AACF;AACA;AACA;AACAC;AAEA;AACO;;AAEHC;;AAEE;;AAIF;;AAEE;AACA;AACA;;AAEE;AACA;AACA;;AAEEA;AACF;AACEA;AACF;AACEA;AACF;AACEA;AACF;AACEA;AACF;AACF;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEAA;AACF;AACF;AACF;AACA;AACF;AACA;AACA;AACAD;AAEO;AACLE;AACEV;AACAC;AACAU;AACAC;;AAEFC;AACEb;AACAC;AACA;AACAU;AACAC;;AAGFE;AACEd;AACAC;AACAc;AACAJ;AACAC;;AAEFb;AACEC;;;;AAIAW;AACAC;;AAEFV;AACEF;;;;AAIAW;AACAC;;AAEFI;AACE;AACA;AACAhB;AACAC;AACAU;AACAC;AACF;AACF;AAEO;AACLK;AACEjB;AACAe;AACAd;AACAW;;AAEFM;AACElB;AACAe;AACAd;AACAW;AACF;AACF;;;","debugId":"d418e48b-1ea9-45c8-aff7-990323504244"}
package/dist/shadow-npm-bin.js CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
4
4
  var npm = require('../external/@socketsecurity/registry/lib/npm');
5
- var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
5
+ var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
6
6
  var spawn = require('../external/@socketsecurity/registry/lib/spawn');
7
7
  var path = require('node:path');
8
8
  var vendor = require('./vendor.js');
@@ -43,7 +43,7 @@ async function shadowBin(binName, args = process.argv.slice(2), options, extra)
43
43
  __proto__: null,
44
44
  ...options
45
45
  };
46
- const cwd = require$$10.getOwn(spawnOpts, 'cwd') ?? process.cwd();
46
+ const cwd = require$$11.getOwn(spawnOpts, 'cwd') ?? process.cwd();
47
47
  const isShadowNpm = binName === 'npm';
48
48
  const terminatorPos = args.indexOf('--');
49
49
  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
@@ -68,7 +68,7 @@ async function shadowBin(binName, args = process.argv.slice(2), options, extra)
68
68
  cwd,
69
69
  onlyDirectories: true
70
70
  })) ? [] : ['--no-audit'];
71
- let stdio = require$$10.getOwn(spawnOpts, 'stdio');
71
+ let stdio = require$$11.getOwn(spawnOpts, 'stdio');
72
72
  if (typeof stdio === 'string') {
73
73
  stdio = [stdio, stdio, stdio, 'ipc'];
74
74
  } else if (Array.isArray(stdio)) {
@@ -107,5 +107,5 @@ async function shadowBin(binName, args = process.argv.slice(2), options, extra)
107
107
  }
108
108
 
109
109
  module.exports = shadowBin;
110
- //# debugId=fe0a3202-8243-4366-9da8-ec21d25cb3a7
110
+ //# debugId=3db6aa47-ab77-4ba0-8e8b-08bbbbf027ee
111
111
  //# sourceMappingURL=shadow-npm-bin.js.map
package/dist/shadow-npm-bin.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"shadow-npm-bin.js","sources":["../src/shadow/npm/link.mts","../src/shadow/npm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getNpmBinPath,\n getNpxBinPath,\n isNpmBinPathShadowed,\n isNpxBinPathShadowed,\n} from '../../utils/npm-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n binName: 'npm' | 'npx',\n): Promise<string> {\n const isNpx = binName === 'npx'\n // Find package manager being shadowed by this process.\n const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n const { WIN32 } = constants\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(shadowBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n return binPath\n}\n","import { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n isNpmAuditFlag,\n isNpmLoglevelFlag,\n isNpmNodeOptionsFlag,\n isNpmProgressFlag,\n} from '@socketsecurity/registry/lib/npm'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { findUp } from '../../utils/fs.mts'\nimport { getPublicApiToken } from '../../utils/sdk.mts'\n\nimport type { IPC } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowBinOptions = SpawnOptions & {\n ipc?: IPC | undefined\n}\n\nexport type ShadowBinResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nexport default async function shadowBin(\n binName: 'npm' | 'npx',\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowBinOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n const {\n env: spawnEnv,\n ipc,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowBinOptions\n const cwd = getOwn(spawnOpts, 'cwd') ?? process.cwd()\n const isShadowNpm = binName === 'npm'\n const terminatorPos = args.indexOf('--')\n const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const nodeOptionsArg = rawBinArgs.findLast(isNpmNodeOptionsFlag)\n const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n const permArgs =\n isShadowNpm && constants.SUPPORTS_NODE_PERMISSION_FLAG\n ? [\n '--permission',\n '--allow-child-process',\n // '--allow-addons',\n // '--allow-wasi',\n // Allow all reads because npm walks up directories looking for config\n // and package.json files.\n '--allow-fs-read=*',\n `--allow-fs-write=${cwd}/*`,\n `--allow-fs-write=${constants.npmGlobalPrefix}/*`,\n `--allow-fs-write=${constants.npmCachePath}/*`,\n ]\n : []\n\n const useAudit = rawBinArgs.includes('--audit')\n const useDebug = isDebug('stdio')\n const useNodeOptions = nodeOptionsArg || permArgs.length\n const binArgs = rawBinArgs.filter(\n a => !isNpmAuditFlag(a) && !isNpmProgressFlag(a),\n )\n const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n // The default value of loglevel is \"notice\". We default to \"error\" which is\n // two levels quieter.\n const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n const noAuditArgs =\n useAudit || !(await findUp('node_modules', { cwd, onlyDirectories: true }))\n ? []\n : ['--no-audit']\n\n let stdio = getOwn(spawnOpts, 'stdio')\n if (typeof stdio === 'string') {\n stdio = [stdio, stdio, stdio, 'ipc']\n } else if (Array.isArray(stdio)) {\n if (!stdio.includes('ipc')) {\n stdio = stdio.concat('ipc')\n }\n } else {\n stdio = ['pipe', 'pipe', 'pipe', 'ipc']\n }\n\n const realBinPath = await installLinks(constants.shadowBinPath, binName)\n\n const spawnPromise = spawn(\n constants.execPath,\n [\n ...constants.nodeNoWarningsFlags,\n ...constants.nodeDebugFlags,\n ...constants.nodeHardenFlags,\n ...constants.nodeMemoryFlags,\n ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n ? ['--require', constants.instrumentWithSentryPath]\n : []),\n '--require',\n constants.shadowNpmInjectPath,\n realBinPath,\n ...noAuditArgs,\n ...(useNodeOptions\n ? [\n `--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${cmdFlagsToString(permArgs)}'`,\n ]\n : []),\n '--no-fund',\n // Add '--no-progress' to fix input being swallowed by the npm spinner.\n '--no-progress',\n // Add '--loglevel=error' if a loglevel flag is not provided and the\n // SOCKET_CLI_DEBUG environment variable is not truthy.\n ...logLevelArgs,\n ...binArgs,\n ...otherArgs,\n ],\n {\n ...spawnOpts,\n env: {\n ...process.env,\n ...constants.processEnv,\n ...spawnEnv,\n },\n stdio,\n },\n extra,\n )\n\n spawnPromise.process.send({\n [constants.SOCKET_IPC_HANDSHAKE]: {\n [constants.SOCKET_CLI_SHADOW_API_TOKEN]: getPublicApiToken(),\n [constants.SOCKET_CLI_SHADOW_BIN]: binName,\n [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,\n ...ipc,\n },\n })\n\n return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","onlyDirectories","stdio","spawnPromise"],"mappings":";;;;;;;;;;;AAYO;AAIL;AACA;;;AAEQA;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;ACNe;;AAOXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;AACA;AACA;;AAEA;;AAMQ;AACA;AACA;AACA;AACA;AAOR;AACA;AACA;AACA;;AAIA;AACA;;;;AAGoDC;AAAsB;AAI1E;AACA;;;AAGE;AACEC;AACF;AACF;;AAEA;;AAIA;AAoBI;;AAEA;AACA;;AAMA;AACAH;;;;;AAKAG;;AAKJC;;AAEI;AACA;AACA;;AAEF;AACF;;AAESA;;AACX;;","debugId":"fe0a3202-8243-4366-9da8-ec21d25cb3a7"}
1
+ {"version":3,"file":"shadow-npm-bin.js","sources":["../src/shadow/npm/link.mts","../src/shadow/npm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getNpmBinPath,\n getNpxBinPath,\n isNpmBinPathShadowed,\n isNpxBinPathShadowed,\n} from '../../utils/npm-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n binName: 'npm' | 'npx',\n): Promise<string> {\n const isNpx = binName === 'npx'\n // Find package manager being shadowed by this process.\n const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n const { WIN32 } = constants\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(shadowBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n return binPath\n}\n","import { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n isNpmAuditFlag,\n isNpmLoglevelFlag,\n isNpmNodeOptionsFlag,\n isNpmProgressFlag,\n} from '@socketsecurity/registry/lib/npm'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { findUp } from '../../utils/fs.mts'\nimport { getPublicApiToken } from '../../utils/sdk.mts'\n\nimport type { IPC } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowBinOptions = SpawnOptions & {\n ipc?: IPC | undefined\n}\n\nexport type ShadowBinResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nexport default async function shadowBin(\n binName: 'npm' | 'npx',\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowBinOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n const {\n env: spawnEnv,\n ipc,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowBinOptions\n const cwd = getOwn(spawnOpts, 'cwd') ?? process.cwd()\n const isShadowNpm = binName === 'npm'\n const terminatorPos = args.indexOf('--')\n const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const nodeOptionsArg = rawBinArgs.findLast(isNpmNodeOptionsFlag)\n const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n const permArgs =\n isShadowNpm && constants.SUPPORTS_NODE_PERMISSION_FLAG\n ? [\n '--permission',\n '--allow-child-process',\n // '--allow-addons',\n // '--allow-wasi',\n // Allow all reads because npm walks up directories looking for config\n // and package.json files.\n '--allow-fs-read=*',\n `--allow-fs-write=${cwd}/*`,\n `--allow-fs-write=${constants.npmGlobalPrefix}/*`,\n `--allow-fs-write=${constants.npmCachePath}/*`,\n ]\n : []\n\n const useAudit = rawBinArgs.includes('--audit')\n const useDebug = isDebug('stdio')\n const useNodeOptions = nodeOptionsArg || permArgs.length\n const binArgs = rawBinArgs.filter(\n a => !isNpmAuditFlag(a) && !isNpmProgressFlag(a),\n )\n const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n // The default value of loglevel is \"notice\". We default to \"error\" which is\n // two levels quieter.\n const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n const noAuditArgs =\n useAudit || !(await findUp('node_modules', { cwd, onlyDirectories: true }))\n ? []\n : ['--no-audit']\n\n let stdio = getOwn(spawnOpts, 'stdio')\n if (typeof stdio === 'string') {\n stdio = [stdio, stdio, stdio, 'ipc']\n } else if (Array.isArray(stdio)) {\n if (!stdio.includes('ipc')) {\n stdio = stdio.concat('ipc')\n }\n } else {\n stdio = ['pipe', 'pipe', 'pipe', 'ipc']\n }\n\n const realBinPath = await installLinks(constants.shadowBinPath, binName)\n\n const spawnPromise = spawn(\n constants.execPath,\n [\n ...constants.nodeNoWarningsFlags,\n ...constants.nodeDebugFlags,\n ...constants.nodeHardenFlags,\n ...constants.nodeMemoryFlags,\n ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n ? ['--require', constants.instrumentWithSentryPath]\n : []),\n '--require',\n constants.shadowNpmInjectPath,\n realBinPath,\n ...noAuditArgs,\n ...(useNodeOptions\n ? [\n `--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${cmdFlagsToString(permArgs)}'`,\n ]\n : []),\n '--no-fund',\n // Add '--no-progress' to fix input being swallowed by the npm spinner.\n '--no-progress',\n // Add '--loglevel=error' if a loglevel flag is not provided and the\n // SOCKET_CLI_DEBUG environment variable is not truthy.\n ...logLevelArgs,\n ...binArgs,\n ...otherArgs,\n ],\n {\n ...spawnOpts,\n env: {\n ...process.env,\n ...constants.processEnv,\n ...spawnEnv,\n },\n stdio,\n },\n extra,\n )\n\n spawnPromise.process.send({\n [constants.SOCKET_IPC_HANDSHAKE]: {\n [constants.SOCKET_CLI_SHADOW_API_TOKEN]: getPublicApiToken(),\n [constants.SOCKET_CLI_SHADOW_BIN]: binName,\n [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,\n ...ipc,\n },\n })\n\n return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","onlyDirectories","stdio","spawnPromise"],"mappings":";;;;;;;;;;;AAYO;AAIL;AACA;;;AAEQA;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;ACNe;;AAOXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;AACA;AACA;;AAEA;;AAMQ;AACA;AACA;AACA;AACA;AAOR;AACA;AACA;AACA;;AAIA;AACA;;;;AAGoDC;AAAsB;AAI1E;AACA;;;AAGE;AACEC;AACF;AACF;;AAEA;;AAIA;AAoBI;;AAEA;AACA;;AAMA;AACAH;;;;;AAKAG;;AAKJC;;AAEI;AACA;AACA;;AAEF;AACF;;AAESA;;AACX;;","debugId":"3db6aa47-ab77-4ba0-8e8b-08bbbbf027ee"}
package/dist/shadow-npm-inject.js CHANGED
@@ -6,9 +6,9 @@ var path = require('node:path');
6
6
  var path$1 = require('../external/@socketsecurity/registry/lib/path');
7
7
  var constants = require('./constants.js');
8
8
  var utils = require('./utils.js');
9
- var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
10
9
  var logger = require('../external/@socketsecurity/registry/lib/logger');
11
- var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
10
+ var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
11
+ var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
12
12
 
13
13
  var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
14
14
  let _arboristPkgPath;
@@ -71,7 +71,7 @@ async function getAlertsMapFromArborist(arb, needInfoOn, options) {
71
71
  consolidate: false,
72
72
  nothrow: false,
73
73
  ...options,
74
- filter: utils.toFilterConfig(require$$10.getOwn(options, 'filter'))
74
+ filter: utils.toFilterConfig(require$$11.getOwn(options, 'filter'))
75
75
  };
76
76
  const purls = needInfoOn.map(d => utils.idToNpmPurl(d.node.pkgid));
77
77
  let overrides;
@@ -99,7 +99,7 @@ function getDetailsFromDiff(diff, options) {
99
99
  const filterConfig = utils.toFilterConfig({
100
100
  existing: false,
101
101
  unknownOrigin: true,
102
- ...require$$10.getOwn(options, 'filter')
102
+ ...require$$11.getOwn(options, 'filter')
103
103
  });
104
104
  const queue = [...diff.children];
105
105
  let pos = 0;
@@ -221,9 +221,6 @@ class SafeArborist extends Arborist {
221
221
  ...(args.length ? args[0] : undefined)
222
222
  };
223
223
  const ipc = await getIpc();
224
- require$$9.debugDir('inspect', {
225
- ipc
226
- });
227
224
  const binName = ipc[constants.SOCKET_CLI_SHADOW_BIN];
228
225
  if (!binName) {
229
226
  return await this[kRiskyReify](...args);
@@ -308,5 +305,5 @@ function installSafeArborist() {
308
305
  }
309
306
 
310
307
  installSafeArborist();
311
- //# debugId=44a0aaa3-4b99-476e-824c-10525f74b23d
308
+ //# debugId=cb5f5a9e-09b4-4668-be84-c67c918a6432
312
309
  //# sourceMappingURL=shadow-npm-inject.js.map
package/dist/shadow-npm-inject.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"shadow-npm-inject.js","sources":["../src/shadow/npm/paths.mts","../src/shadow/npm/arborist/types.mts","../src/shadow/npm/arborist-helpers.mts","../src/shadow/npm/arborist/lib/arborist/index.mts","../src/shadow/npm/arborist/index.mts","../src/shadow/npm/inject.mts"],"sourcesContent":["import path from 'node:path'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../../constants.mts'\nimport { getNpmRequire } from '../../utils/npm-paths.mts'\n\nlet _arboristPkgPath: string | undefined\nexport function getArboristPackagePath() {\n if (_arboristPkgPath === undefined) {\n const pkgName = '@npmcli/arborist'\n const mainPathWithForwardSlashes = normalizePath(\n getNpmRequire().resolve(pkgName),\n )\n const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n 0,\n mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length,\n )\n _arboristPkgPath = constants.WIN32\n ? path.normalize(arboristPkgPathWithForwardSlashes)\n : arboristPkgPathWithForwardSlashes\n }\n return _arboristPkgPath\n}\n\nlet _arboristClassPath: string | undefined\nexport function getArboristClassPath() {\n if (_arboristClassPath === undefined) {\n _arboristClassPath = path.join(\n getArboristPackagePath(),\n 'lib/arborist/index.js',\n )\n }\n return _arboristClassPath\n}\n\nlet _arboristDepValidPath: string | undefined\nexport function getArboristDepValidPath() {\n if (_arboristDepValidPath === undefined) {\n _arboristDepValidPath = path.join(\n getArboristPackagePath(),\n 'lib/dep-valid.js',\n )\n }\n return _arboristDepValidPath\n}\n\nlet _arboristEdgeClassPath: string | undefined\nexport function getArboristEdgeClassPath() {\n if (_arboristEdgeClassPath === undefined) {\n _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n }\n return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string | undefined\nexport function getArboristNodeClassPath() {\n if (_arboristNodeClassPath === undefined) {\n _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n }\n return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string | undefined\nexport function getArboristOverrideSetClassPath() {\n if (_arboristOverrideSetClassPath === undefined) {\n _arboristOverrideSetClassPath = path.join(\n getArboristPackagePath(),\n 'lib/override-set.js',\n )\n }\n return _arboristOverrideSetClassPath\n}\n","import { createEnum } from '../../../utils/objects.mts'\n\nimport type {\n Advisory as BaseAdvisory,\n Arborist as BaseArborist,\n Options as BaseArboristOptions,\n AuditReport as BaseAuditReport,\n Diff as BaseDiff,\n Edge as BaseEdge,\n Node as BaseNode,\n BaseOverrideSet,\n BuildIdealTreeOptions,\n ReifyOptions,\n} from '@npmcli/arborist'\n\nexport type ArboristOptions = BaseArboristOptions & {\n npmCommand?: string\n npmVersion?: string\n}\n\nexport type ArboristClass = ArboristInstance & {\n new (...args: any): ArboristInstance\n}\n\nexport type ArboristInstance = Omit<\n typeof BaseArborist,\n | 'actualTree'\n | 'auditReport'\n | 'buildIdealTree'\n | 'diff'\n | 'idealTree'\n | 'loadActual'\n | 'loadVirtual'\n | 'reify'\n> & {\n auditReport?: AuditReportInstance | null | undefined\n actualTree?: NodeClass | null | undefined\n diff: Diff | null\n idealTree?: NodeClass | null | undefined\n buildIdealTree(options?: BuildIdealTreeOptions): Promise<NodeClass>\n loadActual(options?: ArboristOptions): Promise<NodeClass>\n loadVirtual(options?: ArboristOptions): Promise<NodeClass>\n reify(options?: ArboristReifyOptions): Promise<NodeClass>\n}\n\nexport type ArboristReifyOptions = ReifyOptions & ArboristOptions\n\nexport type AuditAdvisory = Omit<BaseAdvisory, 'id'> & {\n id: number\n cwe: string[]\n cvss: {\n score: number\n vectorString: string\n }\n vulnerable_versions: string\n}\n\nexport type AuditReportInstance = Omit<BaseAuditReport, 'report'> & {\n report: { [dependency: string]: AuditAdvisory[] }\n}\n\nexport const DiffAction = createEnum({\n add: 'ADD',\n change: 'CHANGE',\n remove: 'REMOVE',\n})\n\nexport type Diff = Omit<\n BaseDiff,\n | 'actual'\n | 'children'\n | 'filterSet'\n | 'ideal'\n | 'leaves'\n | 'removed'\n | 'shrinkwrapInflated'\n | 'unchanged'\n> & {\n actual: NodeClass\n children: Diff[]\n filterSet: Set<NodeClass>\n ideal: NodeClass\n leaves: NodeClass[]\n parent: Diff | null\n removed: NodeClass[]\n shrinkwrapInflated: Set<NodeClass>\n unchanged: NodeClass[]\n}\n\nexport type EdgeClass = Omit<\n BaseEdge,\n | 'accept'\n | 'detach'\n | 'optional'\n | 'overrides'\n | 'peer'\n | 'peerConflicted'\n | 'rawSpec'\n | 'reload'\n | 'satisfiedBy'\n | 'spec'\n | 'to'\n> & {\n optional: boolean\n overrides: OverrideSetClass | undefined\n peer: boolean\n peerConflicted: boolean\n rawSpec: string\n get accept(): string | undefined\n get spec(): string\n get to(): NodeClass | null\n new (...args: any): EdgeClass\n detach(): void\n reload(hard?: boolean): void\n satisfiedBy(node: NodeClass): boolean\n}\n\nexport type LinkClass = Omit<NodeClass, 'isLink'> & {\n readonly isLink: true\n}\n\nexport type NodeClass = Omit<\n BaseNode,\n | 'addEdgeIn'\n | 'addEdgeOut'\n | 'canDedupe'\n | 'canReplace'\n | 'canReplaceWith'\n | 'children'\n | 'deleteEdgeIn'\n | 'edgesIn'\n | 'edgesOut'\n | 'from'\n | 'hasShrinkwrap'\n | 'inDepBundle'\n | 'inShrinkwrap'\n | 'integrity'\n | 'isTop'\n | 'matches'\n | 'meta'\n | 'name'\n | 'overrides'\n | 'packageName'\n | 'parent'\n | 'recalculateOutEdgesOverrides'\n | 'resolve'\n | 'resolveParent'\n | 'root'\n | 'target'\n | 'updateOverridesEdgeInAdded'\n | 'updateOverridesEdgeInRemoved'\n | 'version'\n | 'versions'\n> & {\n name: string\n version: string\n children: Map<string, NodeClass | LinkClass>\n edgesIn: Set<EdgeClass>\n edgesOut: Map<string, EdgeClass>\n from: NodeClass | null\n hasShrinkwrap: boolean\n inShrinkwrap: boolean | undefined\n integrity?: string | null\n isTop: boolean | undefined\n meta: BaseNode['meta'] & {\n addEdge(edge: EdgeClass): void\n }\n overrides: OverrideSetClass | undefined\n target: NodeClass\n versions: string[]\n get inDepBundle(): boolean\n get packageName(): string | null\n get parent(): NodeClass | null\n set parent(value: NodeClass | null)\n get resolveParent(): NodeClass | null\n get root(): NodeClass | null\n set root(value: NodeClass | null)\n new (...args: any): NodeClass\n addEdgeIn(edge: EdgeClass): void\n addEdgeOut(edge: EdgeClass): void\n canDedupe(preferDedupe?: boolean): boolean\n canReplace(node: NodeClass, ignorePeers?: string[]): boolean\n canReplaceWith(node: NodeClass, ignorePeers?: string[]): boolean\n deleteEdgeIn(edge: EdgeClass): void\n matches(node: NodeClass): boolean\n recalculateOutEdgesOverrides(): void\n resolve(name: string): NodeClass\n updateOverridesEdgeInAdded(\n otherOverrideSet: OverrideSetClass | undefined,\n ): boolean\n updateOverridesEdgeInRemoved(otherOverrideSet: OverrideSetClass): boolean\n}\n\nexport interface OverrideSetClass\n extends Omit<\n BaseOverrideSet,\n | 'ancestry'\n | 'children'\n | 'getEdgeRule'\n | 'getMatchingRule'\n | 'getNodeRule'\n | 'parent'\n | 'ruleset'\n > {\n children: Map<string, OverrideSetClass>\n key: string | undefined\n keySpec: string | undefined\n name: string | undefined\n parent: OverrideSetClass | undefined\n value: string | undefined\n version: string | undefined\n // eslint-disable-next-line @typescript-eslint/no-misused-new\n new (...args: any[]): OverrideSetClass\n get isRoot(): boolean\n get ruleset(): Map<string, OverrideSetClass>\n ancestry(): Generator<OverrideSetClass>\n childrenAreEqual(otherOverrideSet: OverrideSetClass | undefined): boolean\n getEdgeRule(edge: EdgeClass): OverrideSetClass\n getMatchingRule(node: NodeClass): OverrideSetClass | null\n getNodeRule(node: NodeClass): OverrideSetClass\n isEqual(otherOverrideSet: OverrideSetClass | undefined): boolean\n}\n","import semver from 'semver'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\nimport { getManifestData } from '@socketsecurity/registry'\nimport { debugFn } from '@socketsecurity/registry/lib/debug'\nimport { getOwn, hasOwn } from '@socketsecurity/registry/lib/objects'\nimport { fetchPackagePackument } from '@socketsecurity/registry/lib/packages'\n\nimport constants from '../../constants.mts'\nimport { Edge } from './arborist/index.mts'\nimport { DiffAction } from './arborist/types.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { toFilterConfig } from '../../utils/filter-config.mts'\nimport { npa } from '../../utils/npm-package-arg.mts'\nimport { applyRange, getMajor, getMinVersion } from '../../utils/semver.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type {\n ArboristInstance,\n Diff,\n EdgeClass,\n LinkClass,\n NodeClass,\n} from './arborist/types.mts'\nimport type { AliasResult } from '../../utils/npm-package-arg.mts'\nimport type { RangeStyle } from '../../utils/semver.mts'\nimport type {\n AlertFilter,\n AlertsByPurl,\n} from '../../utils/socket-package-alert.mts'\nimport type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nfunction getUrlOrigin(input: string): string {\n try {\n // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.\n // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base\n // return URL.parse(input)?.origin ?? ''\n return new URL(input).origin ?? ''\n } catch {}\n return ''\n}\n\nexport type BestPatchVersionOptions = {\n minSatisfying?: boolean | undefined\n vulnerableVersionRange?: string | undefined\n}\n\nexport function findBestPatchVersion(\n node: NodeClass,\n availableVersions: string[],\n options?: BestPatchVersionOptions | undefined,\n): string | null {\n const { minSatisfying = false, vulnerableVersionRange } = {\n __proto__: null,\n ...options,\n } as BestPatchVersionOptions\n const manifestData = getManifestData('npm', node.name)\n let eligibleVersions\n if (manifestData && manifestData.name === manifestData.package) {\n const major = getMajor(manifestData.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(v => getMajor(v) === major)\n } else {\n const major = getMajor(node.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(\n v =>\n // Filter for versions that are within the current major version and\n // are NOT in the vulnerable range.\n getMajor(v) === major &&\n (!vulnerableVersionRange ||\n !semver.satisfies(v, vulnerableVersionRange)),\n )\n }\n if (eligibleVersions) {\n const satisfying = minSatisfying\n ? semver.minSatisfying\n : semver.maxSatisfying\n return satisfying(eligibleVersions, '*')\n }\n return null\n}\n\nexport function findPackageNode(\n tree: NodeClass,\n name: string,\n version?: string | undefined,\n): NodeClass | undefined {\n const queue: Array<NodeClass | LinkClass> = [tree]\n const visited = new Set<NodeClass>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNode')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n return node\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return undefined\n}\n\nexport function findPackageNodes(\n tree: NodeClass,\n name: string,\n version?: string | undefined,\n): NodeClass[] {\n const matches: NodeClass[] = []\n const queue: Array<NodeClass | LinkClass> = [tree]\n const visited = new Set<NodeClass>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNodes')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n\n const { version: targetVersion } = node\n if (!targetVersion && Array.isArray(node.errors) && node.errors.length) {\n debugFn(\n 'notice',\n `miss: version for ${node.name} due to errors:\\n`,\n node.errors,\n )\n }\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n matches.push(node)\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return matches\n}\n\nexport type GetAlertsMapFromArboristOptions = {\n apiToken?: string | undefined\n consolidate?: boolean | undefined\n filter?: AlertFilter | undefined\n nothrow?: boolean | undefined\n spinner?: Spinner | undefined\n}\n\nexport async function getAlertsMapFromArborist(\n arb: ArboristInstance,\n needInfoOn: PackageDetail[],\n options?: GetAlertsMapFromArboristOptions | undefined,\n): Promise<AlertsByPurl> {\n const opts = {\n __proto__: null,\n consolidate: false,\n nothrow: false,\n ...options,\n filter: toFilterConfig(getOwn(options, 'filter')),\n } as GetAlertsMapFromArboristOptions & { filter: AlertFilter }\n\n const purls = needInfoOn.map(d => idToNpmPurl(d.node.pkgid))\n\n let overrides: { [key: string]: string } | undefined\n const overridesMap = (\n arb.actualTree ??\n arb.idealTree ??\n (await arb.loadActual())\n )?.overrides?.children\n if (overridesMap) {\n overrides = Object.fromEntries(\n Array.from(overridesMap.entries()).map(([key, overrideSet]) => {\n return [key, overrideSet.value!]\n }),\n )\n }\n\n return await getAlertsMapFromPurls(purls, {\n overrides,\n ...opts,\n })\n}\n\nexport type DiffQueryFilter = {\n existing?: boolean | undefined\n unknownOrigin?: boolean | undefined\n}\n\nexport type DiffQueryOptions = {\n filter?: DiffQueryFilter | undefined\n}\n\nexport type PackageDetail = {\n node: NodeClass\n existing?: NodeClass | undefined\n}\n\nexport function getDetailsFromDiff(\n diff: Diff | null,\n options?: DiffQueryOptions | undefined,\n): PackageDetail[] {\n const details: PackageDetail[] = []\n // `diff` is `null` when `npm install --package-lock-only` is passed.\n if (!diff) {\n debugFn('notice', `miss: diff is ${diff}`)\n return details\n }\n\n const { NPM_REGISTRY_URL } = constants\n\n const filterConfig = toFilterConfig({\n existing: false,\n unknownOrigin: true,\n ...getOwn(options, 'filter'),\n }) as DiffQueryFilter\n\n const queue: Diff[] = [...diff.children]\n let pos = 0\n let { length: queueLength } = queue\n while (pos < queueLength) {\n if (pos === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop while walking Arborist diff')\n }\n const currDiff = queue[pos++]!\n const { action } = currDiff\n if (action) {\n // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff\n // action is 'REMOVE'\n // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff\n // action is 'ADD'.\n const { actual: oldNode, ideal: pkgNode } = currDiff\n let existing: NodeClass | undefined\n let keep = false\n if (action === DiffAction.change) {\n if (pkgNode?.package.version !== oldNode?.package.version) {\n keep = true\n if (\n oldNode?.package.name &&\n oldNode.package.name === pkgNode?.package.name\n ) {\n existing = oldNode\n }\n }\n } else {\n keep = action !== DiffAction.remove\n }\n if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {\n if (\n filterConfig.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing,\n })\n }\n }\n }\n for (const child of currDiff.children) {\n queue[queueLength++] = child\n }\n }\n if (filterConfig.existing) {\n const { unchanged } = diff\n for (let i = 0, { length } = unchanged; i < length; i += 1) {\n const pkgNode = unchanged[i]!\n if (\n filterConfig.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing: pkgNode,\n })\n }\n }\n }\n return details\n}\n\nexport function getTargetNode(nodeOrLink: NodeClass | LinkClass): NodeClass\nexport function getTargetNode<T>(nodeOrLink: T): NodeClass | null\nexport function getTargetNode(nodeOrLink: any): NodeClass | null {\n return nodeOrLink?.isLink ? nodeOrLink.target : (nodeOrLink ?? null)\n}\n\nexport function isTopLevel(tree: NodeClass, node: NodeClass): boolean {\n return getTargetNode(tree.children.get(node.name)) === node\n}\n\nexport type Packument = Exclude<\n Awaited<ReturnType<typeof fetchPackagePackument>>,\n null\n>\n\nexport function updateNode(\n node: NodeClass,\n newVersion: string,\n newVersionPackument: Packument['versions'][number],\n): void {\n // Object.defineProperty is needed to set the version property and replace\n // the old value with newVersion.\n Object.defineProperty(node, 'version', {\n configurable: true,\n enumerable: true,\n get: () => newVersion,\n })\n // Update package.version associated with the node.\n node.package.version = newVersion\n // Update node.resolved.\n const purlObj = PackageURL.fromString(idToNpmPurl(node.name))\n node.resolved = `${constants.NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${newVersion}.tgz`\n // Update node.integrity with the targetPackument.dist.integrity value if available\n // else delete node.integrity so a new value is resolved for the target version.\n const { integrity } = newVersionPackument.dist\n if (integrity) {\n node.integrity = integrity\n } else {\n delete node.integrity\n }\n // Update node.package.deprecated based on targetPackument.deprecated.\n if (hasOwn(newVersionPackument, 'deprecated')) {\n node.package['deprecated'] = newVersionPackument.deprecated as string\n } else {\n delete node.package['deprecated']\n }\n // Update node.package.dependencies.\n const newDeps = { ...newVersionPackument.dependencies }\n const { dependencies: oldDeps } = node.package\n node.package.dependencies = newDeps\n if (oldDeps) {\n for (const oldDepName of Object.keys(oldDeps)) {\n if (!hasOwn(newDeps, oldDepName)) {\n // Detach old edges for dependencies that don't exist on the updated\n // node.package.dependencies.\n node.edgesOut.get(oldDepName)?.detach()\n }\n }\n }\n for (const newDepName of Object.keys(newDeps)) {\n if (!hasOwn(oldDeps, newDepName)) {\n // Add new edges for dependencies that don't exist on the old\n // node.package.dependencies.\n node.addEdgeOut(\n new Edge({\n from: node,\n name: newDepName,\n spec: newDeps[newDepName],\n type: 'prod',\n }) as unknown as EdgeClass,\n )\n }\n }\n}\n\nexport function updatePackageJsonFromNode(\n editablePkgJson: EditablePackageJson,\n tree: NodeClass,\n node: NodeClass,\n newVersion: string,\n rangeStyle?: RangeStyle | undefined,\n): boolean {\n let result = false\n if (!isTopLevel(tree, node)) {\n return result\n }\n const { name } = node\n for (const depField of [\n 'dependencies',\n 'optionalDependencies',\n 'peerDependencies',\n ]) {\n const depObject = editablePkgJson.content[depField] as\n | { [key: string]: string }\n | undefined\n const depValue = hasOwn(depObject, name) ? depObject[name] : undefined\n if (typeof depValue !== 'string' || depValue.startsWith('catalog:')) {\n continue\n }\n let oldRange = depValue\n // Use npa if depValue looks like more than just a semver range.\n if (depValue.includes(':')) {\n const npaResult = npa(depValue)\n if (!npaResult || (npaResult as AliasResult).subSpec) {\n continue\n }\n oldRange = npaResult.rawSpec\n }\n const oldMin = getMinVersion(oldRange)\n const newRange =\n oldMin &&\n // Ensure we're on the same major version...\n getMajor(newVersion) === oldMin.major &&\n // and not a downgrade.\n semver.gte(newVersion, oldMin.version)\n ? applyRange(oldRange, newVersion, rangeStyle)\n : oldRange\n if (oldRange !== newRange) {\n result = true\n editablePkgJson.update({\n [depField]: {\n ...depObject,\n [name]: newRange,\n },\n })\n }\n }\n return result\n}\n","// @ts-ignore\nimport UntypedArborist from '@npmcli/arborist/lib/arborist/index.js'\n\nimport { debugDir } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants from '../../../../../constants.mts'\nimport { findUp } from '../../../../../utils/fs.mts'\nimport { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'\nimport {\n getAlertsMapFromArborist,\n getDetailsFromDiff,\n} from '../../../arborist-helpers.mts'\n\nimport type {\n ArboristClass,\n ArboristReifyOptions,\n NodeClass,\n} from '../../types.mts'\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },\n} = constants\n\nexport const SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n __proto__: null,\n audit: false,\n dryRun: true,\n fund: false,\n ignoreScripts: true,\n progress: false,\n save: false,\n saveBundle: false,\n silent: true,\n}\n\nexport const SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n // @ts-ignore\n __proto__: null,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n dryRun: false,\n save: true,\n}\n\nexport const kCtorArgs = Symbol('ctorArgs')\n\nexport const kRiskyReify = Symbol('riskyReify')\n\nexport const Arborist: ArboristClass = UntypedArborist\n\n// Implementation code not related to our custom behavior is based on\n// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:\nexport class SafeArborist extends Arborist {\n constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {\n super(\n {\n path:\n (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n },\n ...ctorArgs.slice(1),\n )\n ;(this as any)[kCtorArgs] = ctorArgs\n }\n\n async [kRiskyReify](\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const ctorArgs = (this as any)[kCtorArgs]\n const arb = new Arborist(\n {\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n progress: false,\n },\n ...ctorArgs.slice(1),\n )\n const ret = await (arb.reify as (...args: any[]) => Promise<NodeClass>)(\n {\n ...(args.length ? args[0] : undefined),\n progress: false,\n },\n ...args.slice(1),\n )\n Object.assign(this, arb)\n return ret\n }\n\n // @ts-ignore Incorrectly typed.\n override async reify(\n this: SafeArborist,\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const options = {\n __proto__: null,\n ...(args.length ? args[0] : undefined),\n } as ArboristReifyOptions\n\n const ipc = await getIpc()\n debugDir('inspect', { ipc })\n\n const binName = ipc[constants.SOCKET_CLI_SHADOW_BIN]\n if (!binName) {\n return await this[kRiskyReify](...args)\n }\n\n await super.reify(\n {\n ...options,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n progress: false,\n },\n // @ts-ignore: TypeScript gets grumpy about rest parameters.\n ...args.slice(1),\n )\n\n const shadowAcceptRisks = !!ipc[constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]\n const shadowProgress = !!ipc[constants.SOCKET_CLI_SHADOW_PROGRESS]\n const shadowSilent = !!ipc[constants.SOCKET_CLI_SHADOW_SILENT]\n\n const acceptRisks =\n shadowAcceptRisks || constants.ENV.SOCKET_CLI_ACCEPT_RISKS\n const reportOnlyBlocking = acceptRisks || options.dryRun || options['yes']\n const silent = !!options['silent']\n const spinner = silent || !shadowProgress ? undefined : constants.spinner\n\n const isShadowNpx = binName === 'npx'\n const hasExisting = await findUp('node_modules', {\n cwd: process.cwd(),\n onlyDirectories: true,\n })\n const shouldCheckExisting = reportOnlyBlocking ? true : isShadowNpx\n\n const needInfoOn = getDetailsFromDiff(this.diff, {\n filter: {\n existing: shouldCheckExisting,\n },\n })\n\n const alertsMap = await getAlertsMapFromArborist(this, needInfoOn, {\n apiToken: ipc[constants.SOCKET_CLI_SHADOW_API_TOKEN],\n spinner,\n filter: reportOnlyBlocking\n ? {\n actions: ['error'],\n blocked: true,\n existing: shouldCheckExisting,\n }\n : {\n actions: ['error', 'monitor', 'warn'],\n existing: shouldCheckExisting,\n },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n throw new Error(\n `\n Socket ${binName} exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }\n `.trim(),\n )\n } else if (!silent && !shadowSilent) {\n logger.success(\n `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'}${hasExisting ? ' new' : ''} risks`,\n )\n if (isShadowNpx) {\n logger.log(`Running ${options.add![0]}`)\n }\n }\n\n return await this[kRiskyReify](...args)\n }\n}\n","import { createRequire } from 'node:module'\n\n// @ts-ignore\nimport UntypedEdge from '@npmcli/arborist/lib/edge.js'\n// @ts-ignore\nimport UntypedNode from '@npmcli/arborist/lib/node.js'\n// @ts-ignore\nimport UntypedOverrideSet from '@npmcli/arborist/lib/override-set.js'\n\nimport {\n getArboristClassPath,\n getArboristEdgeClassPath,\n getArboristNodeClassPath,\n getArboristOverrideSetClassPath,\n} from '../paths.mts'\nimport { Arborist, SafeArborist } from './lib/arborist/index.mts'\n\nimport type { EdgeClass, NodeClass, OverrideSetClass } from './types.mts'\n\nconst require = createRequire(import.meta.url)\n\nexport { Arborist, SafeArborist }\n\nexport const Edge: EdgeClass = UntypedEdge\n\nexport const Node: NodeClass = UntypedNode\n\nexport const OverrideSet: OverrideSetClass = UntypedOverrideSet\n\nexport function installSafeArborist() {\n // Override '@npmcli/arborist' module exports with patched variants based on\n // https://github.com/npm/cli/pull/8089.\n const cache: { [key: string]: any } = require.cache\n cache[getArboristClassPath()] = { exports: SafeArborist }\n cache[getArboristEdgeClassPath()] = { exports: Edge }\n cache[getArboristNodeClassPath()] = { exports: Node }\n cache[getArboristOverrideSetClassPath()] = { exports: OverrideSet }\n}\n","import { installSafeArborist } from './arborist/index.mts'\n\ninstallSafeArborist()\n"],"names":["_arboristPkgPath","add","change","remove","__proto__","consolidate","nothrow","debugFn","NPM_REGISTRY_URL","existing","unknownOrigin","length","action","actual","ideal","keep","node","queue","unchanged","getIpc","audit","dryRun","fund","ignoreScripts","progress","save","saveBundle","silent","path","Object","ipc","cwd","onlyDirectories","filter","apiToken","blocked","actions","hideAt","logger","cache","exports","installSafeArborist"],"mappings":";;;;;;;;;;;;;AAOA;AACO;;;AAGH;AAGA;AAIAA;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAaA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;ACXO;AACLC;AACAC;AACAC;AACF;;AChCA;;AAEI;AACA;AACA;;;AAGF;AACF;AA2IO;AAKL;AACEC;AACAC;AACAC;AACA;;;AAIF;AAEA;;AAMA;;AAGM;AACF;AAEJ;AAEA;;;AAGA;AACF;AAgBO;;AAKL;;AAEEC;AACA;AACF;;AAEQC;AAAiB;;AAGvBC;AACAC;AACA;AACF;AAEA;;;AAEMC;AAAoB;;AAExB;AACE;AACF;AACA;;AACQC;AAAO;AACf;AACE;AACA;AACA;AACA;;AACQC;AAAiBC;AAAe;AACxC;;AAEA;;AAEIC;AACA;AAIEN;AACF;AACF;AACF;AACEM;AACF;AACA;AACE;;AAKIC;AACAP;AACF;AACF;AACF;AACF;AACA;AACEQ;AACF;AACF;;;AAEUC;AAAU;AAClB;AAAkBP;;AAChB;AACA;;AAKIK;AACAP;AACF;AACF;AACF;AACF;AACA;AACF;;ACtTA;AAoBA;;AAEE;AAA+DU;AAAO;AACxE;AAEO;AACLf;AACAgB;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAUO;AAEA;AAEA;;AAEP;AACA;AACO;;AAEH;AAEIC;;;;AAOF;AACJ;AAEA;AAGE;AACA;;AAGIJ;;AAIJ;;AAGIA;;AAIJK;AACA;AACF;;AAEA;AACA;AAIE;AACEzB;;;AAIF;;AACsB0B;AAAI;AAE1B;;;AAGA;;AAII;AACA;AACAN;;AAEF;AACA;;;;;;AAUF;;AAGA;AACA;AACEO;AACAC;AACF;AACA;AAEA;AACEC;AACExB;AACF;AACF;;AAGEyB;;;;AAKMC;AACA1B;AACF;AAEE2B;AACA3B;AACF;AACN;;;AAIE;;AAEE4B;;AAEF;;AAGN;AAQA;AAGI;AACEC;AAGA;;AAEA;AACF;;AAGF;AACF;;ACvKA;AAIO;AAEA;AAEA;AAEA;AACL;AACA;AACA;AACAC;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACnCAC","debugId":"44a0aaa3-4b99-476e-824c-10525f74b23d"}
1
+ {"version":3,"file":"shadow-npm-inject.js","sources":["../src/shadow/npm/paths.mts","../src/shadow/npm/arborist/types.mts","../src/shadow/npm/arborist-helpers.mts","../src/shadow/npm/arborist/lib/arborist/index.mts","../src/shadow/npm/arborist/index.mts","../src/shadow/npm/inject.mts"],"sourcesContent":["import path from 'node:path'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../../constants.mts'\nimport { getNpmRequire } from '../../utils/npm-paths.mts'\n\nlet _arboristPkgPath: string | undefined\nexport function getArboristPackagePath() {\n if (_arboristPkgPath === undefined) {\n const pkgName = '@npmcli/arborist'\n const mainPathWithForwardSlashes = normalizePath(\n getNpmRequire().resolve(pkgName),\n )\n const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n 0,\n mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length,\n )\n _arboristPkgPath = constants.WIN32\n ? path.normalize(arboristPkgPathWithForwardSlashes)\n : arboristPkgPathWithForwardSlashes\n }\n return _arboristPkgPath\n}\n\nlet _arboristClassPath: string | undefined\nexport function getArboristClassPath() {\n if (_arboristClassPath === undefined) {\n _arboristClassPath = path.join(\n getArboristPackagePath(),\n 'lib/arborist/index.js',\n )\n }\n return _arboristClassPath\n}\n\nlet _arboristEdgeClassPath: string | undefined\nexport function getArboristEdgeClassPath() {\n if (_arboristEdgeClassPath === undefined) {\n _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n }\n return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string | undefined\nexport function getArboristNodeClassPath() {\n if (_arboristNodeClassPath === undefined) {\n _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n }\n return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string | undefined\nexport function getArboristOverrideSetClassPath() {\n if (_arboristOverrideSetClassPath === undefined) {\n _arboristOverrideSetClassPath = path.join(\n getArboristPackagePath(),\n 'lib/override-set.js',\n )\n }\n return _arboristOverrideSetClassPath\n}\n","import { createEnum } from '../../../utils/objects.mts'\n\nimport type {\n Advisory as BaseAdvisory,\n Arborist as BaseArborist,\n Options as BaseArboristOptions,\n AuditReport as BaseAuditReport,\n Diff as BaseDiff,\n Edge as BaseEdge,\n Node as BaseNode,\n BaseOverrideSet,\n BuildIdealTreeOptions,\n ReifyOptions,\n} from '@npmcli/arborist'\n\nexport type ArboristOptions = BaseArboristOptions & {\n npmCommand?: string\n npmVersion?: string\n}\n\nexport type ArboristClass = ArboristInstance & {\n new (...args: any): ArboristInstance\n}\n\nexport type ArboristInstance = Omit<\n typeof BaseArborist,\n | 'actualTree'\n | 'auditReport'\n | 'buildIdealTree'\n | 'diff'\n | 'idealTree'\n | 'loadActual'\n | 'loadVirtual'\n | 'reify'\n> & {\n auditReport?: AuditReportInstance | null | undefined\n actualTree?: NodeClass | null | undefined\n diff: Diff | null\n idealTree?: NodeClass | null | undefined\n buildIdealTree(options?: BuildIdealTreeOptions): Promise<NodeClass>\n loadActual(options?: ArboristOptions): Promise<NodeClass>\n loadVirtual(options?: ArboristOptions): Promise<NodeClass>\n reify(options?: ArboristReifyOptions): Promise<NodeClass>\n}\n\nexport type ArboristReifyOptions = ReifyOptions & ArboristOptions\n\nexport type AuditAdvisory = Omit<BaseAdvisory, 'id'> & {\n id: number\n cwe: string[]\n cvss: {\n score: number\n vectorString: string\n }\n vulnerable_versions: string\n}\n\nexport type AuditReportInstance = Omit<BaseAuditReport, 'report'> & {\n report: { [dependency: string]: AuditAdvisory[] }\n}\n\nexport const DiffAction = createEnum({\n add: 'ADD',\n change: 'CHANGE',\n remove: 'REMOVE',\n})\n\nexport type Diff = Omit<\n BaseDiff,\n | 'actual'\n | 'children'\n | 'filterSet'\n | 'ideal'\n | 'leaves'\n | 'removed'\n | 'shrinkwrapInflated'\n | 'unchanged'\n> & {\n actual: NodeClass\n children: Diff[]\n filterSet: Set<NodeClass>\n ideal: NodeClass\n leaves: NodeClass[]\n parent: Diff | null\n removed: NodeClass[]\n shrinkwrapInflated: Set<NodeClass>\n unchanged: NodeClass[]\n}\n\nexport type EdgeClass = Omit<\n BaseEdge,\n | 'accept'\n | 'detach'\n | 'optional'\n | 'overrides'\n | 'peer'\n | 'peerConflicted'\n | 'rawSpec'\n | 'reload'\n | 'satisfiedBy'\n | 'spec'\n | 'to'\n> & {\n optional: boolean\n overrides: OverrideSetClass | undefined\n peer: boolean\n peerConflicted: boolean\n rawSpec: string\n get accept(): string | undefined\n get spec(): string\n get to(): NodeClass | null\n new (...args: any): EdgeClass\n detach(): void\n reload(hard?: boolean): void\n satisfiedBy(node: NodeClass): boolean\n}\n\nexport type LinkClass = Omit<NodeClass, 'isLink'> & {\n readonly isLink: true\n}\n\nexport type NodeClass = Omit<\n BaseNode,\n | 'addEdgeIn'\n | 'addEdgeOut'\n | 'canDedupe'\n | 'canReplace'\n | 'canReplaceWith'\n | 'children'\n | 'deleteEdgeIn'\n | 'edgesIn'\n | 'edgesOut'\n | 'from'\n | 'hasShrinkwrap'\n | 'inDepBundle'\n | 'inShrinkwrap'\n | 'integrity'\n | 'isTop'\n | 'matches'\n | 'meta'\n | 'name'\n | 'overrides'\n | 'packageName'\n | 'parent'\n | 'recalculateOutEdgesOverrides'\n | 'resolve'\n | 'resolveParent'\n | 'root'\n | 'target'\n | 'updateOverridesEdgeInAdded'\n | 'updateOverridesEdgeInRemoved'\n | 'version'\n | 'versions'\n> & {\n name: string\n version: string\n children: Map<string, NodeClass | LinkClass>\n edgesIn: Set<EdgeClass>\n edgesOut: Map<string, EdgeClass>\n from: NodeClass | null\n hasShrinkwrap: boolean\n inShrinkwrap: boolean | undefined\n integrity?: string | null\n isTop: boolean | undefined\n meta: BaseNode['meta'] & {\n addEdge(edge: EdgeClass): void\n }\n overrides: OverrideSetClass | undefined\n target: NodeClass\n versions: string[]\n get inDepBundle(): boolean\n get packageName(): string | null\n get parent(): NodeClass | null\n set parent(value: NodeClass | null)\n get resolveParent(): NodeClass | null\n get root(): NodeClass | null\n set root(value: NodeClass | null)\n new (...args: any): NodeClass\n addEdgeIn(edge: EdgeClass): void\n addEdgeOut(edge: EdgeClass): void\n canDedupe(preferDedupe?: boolean): boolean\n canReplace(node: NodeClass, ignorePeers?: string[]): boolean\n canReplaceWith(node: NodeClass, ignorePeers?: string[]): boolean\n deleteEdgeIn(edge: EdgeClass): void\n matches(node: NodeClass): boolean\n recalculateOutEdgesOverrides(): void\n resolve(name: string): NodeClass\n updateOverridesEdgeInAdded(\n otherOverrideSet: OverrideSetClass | undefined,\n ): boolean\n updateOverridesEdgeInRemoved(otherOverrideSet: OverrideSetClass): boolean\n}\n\nexport interface OverrideSetClass\n extends Omit<\n BaseOverrideSet,\n | 'ancestry'\n | 'children'\n | 'getEdgeRule'\n | 'getMatchingRule'\n | 'getNodeRule'\n | 'parent'\n | 'ruleset'\n > {\n children: Map<string, OverrideSetClass>\n key: string | undefined\n keySpec: string | undefined\n name: string | undefined\n parent: OverrideSetClass | undefined\n value: string | undefined\n version: string | undefined\n // eslint-disable-next-line @typescript-eslint/no-misused-new\n new (...args: any[]): OverrideSetClass\n get isRoot(): boolean\n get ruleset(): Map<string, OverrideSetClass>\n ancestry(): Generator<OverrideSetClass>\n childrenAreEqual(otherOverrideSet: OverrideSetClass | undefined): boolean\n getEdgeRule(edge: EdgeClass): OverrideSetClass\n getMatchingRule(node: NodeClass): OverrideSetClass | null\n getNodeRule(node: NodeClass): OverrideSetClass\n isEqual(otherOverrideSet: OverrideSetClass | undefined): boolean\n}\n","import semver from 'semver'\n\nimport { PackageURL } from '@socketregistry/packageurl-js'\nimport { getManifestData } from '@socketsecurity/registry'\nimport { debugFn } from '@socketsecurity/registry/lib/debug'\nimport { getOwn, hasOwn } from '@socketsecurity/registry/lib/objects'\nimport { fetchPackagePackument } from '@socketsecurity/registry/lib/packages'\n\nimport constants from '../../constants.mts'\nimport { Edge } from './arborist/index.mts'\nimport { DiffAction } from './arborist/types.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { toFilterConfig } from '../../utils/filter-config.mts'\nimport { npa } from '../../utils/npm-package-arg.mts'\nimport { applyRange, getMajor, getMinVersion } from '../../utils/semver.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type {\n ArboristInstance,\n Diff,\n EdgeClass,\n LinkClass,\n NodeClass,\n} from './arborist/types.mts'\nimport type { AliasResult } from '../../utils/npm-package-arg.mts'\nimport type { RangeStyle } from '../../utils/semver.mts'\nimport type {\n AlertFilter,\n AlertsByPurl,\n} from '../../utils/socket-package-alert.mts'\nimport type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nfunction getUrlOrigin(input: string): string {\n try {\n // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.\n // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base\n // return URL.parse(input)?.origin ?? ''\n return new URL(input).origin ?? ''\n } catch {}\n return ''\n}\n\nexport type BestPatchVersionOptions = {\n minSatisfying?: boolean | undefined\n vulnerableVersionRange?: string | undefined\n}\n\nexport function findBestPatchVersion(\n node: NodeClass,\n availableVersions: string[],\n options?: BestPatchVersionOptions | undefined,\n): string | null {\n const { minSatisfying = false, vulnerableVersionRange } = {\n __proto__: null,\n ...options,\n } as BestPatchVersionOptions\n const manifestData = getManifestData('npm', node.name)\n let eligibleVersions\n if (manifestData && manifestData.name === manifestData.package) {\n const major = getMajor(manifestData.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(v => getMajor(v) === major)\n } else {\n const major = getMajor(node.version)\n if (typeof major !== 'number') {\n return null\n }\n eligibleVersions = availableVersions.filter(\n v =>\n // Filter for versions that are within the current major version and\n // are NOT in the vulnerable range.\n getMajor(v) === major &&\n (!vulnerableVersionRange ||\n !semver.satisfies(v, vulnerableVersionRange)),\n )\n }\n if (eligibleVersions) {\n const satisfying = minSatisfying\n ? semver.minSatisfying\n : semver.maxSatisfying\n return satisfying(eligibleVersions, '*')\n }\n return null\n}\n\nexport function findPackageNode(\n tree: NodeClass,\n name: string,\n version?: string | undefined,\n): NodeClass | undefined {\n const queue: Array<NodeClass | LinkClass> = [tree]\n const visited = new Set<NodeClass>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNode')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n return node\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return undefined\n}\n\nexport function findPackageNodes(\n tree: NodeClass,\n name: string,\n version?: string | undefined,\n): NodeClass[] {\n const matches: NodeClass[] = []\n const queue: Array<NodeClass | LinkClass> = [tree]\n const visited = new Set<NodeClass>()\n let sentinel = 0\n while (queue.length) {\n if (sentinel++ === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop in findPackageNodes')\n }\n const nodeOrLink = queue.pop()!\n const node = getTargetNode(nodeOrLink)\n if (visited.has(node)) {\n continue\n }\n visited.add(node)\n\n const { version: targetVersion } = node\n if (!targetVersion && Array.isArray(node.errors) && node.errors.length) {\n debugFn(\n 'notice',\n `miss: version for ${node.name} due to errors:\\n`,\n node.errors,\n )\n }\n if (\n node.name === name &&\n (typeof version !== 'string' || node.version === version)\n ) {\n matches.push(node)\n }\n for (const child of node.children.values()) {\n queue.push(child)\n }\n for (const edge of node.edgesOut.values()) {\n const { to } = edge\n if (to) {\n queue.push(to)\n }\n }\n }\n return matches\n}\n\nexport type GetAlertsMapFromArboristOptions = {\n apiToken?: string | undefined\n consolidate?: boolean | undefined\n filter?: AlertFilter | undefined\n nothrow?: boolean | undefined\n spinner?: Spinner | undefined\n}\n\nexport async function getAlertsMapFromArborist(\n arb: ArboristInstance,\n needInfoOn: PackageDetail[],\n options?: GetAlertsMapFromArboristOptions | undefined,\n): Promise<AlertsByPurl> {\n const opts = {\n __proto__: null,\n consolidate: false,\n nothrow: false,\n ...options,\n filter: toFilterConfig(getOwn(options, 'filter')),\n } as GetAlertsMapFromArboristOptions & { filter: AlertFilter }\n\n const purls = needInfoOn.map(d => idToNpmPurl(d.node.pkgid))\n\n let overrides: { [key: string]: string } | undefined\n const overridesMap = (\n arb.actualTree ??\n arb.idealTree ??\n (await arb.loadActual())\n )?.overrides?.children\n if (overridesMap) {\n overrides = Object.fromEntries(\n Array.from(overridesMap.entries()).map(([key, overrideSet]) => {\n return [key, overrideSet.value!]\n }),\n )\n }\n\n return await getAlertsMapFromPurls(purls, {\n overrides,\n ...opts,\n })\n}\n\nexport type DiffQueryFilter = {\n existing?: boolean | undefined\n unknownOrigin?: boolean | undefined\n}\n\nexport type DiffQueryOptions = {\n filter?: DiffQueryFilter | undefined\n}\n\nexport type PackageDetail = {\n node: NodeClass\n existing?: NodeClass | undefined\n}\n\nexport function getDetailsFromDiff(\n diff: Diff | null,\n options?: DiffQueryOptions | undefined,\n): PackageDetail[] {\n const details: PackageDetail[] = []\n // `diff` is `null` when `npm install --package-lock-only` is passed.\n if (!diff) {\n debugFn('notice', `miss: diff is ${diff}`)\n return details\n }\n\n const { NPM_REGISTRY_URL } = constants\n\n const filterConfig = toFilterConfig({\n existing: false,\n unknownOrigin: true,\n ...getOwn(options, 'filter'),\n }) as DiffQueryFilter\n\n const queue: Diff[] = [...diff.children]\n let pos = 0\n let { length: queueLength } = queue\n while (pos < queueLength) {\n if (pos === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop while walking Arborist diff')\n }\n const currDiff = queue[pos++]!\n const { action } = currDiff\n if (action) {\n // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff\n // action is 'REMOVE'\n // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff\n // action is 'ADD'.\n const { actual: oldNode, ideal: pkgNode } = currDiff\n let existing: NodeClass | undefined\n let keep = false\n if (action === DiffAction.change) {\n if (pkgNode?.package.version !== oldNode?.package.version) {\n keep = true\n if (\n oldNode?.package.name &&\n oldNode.package.name === pkgNode?.package.name\n ) {\n existing = oldNode\n }\n }\n } else {\n keep = action !== DiffAction.remove\n }\n if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {\n if (\n filterConfig.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing,\n })\n }\n }\n }\n for (const child of currDiff.children) {\n queue[queueLength++] = child\n }\n }\n if (filterConfig.existing) {\n const { unchanged } = diff\n for (let i = 0, { length } = unchanged; i < length; i += 1) {\n const pkgNode = unchanged[i]!\n if (\n filterConfig.unknownOrigin ||\n getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing: pkgNode,\n })\n }\n }\n }\n return details\n}\n\nexport function getTargetNode(nodeOrLink: NodeClass | LinkClass): NodeClass\nexport function getTargetNode<T>(nodeOrLink: T): NodeClass | null\nexport function getTargetNode(nodeOrLink: any): NodeClass | null {\n return nodeOrLink?.isLink ? nodeOrLink.target : (nodeOrLink ?? null)\n}\n\nexport function isTopLevel(tree: NodeClass, node: NodeClass): boolean {\n return getTargetNode(tree.children.get(node.name)) === node\n}\n\nexport type Packument = Exclude<\n Awaited<ReturnType<typeof fetchPackagePackument>>,\n null\n>\n\nexport function updateNode(\n node: NodeClass,\n newVersion: string,\n newVersionPackument: Packument['versions'][number],\n): void {\n // Object.defineProperty is needed to set the version property and replace\n // the old value with newVersion.\n Object.defineProperty(node, 'version', {\n configurable: true,\n enumerable: true,\n get: () => newVersion,\n })\n // Update package.version associated with the node.\n node.package.version = newVersion\n // Update node.resolved.\n const purlObj = PackageURL.fromString(idToNpmPurl(node.name))\n node.resolved = `${constants.NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${newVersion}.tgz`\n // Update node.integrity with the targetPackument.dist.integrity value if available\n // else delete node.integrity so a new value is resolved for the target version.\n const { integrity } = newVersionPackument.dist\n if (integrity) {\n node.integrity = integrity\n } else {\n delete node.integrity\n }\n // Update node.package.deprecated based on targetPackument.deprecated.\n if (hasOwn(newVersionPackument, 'deprecated')) {\n node.package['deprecated'] = newVersionPackument.deprecated as string\n } else {\n delete node.package['deprecated']\n }\n // Update node.package.dependencies.\n const newDeps = { ...newVersionPackument.dependencies }\n const { dependencies: oldDeps } = node.package\n node.package.dependencies = newDeps\n if (oldDeps) {\n for (const oldDepName of Object.keys(oldDeps)) {\n if (!hasOwn(newDeps, oldDepName)) {\n // Detach old edges for dependencies that don't exist on the updated\n // node.package.dependencies.\n node.edgesOut.get(oldDepName)?.detach()\n }\n }\n }\n for (const newDepName of Object.keys(newDeps)) {\n if (!hasOwn(oldDeps, newDepName)) {\n // Add new edges for dependencies that don't exist on the old\n // node.package.dependencies.\n node.addEdgeOut(\n new Edge({\n from: node,\n name: newDepName,\n spec: newDeps[newDepName],\n type: 'prod',\n }) as unknown as EdgeClass,\n )\n }\n }\n}\n\nexport function updatePackageJsonFromNode(\n editablePkgJson: EditablePackageJson,\n tree: NodeClass,\n node: NodeClass,\n newVersion: string,\n rangeStyle?: RangeStyle | undefined,\n): boolean {\n let result = false\n if (!isTopLevel(tree, node)) {\n return result\n }\n const { name } = node\n for (const depField of [\n 'dependencies',\n 'optionalDependencies',\n 'peerDependencies',\n ]) {\n const depObject = editablePkgJson.content[depField] as\n | { [key: string]: string }\n | undefined\n const depValue = hasOwn(depObject, name) ? depObject[name] : undefined\n if (typeof depValue !== 'string' || depValue.startsWith('catalog:')) {\n continue\n }\n let oldRange = depValue\n // Use npa if depValue looks like more than just a semver range.\n if (depValue.includes(':')) {\n const npaResult = npa(depValue)\n if (!npaResult || (npaResult as AliasResult).subSpec) {\n continue\n }\n oldRange = npaResult.rawSpec\n }\n const oldMin = getMinVersion(oldRange)\n const newRange =\n oldMin &&\n // Ensure we're on the same major version...\n getMajor(newVersion) === oldMin.major &&\n // and not a downgrade.\n semver.gte(newVersion, oldMin.version)\n ? applyRange(oldRange, newVersion, rangeStyle)\n : oldRange\n if (oldRange !== newRange) {\n result = true\n editablePkgJson.update({\n [depField]: {\n ...depObject,\n [name]: newRange,\n },\n })\n }\n }\n return result\n}\n","// @ts-ignore\nimport UntypedArborist from '@npmcli/arborist/lib/arborist/index.js'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants from '../../../../../constants.mts'\nimport { findUp } from '../../../../../utils/fs.mts'\nimport { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'\nimport {\n getAlertsMapFromArborist,\n getDetailsFromDiff,\n} from '../../../arborist-helpers.mts'\n\nimport type {\n ArboristClass,\n ArboristReifyOptions,\n NodeClass,\n} from '../../types.mts'\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },\n} = constants\n\nexport const SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n __proto__: null,\n audit: false,\n dryRun: true,\n fund: false,\n ignoreScripts: true,\n progress: false,\n save: false,\n saveBundle: false,\n silent: true,\n}\n\nexport const SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n // @ts-ignore\n __proto__: null,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n dryRun: false,\n save: true,\n}\n\nexport const kCtorArgs = Symbol('ctorArgs')\n\nexport const kRiskyReify = Symbol('riskyReify')\n\nexport const Arborist: ArboristClass = UntypedArborist\n\n// Implementation code not related to our custom behavior is based on\n// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:\nexport class SafeArborist extends Arborist {\n constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {\n super(\n {\n path:\n (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n },\n ...ctorArgs.slice(1),\n )\n ;(this as any)[kCtorArgs] = ctorArgs\n }\n\n async [kRiskyReify](\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const ctorArgs = (this as any)[kCtorArgs]\n const arb = new Arborist(\n {\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n progress: false,\n },\n ...ctorArgs.slice(1),\n )\n const ret = await (arb.reify as (...args: any[]) => Promise<NodeClass>)(\n {\n ...(args.length ? args[0] : undefined),\n progress: false,\n },\n ...args.slice(1),\n )\n Object.assign(this, arb)\n return ret\n }\n\n // @ts-ignore Incorrectly typed.\n override async reify(\n this: SafeArborist,\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const options = {\n __proto__: null,\n ...(args.length ? args[0] : undefined),\n } as ArboristReifyOptions\n\n const ipc = await getIpc()\n\n const binName = ipc[constants.SOCKET_CLI_SHADOW_BIN]\n if (!binName) {\n return await this[kRiskyReify](...args)\n }\n\n await super.reify(\n {\n ...options,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n progress: false,\n },\n // @ts-ignore: TypeScript gets grumpy about rest parameters.\n ...args.slice(1),\n )\n\n const shadowAcceptRisks = !!ipc[constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]\n const shadowProgress = !!ipc[constants.SOCKET_CLI_SHADOW_PROGRESS]\n const shadowSilent = !!ipc[constants.SOCKET_CLI_SHADOW_SILENT]\n\n const acceptRisks =\n shadowAcceptRisks || constants.ENV.SOCKET_CLI_ACCEPT_RISKS\n const reportOnlyBlocking = acceptRisks || options.dryRun || options['yes']\n const silent = !!options['silent']\n const spinner = silent || !shadowProgress ? undefined : constants.spinner\n\n const isShadowNpx = binName === 'npx'\n const hasExisting = await findUp('node_modules', {\n cwd: process.cwd(),\n onlyDirectories: true,\n })\n const shouldCheckExisting = reportOnlyBlocking ? true : isShadowNpx\n\n const needInfoOn = getDetailsFromDiff(this.diff, {\n filter: {\n existing: shouldCheckExisting,\n },\n })\n\n const alertsMap = await getAlertsMapFromArborist(this, needInfoOn, {\n apiToken: ipc[constants.SOCKET_CLI_SHADOW_API_TOKEN],\n spinner,\n filter: reportOnlyBlocking\n ? {\n actions: ['error'],\n blocked: true,\n existing: shouldCheckExisting,\n }\n : {\n actions: ['error', 'monitor', 'warn'],\n existing: shouldCheckExisting,\n },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n throw new Error(\n `\n Socket ${binName} exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }\n `.trim(),\n )\n } else if (!silent && !shadowSilent) {\n logger.success(\n `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'}${hasExisting ? ' new' : ''} risks`,\n )\n if (isShadowNpx) {\n logger.log(`Running ${options.add![0]}`)\n }\n }\n\n return await this[kRiskyReify](...args)\n }\n}\n","import { createRequire } from 'node:module'\n\n// @ts-ignore\nimport UntypedEdge from '@npmcli/arborist/lib/edge.js'\n// @ts-ignore\nimport UntypedNode from '@npmcli/arborist/lib/node.js'\n// @ts-ignore\nimport UntypedOverrideSet from '@npmcli/arborist/lib/override-set.js'\n\nimport {\n getArboristClassPath,\n getArboristEdgeClassPath,\n getArboristNodeClassPath,\n getArboristOverrideSetClassPath,\n} from '../paths.mts'\nimport { Arborist, SafeArborist } from './lib/arborist/index.mts'\n\nimport type { EdgeClass, NodeClass, OverrideSetClass } from './types.mts'\n\nconst require = createRequire(import.meta.url)\n\nexport { Arborist, SafeArborist }\n\nexport const Edge: EdgeClass = UntypedEdge\n\nexport const Node: NodeClass = UntypedNode\n\nexport const OverrideSet: OverrideSetClass = UntypedOverrideSet\n\nexport function installSafeArborist() {\n // Override '@npmcli/arborist' module exports with patched variants based on\n // https://github.com/npm/cli/pull/8089.\n const cache: { [key: string]: any } = require.cache\n cache[getArboristClassPath()] = { exports: SafeArborist }\n cache[getArboristEdgeClassPath()] = { exports: Edge }\n cache[getArboristNodeClassPath()] = { exports: Node }\n cache[getArboristOverrideSetClassPath()] = { exports: OverrideSet }\n}\n","import { installSafeArborist } from './arborist/index.mts'\n\ninstallSafeArborist()\n"],"names":["_arboristPkgPath","add","change","remove","__proto__","consolidate","nothrow","debugFn","NPM_REGISTRY_URL","existing","unknownOrigin","length","action","actual","ideal","keep","node","queue","unchanged","getIpc","audit","dryRun","fund","ignoreScripts","progress","save","saveBundle","silent","path","Object","cwd","onlyDirectories","filter","apiToken","blocked","actions","hideAt","logger","cache","exports","installSafeArborist"],"mappings":";;;;;;;;;;;;;AAOA;AACO;;;AAGH;AAGA;AAIAA;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;ACAO;AACLC;AACAC;AACAC;AACF;;AChCA;;AAEI;AACA;AACA;;;AAGF;AACF;AA2IO;AAKL;AACEC;AACAC;AACAC;AACA;;;AAIF;AAEA;;AAMA;;AAGM;AACF;AAEJ;AAEA;;;AAGA;AACF;AAgBO;;AAKL;;AAEEC;AACA;AACF;;AAEQC;AAAiB;;AAGvBC;AACAC;AACA;AACF;AAEA;;;AAEMC;AAAoB;;AAExB;AACE;AACF;AACA;;AACQC;AAAO;AACf;AACE;AACA;AACA;AACA;;AACQC;AAAiBC;AAAe;AACxC;;AAEA;;AAEIC;AACA;AAIEN;AACF;AACF;AACF;AACEM;AACF;AACA;AACE;;AAKIC;AACAP;AACF;AACF;AACF;AACF;AACA;AACEQ;AACF;AACF;;;AAEUC;AAAU;AAClB;AAAkBP;;AAChB;AACA;;AAKIK;AACAP;AACF;AACF;AACF;AACF;AACA;AACF;;ACtTA;AAmBA;;AAEE;AAA+DU;AAAO;AACxE;AAEO;AACLf;AACAgB;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAUO;AAEA;AAEA;;AAEP;AACA;AACO;;AAEH;AAEIC;;;;AAOF;AACJ;AAEA;AAGE;AACA;;AAGIJ;;AAIJ;;AAGIA;;AAIJK;AACA;AACF;;AAEA;AACA;AAIE;AACEzB;;;AAIF;AAEA;;;AAGA;;AAII;AACA;AACAoB;;AAEF;AACA;;;;;;AAUF;;AAGA;AACA;AACEM;AACAC;AACF;AACA;AAEA;AACEC;AACEvB;AACF;AACF;;AAGEwB;;;;AAKMC;AACAzB;AACF;AAEE0B;AACA1B;AACF;AACN;;;AAIE;;AAEE2B;;AAEF;;AAGN;AAQA;AAGI;AACEC;AAGA;;AAEA;AACF;;AAGF;AACF;;ACrKA;AAIO;AAEA;AAEA;AAEA;AACL;AACA;AACA;AACAC;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACnCAC","debugId":"cb5f5a9e-09b4-4668-be84-c67c918a6432"}
package/dist/socket-completion.bash CHANGED
@@ -87,7 +87,7 @@ FLAGS=(
87
87
  [dependencies]="--json --limit --markdown --offset"
88
88
  [diff-scan]=""
89
89
  [diff-scan get]="--after --before --depth --file --json"
90
- [fix]="--auto-merge --autopilot --ghsa --limit --min-satisfying --purl --range-style --test --test-script"
90
+ [fix]="--auto-merge --id --limit --range-style"
91
91
  [install]=""
92
92
  [install completion]=""
93
93
  [login]="--api-base-url --api-proxy"