@socketsecurity/cli-with-sentry 1.1.14 → 1.1.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (112)
  1. package/CHANGELOG.md +19 -0
  2. package/dist/cli.js +114 -32
  3. package/dist/cli.js.map +1 -1
  4. package/dist/constants.js +35 -37
  5. package/dist/constants.js.map +1 -1
  6. package/dist/shadow-npm-bin.js +6 -6
  7. package/dist/shadow-npm-bin.js.map +1 -1
  8. package/dist/shadow-pnpm-bin.js +3 -5
  9. package/dist/shadow-pnpm-bin.js.map +1 -1
  10. package/dist/shadow-yarn-bin.js +2 -2
  11. package/dist/shadow-yarn-bin.js.map +1 -1
  12. package/dist/tsconfig.dts.tsbuildinfo +1 -1
  13. package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
  14. package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
  15. package/dist/types/commands/fix/env-helpers.d.mts +13 -0
  16. package/dist/types/commands/fix/env-helpers.d.mts.map +1 -1
  17. package/dist/types/commands/fix/handle-fix.d.mts.map +1 -1
  18. package/dist/types/commands/manifest/cmd-manifest-cdxgen.d.mts.map +1 -1
  19. package/dist/types/commands/manifest/run-cdxgen.d.mts.map +1 -1
  20. package/dist/types/commands/optimize/apply-optimization.d.mts.map +1 -1
  21. package/dist/types/commands/optimize/update-lockfile.d.mts.map +1 -1
  22. package/dist/types/commands/package/fetch-purls-shallow-score.d.mts.map +1 -1
  23. package/dist/types/commands/patch/cmd-patch.d.mts.map +1 -1
  24. package/dist/types/commands/patch/handle-patch.d.mts.map +1 -1
  25. package/dist/types/commands/threat-feed/cmd-threat-feed.d.mts.map +1 -1
  26. package/dist/types/commands/yarn/cmd-yarn.d.mts +1 -1
  27. package/dist/types/commands/yarn/cmd-yarn.d.mts.map +1 -1
  28. package/dist/types/constants.d.mts +15 -19
  29. package/dist/types/constants.d.mts.map +1 -1
  30. package/dist/types/shadow/pnpm/bin.d.mts.map +1 -1
  31. package/dist/types/utils/agent.d.mts.map +1 -1
  32. package/dist/types/utils/api.d.mts.map +1 -1
  33. package/dist/types/utils/dlx.d.mts.map +1 -1
  34. package/dist/types/utils/package-environment.d.mts.map +1 -1
  35. package/dist/types/utils/path-resolve.d.mts.map +1 -1
  36. package/dist/utils.js +70 -29
  37. package/dist/utils.js.map +1 -1
  38. package/dist/vendor.js +514 -517
  39. package/external/@socketsecurity/registry/external/@inquirer/confirm.js +45 -205
  40. package/external/@socketsecurity/registry/external/@inquirer/input.js +45 -205
  41. package/external/@socketsecurity/registry/external/@inquirer/password.js +181 -205
  42. package/external/@socketsecurity/registry/external/@inquirer/search.js +47 -207
  43. package/external/@socketsecurity/registry/external/@inquirer/select.js +183 -207
  44. package/external/@socketsecurity/registry/external/@npmcli/package-json/index.js +388 -2280
  45. package/external/@socketsecurity/registry/external/browserslist.js +11534 -567
  46. package/external/@socketsecurity/registry/external/cacache.js +2575 -4914
  47. package/external/@socketsecurity/registry/external/libnpmpack.js +64667 -166061
  48. package/external/@socketsecurity/registry/external/make-fetch-happen.js +384 -4044
  49. package/external/@socketsecurity/registry/external/normalize-package-data.js +30 -278
  50. package/external/@socketsecurity/registry/external/npm-package-arg.js +28 -9
  51. package/external/@socketsecurity/registry/external/pacote.js +46680 -66482
  52. package/external/@socketsecurity/registry/external/spdx-correct.js +19 -0
  53. package/external/@socketsecurity/registry/external/spdx-expression-parse.js +19 -0
  54. package/external/@socketsecurity/registry/lib/agent.js +390 -0
  55. package/external/@socketsecurity/registry/lib/arrays.js +31 -0
  56. package/external/@socketsecurity/registry/lib/bin.js +650 -0
  57. package/external/@socketsecurity/registry/lib/constants/bun-lock.js +3 -0
  58. package/external/@socketsecurity/registry/lib/constants/bun-lockb.js +3 -0
  59. package/external/@socketsecurity/registry/lib/constants/bun.js +3 -0
  60. package/external/@socketsecurity/registry/lib/constants/dot-git-dir.js +3 -0
  61. package/external/@socketsecurity/registry/lib/constants/dot-socket-dir.js +3 -0
  62. package/external/@socketsecurity/registry/lib/constants/empty-value.js +3 -0
  63. package/external/@socketsecurity/registry/lib/constants/env.js +17 -3
  64. package/external/@socketsecurity/registry/lib/constants/ext-yaml.js +3 -0
  65. package/external/@socketsecurity/registry/lib/constants/ext-yml.js +3 -0
  66. package/external/@socketsecurity/registry/lib/constants/index.js +20 -11
  67. package/external/@socketsecurity/registry/lib/constants/npm-exec-path.js +2 -2
  68. package/external/@socketsecurity/registry/lib/constants/npm-real-exec-path.js +1 -1
  69. package/external/@socketsecurity/registry/lib/constants/npm-shrinkwrap-json.js +3 -0
  70. package/external/@socketsecurity/registry/lib/constants/pnpm-exec-path.js +5 -0
  71. package/external/@socketsecurity/registry/lib/constants/pnpm-lock-yaml.js +3 -0
  72. package/external/@socketsecurity/registry/lib/constants/unknown-error.js +3 -0
  73. package/external/@socketsecurity/registry/lib/constants/unknown-value.js +3 -0
  74. package/external/@socketsecurity/registry/lib/constants/vlt-lock-json.js +3 -0
  75. package/external/@socketsecurity/registry/lib/constants/vlt.js +3 -0
  76. package/external/@socketsecurity/registry/lib/constants/yarn-berry.js +3 -0
  77. package/external/@socketsecurity/registry/lib/constants/yarn-classic.js +3 -0
  78. package/external/@socketsecurity/registry/lib/constants/yarn-exec-path.js +5 -0
  79. package/external/@socketsecurity/registry/lib/constants/yarn.js +3 -0
  80. package/external/@socketsecurity/registry/lib/debug.js +53 -0
  81. package/external/@socketsecurity/registry/lib/env.js +18 -0
  82. package/external/@socketsecurity/registry/lib/fs.js +218 -2
  83. package/external/@socketsecurity/registry/lib/functions.js +5 -0
  84. package/external/@socketsecurity/registry/lib/globs.js +22 -1
  85. package/external/@socketsecurity/registry/lib/json.js +16 -0
  86. package/external/@socketsecurity/registry/lib/logger.js +157 -0
  87. package/external/@socketsecurity/registry/lib/objects.js +103 -0
  88. package/external/@socketsecurity/registry/lib/packages.js +88 -0
  89. package/external/@socketsecurity/registry/lib/path.js +51 -1
  90. package/external/@socketsecurity/registry/lib/promises.js +55 -0
  91. package/external/@socketsecurity/registry/lib/regexps.js +5 -0
  92. package/external/@socketsecurity/registry/lib/sorts.js +17 -0
  93. package/external/@socketsecurity/registry/lib/spawn.js +105 -7
  94. package/external/@socketsecurity/registry/lib/streams.js +26 -0
  95. package/external/@socketsecurity/registry/lib/strings.js +123 -9
  96. package/external/@socketsecurity/registry/lib/url.js +21 -0
  97. package/external/@socketsecurity/registry/lib/words.js +16 -0
  98. package/external/@socketsecurity/registry/manifest.json +5 -4
  99. package/package.json +5 -4
  100. package/external/@socketsecurity/registry/external/ansi-regex.js +0 -13
  101. package/external/@socketsecurity/registry/lib/constants/node-workspaces.js +0 -3
  102. package/external/@socketsecurity/registry/lib/constants/parse-args-config.js +0 -14
  103. package/external/@socketsecurity/registry/lib/constants/skip-tests-by-ecosystem.js +0 -43
  104. package/external/@socketsecurity/registry/lib/constants/template-cjs-browser.js +0 -3
  105. package/external/@socketsecurity/registry/lib/constants/template-cjs-esm.js +0 -3
  106. package/external/@socketsecurity/registry/lib/constants/template-cjs.js +0 -3
  107. package/external/@socketsecurity/registry/lib/constants/template-es-shim-constructor.js +0 -3
  108. package/external/@socketsecurity/registry/lib/constants/template-es-shim-prototype-method.js +0 -3
  109. package/external/@socketsecurity/registry/lib/constants/template-es-shim-static-method.js +0 -3
  110. package/external/@socketsecurity/registry/lib/constants/win32-ensure-tests-by-ecosystem.js +0 -3
  111. package/external/@socketsecurity/registry/lib/npm.js +0 -404
  112. /package/external/@socketsecurity/registry/lib/constants/{hidden-package-lock-json.js → dot-package-lock-json.js} +0 -0
@@ -1 +1 @@
1
- {"version":3,"file":"shadow-pnpm-bin.js","sources":["../src/shadow/pnpm/link.mts","../src/shadow/pnpm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getPnpmBinPath,\n isPnpmBinPathShadowed,\n} from '../../utils/pnpm-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n _binName: 'pnpm',\n): Promise<string> {\n // Find pnpm being shadowed by this process.\n const binPath = getPnpmBinPath()\n const { WIN32 } = constants\n\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n\n const shadowed = isPnpmBinPathShadowed()\n\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, 'pnpm-cli.js'),\n path.join(shadowBinPath, 'pnpm'),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n\n return binPath\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants, { PNPM_LOCK_YAML } from '../../constants.mts'\nimport {\n getAlertsMapFromPnpmLockfile,\n getAlertsMapFromPurls,\n} from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { parsePnpmLockfile, readPnpmLockfile } from '../../utils/pnpm.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowPnpmOptions = 
SpawnOptions & {\n ipc?: IpcObject | undefined\n}\n\nexport type ShadowPnpmResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n 'add',\n 'i',\n 'install',\n 'install-test',\n 'it',\n 'update',\n 'up',\n])\n\nexport default async function shadowPnpm(\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowPnpmOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowPnpmResult> {\n const opts = { __proto__: null, ...options } as ShadowPnpmOptions\n const { env: spawnEnv, ipc, ...spawnOpts } = opts\n\n let { cwd = process.cwd() } = opts\n if (cwd instanceof URL) {\n cwd = fileURLToPath(cwd)\n }\n\n const terminatorPos = args.indexOf('--')\n const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n // Check if this is an install-type command that needs security scanning\n const command = rawPnpmArgs[0]\n const needsScanning = command && INSTALL_COMMANDS.has(command)\n\n // Get pnpm path\n const realPnpmPath = await installLinks(constants.shadowBinPath, 'pnpm')\n\n const permArgs = [\n '--reporter=silent',\n // Disable update checks during security scanning\n '--no-update-notifier',\n ]\n\n const prefixArgs: string[] = []\n const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs]\n\n if (needsScanning && !rawPnpmArgs.includes('--dry-run')) {\n const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n // Extract package names from command arguments before any downloads\n const packagePurls: string[] = []\n\n if (command === 'add') {\n // For 'pnpm add package1 package2@version', get packages from args\n const packageArgs = rawPnpmArgs\n .slice(1)\n .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n for (const pkgSpec of packageArgs) {\n // Handle package specs like 'lodash', 
'lodash@4.17.21', '@types/node@^20.0.0'\n let name: string\n let version: string | undefined\n\n if (pkgSpec.startsWith('@')) {\n // Scoped package: @scope/name or @scope/name@version\n const parts = pkgSpec.split('@')\n if (parts.length === 2) {\n // @scope/name (no version)\n name = pkgSpec\n } else {\n // @scope/name@version\n name = `@${parts[1]}`\n version = parts[2]\n }\n } else {\n // Regular package: name or name@version\n const atIndex = pkgSpec.indexOf('@')\n if (atIndex === -1) {\n name = pkgSpec\n } else {\n name = pkgSpec.slice(0, atIndex)\n version = pkgSpec.slice(atIndex + 1)\n }\n }\n\n if (name) {\n packagePurls.push(\n version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n )\n }\n }\n } else if (['install', 'i', 'update', 'up'].includes(command)) {\n // For install/update, scan all dependencies from pnpm-lock.yaml\n const pnpmLockPath = path.join(cwd, PNPM_LOCK_YAML)\n if (existsSync(pnpmLockPath)) {\n try {\n const lockfileContent = await readPnpmLockfile(pnpmLockPath)\n if (lockfileContent) {\n const lockfile = parsePnpmLockfile(lockfileContent)\n if (lockfile) {\n // Use existing function to scan the entire lockfile\n if (isDebug()) {\n debugFn(\n 'notice',\n `scanning: all dependencies from ${PNPM_LOCK_YAML}`,\n )\n }\n\n const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `Socket pnpm exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? 
''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n\n // Return early since we've already done the scanning\n if (isDebug()) {\n debugFn(\n 'notice',\n 'complete: lockfile scanning, proceeding with install',\n )\n }\n }\n }\n } catch (e) {\n if (isDebug()) {\n debugFn('error', 'caught: pnpm lockfile scanning error')\n debugDir('inspect', { error: e })\n }\n }\n } else if (isDebug()) {\n debugFn(\n 'notice',\n 'skip: no pnpm-lock.yaml found, skipping bulk install scanning',\n )\n }\n }\n\n if (packagePurls.length > 0) {\n if (isDebug()) {\n debugFn('notice', 'scanning: packages before download')\n debugDir('inspect', { packagePurls })\n }\n\n try {\n const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `\nSocket pnpm exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? 
''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n } catch (e) {\n // Re-throw process.exit errors from tests.\n if (e instanceof Error && e.message === 'process.exit called') {\n throw e\n }\n if (isDebug()) {\n debugFn('error', 'caught: package scanning error')\n debugDir('inspect', { error: e })\n }\n // Continue with installation if scanning fails\n }\n }\n\n if (isDebug()) {\n debugFn('notice', 'complete: scanning, proceeding with install')\n debugDir('inspect', { args: rawPnpmArgs.slice(1) })\n }\n }\n\n const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n const env = {\n ...process.env,\n ...spawnEnv,\n } as Record<string, string>\n\n if (isDebug()) {\n debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`)\n }\n\n const spawnPromise = spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {\n ...spawnOpts,\n env,\n extra,\n })\n\n return { spawnPromise 
}\n}\n"],"names":["WIN32","env","__proto__","cwd","name","version","packagePurls","debugFn","nothrow","blocked","actions","hideAt","logger","process","error","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;;AAUO;AAIL;AACA;;AACQA;AAAM;;AAEd;;AAEE;AACF;AAEA;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACJA;AAUe;AAKb;AAAeC;;;;AACPD;;;AAAiC;;AAEnCE;AAAoB;;AAExBA;AACF;AAEA;AACA;AACA;;AAEA;AACA;;;AAGA;;;AAKE;AACA;;;;;;;AAUA;;;AAIE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AACE;;AAEA;;AAEI;AACA;AACE;AACA;AACE;;AAEEC;AAIF;AAEA;AACEC;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;;AAYAC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEEN;AAIF;AACF;AACF;;;AAGEA;;AACsBO;AAAS;AACjC;AACF;AACF;AACEP;AAIF;AACF;AAEA;;AAEIA;;AACsBD;AAAa;AACrC;;AAGE;AACEE;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEN;;AACsBO;AAAS;AACjC;AACA;AACF;AACF;;AAGEP;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"95396bfd-89e3-4dec-a9d6-623419962b28"}
1
+ {"version":3,"file":"shadow-pnpm-bin.js","sources":["../src/shadow/pnpm/link.mts","../src/shadow/pnpm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getPnpmBinPath,\n isPnpmBinPathShadowed,\n} from '../../utils/pnpm-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n _binName: 'pnpm',\n): Promise<string> {\n // Find pnpm being shadowed by this process.\n const binPath = getPnpmBinPath()\n const { WIN32 } = constants\n\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n\n const shadowed = isPnpmBinPathShadowed()\n\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, 'pnpm-cli.js'),\n path.join(shadowBinPath, 'pnpm'),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n\n return binPath\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants, { FLAG_DRY_RUN, PNPM_LOCK_YAML } from '../../constants.mts'\nimport {\n getAlertsMapFromPnpmLockfile,\n getAlertsMapFromPurls,\n} from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { parsePnpmLockfile, readPnpmLockfile } from '../../utils/pnpm.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type 
ShadowPnpmOptions = SpawnOptions & {\n ipc?: IpcObject | undefined\n}\n\nexport type ShadowPnpmResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n 'add',\n 'i',\n 'install',\n 'install-test',\n 'it',\n 'update',\n 'up',\n])\n\nexport default async function shadowPnpm(\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowPnpmOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowPnpmResult> {\n const opts = { __proto__: null, ...options } as ShadowPnpmOptions\n const { env: spawnEnv, ipc, ...spawnOpts } = opts\n\n let { cwd = process.cwd() } = opts\n if (cwd instanceof URL) {\n cwd = fileURLToPath(cwd)\n }\n\n const terminatorPos = args.indexOf('--')\n const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n // Check if this is an install-type command that needs security scanning\n const command = rawPnpmArgs[0]\n const needsScanning = command && INSTALL_COMMANDS.has(command)\n\n // Get pnpm path\n const realPnpmPath = await installLinks(constants.shadowBinPath, 'pnpm')\n\n const permArgs = ['--reporter=silent']\n\n const prefixArgs: string[] = []\n const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs]\n\n if (needsScanning && !rawPnpmArgs.includes(FLAG_DRY_RUN)) {\n const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n // Extract package names from command arguments before any downloads\n const packagePurls: string[] = []\n\n if (command === 'add') {\n // For 'pnpm add package1 package2@version', get packages from args\n const packageArgs = rawPnpmArgs\n .slice(1)\n .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n for (const pkgSpec of packageArgs) {\n // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n let name: string\n let 
version: string | undefined\n\n if (pkgSpec.startsWith('@')) {\n // Scoped package: @scope/name or @scope/name@version\n const parts = pkgSpec.split('@')\n if (parts.length === 2) {\n // @scope/name (no version)\n name = pkgSpec\n } else {\n // @scope/name@version\n name = `@${parts[1]}`\n version = parts[2]\n }\n } else {\n // Regular package: name or name@version\n const atIndex = pkgSpec.indexOf('@')\n if (atIndex === -1) {\n name = pkgSpec\n } else {\n name = pkgSpec.slice(0, atIndex)\n version = pkgSpec.slice(atIndex + 1)\n }\n }\n\n if (name) {\n packagePurls.push(\n version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n )\n }\n }\n } else if (['install', 'i', 'update', 'up'].includes(command)) {\n // For install/update, scan all dependencies from pnpm-lock.yaml\n const pnpmLockPath = path.join(cwd, PNPM_LOCK_YAML)\n if (existsSync(pnpmLockPath)) {\n try {\n const lockfileContent = await readPnpmLockfile(pnpmLockPath)\n if (lockfileContent) {\n const lockfile = parsePnpmLockfile(lockfileContent)\n if (lockfile) {\n // Use existing function to scan the entire lockfile\n if (isDebug()) {\n debugFn(\n 'notice',\n `scanning: all dependencies from ${PNPM_LOCK_YAML}`,\n )\n }\n\n const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `Socket pnpm exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? 
''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n\n // Return early since we've already done the scanning\n if (isDebug()) {\n debugFn(\n 'notice',\n 'complete: lockfile scanning, proceeding with install',\n )\n }\n }\n }\n } catch (e) {\n if (isDebug()) {\n debugFn('error', 'caught: pnpm lockfile scanning error')\n debugDir('inspect', { error: e })\n }\n }\n } else if (isDebug()) {\n debugFn(\n 'notice',\n 'skip: no pnpm-lock.yaml found, skipping bulk install scanning',\n )\n }\n }\n\n if (packagePurls.length > 0) {\n if (isDebug()) {\n debugFn('notice', 'scanning: packages before download')\n debugDir('inspect', { packagePurls })\n }\n\n try {\n const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `\nSocket pnpm exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? 
''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n } catch (e) {\n // Re-throw process.exit errors from tests.\n if (e instanceof Error && e.message === 'process.exit called') {\n throw e\n }\n if (isDebug()) {\n debugFn('error', 'caught: package scanning error')\n debugDir('inspect', { error: e })\n }\n // Continue with installation if scanning fails\n }\n }\n\n if (isDebug()) {\n debugFn('notice', 'complete: scanning, proceeding with install')\n debugDir('inspect', { args: rawPnpmArgs.slice(1) })\n }\n }\n\n const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n const env = {\n ...process.env,\n ...spawnEnv,\n } as Record<string, string>\n\n if (isDebug()) {\n debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`)\n }\n\n const spawnPromise = spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {\n ...spawnOpts,\n env,\n extra,\n })\n\n return { spawnPromise 
}\n}\n"],"names":["WIN32","env","__proto__","cwd","name","version","packagePurls","debugFn","nothrow","blocked","actions","hideAt","logger","process","error","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;;AAUO;AAIL;AACA;;AACQA;AAAM;;AAEd;;AAEE;AACF;AAEA;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACJA;AAUe;AAKb;AAAeC;;;;AACPD;;;AAAiC;;AAEnCE;AAAoB;;AAExBA;AACF;AAEA;AACA;AACA;;AAEA;AACA;;;AAGA;;AAGA;;;;;;;AASE;;;AAIE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AACE;;AAEA;;AAEI;AACA;AACE;AACA;AACE;;AAEEC;AAIF;AAEA;AACEC;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;;AAYAC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEEN;AAIF;AACF;AACF;;;AAGEA;;AACsBO;AAAS;AACjC;AACF;AACF;AACEP;AAIF;AACF;AAEA;;AAEIA;;AACsBD;AAAa;AACrC;;AAGE;AACEE;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEN;;AACsBO;AAAS;AACjC;AACA;AACF;AACF;;AAGEP;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"f69cd503-77eb-4641-a4ae-622c377f99cb"}
@@ -54,7 +54,7 @@ async function shadowYarn(args = process.argv.slice(2), options, extra) {
54
54
  const permArgs = [];
55
55
  const prefixArgs = [];
56
56
  const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs];
57
- if (needsScanning && !rawYarnArgs.includes('--dry-run')) {
57
+ if (needsScanning && !rawYarnArgs.includes(constants.FLAG_DRY_RUN)) {
58
58
  const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS']);
59
59
  const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS']);
60
60
 
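Review bot: The changed line skips the pre-install risk scan whenever the dry-run flag is present, but nothing in the hunk says why a dry run is exempt, so a later reader could mistake it for a scan bypass; a comment above the `if`, such as `// A dry run installs nothing, so the pre-install risk scan is skipped (confirm against yarn's --dry-run semantics).`, would make the intent explicit. Because `includes()` matches only the exact flag text, a variant spelling such as `--dry-run=true` would still be scanned, which fails safe and is worth stating in the same comment. The constant swap itself changes no behaviour, assuming `constants.FLAG_DRY_RUN` holds the literal `'--dry-run'`, whose definition is not in this hunk. shadowYarn's body begins before the hunk and continues after it.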
@@ -196,5 +196,5 @@ Socket yarn exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun
196
196
  }
197
197
 
198
198
  module.exports = shadowYarn;
199
- //# debugId=ff5e070d-ede1-4e55-b8e9-dfa667ad45a0
199
+ //# debugId=bc98a9a0-2f24-4096-92b6-cda4ca25f80c
200
200
  //# sourceMappingURL=shadow-yarn-bin.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"shadow-yarn-bin.js","sources":["../src/shadow/yarn/link.mts","../src/shadow/yarn/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getYarnBinPath,\n isYarnBinPathShadowed,\n} from '../../utils/yarn-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n binName: 'yarn',\n): Promise<string> {\n const binPath = getYarnBinPath()\n const { WIN32 } = constants\n\n if (WIN32 && binPath) {\n return binPath\n }\n\n const shadowed = isYarnBinPathShadowed()\n\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(shadowBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n\n return binPath\n}\n","import { promises as fs } from 'node:fs'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowYarnOptions = SpawnOptions & {\n ipc?: IpcObject | undefined\n}\n\nexport type ShadowYarnResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n 'add',\n 'install',\n 'up',\n 'upgrade',\n 'upgrade-interactive',\n])\n\nconst DLX_COMMANDS = new Set(['dlx'])\n\nexport default async function shadowYarn(\n 
args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowYarnOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowYarnResult> {\n const {\n env: spawnEnv,\n ipc,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowYarnOptions\n const terminatorPos = args.indexOf('--')\n const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n // Check if this is a command that needs security scanning\n const command = rawYarnArgs[0]\n const needsScanning =\n command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command))\n\n // Get yarn path\n const realYarnPath = await installLinks(constants.shadowBinPath, 'yarn')\n\n const permArgs: string[] = []\n\n const prefixArgs: string[] = []\n const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs]\n\n if (needsScanning && !rawYarnArgs.includes('--dry-run')) {\n const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n // Extract package names from command arguments before any downloads\n const packagePurls: string[] = []\n\n if (command === 'add' || command === 'dlx') {\n // For 'yarn add package1 package2@version' or 'yarn dlx package'\n const packageArgs = rawYarnArgs\n .slice(1)\n .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n for (const pkgSpec of packageArgs) {\n // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n let name: string\n let version: string | undefined\n\n if (pkgSpec.startsWith('@')) {\n // Scoped package: @scope/name or @scope/name@version\n const parts = pkgSpec.split('@')\n if (parts.length === 2) {\n // @scope/name (no version)\n name = pkgSpec\n } else {\n // @scope/name@version\n name = `@${parts[1]}`\n version = parts[2]\n }\n } else {\n // Regular package: name or name@version\n const atIndex = pkgSpec.indexOf('@')\n if 
(atIndex === -1) {\n name = pkgSpec\n } else {\n name = pkgSpec.slice(0, atIndex)\n version = pkgSpec.slice(atIndex + 1)\n }\n }\n\n if (name) {\n packagePurls.push(\n version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n )\n }\n }\n } else if (\n ['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)\n ) {\n // For install/upgrade, scan all dependencies from package.json\n // Note: This scans direct dependencies only. For full transitive dependency\n // scanning, yarn.lock parsing would be needed (not yet implemented)\n try {\n const packageJsonContent = await fs.readFile('package.json', 'utf8')\n const packageJson = JSON.parse(packageJsonContent)\n\n const allDeps = {\n ...packageJson.dependencies,\n ...packageJson.devDependencies,\n ...packageJson.optionalDependencies,\n ...packageJson.peerDependencies,\n }\n\n for (const [name, version] of Object.entries(allDeps)) {\n if (typeof version === 'string') {\n packagePurls.push(idToNpmPurl(`${name}@${version}`))\n } else {\n packagePurls.push(idToNpmPurl(name))\n }\n }\n\n if (isDebug()) {\n debugFn(\n 'notice',\n `scanning: ${packagePurls.length} direct dependencies from package.json`,\n )\n debugFn(\n 'notice',\n 'note: transitive dependencies not scanned (yarn.lock parsing not implemented)',\n )\n }\n } catch (e) {\n if (isDebug()) {\n debugFn(\n 'error',\n 'caught: package.json read error during dependency scanning',\n )\n debugDir('inspect', { error: e })\n }\n }\n }\n\n if (packagePurls.length > 0) {\n if (isDebug()) {\n debugFn('notice', 'scanning: packages before download')\n debugDir('inspect', { packagePurls })\n }\n\n try {\n const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 
'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `\nSocket yarn exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n } catch (e) {\n // Re-throw process.exit errors from tests.\n if (e instanceof Error && e.message === 'process.exit called') {\n throw e\n }\n if (isDebug()) {\n debugFn('error', 'caught: package scanning error')\n debugDir('inspect', { error: e })\n }\n // Continue with installation if scanning fails\n }\n }\n\n if (isDebug()) {\n debugFn('notice', 'complete: scanning, proceeding with install')\n debugDir('inspect', { args: rawYarnArgs.slice(1) })\n }\n }\n\n const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n const env = {\n ...process.env,\n ...spawnEnv,\n } as Record<string, string>\n\n if (isDebug()) {\n debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`)\n }\n\n const spawnPromise = spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {\n ...spawnOpts,\n env,\n extra,\n })\n\n return { spawnPromise 
}\n}\n"],"names":["WIN32","env","__proto__","name","version","packagePurls","debugFn","error","nothrow","blocked","actions","hideAt","logger","process","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;AAUO;AAIL;;AACQA;AAAM;;AAGZ;AACF;AAEA;;AAGE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACPA;AAQA;AAEe;;AAMXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;;AAEA;AACA;AACA;;AAGA;;;;;;;;;AAYE;;AAGA;AACE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AAGE;AACA;AACA;;;AAGE;AAEA;;;;AAIE;;AAGF;AACE;;AAEA;AACEA;AACF;AACF;;;AAOEC;AAIF;;;AAGEA;;AAIsBC;AAAS;AACjC;AACF;AACF;AAEA;;AAEID;;AACsBD;AAAa;AACrC;;AAGE;AACEG;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEP;;AACsBC;AAAS;AACjC;AACA;AACF;AACF;;AAGED;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"ff5e070d-ede1-4e55-b8e9-dfa667ad45a0"}
1
+ {"version":3,"file":"shadow-yarn-bin.js","sources":["../src/shadow/yarn/link.mts","../src/shadow/yarn/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getYarnBinPath,\n isYarnBinPathShadowed,\n} from '../../utils/yarn-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n binName: 'yarn',\n): Promise<string> {\n const binPath = getYarnBinPath()\n const { WIN32 } = constants\n\n if (WIN32 && binPath) {\n return binPath\n }\n\n const shadowed = isYarnBinPathShadowed()\n\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(shadowBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n\n return binPath\n}\n","import { promises as fs } from 'node:fs'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants, { FLAG_DRY_RUN } from '../../constants.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowYarnOptions = SpawnOptions & {\n ipc?: IpcObject | undefined\n}\n\nexport type ShadowYarnResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n 'add',\n 'install',\n 'up',\n 'upgrade',\n 'upgrade-interactive',\n])\n\nconst DLX_COMMANDS = new Set(['dlx'])\n\nexport default async function 
shadowYarn(\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowYarnOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowYarnResult> {\n const {\n env: spawnEnv,\n ipc,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowYarnOptions\n const terminatorPos = args.indexOf('--')\n const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n // Check if this is a command that needs security scanning\n const command = rawYarnArgs[0]\n const needsScanning =\n command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command))\n\n // Get yarn path\n const realYarnPath = await installLinks(constants.shadowBinPath, 'yarn')\n\n const permArgs: string[] = []\n\n const prefixArgs: string[] = []\n const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs]\n\n if (needsScanning && !rawYarnArgs.includes(FLAG_DRY_RUN)) {\n const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n // Extract package names from command arguments before any downloads\n const packagePurls: string[] = []\n\n if (command === 'add' || command === 'dlx') {\n // For 'yarn add package1 package2@version' or 'yarn dlx package'\n const packageArgs = rawYarnArgs\n .slice(1)\n .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n for (const pkgSpec of packageArgs) {\n // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n let name: string\n let version: string | undefined\n\n if (pkgSpec.startsWith('@')) {\n // Scoped package: @scope/name or @scope/name@version\n const parts = pkgSpec.split('@')\n if (parts.length === 2) {\n // @scope/name (no version)\n name = pkgSpec\n } else {\n // @scope/name@version\n name = `@${parts[1]}`\n version = parts[2]\n }\n } else {\n // Regular package: name or name@version\n const atIndex = 
pkgSpec.indexOf('@')\n if (atIndex === -1) {\n name = pkgSpec\n } else {\n name = pkgSpec.slice(0, atIndex)\n version = pkgSpec.slice(atIndex + 1)\n }\n }\n\n if (name) {\n packagePurls.push(\n version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n )\n }\n }\n } else if (\n ['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)\n ) {\n // For install/upgrade, scan all dependencies from package.json\n // Note: This scans direct dependencies only. For full transitive dependency\n // scanning, yarn.lock parsing would be needed (not yet implemented)\n try {\n const packageJsonContent = await fs.readFile('package.json', 'utf8')\n const packageJson = JSON.parse(packageJsonContent)\n\n const allDeps = {\n ...packageJson.dependencies,\n ...packageJson.devDependencies,\n ...packageJson.optionalDependencies,\n ...packageJson.peerDependencies,\n }\n\n for (const [name, version] of Object.entries(allDeps)) {\n if (typeof version === 'string') {\n packagePurls.push(idToNpmPurl(`${name}@${version}`))\n } else {\n packagePurls.push(idToNpmPurl(name))\n }\n }\n\n if (isDebug()) {\n debugFn(\n 'notice',\n `scanning: ${packagePurls.length} direct dependencies from package.json`,\n )\n debugFn(\n 'notice',\n 'note: transitive dependencies not scanned (yarn.lock parsing not implemented)',\n )\n }\n } catch (e) {\n if (isDebug()) {\n debugFn(\n 'error',\n 'caught: package.json read error during dependency scanning',\n )\n debugDir('inspect', { error: e })\n }\n }\n }\n\n if (packagePurls.length > 0) {\n if (isDebug()) {\n debugFn('notice', 'scanning: packages before download')\n debugDir('inspect', { packagePurls })\n }\n\n try {\n const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 
'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `\nSocket yarn exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n } catch (e) {\n // Re-throw process.exit errors from tests.\n if (e instanceof Error && e.message === 'process.exit called') {\n throw e\n }\n if (isDebug()) {\n debugFn('error', 'caught: package scanning error')\n debugDir('inspect', { error: e })\n }\n // Continue with installation if scanning fails\n }\n }\n\n if (isDebug()) {\n debugFn('notice', 'complete: scanning, proceeding with install')\n debugDir('inspect', { args: rawYarnArgs.slice(1) })\n }\n }\n\n const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n const env = {\n ...process.env,\n ...spawnEnv,\n } as Record<string, string>\n\n if (isDebug()) {\n debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`)\n }\n\n const spawnPromise = spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {\n ...spawnOpts,\n env,\n extra,\n })\n\n return { spawnPromise 
}\n}\n"],"names":["WIN32","env","__proto__","name","version","packagePurls","debugFn","error","nothrow","blocked","actions","hideAt","logger","process","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;AAUO;AAIL;;AACQA;AAAM;;AAGZ;AACF;AAEA;;AAGE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACPA;AAQA;AAEe;;AAMXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;;AAEA;AACA;AACA;;AAGA;;;;;;;;;AAYE;;AAGA;AACE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AAGE;AACA;AACA;;;AAGE;AAEA;;;;AAIE;;AAGF;AACE;;AAEA;AACEA;AACF;AACF;;;AAOEC;AAIF;;;AAGEA;;AAIsBC;AAAS;AACjC;AACF;AACF;AAEA;;AAEID;;AACsBD;AAAa;AACrC;;AAGE;AACEG;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEP;;AACsBC;AAAS;AACjC;AACA;AACF;AACF;;AAGED;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"bc98a9a0-2f24-4096-92b6-cda4ca25f80c"}