@socketsecurity/cli-with-sentry 1.1.14 → 1.1.17

package/dist/utils.js

@@ -22,7 +22,8 @@ var shadowNpmBin = require('./shadow-npm-bin.js');
 var fs$1 = require('node:fs');
 var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var promises = require('node:timers/promises');
-var npm = require('../external/@socketsecurity/registry/lib/npm');
+var agent = require('../external/@socketsecurity/registry/lib/agent');
+var bin = require('../external/@socketsecurity/registry/lib/bin');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var globs = require('../external/@socketsecurity/registry/lib/globs');
 var streams = require('../external/@socketsecurity/registry/lib/streams');
@@ -2082,7 +2083,7 @@ async function gitLocalBranchExists(branch, cwd = process.cwd()) {
   require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
   try {
     // Will throw with exit code 1 if the branch does not exist.
-    await spawn.spawn('git', ['show-ref', '--quiet', `refs/heads/${branch}`], stdioIgnoreOptions);
+    await spawn.spawn('git', ['show-ref', constants.FLAG_QUIET, `refs/heads/${branch}`], stdioIgnoreOptions);
     return true;
   } catch (e) {
     if (require$$9.isDebug('stdio')) {
@@ -2523,10 +2524,13 @@ function pathsToGlobPatterns(paths) {
 }
 
 function findBinPathDetailsSync(binName) {
-  const binPaths = vendor.libExports$1.sync(binName, {
+  const rawBinPaths = bin.whichBinSync(binName, {
     all: true,
     nothrow: true
   }) ?? [];
+  // whichBinSync may return a string when only one result is found, even with all: true.
+  // This handles both the current published version and future versions.
+  const binPaths = Array.isArray(rawBinPaths) ? rawBinPaths : typeof rawBinPaths === 'string' ? [rawBinPaths] : [];
   const {
     shadowBinPath
   } = constants.default;
@@ -2540,7 +2544,7 @@ function findBinPathDetailsSync(binName) {
     if (path.dirname(binPath) === shadowBinPath) {
       shadowIndex = i;
     } else {
-      theBinPath = npm.resolveBinPathSync(binPath);
+      theBinPath = bin.resolveBinPathSync(binPath);
       break;
     }
   }
@@ -2745,7 +2749,7 @@ function isNpxBinPathShadowed() {
   return getNpxBinPathDetails().shadowed;
 }
 
-const helpFlags = new Set(['--help', '-h']);
+const helpFlags = new Set([constants.FLAG_HELP, '-h']);
 
 /**
  * Convert command arguments to a properly formatted string representation.
@@ -2759,7 +2763,7 @@ function cmdFlagsToString(args) {
     if (arg.startsWith('--')) {
       const nextArg = i + 1 < length ? args[i + 1].trim() : undefined;
       // Check if the next item exists and is NOT another flag.
-      if (nextArg?.startsWith('--')) {
+      if (nextArg && !nextArg.startsWith('--')) {
         result.push(`${arg}=${nextArg}`);
         i += 1;
       } else {
@@ -2939,7 +2943,7 @@ async function spawnDlx(packageSpec, args, options, spawnExtra) {
       spawnArgs.push('--ignore-scripts');
     }
     if (silent) {
-      spawnArgs.push('--silent');
+      spawnArgs.push(constants.FLAG_SILENT);
     }
     spawnArgs.push(packageString, ...args);
     const shadowPnpmBin = /*@__PURE__*/require$2(constants.default.shadowPnpmBinPath);
@@ -2949,7 +2953,7 @@ async function spawnDlx(packageSpec, args, options, spawnExtra) {
     spawnArgs = ['dlx'];
     // Yarn dlx runs in a temporary environment by design and should always fetch fresh.
     if (silent) {
-      spawnArgs.push('--quiet');
+      spawnArgs.push(constants.FLAG_QUIET);
     }
     spawnArgs.push(packageString, ...args);
     const shadowYarnBin = /*@__PURE__*/require$2(constants.default.shadowYarnBinPath);
@@ -2964,7 +2968,7 @@ async function spawnDlx(packageSpec, args, options, spawnExtra) {
       spawnArgs.push('--force');
     }
     if (silent) {
-      spawnArgs.push('--silent');
+      spawnArgs.push(constants.FLAG_SILENT);
     }
     spawnArgs.push(packageString, ...args);
     return await shadowNpmBin(binName, spawnArgs, finalShadowOptions, spawnExtra);
@@ -3609,10 +3613,10 @@ function shadowNpmInstall(options) {
   const useDebug = require$$9.isDebug('stdio');
   const terminatorPos = args.indexOf('--');
   const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
-  const binArgs = rawBinArgs.filter(a => !npm.isNpmAuditFlag(a) && !npm.isNpmFundFlag(a) && !npm.isNpmProgressFlag(a));
+  const binArgs = rawBinArgs.filter(a => !agent.isNpmAuditFlag(a) && !agent.isNpmFundFlag(a) && !agent.isNpmProgressFlag(a));
   const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-  const progressArg = rawBinArgs.findLast(npm.isNpmProgressFlag) !== '--no-progress';
-  const isSilent = !useDebug && !binArgs.some(npm.isNpmLoglevelFlag);
+  const progressArg = rawBinArgs.findLast(agent.isNpmProgressFlag) !== '--no-progress';
+  const isSilent = !useDebug && !binArgs.some(agent.isNpmLoglevelFlag);
   const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : [];
   const useIpc = require$$11.isObject(ipc);
 
@@ -3629,7 +3633,7 @@ function shadowNpmInstall(options) {
   } else {
     stdio = useIpc ? ['pipe', 'pipe', 'pipe', 'ipc'] : 'pipe';
   }
-  const spawnPromise = spawn.spawn(constants.default.execPath, [...constants.default.nodeNoWarningsFlags, ...constants.default.nodeDebugFlags, ...constants.default.nodeHardenFlags, ...constants.default.nodeMemoryFlags, ...(constants.default.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.default.instrumentWithSentryPath] : []), '--require', constants.default.shadowNpmInjectPath, npm.resolveBinPathSync(agentExecPath), 'install',
+  const spawnPromise = spawn.spawn(constants.default.execPath, [...constants.default.nodeNoWarningsFlags, ...constants.default.nodeDebugFlags, ...constants.default.nodeHardenFlags, ...constants.default.nodeMemoryFlags, ...(constants.default.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.default.instrumentWithSentryPath] : []), '--require', constants.default.shadowNpmInjectPath, agent.resolveBinPathSync(agentExecPath), 'install',
   // Avoid code paths for 'audit' and 'fund'.
   '--no-audit', '--no-fund',
   // Add '--no-progress' to fix input being swallowed by the npm spinner.
@@ -3661,7 +3665,8 @@ function shadowNpmInstall(options) {
 function runAgentInstall(pkgEnvDetails, options) {
   const {
     agent,
-    agentExecPath
+    agentExecPath,
+    pkgPath
   } = pkgEnvDetails;
   const isNpm = agent === constants.NPM;
   const isPnpm = agent === constants.PNPM;
@@ -3669,6 +3674,7 @@ function runAgentInstall(pkgEnvDetails, options) {
   if (isNpm) {
     return shadowNpmInstall({
       agentExecPath,
+      cwd: pkgPath,
       ...options
     });
   }
@@ -3681,7 +3687,12 @@ function runAgentInstall(pkgEnvDetails, options) {
     ...options
   };
   const skipNodeHardenFlags = isPnpm && pkgEnvDetails.agentVersion.major < 11;
-  return spawn.spawn(agentExecPath, ['install', ...args], {
+  // In CI mode, pnpm uses --frozen-lockfile by default, which prevents lockfile updates.
+  // We need to explicitly disable it when updating the lockfile with overrides.
+  const isCi = constants.default.ENV['CI'];
+  const installArgs = isPnpm && isCi ? ['install', '--no-frozen-lockfile', ...args] : ['install', ...args];
+  return spawn.spawn(agentExecPath, installArgs, {
+    cwd: pkgPath,
     shell: constants.default.WIN32,
     spinner,
     stdio: 'inherit',
@@ -3697,15 +3708,19 @@ function runAgentInstall(pkgEnvDetails, options) {
 
 const {
   BUN,
+  BUN_LOCK,
+  BUN_LOCKB,
+  DOT_PACKAGE_LOCK_JSON,
   EXT_LOCK,
   EXT_LOCKB,
-  HIDDEN_PACKAGE_LOCK_JSON,
   NODE_MODULES,
   NPM,
   NPM_BUGGY_OVERRIDES_PATCHED_VERSION,
+  NPM_SHRINKWRAP_JSON,
   PACKAGE_JSON,
   PNPM,
   VLT,
+  VLT_LOCK_JSON,
   YARN,
   YARN_BERRY,
   YARN_CLASSIC
@@ -3749,36 +3764,62 @@ const readLockFileByAgent = (() => {
 
 // The order of LOCKS properties IS significant as it affects iteration order.
 const LOCKS = {
-  [`bun${EXT_LOCK}`]: BUN,
-  [`bun${EXT_LOCKB}`]: BUN,
+  [BUN_LOCK]: BUN,
+  [BUN_LOCKB]: BUN,
   // If both package-lock.json and npm-shrinkwrap.json are present in the root
   // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
   // will be ignored.
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
-  'npm-shrinkwrap.json': NPM,
+  [NPM_SHRINKWRAP_JSON]: NPM,
   [constants.PACKAGE_LOCK_JSON]: NPM,
   [constants.PNPM_LOCK_YAML]: PNPM,
   [constants.YARN_LOCK]: YARN_CLASSIC,
-  'vlt-lock.json': VLT,
+  [VLT_LOCK_JSON]: VLT,
   // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
   //
   // Unlike the other LOCKS keys this key contains a directory AND filename so
   // it has to be handled differently.
-  [`${NODE_MODULES}/.package-lock.json`]: NPM
+  [`${NODE_MODULES}/${DOT_PACKAGE_LOCK_JSON}`]: NPM
 };
 async function getAgentExecPath(agent) {
   const binName = binByAgent.get(agent);
   if (binName === NPM) {
-    return constants.default.npmExecPath;
-  }
-  return (await vendor.libExports$1(binName, {
+    // Try to use constants.npmExecPath first, but verify it exists.
+    const npmPath = constants.default.npmExecPath;
+    if (fs$1.existsSync(npmPath)) {
+      return npmPath;
+    }
+    // If npmExecPath doesn't exist, try common locations.
+    // Check npm in the same directory as node.
+    const nodeDir = path.dirname(process.execPath);
+    const npmInNodeDir = path.join(nodeDir, NPM);
+    if (fs$1.existsSync(npmInNodeDir)) {
+      return npmInNodeDir;
+    }
+    // Fall back to whichBin.
+    return (await bin.whichBin(binName, {
+      nothrow: true
+    })) ?? binName;
+  }
+  if (binName === PNPM) {
+    // Try to use constants.pnpmExecPath first, but verify it exists.
+    const pnpmPath = constants.default.pnpmExecPath;
+    if (fs$1.existsSync(pnpmPath)) {
+      return pnpmPath;
+    }
+    // Fall back to whichBin.
+    return (await bin.whichBin(binName, {
+      nothrow: true
+    })) ?? binName;
+  }
+  return (await bin.whichBin(binName, {
     nothrow: true
   })) ?? binName;
 }
 async function getAgentVersion(agent, agentExecPath, cwd) {
   let result;
-  const quotedCmd = `\`${agent} --version\``;
+  const quotedCmd = `\`${agent} ${constants.FLAG_VERSION}\``;
   require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
   try {
     result =
@@ -3787,7 +3828,7 @@ async function getAgentVersion(agent, agentExecPath, cwd) {
     // and tildes (~).
     vendor.semverExports.coerce(
     // All package managers support the "--version" flag.
-    (await spawn.spawn(agentExecPath, ['--version'], {
+    (await spawn.spawn(agentExecPath, [constants.FLAG_VERSION], {
       cwd,
       shell: constants.default.WIN32
     })).stdout) ?? undefined;
@@ -3807,7 +3848,7 @@ async function detectPackageEnvironment({
     cwd
   });
   let lockName = lockPath ? path.basename(lockPath) : undefined;
-  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON;
+  const isHiddenLockFile = lockName === DOT_PACKAGE_LOCK_JSON;
   const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`) : await findUp(PACKAGE_JSON, {
     cwd
   });
@@ -3946,7 +3987,7 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
   const details = await detectPackageEnvironment({
     cwd,
     onUnknown(pkgManager) {
-      logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`));
+      logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to ${NPM}`));
     }
   });
   const {
@@ -4754,5 +4795,5 @@ exports.toFilterConfig = toFilterConfig;
 exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=fce77ca7-be25-4c37-b4fb-40d1e77af26c
+//# debugId=4f982f8d-ea52-46a2-a41c-84d9eac292ab
 //# sourceMappingURL=utils.js.map