@socketsecurity/cli-with-sentry 1.1.18 → 1.1.19

package/dist/shadow-npm-bin2.js

@@ -0,0 +1,125 @@
+'use strict';
+
+var constants = require('./constants.js');
+var agent = require('../external/@socketsecurity/registry/lib/agent');
+var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
+var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
+var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var path = require('node:path');
+var vendor = require('./vendor.js');
+var utils = require('./utils.js');
+
+async function installLinks(shadowBinPath, binName) {
+  const isNpx = binName === 'npx';
+  // Find package manager being shadowed by this process.
+  const binPath = isNpx ? utils.getNpxBinPath() : utils.getNpmBinPath();
+  const {
+    WIN32
+  } = constants.default;
+  // TODO: Is this early exit needed?
+  if (WIN32 && binPath) {
+    return binPath;
+  }
+  const shadowed = isNpx ? utils.isNpxBinPathShadowed() : utils.isNpmBinPathShadowed();
+  // Move our bin directory to front of PATH so its found first.
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, `${binName}-cli.js`), path.join(shadowBinPath, binName));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+
+/**
+ * Ensures stdio configuration includes IPC channel for process communication.
+ * Converts various stdio formats to include 'ipc' as the fourth element.
+ */
+function ensureIpcInStdio(stdio) {
+  if (typeof stdio === 'string') {
+    return [stdio, stdio, stdio, 'ipc'];
+  } else if (Array.isArray(stdio)) {
+    if (!stdio.includes('ipc')) {
+      return stdio.concat('ipc');
+    }
+    return stdio;
+  } else {
+    return ['pipe', 'pipe', 'pipe', 'ipc'];
+  }
+}
+
+async function shadowNpmBase(binName, args = process.argv.slice(2), options, extra) {
+  const {
+    env: spawnEnv,
+    ipc,
+    ...spawnOpts
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const cwd = require$$11.getOwn(spawnOpts, 'cwd') ?? process.cwd();
+  const isShadowNpm = binName === constants.NPM;
+  const terminatorPos = args.indexOf('--');
+  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const nodeOptionsArg = rawBinArgs.findLast(agent.isNpmNodeOptionsFlag);
+  const progressArg = rawBinArgs.findLast(agent.isNpmProgressFlag) !== '--no-progress';
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const permArgs = isShadowNpm && constants.default.SUPPORTS_NODE_PERMISSION_FLAG ? ['--permission', '--allow-child-process',
+  // '--allow-addons',
+  // '--allow-wasi',
+  // Allow all reads because npm walks up directories looking for config
+  // and package.json files.
+  '--allow-fs-read=*', `--allow-fs-write=${cwd}/*`, `--allow-fs-write=${constants.default.npmGlobalPrefix}/*`, `--allow-fs-write=${constants.default.npmCachePath}/*`] : [];
+  const useAudit = rawBinArgs.includes('--audit');
+  const useDebug = require$$9.isDebug('stdio');
+  const useNodeOptions = nodeOptionsArg || permArgs.length;
+  const binArgs = rawBinArgs.filter(a => !agent.isNpmAuditFlag(a) && !agent.isNpmProgressFlag(a));
+  const isSilent = !useDebug && !binArgs.some(agent.isNpmLoglevelFlag);
+  // The default value of loglevel is "notice". We default to "error" which is
+  // two levels quieter.
+  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : [];
+  const noAuditArgs = useAudit || !(await utils.findUp(constants.NODE_MODULES, {
+    cwd,
+    onlyDirectories: true
+  })) ? [] : ['--no-audit'];
+  const stdio = ensureIpcInStdio(require$$11.getOwn(spawnOpts, 'stdio'));
+  const realBinPath = await installLinks(constants.default.shadowBinPath, binName);
+  const spawnPromise = spawn.spawn(constants.default.execPath, [...constants.default.nodeNoWarningsFlags, ...constants.default.nodeDebugFlags, ...constants.default.nodeHardenFlags, ...constants.default.nodeMemoryFlags, ...(constants.default.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.default.instrumentWithSentryPath] : []), '--require', constants.default.shadowNpmInjectPath, realBinPath, ...noAuditArgs, ...(useNodeOptions ? [`--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${utils.cmdFlagsToString(permArgs)}'`] : []), '--no-fund',
+  // Add '--no-progress' to fix input being swallowed by the npm spinner.
+  '--no-progress',
+  // Add '--loglevel=error' if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...logLevelArgs, ...binArgs, ...otherArgs], {
+    ...spawnOpts,
+    env: {
+      ...process.env,
+      ...constants.default.processEnv,
+      ...spawnEnv
+    },
+    stdio
+  }, extra);
+  spawnPromise.process.send({
+    [constants.default.SOCKET_IPC_HANDSHAKE]: {
+      [constants.default.SOCKET_CLI_SHADOW_API_TOKEN]: utils.getPublicApiToken(),
+      [constants.default.SOCKET_CLI_SHADOW_BIN]: binName,
+      [constants.default.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,
+      ...ipc
+    }
+  });
+  return {
+    spawnPromise
+  };
+}
+
+async function shadowNpmBin(args = process.argv.slice(2), options, extra) {
+  return await shadowNpmBase(constants.NPM, args, options, extra);
+}
+
+exports.ensureIpcInStdio = ensureIpcInStdio;
+exports.shadowNpmBase = shadowNpmBase;
+exports.shadowNpmBin = shadowNpmBin;
+//# debugId=2c1bb1bc-32c9-4dd7-8742-11961fead20c
+//# sourceMappingURL=shadow-npm-bin2.js.map

package/dist/shadow-npm-bin2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-npm-bin2.js","sources":["../src/shadow/npm/link.mts","../src/shadow/stdio-ipc.mts","../src/shadow/npm-base.mts","../src/shadow/npm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed,\n} from '../../utils/npm-paths.mts'\n\nexport async function installLinks(\n  shadowBinPath: string,\n  binName: 'npm' | 'npx',\n): Promise<string> {\n  const isNpx = binName === 'npx'\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        path.join(constants.distPath, `${binName}-cli.js`),\n        path.join(shadowBinPath, binName),\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n  }\n  return binPath\n}\n","import type { StdioOptions } from 'node:child_process'\n\n/**\n * Ensures stdio configuration includes IPC channel for process communication.\n * Converts various stdio formats to include 'ipc' as the fourth element.\n */\nexport function ensureIpcInStdio(\n  stdio: StdioOptions | undefined,\n): StdioOptions {\n  if (typeof stdio === 'string') {\n    return [stdio, stdio, stdio, 'ipc']\n  } else if (Array.isArray(stdio)) {\n    if (!stdio.includes('ipc')) {\n      return stdio.concat('ipc')\n    }\n    return stdio\n  } else {\n    return ['pipe', 'pipe', 'pipe', 'ipc']\n  }\n}\n","import {\n  isNpmAuditFlag,\n  isNpmLoglevelFlag,\n  isNpmNodeOptionsFlag,\n  isNpmProgressFlag,\n} from '@socketsecurity/registry/lib/agent'\nimport { isDebug } from '@socketsecurity/registry/lib/debug'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './npm/link.mts'\nimport { ensureIpcInStdio } from './stdio-ipc.mts'\nimport constants, { NODE_MODULES, NPM, NPX } from '../constants.mts'\nimport { cmdFlagsToString } from '../utils/cmd.mts'\nimport { findUp } from '../utils/fs.mts'\nimport { getPublicApiToken } from '../utils/sdk.mts'\n\nimport type { IpcObject } from '../constants.mts'\nimport type {\n  SpawnExtra,\n  SpawnOptions,\n  SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowBinOptions = SpawnOptions & {\n  ipc?: IpcObject | undefined\n}\n\nexport type ShadowBinResult = {\n  spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nexport default async function shadowNpmBase(\n  binName: typeof NPM | typeof NPX,\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowBinOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n  const {\n    env: spawnEnv,\n    ipc,\n    ...spawnOpts\n  } = { __proto__: null, ...options } as ShadowBinOptions\n  const cwd = getOwn(spawnOpts, 'cwd') ?? process.cwd()\n  const isShadowNpm = binName === NPM\n  const terminatorPos = args.indexOf('--')\n  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const nodeOptionsArg = rawBinArgs.findLast(isNpmNodeOptionsFlag)\n  const progressArg = rawBinArgs.findLast(isNpmProgressFlag) !== '--no-progress'\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const permArgs =\n    isShadowNpm && constants.SUPPORTS_NODE_PERMISSION_FLAG\n      ? [\n          '--permission',\n          '--allow-child-process',\n          // '--allow-addons',\n          // '--allow-wasi',\n          // Allow all reads because npm walks up directories looking for config\n          // and package.json files.\n          '--allow-fs-read=*',\n          `--allow-fs-write=${cwd}/*`,\n          `--allow-fs-write=${constants.npmGlobalPrefix}/*`,\n          `--allow-fs-write=${constants.npmCachePath}/*`,\n        ]\n      : []\n\n  const useAudit = rawBinArgs.includes('--audit')\n  const useDebug = isDebug('stdio')\n  const useNodeOptions = nodeOptionsArg || permArgs.length\n  const binArgs = rawBinArgs.filter(\n    a => !isNpmAuditFlag(a) && !isNpmProgressFlag(a),\n  )\n  const isSilent = !useDebug && !binArgs.some(isNpmLoglevelFlag)\n  // The default value of loglevel is \"notice\". We default to \"error\" which is\n  // two levels quieter.\n  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n  const noAuditArgs =\n    useAudit || !(await findUp(NODE_MODULES, { cwd, onlyDirectories: true }))\n      ? []\n      : ['--no-audit']\n\n  const stdio = ensureIpcInStdio(getOwn(spawnOpts, 'stdio'))\n\n  const realBinPath = await installLinks(constants.shadowBinPath, binName)\n\n  const spawnPromise = spawn(\n    constants.execPath,\n    [\n      ...constants.nodeNoWarningsFlags,\n      ...constants.nodeDebugFlags,\n      ...constants.nodeHardenFlags,\n      ...constants.nodeMemoryFlags,\n      ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD\n        ? ['--require', constants.instrumentWithSentryPath]\n        : []),\n      '--require',\n      constants.shadowNpmInjectPath,\n      realBinPath,\n      ...noAuditArgs,\n      ...(useNodeOptions\n        ? [\n            `--node-options='${nodeOptionsArg ? nodeOptionsArg.slice(15) : ''}${cmdFlagsToString(permArgs)}'`,\n          ]\n        : []),\n      '--no-fund',\n      // Add '--no-progress' to fix input being swallowed by the npm spinner.\n      '--no-progress',\n      // Add '--loglevel=error' if a loglevel flag is not provided and the\n      // SOCKET_CLI_DEBUG environment variable is not truthy.\n      ...logLevelArgs,\n      ...binArgs,\n      ...otherArgs,\n    ],\n    {\n      ...spawnOpts,\n      env: {\n        ...process.env,\n        ...constants.processEnv,\n        ...spawnEnv,\n      },\n      stdio,\n    },\n    extra,\n  )\n\n  spawnPromise.process.send({\n    [constants.SOCKET_IPC_HANDSHAKE]: {\n      [constants.SOCKET_CLI_SHADOW_API_TOKEN]: getPublicApiToken(),\n      [constants.SOCKET_CLI_SHADOW_BIN]: binName,\n      [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,\n      ...ipc,\n    },\n  })\n\n  return { spawnPromise }\n}\n","import { NPM } from '../../constants.mts'\nimport shadowNpmBase from '../npm-base.mts'\n\nimport type { ShadowBinOptions, ShadowBinResult } from '../npm-base.mts'\nimport type { SpawnExtra } from '@socketsecurity/registry/lib/spawn'\n\nexport type { ShadowBinOptions, ShadowBinResult }\n\nexport default async function shadowNpmBin(\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowBinOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n  return await shadowNpmBase(NPM, args, options, extra)\n}\n"],"names":["WIN32","env","__proto__","onlyDirectories","stdio","spawnPromise"],"mappings":";;;;;;;;;;;AAYO;AAIL;AACA;;;AAEQA;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;ACnCA;AACA;AACA;AACA;AACO;AAGL;;;AAGE;AACE;AACF;AACA;AACF;;AAEA;AACF;;ACae;;AAOXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;AACA;AACA;;AAEA;;AAMQ;AACA;AACA;AACA;AACA;AAOR;AACA;AACA;AACA;;AAIA;AACA;;;;AAGkDC;AAAsB;;;AAQxE;AAoBI;;AAEA;AACA;;AAMA;AACAF;;;;;AAKAG;;AAKJC;;AAEI;AACA;AACA;;AAEF;AACF;;AAESA;;AACX;;AC/He;;AAMf;;;;","debugId":"2c1bb1bc-32c9-4dd7-8742-11961fead20c"}

package/dist/shadow-npx-bin.js

@@ -0,0 +1,12 @@
+'use strict';
+
+var constants = require('./constants.js');
+var shadowNpmBin = require('./shadow-npm-bin2.js');
+
+async function shadowNpxBin(args = process.argv.slice(2), options, extra) {
+  return await shadowNpmBin.shadowNpmBase(constants.NPX, args, options, extra);
+}
+
+module.exports = shadowNpxBin;
+//# debugId=78c6da12-4727-423f-9815-2c7486bbf7e5
+//# sourceMappingURL=shadow-npx-bin.js.map

package/dist/shadow-npx-bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-npx-bin.js","sources":["../src/shadow/npx/bin.mts"],"sourcesContent":["import { NPX } from '../../constants.mts'\nimport shadowNpmBase from '../npm-base.mts'\n\nimport type { ShadowBinOptions, ShadowBinResult } from '../npm-base.mts'\nimport type { SpawnExtra } from '@socketsecurity/registry/lib/spawn'\n\nexport type { ShadowBinOptions, ShadowBinResult }\n\nexport default async function shadowNpxBin(\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowBinOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowBinResult> {\n  return await shadowNpmBase(NPX, args, options, extra)\n}\n"],"names":[],"mappings":";;;;;AAQe;;AAMf;;","debugId":"78c6da12-4727-423f-9815-2c7486bbf7e5"}

package/dist/shadow-pnpm-bin.js

@@ -1,233 +1,8 @@
 'use strict';
+var shadowPnpmBin = require('./shadow-pnpm-bin2.js');
 
-var fs = require('node:fs');
-var path = require('node:path');
-var require$$0 = require('node:url');
-var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
-var logger = require('../external/@socketsecurity/registry/lib/logger');
-var spawn = require('../external/@socketsecurity/registry/lib/spawn');
-var vendor = require('./vendor.js');
-var constants = require('./constants.js');
-var utils = require('./utils.js');
 
-async function installLinks(shadowBinPath, _binName) {
-  // Find pnpm being shadowed by this process.
-  const binPath = utils.getPnpmBinPath();
-  const {
-    WIN32
-  } = constants.default;
 
-  // TODO: Is this early exit needed?
-  if (WIN32 && binPath) {
-    return binPath;
-  }
-  const shadowed = utils.isPnpmBinPathShadowed();
-
-  // Move our bin directory to front of PATH so its found first.
-  if (!shadowed) {
-    if (WIN32) {
-      await vendor.libExports(path.join(constants.default.distPath, 'pnpm-cli.js'), path.join(shadowBinPath, 'pnpm'));
-    }
-    const {
-      env
-    } = process;
-    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
-  }
-  return binPath;
-}
-
-const INSTALL_COMMANDS = new Set(['add', 'i', 'install', 'install-test', 'it', 'update', 'up']);
-async function shadowPnpm(args = process.argv.slice(2), options, extra) {
-  const opts = {
-    __proto__: null,
-    ...options
-  };
-  const {
-    env: spawnEnv,
-    ipc,
-    ...spawnOpts
-  } = opts;
-  let {
-    cwd = process.cwd()
-  } = opts;
-  if (cwd instanceof URL) {
-    cwd = require$$0.fileURLToPath(cwd);
-  }
-  const terminatorPos = args.indexOf('--');
-  const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
-  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-
-  // Check if this is an install-type command that needs security scanning
-  const command = rawPnpmArgs[0];
-  const needsScanning = command && INSTALL_COMMANDS.has(command);
-
-  // Get pnpm path
-  const realPnpmPath = await installLinks(constants.default.shadowBinPath);
-  const permArgs = ['--reporter=silent'];
-  const prefixArgs = [];
-  const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs];
-  if (needsScanning && !rawPnpmArgs.includes(constants.FLAG_DRY_RUN)) {
-    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS']);
-    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS']);
-
-    // Extract package names from command arguments before any downloads
-    const packagePurls = [];
-    if (command === 'add') {
-      // For 'pnpm add package1 package2@version', get packages from args
-      const packageArgs = rawPnpmArgs.slice(1).filter(arg => !arg.startsWith('-') && arg !== '--');
-      for (const pkgSpec of packageArgs) {
-        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'
-        let name;
-        let version;
-        if (pkgSpec.startsWith('@')) {
-          // Scoped package: @scope/name or @scope/name@version
-          const parts = pkgSpec.split('@');
-          if (parts.length === 2) {
-            // @scope/name (no version)
-            name = pkgSpec;
-          } else {
-            // @scope/name@version
-            name = `@${parts[1]}`;
-            version = parts[2];
-          }
-        } else {
-          // Regular package: name or name@version
-          const atIndex = pkgSpec.indexOf('@');
-          if (atIndex === -1) {
-            name = pkgSpec;
-          } else {
-            name = pkgSpec.slice(0, atIndex);
-            version = pkgSpec.slice(atIndex + 1);
-          }
-        }
-        if (name) {
-          packagePurls.push(version ? utils.idToNpmPurl(`${name}@${version}`) : utils.idToNpmPurl(name));
-        }
-      }
-    } else if (['install', 'i', 'update', 'up'].includes(command)) {
-      // For install/update, scan all dependencies from pnpm-lock.yaml
-      const pnpmLockPath = path.join(cwd, constants.PNPM_LOCK_YAML);
-      if (fs.existsSync(pnpmLockPath)) {
-        try {
-          const lockfileContent = await utils.readPnpmLockfile(pnpmLockPath);
-          if (lockfileContent) {
-            const lockfile = utils.parsePnpmLockfile(lockfileContent);
-            if (lockfile) {
-              // Use existing function to scan the entire lockfile
-              if (require$$9.isDebug()) {
-                require$$9.debugFn('notice', `scanning: all dependencies from ${constants.PNPM_LOCK_YAML}`);
-              }
-              const alertsMap = await utils.getAlertsMapFromPnpmLockfile(lockfile, {
-                nothrow: true,
-                filter: acceptRisks ? {
-                  actions: ['error'],
-                  blocked: true
-                } : {
-                  actions: ['error', 'monitor', 'warn']
-                }
-              });
-              if (alertsMap.size) {
-                process.exitCode = 1;
-                utils.logAlertsMap(alertsMap, {
-                  hideAt: viewAllRisks ? 'none' : 'middle',
-                  output: process.stderr
-                });
-                const errorMessage = `Socket pnpm exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
-                logger.logger.error(errorMessage);
-                // eslint-disable-next-line n/no-process-exit
-                process.exit(1);
-                // This line is never reached in production, but helps tests.
-                throw new Error('process.exit called');
-              }
-
-              // Return early since we've already done the scanning
-              if (require$$9.isDebug()) {
-                require$$9.debugFn('notice', 'complete: lockfile scanning, proceeding with install');
-              }
-            }
-          }
-        } catch (e) {
-          if (require$$9.isDebug()) {
-            require$$9.debugFn('error', 'caught: pnpm lockfile scanning error');
-            require$$9.debugDir('inspect', {
-              error: e
-            });
-          }
-        }
-      } else if (require$$9.isDebug()) {
-        require$$9.debugFn('notice', 'skip: no pnpm-lock.yaml found, skipping bulk install scanning');
-      }
-    }
-    if (packagePurls.length > 0) {
-      if (require$$9.isDebug()) {
-        require$$9.debugFn('notice', 'scanning: packages before download');
-        require$$9.debugDir('inspect', {
-          packagePurls
-        });
-      }
-      try {
-        const alertsMap = await utils.getAlertsMapFromPurls(packagePurls, {
-          nothrow: true,
-          filter: acceptRisks ? {
-            actions: ['error'],
-            blocked: true
-          } : {
-            actions: ['error', 'monitor', 'warn']
-          }
-        });
-        if (alertsMap.size) {
-          process.exitCode = 1;
-          utils.logAlertsMap(alertsMap, {
-            hideAt: viewAllRisks ? 'none' : 'middle',
-            output: process.stderr
-          });
-          const errorMessage = `
-Socket pnpm exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
-          logger.logger.error(errorMessage);
-          // eslint-disable-next-line n/no-process-exit
-          process.exit(1);
-          // This line is never reached in production, but helps tests.
-          throw new Error('process.exit called');
-        }
-      } catch (e) {
-        // Re-throw process.exit errors from tests.
-        if (e instanceof Error && e.message === 'process.exit called') {
-          throw e;
-        }
-        if (require$$9.isDebug()) {
-          require$$9.debugFn('error', 'caught: package scanning error');
-          require$$9.debugDir('inspect', {
-            error: e
-          });
-        }
-        // Continue with installation if scanning fails
-      }
-    }
-    if (require$$9.isDebug()) {
-      require$$9.debugFn('notice', 'complete: scanning, proceeding with install');
-      require$$9.debugDir('inspect', {
-        args: rawPnpmArgs.slice(1)
-      });
-    }
-  }
-  const argsToString = utils.cmdFlagsToString([...prefixArgs, ...suffixArgs]);
-  const env = {
-    ...process.env,
-    ...spawnEnv
-  };
-  if (require$$9.isDebug()) {
-    require$$9.debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`);
-  }
-  const spawnPromise = spawn.spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {
-    ...spawnOpts,
-    env,
-    extra
-  });
-  return {
-    spawnPromise
-  };
-}
-
-module.exports = shadowPnpm;
-//# debugId=f69cd503-77eb-4641-a4ae-622c377f99cb
+module.exports = shadowPnpmBin.shadowPnpmBin;
+//# debugId=26f08621-821f-4156-93c1-18cf372d6d32
 //# sourceMappingURL=shadow-pnpm-bin.js.map

package/dist/shadow-pnpm-bin.js.map

@@ -1 +1 @@
-{"version":3,"file":"shadow-pnpm-bin.js","sources":["../src/shadow/pnpm/link.mts","../src/shadow/pnpm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n  getPnpmBinPath,\n  isPnpmBinPathShadowed,\n} from '../../utils/pnpm-paths.mts'\n\nexport async function installLinks(\n  shadowBinPath: string,\n  _binName: 'pnpm',\n): Promise<string> {\n  // Find pnpm being shadowed by this process.\n  const binPath = getPnpmBinPath()\n  const { WIN32 } = constants\n\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n\n  const shadowed = isPnpmBinPathShadowed()\n\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        path.join(constants.distPath, 'pnpm-cli.js'),\n        path.join(shadowBinPath, 'pnpm'),\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n  }\n\n  return binPath\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants, { FLAG_DRY_RUN, PNPM_LOCK_YAML } from '../../constants.mts'\nimport {\n  getAlertsMapFromPnpmLockfile,\n  getAlertsMapFromPurls,\n} from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { parsePnpmLockfile, readPnpmLockfile } from '../../utils/pnpm.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n  SpawnExtra,\n  SpawnOptions,\n  SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowPnpmOptions = SpawnOptions & {\n  ipc?: IpcObject | undefined\n}\n\nexport type ShadowPnpmResult = {\n  spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n  'add',\n  'i',\n  'install',\n  'install-test',\n  'it',\n  'update',\n  'up',\n])\n\nexport default async function shadowPnpm(\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowPnpmOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowPnpmResult> {\n  const opts = { __proto__: null, ...options } as ShadowPnpmOptions\n  const { env: spawnEnv, ipc, ...spawnOpts } = opts\n\n  let { cwd = process.cwd() } = opts\n  if (cwd instanceof URL) {\n    cwd = fileURLToPath(cwd)\n  }\n\n  const terminatorPos = args.indexOf('--')\n  const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n  // Check if this is an install-type command that needs security scanning\n  const command = rawPnpmArgs[0]\n  const needsScanning = command && INSTALL_COMMANDS.has(command)\n\n  // Get pnpm path\n  const realPnpmPath = await installLinks(constants.shadowBinPath, 'pnpm')\n\n  const permArgs = ['--reporter=silent']\n\n  const prefixArgs: string[] = []\n  const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs]\n\n  if (needsScanning && !rawPnpmArgs.includes(FLAG_DRY_RUN)) {\n    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n    // Extract package names from command arguments before any downloads\n    const packagePurls: string[] = []\n\n    if (command === 'add') {\n      // For 'pnpm add package1 package2@version', get packages from args\n      const packageArgs = rawPnpmArgs\n        .slice(1)\n        .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n      for (const pkgSpec of packageArgs) {\n        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n        let name: string\n        let version: string | undefined\n\n        if (pkgSpec.startsWith('@')) {\n          // Scoped package: @scope/name or @scope/name@version\n          const parts = pkgSpec.split('@')\n          if (parts.length === 2) {\n            // @scope/name (no version)\n            name = pkgSpec\n          } else {\n            // @scope/name@version\n            name = `@${parts[1]}`\n            version = parts[2]\n          }\n        } else {\n          // Regular package: name or name@version\n          const atIndex = pkgSpec.indexOf('@')\n          if (atIndex === -1) {\n            name = pkgSpec\n          } else {\n            name = pkgSpec.slice(0, atIndex)\n            version = pkgSpec.slice(atIndex + 1)\n          }\n        }\n\n        if (name) {\n          packagePurls.push(\n            version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n          )\n        }\n      }\n    } else if (['install', 'i', 'update', 'up'].includes(command)) {\n      // For install/update, scan all dependencies from pnpm-lock.yaml\n      const pnpmLockPath = path.join(cwd, PNPM_LOCK_YAML)\n      if (existsSync(pnpmLockPath)) {\n        try {\n          const lockfileContent = await readPnpmLockfile(pnpmLockPath)\n          if (lockfileContent) {\n            const lockfile = parsePnpmLockfile(lockfileContent)\n            if (lockfile) {\n              // Use existing function to scan the entire lockfile\n              if (isDebug()) {\n                debugFn(\n                  'notice',\n                  `scanning: all dependencies from ${PNPM_LOCK_YAML}`,\n                )\n              }\n\n              const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {\n                nothrow: true,\n                filter: acceptRisks\n                  ? { actions: ['error'], blocked: true }\n                  : { actions: ['error', 'monitor', 'warn'] },\n              })\n\n              if (alertsMap.size) {\n                process.exitCode = 1\n                logAlertsMap(alertsMap, {\n                  hideAt: viewAllRisks ? 'none' : 'middle',\n                  output: process.stderr,\n                })\n\n                const errorMessage = `Socket pnpm exiting due to risks.${\n                  viewAllRisks\n                    ? ''\n                    : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n                }${\n                  acceptRisks\n                    ? ''\n                    : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n                }`.trim()\n\n                logger.error(errorMessage)\n                // eslint-disable-next-line n/no-process-exit\n                process.exit(1)\n                // This line is never reached in production, but helps tests.\n                throw new Error('process.exit called')\n              }\n\n              // Return early since we've already done the scanning\n              if (isDebug()) {\n                debugFn(\n                  'notice',\n                  'complete: lockfile scanning, proceeding with install',\n                )\n              }\n            }\n          }\n        } catch (e) {\n          if (isDebug()) {\n            debugFn('error', 'caught: pnpm lockfile scanning error')\n            debugDir('inspect', { error: e })\n          }\n        }\n      } else if (isDebug()) {\n        debugFn(\n          'notice',\n          'skip: no pnpm-lock.yaml found, skipping bulk install scanning',\n        )\n      }\n    }\n\n    if (packagePurls.length > 0) {\n      if (isDebug()) {\n        debugFn('notice', 'scanning: packages before download')\n        debugDir('inspect', { packagePurls })\n      }\n\n      try {\n        const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n          nothrow: true,\n          filter: acceptRisks\n            ? { actions: ['error'], blocked: true }\n            : { actions: ['error', 'monitor', 'warn'] },\n        })\n\n        if (alertsMap.size) {\n          process.exitCode = 1\n          logAlertsMap(alertsMap, {\n            hideAt: viewAllRisks ? 'none' : 'middle',\n            output: process.stderr,\n          })\n\n          const errorMessage = `\nSocket pnpm exiting due to risks.${\n            viewAllRisks\n              ? ''\n              : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n          }${\n            acceptRisks\n              ? ''\n              : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n          }`.trim()\n\n          logger.error(errorMessage)\n          // eslint-disable-next-line n/no-process-exit\n          process.exit(1)\n          // This line is never reached in production, but helps tests.\n          throw new Error('process.exit called')\n        }\n      } catch (e) {\n        // Re-throw process.exit errors from tests.\n        if (e instanceof Error && e.message === 'process.exit called') {\n          throw e\n        }\n        if (isDebug()) {\n          debugFn('error', 'caught: package scanning error')\n          debugDir('inspect', { error: e })\n        }\n        // Continue with installation if scanning fails\n      }\n    }\n\n    if (isDebug()) {\n      debugFn('notice', 'complete: scanning, proceeding with install')\n      debugDir('inspect', { args: rawPnpmArgs.slice(1) })\n    }\n  }\n\n  const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n  const env = {\n    ...process.env,\n    ...spawnEnv,\n  } as Record<string, string>\n\n  if (isDebug()) {\n    debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`)\n  }\n\n  const spawnPromise = spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {\n    ...spawnOpts,\n    env,\n    extra,\n  })\n\n  return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","cwd","name","version","packagePurls","debugFn","nothrow","blocked","actions","hideAt","logger","process","error","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;;AAUO;AAIL;AACA;;AACQA;AAAM;;AAEd;;AAEE;AACF;AAEA;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACJA;AAUe;AAKb;AAAeC;;;;AACPD;;;AAAiC;;AAEnCE;AAAoB;;AAExBA;AACF;AAEA;AACA;AACA;;AAEA;AACA;;;AAGA;;AAGA;;;;;;;AASE;;;AAIE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AACE;;AAEA;;AAEI;AACA;AACE;AACA;AACE;;AAEEC;AAIF;AAEA;AACEC;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;;AAYAC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEEN;AAIF;AACF;AACF;;;AAGEA;;AACsBO;AAAS;AACjC;AACF;AACF;AACEP;AAIF;AACF;AAEA;;AAEIA;;AACsBD;AAAa;AACrC;;AAGE;AACEE;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEN;;AACsBO;AAAS;AACjC;AACA;AACF;AACF;;AAGEP;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"f69cd503-77eb-4641-a4ae-622c377f99cb"}
+{"version":3,"file":"shadow-pnpm-bin.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;","debugId":"26f08621-821f-4156-93c1-18cf372d6d32"}