npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.1.8 → 1.1.12 - Mend

@socketsecurity/cli-with-sentry 1.1.8 → 1.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (274) hide show

package/dist/npx-cli.js ADDED Viewed

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+'use strict';
+var shadowNpmBin = require('./shadow-npm-bin.js');
+void (async () => {
+  process.exitCode = 1;
+  const {
+    spawnPromise
+  } = await shadowNpmBin('npx', process.argv.slice(2), {
+    stdio: 'inherit'
+  });
+  // See https://nodejs.org/api/child_process.html#event-exit.
+  spawnPromise.process.on('exit', (code, signalName) => {
+    if (signalName) {
+      process.kill(process.pid, signalName);
+    } else if (typeof code === 'number') {
+      // eslint-disable-next-line n/no-process-exit
+      process.exit(code);
+    }
+  });
+  await spawnPromise;
+})();
+//# debugId=916eab81-da92-4adf-96e6-6c584ea1a61b
+//# sourceMappingURL=npx-cli.js.map

package/dist/npx-cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"npx-cli.js","sources":["../src/npx-cli.mts"],"sourcesContent":["#!/usr/bin/env node\n\nimport shadowNpmBin from './shadow/npm/bin.mts'\n\nvoid (async () => {\n process.exitCode = 1\n\n const { spawnPromise } = await shadowNpmBin('npx', process.argv.slice(2), {\n stdio: 'inherit',\n })\n\n // See https://nodejs.org/api/child_process.html#event-exit.\n spawnPromise.process.on('exit', (code, signalName) => {\n if (signalName) {\n process.kill(process.pid, signalName)\n } else if (typeof code === 'number') {\n // eslint-disable-next-line n/no-process-exit\n process.exit(code)\n }\n })\n\n await spawnPromise\n})()\n"],"names":["spawnPromise","stdio","process"],"mappings":";;;;;AAIA;;;AAGUA;AAAa;AACnBC;AACF;;AAEA;;AAEE;;AAEA;AACE;AACAC;AACF;AACF;AAEA;AACF","debugId":"916eab81-da92-4adf-96e6-6c584ea1a61b"}

package/dist/pnpm-cli.js ADDED Viewed

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+'use strict';
+var shadowPnpmBin = require('./shadow-pnpm-bin.js');
+void (async () => {
+  process.exitCode = 1;
+  const {
+    spawnPromise
+  } = await shadowPnpmBin(process.argv.slice(2), {
+    stdio: 'inherit'
+  });
+  // See https://nodejs.org/api/child_process.html#event-exit.
+  spawnPromise.process.on('exit', (code, signalName) => {
+    if (signalName) {
+      process.kill(process.pid, signalName);
+    } else if (typeof code === 'number') {
+      // eslint-disable-next-line n/no-process-exit
+      process.exit(code);
+    }
+  });
+  await spawnPromise;
+})();
+//# debugId=e61d61bd-2fda-42bf-9deb-0b9d3e70f243
+//# sourceMappingURL=pnpm-cli.js.map

package/dist/pnpm-cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pnpm-cli.js","sources":["../src/pnpm-cli.mts"],"sourcesContent":["#!/usr/bin/env node\n\nimport shadowPnpmBin from './shadow/pnpm/bin.mts'\n\nvoid (async () => {\n process.exitCode = 1\n\n const { spawnPromise } = await shadowPnpmBin(process.argv.slice(2), {\n stdio: 'inherit',\n })\n\n // See https://nodejs.org/api/child_process.html#event-exit.\n spawnPromise.process.on('exit', (code, signalName) => {\n if (signalName) {\n process.kill(process.pid, signalName)\n } else if (typeof code === 'number') {\n // eslint-disable-next-line n/no-process-exit\n process.exit(code)\n }\n })\n\n await spawnPromise\n})()\n"],"names":["spawnPromise","stdio","process"],"mappings":";;;;;AAIA;;;AAGUA;AAAa;AACnBC;AACF;;AAEA;;AAEE;;AAEA;AACE;AACAC;AACF;AACF;AAEA;AACF","debugId":"e61d61bd-2fda-42bf-9deb-0b9d3e70f243"}

package/dist/shadow-npm-inject.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict';
-var Module = require('node:module');
+var require$$5 = require('node:module');
 var vendor = require('./vendor.js');
 var path = require('node:path');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
@@ -9,6 +9,7 @@ var utils = require('./utils.js');
 var logger = require('../external/@socketsecurity/registry/lib/logger');
 var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
 var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
+var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 let _arboristPkgPath;
@@ -57,13 +58,10 @@ const DiffAction = utils.createEnum({
 });
 function getUrlOrigin(input) {
-  try {
-    // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.
-    // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base
-    // return URL.parse(input)?.origin ?? ''
-    return new URL(input).origin ?? '';
-  } catch {}
-  return '';
+  // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.
+  // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base
+  // return URL.parse(input)?.origin ?? ''
+  return require$$13.parseUrl(input)?.origin ?? '';
 }
 async function getAlertsMapFromArborist(arb, needInfoOn, options) {
   const opts = {
@@ -108,7 +106,7 @@ function getDetailsFromDiff(diff, options) {
   } = queue;
   while (pos < queueLength) {
     if (pos === constants.default.LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop while walking Arborist diff');
+      throw new Error('Detected infinite loop while walking Arborist diff.');
     }
     const currDiff = queue[pos++];
     const {
@@ -282,7 +280,7 @@ class SafeArborist extends Arborist {
   }
 }
-const require$1 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('shadow-npm-inject.js', document.baseURI).href)));
 const Edge = vendor.edgeExports;
 const Node = vendor.nodeExports;
 const OverrideSet = vendor.overrideSetExports;
@@ -305,5 +303,5 @@ function installSafeArborist() {
 }
 installSafeArborist();
-//# debugId=b33002f6-cafc-4095-a7ed-0703c935057c
+//# debugId=fa30e366-2602-48d0-939f-fcec4c526adc
 //# sourceMappingURL=shadow-npm-inject.js.map

package/dist/shadow-npm-inject.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"shadow-npm-inject.js","sources":["../src/shadow/npm/paths.mts","../src/shadow/npm/arborist/types.mts","../src/shadow/npm/arborist-helpers.mts","../src/shadow/npm/arborist/lib/arborist/index.mts","../src/shadow/npm/arborist/index.mts","../src/shadow/npm/inject.mts"],"sourcesContent":["import path from 'node:path'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../../constants.mts'\nimport { getNpmRequire } from '../../utils/npm-paths.mts'\n\nlet _arboristPkgPath: string \| undefined\nexport function getArboristPackagePath() {\n if (_arboristPkgPath === undefined) {\n const pkgName = '@npmcli/arborist'\n const mainPathWithForwardSlashes = normalizePath(\n getNpmRequire().resolve(pkgName),\n )\n const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n 0,\n mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length,\n )\n _arboristPkgPath = constants.WIN32\n ? path.normalize(arboristPkgPathWithForwardSlashes)\n : arboristPkgPathWithForwardSlashes\n }\n return _arboristPkgPath\n}\n\nlet _arboristClassPath: string \| undefined\nexport function getArboristClassPath() {\n if (_arboristClassPath === undefined) {\n _arboristClassPath = path.join(\n getArboristPackagePath(),\n 'lib/arborist/index.js',\n )\n }\n return _arboristClassPath\n}\n\nlet _arboristEdgeClassPath: string \| undefined\nexport function getArboristEdgeClassPath() {\n if (_arboristEdgeClassPath === undefined) {\n _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n }\n return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string \| undefined\nexport function getArboristNodeClassPath() {\n if (_arboristNodeClassPath === undefined) {\n _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n }\n return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string \| undefined\nexport function getArboristOverrideSetClassPath() {\n if (_arboristOverrideSetClassPath === undefined) {\n _arboristOverrideSetClassPath = path.join(\n getArboristPackagePath(),\n 'lib/override-set.js',\n )\n }\n return _arboristOverrideSetClassPath\n}\n","import { createEnum } from '../../../utils/objects.mts'\n\nimport type {\n Advisory as BaseAdvisory,\n Arborist as BaseArborist,\n Options as BaseArboristOptions,\n AuditReport as BaseAuditReport,\n Diff as BaseDiff,\n Edge as BaseEdge,\n Node as BaseNode,\n BaseOverrideSet,\n BuildIdealTreeOptions,\n ReifyOptions,\n} from '@npmcli/arborist'\n\nexport type ArboristOptions = BaseArboristOptions & {\n npmCommand?: string\n npmVersion?: string\n}\n\nexport type ArboristClass = ArboristInstance & {\n new (...args: any): ArboristInstance\n}\n\nexport type ArboristInstance = Omit<\n typeof BaseArborist,\n \| 'actualTree'\n \| 'auditReport'\n \| 'buildIdealTree'\n \| 'diff'\n \| 'idealTree'\n \| 'loadActual'\n \| 'loadVirtual'\n \| 'reify'\n> & {\n auditReport?: AuditReportInstance \| null \| undefined\n actualTree?: NodeClass \| null \| undefined\n diff: Diff \| null\n idealTree?: NodeClass \| null \| undefined\n buildIdealTree(options?: BuildIdealTreeOptions): Promise<NodeClass>\n loadActual(options?: ArboristOptions): Promise<NodeClass>\n loadVirtual(options?: ArboristOptions): Promise<NodeClass>\n reify(options?: ArboristReifyOptions): Promise<NodeClass>\n}\n\nexport type ArboristReifyOptions = ReifyOptions & ArboristOptions\n\nexport type AuditAdvisory = Omit<BaseAdvisory, 'id'> & {\n id: number\n cwe: string[]\n cvss: {\n score: number\n vectorString: string\n }\n vulnerable_versions: string\n}\n\nexport type AuditReportInstance = Omit<BaseAuditReport, 'report'> & {\n report: { [dependency: string]: AuditAdvisory[] }\n}\n\nexport const DiffAction = createEnum({\n add: 'ADD',\n change: 'CHANGE',\n remove: 'REMOVE',\n})\n\nexport type Diff = Omit<\n BaseDiff,\n \| 'actual'\n \| 'children'\n \| 'filterSet'\n \| 'ideal'\n \| 'leaves'\n \| 'removed'\n \| 'shrinkwrapInflated'\n \| 'unchanged'\n> & {\n actual: NodeClass\n children: Diff[]\n filterSet: Set<NodeClass>\n ideal: NodeClass\n leaves: NodeClass[]\n parent: Diff \| null\n removed: NodeClass[]\n shrinkwrapInflated: Set<NodeClass>\n unchanged: NodeClass[]\n}\n\nexport type EdgeClass = Omit<\n BaseEdge,\n \| 'accept'\n \| 'detach'\n \| 'optional'\n \| 'overrides'\n \| 'peer'\n \| 'peerConflicted'\n \| 'rawSpec'\n \| 'reload'\n \| 'satisfiedBy'\n \| 'spec'\n \| 'to'\n> & {\n optional: boolean\n overrides: OverrideSetClass \| undefined\n peer: boolean\n peerConflicted: boolean\n rawSpec: string\n get accept(): string \| undefined\n get spec(): string\n get to(): NodeClass \| null\n new (...args: any): EdgeClass\n detach(): void\n reload(hard?: boolean): void\n satisfiedBy(node: NodeClass): boolean\n}\n\nexport type LinkClass = Omit<NodeClass, 'isLink'> & {\n readonly isLink: true\n}\n\nexport type NodeClass = Omit<\n BaseNode,\n \| 'addEdgeIn'\n \| 'addEdgeOut'\n \| 'canDedupe'\n \| 'canReplace'\n \| 'canReplaceWith'\n \| 'children'\n \| 'deleteEdgeIn'\n \| 'edgesIn'\n \| 'edgesOut'\n \| 'from'\n \| 'hasShrinkwrap'\n \| 'inDepBundle'\n \| 'inShrinkwrap'\n \| 'integrity'\n \| 'isTop'\n \| 'matches'\n \| 'meta'\n \| 'name'\n \| 'overrides'\n \| 'packageName'\n \| 'parent'\n \| 'recalculateOutEdgesOverrides'\n \| 'resolve'\n \| 'resolveParent'\n \| 'root'\n \| 'target'\n \| 'updateOverridesEdgeInAdded'\n \| 'updateOverridesEdgeInRemoved'\n \| 'version'\n \| 'versions'\n> & {\n name: string\n version: string\n children: Map<string, NodeClass \| LinkClass>\n edgesIn: Set<EdgeClass>\n edgesOut: Map<string, EdgeClass>\n from: NodeClass \| null\n hasShrinkwrap: boolean\n inShrinkwrap: boolean \| undefined\n integrity?: string \| null\n isTop: boolean \| undefined\n meta: BaseNode['meta'] & {\n addEdge(edge: EdgeClass): void\n }\n overrides: OverrideSetClass \| undefined\n target: NodeClass\n versions: string[]\n get inDepBundle(): boolean\n get packageName(): string \| null\n get parent(): NodeClass \| null\n set parent(value: NodeClass \| null)\n get resolveParent(): NodeClass \| null\n get root(): NodeClass \| null\n set root(value: NodeClass \| null)\n new (...args: any): NodeClass\n addEdgeIn(edge: EdgeClass): void\n addEdgeOut(edge: EdgeClass): void\n canDedupe(preferDedupe?: boolean): boolean\n canReplace(node: NodeClass, ignorePeers?: string[]): boolean\n canReplaceWith(node: NodeClass, ignorePeers?: string[]): boolean\n deleteEdgeIn(edge: EdgeClass): void\n matches(node: NodeClass): boolean\n recalculateOutEdgesOverrides(): void\n resolve(name: string): NodeClass\n updateOverridesEdgeInAdded(\n otherOverrideSet: OverrideSetClass \| undefined,\n ): boolean\n updateOverridesEdgeInRemoved(otherOverrideSet: OverrideSetClass): boolean\n}\n\nexport interface OverrideSetClass\n extends Omit<\n BaseOverrideSet,\n \| 'ancestry'\n \| 'children'\n \| 'getEdgeRule'\n \| 'getMatchingRule'\n \| 'getNodeRule'\n \| 'parent'\n \| 'ruleset'\n > {\n children: Map<string, OverrideSetClass>\n key: string \| undefined\n keySpec: string \| undefined\n name: string \| undefined\n parent: OverrideSetClass \| undefined\n value: string \| undefined\n version: string \| undefined\n // eslint-disable-next-line @typescript-eslint/no-misused-new\n new (...args: any[]): OverrideSetClass\n get isRoot(): boolean\n get ruleset(): Map<string, OverrideSetClass>\n ancestry(): Generator<OverrideSetClass>\n childrenAreEqual(otherOverrideSet: OverrideSetClass \| undefined): boolean\n getEdgeRule(edge: EdgeClass): OverrideSetClass\n getMatchingRule(node: NodeClass): OverrideSetClass \| null\n getNodeRule(node: NodeClass): OverrideSetClass\n isEqual(otherOverrideSet: OverrideSetClass \| undefined): boolean\n}\n","import { debugFn } from '@socketsecurity/registry/lib/debug'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\n\nimport constants from '../../constants.mts'\nimport { DiffAction } from './arborist/types.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { toFilterConfig } from '../../utils/filter-config.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { ArboristInstance, Diff, NodeClass } from './arborist/types.mts'\nimport type {\n AlertFilter,\n AlertsByPurl,\n} from '../../utils/socket-package-alert.mts'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nfunction getUrlOrigin(input: string): string {\n try {\n // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.\n // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base\n // return URL.parse(input)?.origin ?? ''\n return new URL(input).origin ?? ''\n } catch {}\n return ''\n}\n\nexport type GetAlertsMapFromArboristOptions = {\n apiToken?: string \| undefined\n consolidate?: boolean \| undefined\n filter?: AlertFilter \| undefined\n nothrow?: boolean \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function getAlertsMapFromArborist(\n arb: ArboristInstance,\n needInfoOn: PackageDetail[],\n options?: GetAlertsMapFromArboristOptions \| undefined,\n): Promise<AlertsByPurl> {\n const opts = {\n __proto__: null,\n consolidate: false,\n nothrow: false,\n ...options,\n filter: toFilterConfig(getOwn(options, 'filter')),\n } as GetAlertsMapFromArboristOptions & { filter: AlertFilter }\n\n const purls = needInfoOn.map(d => idToNpmPurl(d.node.pkgid))\n\n let overrides: { [key: string]: string } \| undefined\n const overridesMap = (\n arb.actualTree ??\n arb.idealTree ??\n (await arb.loadActual())\n )?.overrides?.children\n if (overridesMap) {\n overrides = Object.fromEntries(\n Array.from(overridesMap.entries()).map(([key, overrideSet]) => {\n return [key, overrideSet.value!]\n }),\n )\n }\n\n return await getAlertsMapFromPurls(purls, {\n overrides,\n ...opts,\n })\n}\n\nexport type DiffQueryFilter = {\n existing?: boolean \| undefined\n unknownOrigin?: boolean \| undefined\n}\n\nexport type DiffQueryOptions = {\n filter?: DiffQueryFilter \| undefined\n}\n\nexport type PackageDetail = {\n node: NodeClass\n existing?: NodeClass \| undefined\n}\n\nexport function getDetailsFromDiff(\n diff: Diff \| null,\n options?: DiffQueryOptions \| undefined,\n): PackageDetail[] {\n const details: PackageDetail[] = []\n // `diff` is `null` when `npm install --package-lock-only` is passed.\n if (!diff) {\n debugFn('notice', `miss: diff is ${diff}`)\n return details\n }\n\n const { NPM_REGISTRY_URL } = constants\n\n const filterConfig = toFilterConfig({\n existing: false,\n unknownOrigin: true,\n ...getOwn(options, 'filter'),\n }) as DiffQueryFilter\n\n const queue: Diff[] = [...diff.children]\n let pos = 0\n let { length: queueLength } = queue\n while (pos < queueLength) {\n if (pos === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop while walking Arborist diff')\n }\n const currDiff = queue[pos++]!\n const { action } = currDiff\n if (action) {\n // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff\n // action is 'REMOVE'\n // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff\n // action is 'ADD'.\n const { actual: oldNode, ideal: pkgNode } = currDiff\n let existing: NodeClass \| undefined\n let keep = false\n if (action === DiffAction.change) {\n if (pkgNode?.package.version !== oldNode?.package.version) {\n keep = true\n if (\n oldNode?.package.name &&\n oldNode.package.name === pkgNode?.package.name\n ) {\n existing = oldNode\n }\n }\n } else {\n keep = action !== DiffAction.remove\n }\n if (keep && pkgNode?.resolved && (!oldNode \|\| oldNode.resolved)) {\n if (\n filterConfig.unknownOrigin \|\|\n getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing,\n })\n }\n }\n }\n for (const child of currDiff.children) {\n queue[queueLength++] = child\n }\n }\n if (filterConfig.existing) {\n const { unchanged } = diff\n for (let i = 0, { length } = unchanged; i < length; i += 1) {\n const pkgNode = unchanged[i]!\n if (\n filterConfig.unknownOrigin \|\|\n getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing: pkgNode,\n })\n }\n }\n }\n return details\n}\n","// @ts-ignore\nimport UntypedArborist from '@npmcli/arborist/lib/arborist/index.js'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants, { NODE_MODULES, NPX } from '../../../../../constants.mts'\nimport { findUp } from '../../../../../utils/fs.mts'\nimport { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'\nimport {\n getAlertsMapFromArborist,\n getDetailsFromDiff,\n} from '../../../arborist-helpers.mts'\n\nimport type {\n ArboristClass,\n ArboristReifyOptions,\n NodeClass,\n} from '../../types.mts'\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },\n} = constants\n\nexport const SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n __proto__: null,\n audit: false,\n dryRun: true,\n fund: false,\n ignoreScripts: true,\n progress: false,\n save: false,\n saveBundle: false,\n silent: true,\n}\n\nexport const SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n // @ts-ignore\n __proto__: null,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n dryRun: false,\n save: true,\n}\n\nexport const kCtorArgs = Symbol('ctorArgs')\n\nexport const kRiskyReify = Symbol('riskyReify')\n\nexport const Arborist: ArboristClass = UntypedArborist\n\n// Implementation code not related to our custom behavior is based on\n// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:\nexport class SafeArborist extends Arborist {\n constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {\n super(\n {\n path:\n (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n },\n ...ctorArgs.slice(1),\n )\n ;(this as any)[kCtorArgs] = ctorArgs\n }\n\n async [kRiskyReify](\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const ctorArgs = (this as any)[kCtorArgs]\n const arb = new Arborist(\n {\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n progress: false,\n },\n ...ctorArgs.slice(1),\n )\n const ret = await (arb.reify as (...args: any[]) => Promise<NodeClass>)(\n {\n ...(args.length ? args[0] : undefined),\n progress: false,\n },\n ...args.slice(1),\n )\n Object.assign(this, arb)\n return ret\n }\n\n // @ts-ignore Incorrectly typed.\n override async reify(\n this: SafeArborist,\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const options = {\n __proto__: null,\n ...(args.length ? args[0] : undefined),\n } as ArboristReifyOptions\n\n const ipc = await getIpc()\n\n const binName = ipc[constants.SOCKET_CLI_SHADOW_BIN]\n if (!binName) {\n return await this[kRiskyReify](...args)\n }\n\n await super.reify(\n {\n ...options,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n progress: false,\n },\n // @ts-ignore: TypeScript gets grumpy about rest parameters.\n ...args.slice(1),\n )\n\n const shadowAcceptRisks = !!ipc[constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]\n const shadowProgress = !!ipc[constants.SOCKET_CLI_SHADOW_PROGRESS]\n const shadowSilent = !!ipc[constants.SOCKET_CLI_SHADOW_SILENT]\n\n const acceptRisks =\n shadowAcceptRisks \|\| constants.ENV.SOCKET_CLI_ACCEPT_RISKS\n const reportOnlyBlocking = acceptRisks \|\| options.dryRun \|\| options['yes']\n const silent = !!options['silent']\n const spinner = silent \|\| !shadowProgress ? undefined : constants.spinner\n\n const isShadowNpx = binName === NPX\n const hasExisting = await findUp(NODE_MODULES, {\n cwd: process.cwd(),\n onlyDirectories: true,\n })\n const shouldCheckExisting = reportOnlyBlocking ? true : isShadowNpx\n\n const needInfoOn = getDetailsFromDiff(this.diff, {\n filter: {\n existing: shouldCheckExisting,\n },\n })\n\n const alertsMap = await getAlertsMapFromArborist(this, needInfoOn, {\n apiToken: ipc[constants.SOCKET_CLI_SHADOW_API_TOKEN],\n spinner,\n filter: reportOnlyBlocking\n ? {\n actions: ['error'],\n blocked: true,\n existing: shouldCheckExisting,\n }\n : {\n actions: ['error', 'monitor', 'warn'],\n existing: shouldCheckExisting,\n },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n throw new Error(\n `\n Socket ${binName} exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }\n `.trim(),\n )\n } else if (!silent && !shadowSilent) {\n logger.success(\n `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'}${hasExisting ? ' new' : ''} risks`,\n )\n if (isShadowNpx) {\n logger.log(`Running ${options.add![0]}`)\n }\n }\n\n return await this[kRiskyReify](...args)\n }\n}\n","import { createRequire } from 'node:module'\n\n// @ts-ignore\nimport UntypedEdge from '@npmcli/arborist/lib/edge.js'\n// @ts-ignore\nimport UntypedNode from '@npmcli/arborist/lib/node.js'\n// @ts-ignore\nimport UntypedOverrideSet from '@npmcli/arborist/lib/override-set.js'\n\nimport {\n getArboristClassPath,\n getArboristEdgeClassPath,\n getArboristNodeClassPath,\n getArboristOverrideSetClassPath,\n} from '../paths.mts'\nimport { Arborist, SafeArborist } from './lib/arborist/index.mts'\n\nimport type { EdgeClass, NodeClass, OverrideSetClass } from './types.mts'\n\nconst require = createRequire(import.meta.url)\n\nexport { Arborist, SafeArborist }\n\nexport const Edge: EdgeClass = UntypedEdge\n\nexport const Node: NodeClass = UntypedNode\n\nexport const OverrideSet: OverrideSetClass = UntypedOverrideSet\n\nexport function installSafeArborist() {\n // Override '@npmcli/arborist' module exports with patched variants based on\n // https://github.com/npm/cli/pull/8089.\n const cache: { [key: string]: any } = require.cache\n cache[getArboristClassPath()] = { exports: SafeArborist }\n cache[getArboristEdgeClassPath()] = { exports: Edge }\n cache[getArboristNodeClassPath()] = { exports: Node }\n cache[getArboristOverrideSetClassPath()] = { exports: OverrideSet }\n}\n","import { installSafeArborist } from './arborist/index.mts'\n\ninstallSafeArborist()\n"],"names":["_arboristPkgPath","add","change","remove","__proto__","consolidate","nothrow","debugFn","NPM_REGISTRY_URL","existing","unknownOrigin","length","action","actual","ideal","keep","node","queue","unchanged","getIpc","audit","dryRun","fund","ignoreScripts","progress","save","saveBundle","silent","path","Object","cwd","onlyDirectories","filter","apiToken","blocked","actions","hideAt","logger","cache","exports","installSafeArborist"],"mappings":";;;;;;;;;;;;;AAOA;AACO;;;AAGH;AAGA;AAIAA;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;ACAO;AACLC;AACAC;AACAC;AACF;;ACjDA;;AAEI;AACA;AACA;;;AAGF;AACF;AAUO;AAKL;AACEC;AACAC;AACAC;AACA;;;AAIF;AAEA;;AAMA;;AAGM;AACF;AAEJ;AAEA;;;AAGA;AACF;AAgBO;;AAKL;;AAEEC;AACA;AACF;;AAEQC;AAAiB;;AAGvBC;AACAC;AACA;AACF;AAEA;;;AAEMC;AAAoB;;AAExB;AACE;AACF;AACA;;AACQC;AAAO;AACf;AACE;AACA;AACA;AACA;;AACQC;AAAiBC;AAAe;AACxC;;AAEA;;AAEIC;AACA;AAIEN;AACF;AACF;AACF;AACEM;AACF;AACA;AACE;;AAKIC;AACAP;AACF;AACF;AACF;AACF;AACA;AACEQ;AACF;AACF;;;AAEUC;AAAU;AAClB;AAAkBP;;AAChB;AACA;;AAKIK;AACAP;AACF;AACF;AACF;AACF;AACA;AACF;;ACpKA;AAmBA;;AAEE;AAA+DU;AAAO;AACxE;AAEO;AACLf;AACAgB;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAUO;AAEA;AAEA;;AAEP;AACA;AACO;;AAEH;AAEIC;;;;AAOF;AACJ;AAEA;AAGE;AACA;;AAGIJ;;AAIJ;;AAGIA;;AAIJK;AACA;AACF;;AAEA;AACA;AAIE;AACEzB;;;AAIF;AAEA;;;AAGA;;AAII;AACA;AACAoB;;AAEF;AACA;;;;;;AAUF;;AAGA;AACA;AACEM;AACAC;AACF;AACA;AAEA;AACEC;AACEvB;AACF;AACF;;AAGEwB;;;;AAKMC;AACAzB;AACF;AAEE0B;AACA1B;AACF;AACN;;;AAIE;;AAEE2B;;AAEF;;AAGN;AAQA;AAGI;AACEC;AAGA;;AAEA;AACF;;AAGF;AACF;;ACrKA;AAIO;AAEA;AAEA;AAEA;AACL;AACA;AACA;AACAC;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACnCAC","debugId":"b33002f6-cafc-4095-a7ed-0703c935057c"}
1	+ {"version":3,"file":"shadow-npm-inject.js","sources":["../src/shadow/npm/paths.mts","../src/shadow/npm/arborist/types.mts","../src/shadow/npm/arborist-helpers.mts","../src/shadow/npm/arborist/lib/arborist/index.mts","../src/shadow/npm/arborist/index.mts","../src/shadow/npm/inject.mts"],"sourcesContent":["import path from 'node:path'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../../constants.mts'\nimport { getNpmRequire } from '../../utils/npm-paths.mts'\n\nlet _arboristPkgPath: string \| undefined\nexport function getArboristPackagePath() {\n if (_arboristPkgPath === undefined) {\n const pkgName = '@npmcli/arborist'\n const mainPathWithForwardSlashes = normalizePath(\n getNpmRequire().resolve(pkgName),\n )\n const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n 0,\n mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length,\n )\n _arboristPkgPath = constants.WIN32\n ? path.normalize(arboristPkgPathWithForwardSlashes)\n : arboristPkgPathWithForwardSlashes\n }\n return _arboristPkgPath\n}\n\nlet _arboristClassPath: string \| undefined\nexport function getArboristClassPath() {\n if (_arboristClassPath === undefined) {\n _arboristClassPath = path.join(\n getArboristPackagePath(),\n 'lib/arborist/index.js',\n )\n }\n return _arboristClassPath\n}\n\nlet _arboristEdgeClassPath: string \| undefined\nexport function getArboristEdgeClassPath() {\n if (_arboristEdgeClassPath === undefined) {\n _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n }\n return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string \| undefined\nexport function getArboristNodeClassPath() {\n if (_arboristNodeClassPath === undefined) {\n _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n }\n return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string \| undefined\nexport function getArboristOverrideSetClassPath() {\n if (_arboristOverrideSetClassPath === undefined) {\n _arboristOverrideSetClassPath = path.join(\n getArboristPackagePath(),\n 'lib/override-set.js',\n )\n }\n return _arboristOverrideSetClassPath\n}\n","import { createEnum } from '../../../utils/objects.mts'\n\nimport type {\n Advisory as BaseAdvisory,\n Arborist as BaseArborist,\n Options as BaseArboristOptions,\n AuditReport as BaseAuditReport,\n Diff as BaseDiff,\n Edge as BaseEdge,\n Node as BaseNode,\n BaseOverrideSet,\n BuildIdealTreeOptions,\n ReifyOptions,\n} from '@npmcli/arborist'\n\nexport type ArboristOptions = BaseArboristOptions & {\n npmCommand?: string\n npmVersion?: string\n}\n\nexport type ArboristClass = ArboristInstance & {\n new (...args: any): ArboristInstance\n}\n\nexport type ArboristInstance = Omit<\n typeof BaseArborist,\n \| 'actualTree'\n \| 'auditReport'\n \| 'buildIdealTree'\n \| 'diff'\n \| 'idealTree'\n \| 'loadActual'\n \| 'loadVirtual'\n \| 'reify'\n> & {\n auditReport?: AuditReportInstance \| null \| undefined\n actualTree?: NodeClass \| null \| undefined\n diff: Diff \| null\n idealTree?: NodeClass \| null \| undefined\n buildIdealTree(options?: BuildIdealTreeOptions): Promise<NodeClass>\n loadActual(options?: ArboristOptions): Promise<NodeClass>\n loadVirtual(options?: ArboristOptions): Promise<NodeClass>\n reify(options?: ArboristReifyOptions): Promise<NodeClass>\n}\n\nexport type ArboristReifyOptions = ReifyOptions & ArboristOptions\n\nexport type AuditAdvisory = Omit<BaseAdvisory, 'id'> & {\n id: number\n cwe: string[]\n cvss: {\n score: number\n vectorString: string\n }\n vulnerable_versions: string\n}\n\nexport type AuditReportInstance = Omit<BaseAuditReport, 'report'> & {\n report: { [dependency: string]: AuditAdvisory[] }\n}\n\nexport const DiffAction = createEnum({\n add: 'ADD',\n change: 'CHANGE',\n remove: 'REMOVE',\n})\n\nexport type Diff = Omit<\n BaseDiff,\n \| 'actual'\n \| 'children'\n \| 'filterSet'\n \| 'ideal'\n \| 'leaves'\n \| 'removed'\n \| 'shrinkwrapInflated'\n \| 'unchanged'\n> & {\n actual: NodeClass\n children: Diff[]\n filterSet: Set<NodeClass>\n ideal: NodeClass\n leaves: NodeClass[]\n parent: Diff \| null\n removed: NodeClass[]\n shrinkwrapInflated: Set<NodeClass>\n unchanged: NodeClass[]\n}\n\nexport type EdgeClass = Omit<\n BaseEdge,\n \| 'accept'\n \| 'detach'\n \| 'optional'\n \| 'overrides'\n \| 'peer'\n \| 'peerConflicted'\n \| 'rawSpec'\n \| 'reload'\n \| 'satisfiedBy'\n \| 'spec'\n \| 'to'\n> & {\n optional: boolean\n overrides: OverrideSetClass \| undefined\n peer: boolean\n peerConflicted: boolean\n rawSpec: string\n get accept(): string \| undefined\n get spec(): string\n get to(): NodeClass \| null\n new (...args: any): EdgeClass\n detach(): void\n reload(hard?: boolean): void\n satisfiedBy(node: NodeClass): boolean\n}\n\nexport type LinkClass = Omit<NodeClass, 'isLink'> & {\n readonly isLink: true\n}\n\nexport type NodeClass = Omit<\n BaseNode,\n \| 'addEdgeIn'\n \| 'addEdgeOut'\n \| 'canDedupe'\n \| 'canReplace'\n \| 'canReplaceWith'\n \| 'children'\n \| 'deleteEdgeIn'\n \| 'edgesIn'\n \| 'edgesOut'\n \| 'from'\n \| 'hasShrinkwrap'\n \| 'inDepBundle'\n \| 'inShrinkwrap'\n \| 'integrity'\n \| 'isTop'\n \| 'matches'\n \| 'meta'\n \| 'name'\n \| 'overrides'\n \| 'packageName'\n \| 'parent'\n \| 'recalculateOutEdgesOverrides'\n \| 'resolve'\n \| 'resolveParent'\n \| 'root'\n \| 'target'\n \| 'updateOverridesEdgeInAdded'\n \| 'updateOverridesEdgeInRemoved'\n \| 'version'\n \| 'versions'\n> & {\n name: string\n version: string\n children: Map<string, NodeClass \| LinkClass>\n edgesIn: Set<EdgeClass>\n edgesOut: Map<string, EdgeClass>\n from: NodeClass \| null\n hasShrinkwrap: boolean\n inShrinkwrap: boolean \| undefined\n integrity?: string \| null\n isTop: boolean \| undefined\n meta: BaseNode['meta'] & {\n addEdge(edge: EdgeClass): void\n }\n overrides: OverrideSetClass \| undefined\n target: NodeClass\n versions: string[]\n get inDepBundle(): boolean\n get packageName(): string \| null\n get parent(): NodeClass \| null\n set parent(value: NodeClass \| null)\n get resolveParent(): NodeClass \| null\n get root(): NodeClass \| null\n set root(value: NodeClass \| null)\n new (...args: any): NodeClass\n addEdgeIn(edge: EdgeClass): void\n addEdgeOut(edge: EdgeClass): void\n canDedupe(preferDedupe?: boolean): boolean\n canReplace(node: NodeClass, ignorePeers?: string[]): boolean\n canReplaceWith(node: NodeClass, ignorePeers?: string[]): boolean\n deleteEdgeIn(edge: EdgeClass): void\n matches(node: NodeClass): boolean\n recalculateOutEdgesOverrides(): void\n resolve(name: string): NodeClass\n updateOverridesEdgeInAdded(\n otherOverrideSet: OverrideSetClass \| undefined,\n ): boolean\n updateOverridesEdgeInRemoved(otherOverrideSet: OverrideSetClass): boolean\n}\n\nexport interface OverrideSetClass\n extends Omit<\n BaseOverrideSet,\n \| 'ancestry'\n \| 'children'\n \| 'getEdgeRule'\n \| 'getMatchingRule'\n \| 'getNodeRule'\n \| 'parent'\n \| 'ruleset'\n > {\n children: Map<string, OverrideSetClass>\n key: string \| undefined\n keySpec: string \| undefined\n name: string \| undefined\n parent: OverrideSetClass \| undefined\n value: string \| undefined\n version: string \| undefined\n // eslint-disable-next-line @typescript-eslint/no-misused-new\n new (...args: any[]): OverrideSetClass\n get isRoot(): boolean\n get ruleset(): Map<string, OverrideSetClass>\n ancestry(): Generator<OverrideSetClass>\n childrenAreEqual(otherOverrideSet: OverrideSetClass \| undefined): boolean\n getEdgeRule(edge: EdgeClass): OverrideSetClass\n getMatchingRule(node: NodeClass): OverrideSetClass \| null\n getNodeRule(node: NodeClass): OverrideSetClass\n isEqual(otherOverrideSet: OverrideSetClass \| undefined): boolean\n}\n","import { debugFn } from '@socketsecurity/registry/lib/debug'\nimport { getOwn } from '@socketsecurity/registry/lib/objects'\nimport { parseUrl } from '@socketsecurity/registry/lib/url'\n\nimport constants from '../../constants.mts'\nimport { DiffAction } from './arborist/types.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { toFilterConfig } from '../../utils/filter-config.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { ArboristInstance, Diff, NodeClass } from './arborist/types.mts'\nimport type {\n AlertFilter,\n AlertsByPurl,\n} from '../../utils/socket-package-alert.mts'\nimport type { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nfunction getUrlOrigin(input: string): string {\n // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.\n // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base\n // return URL.parse(input)?.origin ?? ''\n return parseUrl(input)?.origin ?? ''\n}\n\nexport type GetAlertsMapFromArboristOptions = {\n apiToken?: string \| undefined\n consolidate?: boolean \| undefined\n filter?: AlertFilter \| undefined\n nothrow?: boolean \| undefined\n spinner?: Spinner \| undefined\n}\n\nexport async function getAlertsMapFromArborist(\n arb: ArboristInstance,\n needInfoOn: PackageDetail[],\n options?: GetAlertsMapFromArboristOptions \| undefined,\n): Promise<AlertsByPurl> {\n const opts = {\n __proto__: null,\n consolidate: false,\n nothrow: false,\n ...options,\n filter: toFilterConfig(getOwn(options, 'filter')),\n } as GetAlertsMapFromArboristOptions & { filter: AlertFilter }\n\n const purls = needInfoOn.map(d => idToNpmPurl(d.node.pkgid))\n\n let overrides: { [key: string]: string } \| undefined\n const overridesMap = (\n arb.actualTree ??\n arb.idealTree ??\n (await arb.loadActual())\n )?.overrides?.children\n if (overridesMap) {\n overrides = Object.fromEntries(\n Array.from(overridesMap.entries()).map(([key, overrideSet]) => {\n return [key, overrideSet.value!]\n }),\n )\n }\n\n return await getAlertsMapFromPurls(purls, {\n overrides,\n ...opts,\n })\n}\n\nexport type DiffQueryFilter = {\n existing?: boolean \| undefined\n unknownOrigin?: boolean \| undefined\n}\n\nexport type DiffQueryOptions = {\n filter?: DiffQueryFilter \| undefined\n}\n\nexport type PackageDetail = {\n node: NodeClass\n existing?: NodeClass \| undefined\n}\n\nexport function getDetailsFromDiff(\n diff: Diff \| null,\n options?: DiffQueryOptions \| undefined,\n): PackageDetail[] {\n const details: PackageDetail[] = []\n // `diff` is `null` when `npm install --package-lock-only` is passed.\n if (!diff) {\n debugFn('notice', `miss: diff is ${diff}`)\n return details\n }\n\n const { NPM_REGISTRY_URL } = constants\n\n const filterConfig = toFilterConfig({\n existing: false,\n unknownOrigin: true,\n ...getOwn(options, 'filter'),\n }) as DiffQueryFilter\n\n const queue: Diff[] = [...diff.children]\n let pos = 0\n let { length: queueLength } = queue\n while (pos < queueLength) {\n if (pos === constants.LOOP_SENTINEL) {\n throw new Error('Detected infinite loop while walking Arborist diff.')\n }\n const currDiff = queue[pos++]!\n const { action } = currDiff\n if (action) {\n // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff\n // action is 'REMOVE'\n // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff\n // action is 'ADD'.\n const { actual: oldNode, ideal: pkgNode } = currDiff\n let existing: NodeClass \| undefined\n let keep = false\n if (action === DiffAction.change) {\n if (pkgNode?.package.version !== oldNode?.package.version) {\n keep = true\n if (\n oldNode?.package.name &&\n oldNode.package.name === pkgNode?.package.name\n ) {\n existing = oldNode\n }\n }\n } else {\n keep = action !== DiffAction.remove\n }\n if (keep && pkgNode?.resolved && (!oldNode \|\| oldNode.resolved)) {\n if (\n filterConfig.unknownOrigin \|\|\n getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing,\n })\n }\n }\n }\n for (const child of currDiff.children) {\n queue[queueLength++] = child\n }\n }\n if (filterConfig.existing) {\n const { unchanged } = diff\n for (let i = 0, { length } = unchanged; i < length; i += 1) {\n const pkgNode = unchanged[i]!\n if (\n filterConfig.unknownOrigin \|\|\n getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL\n ) {\n details.push({\n node: pkgNode,\n existing: pkgNode,\n })\n }\n }\n }\n return details\n}\n","// @ts-ignore\nimport UntypedArborist from '@npmcli/arborist/lib/arborist/index.js'\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\nimport constants, { NODE_MODULES, NPX } from '../../../../../constants.mts'\nimport { findUp } from '../../../../../utils/fs.mts'\nimport { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'\nimport {\n getAlertsMapFromArborist,\n getDetailsFromDiff,\n} from '../../../arborist-helpers.mts'\n\nimport type {\n ArboristClass,\n ArboristReifyOptions,\n NodeClass,\n} from '../../types.mts'\n\nconst {\n kInternalsSymbol,\n [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },\n} = constants\n\nexport const SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n __proto__: null,\n audit: false,\n dryRun: true,\n fund: false,\n ignoreScripts: true,\n progress: false,\n save: false,\n saveBundle: false,\n silent: true,\n}\n\nexport const SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {\n // @ts-ignore\n __proto__: null,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n dryRun: false,\n save: true,\n}\n\nexport const kCtorArgs = Symbol('ctorArgs')\n\nexport const kRiskyReify = Symbol('riskyReify')\n\nexport const Arborist: ArboristClass = UntypedArborist\n\n// Implementation code not related to our custom behavior is based on\n// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:\nexport class SafeArborist extends Arborist {\n constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {\n super(\n {\n path:\n (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n },\n ...ctorArgs.slice(1),\n )\n ;(this as any)[kCtorArgs] = ctorArgs\n }\n\n async [kRiskyReify](\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const ctorArgs = (this as any)[kCtorArgs]\n const arb = new Arborist(\n {\n ...(ctorArgs.length ? ctorArgs[0] : undefined),\n progress: false,\n },\n ...ctorArgs.slice(1),\n )\n const ret = await (arb.reify as (...args: any[]) => Promise<NodeClass>)(\n {\n ...(args.length ? args[0] : undefined),\n progress: false,\n },\n ...args.slice(1),\n )\n Object.assign(this, arb)\n return ret\n }\n\n // @ts-ignore Incorrectly typed.\n override async reify(\n this: SafeArborist,\n ...args: Parameters<InstanceType<ArboristClass>['reify']>\n ): Promise<NodeClass> {\n const options = {\n __proto__: null,\n ...(args.length ? args[0] : undefined),\n } as ArboristReifyOptions\n\n const ipc = await getIpc()\n\n const binName = ipc[constants.SOCKET_CLI_SHADOW_BIN]\n if (!binName) {\n return await this[kRiskyReify](...args)\n }\n\n await super.reify(\n {\n ...options,\n ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,\n progress: false,\n },\n // @ts-ignore: TypeScript gets grumpy about rest parameters.\n ...args.slice(1),\n )\n\n const shadowAcceptRisks = !!ipc[constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]\n const shadowProgress = !!ipc[constants.SOCKET_CLI_SHADOW_PROGRESS]\n const shadowSilent = !!ipc[constants.SOCKET_CLI_SHADOW_SILENT]\n\n const acceptRisks =\n shadowAcceptRisks \|\| constants.ENV.SOCKET_CLI_ACCEPT_RISKS\n const reportOnlyBlocking = acceptRisks \|\| options.dryRun \|\| options['yes']\n const silent = !!options['silent']\n const spinner = silent \|\| !shadowProgress ? undefined : constants.spinner\n\n const isShadowNpx = binName === NPX\n const hasExisting = await findUp(NODE_MODULES, {\n cwd: process.cwd(),\n onlyDirectories: true,\n })\n const shouldCheckExisting = reportOnlyBlocking ? true : isShadowNpx\n\n const needInfoOn = getDetailsFromDiff(this.diff, {\n filter: {\n existing: shouldCheckExisting,\n },\n })\n\n const alertsMap = await getAlertsMapFromArborist(this, needInfoOn, {\n apiToken: ipc[constants.SOCKET_CLI_SHADOW_API_TOKEN],\n spinner,\n filter: reportOnlyBlocking\n ? {\n actions: ['error'],\n blocked: true,\n existing: shouldCheckExisting,\n }\n : {\n actions: ['error', 'monitor', 'warn'],\n existing: shouldCheckExisting,\n },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n throw new Error(\n `\n Socket ${binName} exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }\n `.trim(),\n )\n } else if (!silent && !shadowSilent) {\n logger.success(\n `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'}${hasExisting ? ' new' : ''} risks`,\n )\n if (isShadowNpx) {\n logger.log(`Running ${options.add![0]}`)\n }\n }\n\n return await this[kRiskyReify](...args)\n }\n}\n","import { createRequire } from 'node:module'\n\n// @ts-ignore\nimport UntypedEdge from '@npmcli/arborist/lib/edge.js'\n// @ts-ignore\nimport UntypedNode from '@npmcli/arborist/lib/node.js'\n// @ts-ignore\nimport UntypedOverrideSet from '@npmcli/arborist/lib/override-set.js'\n\nimport {\n getArboristClassPath,\n getArboristEdgeClassPath,\n getArboristNodeClassPath,\n getArboristOverrideSetClassPath,\n} from '../paths.mts'\nimport { Arborist, SafeArborist } from './lib/arborist/index.mts'\n\nimport type { EdgeClass, NodeClass, OverrideSetClass } from './types.mts'\n\nconst require = createRequire(import.meta.url)\n\nexport { Arborist, SafeArborist }\n\nexport const Edge: EdgeClass = UntypedEdge\n\nexport const Node: NodeClass = UntypedNode\n\nexport const OverrideSet: OverrideSetClass = UntypedOverrideSet\n\nexport function installSafeArborist() {\n // Override '@npmcli/arborist' module exports with patched variants based on\n // https://github.com/npm/cli/pull/8089.\n const cache: { [key: string]: any } = require.cache\n cache[getArboristClassPath()] = { exports: SafeArborist }\n cache[getArboristEdgeClassPath()] = { exports: Edge }\n cache[getArboristNodeClassPath()] = { exports: Node }\n cache[getArboristOverrideSetClassPath()] = { exports: OverrideSet }\n}\n","import { installSafeArborist } from './arborist/index.mts'\n\ninstallSafeArborist()\n"],"names":["_arboristPkgPath","add","change","remove","__proto__","consolidate","nothrow","debugFn","NPM_REGISTRY_URL","existing","unknownOrigin","length","action","actual","ideal","keep","node","queue","unchanged","getIpc","audit","dryRun","fund","ignoreScripts","progress","save","saveBundle","silent","path","Object","cwd","onlyDirectories","filter","apiToken","blocked","actions","hideAt","logger","cache","exports","installSafeArborist"],"mappings":";;;;;;;;;;;;;;AAOA;AACO;;;AAGH;AAGA;AAIAA;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;ACAO;AACLC;AACAC;AACAC;AACF;;AChDA;AACE;AACA;AACA;AACA;AACF;AAUO;AAKL;AACEC;AACAC;AACAC;AACA;;;AAIF;AAEA;;AAMA;;AAGM;AACF;AAEJ;AAEA;;;AAGA;AACF;AAgBO;;AAKL;;AAEEC;AACA;AACF;;AAEQC;AAAiB;;AAGvBC;AACAC;AACA;AACF;AAEA;;;AAEMC;AAAoB;;AAExB;AACE;AACF;AACA;;AACQC;AAAO;AACf;AACE;AACA;AACA;AACA;;AACQC;AAAiBC;AAAe;AACxC;;AAEA;;AAEIC;AACA;AAIEN;AACF;AACF;AACF;AACEM;AACF;AACA;AACE;;AAKIC;AACAP;AACF;AACF;AACF;AACF;AACA;AACEQ;AACF;AACF;;;AAEUC;AAAU;AAClB;AAAkBP;;AAChB;AACA;;AAKIK;AACAP;AACF;AACF;AACF;AACF;AACA;AACF;;AClKA;AAmBA;;AAEE;AAA+DU;AAAO;AACxE;AAEO;AACLf;AACAgB;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACAC;AACF;AAUO;AAEA;AAEA;;AAEP;AACA;AACO;;AAEH;AAEIC;;;;AAOF;AACJ;AAEA;AAGE;AACA;;AAGIJ;;AAIJ;;AAGIA;;AAIJK;AACA;AACF;;AAEA;AACA;AAIE;AACEzB;;;AAIF;AAEA;;;AAGA;;AAII;AACA;AACAoB;;AAEF;AACA;;;;;;AAUF;;AAGA;AACA;AACEM;AACAC;AACF;AACA;AAEA;AACEC;AACEvB;AACF;AACF;;AAGEwB;;;;AAKMC;AACAzB;AACF;AAEE0B;AACA1B;AACF;AACN;;;AAIE;;AAEE2B;;AAEF;;AAGN;AAQA;AAGI;AACEC;AAGA;;AAEA;AACF;;AAGF;AACF;;ACrKA;AAIO;AAEA;AAEA;AAEA;AACL;AACA;AACA;AACAC;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACnCAC","debugId":"fa30e366-2602-48d0-939f-fcec4c526adc"}

package/dist/shadow-pnpm-bin.js ADDED Viewed

@@ -0,0 +1,235 @@
+'use strict';
+var fs = require('node:fs');
+var path = require('node:path');
+var require$$0 = require('node:url');
+var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
+var logger = require('../external/@socketsecurity/registry/lib/logger');
+var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var vendor = require('./vendor.js');
+var constants = require('./constants.js');
+var utils = require('./utils.js');
+async function installLinks(shadowBinPath, _binName) {
+  // Find pnpm being shadowed by this process.
+  const binPath = utils.getPnpmBinPath();
+  const {
+    WIN32
+  } = constants.default;
+  // TODO: Is this early exit needed?
+  if (WIN32 && binPath) {
+    return binPath;
+  }
+  const shadowed = utils.isPnpmBinPathShadowed();
+  // Move our bin directory to front of PATH so its found first.
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, 'pnpm-cli.js'), path.join(shadowBinPath, 'pnpm'));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+const INSTALL_COMMANDS = new Set(['add', 'i', 'install', 'install-test', 'it', 'update', 'up']);
+async function shadowPnpm(args = process.argv.slice(2), options, extra) {
+  const opts = {
+    __proto__: null,
+    ...options
+  };
+  const {
+    env: spawnEnv,
+    ipc,
+    ...spawnOpts
+  } = opts;
+  let {
+    cwd = process.cwd()
+  } = opts;
+  if (cwd instanceof URL) {
+    cwd = require$$0.fileURLToPath(cwd);
+  }
+  const terminatorPos = args.indexOf('--');
+  const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  // Check if this is an install-type command that needs security scanning
+  const command = rawPnpmArgs[0];
+  const needsScanning = command && INSTALL_COMMANDS.has(command);
+  // Get pnpm path
+  const realPnpmPath = await installLinks(constants.default.shadowBinPath);
+  const permArgs = ['--reporter=silent',
+  // Disable update checks during security scanning
+  '--no-update-notifier'];
+  const prefixArgs = [];
+  const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs];
+  if (needsScanning && !rawPnpmArgs.includes('--dry-run')) {
+    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS']);
+    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS']);
+    // Extract package names from command arguments before any downloads
+    const packagePurls = [];
+    if (command === 'add') {
+      // For 'pnpm add package1 package2@version', get packages from args
+      const packageArgs = rawPnpmArgs.slice(1).filter(arg => !arg.startsWith('-') && arg !== '--');
+      for (const pkgSpec of packageArgs) {
+        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'
+        let name;
+        let version;
+        if (pkgSpec.startsWith('@')) {
+          // Scoped package: @scope/name or @scope/name@version
+          const parts = pkgSpec.split('@');
+          if (parts.length === 2) {
+            // @scope/name (no version)
+            name = pkgSpec;
+          } else {
+            // @scope/name@version
+            name = `@${parts[1]}`;
+            version = parts[2];
+          }
+        } else {
+          // Regular package: name or name@version
+          const atIndex = pkgSpec.indexOf('@');
+          if (atIndex === -1) {
+            name = pkgSpec;
+          } else {
+            name = pkgSpec.slice(0, atIndex);
+            version = pkgSpec.slice(atIndex + 1);
+          }
+        }
+        if (name) {
+          packagePurls.push(version ? utils.idToNpmPurl(`${name}@${version}`) : utils.idToNpmPurl(name));
+        }
+      }
+    } else if (['install', 'i', 'update', 'up'].includes(command)) {
+      // For install/update, scan all dependencies from pnpm-lock.yaml
+      const pnpmLockPath = path.join(cwd, constants.PNPM_LOCK_YAML);
+      if (fs.existsSync(pnpmLockPath)) {
+        try {
+          const lockfileContent = await utils.readPnpmLockfile(pnpmLockPath);
+          if (lockfileContent) {
+            const lockfile = utils.parsePnpmLockfile(lockfileContent);
+            if (lockfile) {
+              // Use existing function to scan the entire lockfile
+              if (require$$9.isDebug()) {
+                require$$9.debugFn('notice', `scanning: all dependencies from ${constants.PNPM_LOCK_YAML}`);
+              }
+              const alertsMap = await utils.getAlertsMapFromPnpmLockfile(lockfile, {
+                nothrow: true,
+                filter: acceptRisks ? {
+                  actions: ['error'],
+                  blocked: true
+                } : {
+                  actions: ['error', 'monitor', 'warn']
+                }
+              });
+              if (alertsMap.size) {
+                process.exitCode = 1;
+                utils.logAlertsMap(alertsMap, {
+                  hideAt: viewAllRisks ? 'none' : 'middle',
+                  output: process.stderr
+                });
+                const errorMessage = `Socket pnpm exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
+                logger.logger.error(errorMessage);
+                // eslint-disable-next-line n/no-process-exit
+                process.exit(1);
+                // This line is never reached in production, but helps tests.
+                throw new Error('process.exit called');
+              }
+              // Return early since we've already done the scanning
+              if (require$$9.isDebug()) {
+                require$$9.debugFn('notice', 'complete: lockfile scanning, proceeding with install');
+              }
+            }
+          }
+        } catch (e) {
+          if (require$$9.isDebug()) {
+            require$$9.debugFn('error', 'caught: pnpm lockfile scanning error');
+            require$$9.debugDir('inspect', {
+              error: e
+            });
+          }
+        }
+      } else if (require$$9.isDebug()) {
+        require$$9.debugFn('notice', 'skip: no pnpm-lock.yaml found, skipping bulk install scanning');
+      }
+    }
+    if (packagePurls.length > 0) {
+      if (require$$9.isDebug()) {
+        require$$9.debugFn('notice', 'scanning: packages before download');
+        require$$9.debugDir('inspect', {
+          packagePurls
+        });
+      }
+      try {
+        const alertsMap = await utils.getAlertsMapFromPurls(packagePurls, {
+          nothrow: true,
+          filter: acceptRisks ? {
+            actions: ['error'],
+            blocked: true
+          } : {
+            actions: ['error', 'monitor', 'warn']
+          }
+        });
+        if (alertsMap.size) {
+          process.exitCode = 1;
+          utils.logAlertsMap(alertsMap, {
+            hideAt: viewAllRisks ? 'none' : 'middle',
+            output: process.stderr
+          });
+          const errorMessage = `
+Socket pnpm exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
+          logger.logger.error(errorMessage);
+          // eslint-disable-next-line n/no-process-exit
+          process.exit(1);
+          // This line is never reached in production, but helps tests.
+          throw new Error('process.exit called');
+        }
+      } catch (e) {
+        // Re-throw process.exit errors from tests.
+        if (e instanceof Error && e.message === 'process.exit called') {
+          throw e;
+        }
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('error', 'caught: package scanning error');
+          require$$9.debugDir('inspect', {
+            error: e
+          });
+        }
+        // Continue with installation if scanning fails
+      }
+    }
+    if (require$$9.isDebug()) {
+      require$$9.debugFn('notice', 'complete: scanning, proceeding with install');
+      require$$9.debugDir('inspect', {
+        args: rawPnpmArgs.slice(1)
+      });
+    }
+  }
+  const argsToString = utils.cmdFlagsToString([...prefixArgs, ...suffixArgs]);
+  const env = {
+    ...process.env,
+    ...spawnEnv
+  };
+  if (require$$9.isDebug()) {
+    require$$9.debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`);
+  }
+  const spawnPromise = spawn.spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {
+    ...spawnOpts,
+    env,
+    extra
+  });
+  return {
+    spawnPromise
+  };
+}
+module.exports = shadowPnpm;
+//# debugId=95396bfd-89e3-4dec-a9d6-623419962b28
+//# sourceMappingURL=shadow-pnpm-bin.js.map

package/dist/shadow-pnpm-bin.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"shadow-pnpm-bin.js","sources":["../src/shadow/pnpm/link.mts","../src/shadow/pnpm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getPnpmBinPath,\n isPnpmBinPathShadowed,\n} from '../../utils/pnpm-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n _binName: 'pnpm',\n): Promise<string> {\n // Find pnpm being shadowed by this process.\n const binPath = getPnpmBinPath()\n const { WIN32 } = constants\n\n // TODO: Is this early exit needed?\n if (WIN32 && binPath) {\n return binPath\n }\n\n const shadowed = isPnpmBinPathShadowed()\n\n // Move our bin directory to front of PATH so its found first.\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, 'pnpm-cli.js'),\n path.join(shadowBinPath, 'pnpm'),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n\n return binPath\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants, { PNPM_LOCK_YAML } from '../../constants.mts'\nimport {\n getAlertsMapFromPnpmLockfile,\n getAlertsMapFromPurls,\n} from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { parsePnpmLockfile, readPnpmLockfile } from '../../utils/pnpm.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowPnpmOptions = SpawnOptions & {\n ipc?: IpcObject | undefined\n}\n\nexport type ShadowPnpmResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n 'add',\n 'i',\n 'install',\n 'install-test',\n 'it',\n 'update',\n 'up',\n])\n\nexport default async function shadowPnpm(\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowPnpmOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowPnpmResult> {\n const opts = { __proto__: null, ...options } as ShadowPnpmOptions\n const { env: spawnEnv, ipc, ...spawnOpts } = opts\n\n let { cwd = process.cwd() } = opts\n if (cwd instanceof URL) {\n cwd = fileURLToPath(cwd)\n }\n\n const terminatorPos = args.indexOf('--')\n const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n // Check if this is an install-type command that needs security scanning\n const command = rawPnpmArgs[0]\n const needsScanning = command && INSTALL_COMMANDS.has(command)\n\n // Get pnpm path\n const realPnpmPath = await installLinks(constants.shadowBinPath, 'pnpm')\n\n const permArgs = [\n '--reporter=silent',\n // Disable update checks during security scanning\n '--no-update-notifier',\n ]\n\n const prefixArgs: string[] = []\n const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs]\n\n if (needsScanning && !rawPnpmArgs.includes('--dry-run')) {\n const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n // Extract package names from command arguments before any downloads\n const packagePurls: string[] = []\n\n if (command === 'add') {\n // For 'pnpm add package1 package2@version', get packages from args\n const packageArgs = rawPnpmArgs\n .slice(1)\n .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n for (const pkgSpec of packageArgs) {\n // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n let name: string\n let version: string | undefined\n\n if (pkgSpec.startsWith('@')) {\n // Scoped package: @scope/name or @scope/name@version\n const parts = pkgSpec.split('@')\n if (parts.length === 2) {\n // @scope/name (no version)\n name = pkgSpec\n } else {\n // @scope/name@version\n name = `@${parts[1]}`\n version = parts[2]\n }\n } else {\n // Regular package: name or name@version\n const atIndex = pkgSpec.indexOf('@')\n if (atIndex === -1) {\n name = pkgSpec\n } else {\n name = pkgSpec.slice(0, atIndex)\n version = pkgSpec.slice(atIndex + 1)\n }\n }\n\n if (name) {\n packagePurls.push(\n version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n )\n }\n }\n } else if (['install', 'i', 'update', 'up'].includes(command)) {\n // For install/update, scan all dependencies from pnpm-lock.yaml\n const pnpmLockPath = path.join(cwd, PNPM_LOCK_YAML)\n if (existsSync(pnpmLockPath)) {\n try {\n const lockfileContent = await readPnpmLockfile(pnpmLockPath)\n if (lockfileContent) {\n const lockfile = parsePnpmLockfile(lockfileContent)\n if (lockfile) {\n // Use existing function to scan the entire lockfile\n if (isDebug()) {\n debugFn(\n 'notice',\n `scanning: all dependencies from ${PNPM_LOCK_YAML}`,\n )\n }\n\n const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `Socket pnpm exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n\n // Return early since we've already done the scanning\n if (isDebug()) {\n debugFn(\n 'notice',\n 'complete: lockfile scanning, proceeding with install',\n )\n }\n }\n }\n } catch (e) {\n if (isDebug()) {\n debugFn('error', 'caught: pnpm lockfile scanning error')\n debugDir('inspect', { error: e })\n }\n }\n } else if (isDebug()) {\n debugFn(\n 'notice',\n 'skip: no pnpm-lock.yaml found, skipping bulk install scanning',\n )\n }\n }\n\n if (packagePurls.length > 0) {\n if (isDebug()) {\n debugFn('notice', 'scanning: packages before download')\n debugDir('inspect', { packagePurls })\n }\n\n try {\n const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `\nSocket pnpm exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n } catch (e) {\n // Re-throw process.exit errors from tests.\n if (e instanceof Error && e.message === 'process.exit called') {\n throw e\n }\n if (isDebug()) {\n debugFn('error', 'caught: package scanning error')\n debugDir('inspect', { error: e })\n }\n // Continue with installation if scanning fails\n }\n }\n\n if (isDebug()) {\n debugFn('notice', 'complete: scanning, proceeding with install')\n debugDir('inspect', { args: rawPnpmArgs.slice(1) })\n }\n }\n\n const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n const env = {\n ...process.env,\n ...spawnEnv,\n } as Record<string, string>\n\n if (isDebug()) {\n debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`)\n }\n\n const spawnPromise = spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {\n ...spawnOpts,\n env,\n extra,\n })\n\n return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","cwd","name","version","packagePurls","debugFn","nothrow","blocked","actions","hideAt","logger","process","error","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;;AAUO;AAIL;AACA;;AACQA;AAAM;;AAEd;;AAEE;AACF;AAEA;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACJA;AAUe;AAKb;AAAeC;;;;AACPD;;;AAAiC;;AAEnCE;AAAoB;;AAExBA;AACF;AAEA;AACA;AACA;;AAEA;AACA;;;AAGA;;;AAKE;AACA;;;;;;;AAUA;;;AAIE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AACE;;AAEA;;AAEI;AACA;AACE;AACA;AACE;;AAEEC;AAIF;AAEA;AACEC;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;;AAYAC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEEN;AAIF;AACF;AACF;;;AAGEA;;AACsBO;AAAS;AACjC;AACF;AACF;AACEP;AAIF;AACF;AAEA;;AAEIA;;AACsBD;AAAa;AACrC;;AAGE;AACEE;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEN;;AACsBO;AAAS;AACjC;AACA;AACF;AACF;;AAGEP;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"95396bfd-89e3-4dec-a9d6-623419962b28"}