npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.1.9 → 1.1.13 - Mend

@socketsecurity/cli-with-sentry 1.1.9 → 1.1.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/dist/shadow-yarn-bin.js ADDED Viewed

@@ -0,0 +1,200 @@
+'use strict';
+var fs = require('node:fs');
+var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
+var logger = require('../external/@socketsecurity/registry/lib/logger');
+var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var path = require('node:path');
+var vendor = require('./vendor.js');
+var constants = require('./constants.js');
+var utils = require('./utils.js');
+async function installLinks(shadowBinPath, binName) {
+  const binPath = utils.getYarnBinPath();
+  const {
+    WIN32
+  } = constants.default;
+  if (WIN32 && binPath) {
+    return binPath;
+  }
+  const shadowed = utils.isYarnBinPathShadowed();
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, `${binName}-cli.js`), path.join(shadowBinPath, binName));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+const INSTALL_COMMANDS = new Set(['add', 'install', 'up', 'upgrade', 'upgrade-interactive']);
+const DLX_COMMANDS = new Set(['dlx']);
+async function shadowYarn(args = process.argv.slice(2), options, extra) {
+  const {
+    env: spawnEnv,
+    ipc,
+    ...spawnOpts
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const terminatorPos = args.indexOf('--');
+  const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  // Check if this is a command that needs security scanning
+  const command = rawYarnArgs[0];
+  const needsScanning = command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command));
+  // Get yarn path
+  const realYarnPath = await installLinks(constants.default.shadowBinPath, 'yarn');
+  const permArgs = [];
+  const prefixArgs = [];
+  const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs];
+  if (needsScanning && !rawYarnArgs.includes('--dry-run')) {
+    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS']);
+    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS']);
+    // Extract package names from command arguments before any downloads
+    const packagePurls = [];
+    if (command === 'add' || command === 'dlx') {
+      // For 'yarn add package1 package2@version' or 'yarn dlx package'
+      const packageArgs = rawYarnArgs.slice(1).filter(arg => !arg.startsWith('-') && arg !== '--');
+      for (const pkgSpec of packageArgs) {
+        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'
+        let name;
+        let version;
+        if (pkgSpec.startsWith('@')) {
+          // Scoped package: @scope/name or @scope/name@version
+          const parts = pkgSpec.split('@');
+          if (parts.length === 2) {
+            // @scope/name (no version)
+            name = pkgSpec;
+          } else {
+            // @scope/name@version
+            name = `@${parts[1]}`;
+            version = parts[2];
+          }
+        } else {
+          // Regular package: name or name@version
+          const atIndex = pkgSpec.indexOf('@');
+          if (atIndex === -1) {
+            name = pkgSpec;
+          } else {
+            name = pkgSpec.slice(0, atIndex);
+            version = pkgSpec.slice(atIndex + 1);
+          }
+        }
+        if (name) {
+          packagePurls.push(version ? utils.idToNpmPurl(`${name}@${version}`) : utils.idToNpmPurl(name));
+        }
+      }
+    } else if (['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)) {
+      // For install/upgrade, scan all dependencies from package.json
+      // Note: This scans direct dependencies only. For full transitive dependency
+      // scanning, yarn.lock parsing would be needed (not yet implemented)
+      try {
+        const packageJsonContent = await fs.promises.readFile('package.json', 'utf8');
+        const packageJson = JSON.parse(packageJsonContent);
+        const allDeps = {
+          ...packageJson.dependencies,
+          ...packageJson.devDependencies,
+          ...packageJson.optionalDependencies,
+          ...packageJson.peerDependencies
+        };
+        for (const [name, version] of Object.entries(allDeps)) {
+          if (typeof version === 'string') {
+            packagePurls.push(utils.idToNpmPurl(`${name}@${version}`));
+          } else {
+            packagePurls.push(utils.idToNpmPurl(name));
+          }
+        }
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('notice', `scanning: ${packagePurls.length} direct dependencies from package.json`);
+          require$$9.debugFn('notice', 'note: transitive dependencies not scanned (yarn.lock parsing not implemented)');
+        }
+      } catch (e) {
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('error', 'caught: package.json read error during dependency scanning');
+          require$$9.debugDir('inspect', {
+            error: e
+          });
+        }
+      }
+    }
+    if (packagePurls.length > 0) {
+      if (require$$9.isDebug()) {
+        require$$9.debugFn('notice', 'scanning: packages before download');
+        require$$9.debugDir('inspect', {
+          packagePurls
+        });
+      }
+      try {
+        const alertsMap = await utils.getAlertsMapFromPurls(packagePurls, {
+          nothrow: true,
+          filter: acceptRisks ? {
+            actions: ['error'],
+            blocked: true
+          } : {
+            actions: ['error', 'monitor', 'warn']
+          }
+        });
+        if (alertsMap.size) {
+          process.exitCode = 1;
+          utils.logAlertsMap(alertsMap, {
+            hideAt: viewAllRisks ? 'none' : 'middle',
+            output: process.stderr
+          });
+          const errorMessage = `
+Socket yarn exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
+          logger.logger.error(errorMessage);
+          // eslint-disable-next-line n/no-process-exit
+          process.exit(1);
+          // This line is never reached in production, but helps tests.
+          throw new Error('process.exit called');
+        }
+      } catch (e) {
+        // Re-throw process.exit errors from tests.
+        if (e instanceof Error && e.message === 'process.exit called') {
+          throw e;
+        }
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('error', 'caught: package scanning error');
+          require$$9.debugDir('inspect', {
+            error: e
+          });
+        }
+        // Continue with installation if scanning fails
+      }
+    }
+    if (require$$9.isDebug()) {
+      require$$9.debugFn('notice', 'complete: scanning, proceeding with install');
+      require$$9.debugDir('inspect', {
+        args: rawYarnArgs.slice(1)
+      });
+    }
+  }
+  const argsToString = utils.cmdFlagsToString([...prefixArgs, ...suffixArgs]);
+  const env = {
+    ...process.env,
+    ...spawnEnv
+  };
+  if (require$$9.isDebug()) {
+    require$$9.debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`);
+  }
+  const spawnPromise = spawn.spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {
+    ...spawnOpts,
+    env,
+    extra
+  });
+  return {
+    spawnPromise
+  };
+}
+module.exports = shadowYarn;
+//# debugId=ff5e070d-ede1-4e55-b8e9-dfa667ad45a0
+//# sourceMappingURL=shadow-yarn-bin.js.map

package/dist/shadow-yarn-bin.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"shadow-yarn-bin.js","sources":["../src/shadow/yarn/link.mts","../src/shadow/yarn/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n getYarnBinPath,\n isYarnBinPathShadowed,\n} from '../../utils/yarn-paths.mts'\n\nexport async function installLinks(\n shadowBinPath: string,\n binName: 'yarn',\n): Promise<string> {\n const binPath = getYarnBinPath()\n const { WIN32 } = constants\n\n if (WIN32 && binPath) {\n return binPath\n }\n\n const shadowed = isYarnBinPathShadowed()\n\n if (!shadowed) {\n if (WIN32) {\n await cmdShim(\n path.join(constants.distPath, `${binName}-cli.js`),\n path.join(shadowBinPath, binName),\n )\n }\n const { env } = process\n env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n }\n\n return binPath\n}\n","import { promises as fs } from 'node:fs'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n SpawnExtra,\n SpawnOptions,\n SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowYarnOptions = SpawnOptions & {\n ipc?: IpcObject | undefined\n}\n\nexport type ShadowYarnResult = {\n spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n 'add',\n 'install',\n 'up',\n 'upgrade',\n 'upgrade-interactive',\n])\n\nconst DLX_COMMANDS = new Set(['dlx'])\n\nexport default async function shadowYarn(\n args: string[] | readonly string[] = process.argv.slice(2),\n options?: ShadowYarnOptions | undefined,\n extra?: SpawnExtra | undefined,\n): Promise<ShadowYarnResult> {\n const {\n env: spawnEnv,\n ipc,\n ...spawnOpts\n } = { __proto__: null, ...options } as ShadowYarnOptions\n const terminatorPos = args.indexOf('--')\n const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n // Check if this is a command that needs security scanning\n const command = rawYarnArgs[0]\n const needsScanning =\n command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command))\n\n // Get yarn path\n const realYarnPath = await installLinks(constants.shadowBinPath, 'yarn')\n\n const permArgs: string[] = []\n\n const prefixArgs: string[] = []\n const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs]\n\n if (needsScanning && !rawYarnArgs.includes('--dry-run')) {\n const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n // Extract package names from command arguments before any downloads\n const packagePurls: string[] = []\n\n if (command === 'add' || command === 'dlx') {\n // For 'yarn add package1 package2@version' or 'yarn dlx package'\n const packageArgs = rawYarnArgs\n .slice(1)\n .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n for (const pkgSpec of packageArgs) {\n // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n let name: string\n let version: string | undefined\n\n if (pkgSpec.startsWith('@')) {\n // Scoped package: @scope/name or @scope/name@version\n const parts = pkgSpec.split('@')\n if (parts.length === 2) {\n // @scope/name (no version)\n name = pkgSpec\n } else {\n // @scope/name@version\n name = `@${parts[1]}`\n version = parts[2]\n }\n } else {\n // Regular package: name or name@version\n const atIndex = pkgSpec.indexOf('@')\n if (atIndex === -1) {\n name = pkgSpec\n } else {\n name = pkgSpec.slice(0, atIndex)\n version = pkgSpec.slice(atIndex + 1)\n }\n }\n\n if (name) {\n packagePurls.push(\n version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n )\n }\n }\n } else if (\n ['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)\n ) {\n // For install/upgrade, scan all dependencies from package.json\n // Note: This scans direct dependencies only. For full transitive dependency\n // scanning, yarn.lock parsing would be needed (not yet implemented)\n try {\n const packageJsonContent = await fs.readFile('package.json', 'utf8')\n const packageJson = JSON.parse(packageJsonContent)\n\n const allDeps = {\n ...packageJson.dependencies,\n ...packageJson.devDependencies,\n ...packageJson.optionalDependencies,\n ...packageJson.peerDependencies,\n }\n\n for (const [name, version] of Object.entries(allDeps)) {\n if (typeof version === 'string') {\n packagePurls.push(idToNpmPurl(`${name}@${version}`))\n } else {\n packagePurls.push(idToNpmPurl(name))\n }\n }\n\n if (isDebug()) {\n debugFn(\n 'notice',\n `scanning: ${packagePurls.length} direct dependencies from package.json`,\n )\n debugFn(\n 'notice',\n 'note: transitive dependencies not scanned (yarn.lock parsing not implemented)',\n )\n }\n } catch (e) {\n if (isDebug()) {\n debugFn(\n 'error',\n 'caught: package.json read error during dependency scanning',\n )\n debugDir('inspect', { error: e })\n }\n }\n }\n\n if (packagePurls.length > 0) {\n if (isDebug()) {\n debugFn('notice', 'scanning: packages before download')\n debugDir('inspect', { packagePurls })\n }\n\n try {\n const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n nothrow: true,\n filter: acceptRisks\n ? { actions: ['error'], blocked: true }\n : { actions: ['error', 'monitor', 'warn'] },\n })\n\n if (alertsMap.size) {\n process.exitCode = 1\n logAlertsMap(alertsMap, {\n hideAt: viewAllRisks ? 'none' : 'middle',\n output: process.stderr,\n })\n\n const errorMessage = `\nSocket yarn exiting due to risks.${\n viewAllRisks\n ? ''\n : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n }${\n acceptRisks\n ? ''\n : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n }`.trim()\n\n logger.error(errorMessage)\n // eslint-disable-next-line n/no-process-exit\n process.exit(1)\n // This line is never reached in production, but helps tests.\n throw new Error('process.exit called')\n }\n } catch (e) {\n // Re-throw process.exit errors from tests.\n if (e instanceof Error && e.message === 'process.exit called') {\n throw e\n }\n if (isDebug()) {\n debugFn('error', 'caught: package scanning error')\n debugDir('inspect', { error: e })\n }\n // Continue with installation if scanning fails\n }\n }\n\n if (isDebug()) {\n debugFn('notice', 'complete: scanning, proceeding with install')\n debugDir('inspect', { args: rawYarnArgs.slice(1) })\n }\n }\n\n const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n const env = {\n ...process.env,\n ...spawnEnv,\n } as Record<string, string>\n\n if (isDebug()) {\n debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`)\n }\n\n const spawnPromise = spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {\n ...spawnOpts,\n env,\n extra,\n })\n\n return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","name","version","packagePurls","debugFn","error","nothrow","blocked","actions","hideAt","logger","process","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;AAUO;AAIL;;AACQA;AAAM;;AAGZ;AACF;AAEA;;AAGE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACPA;AAQA;AAEe;;AAMXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;;AAEA;AACA;AACA;;AAGA;;;;;;;;;AAYE;;AAGA;AACE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AAGE;AACA;AACA;;;AAGE;AAEA;;;;AAIE;;AAGF;AACE;;AAEA;AACEA;AACF;AACF;;;AAOEC;AAIF;;;AAGEA;;AAIsBC;AAAS;AACjC;AACF;AACF;AAEA;;AAEID;;AACsBD;AAAa;AACrC;;AAGE;AACEG;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEP;;AACsBC;AAAS;AACjC;AACA;AACF;AACF;;AAGED;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"ff5e070d-ede1-4e55-b8e9-dfa667ad45a0"}

package/dist/socket-completion.bash CHANGED Viewed

File without changes