@socketsecurity/cli 0.14.128 → 0.14.130
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/module-sync/arborist-helpers.d.ts +9 -10
- package/dist/module-sync/cli.js +285 -306
- package/dist/module-sync/cli.js.map +1 -1
- package/dist/module-sync/shadow-npm-inject.js +14 -34
- package/dist/module-sync/shadow-npm-inject.js.map +1 -1
- package/dist/require/cli.js +285 -306
- package/dist/require/cli.js.map +1 -1
- package/dist/require/shadow-npm-inject.js +14 -34
- package/dist/require/shadow-npm-inject.js.map +1 -1
- package/package.json +1 -1
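--- a/package/dist/module-sync/cli.js
+++ b/package/dist/module-sync/cli.js
@@ -917,7 +917,7 @@ function emitBanner(name) {
 logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-const cliVersion = '0.14.
+const cliVersion = '0.14.130:6d76a8a:75b17c6e:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
 const nodeVersion = process$1.version
 const apiToken = shadowNpmInject.getDefaultToken()
 const defaultOrg = shadowNpmInject.getConfigValue('defaultOrg')
@@ -3788,29 +3788,6 @@ async function gitBranchExists(branch, cwd = process.cwd()) {
 } catch {}
 return false
 }
-async function gitCheckoutBaseBranchIfAvailable(
-baseBranch,
-cwd = process.cwd()
-) {
-try {
-await gitHardReset()
-await spawn.spawn('git', ['fetch', '--depth=1', 'origin', baseBranch], {
-cwd
-})
-await spawn.spawn('git', ['checkout', baseBranch], {
-cwd
-})
-await spawn.spawn('git', ['reset', '--hard', `origin/${baseBranch}`], {
-cwd
-})
-logger.logger.info(`Checked out and reset to ${baseBranch}`)
-} catch (e) {
-logger.logger.warn(
-`Could not switch to ${baseBranch}. Proceeding with HEAD.`
-)
-debug.debugLog(e)
-}
-}
 async function gitCleanFdx(cwd = process.cwd()) {
 await spawn.spawn('git', ['clean', '-fdx'], {
 cwd
@@ -4005,45 +3982,69 @@ async function openGitHubPullRequest(
 throw new Error('Missing GITHUB_ACTIONS environment variable')
 }
 
+const CMD_NAME$1 = 'socket fix'
+const alertMapOptions = Object.freeze({
+consolidate: true,
+include: {
+existing: true,
+unfixable: false,
+upgradable: false
+},
+nothrow: true
+})
+function assignDefaultFixOptions(options) {
+if (options.autoPilot === undefined) {
+options.autoPilot = false
+}
+if (options.autoMerge === undefined) {
+options.autoMerge = !!options.autoPilot
+}
+if (options.cwd === undefined) {
+options.cwd = process.cwd()
+}
+if (options.rangeStyle === undefined) {
+options.rangeStyle = 'preserve'
+}
+if (options.test === undefined) {
+options.test = !!options.autoPilot || !!options.testScript
+}
+if (options.testScript === undefined) {
+options.testScript = 'test'
+}
+return options
+}
+
 const { CI: CI$1, NPM: NPM$f } = constants
 async function install$1(idealTree, options) {
 const { cwd = process.cwd() } = {
 __proto__: null,
 ...options
 }
-const
+const arb = new shadowNpmInject.Arborist({
 path: cwd
 })
-
-await
+arb.idealTree = idealTree
+await arb.reify()
 }
 async function npmFix(
 pkgEnvDetails,
 { autoMerge, cwd, purls, rangeStyle, spinner, test, testScript }
 ) {
-const { pkgPath: rootPath } = pkgEnvDetails
 spinner?.start()
+const { pkgPath: rootPath } = pkgEnvDetails
 const arb = new shadowNpmInject.SafeArborist({
 path: rootPath,
 ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
 })
 // Calling arb.reify() creates the arb.diff object and nulls-out arb.idealTree.
 await arb.reify()
-const alertMapOptions = {
-consolidate: true,
-include: {
-existing: true,
-unfixable: false,
-upgradable: false
-},
-nothrow: true
-}
 const alertsMap = purls.length
 ? await shadowNpmInject.getAlertsMapFromPurls(purls, alertMapOptions)
 : await shadowNpmInject.getAlertsMapFromArborist(arb, alertMapOptions)
 const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
 if (!infoByPkg) {
 spinner?.stop()
+logger.logger.info('No fixable vulnerabilities found.')
 return
 }
 
@@ -4059,123 +4060,104 @@ async function npmFix(
 pkgEnvDetails.editablePkgJson.filename
 ]
 for (const { 0: name, 1: infos } of infoByPkg) {
-
-if (
-spinner?.info(`
+debug.debugLog(`Processing vulnerable package: ${name}`)
+if (registry.getManifestData(NPM$f, name)) {
+spinner?.info(`Socket Optimize package for ${name} exists, skipping`)
+continue
+}
+if (!infos.length) {
+debug.debugLog(`No vulnerability info found for ${name}`)
 continue
 }
-arb.idealTree = null
 // eslint-disable-next-line no-await-in-loop
-await
-const oldVersions = arrays.arrayUnique(
-shadowNpmInject
-.findPackageNodes(arb.idealTree, name)
-.map(n => n.target?.version ?? n.version)
-.filter(Boolean)
-)
-const packument =
-oldVersions.length && infos.length
-? // eslint-disable-next-line no-await-in-loop
-await packages.fetchPackagePackument(name)
-: null
+const packument = await packages.fetchPackagePackument(name)
 if (!packument) {
+debug.debugLog(`No packument found for ${name}`)
 continue
 }
-const
+const availableVersions = Object.keys(packument.versions)
 const fixedSpecs = new Set()
-const installedSpecs = new Set()
-const testedSpecs = new Set()
-const unavailableSpecs = new Set()
-const revertedSpecs = new Set()
 for (const pkgJsonPath of pkgJsonPaths) {
+const pkgPath = path$1.dirname(pkgJsonPath)
+const isWorkspaceRoot =
+pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
+const workspaceName = isWorkspaceRoot
+? 'root'
+: path$1.relative(rootPath, pkgPath)
+debug.debugLog(`Checking workspace: ${workspaceName}`)
+arb.idealTree = null
+// eslint-disable-next-line no-await-in-loop
+await arb.buildIdealTree()
+const oldVersions = arrays.arrayUnique(
+shadowNpmInject
+.findPackageNodes(arb.idealTree, name)
+.map(n => n.target?.version ?? n.version)
+.filter(Boolean)
+)
+if (!oldVersions.length) {
+debug.debugLog(`Lockfile entries not found for ${name}`)
+continue
+}
+
+// Always re-read the editable package.json to avoid stale mutations
+// across iterations.
+// eslint-disable-next-line no-await-in-loop
+const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
+editable: true
+})
 for (const oldVersion of oldVersions) {
 const oldSpec = `${name}@${oldVersion}`
 const oldPurl = `pkg:npm/${oldSpec}`
+const node = shadowNpmInject.findPackageNode(
+arb.idealTree,
+name,
+oldVersion
+)
+if (!node) {
+debug.debugLog(`Arborist node not found, skipping ${oldSpec}`)
+continue
+}
 for (const {
 firstPatchedVersionIdentifier,
 vulnerableVersionRange
 } of infos) {
-const
-
-
-
-const node = shadowNpmInject.findPackageNode(
-arb.idealTree,
-name,
-oldVersion
+const newVersion = shadowNpmInject.findBestPatchVersion(
+node,
+availableVersions,
+vulnerableVersionRange
 )
-
-
-
-
-)
-continue
-}
-if (
-!shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
-) {
-if (!unavailableSpecs.has(oldSpec)) {
-unavailableSpecs.add(oldSpec)
-spinner?.fail(`No update available for ${oldSpec}`)
-}
+const newVersionPackument = newVersion
+? packument.versions[newVersion]
+: undefined
+if (!(newVersion && newVersionPackument)) {
+spinner?.fail(`No update found for ${oldSpec}.`)
 continue
 }
-const isWorkspaceRoot =
-pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
-const workspaceName = isWorkspaceRoot
-? ''
-: path$1.relative(rootPath, path$1.dirname(pkgJsonPath))
-const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
-const editablePkgJson = isWorkspaceRoot
-? pkgEnvDetails.editablePkgJson
-: // eslint-disable-next-line no-await-in-loop
-await packages.readPackageJson(pkgJsonPath, {
-editable: true
-})
-const newVersion = node.package.version
 const newVersionRange = shadowNpmInject.applyRange(
 oldVersion,
 newVersion,
 rangeStyle
 )
 const newSpec = `${name}@${newVersionRange}`
-const newSpecKey = `${workspaceName
-
-
-
-
-
-: undefined),
-...(editablePkgJson.content.optionalDependencies
-? {
-optionalDependencies:
-editablePkgJson.content.optionalDependencies
-}
-: undefined),
-...(editablePkgJson.content.peerDependencies
-? {
-peerDependencies: editablePkgJson.content.peerDependencies
-}
-: undefined)
+const newSpecKey = `${workspaceName}:${newSpec}`
+if (fixedSpecs.has(newSpecKey)) {
+debug.debugLog(
+`Already fixed ${newSpec} in ${workspaceName}, skipping`
+)
+continue
 }
-const
-
-
-
-
-
-
-
-
-
-const shouldOpenPr = isCi
-? // eslint-disable-next-line no-await-in-loop
-!(await doesPullRequestExistForBranch(owner, repo, branch))
-: false
-if (isCi) {
-// eslint-disable-next-line no-await-in-loop
-await gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)
+const revertData = {
+...(editablePkgJson.content.dependencies && {
+dependencies: editablePkgJson.content.dependencies
+}),
+...(editablePkgJson.content.optionalDependencies && {
+optionalDependencies: editablePkgJson.content.optionalDependencies
+}),
+...(editablePkgJson.content.peerDependencies && {
+peerDependencies: editablePkgJson.content.peerDependencies
+})
 }
+shadowNpmInject.updateNode(node, newVersion, newVersionPackument)
 shadowNpmInject.updatePackageJsonFromNode(
 editablePkgJson,
 arb.idealTree,
@@ -4183,105 +4165,110 @@ async function npmFix(
 newVersion,
 rangeStyle
 )
-let error
-let errored = false
-let saved = false
-
 // eslint-disable-next-line no-await-in-loop
-if (await editablePkgJson.save()) {
-
-
-
-
-spinner?.info(`Installing ${newSpec}${workspaceDetails}`)
+if (!(await editablePkgJson.save())) {
+debug.debugLog(
+`Nothing changed for ${workspaceName}, skipping install`
+)
+continue
 }
+spinner?.info(`Installing ${newSpec} in ${workspaceName}`)
+let error
+let errored = false
 try {
 // eslint-disable-next-line no-await-in-loop
 await install$1(arb.idealTree, {
 cwd
 })
 if (test) {
-
-testedSpecs.add(newSpecKey)
-spinner?.info(`Testing ${newSpec}${workspaceDetails}`)
-}
+spinner?.info(`Testing ${newSpec} in ${workspaceName}`)
 // eslint-disable-next-line no-await-in-loop
 await npm.runScript(testScript, [], {
 spinner,
 stdio: 'ignore'
 })
 }
-
-
-
-spinner?.start()
-}
+fixedSpecs.add(newSpecKey)
+spinner?.successAndStop(`Fixed ${name} in ${workspaceName}`)
+spinner?.start()
 } catch (e) {
-error = e
 errored = true
+error = e
 }
-
-
-
-// eslint-disable-next-line no-await-in-loop
-(await gitCreateAndPushBranchIfNeeded(
-branch,
-getSocketCommitMessage(oldPurl, newVersion, workspaceName),
-cwd
-))
-) {
-// eslint-disable-next-line no-await-in-loop
-const prResponse = await openGitHubPullRequest(
-owner,
-repo,
-baseBranch,
-branch,
+const baseBranch = isCi ? getBaseGitBranch() : ''
+if (!errored && isCi) {
+const branch = getSocketBranchName(
 oldPurl,
 newVersion,
-
-cwd,
-workspaceName
-}
+workspaceName
 )
-
-const {
-
-
+try {
+const { owner, repo } = getGitHubEnvRepoInfo()
+if (
+// eslint-disable-next-line no-await-in-loop
+(await doesPullRequestExistForBranch(owner, repo, branch)) ||
 // eslint-disable-next-line no-await-in-loop
-await
+!(await gitCreateAndPushBranchIfNeeded(
+branch,
+getSocketCommitMessage(oldPurl, newVersion, workspaceName),
+cwd
+))
+) {
+continue
 }
-
-
-
-
-
-
-
+// eslint-disable-next-line no-await-in-loop
+const prResponse = await openGitHubPullRequest(
+owner,
+repo,
+baseBranch,
+branch,
+oldPurl,
+newVersion,
+{
+cwd,
+workspaceName
+}
+)
+if (prResponse) {
+const { data } = prResponse
+spinner?.info(`Opened PR #${data.number}.`)
+if (autoMerge) {
+// eslint-disable-next-line no-await-in-loop
+await enableAutoMerge(data)
+}
 }
+} catch (e) {
+error = e
+errored = true
 }
-
-
-
+}
+if (isCi) {
+// eslint-disable-next-line no-await-in-loop
+await gitHardReset(baseBranch, cwd)
 // eslint-disable-next-line no-await-in-loop
-await
-shadowNpmInject.removeNodeModules(cwd),
-...(isCi
-? [gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)]
-: []),
-...(saved && !isCi ? [editablePkgJson.save()] : [])
-])
+await gitCleanFdx(cwd)
 // eslint-disable-next-line no-await-in-loop
-await install$1(
+await install$1(arb.idealTree, {
 cwd
 })
-
-
-
-
-
-
-
+}
+if (errored) {
+if (!isCi) {
+editablePkgJson.update(revertData)
+// eslint-disable-next-line no-await-in-loop
+await Promise.all([
+shadowNpmInject.removeNodeModules(cwd),
+editablePkgJson.save()
+])
+// eslint-disable-next-line no-await-in-loop
+await install$1(arb.idealTree, {
+cwd
+})
 }
+spinner?.failAndStop(
+`Update failed for ${oldSpec} in ${workspaceName}`,
+error
+)
 }
 }
 }
@@ -4435,25 +4422,29 @@ async function install(pkgEnvDetails, options) {
 })
 return await getActualTree(cwd)
 }
+async function readLockfile(pkgPath) {
+return await vendor.libExports$3.readWantedLockfile(pkgPath, {
+ignoreIncompatible: false
+})
+}
 async function pnpmFix(
 pkgEnvDetails,
 { autoMerge, cwd, purls, rangeStyle, spinner, test, testScript }
 ) {
+spinner?.start()
 const { pkgPath: rootPath } = pkgEnvDetails
-
-ignoreIncompatible: false
-})
+let lockfile = await readLockfile(rootPath)
 if (!lockfile) {
-
-
-
-
-
-
-
-
-
-
+await install(pkgEnvDetails, {
+cwd,
+spinner
+})
+lockfile = await readLockfile(rootPath)
+if (!lockfile) {
+spinner?.stop()
+logger.logger.error('Required pnpm-lock.yaml not found.')
+return
+}
 }
 const alertsMap = purls.length
 ? await shadowNpmInject.getAlertsMapFromPurls(purls, alertMapOptions)
@@ -4463,9 +4454,10 @@ async function pnpmFix(
 )
 const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
 if (!infoByPkg) {
+spinner?.stop()
+logger.logger.info('No fixable vulnerabilities found.')
 return
 }
-spinner?.start()
 
 // Lazily access constants.ENV[CI].
 const isCi = constants.ENV[CI]
@@ -4473,13 +4465,6 @@ async function pnpmFix(
 pkgEnvDetails.agent,
 rootPath
 )
-const baseBranch = isCi ? getBaseGitBranch() : ''
-const { owner, repo } = isCi
-? getGitHubEnvRepoInfo()
-: {
-owner: '',
-repo: ''
-}
 const pkgJsonPaths = [
 ...workspacePkgJsonPaths,
 // Process the workspace root last since it will add an override to package.json.
@@ -4488,44 +4473,52 @@ async function pnpmFix(
 for (const { 0: name, 1: infos } of infoByPkg) {
 debug.debugLog(`Processing vulnerable package: ${name}`)
 if (registry.getManifestData(NPM$c, name)) {
-spinner?.info(`
+spinner?.info(`Socket Optimize package for ${name} exists, skipping`)
+continue
+}
+if (!infos.length) {
+debug.debugLog(`No vulnerability info found for ${name}`)
+continue
+}
+// eslint-disable-next-line no-await-in-loop
+const packument = await packages.fetchPackagePackument(name)
+if (!packument) {
+debug.debugLog(`No packument found for ${name}`)
 continue
 }
+const availableVersions = Object.keys(packument.versions)
 const fixedSpecs = new Set()
 for (const pkgJsonPath of pkgJsonPaths) {
-
-
-// eslint-disable-next-line no-await-in-loop
-let actualTree = await getActualTree(cwd)
+const pkgPath = path$1.dirname(pkgJsonPath)
 const isWorkspaceRoot =
 pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
 const workspaceName = isWorkspaceRoot
 ? 'root'
-: path$1.relative(rootPath,
-
-? pkgEnvDetails.editablePkgJson
-: // eslint-disable-next-line no-await-in-loop
-await packages.readPackageJson(pkgJsonPath, {
-editable: true
-})
+: path$1.relative(rootPath, pkgPath)
+debug.debugLog(`Checking workspace: ${workspaceName}`)
 
-//
-
-const oldOverrides = oldPnpmSection?.[OVERRIDES$2]
+// eslint-disable-next-line no-await-in-loop
+let actualTree = await getActualTree(cwd)
 const oldVersions = arrays.arrayUnique(
 shadowNpmInject
 .findPackageNodes(actualTree, name)
 .map(n => n.target?.version ?? n.version)
 .filter(Boolean)
 )
-
-
-? // eslint-disable-next-line no-await-in-loop
-await packages.fetchPackagePackument(name)
-: null
-if (!packument) {
+if (!oldVersions.length) {
+debug.debugLog(`Lockfile entries not found for ${name}`)
 continue
 }
+
+// Always re-read the editable package.json to avoid stale mutations
+// across iterations.
+// eslint-disable-next-line no-await-in-loop
+const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
+editable: true
+})
+// Get current overrides for revert logic
+const oldPnpmSection = editablePkgJson.content[PNPM$8]
+const oldOverrides = oldPnpmSection?.[OVERRIDES$2]
 for (const oldVersion of oldVersions) {
 const oldSpec = `${name}@${oldVersion}`
 const oldPurl = `pkg:npm/${oldSpec}`
@@ -4535,14 +4528,13 @@ async function pnpmFix(
 oldVersion
 )
 if (!node) {
-debug.debugLog(`
+debug.debugLog(`Arborist node not found, skipping ${oldSpec}`)
 continue
 }
 for (const {
 firstPatchedVersionIdentifier,
 vulnerableVersionRange
 } of infos) {
-const availableVersions = Object.keys(packument.versions)
 const newVersion = shadowNpmInject.findBestPatchVersion(
 node,
 availableVersions,
@@ -4552,7 +4544,7 @@ async function pnpmFix(
 ? packument.versions[newVersion]
 : undefined
 if (!(newVersion && newVersionPackument)) {
-spinner?.fail(`No update
+spinner?.fail(`No update found for ${oldSpec}.`)
 continue
 }
 const overrideKey = `${name}@${vulnerableVersionRange}`
@@ -4608,28 +4600,27 @@ async function pnpmFix(
 if (updateData) {
 editablePkgJson.update(updateData)
 }
-
+shadowNpmInject.updatePackageJsonFromNode(
 editablePkgJson,
 actualTree,
 node,
 newVersion,
 rangeStyle
 )
-debug.debugLog(`Updated package.json from node: ${modded}`)
-
 // eslint-disable-next-line no-await-in-loop
 if (!(await editablePkgJson.save())) {
 debug.debugLog(
-`
+`Nothing changed for ${workspaceName}, skipping install`
 )
 continue
 }
 spinner?.info(`Installing ${newSpec} in ${workspaceName}`)
-let errored = false
 let error
+let errored = false
 try {
 // eslint-disable-next-line no-await-in-loop
 actualTree = await install(pkgEnvDetails, {
+cwd,
 spinner
 })
 if (test) {
@@ -4643,25 +4634,31 @@ async function pnpmFix(
 fixedSpecs.add(newSpecKey)
 spinner?.successAndStop(`Fixed ${name} in ${workspaceName}`)
 spinner?.start()
+} catch (e) {
+error = e
+errored = true
+}
+const baseBranch = isCi ? getBaseGitBranch() : ''
+if (!errored && isCi) {
 const branch = getSocketBranchName(
 oldPurl,
 newVersion,
 workspaceName
 )
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+try {
+const { owner, repo } = getGitHubEnvRepoInfo()
+if (
+// eslint-disable-next-line no-await-in-loop
+(await doesPullRequestExistForBranch(owner, repo, branch)) ||
+// eslint-disable-next-line no-await-in-loop
+!(await gitCreateAndPushBranchIfNeeded(
+branch,
+getSocketCommitMessage(oldPurl, newVersion, workspaceName),
+cwd
+))
+) {
+continue
+}
 // eslint-disable-next-line no-await-in-loop
 const prResponse = await openGitHubPullRequest(
 owner,
@@ -4677,41 +4674,46 @@ async function pnpmFix(
 )
 if (prResponse) {
 const { data } = prResponse
-spinner?.info(`PR #${data.number}
+spinner?.info(`Opened PR #${data.number}.`)
 if (autoMerge) {
 // eslint-disable-next-line no-await-in-loop
 await enableAutoMerge(data)
 }
 }
+} catch (e) {
+error = e
+errored = true
 }
-} catch (e) {
-error = e
-errored = true
 }
-if (
-editablePkgJson.update(revertData)
+if (isCi) {
 // eslint-disable-next-line no-await-in-loop
-await
-
-
-])
+await gitHardReset(baseBranch, cwd)
+// eslint-disable-next-line no-await-in-loop
+await gitCleanFdx(cwd)
 // eslint-disable-next-line no-await-in-loop
 actualTree = await install(pkgEnvDetails, {
+cwd,
 spinner
 })
+}
+if (errored) {
+if (!isCi) {
+editablePkgJson.update(revertData)
+// eslint-disable-next-line no-await-in-loop
+await Promise.all([
+shadowNpmInject.removeNodeModules(cwd),
+editablePkgJson.save()
+])
+// eslint-disable-next-line no-await-in-loop
+actualTree = await install(pkgEnvDetails, {
+cwd,
+spinner
+})
+}
 spinner?.failAndStop(
 `Update failed for ${oldSpec} in ${workspaceName}`,
 error
 )
-} else if (isCi) {
-// eslint-disable-next-line no-await-in-loop
-await gitHardReset(baseBranch, cwd)
-// eslint-disable-next-line no-await-in-loop
-await gitCleanFdx(cwd)
-// eslint-disable-next-line no-await-in-loop
-actualTree = await install(pkgEnvDetails, {
-spinner
-})
 }
 }
 }
@@ -4720,29 +4722,6 @@ async function pnpmFix(
 spinner?.stop()
 }
 
-const CMD_NAME$1 = 'socket fix'
-function assignDefaultFixOptions(options) {
-if (options.autoPilot === undefined) {
-options.autoPilot = false
-}
-if (options.autoMerge === undefined) {
-options.autoMerge = !!options.autoPilot
-}
-if (options.cwd === undefined) {
-options.cwd = process.cwd()
-}
-if (options.rangeStyle === undefined) {
-options.rangeStyle = 'preserve'
-}
-if (options.test === undefined) {
-options.test = !!options.autoPilot || !!options.testScript
-}
-if (options.testScript === undefined) {
-options.testScript = 'test'
-}
-return options
-}
-
 const {
 BINARY_LOCK_EXT,
 BUN: BUN$5,
@@ -12285,7 +12264,7 @@ void (async () => {
 await vendor.updater({
 name: SOCKET_CLI_BIN_NAME,
 // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-version: '0.14.
+version: '0.14.130',
 ttl: 86_400_000 /* 24 hours in milliseconds */
 })
 try {
@@ -12353,5 +12332,5 @@ void (async () => {
 await shadowNpmInject.captureException(e)
 }
 })()
-//# debugId=
+//# debugId=cff09185-7f8e-4487-ada1-cd5f599c6e2
 //# sourceMappingURL=cli.js.map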
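Review bot: The non-CI revert in npmFix's new `if (errored) { if (!isCi) { … } }` branch (hunk `@@ -4183,105 +4165,110 @@`) restores package.json from `revertData` but then reifies the same `arb.idealTree` that `shadowNpmInject.updateNode(node, newVersion, newVersionPackument)` was applied to earlier in the iteration, so if that call mutates the tree in place (its name suggests so; its body is not visible here) the restored manifest and the reinstalled node_modules/lockfile disagree and the upgraded version is silently left installed after a failed test run. Rebuild the tree from the saved manifest before reinstalling, i.e. add `arb.idealTree = null` and `await arb.buildIdealTree()` ahead of the revert's `await install$1(arb.idealTree, { cwd })`. The CI path in the same hunk has a related gap: `gitHardReset(baseBranch, cwd)` and `gitCleanFdx(cwd)` (the latter runs `git clean -fdx`, which deletes untracked and ignored files under `cwd`) now run without the try/catch the removed `gitCheckoutBaseBranchIfAvailable` had and are gated only by `isCi`, so a git failure escapes the loop mid-fix with the spinner still running, and any environment with `CI` set locally gets a destructive clean; wrap both calls in try/catch with `debug.debugLog(e)` as before and consider gating on the same `GITHUB_ACTIONS` check `openGitHubPullRequest` already enforces. npmFix's body begins outside this hunk.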