@socketsecurity/cli 0.14.134 → 0.14.136

package/dist/shadow-bin.js

@@ -8,57 +8,6 @@ const path = require('node:path')
 const vendor = require('./vendor.js')
 const shadowNpmPaths = require('./shadow-npm-paths.js')
 const constants = require('./constants.js')
-require('node:fs')
-require('node:os')
-require('node:fs/promises')
-require('node:buffer')
-require('node:util')
-require('node:path')
-require('node:fs')
-require('node:tty')
-require('node:https')
-require('node:http')
-require('node:url')
-require('node:process')
-require('node:events')
-require('node:http')
-require('node:https')
-require('node:readline')
-require('@socketsecurity/registry/lib/constants/abort-signal')
-require('node:util')
-require('node:url')
-require('node:fs/promises')
-require('node:child_process')
-require('node:os')
-require('node:tty')
-require('node:crypto')
-require('node:constants')
-require('node:stream')
-require('node:assert')
-require('node:stream')
-require('node:string_decoder')
-require('node:path/win32')
-require('node:module')
-require('node:events')
-require('node:buffer')
-require('node:string_decoder')
-require('node:child_process')
-require('node:module')
-require('@socketsecurity/registry/lib/logger')
-require('@socketsecurity/registry/lib/path')
-require('@socketsecurity/registry/lib/words')
-require('./shadow-npm-inject.js')
-require('@socketsecurity/registry/lib/arrays')
-require('@socketsecurity/registry')
-require('@socketsecurity/registry/lib/objects')
-require('@socketsecurity/registry/lib/constants')
-require('@socketsecurity/registry/lib/prompts')
-require('@socketsecurity/registry/lib/strings')
-require('@socketsecurity/registry/lib/fs')
-require('@socketsecurity/registry/lib/packages')
-require('node:timers/promises')
-require('@socketsecurity/registry/lib/sorts')
-require('@socketsecurity/registry/lib/env')
 
 const { CLI, NPX } = constants
 async function installLinks(realBinPath, binName) {
@@ -153,5 +102,5 @@ async function shadowBin(binName, args = process.argv.slice(2)) {
 }
 
 module.exports = shadowBin
-//# debugId=313e790a-5075-4e29-8eaf-c781fda83d6e
+//# debugId=c07c77d4-8583-4c6b-9a6a-0361d5c81ac7
 //# sourceMappingURL=shadow-bin.js.map

package/dist/shadow-bin.js.map

@@ -1 +1 @@
-{"version":3,"file":"shadow-bin.js","sources":["../src/shadow/npm/link.ts","../src/shadow/npm/bin.ts"],"sourcesContent":["import path from 'node:path'\nimport process from 'node:process'\n\nimport cmdShim from 'cmd-shim'\n\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed\n} from './paths'\nimport constants from '../../constants'\n\nconst { CLI, NPX } = constants\n\nexport async function installLinks(\n  realBinPath: string,\n  binName: 'npm' | 'npx'\n): Promise<string> {\n  const isNpx = binName === NPX\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  // Lazily access constants.WIN32.\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        // Lazily access constants.rootDistPath.\n        path.join(constants.rootDistPath, `${binName}-${CLI}.js`),\n        path.join(realBinPath, binName)\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${realBinPath}${path.delimiter}${env['PATH']}`\n  }\n  return binPath\n}\n","import process from 'node:process'\n\nimport { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n  isLoglevelFlag,\n  isProgressFlag\n} from '@socketsecurity/registry/lib/npm'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link'\nimport constants from '../../constants'\n\nconst { SOCKET_CLI_SAFE_BIN, SOCKET_CLI_SAFE_PROGRESS, SOCKET_IPC_HANDSHAKE } =\n  constants\n\nexport default async function shadowBin(\n  binName: 'npm' | 'npx',\n  args = process.argv.slice(2)\n) {\n  process.exitCode = 1\n  const useDebug = isDebug()\n  const terminatorPos = args.indexOf('--')\n  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const progressArg = rawBinArgs.findLast(isProgressFlag) !== '--no-progress'\n  const binArgs = rawBinArgs.filter(a => !isProgressFlag(a))\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const isSilent = !useDebug && !binArgs.some(isLoglevelFlag)\n  // The default value of loglevel is \"notice\". We default to \"error\" which is\n  // two levels quieter.\n  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeHardenFlags.\n      ...constants.nodeHardenFlags,\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      // Lazily access process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'].\n      ...(process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\n        ? [\n            '--require',\n            // Lazily access constants.distInstrumentWithSentryPath.\n            constants.distInstrumentWithSentryPath\n          ]\n        : []),\n      '--require',\n      // Lazily access constants.distShadowNpmInjectPath.\n      constants.distShadowNpmInjectPath,\n      // Lazily access constants.shadowBinPath.\n      await installLinks(constants.shadowBinPath, binName),\n      // Add '--no-progress' to fix input being swallowed by the npm spinner.\n      '--no-progress',\n      // Add '--loglevel=error' if a loglevel flag is not provided and the\n      // SOCKET_CLI_DEBUG environment variable is not truthy.\n      ...logLevelArgs,\n      ...binArgs,\n      ...otherArgs\n    ],\n    {\n      // 'inherit' + 'ipc'\n      stdio: [0, 1, 2, 'ipc']\n    }\n  )\n  // See https://nodejs.org/api/all.html#all_child_process_event-exit.\n  spawnPromise.process.on('exit', (code, signalName) => {\n    if (signalName) {\n      process.kill(process.pid, signalName)\n    } else if (code !== null) {\n      // eslint-disable-next-line n/no-process-exit\n      process.exit(code)\n    }\n  })\n  spawnPromise.process.send({\n    [SOCKET_IPC_HANDSHAKE]: {\n      [SOCKET_CLI_SAFE_BIN]: binName,\n      [SOCKET_CLI_SAFE_PROGRESS]: progressArg\n    }\n  })\n  await spawnPromise\n}\n"],"names":["NPX","WIN32","env","SOCKET_IPC_HANDSHAKE","constants","process","spawnPromise"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA;;AAAaA;AAAI;AAEV;AAIL;AACA;;AAEA;;AACQC;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;AACE;AACE;;AAIJ;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;AC9BA;;;AAAuDC;AAAqB;AAG7D;;AAKb;AACA;AACA;;AAEA;AACA;;AAEA;AACA;;;AAGE;;AAGE;;AAEA;;AAEA;;AASA;AACAC;AACA;AACA;AACA;;AAEA;AACA;;AAMA;;AAEF;AAEF;;AAEE;;AAEA;AACE;AACAC;AACF;AACF;AACAC;AACE;;AAEE;AACF;AACF;AACA;AACF;;","debugId":"313e790a-5075-4e29-8eaf-c781fda83d6e"}
+{"version":3,"file":"shadow-bin.js","sources":["../src/shadow/npm/link.ts","../src/shadow/npm/bin.ts"],"sourcesContent":["import path from 'node:path'\nimport process from 'node:process'\n\nimport cmdShim from 'cmd-shim'\n\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed\n} from './paths'\nimport constants from '../../constants'\n\nconst { CLI, NPX } = constants\n\nexport async function installLinks(\n  realBinPath: string,\n  binName: 'npm' | 'npx'\n): Promise<string> {\n  const isNpx = binName === NPX\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  // Lazily access constants.WIN32.\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        // Lazily access constants.rootDistPath.\n        path.join(constants.rootDistPath, `${binName}-${CLI}.js`),\n        path.join(realBinPath, binName)\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${realBinPath}${path.delimiter}${env['PATH']}`\n  }\n  return binPath\n}\n","import process from 'node:process'\n\nimport { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n  isLoglevelFlag,\n  isProgressFlag\n} from '@socketsecurity/registry/lib/npm'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link'\nimport constants from '../../constants'\n\nconst { SOCKET_CLI_SAFE_BIN, SOCKET_CLI_SAFE_PROGRESS, SOCKET_IPC_HANDSHAKE } =\n  constants\n\nexport default async function shadowBin(\n  binName: 'npm' | 'npx',\n  args = process.argv.slice(2)\n) {\n  process.exitCode = 1\n  const useDebug = isDebug()\n  const terminatorPos = args.indexOf('--')\n  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const progressArg = rawBinArgs.findLast(isProgressFlag) !== '--no-progress'\n  const binArgs = rawBinArgs.filter(a => !isProgressFlag(a))\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const isSilent = !useDebug && !binArgs.some(isLoglevelFlag)\n  // The default value of loglevel is \"notice\". We default to \"error\" which is\n  // two levels quieter.\n  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeHardenFlags.\n      ...constants.nodeHardenFlags,\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      // Lazily access process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'].\n      ...(process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\n        ? [\n            '--require',\n            // Lazily access constants.distInstrumentWithSentryPath.\n            constants.distInstrumentWithSentryPath\n          ]\n        : []),\n      '--require',\n      // Lazily access constants.distShadowNpmInjectPath.\n      constants.distShadowNpmInjectPath,\n      // Lazily access constants.shadowBinPath.\n      await installLinks(constants.shadowBinPath, binName),\n      // Add '--no-progress' to fix input being swallowed by the npm spinner.\n      '--no-progress',\n      // Add '--loglevel=error' if a loglevel flag is not provided and the\n      // SOCKET_CLI_DEBUG environment variable is not truthy.\n      ...logLevelArgs,\n      ...binArgs,\n      ...otherArgs\n    ],\n    {\n      // 'inherit' + 'ipc'\n      stdio: [0, 1, 2, 'ipc']\n    }\n  )\n  // See https://nodejs.org/api/all.html#all_child_process_event-exit.\n  spawnPromise.process.on('exit', (code, signalName) => {\n    if (signalName) {\n      process.kill(process.pid, signalName)\n    } else if (code !== null) {\n      // eslint-disable-next-line n/no-process-exit\n      process.exit(code)\n    }\n  })\n  spawnPromise.process.send({\n    [SOCKET_IPC_HANDSHAKE]: {\n      [SOCKET_CLI_SAFE_BIN]: binName,\n      [SOCKET_CLI_SAFE_PROGRESS]: progressArg\n    }\n  })\n  await spawnPromise\n}\n"],"names":["NPX","WIN32","env","SOCKET_IPC_HANDSHAKE","constants","process","spawnPromise"],"mappings":";;;;;;;;;;;AAaA;;AAAaA;AAAI;AAEV;AAIL;AACA;;AAEA;;AACQC;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;AACE;AACE;;AAIJ;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;AC9BA;;;AAAuDC;AAAqB;AAG7D;;AAKb;AACA;AACA;;AAEA;AACA;;AAEA;AACA;;;AAGE;;AAGE;;AAEA;;AAEA;;AASA;AACAC;AACA;AACA;AACA;;AAEA;AACA;;AAMA;;AAEF;AAEF;;AAEE;;AAEA;AACE;AACAC;AACF;AACF;AACAC;AACE;;AAEE;AACF;AACF;AACA;AACF;;","debugId":"c07c77d4-8583-4c6b-9a6a-0361d5c81ac7"}

package/dist/shadow-npm-inject.js

@@ -6,6 +6,7 @@ const vendor = require('./vendor.js')
 const logger = require('@socketsecurity/registry/lib/logger')
 const constants = require('./constants.js')
 const arrays = require('@socketsecurity/registry/lib/arrays')
+const packages = require('@socketsecurity/registry/lib/packages')
 const registry = require('@socketsecurity/registry')
 const objects = require('@socketsecurity/registry/lib/objects')
 const debug = require('@socketsecurity/registry/lib/debug')
@@ -16,48 +17,8 @@ const fs = require('node:fs')
 const os = require('node:os')
 const path = require('node:path')
 const fs$1 = require('@socketsecurity/registry/lib/fs')
-const packages = require('@socketsecurity/registry/lib/packages')
 const promises = require('node:timers/promises')
 const sorts = require('@socketsecurity/registry/lib/sorts')
-require('node:module')
-require('@socketsecurity/registry/lib/path')
-require('@socketsecurity/registry/lib/npm')
-require('@socketsecurity/registry/lib/words')
-require('./shadow-npm-inject.js')
-require('node:fs/promises')
-require('node:buffer')
-require('node:util')
-require('node:path')
-require('node:fs')
-require('node:tty')
-require('node:https')
-require('node:http')
-require('node:url')
-require('node:process')
-require('node:events')
-require('node:http')
-require('node:https')
-require('node:readline')
-require('@socketsecurity/registry/lib/constants/abort-signal')
-require('node:util')
-require('node:url')
-require('node:fs/promises')
-require('node:child_process')
-require('node:os')
-require('node:tty')
-require('node:crypto')
-require('node:constants')
-require('node:stream')
-require('node:assert')
-require('node:stream')
-require('node:string_decoder')
-require('node:path/win32')
-require('node:module')
-require('node:events')
-require('node:buffer')
-require('node:string_decoder')
-require('node:child_process')
-require('@socketsecurity/registry/lib/env')
 
 const { NPM: NPM$3, PNPM } = constants
 const PNPM_WORKSPACE = `${PNPM}-workspace`
@@ -662,7 +623,7 @@ async function setupSdk(
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
       name: 'socket',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: '0.14.134',
+      version: '0.14.136',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
       homepage: 'https://github.com/SocketDev/socket-cli'
     })
@@ -2365,10 +2326,11 @@ async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
   }
   const depTypes = vendor.libExports$1.detectDepTypes(lockfile)
   const purls = Object.keys(depTypes).map(id => {
-    const lastAtSignIndex = id.lastIndexOf('@')
-    const name = id.slice(0, lastAtSignIndex)
-    const version = id.slice(lastAtSignIndex + 1)
-    return `pkg:npm/${name}@${vendor.semverExports.coerce(version)}`
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
+      `pkg:npm/${id}`
+    )
+    const name = packages.resolvePackageName(purlObj)
+    return `pkg:npm/${name}@${vendor.semverExports.coerce(purlObj.version)}`
   })
   return await getAlertsMapFromPurls(purls, {
     overrides: lockfile.overrides,
@@ -2646,5 +2608,5 @@ exports.supportedConfigKeys = supportedConfigKeys
 exports.updateConfigValue = updateConfigValue
 exports.updateNode = updateNode
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode
-//# debugId=c11dabdd-174f-4ec7-a2e2-784eeeb79026
+//# debugId=9c835d76-48f0-4f82-a2c5-a1bbc9854cc9
 //# sourceMappingURL=shadow-npm-inject.js.map