@socketsecurity/cli 0.14.40 → 0.14.41

package/dist/module-sync/npm-injection.js

@@ -13,78 +13,45 @@ var path = require('node:path');
 var process = require('node:process');
 var semver = _socketInterop(require('semver'));
 var registry = require('@socketsecurity/registry');
+var arrays = require('@socketsecurity/registry/lib/arrays');
 var objects = require('@socketsecurity/registry/lib/objects');
 var packages = require('@socketsecurity/registry/lib/packages');
 var prompts = require('@socketsecurity/registry/lib/prompts');
 var spinner = require('@socketsecurity/registry/lib/spinner');
+var constants = require('./constants.js');
 var events = require('node:events');
 var https = require('node:https');
 var readline = require('node:readline');
-var constants = require('./constants.js');
 var socketUrl = require('./socket-url.js');
-var fs = require('node:fs');
 var promises = require('node:timers/promises');
-var config = require('@socketsecurity/config');
 var pathResolve = require('./path-resolve.js');
+var fs = require('node:fs');
 var npa = _socketInterop(require('npm-package-arg'));
 
 const {
-  API_V0_URL,
   LOOP_SENTINEL: LOOP_SENTINEL$2,
-  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1,
-  abortSignal: abortSignal$2
+  NPM_REGISTRY_URL: NPM_REGISTRY_URL$1,
+  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1
 } = constants;
-async function* batchScan(pkgIds) {
-  const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
-    method: 'POST',
-    headers: {
-      Authorization: `Basic ${Buffer.from(`${socketUrl.getPublicToken()}:`).toString('base64url')}`
-    },
-    signal: abortSignal$2
-  }).end(JSON.stringify({
-    components: pkgIds.map(id => ({
-      purl: `pkg:npm/${id}`
-    }))
-  }));
-  const {
-    0: res
-  } = await events.once(req, 'response');
-  const ok = res.statusCode >= 200 && res.statusCode <= 299;
-  if (!ok) {
-    throw new Error(`Socket API Error: ${res.statusCode}`);
-  }
-  const rli = readline.createInterface(res);
-  for await (const line of rli) {
-    yield JSON.parse(line);
-  }
-}
-function isAlertFixable(alert) {
-  return alert.type === 'socketUpgradeAvailable' || isAlertFixableCve(alert);
-}
-function isAlertFixableCve(alert) {
-  const {
-    type
-  } = alert;
-  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'];
-}
-function toRepoUrl(resolved) {
+function getUrlOrigin(input) {
   try {
-    return URL.parse(resolved)?.origin ?? '';
+    return URL.parse(input)?.origin ?? '';
   } catch {}
   return '';
 }
-function walk(diff_, options) {
+function getPackagesToQueryFromDiff(diff_, options) {
   const {
     // Lazily access constants.IPC.
-    fix = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1]
+    includeUnchanged = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1],
+    includeUnknownOrigin = false
   } = {
     __proto__: null,
     ...options
   };
-  const needInfoOn = [];
+  const details = [];
   // `diff_` is `null` when `npm install --package-lock-only` is passed.
   if (!diff_) {
-    return needInfoOn;
+    return details;
   }
   const queue = [...diff_.children];
   let pos = 0;
@@ -114,25 +81,28 @@ function walk(diff_, options) {
         if (pkgNode?.package.version !== oldNode?.package.version) {
           keep = true;
           if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
-            existing = oldNode.pkgid;
+            existing = oldNode;
           }
         }
       } else {
         keep = action !== 'REMOVE';
       }
       if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        needInfoOn.push({
-          existing,
-          pkgid: pkgNode.pkgid,
-          repository_url: toRepoUrl(pkgNode.resolved)
-        });
+        const origin = getUrlOrigin(pkgNode.resolved);
+        if (includeUnknownOrigin || origin === NPM_REGISTRY_URL$1) {
+          details.push({
+            node: pkgNode,
+            origin,
+            existing
+          });
+        }
       }
     }
     for (const child of diff.children) {
       queue[queueLength++] = child;
     }
   }
-  if (fix) {
+  if (includeUnchanged) {
     const {
       unchanged
     } = diff_;
@@ -140,14 +110,55 @@ function walk(diff_, options) {
         length
       } = unchanged; i < length; i += 1) {
       const pkgNode = unchanged[i];
-      needInfoOn.push({
-        existing: pkgNode.pkgid,
-        pkgid: pkgNode.pkgid,
-        repository_url: toRepoUrl(pkgNode.resolved)
-      });
+      const origin = getUrlOrigin(pkgNode.resolved);
+      if (includeUnknownOrigin || origin === NPM_REGISTRY_URL$1) {
+        details.push({
+          node: pkgNode,
+          origin,
+          existing: pkgNode
+        });
+      }
     }
   }
-  return needInfoOn;
+  return details;
+}
+
+const {
+  API_V0_URL,
+  abortSignal: abortSignal$2
+} = constants;
+async function* batchScan(pkgIds) {
+  const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Basic ${Buffer.from(`${socketUrl.getPublicToken()}:`).toString('base64url')}`
+    },
+    signal: abortSignal$2
+  }).end(JSON.stringify({
+    components: pkgIds.map(id => ({
+      purl: `pkg:npm/${id}`
+    }))
+  }));
+  const {
+    0: res
+  } = await events.once(req, 'response');
+  const ok = res.statusCode >= 200 && res.statusCode <= 299;
+  if (!ok) {
+    throw new Error(`Socket API Error: ${res.statusCode}`);
+  }
+  const rli = readline.createInterface(res);
+  for await (const line of rli) {
+    yield JSON.parse(line);
+  }
+}
+function isArtifactAlertCveFixable(alert) {
+  const {
+    type
+  } = alert;
+  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'];
+}
+function isArtifactAlertFixable(alert) {
+  return alert.type === 'socketUpgradeAvailable' || isArtifactAlertCveFixable(alert);
 }
 
 const {
@@ -165,37 +176,6 @@ const WARN_UX = {
   block: false,
   display: true
 };
-function findSocketYmlSync() {
-  let prevDir = null;
-  let dir = process.cwd();
-  while (dir !== prevDir) {
-    let ymlPath = path.join(dir, 'socket.yml');
-    let yml = maybeReadfileSync(ymlPath);
-    if (yml === undefined) {
-      ymlPath = path.join(dir, 'socket.yaml');
-      yml = maybeReadfileSync(ymlPath);
-    }
-    if (typeof yml === 'string') {
-      try {
-        return {
-          path: ymlPath,
-          parsed: config.parseSocketConfig(yml)
-        };
-      } catch {
-        throw new Error(`Found file but was unable to parse ${ymlPath}`);
-      }
-    }
-    prevDir = dir;
-    dir = path.join(dir, '..');
-  }
-  return null;
-}
-function maybeReadfileSync(filepath) {
-  try {
-    return fs.readFileSync(filepath, 'utf8');
-  } catch {}
-  return undefined;
-}
 
 // Iterates over all entries with ordered issue rule for deferral.  Iterates over
 // all issue rules and finds the first defined value that does not defer otherwise
@@ -374,7 +354,7 @@ void (async () => {
       settings.entries.splice(i, 1);
     }
   }
-  const socketYml = findSocketYmlSync();
+  const socketYml = socketUrl.findSocketYmlSync();
   if (socketYml) {
     settings.entries.push({
       start: socketYml.path,
@@ -417,7 +397,6 @@ const arboristDepValidPath = path.join(arboristPkgPath, 'lib/dep-valid.js');
 const arboristEdgeClassPath = path.join(arboristPkgPath, 'lib/edge.js');
 const arboristNodeClassPath = path.join(arboristPkgPath, 'lib/node.js');
 const arboristOverrideSetClassPath = path.join(arboristPkgPath, 'lib/override-set.js');
-const pacotePath = path.join(npmNmPath, 'pacote');
 
 const depValid = require(arboristDepValidPath);
 
@@ -1083,7 +1062,7 @@ class SafeEdge extends Edge {
       this.#safeError = null;
     }
     // Patch adding "else if" condition based on
-    // https://github.com/npm/cli/pull/7025
+    // https://github.com/npm/cli/pull/7025.
     else if (oldOverrideSet) {
       // Propagate the new override set to the target node.
       this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
@@ -1134,7 +1113,6 @@ class SafeEdge extends Edge {
   }
 }
 
-const pacote = require(pacotePath);
 const {
   LOOP_SENTINEL,
   NPM,
@@ -1161,22 +1139,22 @@ function findBestPatchVersion(name, availableVersions, currentMajorVersion, vuln
   // Use semver to find the max satisfying version.
   return semver.maxSatisfying(eligibleVersions, '*');
 }
-function findPackage(tree, packageName) {
+function findPackageNodes(tree, packageName) {
   const queue = [{
     node: tree
   }];
+  const matches = [];
   let sentinel = 0;
   while (queue.length) {
     if (sentinel++ === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop in findPackage');
+      throw new Error('Detected infinite loop in findPackageNodes');
     }
     const {
       node: currentNode
     } = queue.pop();
     const node = currentNode.children.get(packageName);
     if (node) {
-      // Found package.
-      return node;
+      matches.push(node);
     }
     const children = [...currentNode.children.values()];
     for (let i = children.length - 1; i >= 0; i -= 1) {
@@ -1185,18 +1163,19 @@ function findPackage(tree, packageName) {
       });
     }
   }
-  return null;
+  return matches;
 }
-async function getPackagesAlerts(safeArb, pkgs, options) {
+async function getPackagesAlerts(details, options) {
   let {
     length: remaining
-  } = pkgs;
+  } = details;
   const packageAlerts = [];
   if (!remaining) {
     return packageAlerts;
   }
   const {
-    fixable,
+    includeExisting = false,
+    includeUnfixable = true,
     output
   } = {
     __proto__: null,
@@ -1208,7 +1187,7 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
   const getText = spinner$1 ? () => `Looking up data for ${remaining} packages` : () => '';
   spinner$1?.start(getText());
   try {
-    for await (const artifact of batchScan(pkgs.map(p => p.pkgid))) {
+    for await (const artifact of batchScan(arrays.arrayUnique(details.map(d => d.node.pkgid)))) {
       if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
         continue;
       }
@@ -1217,7 +1196,6 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
       } = artifact;
       const name = packages.resolvePackageName(artifact);
       const id = `${name}@${artifact.version}`;
-      let blocked = false;
       let displayWarning = false;
       let alerts = [];
       for (const alert of artifact.alerts) {
@@ -1231,15 +1209,12 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
             type: alert.type
           }
         });
-        if (ux.block) {
-          blocked = true;
-        }
         if (ux.display && output) {
           displayWarning = true;
         }
         if (ux.block || ux.display) {
-          const isFixable = isAlertFixable(alert);
-          if (!fixable || isFixable) {
+          const fixable = isArtifactAlertFixable(alert);
+          if (includeUnfixable || fixable) {
             alerts.push({
               name,
               version,
@@ -1247,38 +1222,27 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
               type: alert.type,
               block: ux.block,
               raw: alert,
-              fixable: isFixable
+              fixable
             });
           }
           // Lazily access constants.IPC.
-          if (!fixable && !constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]) {
+          if (includeExisting && !constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]) {
             // Before we ask about problematic issues, check to see if they
             // already existed in the old version if they did, be quiet.
-            const existing = pkgs.find(p => p.existing?.startsWith(`${name}@`))?.existing;
+            const existing = details.find(d => d.existing?.pkgid.startsWith(`${name}@`))?.existing;
             if (existing) {
               const oldArtifact =
               // eslint-disable-next-line no-await-in-loop
-              (await batchScan([existing]).next()).value;
+              (await batchScan([existing.pkgid]).next()).value;
               if (oldArtifact?.alerts?.length) {
                 alerts = alerts.filter(({
                   type
-                }) => !oldArtifact.alerts?.find(a => a.type === type));
+                }) => !oldArtifact.alerts.find(a => a.type === type));
               }
             }
           }
         }
       }
-      if (!blocked) {
-        const pkg = pkgs.find(p => p.pkgid === id);
-        if (pkg) {
-          await pacote.tarball.stream(id, stream => {
-            stream.resume();
-            return stream.promise();
-          }, {
-            ...safeArb[kCtorArgs][0]
-          });
-        }
-      }
       if (displayWarning && spinner$1) {
         spinner$1.stop(`(socket) ${formatter.hyperlink(id, socketUrl.getSocketDevPackageOverviewUrl(NPM, name, version))} contains risks:`);
       }
@@ -1324,23 +1288,23 @@ function getTranslations() {
   }
   return _translations;
 }
-function packageAlertsToReport(alerts) {
-  let report = null;
+async function updateAdvisoryDependencies(arb, alerts) {
+  let alertsByPkg;
   for (const alert of alerts) {
-    if (!isAlertFixableCve(alert.raw)) {
+    if (!isArtifactAlertCveFixable(alert.raw)) {
       continue;
     }
+    if (!alertsByPkg) {
+      alertsByPkg = {};
+    }
     const {
       name
     } = alert;
-    if (!report) {
-      report = {};
-    }
-    if (!report[name]) {
-      report[name] = [];
+    if (!alertsByPkg[name]) {
+      alertsByPkg[name] = [];
     }
     const props = alert.raw?.props;
-    report[name].push({
+    alertsByPkg[name].push({
       id: -1,
       url: props?.url,
       title: props?.title,
@@ -1351,92 +1315,89 @@ function packageAlertsToReport(alerts) {
       name
     });
   }
-  return report;
-}
-async function updateAdvisoryDependencies(arb, alerts) {
-  const report = packageAlertsToReport(alerts);
-  if (!report) {
+  if (!alertsByPkg) {
     // No advisories to process.
     return;
   }
   await arb.buildIdealTree();
   const tree = arb.idealTree;
-  for (const name of Object.keys(report)) {
-    const advisories = report[name];
-    const node = findPackage(tree, name);
-    if (!node) {
-      // Package not found in the tree.
+  for (const name of Object.keys(alertsByPkg)) {
+    const nodes = findPackageNodes(tree, name);
+    if (!nodes.length) {
       continue;
     }
-    const {
-      version
-    } = node;
-    const majorVerNum = semver.major(version);
-
     // Fetch packument to get available versions.
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
-    const availableVersions = packument ? Object.keys(packument.versions) : [];
-    for (const advisory of advisories) {
-      const {
-        vulnerable_versions
-      } = advisory;
-      // Find the highest non-vulnerable version within the same major range
-      const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerable_versions);
-      const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
-      // Check !targetVersion to make TypeScript happy.
-      if (!targetVersion || !targetPackument) {
-        // No suitable patch version found.
-        continue;
-      }
-
-      // Use Object.defineProperty to override the version.
-      Object.defineProperty(node, 'version', {
-        configurable: true,
-        enumerable: true,
-        get: () => targetVersion
-      });
-      node.package.version = targetVersion;
-      // Update resolved and clear integrity for the new version.
-      node.resolved = `${NPM_REGISTRY_URL}/${name}/-/${name}-${targetVersion}.tgz`;
-      if (node.integrity) {
-        delete node.integrity;
-      }
-      if ('deprecated' in targetPackument) {
-        node.package['deprecated'] = targetPackument.deprecated;
-      } else {
-        delete node.package['deprecated'];
-      }
-      const newDeps = {
-        ...targetPackument.dependencies
-      };
+    for (const node of nodes) {
       const {
-        dependencies: oldDeps
-      } = node.package;
-      node.package.dependencies = newDeps;
-      if (oldDeps) {
-        for (const oldDepName of Object.keys(oldDeps)) {
-          if (!objects.hasOwn(newDeps, oldDepName)) {
-            node.edgesOut.get(oldDepName)?.detach();
+        version
+      } = node;
+      const majorVerNum = semver.major(version);
+      const availableVersions = packument ? Object.keys(packument.versions) : [];
+      const pkgAlerts = alertsByPkg[name];
+      for (const alert of pkgAlerts) {
+        const {
+          vulnerable_versions
+        } = alert;
+        // Find the highest non-vulnerable version within the same major range
+        const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerable_versions);
+        const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+        // Check !targetVersion to make TypeScript happy.
+        if (!targetVersion || !targetPackument) {
+          // No suitable patch version found.
+          continue;
+        }
+        // Use Object.defineProperty to override the version.
+        Object.defineProperty(node, 'version', {
+          configurable: true,
+          enumerable: true,
+          get: () => targetVersion
+        });
+        node.package.version = targetVersion;
+        // Update resolved and clear integrity for the new version.
+        node.resolved = `${NPM_REGISTRY_URL}/${name}/-/${name}-${targetVersion}.tgz`;
+        if (node.integrity) {
+          delete node.integrity;
+        }
+        if ('deprecated' in targetPackument) {
+          node.package['deprecated'] = targetPackument.deprecated;
+        } else {
+          delete node.package['deprecated'];
+        }
+        const newDeps = {
+          ...targetPackument.dependencies
+        };
+        const {
+          dependencies: oldDeps
+        } = node.package;
+        node.package.dependencies = newDeps;
+        if (oldDeps) {
+          for (const oldDepName of Object.keys(oldDeps)) {
+            if (!objects.hasOwn(newDeps, oldDepName)) {
+              node.edgesOut.get(oldDepName)?.detach();
+            }
           }
         }
-      }
-      for (const newDepName of Object.keys(newDeps)) {
-        if (!objects.hasOwn(oldDeps, newDepName)) {
-          node.addEdgeOut(new Edge({
-            from: node,
-            name: newDepName,
-            spec: newDeps[newDepName],
-            type: 'prod'
-          }));
+        for (const newDepName of Object.keys(newDeps)) {
+          if (!objects.hasOwn(oldDeps, newDepName)) {
+            node.addEdgeOut(new Edge({
+              from: node,
+              name: newDepName,
+              spec: newDeps[newDepName],
+              type: 'prod'
+            }));
+          }
         }
       }
     }
   }
 }
 async function reify(...args) {
-  const needInfoOn = await walk(this.diff);
-  if (!needInfoOn.length || needInfoOn.findIndex(c => c.repository_url === NPM_REGISTRY_URL) === -1) {
+  // We are assuming `this[_diffTrees]()` has been called by `super.reify(...)`:
+  // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/reify.js#L141
+  const needInfoOn = getPackagesToQueryFromDiff(this.diff);
+  if (!needInfoOn.length) {
     // Nothing to check, hmmm already installed or all private?
     return await this[kRiskyReify](...args);
   }
@@ -1449,64 +1410,54 @@ async function reify(...args) {
     stderr: output,
     stdin: input
   } = process;
-  let alerts;
-  const proceed = bypassAlerts || (await (async () => {
-    alerts = await getPackagesAlerts(this, needInfoOn, {
-      output
-    });
-    if (bypassConfirms || !alerts.length) {
+  let alerts = bypassAlerts ? [] : await getPackagesAlerts(needInfoOn, {
+    output
+  });
+  if (alerts.length && !bypassConfirms && !(await prompts.confirm({
+    message: 'Accept risks of installing these packages?',
+    default: false
+  }, {
+    input,
+    output,
+    signal: abortSignal
+  }))) {
+    throw new Error('Socket npm exiting due to risks');
+  }
+  if (!alerts.length || !bypassConfirms && !(await prompts.confirm({
+    message: 'Try to fix alerts?',
+    default: true
+  }, {
+    input,
+    output,
+    signal: abortSignal
+  }))) {
+    return await this[kRiskyReify](...args);
+  }
+  const prev = new Set(alerts.map(a => a.key));
+  let ret;
+  /* eslint-disable no-await-in-loop */
+  while (alerts.length > 0) {
+    await updateAdvisoryDependencies(this, alerts);
+    ret = await this[kRiskyReify](...args);
+    await this.loadActual();
+    await this.buildIdealTree();
+    alerts = (await getPackagesAlerts(getPackagesToQueryFromDiff(this.diff, {
+      includeUnchanged: true
+    }), {
+      includeExisting: true,
+      includeUnfixable: true
+    })).filter(({
+      key
+    }) => {
+      if (prev.has(key)) {
+        return false;
+      }
+      prev.add(key);
       return true;
-    }
-    return await prompts.confirm({
-      message: 'Accept risks of installing these packages?',
-      default: false
-    }, {
-      input,
-      output,
-      signal: abortSignal
     });
-  })());
-  if (proceed) {
-    const fix = !!alerts?.length && (bypassConfirms || (await prompts.confirm({
-      message: 'Try to fix alerts?',
-      default: true
-    }, {
-      input,
-      output,
-      signal: abortSignal
-    })));
-    if (fix) {
-      let ret;
-      const prev = new Set(alerts?.map(a => a.key));
-      /* eslint-disable no-await-in-loop */
-      while (alerts.length > 0) {
-        await updateAdvisoryDependencies(this, alerts);
-        ret = await this[kRiskyReify](...args);
-        await this.loadActual();
-        await this.buildIdealTree();
-        alerts = await getPackagesAlerts(this, await walk(this.diff, {
-          fix: true
-        }), {
-          fixable: true
-        });
-        alerts = alerts.filter(a => {
-          const {
-            key
-          } = a;
-          if (prev.has(key)) {
-            return false;
-          }
-          prev.add(key);
-          return true;
-        });
-      }
-      /* eslint-enable no-await-in-loop */
-      return ret;
-    }
-    return await this[kRiskyReify](...args);
-  } else {
-    throw new Error('Socket npm exiting due to risks');
   }
+  /* eslint-enable no-await-in-loop */
+  return ret;
 }
 
 const Arborist = require(arboristClassPath);
@@ -1556,8 +1507,6 @@ class SafeArborist extends Arborist {
     options.dryRun = true;
     options.save = false;
     options.saveBundle = false;
-    // TODO: Make this deal with any refactor to private fields by punching the
-    // class itself.
     await super.reify(...args);
     options.dryRun = old.dryRun;
     options.save = old.save;
@@ -1567,6 +1516,8 @@ class SafeArborist extends Arborist {
 }
 
 function installSafeArborist() {
+  // Override '@npmcli/arborist' module exports with patched variants based on
+  // https://github.com/npm/cli/pull/7025.
   const cache = require.cache;
   cache[arboristClassPath] = {
     exports: SafeArborist