@socketsecurity/cli 0.14.43 → 0.14.44

package/dist/module-sync/npm-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm-injection.js","sources":["../../src/shadow/arborist/index.ts","../../src/shadow/npm-injection.ts"],"sourcesContent":["import { SafeArborist } from './lib/arborist'\nimport { SafeEdge } from './lib/edge'\nimport { SafeNode } from './lib/node'\nimport { SafeOverrideSet } from './lib/override-set'\nimport {\n  getArboristClassPath,\n  getArboristEdgeClassPath,\n  getArboristNodeClassPath,\n  getArboristOverrideSetClassPath\n} from '../npm-paths'\n\nexport function installSafeArborist() {\n  // Override '@npmcli/arborist' module exports with patched variants based on\n  // https://github.com/npm/cli/pull/7025.\n  const cache: { [key: string]: any } = require.cache\n  cache[getArboristClassPath()] = { exports: SafeArborist }\n  cache[getArboristEdgeClassPath()] = { exports: SafeEdge }\n  cache[getArboristNodeClassPath()] = { exports: SafeNode }\n  cache[getArboristOverrideSetClassPath()] = { exports: SafeOverrideSet }\n}\n","import { installSafeArborist } from './arborist'\n\ninstallSafeArborist()\n"],"names":["cache","exports","installSafeArborist"],"mappings":";;;;;AAWO;AACL;AACA;AACA;AACAA;AAAkCC;;AAClCD;AAAsCC;;AACtCD;AAAsCC;;AACtCD;AAA6CC;;AAC/C;;ACjBAC","debugId":"dac61d14-9648-405b-a9b5-46614799a46c"}

package/dist/module-sync/npm-paths.d.ts

@@ -1,14 +1,15 @@
+/// <reference types="node" />
 declare function directoryPatterns(): string[];
 declare function getNpmBinPath(): string;
 declare function isNpmBinPathShadowed(): boolean;
 declare function getNpxBinPath(): string;
 declare function isNpxBinPathShadowed(): boolean;
 declare function getNpmPath(): string;
-declare function getNpmNodeModulesPath(): string;
+declare function getNpmRequire(): NodeJS.Require;
 declare function getArboristPackagePath(): string;
 declare function getArboristClassPath(): string;
 declare function getArboristDepValidPath(): string;
 declare function getArboristEdgeClassPath(): string;
 declare function getArboristNodeClassPath(): string;
 declare function getArboristOverrideSetClassPath(): string;
-export { directoryPatterns, getNpmBinPath, isNpmBinPathShadowed, getNpxBinPath, isNpxBinPathShadowed, getNpmPath, getNpmNodeModulesPath, getArboristPackagePath, getArboristClassPath, getArboristDepValidPath, getArboristEdgeClassPath, getArboristNodeClassPath, getArboristOverrideSetClassPath };
+export { directoryPatterns, getNpmBinPath, isNpmBinPathShadowed, getNpxBinPath, isNpxBinPathShadowed, getNpmPath, getNpmRequire, getArboristPackagePath, getArboristClassPath, getArboristDepValidPath, getArboristEdgeClassPath, getArboristNodeClassPath, getArboristOverrideSetClassPath };

package/dist/module-sync/npm-paths.js

@@ -10,8 +10,10 @@ function _socketInterop(e) {
 }
 
 var fs = require('node:fs');
+var Module = require('node:module');
 var path = require('node:path');
 var process = require('node:process');
+var path$1 = require('@socketsecurity/registry/lib/path');
 var constants = require('./constants.js');
 var ignore = _socketInterop(require('ignore'));
 var micromatch = _socketInterop(require('micromatch'));
@@ -21,19 +23,25 @@ var colors = _socketInterop(require('yoctocolors-cjs'));
 var isUnicodeSupported = require('@socketregistry/is-unicode-supported/index.cjs');
 var spinner = require('@socketsecurity/registry/lib/spinner');
 
-const logSymbols = isUnicodeSupported() ? {
-  __proto__: null,
-  info: colors.blue('ℹ'),
-  success: colors.green('✔'),
-  warning: colors.yellow('⚠'),
-  error: colors.red('✖️')
-} : {
-  __proto__: null,
-  info: colors.blue('i'),
-  success: colors.green('√'),
-  warning: colors.yellow('‼'),
-  error: colors.red('×')
-};
+let _logSymbols;
+function getLogSymbols() {
+  if (_logSymbols === undefined) {
+    _logSymbols = isUnicodeSupported() ? {
+      __proto__: null,
+      info: colors.blue('ℹ'),
+      success: colors.green('✔'),
+      warning: colors.yellow('⚠'),
+      error: colors.red('✖️')
+    } : {
+      __proto__: null,
+      info: colors.blue('i'),
+      success: colors.green('√'),
+      warning: colors.yellow('‼'),
+      error: colors.red('×')
+    };
+  }
+  return _logSymbols;
+}
 class Logger {
   #spinnerLogger;
   constructor() {
@@ -57,7 +65,7 @@ function isDebug() {
 }
 function debugLog(...args) {
   if (isDebug()) {
-    console.error(logSymbols.info, ...args);
+    console.error(getLogSymbols().info, ...args);
   }
 }
 
@@ -89,11 +97,12 @@ function directoryPatterns() {
 }
 
 const {
+  NODE_MODULES: NODE_MODULES$1,
   NPM: NPM$1,
   shadowBinPath
 } = constants;
 async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
-  const patterns = ['golang', NPM$1, 'pypi'].reduce((r, n) => {
+  const patterns = ['golang', NPM$1, 'maven', 'pypi'].reduce((r, n) => {
     const supported = supportedFiles[n];
     r.push(...(supported ? Object.values(supported).map(p => `**/${p.pattern}`) : []));
     return r;
@@ -131,6 +140,9 @@ async function globWithGitIgnore(patterns, options) {
   const {
     absolute
   } = globOptions;
+
+  // Note: the input files must be INSIDE the cwd. If you get strange looking
+  // relative path errors here, most likely your path is outside the given cwd.
   const filtered = ignore().add(ignores).filter(absolute ? result.map(p => path.relative(cwd, p)) : result);
   return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered;
 }
@@ -187,31 +199,59 @@ function findBinPathDetailsSync(binName) {
     all: true,
     nothrow: true
   }) ?? [];
-  const binPath = bins.find((binPath, i) => {
+  let binPath;
+  for (let i = 0, {
+      length
+    } = bins; i < length; i += 1) {
+    const bin = fs.realpathSync.native(bins[i]);
     // Skip our bin directory if it's in the front.
-    if (fs.realpathSync(path.dirname(binPath)) === shadowBinPath) {
+    if (path.dirname(bin) === shadowBinPath) {
       shadowIndex = i;
-      return false;
+    } else {
+      binPath = bin;
+      break;
     }
-    return true;
-  });
+  }
   return {
     name: binName,
     path: binPath,
     shadowed: shadowIndex !== -1
   };
 }
-function findNpmPathSync(filepath) {
-  let curPath = filepath;
+function findNpmPathSync(npmBinPath) {
+  let thePath = npmBinPath;
   while (true) {
-    if (path.basename(curPath) === NPM$1) {
-      return curPath;
+    const nmPath = path.join(thePath, NODE_MODULES$1);
+    if (
+    // npm bin paths may look like:
+    // /usr/local/share/npm/bin/npm
+    // /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm
+    // C:\Users\SomeUsername\AppData\Roaming\npm\bin\npm.cmd
+    // OR
+    // C:\Program Files\nodejs\npm.cmd
+    //
+    // In all cases the npm path contains a node_modules folder:
+    // /usr/local/share/npm/bin/npm/node_modules
+    // C:\Program Files\nodejs\node_modules
+    //
+    // Use existsSync here because statsSync, even with { throwIfNoEntry: false },
+    // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.
+    // See https://github.com/nodejs/node/issues/56993.
+    fs.existsSync(nmPath) && fs.statSync(nmPath, {
+      throwIfNoEntry: false
+    })?.isDirectory() && (
+    // Optimistically look for the default location.
+    path.basename(thePath) === NPM$1 ||
+    // Chocolatey installs npm bins in the same directory as node bins.
+    // Lazily access constants.WIN32.
+    constants.WIN32 && fs.existsSync(path.join(thePath, `${NPM$1}.cmd`)))) {
+      return thePath;
     }
-    const parent = path.dirname(curPath);
-    if (parent === curPath) {
+    const parent = path.dirname(thePath);
+    if (parent === thePath) {
       return undefined;
     }
-    curPath = parent;
+    thePath = parent;
   }
 }
 async function getPackageFiles(cwd, inputPaths, config, supportedFiles) {
@@ -291,14 +331,15 @@ function isNpxBinPathShadowed() {
 let _npmPath;
 function getNpmPath() {
   if (_npmPath === undefined) {
-    const npmEntrypoint = path.dirname(fs.realpathSync.native(getNpmBinPath()));
-    _npmPath = findNpmPathSync(npmEntrypoint);
+    const npmBinPath = getNpmBinPath();
+    _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined;
     if (!_npmPath) {
-      console.error(`Unable to find npm CLI install directory.
-    Searched parent directories of ${npmEntrypoint}.
-
-    This is may be a bug with socket-npm related to changes to the npm CLI.
-    Please report to ${SOCKET_CLI_ISSUES_URL}.`);
+      let message = 'Unable to find npm CLI install directory.';
+      if (npmBinPath) {
+        message += `\nSearched parent directories of ${path.dirname(npmBinPath)}.`;
+      }
+      message += `\n\nThis is may be a bug with socket-npm related to changes to the npm CLI.\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`;
+      console.error(message);
       // The exit code 127 indicates that the command or binary being executed
       // could not be found.
       process.exit(127);
@@ -306,17 +347,23 @@ function getNpmPath() {
   }
   return _npmPath;
 }
-let _npmNmPath;
-function getNpmNodeModulesPath() {
-  if (_npmNmPath === undefined) {
-    _npmNmPath = path.join(getNpmPath(), NODE_MODULES);
+let _npmRequire;
+function getNpmRequire() {
+  if (_npmRequire === undefined) {
+    const npmPath = getNpmPath();
+    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM);
+    _npmRequire = Module.createRequire(path.join(fs.existsSync(npmNmPath) ? npmNmPath : npmPath, '<dummy-basename>'));
   }
-  return _npmNmPath;
+  return _npmRequire;
 }
 let _arboristPkgPath;
 function getArboristPackagePath() {
   if (_arboristPkgPath === undefined) {
-    _arboristPkgPath = path.join(getNpmNodeModulesPath(), '@npmcli/arborist');
+    const pkgName = '@npmcli/arborist';
+    const mainPathWithForwardSlashes = path$1.normalizePath(getNpmRequire().resolve(pkgName));
+    const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(0, mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length);
+    // Lazily access constants.WIN32.
+    _arboristPkgPath = constants.WIN32 ? path.normalize(arboristPkgPathWithForwardSlashes) : arboristPkgPathWithForwardSlashes;
   }
   return _arboristPkgPath;
 }
@@ -362,13 +409,15 @@ exports.getArboristDepValidPath = getArboristDepValidPath;
 exports.getArboristEdgeClassPath = getArboristEdgeClassPath;
 exports.getArboristNodeClassPath = getArboristNodeClassPath;
 exports.getArboristOverrideSetClassPath = getArboristOverrideSetClassPath;
+exports.getLogSymbols = getLogSymbols;
 exports.getNpmBinPath = getNpmBinPath;
-exports.getNpmNodeModulesPath = getNpmNodeModulesPath;
+exports.getNpmRequire = getNpmRequire;
 exports.getNpxBinPath = getNpxBinPath;
 exports.getPackageFiles = getPackageFiles;
 exports.getPackageFilesFullScans = getPackageFilesFullScans;
 exports.isDebug = isDebug;
 exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
 exports.isNpxBinPathShadowed = isNpxBinPathShadowed;
-exports.logSymbols = logSymbols;
 exports.logger = logger;
+//# debugId=86fc9821-b01f-4210-8d26-6d3ece42c533
+//# sourceMappingURL=npm-paths.js.map

package/dist/module-sync/npm-paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm-paths.js","sources":["../../src/utils/logging.ts","../../src/utils/debug.ts","../../src/utils/ignore-by-default.ts","../../src/utils/path-resolve.ts","../../src/shadow/npm-paths.ts"],"sourcesContent":["import colors from 'yoctocolors-cjs'\n\nimport isUnicodeSupported from '@socketregistry/is-unicode-supported/index.cjs'\nimport { Spinner } from '@socketsecurity/registry/lib/spinner'\n\nexport type LogSymbols = {\n  info: string\n  success: string\n  warning: string\n  error: string\n}\n\nlet _logSymbols: LogSymbols | undefined\nexport function getLogSymbols() {\n  if (_logSymbols === undefined) {\n    _logSymbols = <LogSymbols>(isUnicodeSupported()\n      ? {\n          __proto__: null,\n          info: colors.blue('ℹ'),\n          success: colors.green('✔'),\n          warning: colors.yellow('⚠'),\n          error: colors.red('✖️')\n        }\n      : {\n          __proto__: null,\n          info: colors.blue('i'),\n          success: colors.green('√'),\n          warning: colors.yellow('‼'),\n          error: colors.red('×')\n        })\n  }\n  return _logSymbols\n}\n\nexport class Logger {\n  #spinnerLogger: ReturnType<typeof Spinner>\n  constructor() {\n    this.#spinnerLogger = new Spinner()\n  }\n\n  error(text: string) {\n    this.#spinnerLogger.error(text)\n  }\n\n  info(text: string) {\n    this.#spinnerLogger.info(text)\n  }\n\n  warn(text: string) {\n    this.#spinnerLogger.warning(text)\n  }\n}\n\nexport const logger = new Logger()\n","import { getLogSymbols } from './logging'\nimport constants from '../constants'\n\nexport function isDebug() {\n  // Lazily access constants.ENV.\n  return constants.ENV.SOCKET_CLI_DEBUG\n}\n\nexport function debugLog(...args: any[]) {\n  if (isDebug()) {\n    console.error(getLogSymbols().info, ...args)\n  }\n}\n","const ignoredDirs = [\n  // Taken from ignore-by-default:\n  // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js\n  '.git', // Git repository files, see <https://git-scm.com/>\n  '.log', // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>\n  '.nyc_output', // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>\n  '.sass-cache', // Cache folder for node-sass, see <https://github.com/sass/node-sass>\n  '.yarn', // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>\n  'bower_components', // Where Bower packages are installed, see <http://bower.io/>\n  'coverage', // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>\n  'node_modules', // Where Node modules are installed, see <https://nodejs.org/>\n  // Taken from globby:\n  // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16\n  'flow-typed'\n] as const\n\nconst ignoredDirPatterns = ignoredDirs.map(i => `**/${i}`)\n\nexport function directoryPatterns() {\n  return [...ignoredDirPatterns]\n}\n","import { existsSync, promises as fs, realpathSync, statSync } from 'node:fs'\nimport path from 'node:path'\nimport process from 'node:process'\n\nimport ignore from 'ignore'\nimport micromatch from 'micromatch'\nimport { glob as tinyGlob } from 'tinyglobby'\nimport which from 'which'\n\nimport { debugLog } from './debug'\nimport { directoryPatterns } from './ignore-by-default'\nimport constants from '../constants'\n\nimport type { SocketYml } from '@socketsecurity/config'\nimport type { SocketSdkReturnType } from '@socketsecurity/sdk'\nimport type { GlobOptions } from 'tinyglobby'\n\ntype GlobWithGitIgnoreOptions = GlobOptions & {\n  socketConfig?: SocketYml | undefined\n}\n\nconst { NODE_MODULES, NPM, shadowBinPath } = constants\n\nasync function filterGlobResultToSupportedFiles(\n  entries: string[],\n  supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data']\n): Promise<string[]> {\n  const patterns = ['golang', NPM, 'maven', 'pypi'].reduce(\n    (r: string[], n: string) => {\n      const supported = supportedFiles[n]\n      r.push(\n        ...(supported\n          ? Object.values(supported).map(p => `**/${p.pattern}`)\n          : [])\n      )\n      return r\n    },\n    []\n  )\n  return entries.filter(p => micromatch.some(p, patterns))\n}\n\nasync function globWithGitIgnore(\n  patterns: string[],\n  options: GlobWithGitIgnoreOptions\n) {\n  const {\n    cwd = process.cwd(),\n    socketConfig,\n    ...additionalOptions\n  } = <GlobWithGitIgnoreOptions>{ __proto__: null, ...options }\n  const projectIgnorePaths = socketConfig?.projectIgnorePaths\n  const ignoreFiles = await tinyGlob(['**/.gitignore'], {\n    absolute: true,\n    cwd,\n    expandDirectories: true\n  })\n  const ignores = [\n    ...directoryPatterns(),\n    ...(Array.isArray(projectIgnorePaths)\n      ? ignoreFileLinesToGlobPatterns(\n          projectIgnorePaths,\n          path.join(cwd, '.gitignore'),\n          cwd\n        )\n      : []),\n    ...(\n      await Promise.all(\n        ignoreFiles.map(async filepath =>\n          ignoreFileToGlobPatterns(\n            await fs.readFile(filepath, 'utf8'),\n            filepath,\n            cwd\n          )\n        )\n      )\n    ).flat()\n  ]\n  const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /*'!'*/)\n  const globOptions = {\n    absolute: true,\n    cwd,\n    expandDirectories: false,\n    ignore: hasNegatedPattern ? [] : ignores,\n    ...additionalOptions\n  }\n  const result = await tinyGlob(patterns, globOptions)\n  if (!hasNegatedPattern) {\n    return result\n  }\n  const { absolute } = globOptions\n\n  // Note: the input files must be INSIDE the cwd. If you get strange looking\n  // relative path errors here, most likely your path is outside the given cwd.\n  const filtered = ignore()\n    .add(ignores)\n    .filter(absolute ? result.map(p => path.relative(cwd, p)) : result)\n  return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered\n}\n\nfunction ignoreFileLinesToGlobPatterns(\n  lines: string[],\n  filepath: string,\n  cwd: string\n): string[] {\n  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\\\/g, '/')\n  const patterns = []\n  for (let i = 0, { length } = lines; i < length; i += 1) {\n    const pattern = lines[i]!.trim()\n    if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {\n      patterns.push(\n        ignorePatternToMinimatch(\n          pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/\n            ? `!${path.posix.join(base, pattern.slice(1))}`\n            : path.posix.join(base, pattern)\n        )\n      )\n    }\n  }\n  return patterns\n}\n\nfunction ignoreFileToGlobPatterns(\n  content: string,\n  filepath: string,\n  cwd: string\n): string[] {\n  return ignoreFileLinesToGlobPatterns(content.split(/\\r?\\n/), filepath, cwd)\n}\n\n// Based on `@eslint/compat` convertIgnorePatternToMinimatch.\n// Apache v2.0 licensed\n// Copyright Nicholas C. Zakas\n// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28\nfunction ignorePatternToMinimatch(pattern: string): string {\n  const isNegated = pattern.startsWith('!')\n  const negatedPrefix = isNegated ? '!' : ''\n  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()\n  // Special cases.\n  if (\n    patternToTest === '' ||\n    patternToTest === '**' ||\n    patternToTest === '/**' ||\n    patternToTest === '**'\n  ) {\n    return `${negatedPrefix}${patternToTest}`\n  }\n  const firstIndexOfSlash = patternToTest.indexOf('/')\n  const matchEverywherePrefix =\n    firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1\n      ? '**/'\n      : ''\n  const patternWithoutLeadingSlash =\n    firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest\n  // Escape `{` and `(` because in gitignore patterns they are just\n  // literal characters without any specific syntactic meaning,\n  // while in minimatch patterns they can form brace expansion or extglob syntax.\n  //\n  // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.\n  // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.\n  // Minimatch pattern `src/\\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.\n  const escapedPatternWithoutLeadingSlash =\n    patternWithoutLeadingSlash.replaceAll(\n      /(?=((?:\\\\.|[^{(])*))\\1([{(])/guy,\n      '$1\\\\$2'\n    )\n  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : ''\n  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`\n}\n\nfunction pathsToPatterns(paths: string[]): string[] {\n  // TODO: Does not support `~/` paths.\n  return paths.map(p => (p === '.' ? '**/*' : p))\n}\n\nexport function findBinPathDetailsSync(binName: string): {\n  name: string\n  path: string | undefined\n  shadowed: boolean\n} {\n  let shadowIndex = -1\n  const bins =\n    which.sync(binName, {\n      all: true,\n      nothrow: true\n    }) ?? []\n  let binPath: string | undefined\n  for (let i = 0, { length } = bins; i < length; i += 1) {\n    const bin = realpathSync.native(bins[i]!)\n    // Skip our bin directory if it's in the front.\n    if (path.dirname(bin) === shadowBinPath) {\n      shadowIndex = i\n    } else {\n      binPath = bin\n      break\n    }\n  }\n  return { name: binName, path: binPath, shadowed: shadowIndex !== -1 }\n}\n\nexport function findNpmPathSync(npmBinPath: string): string | undefined {\n  let thePath = npmBinPath\n  while (true) {\n    const nmPath = path.join(thePath, NODE_MODULES)\n    if (\n      // npm bin paths may look like:\n      // /usr/local/share/npm/bin/npm\n      // /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm\n      // C:\\Users\\SomeUsername\\AppData\\Roaming\\npm\\bin\\npm.cmd\n      // OR\n      // C:\\Program Files\\nodejs\\npm.cmd\n      //\n      // In all cases the npm path contains a node_modules folder:\n      // /usr/local/share/npm/bin/npm/node_modules\n      // C:\\Program Files\\nodejs\\node_modules\n      //\n      // Use existsSync here because statsSync, even with { throwIfNoEntry: false },\n      // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.\n      // See https://github.com/nodejs/node/issues/56993.\n      existsSync(nmPath) &&\n      statSync(nmPath, { throwIfNoEntry: false })?.isDirectory() &&\n      // Optimistically look for the default location.\n      (path.basename(thePath) === NPM ||\n        // Chocolatey installs npm bins in the same directory as node bins.\n        // Lazily access constants.WIN32.\n        (constants.WIN32 && existsSync(path.join(thePath, `${NPM}.cmd`))))\n    ) {\n      return thePath\n    }\n    const parent = path.dirname(thePath)\n    if (parent === thePath) {\n      return undefined\n    }\n    thePath = parent\n  }\n}\n\nexport async function getPackageFiles(\n  cwd: string,\n  inputPaths: string[],\n  config: SocketYml | undefined,\n  supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data']\n): Promise<string[]> {\n  debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths)\n\n  const entries = await globWithGitIgnore(pathsToPatterns(inputPaths), {\n    cwd,\n    socketConfig: config\n  })\n\n  debugLog(\n    `Globbed resolved ${inputPaths.length} paths to ${entries.length} paths:`,\n    entries\n  )\n\n  const packageFiles = await filterGlobResultToSupportedFiles(\n    entries,\n    supportedFiles\n  )\n\n  debugLog(\n    `Mapped ${entries.length} entries to ${packageFiles.length} files:`,\n    packageFiles\n  )\n\n  return packageFiles\n}\n\nexport async function getPackageFilesFullScans(\n  cwd: string,\n  inputPaths: string[],\n  supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data'],\n  debugLog: typeof console.error = () => {}\n): Promise<string[]> {\n  debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths)\n\n  const entries = await globWithGitIgnore(pathsToPatterns(inputPaths), {\n    cwd\n  })\n\n  debugLog(\n    `Globbed resolved ${inputPaths.length} paths to ${entries.length} paths:`,\n    entries\n  )\n\n  const packageFiles = await filterGlobResultToSupportedFiles(\n    entries,\n    supportedFiles\n  )\n\n  debugLog(\n    `Mapped ${entries.length} entries to ${packageFiles.length} files:`,\n    packageFiles\n  )\n\n  return packageFiles\n}\n","import { existsSync } from 'node:fs'\nimport Module from 'node:module'\nimport path from 'node:path'\nimport process from 'node:process'\n\nimport { normalizePath } from '@socketsecurity/registry/lib/path'\n\nimport constants from '../constants'\nimport { findBinPathDetailsSync, findNpmPathSync } from '../utils/path-resolve'\n\nconst { NODE_MODULES, NPM, NPX, SOCKET_CLI_ISSUES_URL } = constants\n\nfunction exitWithBinPathError(binName: string): never {\n  console.error(\n    `Socket unable to locate ${binName}; ensure it is available in the PATH environment variable.`\n  )\n  // The exit code 127 indicates that the command or binary being executed\n  // could not be found.\n  process.exit(127)\n}\n\nlet _npmBinPathDetails: ReturnType<typeof findBinPathDetailsSync> | undefined\nfunction getNpmBinPathDetails(): ReturnType<typeof findBinPathDetailsSync> {\n  if (_npmBinPathDetails === undefined) {\n    _npmBinPathDetails = findBinPathDetailsSync(NPM)\n  }\n  return _npmBinPathDetails\n}\n\nlet _npxBinPathDetails: ReturnType<typeof findBinPathDetailsSync> | undefined\nfunction getNpxBinPathDetails(): ReturnType<typeof findBinPathDetailsSync> {\n  if (_npxBinPathDetails === undefined) {\n    _npxBinPathDetails = findBinPathDetailsSync(NPX)\n  }\n  return _npxBinPathDetails\n}\n\nlet _npmBinPath: string | undefined\nexport function getNpmBinPath(): string {\n  if (_npmBinPath === undefined) {\n    _npmBinPath = getNpmBinPathDetails().path\n    if (!_npmBinPath) {\n      exitWithBinPathError(NPM)\n    }\n  }\n  return _npmBinPath\n}\n\nexport function isNpmBinPathShadowed() {\n  return getNpmBinPathDetails().shadowed\n}\n\nlet _npxBinPath: string | undefined\nexport function getNpxBinPath(): string {\n  if (_npxBinPath === undefined) {\n    _npxBinPath = getNpxBinPathDetails().path\n    if (!_npxBinPath) {\n      exitWithBinPathError(NPX)\n    }\n  }\n  return _npxBinPath\n}\n\nexport function isNpxBinPathShadowed() {\n  return getNpxBinPathDetails().shadowed\n}\n\nlet _npmPath: string | undefined\nexport function getNpmPath() {\n  if (_npmPath === undefined) {\n    const npmBinPath = getNpmBinPath()\n    _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined\n    if (!_npmPath) {\n      let message = 'Unable to find npm CLI install directory.'\n      if (npmBinPath) {\n        message += `\\nSearched parent directories of ${path.dirname(npmBinPath)}.`\n      }\n      message += `\\n\\nThis is may be a bug with socket-npm related to changes to the npm CLI.\\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`\n      console.error(message)\n      // The exit code 127 indicates that the command or binary being executed\n      // could not be found.\n      process.exit(127)\n    }\n  }\n  return _npmPath\n}\n\nlet _npmRequire: NodeJS.Require | undefined\nexport function getNpmRequire(): NodeJS.Require {\n  if (_npmRequire === undefined) {\n    const npmPath = getNpmPath()\n    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM)\n    _npmRequire = Module.createRequire(\n      path.join(existsSync(npmNmPath) ? npmNmPath : npmPath, '<dummy-basename>')\n    )\n  }\n  return _npmRequire\n}\n\nlet _arboristPkgPath: string | undefined\nexport function getArboristPackagePath() {\n  if (_arboristPkgPath === undefined) {\n    const pkgName = '@npmcli/arborist'\n    const mainPathWithForwardSlashes = normalizePath(\n      getNpmRequire().resolve(pkgName)\n    )\n    const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(\n      0,\n      mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length\n    )\n    // Lazily access constants.WIN32.\n    _arboristPkgPath = constants.WIN32\n      ? path.normalize(arboristPkgPathWithForwardSlashes)\n      : arboristPkgPathWithForwardSlashes\n  }\n  return _arboristPkgPath\n}\n\nlet _arboristClassPath: string | undefined\nexport function getArboristClassPath() {\n  if (_arboristClassPath === undefined) {\n    _arboristClassPath = path.join(\n      getArboristPackagePath(),\n      'lib/arborist/index.js'\n    )\n  }\n  return _arboristClassPath\n}\n\nlet _arboristDepValidPath: string | undefined\nexport function getArboristDepValidPath() {\n  if (_arboristDepValidPath === undefined) {\n    _arboristDepValidPath = path.join(\n      getArboristPackagePath(),\n      'lib/dep-valid.js'\n    )\n  }\n  return _arboristDepValidPath\n}\n\nlet _arboristEdgeClassPath: string | undefined\nexport function getArboristEdgeClassPath() {\n  if (_arboristEdgeClassPath === undefined) {\n    _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')\n  }\n  return _arboristEdgeClassPath\n}\n\nlet _arboristNodeClassPath: string | undefined\nexport function getArboristNodeClassPath() {\n  if (_arboristNodeClassPath === undefined) {\n    _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')\n  }\n  return _arboristNodeClassPath\n}\n\nlet _arboristOverrideSetClassPath: string | undefined\nexport function getArboristOverrideSetClassPath() {\n  if (_arboristOverrideSetClassPath === undefined) {\n    _arboristOverrideSetClassPath = path.join(\n      getArboristPackagePath(),\n      'lib/override-set.js'\n    )\n  }\n  return _arboristOverrideSetClassPath\n}\n"],"names":["_logSymbols","__proto__","info","success","warning","error","constructor","shadowBinPath","cwd","absolute","expandDirectories","ignore","length","all","nothrow","shadowIndex","binPath","name","path","existsSync","throwIfNoEntry","constants","thePath","socketConfig","debugLog","SOCKET_CLI_ISSUES_URL","console","process","_npmBinPathDetails","_npxBinPathDetails","_npmBinPath","_npxBinPath","_arboristPkgPath"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAYA;AACO;;AAEHA;AAEMC;AACAC;AACAC;AACAC;AACAC;AACF;AAEEJ;AACAC;AACAC;AACAC;AACAC;;AAER;AACA;AACF;AAEO;AACL;AACAC;AACE;AACF;;AAGE;AACF;;AAGE;AACF;;AAGE;AACF;AACF;;;AChDO;AACL;AACA;AACF;AAEO;;;AAGL;AACF;;ACZA;AACE;AACA;AACA;AAAQ;AACR;AAAQ;AACR;AAAe;AACf;AAAe;AACf;AAAS;AACT;AAAoB;AACpB;AAAY;AACZ;AAAgB;AAChB;AACA;AACA;AAGF;AAEO;;AAEP;;ACCA;;;AAA2BC;AAAc;AAEzC;AAIE;AAEI;;AAMA;;AAIJ;AACF;AAEA;;AAKIC;;;AAGF;AAAgCP;;;AAChC;;AAEEQ;;AAEAC;AACF;AACA;AAqBA;AACA;AACED;;AAEAC;AACAC;;;;;AAKA;AACF;;AACQF;AAAS;;AAEjB;AACA;AACA;AAGA;AACF;AAEA;;;AAOE;AAAkBG;;;AAEhB;;AAQA;AACF;AACA;AACF;AAEA;AAKE;AACF;;AAEA;AACA;AACA;AACA;AACA;AACE;AACA;AACA;AACA;AACA;AAME;AACF;AACA;AACA;AAIA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;;;;AAQF;AAEA;AACE;AACA;AACF;AAEO;;AAML;AAEIC;AACAC;;AAEJ;AACA;AAAkBF;;;AAEhB;;AAEEG;AACF;AACEC;AACA;AACF;AACF;;AACSC;AAAeC;;;AAC1B;AAEO;;AAEL;;AAEE;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACAC;AACmBC;AAAsB;AACzC;AACCF;AACC;AACA;AACCG;AAEH;AACF;AACA;;AAEE;AACF;AACAC;AACF;AACF;AAEO;;;;AAUHC;AACF;AAEAC;;AAUAA;AAKA;AACF;AAEO;;;AASHhB;AACF;AAEAgB;;AAUAA;AAKA;AACF;;AC9RA;;;;AAAgCC;AAAsB;AAEtD;AACEC;AAGA;AACA;AACAC;AACF;AAEA;AACA;;AAEIC;AACF;AACA;AACF;AAEA;AACA;;AAEIC;AACF;AACA;AACF;AAEA;AACO;;AAEHC;;;AAGA;AACF;AACA;AACF;AAEO;AACL;AACF;AAEA;AACO;;AAEHC;;;AAGA;AACF;AACA;AACF;AAEO;AACL;AACF;AAEA;AACO;;AAEH;;;;AAIE;;AAEA;;AAEAL;AACA;AACA;AACAC;AACF;AACF;AACA;AACF;AAEA;AACO;;AAEH;;;AAKF;AACA;AACF;AAEA;AACO;;;AAGH;AAGA;AAIA;AACAK;AAGF;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAGL;AACA;AACF;AAEA;AACO;;;AAML;AACA;AACF;;;;;;;;;;;;;;;;;","debugId":"86fc9821-b01f-4210-8d26-6d3ece42c533"}

package/dist/module-sync/npm.d.ts

@@ -0,0 +1,24 @@
+/// <reference types="npmcli__promise-spawn" />
+/// <reference types="node" />
+import spawn from '@npmcli/promise-spawn';
+declare function isAuditFlag(cmdArg: string): boolean;
+declare function isFundFlag(cmdArg: string): boolean;
+declare function isLoglevelFlag(cmdArg: string): boolean;
+declare function isProgressFlag(cmdArg: string): boolean;
+type SpawnOption = Exclude<Parameters<typeof spawn>[2], undefined>;
+type SafeNpmInstallOptions = SpawnOption & {
+    args?: string[];
+    ipc?: object;
+};
+declare function safeNpmInstall(opts?: SafeNpmInstallOptions): Promise<{
+    cmd: string;
+    args: string[];
+    code: number;
+    signal: NodeJS.Signals | null;
+    stdout: string;
+    stderr: string;
+} & Record<any, any>> & {
+    process: import("child_process").ChildProcess;
+    stdio: [import("stream").Writable | null, import("stream").Readable | null, import("stream").Readable | null, import("stream").Writable | import("stream").Readable | null | undefined, import("stream").Writable | import("stream").Readable | null | undefined];
+};
+export { isAuditFlag, isFundFlag, isLoglevelFlag, isProgressFlag, safeNpmInstall };

package/dist/module-sync/npm.js

@@ -0,0 +1,99 @@
+'use strict';
+
+function _socketInterop(e) {
+  let c = 0
+  for (const k in e ?? {}) {
+    c = c === 0 && k === 'default' ? 1 : 0
+    if (!c && k !== '__esModule') break
+  }
+  return c ? e.default : e
+}
+
+var process = require('node:process');
+var spawn = _socketInterop(require('@npmcli/promise-spawn'));
+var objects = require('@socketsecurity/registry/lib/objects');
+var npmPaths = require('./npm-paths.js');
+var constants = require('./constants.js');
+
+const {
+  SOCKET_IPC_HANDSHAKE,
+  abortSignal
+} = constants;
+const auditFlags = new Set(['--audit', '--no-audit']);
+const fundFlags = new Set(['--fund', '--no-fund']);
+
+// https://docs.npmjs.com/cli/v11/using-npm/logging#aliases
+const logFlags = new Set(['--loglevel', '-d', '--dd', '--ddd', '-q', '--quiet', '-s', '--silent']);
+const progressFlags = new Set(['--progress', '--no-progress']);
+function isAuditFlag(cmdArg) {
+  return auditFlags.has(cmdArg);
+}
+function isFundFlag(cmdArg) {
+  return fundFlags.has(cmdArg);
+}
+function isLoglevelFlag(cmdArg) {
+  // https://docs.npmjs.com/cli/v11/using-npm/logging#setting-log-levels
+  return cmdArg.startsWith('--loglevel=') || logFlags.has(cmdArg);
+}
+function isProgressFlag(cmdArg) {
+  return progressFlags.has(cmdArg);
+}
+function safeNpmInstall(opts) {
+  const {
+    args = [],
+    ipc,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...opts
+  };
+  const terminatorPos = args.indexOf('--');
+  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !isAuditFlag(a) && !isFundFlag(a) && !isProgressFlag(a));
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const useIpc = objects.isObject(ipc);
+  const useDebug = npmPaths.isDebug();
+  const spawnPromise = spawn(
+  // Lazily access constants.execPath.
+  constants.execPath, [
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags, '--require',
+  // Lazily access constants.npmInjectionPath.
+  constants.npmInjectionPath, npmPaths.getNpmBinPath(), 'install',
+  // Even though the '--silent' flag is passed npm will still run through
+  // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'
+  // flags are passed.
+  '--no-audit', '--no-fund',
+  // Add `--no-progress` and `--silent` flags to fix input being swallowed
+  // by the spinner when running the command with recent versions of npm.
+  '--no-progress',
+  // Add the '--silent' flag if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...(useDebug || npmArgs.some(isLoglevelFlag) ? [] : ['--silent']), ...npmArgs, ...otherArgs], {
+    signal: abortSignal,
+    // Set stdio to include 'ipc'.
+    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
+    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
+    stdio: useDebug ?
+    // 'inherit'
+    useIpc ? [0, 1, 2, 'ipc'] : 'inherit' :
+    // 'ignore'
+    useIpc ? ['ignore', 'ignore', 'ignore', 'ipc'] : 'ignore',
+    ...spawnOptions,
+    env: {
+      ...process.env,
+      ...spawnOptions.env
+    }
+  });
+  if (useIpc) {
+    spawnPromise.process.send({
+      [SOCKET_IPC_HANDSHAKE]: ipc
+    });
+  }
+  return spawnPromise;
+}
+
+exports.isLoglevelFlag = isLoglevelFlag;
+exports.isProgressFlag = isProgressFlag;
+exports.safeNpmInstall = safeNpmInstall;
+//# debugId=73c2e7c8-ac5f-4a8a-8343-be29aaec8a8a
+//# sourceMappingURL=npm.js.map

package/dist/module-sync/npm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.js","sources":["../../src/utils/npm.ts"],"sourcesContent":["import process from 'node:process'\n\nimport spawn from '@npmcli/promise-spawn'\n\nimport { isObject } from '@socketsecurity/registry/lib/objects'\n\nimport { isDebug } from './debug'\nimport constants from '../constants'\nimport { getNpmBinPath } from '../shadow/npm-paths'\n\nconst { SOCKET_IPC_HANDSHAKE, abortSignal } = constants\n\nconst auditFlags = new Set(['--audit', '--no-audit'])\n\nconst fundFlags = new Set(['--fund', '--no-fund'])\n\n// https://docs.npmjs.com/cli/v11/using-npm/logging#aliases\nconst logFlags = new Set([\n  '--loglevel',\n  '-d',\n  '--dd',\n  '--ddd',\n  '-q',\n  '--quiet',\n  '-s',\n  '--silent'\n])\n\nconst progressFlags = new Set(['--progress', '--no-progress'])\n\nexport function isAuditFlag(cmdArg: string) {\n  return auditFlags.has(cmdArg)\n}\n\nexport function isFundFlag(cmdArg: string) {\n  return fundFlags.has(cmdArg)\n}\n\nexport function isLoglevelFlag(cmdArg: string) {\n  // https://docs.npmjs.com/cli/v11/using-npm/logging#setting-log-levels\n  return cmdArg.startsWith('--loglevel=') || logFlags.has(cmdArg)\n}\n\nexport function isProgressFlag(cmdArg: string) {\n  return progressFlags.has(cmdArg)\n}\n\ntype SpawnOption = Exclude<Parameters<typeof spawn>[2], undefined>\n\ntype SafeNpmInstallOptions = SpawnOption & {\n  args?: string[]\n  ipc?: object\n}\n\nexport function safeNpmInstall(opts?: SafeNpmInstallOptions) {\n  const { args = [], ipc, ...spawnOptions } = { __proto__: null, ...opts }\n  const terminatorPos = args.indexOf('--')\n  const npmArgs = (\n    terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  ).filter(a => !isAuditFlag(a) && !isFundFlag(a) && !isProgressFlag(a))\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const useIpc = isObject(ipc)\n  const useDebug = isDebug()\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      '--require',\n      // Lazily access constants.npmInjectionPath.\n      constants.npmInjectionPath,\n      getNpmBinPath(),\n      'install',\n      // Even though the '--silent' flag is passed npm will still run through\n      // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'\n      // flags are passed.\n      '--no-audit',\n      '--no-fund',\n      // Add `--no-progress` and `--silent` flags to fix input being swallowed\n      // by the spinner when running the command with recent versions of npm.\n      '--no-progress',\n      // Add the '--silent' flag if a loglevel flag is not provided and the\n      // SOCKET_CLI_DEBUG environment variable is not truthy.\n      ...(useDebug || npmArgs.some(isLoglevelFlag) ? [] : ['--silent']),\n      ...npmArgs,\n      ...otherArgs\n    ],\n    {\n      signal: abortSignal,\n      // Set stdio to include 'ipc'.\n      // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166\n      // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.\n      stdio: useDebug\n        ? // 'inherit'\n          useIpc\n          ? [0, 1, 2, 'ipc']\n          : 'inherit'\n        : // 'ignore'\n          useIpc\n          ? ['ignore', 'ignore', 'ignore', 'ipc']\n          : 'ignore',\n      ...spawnOptions,\n      env: {\n        ...process.env,\n        ...spawnOptions.env\n      }\n    }\n  )\n  if (useIpc) {\n    spawnPromise.process.send({ [SOCKET_IPC_HANDSHAKE]: ipc })\n  }\n  return spawnPromise\n}\n"],"names":["abortSignal","args","__proto__","constants","signal","stdio","env","spawnPromise"],"mappings":";;;;;;;;;;;;;;;;;AAUA;;AAA8BA;AAAY;AAE1C;AAEA;;AAEA;AACA;AAWA;AAEO;AACL;AACF;AAEO;AACL;AACF;AAEO;AACL;AACA;AACF;AAEO;AACL;AACF;AASO;;AACGC;;;AAAgC;AAAMC;;;AAC9C;AACA;AAGA;AACA;AACA;;AAEE;;AAGE;AACA;AAEA;AACAC;AAGA;AACA;AACA;AACA;AAEA;AACA;;AAEA;AACA;;AAMAC;AACA;AACA;AACA;AACAC;AACI;;AAIA;;AAIJ;AACAC;;AAEE;AACF;AACF;AAEF;AACEC;AAA4B;AAA4B;AAC1D;AACA;AACF;;;;","debugId":"73c2e7c8-ac5f-4a8a-8343-be29aaec8a8a"}

package/dist/module-sync/path-resolve.d.ts

@@ -6,7 +6,7 @@ declare function findBinPathDetailsSync(binName: string): {
     path: string | undefined;
     shadowed: boolean;
 };
-declare function findNpmPathSync(filepath: string): string | undefined;
+declare function findNpmPathSync(npmBinPath: string): string | undefined;
 declare function getPackageFiles(cwd: string, inputPaths: string[], config: SocketYml | undefined, supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data']): Promise<string[]>;
 declare function getPackageFilesFullScans(cwd: string, inputPaths: string[], supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data'], debugLog?: typeof console.error): Promise<string[]>;
 export { findBinPathDetailsSync, findNpmPathSync, getPackageFiles, getPackageFilesFullScans };

package/dist/module-sync/proc-log.d.ts

@@ -0,0 +1,3 @@
+type Logger = typeof import("npmlog") | typeof import("proc-log") | undefined;
+declare function getLogger(): Logger;
+export { Logger, getLogger };