npm - @socketsecurity/cli - Versions diffs - 0.14.6 → 0.14.8 - Mend

@socketsecurity/cli 0.14.6 → 0.14.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +151 -86
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -12,9 +12,9 @@ var sdk = require('./sdk.js');
 var require$$1$2 = require('@inquirer/prompts');
 var require$$3$2 = require('@npmcli/package-json');
 var require$$4 = require('@socketsecurity/registry');
+var require$$3$1 = require('semver');
 var require$$1$3 = require('@socketregistry/hyrious__bun.lockb');
 var require$$3 = require('browserslist');
-var require$$3$1 = require('semver');
 var require$$5$1 = require('which');
 var require$$2 = require('@apideck/better-ajv-errors');
 var require$$3$3 = require('@socketsecurity/config');
@@ -937,12 +937,13 @@ var _nodePath$3 = require$$1;
 var _hyrious__bun = require$$1$3;
 var _promiseSpawn$3 = require$$1$1;
 var _browserslist = require$$3;
-var _semver = require$$3$1;
+var _semver$1 = require$$3$1;
 var _which = require$$5$1;
 var _fs = fs;
 var _json = json;
 var _objects$1 = objects;
 var _strings = strings;
+const PNPM_WORKSPACE = 'pnpm-workspace';
 const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn'];
 const LOCKS = packageManagerDetector.LOCKS = {
   'bun.lockb': 'bun',
@@ -993,17 +994,16 @@ const readLockFileByAgent = (() => {
   };
 })();
 async function detect({
-  cwd,
+  cwd = process.cwd(),
   onUnknown
 } = {}) {
-  const lockPath = await (0, _fs.findUp)(Object.keys(LOCKS), {
+  let lockPath = await (0, _fs.findUp)(Object.keys(LOCKS), {
     cwd
   });
   const isHiddenLockFile = lockPath?.endsWith('.package-lock.json') ?? false;
   const pkgJsonPath = lockPath ? _nodePath$3.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await (0, _fs.findUp)('package.json', {
     cwd
   });
   // Read Corepack `packageManager` field in package.json:
   // https://nodejs.org/api/packages.html#packagemanager
   const pkgJsonStr = (0, _fs.existsSync)(pkgJsonPath) ? await (0, _fs.readFileUtf8)(pkgJsonPath) : undefined;
@@ -1022,7 +1022,7 @@ async function detect({
       }
     }
   }
-  if (agent === undefined && !isHiddenLockFile && typeof lockPath === 'string') {
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockPath === 'string') {
     agent = LOCKS[_nodePath$3.basename(lockPath)];
   }
   if (agent === undefined) {
@@ -1042,7 +1042,7 @@ async function detect({
   if (pkgJson) {
     const pkgPath = _nodePath$3.dirname(pkgJsonPath);
     isPrivate = !!pkgJson['private'];
-    isWorkspace = !!pkgJson['workspaces'] || agent === 'pnpm' && (0, _fs.existsSync)(_nodePath$3.join(pkgPath, 'pnpm-workspace.yaml'));
+    isWorkspace = !!pkgJson['workspaces'] || (0, _fs.existsSync)(_nodePath$3.join(pkgPath, `${PNPM_WORKSPACE}.yaml`)) || (0, _fs.existsSync)(_nodePath$3.join(pkgPath, `${PNPM_WORKSPACE}.yml`));
     let browser;
     let node;
     const browserField = (0, _objects$1.getOwn)(pkgJson, 'browser');
@@ -1051,7 +1051,7 @@ async function detect({
     }
     const nodeRange = (0, _objects$1.getOwn)(pkgJson['engines'], 'node');
     if ((0, _strings.isNonEmptyString)(nodeRange)) {
-      node = MAINTAINED_NODE_VERSIONS.some(v => _semver.satisfies(v, nodeRange));
+      node = MAINTAINED_NODE_VERSIONS.some(v => _semver$1.satisfies(v, nodeRange));
     }
     const browserslistQuery = (0, _objects$1.getOwn)(pkgJson, 'browserslist');
     if (Array.isArray(browserslistQuery)) {
@@ -1061,7 +1061,7 @@ async function detect({
         browser = browserslistTargets.length !== browserslistNodeTargets.length;
       }
       if (node === undefined && browserslistNodeTargets.length) {
-        node = MAINTAINED_NODE_VERSIONS.some(r => browserslistNodeTargets.some(v => _semver.satisfies(v, `^${r}`)));
+        node = MAINTAINED_NODE_VERSIONS.some(r => browserslistNodeTargets.some(v => _semver$1.satisfies(v, `^${r}`)));
       }
     }
     if (browser !== undefined) {
@@ -1071,6 +1071,8 @@ async function detect({
       targets.node = node;
     }
     lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
+  } else {
+    lockPath = undefined;
   }
   return {
     agent,
@@ -1130,31 +1132,47 @@ var _packageJson = require$$3$2;
 var _registry = require$$4;
 var _meow$m = _interopRequireDefault$n(vendor.build);
 var _ora$i = _interopRequireDefault$n(vendor.ora);
+var _semver = require$$3$1;
 var _formatting$k = formatting;
 var _objects = objects;
 var _packageManagerDetector = packageManagerDetector;
 var _regexps = regexps;
 var _sorts$1 = sorts;
 const distPath$1 = __dirname;
+const COMMAND_TITLE = 'Socket Optimize';
 const OVERRIDES_FIELD_NAME = 'overrides';
 const RESOLUTIONS_FIELD_NAME = 'resolutions';
-const SOCKET_REGISTRY_NAME = '@socketregistry';
-const SOCKET_REGISTRY_MAJOR_VERSION = '^1';
-const allPackages = (0, _registry.getManifestData)('npm').filter(({
-  1: d
-}) => d.engines?.node?.startsWith('>=18')).map(({
+const availableOverrides = (0, _registry.getManifestData)('npm').filter(({
   1: d
-}) => d.package);
-const getManifestOverridesByAgent = {
+}) => d.engines?.node?.startsWith('>=18'));
+const getOverridesDataByAgent = {
   // npm overrides documentation:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-  npm: pkgJson => pkgJson?.overrides ?? undefined,
+  npm: pkgJson => {
+    const overrides = pkgJson?.overrides ?? {};
+    return {
+      type: 'npm',
+      overrides
+    };
+  },
   // pnpm overrides documentation:
   // https://pnpm.io/package_json#pnpmoverrides
-  pnpm: pkgJson => pkgJson?.pnpm?.overrides ?? undefined,
+  pnpm: pkgJson => {
+    const overrides = pkgJson?.pnpm?.overrides ?? undefined;
+    return overrides ? {
+      type: 'pnpm',
+      overrides
+    } : undefined;
+  },
   // Yarn resolutions documentation:
   // https://yarnpkg.com/configuration/manifest#resolutions
-  yarn: pkgJson => pkgJson?.resolutions ?? undefined
+  yarn: pkgJson => {
+    const overrides = pkgJson?.resolutions ?? {};
+    return {
+      type: 'yarn',
+      overrides
+    };
+  }
 };
 const lockIncludesByAgent = {
   npm: (lockSrc, name) => {
@@ -1186,16 +1204,22 @@ const updateManifestByAgent = {
   __proto__: null,
   npm(editablePkgJson, overrides) {
     editablePkgJson.update({
+      __proto__: null,
       [OVERRIDES_FIELD_NAME]: overrides
     });
   },
   pnpm(editablePkgJson, overrides) {
     editablePkgJson.update({
-      [OVERRIDES_FIELD_NAME]: overrides
+      pnpm: {
+        __proto__: null,
+        ...editablePkgJson.content['pnpm'],
+        [OVERRIDES_FIELD_NAME]: overrides
+      }
     });
   },
   yarn(editablePkgJson, overrides) {
     editablePkgJson.update({
+      __proto__: null,
       [RESOLUTIONS_FIELD_NAME]: overrides
     });
   }
@@ -1206,48 +1230,91 @@ async function addOverrides({
   isWorkspace,
   lockSrc,
   lockIncludes,
-  pkgJsonPath,
-  overrides
+  pkgJsonPath
 }, aoState) {
   const {
     packageNames
   } = aoState;
-  let addedCount = 0;
-  let clonedOverrides;
-  for (const name of allPackages) {
-    if (!(0, _objects.hasOwn)(overrides, name) && lockIncludes(lockSrc, name)) {
-      if (clonedOverrides === undefined) {
-        clonedOverrides = {
-          __proto__: null,
-          ...overrides
-        };
+  const editablePkgJson = await _packageJson.load(_nodePath$2.dirname(pkgJsonPath));
+  const {
+    dependencies,
+    devDependencies,
+    peerDependencies,
+    optionalDependencies
+  } = editablePkgJson.content;
+  const depEntries = [['dependencies', dependencies ? {
+    __proto__: null,
+    ...dependencies
+  } : undefined], ['devDependencies', devDependencies ? {
+    __proto__: null,
+    ...devDependencies
+  } : undefined], ['peerDependencies', peerDependencies ? {
+    __proto__: null,
+    ...peerDependencies
+  } : undefined], ['optionalDependencies', optionalDependencies ? {
+    __proto__: null,
+    ...optionalDependencies
+  } : undefined]].filter(({
+    1: o
+  }) => o);
+  const overridesDataObjects = [getOverridesDataByAgent['npm'](editablePkgJson.content)];
+  const isApp = isPrivate || isWorkspace;
+  const overridesData = !isApp || agent !== 'npm' ? getOverridesDataByAgent[isApp ? agent : 'yarn'](editablePkgJson.content) : undefined;
+  if (overridesData) {
+    overridesDataObjects.push(overridesData);
+  }
+  const aliasMap = new Map();
+  for (const {
+    1: data
+  } of availableOverrides) {
+    const {
+      name: regPkgName,
+      package: origPkgName,
+      version
+    } = data;
+    for (const {
+      1: depObj
+    } of depEntries) {
+      let pkgSpec = depObj[origPkgName];
+      if (pkgSpec) {
+        // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
+        // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
+        const overrideSpecPrefix = `npm:${regPkgName}@`;
+        if (!pkgSpec.startsWith(overrideSpecPrefix)) {
+          aliasMap.set(regPkgName, pkgSpec);
+        } else {
+          packageNames.add(regPkgName);
+          pkgSpec = `${overrideSpecPrefix}^${version}`;
+          depObj[origPkgName] = pkgSpec;
+        }
+        aliasMap.set(origPkgName, pkgSpec);
       }
-      addedCount += 1;
-      packageNames.add(name);
-      clonedOverrides[name] = `npm:${SOCKET_REGISTRY_NAME}/${name}@${SOCKET_REGISTRY_MAJOR_VERSION}`;
     }
-  }
-  if (addedCount) {
-    const editablePkgJson = await _packageJson.load(_nodePath$2.dirname(pkgJsonPath));
-    const sortedOverrides = (0, _sorts$1.toSortedObject)(clonedOverrides);
-    updateManifestByAgent[agent](editablePkgJson, sortedOverrides);
-    if (!isPrivate && !isWorkspace) {
-      if ((0, _objects.hasOwn)(editablePkgJson.content, 'pnpm') && (0, _objects.isObjectObject)(editablePkgJson.content['pnpm'])) {
-        const pnpmKeys = Object.keys(editablePkgJson.content['pnpm']);
-        editablePkgJson.update(pnpmKeys.length === 1 && pnpmKeys[0] === 'overrides' ?
-        // Properties with undefined values are omitted when saved as JSON.
-        {
-          pnpm: undefined
-        } : {
-          pnpm: {
-            __proto__: null,
-            ...editablePkgJson.content['pnpm'],
-            overrides: undefined
-          }
-        });
+    for (const {
+      type,
+      overrides
+    } of overridesDataObjects) {
+      if (overrides && !(0, _objects.hasOwn)(overrides, origPkgName) && lockIncludes(lockSrc, origPkgName)) {
+        packageNames.add(regPkgName);
+        overrides[origPkgName] =
+        // With npm you may not set an override for a package that you directly
+        // depend on unless both the dependency and the override itself share
+        // the exact same spec. To make this limitation easier to deal with,
+        // overrides may also be defined as a reference to a spec for a direct
+        // dependency by prefixing the name of the package you wish the version
+        // to match with a $.
+        // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
+        type === 'npm' && aliasMap.has(origPkgName) && `$${origPkgName}` || `npm:${regPkgName}@^${_semver.major(version)}`;
       }
-      updateManifestByAgent.npm(editablePkgJson, sortedOverrides);
-      updateManifestByAgent.yarn(editablePkgJson, sortedOverrides);
+    }
+  }
+  if (packageNames.size) {
+    editablePkgJson.update(Object.fromEntries(depEntries));
+    for (const {
+      type,
+      overrides
+    } of overridesDataObjects) {
+      updateManifestByAgent[type](editablePkgJson, (0, _sorts$1.toSortedObject)(overrides));
     }
     await editablePkgJson.save();
   }
@@ -1260,6 +1327,7 @@ const optimize = optimize$1.optimize = {
   }) {
     const commandContext = setupCommand$l(`${parentName} dependency optimize`, optimize.description, argv, importMeta);
     if (commandContext) {
+      const cwd = process.cwd();
       const {
         agent,
         agentExecPath,
@@ -1272,49 +1340,44 @@ const optimize = optimize$1.optimize = {
         pkgJson,
         supported
       } = await (0, _packageManagerDetector.detect)({
-        cwd: process.cwd(),
+        cwd,
         onUnknown(pkgManager) {
-          console.log(`⚠️ Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}: Defaulting to npm`);
+          console.log(`⚠️ ${COMMAND_TITLE}: Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`);
         }
       });
       if (!supported) {
-        console.log('✘ The engines.node range is not supported.');
+        console.log(`✘ ${COMMAND_TITLE}: Package engines.node range is not supported`);
+        return;
+      }
+      const lockName = lockPath ? _nodePath$2.basename(lockPath) : 'lock file';
+      if (lockSrc === undefined) {
+        console.log(`✘ ${COMMAND_TITLE}: No ${lockName} found`);
         return;
       }
       if (pkgJson === undefined) {
-        console.log('✘ No package.json found.');
+        console.log(`✘ ${COMMAND_TITLE}: No package.json found`);
         return;
       }
+      if (lockPath && _nodePath$2.relative(cwd, lockPath).startsWith('.')) {
+        console.log(`⚠️ ${COMMAND_TITLE}: Package ${lockName} found at ${lockPath}`);
+      }
       const aoState = {
         output: pkgJsonStr,
         packageNames: new Set()
       };
       if (lockSrc) {
-        const configs = agent === 'bun' ? [{
-          agent: 'npm',
-          lockIncludes: lockIncludesByAgent.yarn,
-          overrides: getManifestOverridesByAgent.npm(pkgJson)
-        }, {
-          agent: 'yarn',
-          lockIncludes: lockIncludesByAgent.yarn,
-          overrides: getManifestOverridesByAgent.yarn(pkgJson)
-        }] : [{
-          agent,
-          lockIncludes: lockIncludesByAgent[agent],
-          overrides: getManifestOverridesByAgent[agent](pkgJson)
-        }];
-        for (const config of configs) {
-          await addOverrides({
-            __proto__: null,
-            isPrivate,
-            isWorkspace,
-            lockSrc,
-            pkgJsonPath,
-            pkgJsonStr,
-            pkgJson,
-            ...config
-          }, aoState);
-        }
+        const lockIncludes = agent === 'bun' ? lockIncludesByAgent.yarn : lockIncludesByAgent[agent];
+        await addOverrides({
+          __proto__: null,
+          agent: agent === 'bun' ? 'yarn' : agent,
+          isPrivate,
+          isWorkspace,
+          lockIncludes,
+          lockSrc,
+          pkgJsonPath,
+          pkgJsonStr,
+          pkgJson
+        }, aoState);
       }
       const {
         size: count
@@ -1324,7 +1387,6 @@ const optimize = optimize$1.optimize = {
       } else {
         console.log('Congratulations! Already Socket.dev optimized 🎉');
       }
-      const lockName = lockPath ? _nodePath$2.basename(lockPath) : 'lock file';
       const isNpm = agent === 'npm';
       if (isNpm || count) {
         // Always update package-lock.json until the npm overrides PR lands:
@@ -1347,9 +1409,12 @@ const optimize = optimize$1.optimize = {
             });
           }
           spinner.stop();
+          if (isNpm) {
+            console.log(`💡 Re-run ${COMMAND_TITLE} whenever ${lockName} changes.\n   This can be skipped once npm ships https://github.com/npm/cli/pull/7025.`);
+          }
         } catch {
           spinner.stop();
-          console.log(`✘ socket ${agent} install: Failed to update ${lockName}`);
+          console.log(`✘ ${COMMAND_TITLE}: ${agent} install failed to update ${lockName}`);
         }
       }
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.14.6",
+  "version": "0.14.8",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli-js",
   "license": "MIT",
@@ -47,7 +47,7 @@
     "@npmcli/promise-spawn": "^8.0.1",
     "@socketregistry/hyrious__bun.lockb": "1.0.0",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.4",
+    "@socketsecurity/registry": "^1.0.8",
     "@socketsecurity/sdk": "^1.3.0",
     "ansi-align": "^3.0.1",
     "blessed": "^0.1.81",