@socketsecurity/cli 0.14.7 → 0.14.9

package/dist/cli.js

@@ -878,6 +878,7 @@ async function findUp(name, {
     for (const name of names) {
       const filePath = _nodePath$4.join(dir, name);
       try {
+        // eslint-disable-next-line no-await-in-loop
         const stats = await _nodeFs$4.promises.stat(filePath);
         if (stats.isFile()) {
           return filePath;
@@ -1051,7 +1052,10 @@ async function detect({
     }
     const nodeRange = (0, _objects$1.getOwn)(pkgJson['engines'], 'node');
     if ((0, _strings.isNonEmptyString)(nodeRange)) {
-      node = MAINTAINED_NODE_VERSIONS.some(v => _semver$1.satisfies(v, nodeRange));
+      node = MAINTAINED_NODE_VERSIONS.some(v => {
+        const coerced = _semver$1.coerce(nodeRange);
+        coerced && _semver$1.satisfies(coerced, `^${v}`);
+      });
     }
     const browserslistQuery = (0, _objects$1.getOwn)(pkgJson, 'browserslist');
     if (Array.isArray(browserslistQuery)) {
@@ -1061,7 +1065,10 @@ async function detect({
         browser = browserslistTargets.length !== browserslistNodeTargets.length;
       }
       if (node === undefined && browserslistNodeTargets.length) {
-        node = MAINTAINED_NODE_VERSIONS.some(r => browserslistNodeTargets.some(v => _semver$1.satisfies(v, `^${r}`)));
+        node = MAINTAINED_NODE_VERSIONS.some(v => browserslistNodeTargets.some(t => {
+          const coerced = _semver$1.coerce(t);
+          return coerced && _semver$1.satisfies(coerced, `^${v}`);
+        }));
       }
     }
     if (browser !== undefined) {
@@ -1257,12 +1264,16 @@ async function addOverrides({
   } : undefined]].filter(({
     1: o
   }) => o);
-  const overridesDataObjects = [getOverridesDataByAgent['npm'](editablePkgJson.content)];
-  const isApp = isPrivate || isWorkspace;
-  const overridesData = !isApp || agent !== 'npm' ? getOverridesDataByAgent[isApp ? agent : 'yarn'](editablePkgJson.content) : undefined;
-  if (overridesData) {
-    overridesDataObjects.push(overridesData);
+  const overridesDataObjects = [];
+  if (isPrivate || isWorkspace) {
+    const data = getOverridesDataByAgent[agent](editablePkgJson.content);
+    if (data) {
+      overridesDataObjects.push(data);
+    }
+  } else {
+    overridesDataObjects.push(getOverridesDataByAgent['npm'](editablePkgJson.content), getOverridesDataByAgent['yarn'](editablePkgJson.content));
   }
+  const aliasMap = new Map();
   for (const {
     1: data
   } of availableOverrides) {
@@ -1274,20 +1285,36 @@ async function addOverrides({
     for (const {
       1: depObj
     } of depEntries) {
-      const pkgSpec = depObj[origPkgName];
+      let pkgSpec = depObj[origPkgName];
       if (pkgSpec) {
-        if (!pkgSpec.startsWith(`npm:${regPkgName}@`)) {
+        // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
+        // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
+        const overrideSpecPrefix = `npm:${regPkgName}@`;
+        if (!pkgSpec.startsWith(overrideSpecPrefix)) {
+          aliasMap.set(regPkgName, pkgSpec);
+        } else {
           packageNames.add(regPkgName);
-          depObj[origPkgName] = `npm:${regPkgName}@^${version}`;
+          pkgSpec = `${overrideSpecPrefix}^${version}`;
+          depObj[origPkgName] = pkgSpec;
         }
+        aliasMap.set(origPkgName, pkgSpec);
       }
     }
     for (const {
+      type,
       overrides
     } of overridesDataObjects) {
-      if (overrides && !(0, _objects.hasOwn)(overrides, origPkgName) && lockIncludes(lockSrc, origPkgName)) {
+      if (!(0, _objects.hasOwn)(overrides, origPkgName) && lockIncludes(lockSrc, origPkgName)) {
         packageNames.add(regPkgName);
-        overrides[origPkgName] = `npm:${regPkgName}@^${_semver.major(version)}`;
+        overrides[origPkgName] =
+        // With npm you may not set an override for a package that you directly
+        // depend on unless both the dependency and the override itself share
+        // the exact same spec. To make this limitation easier to deal with,
+        // overrides may also be defined as a reference to a spec for a direct
+        // dependency by prefixing the name of the package you wish the version
+        // to match with a $.
+        // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
+        type === 'npm' && aliasMap.has(origPkgName) && `$${origPkgName}` || `npm:${regPkgName}@^${_semver.major(version)}`;
       }
     }
   }
@@ -1706,6 +1733,7 @@ async function fetchReportData(reportId, {
   let result;
   for (let retry = 1; !result; ++retry) {
     try {
+      // eslint-disable-next-line no-await-in-loop
       result = await (0, _apiHelpers$g.handleApiCall)(socketSdk.getReport(reportId), 'fetching report');
     } catch (err) {
       if (retry >= MAX_TIMEOUT_RETRY || !(err instanceof _ponyCause$3.ErrorWithCause) || err.cause?.cause?.response?.statusCode !== 524) {

package/dist/npm-injection.js

@@ -451,6 +451,7 @@ const ttyServer = (0, _ttyServer.createTTYServer)(_chalk.default.level, (0, _isI
 let _uxLookup;
 async function uxLookup(settings) {
   while (_uxLookup === undefined) {
+    // eslint-disable-next-line no-await-in-loop
     await (0, _promises.setTimeout)(1, {
       signal: abortSignal
     });
@@ -637,6 +638,7 @@ async function packagesHaveRiskyIssues(safeArb, _registry, pkgs, output) {
       } else {
         let blocked = false;
         for (const failure of pkgData.value.issues) {
+          // eslint-disable-next-line no-await-in-loop
           const ux = await uxLookup({
             package: {
               name,
@@ -655,6 +657,7 @@ async function packagesHaveRiskyIssues(safeArb, _registry, pkgs, output) {
             // already existed in the old version if they did, be quiet.
             const pkg = pkgs.find(pkg => pkg.pkgid === id && pkg.existing?.startsWith(`${name}@`));
             if (pkg?.existing) {
+              // eslint-disable-next-line no-await-in-loop
               for await (const oldPkgData of batchScan([pkg.existing])) {
                 if (oldPkgData.type === 'success') {
                   failures = failures.filter(issue => oldPkgData.value.issues.find(oldIssue => oldIssue.type === issue.raw.type) == null);
@@ -1101,6 +1104,7 @@ class SafeArborist extends Arborist {
           const rli = _nodeReadline.createInterface(rlin, rlout);
           try {
             while (true) {
+              // eslint-disable-next-line no-await-in-loop
               const answer = await new Promise(resolve => {
                 rli.question('Accept risks of installing these packages (y/N)?\n', {
                   signal: abortSignal

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.14.7",
+  "version": "0.14.9",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli-js",
   "license": "MIT",
@@ -41,11 +41,11 @@
   },
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
-    "@cyclonedx/cdxgen": "^10.10.4",
+    "@cyclonedx/cdxgen": "^10.10.6",
     "@inquirer/prompts": "^7.0.0",
     "@npmcli/package-json": "6.0.1",
-    "@npmcli/promise-spawn": "^8.0.1",
-    "@socketregistry/hyrious__bun.lockb": "1.0.0",
+    "@npmcli/promise-spawn": "^8.0.2",
+    "@socketregistry/hyrious__bun.lockb": "1.0.1",
     "@socketsecurity/config": "^2.1.3",
     "@socketsecurity/registry": "^1.0.8",
     "@socketsecurity/sdk": "^1.3.0",
@@ -67,7 +67,7 @@
     "ignore": "^6.0.2",
     "ini": "5.0.0",
     "onetime": "^7.0.0",
-    "pacote": "^19.0.0",
+    "pacote": "^20.0.0",
     "pony-cause": "^2.1.11",
     "rc": "1.2.8",
     "registry-auth-token": "^5.0.2",
@@ -90,8 +90,9 @@
     "@babel/preset-env": "^7.25.8",
     "@babel/preset-typescript": "^7.25.7",
     "@babel/runtime": "^7.25.7",
-    "@eslint/compat": "^1.2.0",
-    "@rollup/plugin-commonjs": "^28.0.0",
+    "@eslint/compat": "^1.2.1",
+    "@eslint/js": "^9.13.0",
+    "@rollup/plugin-commonjs": "^28.0.1",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^15.3.0",
     "@rollup/plugin-replace": "^6.0.1",
@@ -100,7 +101,7 @@
     "@types/micromatch": "^4.0.9",
     "@types/mocha": "^10.0.9",
     "@types/mock-fs": "^4.13.4",
-    "@types/node": "^22.7.5",
+    "@types/node": "^22.7.7",
     "@types/npmcli__arborist": "^5.6.11",
     "@types/npmcli__package-json": "^4.0.4",
     "@types/npmcli__promise-spawn": "^6.0.3",
@@ -108,35 +109,36 @@
     "@types/update-notifier": "^6.0.8",
     "@types/which": "^3.0.4",
     "@types/yargs-parser": "^21.0.3",
-    "@typescript-eslint/eslint-plugin": "^8.8.1",
-    "@typescript-eslint/parser": "^8.8.1",
+    "@typescript-eslint/eslint-plugin": "^8.10.0",
+    "@typescript-eslint/parser": "^8.10.0",
     "c8": "^10.1.2",
     "chalk": "^5.3.0",
-    "eslint": "^9.12.0",
+    "eslint": "^9.13.0",
     "eslint-plugin-depend": "^0.11.0",
+    "eslint-plugin-unicorn": "^56.0.0",
     "globby": "^14.0.2",
     "husky": "^9.1.6",
     "is-interactive": "^2.0.0",
     "is-unicode-supported": "^2.1.0",
     "knip": "^5.33.3",
-    "magic-string": "^0.30.11",
+    "magic-string": "^0.30.12",
     "meow": "^13.2.0",
-    "mock-fs": "^5.3.0",
+    "mock-fs": "^5.4.0",
     "nock": "^13.5.5",
     "normalize-package-data": "^7.0.0",
-    "npm-run-all2": "^6.2.3",
+    "npm-run-all2": "^6.2.4",
     "open": "^10.1.0",
     "ora": "^8.1.0",
-    "oxlint": "^0.9.10",
+    "oxlint": "0.9.10",
     "prettier": "3.3.3",
     "read-package-up": "^11.0.0",
     "rollup": "4.24.0",
     "rollup-plugin-ts": "^3.4.5",
     "tap": "^21.0.1",
     "terminal-link": "^3.0.0",
-    "type-coverage": "^2.29.1",
+    "type-coverage": "^2.29.7",
     "typescript": "5.4.5",
-    "typescript-eslint": "^8.8.1",
+    "typescript-eslint": "^8.10.0",
     "unplugin-purge-polyfills": "^0.0.7",
     "update-notifier": "^7.3.1",
     "validate-npm-package-name": "^6.0.0"