@socketsecurity/cli 0.14.91 → 0.14.93

package/dist/module-sync/types.d.ts

@@ -13,6 +13,7 @@ type RangeStyle =
   | 'tilde'
 type FixOptions = {
   autoMerge?: boolean | undefined
+  autoPilot?: boolean | undefined
   cwd?: string | undefined
   rangeStyle?: RangeStyle | undefined
   spinner?: Spinner | undefined

package/dist/require/cli.js

@@ -417,7 +417,10 @@ ${mdTableStringNumber('Name', 'Counts', data['top_five_alert_types'])}
 }
 function displayAnalyticsScreen(data) {
   const ScreenWidget = _socketInterop(require('blessed/lib/widgets/screen'))
-  const screen = new ScreenWidget({})
+  // Lazily access constants.blessedOptions.
+  const screen = new ScreenWidget({
+    ...constants.blessedOptions
+  })
   const contrib = _socketInterop(require('blessed-contrib'))
   const grid = new contrib.grid({
     rows: 5,
@@ -912,7 +915,7 @@ function emitBanner(name) {
   logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-  const cliVersion = '0.14.91:5903afd:6fabd1c5:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  const cliVersion = '0.14.93:8908783:f86f0c84:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
   const nodeVersion = process$1.version
   const apiToken = shadowNpmInject.getDefaultToken()
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no'
@@ -3709,62 +3712,37 @@ const cmdDiffScan = {
   }
 }
 
-const {
-  GITHUB_ACTIONS,
-  GITHUB_REF_NAME,
-  GITHUB_REPOSITORY,
-  SOCKET_SECURITY_GITHUB_PAT
-} = constants
-async function branchExists(branch, cwd = process.cwd()) {
-  try {
-    await spawn.spawn(
-      'git',
-      ['show-ref', '--verify', '--quiet', `refs/heads/${branch}`],
-      {
-        cwd,
-        stdio: 'ignore'
-      }
-    )
-    return true
-  } catch {}
-  return false
-}
+const { GITHUB_REF_NAME } = constants
 async function checkoutBaseBranchIfAvailable(baseBranch, cwd = process.cwd()) {
   try {
-    const currentBranch = (
-      await spawn.spawn('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
-        cwd
-      })
-    ).stdout.trim()
-    if (currentBranch === baseBranch) {
-      logger.logger.info(`Already on ${baseBranch}`)
-      return
-    }
-    logger.logger.info(
-      `Switching branch from ${currentBranch} to ${baseBranch}...`
-    )
     await spawn.spawn('git', ['checkout', baseBranch], {
       cwd
     })
-    logger.logger.info(`Checked out ${baseBranch}`)
+    await spawn.spawn('git', ['reset', '--hard', `origin/${baseBranch}`], {
+      cwd
+    })
+    logger.logger.info(`Checked out and reset to ${baseBranch}`)
   } catch {
     logger.logger.warn(
       `Could not switch to ${baseBranch}. Proceeding with HEAD.`
     )
   }
 }
-function getGitHubRepoInfo() {
-  // Lazily access constants.ENV[GITHUB_REPOSITORY].
-  const ownerSlashRepo = constants.ENV[GITHUB_REPOSITORY]
-  const slashIndex = ownerSlashRepo.indexOf('/')
-  if (slashIndex === -1) {
-    throw new Error('GITHUB_REPOSITORY environment variable not set')
-  }
-  return {
-    owner: ownerSlashRepo.slice(0, slashIndex),
-    repo: ownerSlashRepo.slice(slashIndex + 1)
-  }
+function getBaseBranch() {
+  // Lazily access constants.ENV[GITHUB_REF_NAME].
+  return (
+    constants.ENV[GITHUB_REF_NAME] ??
+    // GitHub defaults to branch name "main"
+    // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
+    'main'
+  )
 }
+function getSocketBranchName(name, version) {
+  return `socket-fix-${name}-${version.replace(/\./g, '-')}`
+}
+
+const { GITHUB_ACTIONS, GITHUB_REPOSITORY, SOCKET_SECURITY_GITHUB_PAT } =
+  constants
 let _octokit
 function getOctokit() {
   if (_octokit === undefined) {
@@ -3775,6 +3753,16 @@ function getOctokit() {
   }
   return _octokit
 }
+async function doesPullRequestExistForBranch(owner, repo, branch) {
+  const octokit = getOctokit()
+  const { data: prs } = await octokit.pulls.list({
+    owner,
+    repo,
+    head: `${owner}:${branch}`,
+    state: 'open'
+  })
+  return prs.length > 0
+}
 async function enableAutoMerge(prResponseData) {
   const octokit = getOctokit()
   const { node_id: prId, number: prNumber } = prResponseData
@@ -3804,7 +3792,27 @@ async function enableAutoMerge(prResponseData) {
     logger.logger.error(`Failed to enable auto-merge for PR #${prNumber}:`, e)
   }
 }
-async function openGitHubPullRequest(name, targetVersion, cwd = process.cwd()) {
+function getGitHubRepoInfo() {
+  // Lazily access constants.ENV[GITHUB_REPOSITORY].
+  const ownerSlashRepo = constants.ENV[GITHUB_REPOSITORY]
+  const slashIndex = ownerSlashRepo.indexOf('/')
+  if (slashIndex === -1) {
+    throw new Error('GITHUB_REPOSITORY environment variable not set')
+  }
+  return {
+    owner: ownerSlashRepo.slice(0, slashIndex),
+    repo: ownerSlashRepo.slice(slashIndex + 1)
+  }
+}
+async function openGitHubPullRequest(
+  owner,
+  repo,
+  baseBranch,
+  branch,
+  name,
+  version,
+  cwd = process.cwd()
+) {
   // Lazily access constants.ENV[GITHUB_ACTIONS].
   if (constants.ENV[GITHUB_ACTIONS]) {
     // Lazily access constants.ENV[SOCKET_SECURITY_GITHUB_PAT].
@@ -3812,38 +3820,11 @@ async function openGitHubPullRequest(name, targetVersion, cwd = process.cwd()) {
     if (!pat) {
       throw new Error('Missing SOCKET_SECURITY_GITHUB_PAT environment variable')
     }
-    const baseBranch =
-      // Lazily access constants.ENV[GITHUB_REF_NAME].
-      constants.ENV[GITHUB_REF_NAME] ??
-      // GitHub defaults to branch name "main"
-      // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
-      'main'
-    const branch = `socket-fix-${name}-${targetVersion.replace(/\./g, '-')}`
-    const commitMsg = `chore: upgrade ${name} to ${targetVersion}`
-    const { owner, repo } = getGitHubRepoInfo()
+    const commitMsg = `chore: upgrade ${name} to ${version}`
     const url = `https://x-access-token:${pat}@github.com/${owner}/${repo}`
     await spawn.spawn('git', ['remote', 'set-url', 'origin', url], {
       cwd
     })
-    if (await branchExists(branch, cwd)) {
-      logger.logger.warn(
-        `Branch "${branch}" already exists. Skipping creation.`
-      )
-    } else {
-      await checkoutBaseBranchIfAvailable(baseBranch, cwd)
-      await spawn.spawn('git', ['checkout', '-b', branch], {
-        cwd
-      })
-      await spawn.spawn('git', ['add', 'package.json', 'pnpm-lock.yaml'], {
-        cwd
-      })
-      await spawn.spawn('git', ['commit', '-m', commitMsg], {
-        cwd
-      })
-      await spawn.spawn('git', ['push', '--set-upstream', 'origin', branch], {
-        cwd
-      })
-    }
     const octokit = getOctokit()
     return await octokit.pulls.create({
       owner,
@@ -3851,7 +3832,7 @@ async function openGitHubPullRequest(name, targetVersion, cwd = process.cwd()) {
       title: commitMsg,
       head: branch,
       base: baseBranch,
-      body: `[socket] Upgrade \`${name}\` to ${targetVersion}`
+      body: `[socket] Upgrade \`${name}\` to ${version}`
     })
   } else {
     throw new Error(
@@ -3941,92 +3922,102 @@ async function npmFix(
           continue
         }
         const oldSpec = `${name}@${oldVersion}`
-        let targetVersion
-        let failed = false
-        let installed = false
-        let saved = false
         if (
-          shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
+          !shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
         ) {
-          targetVersion = node.package.version
-          const fixSpec = `${name}@^${targetVersion}`
-          const revertData = {
-            ...(editablePkgJson.content.dependencies
-              ? {
-                  dependencies: editablePkgJson.content.dependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.optionalDependencies
-              ? {
-                  optionalDependencies:
-                    editablePkgJson.content.optionalDependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.peerDependencies
-              ? {
-                  peerDependencies: editablePkgJson.content.peerDependencies
-                }
-              : undefined)
+          spinner?.failAndStop(`Could not patch ${oldSpec}`)
+          return
+        }
+        const targetVersion = node.package.version
+        const fixSpec = `${name}@^${targetVersion}`
+        const revertData = {
+          ...(editablePkgJson.content.dependencies
+            ? {
+                dependencies: editablePkgJson.content.dependencies
+              }
+            : undefined),
+          ...(editablePkgJson.content.optionalDependencies
+            ? {
+                optionalDependencies:
+                  editablePkgJson.content.optionalDependencies
+              }
+            : undefined),
+          ...(editablePkgJson.content.peerDependencies
+            ? {
+                peerDependencies: editablePkgJson.content.peerDependencies
+              }
+            : undefined)
+        }
+        spinner?.info(`Installing ${fixSpec}`)
+        const { owner, repo } = getGitHubRepoInfo()
+        const baseBranch = getBaseBranch()
+        const branch = getSocketBranchName(name, targetVersion)
+
+        // eslint-disable-next-line no-await-in-loop
+        await checkoutBaseBranchIfAvailable(baseBranch, cwd)
+        let installed = false
+        let saved = false
+        try {
+          shadowNpmInject.updatePackageJsonFromNode(
+            editablePkgJson,
+            arb.idealTree,
+            node,
+            targetVersion,
+            rangeStyle
+          )
+          // eslint-disable-next-line no-await-in-loop
+          await editablePkgJson.save()
+          saved = true
+
+          // eslint-disable-next-line no-await-in-loop
+          await install$1(arb.idealTree, {
+            cwd
+          })
+          installed = true
+          if (test) {
+            spinner?.info(`Testing ${fixSpec}`)
+            // eslint-disable-next-line no-await-in-loop
+            await npm.runScript(testScript, [], {
+              spinner,
+              stdio: 'ignore'
+            })
           }
-          spinner?.info(`Installing ${fixSpec}`)
-          try {
-            shadowNpmInject.updatePackageJsonFromNode(
-              editablePkgJson,
-              arb.idealTree,
-              node,
-              targetVersion,
-              rangeStyle
-            )
+          spinner?.successAndStop(`Fixed ${name}`)
+          spinner?.start()
+        } catch {
+          spinner?.error(`Reverting ${fixSpec}`)
+          if (saved) {
+            editablePkgJson.update(revertData)
             // eslint-disable-next-line no-await-in-loop
             await editablePkgJson.save()
-            saved = true
-
+          }
+          if (installed) {
             // eslint-disable-next-line no-await-in-loop
-            await install$1(arb.idealTree, {
+            await install$1(revertTree, {
               cwd
             })
-            installed = true
-            if (test) {
-              spinner?.info(`Testing ${fixSpec}`)
-              // eslint-disable-next-line no-await-in-loop
-              await npm.runScript(testScript, [], {
-                spinner,
-                stdio: 'ignore'
-              })
-            }
-            spinner?.successAndStop(`Fixed ${name}`)
-            spinner?.start()
-          } catch {
-            failed = true
-            spinner?.error(`Reverting ${fixSpec}`)
-            if (saved) {
-              editablePkgJson.update(revertData)
-              // eslint-disable-next-line no-await-in-loop
-              await editablePkgJson.save()
-            }
-            if (installed) {
-              // eslint-disable-next-line no-await-in-loop
-              await install$1(revertTree, {
-                cwd
-              })
-            }
-            spinner?.failAndStop(`Failed to fix ${oldSpec}`)
           }
-        } else {
-          failed = true
-          spinner?.failAndStop(`Could not patch ${oldSpec}`)
+          spinner?.failAndStop(`Failed to fix ${oldSpec}`)
+          return
         }
         if (
-          !failed &&
-          // Check targetVersion to make TypeScript happy.
-          targetVersion &&
           // Lazily access constants.ENV[CI].
-          constants.ENV[CI$1]
+          constants.ENV[CI$1] &&
+          // eslint-disable-next-line no-await-in-loop
+          !(await doesPullRequestExistForBranch(owner, repo, branch))
         ) {
           let prResponse
           try {
             // eslint-disable-next-line no-await-in-loop
-            prResponse = await openGitHubPullRequest(name, targetVersion, cwd)
+            prResponse = await openGitHubPullRequest(
+              owner,
+              repo,
+              baseBranch,
+              branch,
+              name,
+              targetVersion,
+              cwd
+            )
           } catch (e) {
             logger.logger.error('Failed to open pull request', e)
           }
@@ -4337,122 +4328,133 @@ async function pnpmFix(
         const targetPackument = targetVersion
           ? packument.versions[targetVersion]
           : undefined
-        let failed = false
+        if (!(targetVersion && targetPackument)) {
+          spinner?.failAndStop(`Could not patch ${oldSpec}`)
+          return
+        }
+        const oldPnpm = editablePkgJson.content[PNPM$9]
+        const oldPnpmKeyCount = oldPnpm ? Object.keys(oldPnpm).length : 0
+        const oldOverrides = oldPnpm?.[OVERRIDES$2]
+        const oldOverridesCount = oldOverrides
+          ? Object.keys(oldOverrides).length
+          : 0
+        const overrideKey = `${node.name}@${vulnerableVersionRange}`
+        const overrideRange = shadowNpmInject.applyRange(
+          oldOverrides?.[overrideKey] ?? targetVersion,
+          targetVersion,
+          rangeStyle
+        )
+        const fixSpec = `${name}@${overrideRange}`
+        const updateData = {
+          [PNPM$9]: {
+            ...oldPnpm,
+            [OVERRIDES$2]: {
+              [overrideKey]: overrideRange,
+              ...oldOverrides
+            }
+          }
+        }
+        const revertData = {
+          [PNPM$9]: oldPnpmKeyCount
+            ? {
+                ...oldPnpm,
+                [OVERRIDES$2]:
+                  oldOverridesCount === 1
+                    ? undefined
+                    : {
+                        [overrideKey]: undefined,
+                        ...oldOverrides
+                      }
+              }
+            : undefined,
+          ...(editablePkgJson.content.dependencies
+            ? {
+                dependencies: editablePkgJson.content.dependencies
+              }
+            : undefined),
+          ...(editablePkgJson.content.optionalDependencies
+            ? {
+                optionalDependencies:
+                  editablePkgJson.content.optionalDependencies
+              }
+            : undefined),
+          ...(editablePkgJson.content.peerDependencies
+            ? {
+                peerDependencies: editablePkgJson.content.peerDependencies
+              }
+            : undefined)
+        }
+        spinner?.info(`Installing ${fixSpec}`)
+        const { owner, repo } = getGitHubRepoInfo()
+        const baseBranch = getBaseBranch()
+        const branch = getSocketBranchName(name, targetVersion)
+
+        // eslint-disable-next-line no-await-in-loop
+        await checkoutBaseBranchIfAvailable(baseBranch, cwd)
         let installed = false
         let saved = false
-        if (targetVersion && targetPackument) {
-          const oldPnpm = editablePkgJson.content[PNPM$9]
-          const oldPnpmKeyCount = oldPnpm ? Object.keys(oldPnpm).length : 0
-          const oldOverrides = oldPnpm?.[OVERRIDES$2]
-          const oldOverridesCount = oldOverrides
-            ? Object.keys(oldOverrides).length
-            : 0
-          const overrideKey = `${node.name}@${vulnerableVersionRange}`
-          const overrideRange = shadowNpmInject.applyRange(
-            oldOverrides?.[overrideKey] ?? targetVersion,
+        try {
+          editablePkgJson.update(updateData)
+          shadowNpmInject.updatePackageJsonFromNode(
+            editablePkgJson,
+            actualTree,
+            node,
             targetVersion,
             rangeStyle
           )
-          const fixSpec = `${name}@${overrideRange}`
-          const updateData = {
-            [PNPM$9]: {
-              ...oldPnpm,
-              [OVERRIDES$2]: {
-                [overrideKey]: overrideRange,
-                ...oldOverrides
-              }
-            }
-          }
-          const revertData = {
-            [PNPM$9]: oldPnpmKeyCount
-              ? {
-                  ...oldPnpm,
-                  [OVERRIDES$2]:
-                    oldOverridesCount === 1
-                      ? undefined
-                      : {
-                          [overrideKey]: undefined,
-                          ...oldOverrides
-                        }
-                }
-              : undefined,
-            ...(editablePkgJson.content.dependencies
-              ? {
-                  dependencies: editablePkgJson.content.dependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.optionalDependencies
-              ? {
-                  optionalDependencies:
-                    editablePkgJson.content.optionalDependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.peerDependencies
-              ? {
-                  peerDependencies: editablePkgJson.content.peerDependencies
-                }
-              : undefined)
+          // eslint-disable-next-line no-await-in-loop
+          await editablePkgJson.save()
+          saved = true
+
+          // eslint-disable-next-line no-await-in-loop
+          actualTree = await install(pkgEnvDetails, {
+            spinner
+          })
+          installed = true
+          if (test) {
+            spinner?.info(`Testing ${fixSpec}`)
+            // eslint-disable-next-line no-await-in-loop
+            await npm.runScript(testScript, [], {
+              spinner,
+              stdio: 'ignore'
+            })
           }
-          spinner?.info(`Installing ${fixSpec}`)
-          try {
-            editablePkgJson.update(updateData)
-            shadowNpmInject.updatePackageJsonFromNode(
-              editablePkgJson,
-              actualTree,
-              node,
-              targetVersion,
-              rangeStyle
-            )
+          spinner?.successAndStop(`Fixed ${name}`)
+          spinner?.start()
+        } catch (e) {
+          spinner?.error(`Reverting ${fixSpec}`, e)
+          if (saved) {
+            editablePkgJson.update(revertData)
             // eslint-disable-next-line no-await-in-loop
             await editablePkgJson.save()
-            saved = true
-
+          }
+          if (installed) {
             // eslint-disable-next-line no-await-in-loop
             actualTree = await install(pkgEnvDetails, {
               spinner
             })
-            installed = true
-            if (test) {
-              spinner?.info(`Testing ${fixSpec}`)
-              // eslint-disable-next-line no-await-in-loop
-              await npm.runScript(testScript, [], {
-                spinner,
-                stdio: 'ignore'
-              })
-            }
-            spinner?.successAndStop(`Fixed ${name}`)
-            spinner?.start()
-          } catch (e) {
-            failed = true
-            spinner?.error(`Reverting ${fixSpec}`, e)
-            if (saved) {
-              editablePkgJson.update(revertData)
-              // eslint-disable-next-line no-await-in-loop
-              await editablePkgJson.save()
-            }
-            if (installed) {
-              // eslint-disable-next-line no-await-in-loop
-              actualTree = await install(pkgEnvDetails, {
-                spinner
-              })
-            }
-            spinner?.failAndStop(`Failed to fix ${oldSpec}`)
           }
-        } else {
-          failed = true
-          spinner?.failAndStop(`Could not patch ${oldSpec}`)
+          spinner?.failAndStop(`Failed to fix ${oldSpec}`)
+          return
         }
         if (
-          !failed &&
-          // Check targetVersion to make TypeScript happy.
-          targetVersion &&
           // Lazily access constants.ENV[CI].
-          constants.ENV[CI]
+          constants.ENV[CI] &&
+          // eslint-disable-next-line no-await-in-loop
+          !(await doesPullRequestExistForBranch(owner, repo, branch))
         ) {
           let prResponse
           try {
             // eslint-disable-next-line no-await-in-loop
-            prResponse = await openGitHubPullRequest(name, targetVersion, cwd)
+            prResponse = await openGitHubPullRequest(
+              owner,
+              repo,
+              baseBranch,
+              branch,
+              name,
+              targetVersion,
+              cwd
+            )
           } catch (e) {
             logger.logger.error('Failed to open pull request', e)
           }
@@ -4900,9 +4902,14 @@ const config$z = {
   hidden: true,
   flags: {
     ...commonFlags,
+    autoPilot: {
+      type: 'boolean',
+      default: false,
+      description: `Shorthand for --autoMerge --test`
+    },
     autoMerge: {
       type: 'boolean',
-      default: true,
+      default: false,
       description: `Enable auto-merge for pull requests that Socket opens.\n                        See ${terminalLink('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
     },
     rangeStyle: {
@@ -4921,7 +4928,7 @@ const config$z = {
     },
     test: {
       type: 'boolean',
-      default: true,
+      default: false,
       description: 'Verify the fix by running unit tests'
     },
     testScript: {
@@ -4968,6 +4975,7 @@ async function run$z(argv, importMeta, { parentName }) {
   const { spinner } = constants
   await runFix({
     autoMerge: Boolean(cli.flags['autoMerge']),
+    autoPilot: Boolean(cli.flags['autoPilot']),
     spinner,
     rangeStyle: cli.flags['rangeStyle'] ?? undefined,
     test: Boolean(cli.flags['test']),
@@ -10838,7 +10846,10 @@ async function outputThreatFeed(data, { outputKind }) {
 
   // Note: this temporarily takes over the terminal (just like `man` does).
   const ScreenWidget = _socketInterop(require('blessed/lib/widgets/screen'))
-  const screen = new ScreenWidget()
+  // Lazily access constants.blessedOptions.
+  const screen = new ScreenWidget({
+    ...constants.blessedOptions
+  })
   // Register these keys first so you can always exit, even when it gets stuck
   // If we don't do this and the code crashes, the user must hard-kill the
   // node process just to exit it. That's very bad UX.
@@ -11345,7 +11356,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: '0.14.91',
+    version: '0.14.93',
     ttl: 86_400_000 /* 24 hours in milliseconds */
   })
   try {
@@ -11413,5 +11424,5 @@ void (async () => {
     await shadowNpmInject.captureException(e)
   }
 })()
-//# debugId=50c051d7-90c1-4ddf-b9ac-42c7cd92a24a
+//# debugId=e6ff3392-76c6-4336-9b51-e880fc6dca06
 //# sourceMappingURL=cli.js.map