@socketsecurity/cli 0.5.3 → 0.6.0

package/lib/shadow/link.cjs

@@ -4,6 +4,11 @@ const path = require('path')
 
 const which = require('which')
 
+if (process.platform === 'win32') {
+  console.error('Socket npm and socket npx wrapper Windows suppport is limited to WSL at this time.')
+  process.exit(1)
+}
+
 /**
  * @param {string} realDirname path to shadow/bin
  * @param {'npm' | 'npx'} binname

package/lib/shadow/npm-injection.cjs

@@ -1,5 +1,5 @@
-// THIS MUST BE CJS TO WORK WITH --require
 /* eslint-disable no-console */
+// THIS MUST BE CJS TO WORK WITH --require
 'use strict'
 
 const fs = require('fs')
@@ -7,15 +7,56 @@ const path = require('path')
 const https = require('https')
 const events = require('events')
 const rl = require('readline')
+const { PassThrough } = require('stream')
 const oraPromise = import('ora')
 const isInteractivePromise = import('is-interactive')
+const chalkPromise = import('chalk')
 const chalkMarkdownPromise = import('../utils/chalk-markdown.js')
+const ipc_version = require('../../package.json').version
+
+try {
+  // due to update-notifier pkg being ESM only we actually spawn a subprocess sadly
+  require('child_process').spawnSync(process.execPath, [
+    path.join(__dirname, 'update-notifier.mjs')
+  ], {
+    stdio: 'inherit'
+  })
+} catch (e) {
+  // ignore if update notification fails
+}
+
+/**
+ * @typedef {import('stream').Readable} Readable
+ */
+/**
+ * @typedef {import('stream').Writable} Writable
+ */
 
 const pubToken = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
 
 // shadow `npm` and `npx` to mitigate subshells
 require('./link.cjs')(fs.realpathSync(path.join(__dirname, 'bin')), 'npm')
 
+/**
+ *
+ * @param {string} pkgid
+ * @returns {{name: string, version: string}}
+ */
+const pkgidParts = (pkgid) => {
+  const delimiter = pkgid.lastIndexOf('@')
+  const name = pkgid.slice(0, delimiter)
+  const version = pkgid.slice(delimiter + 1)
+  return { name, version }
+}
+
+/**
+ * @typedef PURLParts
+ * @property {'npm'} type
+ * @property {string} namespace_and_name
+ * @property {string} version
+ * @property {URL['href']} repository_url
+ */
+
 /**
  * @param {string[]} pkgids
  * @returns {AsyncGenerator<{eco: string, pkg: string, ver: string } & ({type: 'missing'} | {type: 'success', value: { issues: any[] }})>}
@@ -25,9 +66,7 @@ async function * batchScan (
 ) {
   const query = {
     packages: pkgids.map(pkgid => {
-      const delimiter = pkgid.lastIndexOf('@')
-      const name = pkgid.slice(0, delimiter)
-      const version = pkgid.slice(delimiter + 1)
+      const { name, version } = pkgidParts(pkgid)
       return {
         eco: 'npm', pkg: name, ver: version, top: true
       }
@@ -65,6 +104,10 @@ let translations = null
  */
 let formatter = null
 
+const ttyServerPromise = chalkPromise.then(chalk => {
+  return createTTYServer(chalk.default.level)
+})
+
 const npmEntrypoint = fs.realpathSync(`${process.argv[1]}`)
 /**
  * @param {string} filepath
@@ -82,6 +125,8 @@ function findRoot (filepath) {
 }
 const npmDir = findRoot(path.dirname(npmEntrypoint))
 const arboristLibClassPath = path.join(npmDir, 'node_modules', '@npmcli', 'arborist', 'lib', 'arborist', 'index.js')
+const npmlog = require(path.join(npmDir, 'node_modules', 'npmlog', 'lib', 'log.js'))
+
 /**
  * @type {typeof import('@npmcli/arborist')}
  */
@@ -96,11 +141,11 @@ class SafeArborist extends Arborist {
   constructor (...ctorArgs) {
     const mutedArguments = [{
       ...(ctorArgs[0] ?? {}),
+      audit: true,
       dryRun: true,
       ignoreScripts: true,
       save: false,
       saveBundle: false,
-      audit: false,
       // progress: false,
       fund: false
     }, ctorArgs.slice(1)]
@@ -140,39 +185,72 @@ class SafeArborist extends Arborist {
     const diff = gatherDiff(this)
     // @ts-expect-error types are wrong
     args[0].dryRun = old.dryRun
-    // @ts-expect-error types are wrong
     args[0].save = old.save
-    // @ts-expect-error types are wrong
     args[0].saveBundle = old.saveBundle
-    // nothing to check, mmm already installed?
-    if (diff.check.length === 0 && diff.unknowns.length === 0) {
+    // nothing to check, mmm already installed or all private?
+    if (diff.findIndex(c => c.newPackage.repository_url === 'https://registry.npmjs.org') === -1) {
       return this[kRiskyReify](...args)
     }
-    const isInteractive = (await isInteractivePromise).default()
-    if (isInteractive) {
-      const ora = (await oraPromise).default
-      const risky = await packagesHaveRiskyIssues(diff.check, ora)
-      if (risky) {
-        const rl = require('readline')
-        const rli = rl.createInterface(process.stdin, process.stderr)
-        while (true) {
-          /**
-           * @type {string}
-           */
-          const answer = await new Promise((resolve) => {
-            rli.question('Accept risks of installing these packages (y/N)? ', (str) => resolve(str))
+    const ttyServer = await ttyServerPromise
+    const proceed = await ttyServer.captureTTY(async (input, output, colorLevel) => {
+      if (input) {
+        const chalkNS = await chalkPromise
+        chalkNS.default.level = colorLevel
+        const oraNS = await oraPromise
+        const ora = () => {
+          return oraNS.default({
+            stream: output,
+            color: 'cyan',
+            isEnabled: true,
+            isSilent: false,
+            hideCursor: true,
+            discardStdin: true,
+            spinner: oraNS.spinners.dots,
           })
-          if (/^\s*y(es)?\s*$/i.test(answer)) {
-            break
-          } else if (/^(\s*no?\s*|)$/i.test(answer)) {
-            throw new Error('Socket npm exiting due to risks')
+        }
+        const risky = await packagesHaveRiskyIssues(this.registry, diff, ora, input, output)
+        if (!risky) {
+          return true
+        }
+        const rl = require('readline')
+        const rlin = new PassThrough()
+        input.pipe(rlin, {
+          end: true
+        })
+        const rlout = new PassThrough()
+        rlout.pipe(output, {
+          end: false
+        })
+        const rli = rl.createInterface(rlin, rlout)
+        try {
+          while (true) {
+            /**
+             * @type {string}
+             */
+            const answer = await new Promise((resolve) => {
+              rli.question('Accept risks of installing these packages (y/N)? ', (str) => resolve(str))
+            })
+            if (/^\s*y(es)?\s*$/i.test(answer)) {
+              return true
+            } else if (/^(\s*no?\s*|)$/i.test(answer)) {
+              return false
+            }
           }
+        } finally {
+          rli.close()
+        }
+      } else {
+        if (await packagesHaveRiskyIssues(this.registry, diff, null, null, output)) {
+          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
         }
+        return true
       }
+      return false
+    })
+    if (proceed) {
       return this[kRiskyReify](...args)
     } else {
-      await packagesHaveRiskyIssues(diff.check)
-      throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
+      throw new Error('Socket npm exiting due to risks')
     }
   }
 }
@@ -180,34 +258,18 @@ class SafeArborist extends Arborist {
 require.cache[arboristLibClassPath].exports = SafeArborist
 
 /**
- * @param {InstanceType<typeof Arborist>} arb
- * @returns {{
+ * @typedef {{
  *   check: InstallEffect[],
  *   unknowns: InstallEffect[]
- * }}
+ * }} InstallDiff
+ */
+
+/**
+ * @param {InstanceType<typeof Arborist>} arb
+ * @returns {InstallEffect[]}
  */
 function gatherDiff (arb) {
-  // TODO: make this support private registry complexities
-  const registry = arb.registry
-  /**
-   * @type {InstallEffect[]}
-   */
-  const unknowns = []
-  /**
-   * @type {InstallEffect[]}
-   */
-  const check = []
-  for (const node of walk(arb.diff)) {
-    if (node.resolved?.startsWith(registry)) {
-      check.push(node)
-    } else {
-      unknowns.push(node)
-    }
-  }
-  return {
-    check,
-    unknowns
-  }
+  return walk(arb.diff)
 }
 /**
  * @typedef InstallEffect
@@ -216,6 +278,8 @@ function gatherDiff (arb) {
  * @property {import('@npmcli/arborist').Node['pkgid']} pkgid
  * @property {import('@npmcli/arborist').Node['resolved']} resolved
  * @property {import('@npmcli/arborist').Node['location']} location
+ * @property {PURLParts | null} oldPackage
+ * @property {PURLParts} newPackage
  */
 /**
  * @param {import('@npmcli/arborist').Diff | null} diff
@@ -243,13 +307,36 @@ function walk (diff, needInfoOn = []) {
     }
     if (keep) {
       if (diff.ideal?.pkgid) {
-        needInfoOn.push({
-          existing,
-          action: diff.action,
-          location: diff.ideal.location,
-          pkgid: diff.ideal.pkgid,
-          resolved: diff.ideal.resolved
-        })
+        /**
+         *
+         * @param {string} pkgid - `pkg@ver`
+         * @param {string} resolved - tarball link, should match `/name/-/name-ver.tgz` as tail, used to obtain repository_url
+         * @returns {PURLParts}
+         */
+        function toPURL (pkgid, resolved) {
+          const repo = resolved
+            .replace(/#[\s\S]*$/u, '')
+            .replace(/\?[\s\S]*$/u, '')
+            .replace(/\/[^/]*\/-\/[\s\S]*$/u, '')
+          const { name, version } = pkgidParts(pkgid)
+          return {
+            type: 'npm',
+            namespace_and_name: name,
+            version,
+            repository_url: repo
+          }
+        }
+        if (diff.ideal.resolved && (!diff.actual || diff.actual.resolved)) {
+          needInfoOn.push({
+            existing,
+            action: diff.action,
+            location: diff.ideal.location,
+            pkgid: diff.ideal.pkgid,
+            newPackage: toPURL(diff.ideal.pkgid, diff.ideal.resolved),
+            oldPackage: diff.actual && diff.actual.resolved ? toPURL(diff.actual.pkgid, diff.actual.resolved) : null,
+            resolved: diff.ideal.resolved,
+          })
+        }
       }
     }
   }
@@ -262,11 +349,14 @@ function walk (diff, needInfoOn = []) {
 }
 
 /**
+ * @param {string} registry
  * @param {InstallEffect[]} pkgs
  * @param {import('ora')['default'] | null} ora
+ * @param {Readable | null} input
+ * @param {Writable} ora
  * @returns {Promise<boolean>}
  */
-async function packagesHaveRiskyIssues (pkgs, ora = null) {
+async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, output) {
   let failed = false
   if (pkgs.length) {
     let remaining = pkgs.length
@@ -277,7 +367,7 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
     function getText () {
       return `Looking up data for ${remaining} packages`
     }
-    const spinner = ora ? ora(getText()).start() : null
+    const spinner = ora ? ora().start(getText()) : null
     const pkgDatas = []
     try {
       for await (const pkgData of batchScan(pkgs.map(pkg => pkg.pkgid))) {
@@ -326,7 +416,7 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
           formatter ??= new ((await chalkMarkdownPromise).ChalkOrMarkdown)(false)
           const name = pkgData.pkg
           const version = pkgData.ver
-          console.error(`${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:`)
+          output.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:\n`)
           if (translations) {
             for (const failure of failures) {
               const type = failure.type
@@ -335,8 +425,8 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
                 const issueTypeTranslation = translations.issues[type]
                 // TODO: emoji seems to misalign terminals sometimes
                 // @ts-ignore
-                const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}`
-                console.error(msg)
+                const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}\n`
+                output.write(msg)
               }
             }
           }
@@ -349,8 +439,6 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
           if (spinner) {
             spinner.text = getText()
           }
-        } else {
-          spinner?.stop()
         }
         pkgDatas.push(pkgData)
       }
@@ -367,3 +455,195 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
     return false
   }
 }
+
+/**
+ * @param {import('chalk')['default']['level']} colorLevel
+ * @returns {Promise<{ captureTTY<RET extends any>(mutexFn: (input: Readable | null, output: Writable, colorLevel: import('chalk')['default']['level']) => Promise<RET>): Promise<RET> }>}
+ */
+async function createTTYServer (colorLevel) {
+  const TTY_IPC = process.env.SOCKET_SECURITY_TTY_IPC
+  const net = require('net')
+  /**
+   * @type {import('readline')}
+   */
+  let readline
+  const isSTDINInteractive = (await isInteractivePromise).default({
+    stream: process.stdin
+  })
+  if (!isSTDINInteractive && TTY_IPC) {
+    return {
+      async captureTTY (mutexFn) {
+        return new Promise((resolve, reject) => {
+          const conn = net.createConnection({
+            path: TTY_IPC
+          }).on('error', reject)
+          let captured = false
+          const bufs = []
+          conn.on('data', function awaitCapture (chunk) {
+            bufs.push(chunk)
+            const lineBuff = Buffer.concat(bufs)
+            try {
+              if (!captured) {
+                const EOL = lineBuff.indexOf('\n'.charCodeAt(0))
+                if (EOL !== -1) {
+                  conn.removeListener('data', awaitCapture)
+                  conn.push(lineBuff.slice(EOL + 1))
+                  lineBuff = null
+                  captured = true
+                  const {
+                    ipc_version: remote_ipc_version,
+                    capabilities: { input: hasInput, output: hasOutput, colorLevel: ipcColorLevel }
+                  } = JSON.parse(lineBuff.slice(0, EOL).toString('utf-8'))
+                  if (remote_ipc_version !== ipc_version) {
+                    throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.')
+                  }
+                  const input = hasInput ? new PassThrough() : null
+                  input.pause()
+                  conn.pipe(input)
+                  const output = hasOutput ? new PassThrough() : null
+                  output.pipe(conn)
+                  // make ora happy
+                  // @ts-ignore
+                  output.isTTY = true
+                  // @ts-ignore
+                  output.cursorTo = function cursorTo (x, y, callback) {
+                    readline = readline || require('readline')
+                    readline.cursorTo(this, x, y, callback)
+                  }
+                  // @ts-ignore
+                  output.clearLine = function clearLine (dir, callback) {
+                    readline = readline || require('readline')
+                    readline.clearLine(this, dir, callback)
+                  }
+                  mutexFn(hasInput ? input : null, hasOutput ? output : null, ipcColorLevel)
+                    .then(resolve, reject)
+                    .finally(() => {
+                      conn.unref()
+                      conn.end()
+                      input.end()
+                      output.end()
+                      // process.exit(13)
+                    })
+                }
+              }
+            } catch (e) {
+              reject(e)
+            }
+          })
+        })
+      }
+    }
+  }
+  const pendingCaptures = []
+  let captured = false
+  const sock = path.join(require('os').tmpdir(), `socket-security-tty-${process.pid}.sock`)
+  process.env.SOCKET_SECURITY_TTY_IPC = sock
+  try {
+    await require('fs/promises').unlink(sock)
+  } catch (e) {
+    if (e.code !== 'ENOENT') {
+      throw e
+    }
+  }
+  process.on('exit', () => {
+    ttyServer.close()
+    try {
+      require('fs').unlinkSync(sock)
+    } catch (e) {
+      if (e.code !== 'ENOENT') {
+        throw e
+      }
+    }
+  })
+  const input = isSTDINInteractive ? process.stdin : null
+  const output = process.stderr
+  const ttyServer = await new Promise((resolve, reject) => {
+    const server = net.createServer(async (conn) => {
+      if (captured) {
+        const captured = new Promise((resolve) => {
+          pendingCaptures.push({
+            resolve
+          })
+        })
+        await captured
+      } else {
+        captured = true
+      }
+      const wasProgressEnabled = npmlog.progressEnabled
+      npmlog.pause()
+      if (wasProgressEnabled) {
+        npmlog.disableProgress()
+      }
+      conn.write(`${JSON.stringify({
+        ipc_version,
+        capabilities: {
+          input: Boolean(input),
+          output: true,
+          colorLevel
+        }
+      })}\n`)
+      conn.on('data', (data) => {
+        output.write(data)
+      })
+      conn.on('error', (e) => {
+        output.write(`there was an error prompting from a subshell (${e.message}), socket npm closing`)
+        process.exit(1)
+      })
+      input.on('data', (data) => {
+        conn.write(data)
+      })
+      input.on('end', () => {
+        conn.unref()
+        conn.end()
+        if (wasProgressEnabled) {
+          npmlog.enableProgress()
+        }
+        npmlog.resume()
+        nextCapture()
+      })
+    }).listen(sock, (err) => {
+      if (err) reject(err)
+      else resolve(server)
+    }).unref()
+  })
+  /**
+   *
+   */
+  function nextCapture () {
+    if (pendingCaptures.length > 0) {
+      const nextCapture = pendingCaptures.shift()
+      nextCapture.resolve()
+    } else {
+      captured = false
+    }
+  }
+  return {
+    async captureTTY (mutexFn) {
+      if (captured) {
+        const captured = new Promise((resolve) => {
+          pendingCaptures.push({
+            resolve
+          })
+        })
+        await captured
+      } else {
+        captured = true
+      }
+      const wasProgressEnabled = npmlog.progressEnabled
+      try {
+        npmlog.pause()
+        if (wasProgressEnabled) {
+          npmlog.disableProgress()
+        }
+        // need await here for proper finally timing
+        return await mutexFn(input, output, colorLevel)
+      } finally {
+        if (wasProgressEnabled) {
+          npmlog.enableProgress()
+        }
+        npmlog.resume()
+        nextCapture()
+      }
+    }
+  }
+}

package/lib/shadow/update-notifier.mjs

@@ -0,0 +1,3 @@
+// ESM entrypoint doesn't work w/ --require, this needs to be done w/ a spawnSync sadly
+import { initUpdateNotifier } from '../utils/update-notifier.js'
+initUpdateNotifier()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.5.3",
+  "version": "0.6.0",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli-js",
   "repository": {
@@ -47,7 +47,7 @@
     "@tsconfig/node14": "^1.0.3",
     "@types/chai": "^4.3.3",
     "@types/chai-as-promised": "^7.1.5",
-    "@types/mocha": "^10.0.0",
+    "@types/mocha": "^10.0.1",
     "@types/mock-fs": "^4.13.1",
     "@types/node": "^14.18.31",
     "@types/npm": "^7.19.0",

package/lib/shadow/global.d.ts

@@ -1,3 +0,0 @@
-declare module 'hyperlinker' {
-  export = (msg: string, href: URL['href']) => string
-}