@socketsecurity/cli 0.5.4 → 0.7.1

package/lib/commands/index.js

@@ -2,3 +2,5 @@ export * from './info/index.js'
 export * from './report/index.js'
 export * from './npm/index.js'
 export * from './npx/index.js'
+export * from './login/index.js'
+export * from './logout/index.js'

package/lib/commands/login/index.js

@@ -0,0 +1,66 @@
+import isInteractive from 'is-interactive'
+import meow from 'meow'
+import ora from 'ora'
+import prompts from 'prompts'
+
+import { ChalkOrMarkdown } from '../../utils/chalk-markdown.js'
+import { AuthError, InputError } from '../../utils/errors.js'
+import { setupSdk } from '../../utils/sdk.js'
+import { getSetting, updateSetting } from '../../utils/settings.js'
+
+const description = 'Socket API login'
+
+/** @type {import('../../utils/meow-with-subcommands').CliSubcommand} */
+export const login = {
+  description,
+  run: async (argv, importMeta, { parentName }) => {
+    const name = parentName + ' login'
+    const cli = meow(`
+      Usage
+        $ ${name}
+
+      Logs into the Socket API by prompting for an API key
+
+      Examples
+        $ ${name}
+    `, {
+      argv,
+      description,
+      importMeta,
+    })
+
+    if (cli.input.length) cli.showHelp()
+
+    if (!isInteractive()) {
+      throw new InputError('cannot prompt for credentials in a non-interactive shell')
+    }
+    const format = new ChalkOrMarkdown(false)
+    const { apiKey } = await prompts({
+      type: 'password',
+      name: 'apiKey',
+      message: `Enter your ${format.hyperlink(
+        'Socket.dev API key',
+        'https://docs.socket.dev/docs/api-keys'
+      )}`,
+    })
+
+    if (!apiKey) {
+      ora('API key not updated').warn()
+      return
+    }
+
+    const spinner = ora('Verifying API key...').start()
+
+    const oldKey = getSetting('apiKey')
+    updateSetting('apiKey', apiKey)
+    try {
+      const sdk = await setupSdk()
+      const quota = await sdk.getQuota()
+      if (!quota.success) throw new AuthError()
+      spinner.succeed(`API key ${oldKey ? 'updated' : 'set'}`)
+    } catch (e) {
+      updateSetting('apiKey', oldKey)
+      spinner.fail('Invalid API key')
+    }
+  }
+}

package/lib/commands/logout/index.js

@@ -0,0 +1,32 @@
+import meow from 'meow'
+import ora from 'ora'
+
+import { updateSetting } from '../../utils/settings.js'
+
+const description = 'Socket API logout'
+
+/** @type {import('../../utils/meow-with-subcommands').CliSubcommand} */
+export const logout = {
+  description,
+  run: async (argv, importMeta, { parentName }) => {
+    const name = parentName + ' logout'
+    const cli = meow(`
+      Usage
+        $ ${name}
+
+      Logs out of the Socket API and clears all Socket credentials from disk
+
+      Examples
+        $ ${name}
+    `, {
+      argv,
+      description,
+      importMeta,
+    })
+
+    if (cli.input.length) cli.showHelp()
+
+    updateSetting('apiKey', null)
+    ora('Successfully logged out').succeed()
+  }
+}

package/lib/commands/report/create.js

@@ -181,7 +181,17 @@ async function setupCommand (name, description, argv, importMeta) {
       }
     })
 
-  const packagePaths = await getPackageFiles(cwd, cli.input, config, debugLog)
+  // TODO: setupSdk(getDefaultKey() || FREE_API_KEY)
+  const socketSdk = await setupSdk()
+  const supportedFiles = await socketSdk.getReportSupportedFiles()
+    .then(res => {
+      if (!res.success) handleUnsuccessfulApiResponse('getReportSupportedFiles', res, ora())
+      return res.data
+    }).catch(cause => {
+      throw new ErrorWithCause('Failed getting supported files for report', { cause })
+    })
+
+  const packagePaths = await getPackageFiles(cwd, cli.input, config, supportedFiles, debugLog)
 
   return {
     config,

package/lib/shadow/npm-injection.cjs

@@ -1,5 +1,5 @@
-// THIS MUST BE CJS TO WORK WITH --require
 /* eslint-disable no-console */
+// THIS MUST BE CJS TO WORK WITH --require
 'use strict'
 
 const fs = require('fs')
@@ -7,15 +7,59 @@ const path = require('path')
 const https = require('https')
 const events = require('events')
 const rl = require('readline')
+const { PassThrough } = require('stream')
 const oraPromise = import('ora')
 const isInteractivePromise = import('is-interactive')
+const chalkPromise = import('chalk')
 const chalkMarkdownPromise = import('../utils/chalk-markdown.js')
+const settingsPromise = import('../utils/settings.js')
+const ipc_version = require('../../package.json').version
+
+try {
+  // due to update-notifier pkg being ESM only we actually spawn a subprocess sadly
+  require('child_process').spawnSync(process.execPath, [
+    path.join(__dirname, 'update-notifier.mjs')
+  ], {
+    stdio: 'inherit'
+  })
+} catch (e) {
+  // ignore if update notification fails
+}
+
+/**
+ * @typedef {import('stream').Readable} Readable
+ */
+/**
+ * @typedef {import('stream').Writable} Writable
+ */
 
-const pubToken = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+const pubTokenPromise = settingsPromise.then(({ getSetting }) =>
+  getSetting('apiKey') || 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+);
 
 // shadow `npm` and `npx` to mitigate subshells
 require('./link.cjs')(fs.realpathSync(path.join(__dirname, 'bin')), 'npm')
 
+/**
+ *
+ * @param {string} pkgid
+ * @returns {{name: string, version: string}}
+ */
+const pkgidParts = (pkgid) => {
+  const delimiter = pkgid.lastIndexOf('@')
+  const name = pkgid.slice(0, delimiter)
+  const version = pkgid.slice(delimiter + 1)
+  return { name, version }
+}
+
+/**
+ * @typedef PURLParts
+ * @property {'npm'} type
+ * @property {string} namespace_and_name
+ * @property {string} version
+ * @property {URL['href']} repository_url
+ */
+
 /**
  * @param {string[]} pkgids
  * @returns {AsyncGenerator<{eco: string, pkg: string, ver: string } & ({type: 'missing'} | {type: 'success', value: { issues: any[] }})>}
@@ -23,11 +67,10 @@ require('./link.cjs')(fs.realpathSync(path.join(__dirname, 'bin')), 'npm')
 async function * batchScan (
   pkgids
 ) {
+  const pubToken = await pubTokenPromise
   const query = {
     packages: pkgids.map(pkgid => {
-      const delimiter = pkgid.lastIndexOf('@')
-      const name = pkgid.slice(0, delimiter)
-      const version = pkgid.slice(delimiter + 1)
+      const { name, version } = pkgidParts(pkgid)
       return {
         eco: 'npm', pkg: name, ver: version, top: true
       }
@@ -65,6 +108,10 @@ let translations = null
  */
 let formatter = null
 
+const ttyServerPromise = chalkPromise.then(chalk => {
+  return createTTYServer(chalk.default.level)
+})
+
 const npmEntrypoint = fs.realpathSync(`${process.argv[1]}`)
 /**
  * @param {string} filepath
@@ -82,6 +129,8 @@ function findRoot (filepath) {
 }
 const npmDir = findRoot(path.dirname(npmEntrypoint))
 const arboristLibClassPath = path.join(npmDir, 'node_modules', '@npmcli', 'arborist', 'lib', 'arborist', 'index.js')
+const npmlog = require(path.join(npmDir, 'node_modules', 'npmlog', 'lib', 'log.js'))
+
 /**
  * @type {typeof import('@npmcli/arborist')}
  */
@@ -96,11 +145,11 @@ class SafeArborist extends Arborist {
   constructor (...ctorArgs) {
     const mutedArguments = [{
       ...(ctorArgs[0] ?? {}),
+      audit: true,
       dryRun: true,
       ignoreScripts: true,
       save: false,
       saveBundle: false,
-      audit: false,
       // progress: false,
       fund: false
     }, ctorArgs.slice(1)]
@@ -140,39 +189,72 @@ class SafeArborist extends Arborist {
     const diff = gatherDiff(this)
     // @ts-expect-error types are wrong
     args[0].dryRun = old.dryRun
-    // @ts-expect-error types are wrong
     args[0].save = old.save
-    // @ts-expect-error types are wrong
     args[0].saveBundle = old.saveBundle
-    // nothing to check, mmm already installed?
-    if (diff.check.length === 0 && diff.unknowns.length === 0) {
+    // nothing to check, mmm already installed or all private?
+    if (diff.findIndex(c => c.newPackage.repository_url === 'https://registry.npmjs.org') === -1) {
       return this[kRiskyReify](...args)
     }
-    const isInteractive = (await isInteractivePromise).default()
-    if (isInteractive) {
-      const ora = (await oraPromise).default
-      const risky = await packagesHaveRiskyIssues(diff.check, ora)
-      if (risky) {
-        const rl = require('readline')
-        const rli = rl.createInterface(process.stdin, process.stderr)
-        while (true) {
-          /**
-           * @type {string}
-           */
-          const answer = await new Promise((resolve) => {
-            rli.question('Accept risks of installing these packages (y/N)? ', (str) => resolve(str))
+    const ttyServer = await ttyServerPromise
+    const proceed = await ttyServer.captureTTY(async (input, output, colorLevel) => {
+      if (input) {
+        const chalkNS = await chalkPromise
+        chalkNS.default.level = colorLevel
+        const oraNS = await oraPromise
+        const ora = () => {
+          return oraNS.default({
+            stream: output,
+            color: 'cyan',
+            isEnabled: true,
+            isSilent: false,
+            hideCursor: true,
+            discardStdin: true,
+            spinner: oraNS.spinners.dots,
           })
-          if (/^\s*y(es)?\s*$/i.test(answer)) {
-            break
-          } else if (/^(\s*no?\s*|)$/i.test(answer)) {
-            throw new Error('Socket npm exiting due to risks')
+        }
+        const risky = await packagesHaveRiskyIssues(this.registry, diff, ora, input, output)
+        if (!risky) {
+          return true
+        }
+        const rl = require('readline')
+        const rlin = new PassThrough()
+        input.pipe(rlin, {
+          end: true
+        })
+        const rlout = new PassThrough()
+        rlout.pipe(output, {
+          end: false
+        })
+        const rli = rl.createInterface(rlin, rlout)
+        try {
+          while (true) {
+            /**
+             * @type {string}
+             */
+            const answer = await new Promise((resolve) => {
+              rli.question('Accept risks of installing these packages (y/N)? ', (str) => resolve(str))
+            })
+            if (/^\s*y(es)?\s*$/i.test(answer)) {
+              return true
+            } else if (/^(\s*no?\s*|)$/i.test(answer)) {
+              return false
+            }
           }
+        } finally {
+          rli.close()
+        }
+      } else {
+        if (await packagesHaveRiskyIssues(this.registry, diff, null, null, output)) {
+          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
         }
+        return true
       }
+      return false
+    })
+    if (proceed) {
       return this[kRiskyReify](...args)
     } else {
-      await packagesHaveRiskyIssues(diff.check)
-      throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
+      throw new Error('Socket npm exiting due to risks')
     }
   }
 }
@@ -180,34 +262,18 @@ class SafeArborist extends Arborist {
 require.cache[arboristLibClassPath].exports = SafeArborist
 
 /**
- * @param {InstanceType<typeof Arborist>} arb
- * @returns {{
+ * @typedef {{
  *   check: InstallEffect[],
  *   unknowns: InstallEffect[]
- * }}
+ * }} InstallDiff
+ */
+
+/**
+ * @param {InstanceType<typeof Arborist>} arb
+ * @returns {InstallEffect[]}
  */
 function gatherDiff (arb) {
-  // TODO: make this support private registry complexities
-  const registry = arb.registry
-  /**
-   * @type {InstallEffect[]}
-   */
-  const unknowns = []
-  /**
-   * @type {InstallEffect[]}
-   */
-  const check = []
-  for (const node of walk(arb.diff)) {
-    if (node.resolved?.startsWith(registry)) {
-      check.push(node)
-    } else {
-      unknowns.push(node)
-    }
-  }
-  return {
-    check,
-    unknowns
-  }
+  return walk(arb.diff)
 }
 /**
  * @typedef InstallEffect
@@ -216,6 +282,8 @@ function gatherDiff (arb) {
  * @property {import('@npmcli/arborist').Node['pkgid']} pkgid
  * @property {import('@npmcli/arborist').Node['resolved']} resolved
  * @property {import('@npmcli/arborist').Node['location']} location
+ * @property {PURLParts | null} oldPackage
+ * @property {PURLParts} newPackage
  */
 /**
  * @param {import('@npmcli/arborist').Diff | null} diff
@@ -243,13 +311,36 @@ function walk (diff, needInfoOn = []) {
     }
     if (keep) {
       if (diff.ideal?.pkgid) {
-        needInfoOn.push({
-          existing,
-          action: diff.action,
-          location: diff.ideal.location,
-          pkgid: diff.ideal.pkgid,
-          resolved: diff.ideal.resolved
-        })
+        /**
+         *
+         * @param {string} pkgid - `pkg@ver`
+         * @param {string} resolved - tarball link, should match `/name/-/name-ver.tgz` as tail, used to obtain repository_url
+         * @returns {PURLParts}
+         */
+        function toPURL (pkgid, resolved) {
+          const repo = resolved
+            .replace(/#[\s\S]*$/u, '')
+            .replace(/\?[\s\S]*$/u, '')
+            .replace(/\/[^/]*\/-\/[\s\S]*$/u, '')
+          const { name, version } = pkgidParts(pkgid)
+          return {
+            type: 'npm',
+            namespace_and_name: name,
+            version,
+            repository_url: repo
+          }
+        }
+        if (diff.ideal.resolved && (!diff.actual || diff.actual.resolved)) {
+          needInfoOn.push({
+            existing,
+            action: diff.action,
+            location: diff.ideal.location,
+            pkgid: diff.ideal.pkgid,
+            newPackage: toPURL(diff.ideal.pkgid, diff.ideal.resolved),
+            oldPackage: diff.actual && diff.actual.resolved ? toPURL(diff.actual.pkgid, diff.actual.resolved) : null,
+            resolved: diff.ideal.resolved,
+          })
+        }
       }
     }
   }
@@ -262,11 +353,14 @@ function walk (diff, needInfoOn = []) {
 }
 
 /**
+ * @param {string} registry
  * @param {InstallEffect[]} pkgs
  * @param {import('ora')['default'] | null} ora
+ * @param {Readable | null} input
+ * @param {Writable} ora
  * @returns {Promise<boolean>}
  */
-async function packagesHaveRiskyIssues (pkgs, ora = null) {
+async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, output) {
   let failed = false
   if (pkgs.length) {
     let remaining = pkgs.length
@@ -277,7 +371,7 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
     function getText () {
       return `Looking up data for ${remaining} packages`
     }
-    const spinner = ora ? ora(getText()).start() : null
+    const spinner = ora ? ora().start(getText()) : null
     const pkgDatas = []
     try {
       for await (const pkgData of batchScan(pkgs.map(pkg => pkg.pkgid))) {
@@ -326,7 +420,7 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
           formatter ??= new ((await chalkMarkdownPromise).ChalkOrMarkdown)(false)
           const name = pkgData.pkg
           const version = pkgData.ver
-          console.error(`${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:`)
+          output.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:\n`)
           if (translations) {
             for (const failure of failures) {
               const type = failure.type
@@ -335,8 +429,8 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
                 const issueTypeTranslation = translations.issues[type]
                 // TODO: emoji seems to misalign terminals sometimes
                 // @ts-ignore
-                const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}`
-                console.error(msg)
+                const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}\n`
+                output.write(msg)
               }
             }
           }
@@ -349,8 +443,6 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
           if (spinner) {
             spinner.text = getText()
           }
-        } else {
-          spinner?.stop()
         }
         pkgDatas.push(pkgData)
       }
@@ -367,3 +459,195 @@ async function packagesHaveRiskyIssues (pkgs, ora = null) {
     return false
   }
 }
+
+/**
+ * @param {import('chalk')['default']['level']} colorLevel
+ * @returns {Promise<{ captureTTY<RET extends any>(mutexFn: (input: Readable | null, output: Writable, colorLevel: import('chalk')['default']['level']) => Promise<RET>): Promise<RET> }>}
+ */
+async function createTTYServer (colorLevel) {
+  const TTY_IPC = process.env.SOCKET_SECURITY_TTY_IPC
+  const net = require('net')
+  /**
+   * @type {import('readline')}
+   */
+  let readline
+  const isSTDINInteractive = (await isInteractivePromise).default({
+    stream: process.stdin
+  })
+  if (!isSTDINInteractive && TTY_IPC) {
+    return {
+      async captureTTY (mutexFn) {
+        return new Promise((resolve, reject) => {
+          const conn = net.createConnection({
+            path: TTY_IPC
+          }).on('error', reject)
+          let captured = false
+          const bufs = []
+          conn.on('data', function awaitCapture (chunk) {
+            bufs.push(chunk)
+            const lineBuff = Buffer.concat(bufs)
+            try {
+              if (!captured) {
+                const EOL = lineBuff.indexOf('\n'.charCodeAt(0))
+                if (EOL !== -1) {
+                  conn.removeListener('data', awaitCapture)
+                  conn.push(lineBuff.slice(EOL + 1))
+                  lineBuff = null
+                  captured = true
+                  const {
+                    ipc_version: remote_ipc_version,
+                    capabilities: { input: hasInput, output: hasOutput, colorLevel: ipcColorLevel }
+                  } = JSON.parse(lineBuff.slice(0, EOL).toString('utf-8'))
+                  if (remote_ipc_version !== ipc_version) {
+                    throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.')
+                  }
+                  const input = hasInput ? new PassThrough() : null
+                  input.pause()
+                  conn.pipe(input)
+                  const output = hasOutput ? new PassThrough() : null
+                  output.pipe(conn)
+                  // make ora happy
+                  // @ts-ignore
+                  output.isTTY = true
+                  // @ts-ignore
+                  output.cursorTo = function cursorTo (x, y, callback) {
+                    readline = readline || require('readline')
+                    readline.cursorTo(this, x, y, callback)
+                  }
+                  // @ts-ignore
+                  output.clearLine = function clearLine (dir, callback) {
+                    readline = readline || require('readline')
+                    readline.clearLine(this, dir, callback)
+                  }
+                  mutexFn(hasInput ? input : null, hasOutput ? output : null, ipcColorLevel)
+                    .then(resolve, reject)
+                    .finally(() => {
+                      conn.unref()
+                      conn.end()
+                      input.end()
+                      output.end()
+                      // process.exit(13)
+                    })
+                }
+              }
+            } catch (e) {
+              reject(e)
+            }
+          })
+        })
+      }
+    }
+  }
+  const pendingCaptures = []
+  let captured = false
+  const sock = path.join(require('os').tmpdir(), `socket-security-tty-${process.pid}.sock`)
+  process.env.SOCKET_SECURITY_TTY_IPC = sock
+  try {
+    await require('fs/promises').unlink(sock)
+  } catch (e) {
+    if (e.code !== 'ENOENT') {
+      throw e
+    }
+  }
+  process.on('exit', () => {
+    ttyServer.close()
+    try {
+      require('fs').unlinkSync(sock)
+    } catch (e) {
+      if (e.code !== 'ENOENT') {
+        throw e
+      }
+    }
+  })
+  const input = isSTDINInteractive ? process.stdin : null
+  const output = process.stderr
+  const ttyServer = await new Promise((resolve, reject) => {
+    const server = net.createServer(async (conn) => {
+      if (captured) {
+        const captured = new Promise((resolve) => {
+          pendingCaptures.push({
+            resolve
+          })
+        })
+        await captured
+      } else {
+        captured = true
+      }
+      const wasProgressEnabled = npmlog.progressEnabled
+      npmlog.pause()
+      if (wasProgressEnabled) {
+        npmlog.disableProgress()
+      }
+      conn.write(`${JSON.stringify({
+        ipc_version,
+        capabilities: {
+          input: Boolean(input),
+          output: true,
+          colorLevel
+        }
+      })}\n`)
+      conn.on('data', (data) => {
+        output.write(data)
+      })
+      conn.on('error', (e) => {
+        output.write(`there was an error prompting from a subshell (${e.message}), socket npm closing`)
+        process.exit(1)
+      })
+      input.on('data', (data) => {
+        conn.write(data)
+      })
+      input.on('end', () => {
+        conn.unref()
+        conn.end()
+        if (wasProgressEnabled) {
+          npmlog.enableProgress()
+        }
+        npmlog.resume()
+        nextCapture()
+      })
+    }).listen(sock, (err) => {
+      if (err) reject(err)
+      else resolve(server)
+    }).unref()
+  })
+  /**
+   *
+   */
+  function nextCapture () {
+    if (pendingCaptures.length > 0) {
+      const nextCapture = pendingCaptures.shift()
+      nextCapture.resolve()
+    } else {
+      captured = false
+    }
+  }
+  return {
+    async captureTTY (mutexFn) {
+      if (captured) {
+        const captured = new Promise((resolve) => {
+          pendingCaptures.push({
+            resolve
+          })
+        })
+        await captured
+      } else {
+        captured = true
+      }
+      const wasProgressEnabled = npmlog.progressEnabled
+      try {
+        npmlog.pause()
+        if (wasProgressEnabled) {
+          npmlog.disableProgress()
+        }
+        // need await here for proper finally timing
+        return await mutexFn(input, output, colorLevel)
+      } finally {
+        if (wasProgressEnabled) {
+          npmlog.enableProgress()
+        }
+        npmlog.resume()
+        nextCapture()
+      }
+    }
+  }
+}

package/lib/shadow/update-notifier.mjs

@@ -0,0 +1,3 @@
+// ESM entrypoint doesn't work w/ --require, this needs to be done w/ a spawnSync sadly
+import { initUpdateNotifier } from '../utils/update-notifier.js'
+initUpdateNotifier()

package/lib/utils/api-helpers.js

@@ -8,7 +8,7 @@ import { AuthError } from './errors.js'
  * @param {T} _name
  * @param {import('@socketsecurity/sdk').SocketSdkErrorType<T>} result
  * @param {import('ora').Ora} spinner
- * @returns {void}
+ * @returns {never}
  */
 export function handleUnsuccessfulApiResponse (_name, result, spinner) {
   const resultError = 'error' in result && result.error && typeof result.error === 'object' ? result.error : {}

package/lib/utils/path-resolve.js

@@ -5,17 +5,12 @@ import { globby } from 'globby'
 import ignore from 'ignore'
 // @ts-ignore This package provides no types
 import { directories } from 'ignore-by-default'
+import micromatch from 'micromatch'
 import { ErrorWithCause } from 'pony-cause'
 
 import { InputError } from './errors.js'
 import { isErrnoException } from './type-helpers.js'
 
-/** @type {readonly string[]} */
-const SUPPORTED_LOCKFILES = [
-  'package-lock.json',
-  'yarn.lock',
-]
-
 /**
  * There are a lot of possible folders that we should not be looking in and "ignore-by-default" helps us with defining those
  *
@@ -23,10 +18,17 @@ const SUPPORTED_LOCKFILES = [
  */
 const ignoreByDefault = directories()
 
-/** @type {readonly string[]} */
-const GLOB_IGNORE = [
-  ...ignoreByDefault.map(item => '**/' + item)
-]
+/** @type {import('globby').Options} */
+const BASE_GLOBBY_OPTS = {
+  absolute: true,
+  expandDirectories: false,
+  gitignore: true,
+  ignore: [
+    ...ignoreByDefault.map(item => '**/' + item)
+  ],
+  markDirectories: true,
+  unique: true,
+}
 
 /**
  * Resolves package.json and lockfiles from (globbed) input paths, applying relevant ignores
@@ -34,28 +36,24 @@ const GLOB_IGNORE = [
  * @param {string} cwd The working directory to use when resolving paths
  * @param {string[]} inputPaths A list of paths to folders, package.json files and/or recognized lockfiles. Supports globs.
  * @param {import('@socketsecurity/config').SocketYml|undefined} config
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @param {typeof console.error} debugLog
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function getPackageFiles (cwd, inputPaths, config, debugLog) {
+export async function getPackageFiles (cwd, inputPaths, config, supportedFiles, debugLog) {
   debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths)
 
   // TODO: Does not support `~/` paths
   const entries = await globby(inputPaths, {
-    absolute: true,
+    ...BASE_GLOBBY_OPTS,
     cwd,
-    expandDirectories: false,
-    gitignore: true,
-    ignore: [...GLOB_IGNORE],
-    markDirectories: true,
-    onlyFiles: false,
-    unique: true,
+    onlyFiles: false
   })
 
   debugLog(`Globbed resolved ${inputPaths.length} paths to ${entries.length} paths:`, entries)
 
-  const packageFiles = await mapGlobResultToFiles(entries)
+  const packageFiles = await mapGlobResultToFiles(entries, supportedFiles)
 
   debugLog(`Mapped ${entries.length} entries to ${packageFiles.length} files:`, packageFiles)
 
@@ -73,11 +71,14 @@ export async function getPackageFiles (cwd, inputPaths, config, debugLog) {
  * Takes paths to folders, package.json and/or recognized lock files and resolves them to package.json + lockfile pairs (where possible)
  *
  * @param {string[]} entries
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function mapGlobResultToFiles (entries) {
-  const packageFiles = await Promise.all(entries.map(mapGlobEntryToFiles))
+export async function mapGlobResultToFiles (entries, supportedFiles) {
+  const packageFiles = await Promise.all(
+    entries.map(entry => mapGlobEntryToFiles(entry, supportedFiles))
+  )
 
   const uniquePackageFiles = [...new Set(packageFiles.flat())]
 
@@ -88,46 +89,58 @@ export async function mapGlobResultToFiles (entries) {
  * Takes a single path to a folder, package.json or a recognized lock file and resolves to a package.json + lockfile pair (where possible)
  *
  * @param {string} entry
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<'getReportSupportedFiles'>['data']} supportedFiles
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function mapGlobEntryToFiles (entry) {
+export async function mapGlobEntryToFiles (entry, supportedFiles) {
   /** @type {string|undefined} */
-  let pkgFile
-  /** @type {string|undefined} */
-  let lockFile
-
+  let pkgJSFile
+  /** @type {string[]} */
+  let jsLockFiles = []
+  /** @type {string[]} */
+  let pyFiles = []
+
+  const jsSupported = supportedFiles['npm'] || {}
+  const jsLockFilePatterns = Object.keys(jsSupported)
+    .filter(key => key !== 'packagejson')
+    .map(key => /** @type {{ pattern: string }} */ (jsSupported[key]).pattern)
+
+  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {}).map(p => p.pattern)
   if (entry.endsWith('/')) {
     // If the match is a folder and that folder contains a package.json file, then include it
     const filePath = path.resolve(entry, 'package.json')
-    pkgFile = await fileExists(filePath) ? filePath : undefined
-  } else if (path.basename(entry) === 'package.json') {
-    // If the match is a package.json file, then include it
-    pkgFile = entry
-  } else if (SUPPORTED_LOCKFILES.includes(path.basename(entry))) {
-    // If the match is a lock file, include both it and the corresponding package.json file
-    lockFile = entry
-    pkgFile = path.resolve(path.dirname(entry), 'package.json')
+    if (await fileExists(filePath)) pkgJSFile = filePath
+    pyFiles = await globby(pyFilePatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: entry
+    })
+  } else {
+    const entryFile = path.basename(entry)
+
+    if (entryFile === 'package.json') {
+      // If the match is a package.json file, then include it
+      pkgJSFile = entry
+    } else if (micromatch.isMatch(entryFile, jsLockFilePatterns)) {
+      jsLockFiles = [entry]
+      pkgJSFile = path.resolve(path.dirname(entry), 'package.json')
+      if (!(await fileExists(pkgJSFile))) return []
+    } else if (micromatch.isMatch(entryFile, pyFilePatterns)) {
+      pyFiles = [entry]
+    }
   }
 
   // If we will include a package.json file but don't already have a corresponding lockfile, then look for one
-  if (!lockFile && pkgFile) {
-    const pkgDir = path.dirname(pkgFile)
-
-    for (const name of SUPPORTED_LOCKFILES) {
-      const lockFileAlternative = path.resolve(pkgDir, name)
-      if (await fileExists(lockFileAlternative)) {
-        lockFile = lockFileAlternative
-        break
-      }
-    }
-  }
+  if (!jsLockFiles.length && pkgJSFile) {
+    const pkgDir = path.dirname(pkgJSFile)
 
-  if (pkgFile && lockFile) {
-    return [pkgFile, lockFile]
+    jsLockFiles = await globby(jsLockFilePatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: pkgDir
+    })
   }
 
-  return pkgFile ? [pkgFile] : []
+  return [...jsLockFiles, ...pyFiles].concat(pkgJSFile ? [pkgJSFile] : [])
 }
 
 /**

package/lib/utils/sdk.js

@@ -7,28 +7,27 @@ import isInteractive from 'is-interactive'
 import prompts from 'prompts'
 
 import { AuthError } from './errors.js'
+import { getSetting } from './settings.js'
 
 /**
- * The API key should be stored globally for the duration of the CLI execution
+ * This API key should be stored globally for the duration of the CLI execution
  *
  * @type {string | undefined}
  */
-let apiKey
+let sessionAPIKey
 
 /** @returns {Promise<import('@socketsecurity/sdk').SocketSdk>} */
 export async function setupSdk () {
-  if (!apiKey) {
-    apiKey = process.env['SOCKET_SECURITY_API_KEY']
-  }
+  let apiKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || sessionAPIKey
 
   if (!apiKey && isInteractive()) {
     const input = await prompts({
       type: 'password',
       name: 'apiKey',
-      message: 'Enter your Socket.dev API key',
+      message: 'Enter your Socket.dev API key (not saved)',
     })
 
-    apiKey = input.apiKey
+    apiKey = sessionAPIKey = input.apiKey
   }
 
   if (!apiKey) {

package/lib/utils/settings.js

@@ -0,0 +1,57 @@
+import * as fs from 'fs'
+import * as os from 'os'
+import * as path from 'path'
+
+import ora from 'ora'
+
+let dataHome = process.platform === 'win32'
+  ? process.env['LOCALAPPDATA']
+  : process.env['XDG_DATA_HOME']
+
+if (!dataHome) {
+  if (process.platform === 'win32') throw new Error('missing %LOCALAPPDATA%')
+  const home = os.homedir()
+  dataHome = path.join(home, ...(process.platform === 'darwin'
+    ? ['Library', 'Application Support']
+    : ['.local', 'share']
+  ))
+}
+
+const settingsPath = path.join(dataHome, 'socket', 'settings')
+
+/** @type {{apiKey?: string | null}} */
+let settings = {}
+
+if (fs.existsSync(settingsPath)) {
+  const raw = fs.readFileSync(settingsPath, 'utf-8')
+  try {
+    settings = JSON.parse(Buffer.from(raw, 'base64').toString())
+  } catch (e) {
+    ora(`Failed to parse settings at ${settingsPath}`).warn()
+  }
+} else {
+  fs.mkdirSync(path.dirname(settingsPath), { recursive: true })
+}
+
+/**
+ * @template {keyof typeof settings} Key
+ * @param {Key} key
+ * @returns {typeof settings[Key]}
+ */
+export function getSetting (key) {
+  return settings[key]
+}
+
+/**
+ * @template {keyof typeof settings} Key
+ * @param {Key} key
+ * @param {typeof settings[Key]} value
+ * @returns {void}
+ */
+export function updateSetting (key, value) {
+  settings[key] = value
+  fs.writeFileSync(
+    settingsPath,
+    Buffer.from(JSON.stringify(settings)).toString('base64')
+  )
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.5.4",
+  "version": "0.7.1",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli-js",
   "repository": {
@@ -43,11 +43,12 @@
     "test": "run-s check test:*"
   },
   "devDependencies": {
-    "@socketsecurity/eslint-config": "^2.0.0",
+    "@socketsecurity/eslint-config": "^3.0.1",
     "@tsconfig/node14": "^1.0.3",
     "@types/chai": "^4.3.3",
     "@types/chai-as-promised": "^7.1.5",
-    "@types/mocha": "^10.0.0",
+    "@types/micromatch": "^4.0.2",
+    "@types/mocha": "^10.0.1",
     "@types/mock-fs": "^4.13.1",
     "@types/node": "^14.18.31",
     "@types/npm": "^7.19.0",
@@ -84,7 +85,7 @@
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
     "@socketsecurity/config": "^2.0.0",
-    "@socketsecurity/sdk": "^0.5.4",
+    "@socketsecurity/sdk": "^0.6.0",
     "chalk": "^5.1.2",
     "globby": "^13.1.3",
     "hpagent": "^1.2.0",
@@ -93,6 +94,7 @@
     "is-interactive": "^2.0.0",
     "is-unicode-supported": "^1.3.0",
     "meow": "^11.0.0",
+    "micromatch": "^4.0.5",
     "ora": "^6.1.2",
     "pony-cause": "^2.1.8",
     "prompts": "^2.4.2",

package/lib/shadow/global.d.ts

@@ -1,3 +0,0 @@
-declare module 'hyperlinker' {
-  export = (msg: string, href: URL['href']) => string
-}