@socketsecurity/lib 1.1.2 → 1.3.0

package/dist/dlx-package.js

@@ -0,0 +1,151 @@
+/* Socket Lib - Built with esbuild */
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var dlx_package_exports = {};
+__export(dlx_package_exports, {
+  dlxPackage: () => dlxPackage
+});
+module.exports = __toCommonJS(dlx_package_exports);
+var import_node_crypto = require("node:crypto");
+var import_node_fs = require("node:fs");
+var import_node_path = __toESM(require("node:path"));
+var import_platform = require("./constants/platform");
+var import_fs = require("./fs");
+var import_path = require("./path");
+var import_paths = require("./paths");
+var import_spawn = require("./spawn");
+const rangeOperatorsRegExp = /[~^><=xX* ]|\|\|/;
+function generatePackageCacheKey(packageSpec) {
+  return (0, import_node_crypto.createHash)("sha256").update(packageSpec).digest("hex").slice(0, 16);
+}
+function parsePackageSpec(spec) {
+  if (spec.startsWith("@")) {
+    const parts = spec.split("@");
+    if (parts.length === 3) {
+      return { name: parts[1], version: parts[2] };
+    }
+    if (parts.length === 2) {
+      return { name: `@${parts[1]}`, version: void 0 };
+    }
+    const scopeAndName = `@${parts[1]}`;
+    return { name: scopeAndName, version: parts[2] };
+  }
+  const atIndex = spec.lastIndexOf("@");
+  if (atIndex === -1) {
+    return { name: spec, version: void 0 };
+  }
+  return {
+    name: spec.slice(0, atIndex),
+    version: spec.slice(atIndex + 1)
+  };
+}
+async function ensurePackageInstalled(packageSpec, packageName, force) {
+  const cacheKey = generatePackageCacheKey(packageSpec);
+  const packageDir = (0, import_path.normalizePath)(import_node_path.default.join((0, import_paths.getSocketDlxDir)(), cacheKey));
+  const installedDir = (0, import_path.normalizePath)(
+    import_node_path.default.join(packageDir, "node_modules", packageName)
+  );
+  if (!force && (0, import_node_fs.existsSync)(installedDir)) {
+    const pkgJsonPath = import_node_path.default.join(installedDir, "package.json");
+    if ((0, import_node_fs.existsSync)(pkgJsonPath)) {
+      return { installed: false, packageDir };
+    }
+  }
+  await (0, import_spawn.spawn)(
+    "npm",
+    [
+      "install",
+      "--prefix",
+      packageDir,
+      "--no-save",
+      "--no-package-lock",
+      "--no-audit",
+      "--no-fund",
+      packageSpec
+    ],
+    {
+      stdio: "pipe"
+    }
+  );
+  return { installed: true, packageDir };
+}
+function findBinaryPath(packageDir, packageName, binaryName) {
+  const installedDir = (0, import_path.normalizePath)(
+    import_node_path.default.join(packageDir, "node_modules", packageName)
+  );
+  const pkgJsonPath = import_node_path.default.join(installedDir, "package.json");
+  const pkgJson = (0, import_fs.readJsonSync)(pkgJsonPath);
+  const bin = pkgJson["bin"];
+  let binPath;
+  if (typeof bin === "string") {
+    binPath = bin;
+  } else if (typeof bin === "object" && bin !== null) {
+    const binName = binaryName || packageName.split("/").pop();
+    binPath = bin[binName];
+  }
+  if (!binPath) {
+    throw new Error(`No binary found for package "${packageName}"`);
+  }
+  return (0, import_path.normalizePath)(import_node_path.default.join(installedDir, binPath));
+}
+async function dlxPackage(args, options, spawnExtra) {
+  const {
+    force: userForce,
+    package: packageSpec,
+    spawnOptions
+  } = { __proto__: null, ...options };
+  const { name: packageName, version: packageVersion } = parsePackageSpec(packageSpec);
+  const isVersionRange = packageVersion !== void 0 && rangeOperatorsRegExp.test(packageVersion);
+  const force = userForce !== void 0 ? userForce : isVersionRange;
+  const fullPackageSpec = packageVersion ? `${packageName}@${packageVersion}` : packageName;
+  const { installed, packageDir } = await ensurePackageInstalled(
+    fullPackageSpec,
+    packageName,
+    force
+  );
+  const binaryPath = findBinaryPath(packageDir, packageName);
+  if (!import_platform.WIN32 && (0, import_node_fs.existsSync)(binaryPath)) {
+    const { chmodSync } = require("node:fs");
+    try {
+      chmodSync(binaryPath, 493);
+    } catch {
+    }
+  }
+  const spawnPromise = (0, import_spawn.spawn)(binaryPath, args, spawnOptions, spawnExtra);
+  return {
+    binaryPath,
+    installed,
+    packageDir,
+    spawnPromise
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  dlxPackage
+});
+//# sourceMappingURL=dlx-package.js.map

package/dist/dlx-package.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/dlx-package.ts"],
+  "sourcesContent": ["/**\n * @fileoverview DLX package execution - Install and execute npm packages.\n *\n * This module provides functionality to install and execute npm packages\n * in the ~/.socket/_dlx directory, similar to npx but with Socket's own cache.\n *\n * Uses content-addressed storage like npm's _npx:\n * - Hash is generated from package spec (name@version)\n * - Each unique spec gets its own directory: ~/.socket/_dlx/<hash>/\n * - Allows caching multiple versions of the same package\n *\n * Version range handling:\n * - Exact versions (1.0.0) use cache if available\n * - Range versions (^1.0.0, ~1.0.0) auto-force to get latest within range\n * - User can override with explicit force: false\n *\n * Key difference from dlx-binary.ts:\n * - dlx-binary.ts: Downloads standalone binaries from URLs\n * - dlx-package.ts: Installs npm packages from registries\n */\n\nimport { createHash } from 'node:crypto'\nimport { existsSync } from 'node:fs'\nimport path from 'node:path'\n\nimport { WIN32 } from './constants/platform'\nimport { readJsonSync } from './fs'\nimport { normalizePath } from './path'\nimport { getSocketDlxDir } from './paths'\nimport type { SpawnExtra, SpawnOptions } from './spawn'\nimport { spawn } from './spawn'\n\n/**\n * Regex to check if a version string contains range operators.\n * Matches any version with range operators: ~, ^, >, <, =, x, X, *, spaces, or ||.\n */\nconst rangeOperatorsRegExp = /[~^><=xX* ]|\\|\\|/\n\nexport interface DlxPackageOptions {\n  /**\n   * Package to install (e.g., '@cyclonedx/cdxgen@10.0.0').\n   */\n  package: string\n  /**\n   * Force reinstallation even if package exists.\n   */\n  force?: boolean | undefined\n  /**\n   * Additional spawn options for the execution.\n   */\n  spawnOptions?: SpawnOptions | undefined\n}\n\nexport interface DlxPackageResult {\n  /** Path to the installed package directory. */\n  packageDir: string\n  /** Path to the binary that was executed. */\n  binaryPath: string\n  /** Whether the package was newly installed. */\n  installed: boolean\n  /** The spawn promise for the running process. */\n  spawnPromise: ReturnType<typeof spawn>\n}\n\n/**\n * Generate a cache key from package spec, similar to npm's _npx.\n * Uses first 16 hex characters of SHA256 hash.\n */\nfunction generatePackageCacheKey(packageSpec: string): string {\n  return createHash('sha256').update(packageSpec).digest('hex').slice(0, 16)\n}\n\n/**\n * Parse package spec into name and version.\n * Examples:\n * - 'lodash@4.17.21' \u2192 { name: 'lodash', version: '4.17.21' }\n * - '@scope/pkg@1.0.0' \u2192 { name: '@scope/pkg', version: '1.0.0' }\n * - 'lodash' \u2192 { name: 'lodash', version: undefined }\n */\nfunction parsePackageSpec(spec: string): {\n  name: string\n  version: string | undefined\n} {\n  // Handle scoped packages (@scope/name@version).\n  if (spec.startsWith('@')) {\n    const parts = spec.split('@')\n    if (parts.length === 3) {\n      // @scope@version -> Invalid, but handle gracefully.\n      return { name: parts[1], version: parts[2] }\n    }\n    if (parts.length === 2) {\n      // @scope/name with no version.\n      return { name: `@${parts[1]}`, version: undefined }\n    }\n    // @scope/name@version.\n    const scopeAndName = `@${parts[1]}`\n    return { name: scopeAndName, version: parts[2] }\n  }\n\n  // Handle unscoped packages (name@version).\n  const atIndex = spec.lastIndexOf('@')\n  if (atIndex === -1) {\n    return { name: spec, version: undefined }\n  }\n\n  return {\n    name: spec.slice(0, atIndex),\n    version: spec.slice(atIndex + 1),\n  }\n}\n\n/**\n * Install package to ~/.socket/_dlx/<hash>/ if not already installed.\n */\nasync function ensurePackageInstalled(\n  packageSpec: string,\n  packageName: string,\n  force: boolean,\n): Promise<{ installed: boolean; packageDir: string }> {\n  const cacheKey = generatePackageCacheKey(packageSpec)\n  const packageDir = normalizePath(path.join(getSocketDlxDir(), cacheKey))\n  const installedDir = normalizePath(\n    path.join(packageDir, 'node_modules', packageName),\n  )\n\n  // Check if already installed (unless force).\n  if (!force && existsSync(installedDir)) {\n    // Verify package.json exists.\n    const pkgJsonPath = path.join(installedDir, 'package.json')\n    if (existsSync(pkgJsonPath)) {\n      return { installed: false, packageDir }\n    }\n  }\n\n  // Use npm install --prefix to install to specific directory.\n  await spawn(\n    'npm',\n    [\n      'install',\n      '--prefix',\n      packageDir,\n      '--no-save',\n      '--no-package-lock',\n      '--no-audit',\n      '--no-fund',\n      packageSpec,\n    ],\n    {\n      stdio: 'pipe',\n    },\n  )\n\n  return { installed: true, packageDir }\n}\n\n/**\n * Find the binary path for an installed package.\n */\nfunction findBinaryPath(\n  packageDir: string,\n  packageName: string,\n  binaryName?: string,\n): string {\n  const installedDir = normalizePath(\n    path.join(packageDir, 'node_modules', packageName),\n  )\n  const pkgJsonPath = path.join(installedDir, 'package.json')\n\n  // Read package.json to find bin entry.\n  const pkgJson = readJsonSync(pkgJsonPath) as Record<string, unknown>\n  const bin = pkgJson['bin']\n\n  let binPath: string | undefined\n\n  if (typeof bin === 'string') {\n    // Single binary.\n    binPath = bin\n  } else if (typeof bin === 'object' && bin !== null) {\n    // Multiple binaries - use binaryName or package name.\n    const binName = binaryName || packageName.split('/').pop()\n    binPath = (bin as Record<string, string>)[binName!]\n  }\n\n  if (!binPath) {\n    throw new Error(`No binary found for package \"${packageName}\"`)\n  }\n\n  return normalizePath(path.join(installedDir, binPath))\n}\n\n/**\n * Execute a package via DLX - install if needed and run its binary.\n *\n * This is the Socket equivalent of npx/pnpm dlx/yarn dlx, but using\n * our own cache directory (~/.socket/_dlx) and installation logic.\n *\n * Auto-forces reinstall for version ranges to get latest within range.\n */\nexport async function dlxPackage(\n  args: readonly string[] | string[],\n  options?: DlxPackageOptions | undefined,\n  spawnExtra?: SpawnExtra | undefined,\n): Promise<DlxPackageResult> {\n  const {\n    force: userForce,\n    package: packageSpec,\n    spawnOptions,\n  } = { __proto__: null, ...options } as DlxPackageOptions\n\n  // Parse package spec.\n  const { name: packageName, version: packageVersion } =\n    parsePackageSpec(packageSpec)\n\n  // Auto-force for version ranges to get latest within range.\n  // User can still override with explicit force: false if they want cache.\n  const isVersionRange =\n    packageVersion !== undefined && rangeOperatorsRegExp.test(packageVersion)\n  const force = userForce !== undefined ? userForce : isVersionRange\n\n  // Build full package spec for installation.\n  const fullPackageSpec = packageVersion\n    ? `${packageName}@${packageVersion}`\n    : packageName\n\n  // Ensure package is installed.\n  const { installed, packageDir } = await ensurePackageInstalled(\n    fullPackageSpec,\n    packageName,\n    force,\n  )\n\n  // Find binary path.\n  const binaryPath = findBinaryPath(packageDir, packageName)\n\n  // Make binary executable on Unix systems.\n  if (!WIN32 && existsSync(binaryPath)) {\n    const { chmodSync } = require('node:fs')\n    try {\n      chmodSync(binaryPath, 0o755)\n    } catch {\n      // Ignore chmod errors.\n    }\n  }\n\n  // Execute binary.\n  const spawnPromise = spawn(binaryPath, args, spawnOptions, spawnExtra)\n\n  return {\n    binaryPath,\n    installed,\n    packageDir,\n    spawnPromise,\n  }\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAqBA,yBAA2B;AAC3B,qBAA2B;AAC3B,uBAAiB;AAEjB,sBAAsB;AACtB,gBAA6B;AAC7B,kBAA8B;AAC9B,mBAAgC;AAEhC,mBAAsB;AAMtB,MAAM,uBAAuB;AAgC7B,SAAS,wBAAwB,aAA6B;AAC5D,aAAO,+BAAW,QAAQ,EAAE,OAAO,WAAW,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC3E;AASA,SAAS,iBAAiB,MAGxB;AAEA,MAAI,KAAK,WAAW,GAAG,GAAG;AACxB,UAAM,QAAQ,KAAK,MAAM,GAAG;AAC5B,QAAI,MAAM,WAAW,GAAG;AAEtB,aAAO,EAAE,MAAM,MAAM,CAAC,GAAG,SAAS,MAAM,CAAC,EAAE;AAAA,IAC7C;AACA,QAAI,MAAM,WAAW,GAAG;AAEtB,aAAO,EAAE,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,SAAS,OAAU;AAAA,IACpD;AAEA,UAAM,eAAe,IAAI,MAAM,CAAC,CAAC;AACjC,WAAO,EAAE,MAAM,cAAc,SAAS,MAAM,CAAC,EAAE;AAAA,EACjD;AAGA,QAAM,UAAU,KAAK,YAAY,GAAG;AACpC,MAAI,YAAY,IAAI;AAClB,WAAO,EAAE,MAAM,MAAM,SAAS,OAAU;AAAA,EAC1C;AAEA,SAAO;AAAA,IACL,MAAM,KAAK,MAAM,GAAG,OAAO;AAAA,IAC3B,SAAS,KAAK,MAAM,UAAU,CAAC;AAAA,EACjC;AACF;AAKA,eAAe,uBACb,aACA,aACA,OACqD;AACrD,QAAM,WAAW,wBAAwB,WAAW;AACpD,QAAM,iBAAa,2BAAc,iBAAAA,QAAK,SAAK,8BAAgB,GAAG,QAAQ,CAAC;AACvE,QAAM,mBAAe;AAAA,IACnB,iBAAAA,QAAK,KAAK,YAAY,gBAAgB,WAAW;AAAA,EACnD;AAGA,MAAI,CAAC,aAAS,2BAAW,YAAY,GAAG;AAEtC,UAAM,cAAc,iBAAAA,QAAK,KAAK,cAAc,cAAc;AAC1D,YAAI,2BAAW,WAAW,GAAG;AAC3B,aAAO,EAAE,WAAW,OAAO,WAAW;AAAA,IACxC;AAAA,EACF;AAGA,YAAM;AAAA,IACJ;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE,OAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO,EAAE,WAAW,MAAM,WAAW;AACvC;AAKA,SAAS,eACP,YACA,aACA,YACQ;AACR,QAAM,mBAAe;AAAA,IACnB,iBAAAA,QAAK,KAAK,YAAY,gBAAgB,WAAW;AAAA,EACnD;AACA,QAAM,cAAc,iBAAAA,QAAK,KAAK,cAAc,cAAc;AAG1D,QAAM,cAAU,wBAAa,WAAW;AACxC,QAAM,MAAM,QAAQ,KAAK;AAEzB,MAAI;AAEJ,MAAI,OAAO,QAAQ,UAAU;AAE3B,cAAU;AAAA,EACZ,WAAW,OAAO,QAAQ,YAAY,QAAQ,MAAM;AAElD,UAAM,UAAU,cAAc,YAAY,MAAM,GAAG,EAAE,IAAI;AACzD,cAAW,IAA+B,OAAQ;AAAA,EACpD;AAEA,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,gCAAgC,WAAW,GAAG;AAAA,EAChE;AAEA,aAAO,2BAAc,iBAAAA,QAAK,KAAK,cAAc,OAAO,CAAC;AACvD;AAUA,eAAsB,WACpB,MACA,SACA,YAC2B;AAC3B,QAAM;AAAA,IACJ,OAAO;AAAA,IACP,SAAS;AAAA,IACT;AAAA,EACF,IAAI,EAAE,WAAW,MAAM,GAAG,QAAQ;AAGlC,QAAM,EAAE,MAAM,aAAa,SAAS,eAAe,IACjD,iBAAiB,WAAW;AAI9B,QAAM,iBACJ,mBAAmB,UAAa,qBAAqB,KAAK,cAAc;AAC1E,QAAM,QAAQ,cAAc,SAAY,YAAY;AAGpD,QAAM,kBAAkB,iBACpB,GAAG,WAAW,IAAI,cAAc,KAChC;AAGJ,QAAM,EAAE,WAAW,WAAW,IAAI,MAAM;AAAA,IACtC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAGA,QAAM,aAAa,eAAe,YAAY,WAAW;AAGzD,MAAI,CAAC,6BAAS,2BAAW,UAAU,GAAG;AACpC,UAAM,EAAE,UAAU,IAAI,QAAQ,SAAS;AACvC,QAAI;AACF,gBAAU,YAAY,GAAK;AAAA,IAC7B,QAAQ;AAAA,IAER;AAAA,EACF;AAGA,QAAM,mBAAe,oBAAM,YAAY,MAAM,cAAc,UAAU;AAErE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": ["path"]
+}