node-power-user 2.0.1 → 2.1.1

package/README.md

@@ -73,10 +73,37 @@ List all global packages for all versions of Node.js on your machine (you **must
 npu global
 ```
 
+### Install Packages
+Install packages with supply chain protection via [Socket](https://socket.dev/). Every install is wrapped with Socket to detect malicious or compromised packages — including transitive dependencies — before they're added to your project. After install, a full `socket npm audit` runs against your entire dependency tree.
+
+```shell
+npu install
+npu i <package>
+npu i <package> --save-dev
+npu i <package> --save-exact
+```
+
+**If Socket CLI is not installed, `npu install` will refuse to run.** Install it globally to enable protection:
+```shell
+npm install -g @socketsecurity/cli --save-exact
+```
+
+Use `--force` to bypass Socket protection (not recommended):
+```shell
+npu i <package> --force
+```
+
+### Audit
+Run a Socket supply chain audit on your current dependency tree.
+```shell
+npu audit
+```
+
 ### Outdated Packages
-Compare the versions of installed modules to those in your package.json
+Compare the versions of installed modules to those in your package.json. When you choose to update, the install step and a full post-install audit are both wrapped with Socket for supply chain protection.
 ```shell
 npu outdated
+npu out --force  # bypass Socket protection
 ```
 
 ### List Packages
@@ -112,6 +139,19 @@ npu wait <ms>
 ### Global flags
   * `--debug`: Log the commands and flags before they are executed
 
+## 🛠️ Development
+To test commands locally while developing:
+```shell
+npm start -- <command> [options]
+```
+
+For example:
+```shell
+npm start -- outdated
+npm start -- bump patch
+npm start -- -v
+```
+
 ## 🗨️ Final Words
 If you are still having difficulty, we would love for you to post a question to [the Node Power User issues page](https://github.com/itw-creative-works/node-power-user/issues). It is much easier to answer questions that include your code and relevant files! So if you can provide them, we'd be extremely grateful (and more likely to help you find the answer!)
 

package/dist/cli.js

@@ -8,6 +8,8 @@ const ALIASES = {
   bump: ['-b', '--bump'],
   clean: ['-c', '--clean'],
   global: ['-g', '--global'],
+  audit: ['--audit'],
+  install: ['-i', '--install', 'i'],
   open: ['--open', 'repo', '--repo'],
   outdated: ['-o', 'out', '--outdated', '-u', '--update', 'up', 'update'],
   packages: ['-p', 'pack', '--packages'],
@@ -64,6 +66,12 @@ Main.prototype.process = async function (options) {
     const Command = require(commandFile);
     return await Command(options);
   } catch (e) {
+    // Exit cleanly on Ctrl+C
+    if (e.name === 'ExitPromptError' || e.message?.includes('SIGINT')) {
+      console.log('\nExited.');
+      process.exit(0);
+    }
+
     console.error(`Error executing command "${command}": ${e.message}`);
 
     // Exit with error

package/dist/commands/audit.js

@@ -0,0 +1,18 @@
+// Libraries
+const logger = new (require('../lib/logger'))('node-power-user');
+const socket = require('../lib/socket');
+
+// Module
+module.exports = async function (options) {
+  // Check socket status upfront (blocks if not installed unless --force)
+  await socket.check({ force: options.force });
+
+  // Run audit
+  logger.log('Running Socket audit on current dependency tree...');
+
+  try {
+    await socket.audit({ force: options.force });
+  } catch (e) {
+    logger.error(e.message);
+  }
+};

package/dist/commands/install.js

@@ -0,0 +1,62 @@
+// Libraries
+const logger = new (require('../lib/logger'))('node-power-user');
+const socket = require('../lib/socket');
+
+// Module
+module.exports = async function (options) {
+  // Get packages from positional args (everything after "install" / "i")
+  const packages = (options._ || []).slice(1);
+
+  // Build the npm command
+  const flags = [];
+
+  if (options.D || options['save-dev']) {
+    flags.push('--save-dev');
+  }
+
+  if (options.E || options['save-exact']) {
+    flags.push('--save-exact');
+  }
+
+  if (options.g || options.global) {
+    flags.push('--global');
+  }
+
+  const command = packages.length > 0
+    ? `npm install ${packages.join(' ')} ${flags.join(' ')}`.trim()
+    : `npm install ${flags.join(' ')}`.trim();
+
+  // Check socket status upfront (blocks if not installed unless --force)
+  await socket.check({ force: options.force });
+
+  // Log
+  logger.log(`Running: ${logger.format.cyan(command)}`);
+
+  // Wrap with socket
+  try {
+    await socket.wrap(command, { force: options.force });
+  } catch (e) {
+    const flaggedPackages = e.flaggedPackages || [];
+
+    if (flaggedPackages.length > 0) {
+      logger.log('');
+      logger.error('Socket flagged the following dependencies:');
+      flaggedPackages.forEach(pkg => logger.error(`  • ${pkg}`));
+    }
+
+    logger.log('');
+    logger.log('To retry with Socket protection bypassed:');
+    logger.log(logger.format.cyan(`  npu i ${packages.join(' ')} ${flags.join(' ')} --force`.trim()));
+    return;
+  }
+
+  // Run full audit after install
+  try {
+    await socket.audit({ force: options.force });
+  } catch (e) {
+    logger.error(`Audit warning: ${e.message}`);
+  }
+
+  // Done
+  logger.log(logger.format.green('Install complete.'));
+};

package/dist/commands/outdated.js

@@ -7,6 +7,7 @@ const path = require('path');
 const version = require('wonderful-version');
 const inquirer = require('@inquirer/prompts');
 const ncu = require('npm-check-updates');
+const socket = require('../lib/socket');
 const { execute } = require('node-powertools');
 
 // Load package.json
@@ -23,13 +24,31 @@ module.exports = async function (options) {
     return {};
   }
 
+  // Check socket status upfront (blocks if not installed unless --force)
+  await socket.check({ force: options.force });
+
+  if (options.force) {
+    logger.warn(chalk.red('--force flag detected — Socket supply chain protection is bypassed!'));
+  }
+
   // Log start
   logger.log(`Checking packages for ${logger.format.bold(projectJson.name || 'Unknown Project')}...`);
 
+  // Parse --ignore flag (comma-separated list of package names to skip)
+  const ignoreList = (options.ignore || '')
+    .split(',')
+    .map(s => s.trim())
+    .filter(Boolean);
+
+  if (ignoreList.length > 0) {
+    logger.log(chalk.dim(`Ignoring: ${ignoreList.join(', ')}`));
+  }
+
   // Run ncu for patch, minor, and latest (include peer dependencies)
   const ncuOptions = {
     packageFile: packageJsonPath,
     dep: 'prod,dev,peer,optional',
+    ...(ignoreList.length > 0 ? { reject: ignoreList } : {}),
   };
 
   const [patchUpgrades, minorUpgrades, latestUpgrades] = await Promise.all([
@@ -49,7 +68,7 @@ module.exports = async function (options) {
   // Build unified package data
   const allPackages = new Map();
 
-  for (const dep of Object.keys(allDependencies)) {
+  for (const dep of Object.keys(allDependencies).filter(d => !ignoreList.includes(d))) {
     const packageVersion = version.clean(allDependencies[dep]);
     const installedPackagePath = path.join(projectPath, 'node_modules', dep, 'package.json');
 
@@ -225,6 +244,9 @@ module.exports = async function (options) {
     : action === 'minor' ? minorUpgrades
     : latestUpgrades;
 
+  // Back up package.json before modifying
+  const packageJsonBackup = jetpack.read(packageJsonPath);
+
   await ncu.run({
     packageFile: packageJsonPath,
     target: action,
@@ -233,9 +255,80 @@ module.exports = async function (options) {
 
   logger.log(logger.format.green(`\nUpdated ${Object.keys(upgrades).length} package(s) in package.json.`));
 
-  // Run npm install
-  logger.log(logger.format.cyan('\nRunning npm install...'));
-  await execute('npm install', { log: true });
+  // Install the specific upgraded packages so npm actually pulls them in
+  // (plain `npm install` won't upgrade packages that already satisfy the range)
+  const packageNames = Object.keys(upgrades);
+  const installCmd = `npm install ${packageNames.map(name => `${name}@${version.clean(upgrades[name])}`).join(' ')}`;
+  logger.log(logger.format.cyan(`\nRunning ${installCmd}...`));
+
+  try {
+    await socket.wrap(installCmd, { force: options.force });
+  } catch (e) {
+    const flaggedPackages = e.flaggedPackages || [];
+
+    // Restore package.json since the bulk install failed
+    jetpack.write(packageJsonPath, packageJsonBackup);
+    logger.log('package.json has been restored to its original state.');
+
+    // Trace which of the requested packages bring in the flagged deps
+    const riskyParents = new Set();
+
+    if (flaggedPackages.length > 0) {
+      logger.log('');
+      logger.error('Socket flagged the following transitive dependencies:');
+
+      for (const flagged of flaggedPackages) {
+        const flaggedName = flagged.replace(/@[^@]+$/, ''); // strip version
+        let parentChain = '';
+
+        try {
+          const lsOutput = await execute(`npm ls ${flaggedName} --json`, { log: false });
+          const tree = JSON.parse(lsOutput);
+
+          // Find which top-level deps depend on the flagged package
+          const parents = [];
+          for (const [dep, info] of Object.entries(tree.dependencies || {})) {
+            if (dep === flaggedName || JSON.stringify(info).includes(`"${flaggedName}"`)) {
+              parents.push(dep);
+              riskyParents.add(dep);
+            }
+          }
+
+          if (parents.length > 0) {
+            parentChain = chalk.dim(` (from ${parents.join(', ')})`);
+          }
+        } catch (_) {
+          // npm ls may fail, just skip the trace
+        }
+
+        logger.error(`  • ${flagged}${parentChain}`);
+      }
+    }
+
+    // Suggest retry commands
+    if (riskyParents.size > 0) {
+      const ignoreArg = [...riskyParents].join(',');
+      logger.log('');
+      logger.log('To skip the risky packages and update the rest:');
+      logger.log(logger.format.cyan(`  npu out --ignore ${ignoreArg}`));
+    }
+
+    logger.log('');
+    logger.log('To retry with Socket protection bypassed:');
+    logger.log(logger.format.cyan(`  npu out --force`));
+    logger.log('');
+    logger.log('To bypass Socket for this install only:');
+    logger.log(logger.format.cyan(`  SOCKET_CLI_ACCEPT_RISKS=1 npm install ${packageNames.map(name => `${name}@${version.clean(upgrades[name])}`).join(' ')}`));
+
+    return { allPackages, updated: false, target: action };
+  }
+
+  // Run full audit after install
+  try {
+    await socket.audit({ force: options.force });
+  } catch (e) {
+    logger.error(`Audit warning: ${e.message}`);
+  }
 
   return { allPackages, updated: true, target: action };
 };

package/dist/lib/socket.js

@@ -0,0 +1,159 @@
+// Libraries
+const { execute } = require('node-powertools');
+const logger = new (require('./logger'))('node-power-user');
+
+// Check if socket CLI is installed
+let _socketVersion = undefined;
+async function isSocketAvailable() {
+  if (_socketVersion !== undefined) {
+    return !!_socketVersion;
+  }
+
+  try {
+    _socketVersion = (await execute('socket --version', { log: false })).trim();
+  } catch (e) {
+    _socketVersion = null;
+  }
+
+  return !!_socketVersion;
+}
+
+// Log socket status upfront (call at the start of commands)
+async function check(options) {
+  options = options || {};
+
+  const available = await isSocketAvailable();
+
+  if (available) {
+    logger.log(logger.format.green(`Socket v${_socketVersion} — supply chain protection enabled.`));
+  } else {
+    logger.error('Socket CLI is not installed. Your installs are NOT protected against supply chain attacks.');
+    logger.error(`Install it with: ${logger.format.cyan('npm install -g @socketsecurity/cli --save-exact')}`);
+
+    if (!options.force) {
+      logger.error('Refusing to proceed without Socket protection. Use --force to bypass.');
+      throw new Error('Socket CLI is not installed.');
+    }
+
+    logger.warn('Bypassing Socket protection (--force flag detected).');
+  }
+
+  return available;
+}
+
+// Wrap an npm command with socket if available
+async function wrap(command, options) {
+  options = options || {};
+
+  const available = await isSocketAvailable();
+
+  // If socket is not installed, fall back to plain npm
+  if (!available) {
+    await execute(command, { log: true });
+    return;
+  }
+
+  // Run with socket and capture output to check for risks
+  // When --force is used, set SOCKET_CLI_ACCEPT_RISKS so Socket actually installs
+  const env = options.force ? 'SOCKET_CLI_ACCEPT_RISKS=1 ' : '';
+  let output;
+  let exitedWithError = false;
+
+  try {
+    output = await execute(`${env}socket ${command}`, { log: false });
+  } catch (e) {
+    // Socket exits non-zero when it detects risks
+    output = e.message || '';
+    exitedWithError = true;
+  }
+
+  // Print the output
+  if (output) {
+    console.log(output);
+  }
+
+  // Check for risk warnings in output
+  const hasRisks = exitedWithError
+    || (/new risk|warning|alert|socket found|exiting due to risks/i.test(output)
+      && !/no new risks/i.test(output));
+
+  if (!hasRisks) {
+    return;
+  }
+
+  // Parse flagged package names from Socket output (e.g. "serialize-javascript@6.0.2")
+  const flaggedPackages = [];
+  const flaggedRegex = /^(\S+@\S+)\s/gm;
+  let match;
+  while ((match = flaggedRegex.exec(output)) !== null) {
+    flaggedPackages.push(match[1]);
+  }
+
+  // Risks detected — block unless --force flag is passed
+  logger.error('Socket detected supply chain risks in the packages above.');
+
+  if (!options.force) {
+    logger.error('Refusing to install. Review the risks above, then use --force to bypass.');
+    const err = new Error('Socket detected supply chain risks.');
+    err.flaggedPackages = flaggedPackages;
+    throw err;
+  }
+
+  logger.warn('Bypassing Socket risk warnings (--force flag detected).');
+}
+
+// Run a full socket audit on the current project
+async function audit(options) {
+  options = options || {};
+
+  const available = await isSocketAvailable();
+
+  if (!available) {
+    logger.warn('Skipping post-install audit — Socket CLI is not installed.');
+    return;
+  }
+
+  logger.log(logger.format.cyan('\nRunning post-install Socket audit...'));
+
+  let output;
+  let exitedWithError = false;
+
+  try {
+    output = await execute('socket npm audit', { log: false });
+  } catch (e) {
+    output = e.message || '';
+    exitedWithError = true;
+  }
+
+  // Print the output
+  if (output) {
+    console.log(output);
+  }
+
+  // Check for risk warnings in output
+  const hasRisks = exitedWithError
+    || (/new risk|warning|alert|socket found|exiting due to risks/i.test(output)
+      && !/no new risks/i.test(output));
+
+  if (!hasRisks) {
+    logger.log(logger.format.green('Socket audit passed — no risks detected.'));
+    return;
+  }
+
+  logger.error('Socket audit found supply chain risks in your dependencies.');
+
+  if (!options.force) {
+    logger.error('Review the risks above. Use --force to bypass.');
+    throw new Error('Socket audit detected supply chain risks.');
+  }
+
+  logger.warn('Bypassing Socket audit warnings (--force flag detected).');
+}
+
+// Export
+module.exports = {
+  isAvailable: isSocketAvailable,
+  check,
+  wrap,
+  audit,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-power-user",
-  "version": "2.0.1",
+  "version": "2.1.1",
   "description": "Easy tools for every Node.js developer!",
   "main": "dist/index.js",
   "scripts": {
@@ -15,6 +15,15 @@
     "node-power-user": "bin/node-power-user",
     "nodepoweruser": "bin/node-power-user"
   },
+  "files": [
+    "dist"
+  ],
+  "preparePackage": {
+    "input": "./src",
+    "output": "./dist",
+    "replace": {},
+    "type": "copy"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/itw-creative-works/node-power-user.git"
@@ -30,26 +39,21 @@
     "url": "https://github.com/itw-creative-works/node-power-user/issues"
   },
   "homepage": "https://itwcreativeworks.com",
-  "preparePackage": {
-    "input": "./src",
-    "output": "./dist",
-    "replace": {}
-  },
   "dependencies": {
-    "@inquirer/prompts": "^8.3.0",
+    "@inquirer/prompts": "^8.3.2",
     "chalk": "^5.6.2",
     "cli-progress": "^3.12.0",
     "fs-jetpack": "^5.1.0",
     "itwcw-package-analytics": "^1.0.8",
-    "node-powertools": "^2.3.2",
+    "node-powertools": "^3.0.0",
     "npm-api": "^1.0.1",
-    "npm-check-updates": "^19.5.0",
+    "npm-check-updates": "^20.0.0",
     "table": "^6.9.0",
     "wonderful-version": "^1.3.2",
     "yargs": "^18.0.0"
   },
   "devDependencies": {
-    "mocha": "^8.4.0",
-    "prepare-package": "^1.2.6"
+    "mocha": "^11.7.5",
+    "prepare-package": "^2.0.7"
   }
 }

package/CHANGELOG.md

@@ -1,33 +0,0 @@
-# CHANGELOG
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
-
-## Changelog Categories
-
-- `BREAKING` for breaking changes.
-- `Added` for new features.
-- `Changed` for changes in existing functionality.
-- `Deprecated` for soon-to-be removed features.
-- `Removed` for now removed features.
-- `Fixed` for any bug fixes.
-- `Security` in case of vulnerabilities.
-
----
-## [2.0.0] - 2026-02-24
-### BREAKING
-- Upgraded yargs v16 to v18: updated CLI entry point to use `parseSync()` API
-- Upgraded chalk v4 to v5: requires Node 22+ for ESM `require()` support
-- Upgraded @inquirer/prompts v7 to v8
-
-### Changed
-- Updated all `require('chalk')` to `require('chalk').default` for chalk v5 ESM compatibility
-- Improved outdated command menu: Minor/Major options only show when relevant updates exist
-- Made breaking changes legend conditional on actual major updates being present
-- Updated npm-check-updates to v19.5 and itwcw-package-analytics to v1.0.8
-
----
-## [1.0.0] - 2024-06-19
-### Added
-- Initial release of the project 🚀

package/TODO.md

@@ -1,7 +0,0 @@
-Use "keychain" for something?
-
-Interesting - the git status shows your branch is up to date now. However, the error you encountered was about needing to configure how to handle divergent branches in the future. The issue is that git needs to know your preference for handling situations where branches have diverged. You have three options:
-Merge (git config pull.rebase false) - Creates merge commits
-Rebase (git config pull.rebase true) - Replays your local commits on top of remote changes (cleaner history)
-Fast-forward only (git config pull.ff only) - Only pulls if it can fast-forward (safest, but fails if branches diverged)
-Which strategy would you prefer for handling divergent branches during pulls? I'd recommend rebase for a cleaner history, but I can set it to whichever you prefer. Would you like me to configure this globally for all your repositories or just for this one?