npm - node-power-user - Versions diffs - 2.1.0 → 2.1.2 - Mend

node-power-user 2.1.0 → 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +6 -0
package/dist/cli.js +1 -0
package/dist/commands/audit.js +18 -0
package/dist/commands/install.js +8 -0
package/dist/commands/outdated.js +10 -2
package/dist/lib/socket.js +24 -10
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -93,6 +93,12 @@ Use `--force` to bypass Socket protection (not recommended):
 npu i <package> --force
 ```
+### Audit
+Run a Socket supply chain audit on your current dependency tree.
+```shell
+npu audit
+```
 ### Outdated Packages
 Compare the versions of installed modules to those in your package.json. When you choose to update, the install step and a full post-install audit are both wrapped with Socket for supply chain protection.
 ```shell

package/dist/cli.js CHANGED Viewed

@@ -8,6 +8,7 @@ const ALIASES = {
   bump: ['-b', '--bump'],
   clean: ['-c', '--clean'],
   global: ['-g', '--global'],
+  audit: ['--audit'],
   install: ['-i', '--install', 'i'],
   open: ['--open', 'repo', '--repo'],
   outdated: ['-o', 'out', '--outdated', '-u', '--update', 'up', 'update'],

package/dist/commands/audit.js ADDED Viewed

@@ -0,0 +1,18 @@
+// Libraries
+const logger = new (require('../lib/logger'))('node-power-user');
+const socket = require('../lib/socket');
+// Module
+module.exports = async function (options) {
+  // Check socket status upfront (blocks if not installed unless --force)
+  await socket.check({ force: options.force });
+  // Run audit
+  logger.log('Running Socket audit on current dependency tree...');
+  try {
+    await socket.audit({ force: options.force });
+  } catch (e) {
+    logger.error(e.message);
+  }
+};

package/dist/commands/install.js CHANGED Viewed

@@ -36,6 +36,14 @@ module.exports = async function (options) {
   try {
     await socket.wrap(command, { force: options.force });
   } catch (e) {
+    // npm itself failed (ERESOLVE, network, peer-dep conflict) — not a Socket block.
+    // The npm error was already printed above; just acknowledge and stop.
+    if (e.reason === 'npm-failed') {
+      logger.log('');
+      logger.log('Fix the npm error above (e.g. resolve peer-dep conflicts) and retry.');
+      return;
+    }
     const flaggedPackages = e.flaggedPackages || [];
     if (flaggedPackages.length > 0) {

package/dist/commands/outdated.js CHANGED Viewed

@@ -264,12 +264,20 @@ module.exports = async function (options) {
   try {
     await socket.wrap(installCmd, { force: options.force });
   } catch (e) {
-    const flaggedPackages = e.flaggedPackages || [];
     // Restore package.json since the bulk install failed
     jetpack.write(packageJsonPath, packageJsonBackup);
     logger.log('package.json has been restored to its original state.');
+    // npm itself failed (ERESOLVE, network, peer-dep conflict) — not a Socket block.
+    // The npm error was already printed above; just acknowledge and stop.
+    if (e.reason === 'npm-failed') {
+      logger.log('');
+      logger.log('Fix the npm error above (e.g. resolve peer-dep conflicts) and retry.');
+      return { allPackages, updated: false, target: action };
+    }
+    const flaggedPackages = e.flaggedPackages || [];
     // Trace which of the requested packages bring in the flagged deps
     const riskyParents = new Set();

package/dist/lib/socket.js CHANGED Viewed

@@ -72,12 +72,21 @@ async function wrap(command, options) {
     console.log(output);
   }
-  // Check for risk warnings in output
-  const hasRisks = exitedWithError
-    || (/new risk|warning|alert|socket found|exiting due to risks/i.test(output)
-      && !/no new risks/i.test(output));
+  // Distinguish a real Socket risk-block from a generic npm failure.
+  // Socket prints its own markers when it blocks; npm failures (ERESOLVE,
+  // network errors, peer-dep conflicts) just exit non-zero with npm errors.
+  const socketBlocked = /new risk|socket found|exiting due to risks/i.test(output)
+    && !/no new risks/i.test(output);
+  // Subprocess failed but Socket didn't actually block — surface the npm error honestly.
+  if (exitedWithError && !socketBlocked) {
+    logger.error('npm install failed. See the error output above.');
+    const err = new Error('npm install failed.');
+    err.reason = 'npm-failed';
+    throw err;
+  }
-  if (!hasRisks) {
+  if (!socketBlocked) {
     return;
   }
@@ -95,6 +104,7 @@ async function wrap(command, options) {
   if (!options.force) {
     logger.error('Refusing to install. Review the risks above, then use --force to bypass.');
     const err = new Error('Socket detected supply chain risks.');
+    err.reason = 'socket-blocked';
     err.flaggedPackages = flaggedPackages;
     throw err;
   }
@@ -130,12 +140,16 @@ async function audit(options) {
     console.log(output);
   }
-  // Check for risk warnings in output
-  const hasRisks = exitedWithError
-    || (/new risk|warning|alert|socket found|exiting due to risks/i.test(output)
-      && !/no new risks/i.test(output));
+  // Distinguish a real Socket risk-finding from a generic audit-subprocess failure.
+  const socketFoundRisks = /new risk|socket found|exiting due to risks/i.test(output)
+    && !/no new risks/i.test(output);
+  if (exitedWithError && !socketFoundRisks) {
+    logger.warn('Socket audit subprocess failed (not a risk finding). See output above.');
+    return;
+  }
-  if (!hasRisks) {
+  if (!socketFoundRisks) {
     logger.log(logger.format.green('Socket audit passed — no risks detected.'));
     return;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "node-power-user",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "Easy tools for every Node.js developer!",
   "main": "dist/index.js",
   "scripts": {