node-power-user 2.1.5 → 2.1.7

package/dist/commands/audit.js

@@ -1,18 +1,42 @@
 // Libraries
 const logger = new (require('../lib/logger'))('node-power-user');
-const socket = require('../lib/socket');
+const { execute } = require('node-powertools');
+
+let _hasSocketCli;
+async function isSocketCliAvailable() {
+  if (_hasSocketCli !== undefined) {
+    return _hasSocketCli;
+  }
+  _hasSocketCli = await execute('socket --version', { log: false }).then(() => true).catch(() => false);
+  return _hasSocketCli;
+}
 
 // Module
 module.exports = async function (options) {
-  // Check socket status upfront (blocks if not installed unless --force)
-  await socket.check({ force: options.force });
+  const hasSocket = await isSocketCliAvailable();
+
+  if (hasSocket) {
+    logger.log('Running Socket audit on current dependency tree...');
+
+    try {
+      await execute('socket npm audit', { log: true });
+      logger.log(logger.format.green('Socket audit passed — no risks detected.'));
+    } catch (e) {
+      logger.warn('Socket audit found risks. Review the output above.');
+    }
+
+    return;
+  }
 
-  // Run audit
-  logger.log('Running Socket audit on current dependency tree...');
+  // Fall back to npm audit
+  logger.log('Socket CLI not installed — falling back to npm audit...');
+  logger.log(logger.format.cyan(`Install Socket CLI for deeper analysis: npm install -g @socketsecurity/cli`));
+  logger.log('');
 
   try {
-    await socket.audit({ force: options.force });
+    await execute('npm audit', { log: true });
+    logger.log(logger.format.green('npm audit passed — no known vulnerabilities.'));
   } catch (e) {
-    logger.error(e.message);
+    logger.warn('npm audit found vulnerabilities. Review the output above.');
   }
 };

package/dist/commands/install.js

@@ -53,39 +53,23 @@ module.exports = async function (options) {
   // Log
   logger.log(`Running: ${logger.format.cyan(command)}`);
 
-  // Wrap with socket
+  // Wrap with Socket Firewall
   try {
     await socket.wrap(command, { force: options.force });
   } catch (e) {
-    // npm itself failed (ERESOLVE, network, peer-dep conflict) — not a Socket block.
-    // The npm error was already printed above; just acknowledge and stop.
     if (e.reason === 'npm-failed') {
       logger.log('');
       logger.log('Fix the npm error above (e.g. resolve peer-dep conflicts) and retry.');
       return;
     }
 
-    const flaggedPackages = e.flaggedPackages || [];
-
-    if (flaggedPackages.length > 0) {
-      logger.log('');
-      logger.error('Socket flagged the following dependencies:');
-      flaggedPackages.forEach(pkg => logger.error(`  • ${pkg}`));
-    }
-
     logger.log('');
-    logger.log('To retry with Socket protection bypassed:');
+    logger.log('Install blocked. See the output above for details.');
+    logger.log('To retry without firewall protection:');
     logger.log(logger.format.cyan(`  npu i ${packages.join(' ')} ${flags.join(' ')} --force`.trim()));
     return;
   }
 
-  // Run full audit after install
-  try {
-    await socket.audit({ force: options.force });
-  } catch (e) {
-    logger.error(`Audit warning: ${e.message}`);
-  }
-
   // Done
   logger.log(logger.format.green('Install complete.'));
 };

package/dist/commands/outdated.js

@@ -103,7 +103,7 @@ module.exports = async function (options) {
         latestVersion,
         type: getDependencyType(projectJson, dep),
         hasDiscrepancy,
-        hasMajorUpdate: latestVersion && minorVersion !== latestVersion,
+        hasMajorUpdate: latestVersion && latestVersion.split('.')[0] !== packageVersion.split('.')[0],
       });
     }
   }
@@ -186,9 +186,11 @@ module.exports = async function (options) {
   );
 
   // Check if major/latest offers any versions beyond what minor gives
-  const hasMajorBeyondMinor = Object.keys(latestUpgrades).some(dep =>
-    latestUpgrades[dep] !== (minorUpgrades[dep] || allDependencies[dep])
-  );
+  const hasMajorBeyondMinor = Object.keys(latestUpgrades).some(dep => {
+    const latestMajor = version.clean(latestUpgrades[dep]).split('.')[0];
+    const currentMajor = version.clean(allDependencies[dep]).split('.')[0];
+    return latestMajor !== currentMajor;
+  });
 
   // If noPrompt, return data without showing menu (used by tests)
   if (options.noPrompt) {
@@ -454,65 +456,16 @@ module.exports = async function (options) {
     logger.log('package.json and package-lock.json have been restored to their original state.');
     logger.log('The removed package copies will show as missing in the next check until reinstalled.');
 
-    // npm itself failed (ERESOLVE, network, peer-dep conflict) — not a Socket block.
-    // The npm error was already printed above; just acknowledge and stop.
     if (e.reason === 'npm-failed') {
       logger.log('');
       logger.log('Fix the npm error above (e.g. resolve peer-dep conflicts) and retry.');
       return { allPackages, desynced, updated: false, target: action };
     }
 
-    const flaggedPackages = e.flaggedPackages || [];
-
-    // Trace which of the requested packages bring in the flagged deps
-    const riskyParents = new Set();
-
-    if (flaggedPackages.length > 0) {
-      logger.log('');
-      logger.error('Socket flagged the following transitive dependencies:');
-
-      for (const flagged of flaggedPackages) {
-        const flaggedName = flagged.replace(/@[^@]+$/, ''); // strip version
-        let parentChain = '';
-
-        try {
-          const lsOutput = await execute(`npm ls ${flaggedName} --json`, { log: false });
-          const tree = JSON.parse(lsOutput);
-
-          // Find which top-level deps depend on the flagged package
-          const parents = [];
-          for (const [dep, info] of Object.entries(tree.dependencies || {})) {
-            if (dep === flaggedName || JSON.stringify(info).includes(`"${flaggedName}"`)) {
-              parents.push(dep);
-              riskyParents.add(dep);
-            }
-          }
-
-          if (parents.length > 0) {
-            parentChain = chalk.dim(` (from ${parents.join(', ')})`);
-          }
-        } catch (_) {
-          // npm ls may fail, just skip the trace
-        }
-
-        logger.error(`  • ${flagged}${parentChain}`);
-      }
-    }
-
-    // Suggest retry commands
-    if (riskyParents.size > 0) {
-      const ignoreArg = [...riskyParents].join(',');
-      logger.log('');
-      logger.log('To skip the risky packages and update the rest:');
-      logger.log(logger.format.cyan(`  npu out --ignore ${ignoreArg}`));
-    }
-
     logger.log('');
-    logger.log('To retry with Socket protection bypassed:');
+    logger.log('Install blocked. See the output above for details.');
+    logger.log('To retry without firewall protection:');
     logger.log(logger.format.cyan(`  npu out --force`));
-    logger.log('');
-    logger.log('To bypass Socket for this install only:');
-    logger.log(logger.format.cyan(`  SOCKET_CLI_ACCEPT_RISKS=1 npm install ${packageNames.map(name => `${name}@${version.clean(upgrades[name])}`).join(' ')}`));
 
     return { allPackages, desynced, updated: false, target: action };
   }
@@ -533,28 +486,11 @@ module.exports = async function (options) {
   return { allPackages, desynced, updated: true, target: action };
 };
 
-// Helper to explain a Socket risk-block after stale copies were already removed.
-// Deliberately does NOT reinstall the removed copies — that would silently
-// bypass the block Socket just raised; removed is safer than stale-and-risky.
 function reportSocketBlock(e, retryCommand) {
-  const flaggedPackages = e.flaggedPackages || [];
-
-  if (flaggedPackages.length > 0) {
-    logger.log('');
-    logger.error('Socket flagged the following dependencies:');
-    flaggedPackages.forEach(pkg => logger.error(`  • ${pkg}`));
-
-    const flaggedNames = flaggedPackages.map(pkg => pkg.replace(/@[^@]+$/, ''));
-    logger.log('');
-    logger.log('If these are fixable CVEs in transitive deps pinned by package-lock.json, re-resolve them with:');
-    logger.log(logger.format.cyan(`  socket npm update ${flaggedNames.join(' ')}`));
-  }
-
   logger.log('');
-  logger.log('To retry with Socket protection bypassed:');
+  logger.log('Install blocked. See the output above for details.');
+  logger.log('To retry without firewall protection:');
   logger.log(logger.format.cyan(`  ${retryCommand}`));
-  logger.log('');
-  logger.log('The risky copies stay removed from node_modules (safer than leaving stale versions) and will show as missing until reinstalled.');
 }
 
 // Helper to report packages that npm claimed to install but didn't physically land.

package/dist/lib/socket.js

@@ -2,171 +2,91 @@
 const { execute } = require('node-powertools');
 const logger = new (require('./logger'))('node-power-user');
 
-// Check if socket CLI is installed
-let _socketVersion = undefined;
-async function isSocketAvailable() {
-  if (_socketVersion !== undefined) {
-    return !!_socketVersion;
+// Check if sfw (Socket Firewall) is installed
+let _sfwVersion = undefined;
+async function isFirewallAvailable() {
+  if (_sfwVersion !== undefined) {
+    return !!_sfwVersion;
   }
 
   try {
-    _socketVersion = (await execute('socket --version', { log: false })).trim();
+    _sfwVersion = (await execute('sfw --version', { log: false })).trim();
   } catch (e) {
-    _socketVersion = null;
+    _sfwVersion = null;
   }
 
-  return !!_socketVersion;
+  return !!_sfwVersion;
 }
 
-// Log socket status upfront (call at the start of commands)
+// Log firewall status upfront (call at the start of commands)
 async function check(options) {
   options = options || {};
 
-  const available = await isSocketAvailable();
+  const available = await isFirewallAvailable();
 
   if (available) {
-    logger.log(logger.format.green(`Socket v${_socketVersion} — supply chain protection enabled.`));
+    logger.log(logger.format.green(`${_sfwVersion} — supply chain protection enabled.`));
   } else {
-    logger.error('Socket CLI is not installed. Your installs are NOT protected against supply chain attacks.');
-    logger.error(`Install it with: ${logger.format.cyan('npm install -g @socketsecurity/cli --save-exact')}`);
+    logger.error('Socket Firewall (sfw) is not installed. Installs are NOT protected against supply chain attacks.');
+    logger.error(`Install it with: ${logger.format.cyan('npm install -g sfw')}`);
 
     if (!options.force) {
-      logger.error('Refusing to proceed without Socket protection. Use --force to bypass.');
-      throw new Error('Socket CLI is not installed.');
+      logger.error('Refusing to proceed without firewall protection. Use --force to bypass.');
+      throw new Error('Socket Firewall is not installed.');
     }
 
-    logger.warn('Bypassing Socket protection (--force flag detected).');
+    logger.warn('Bypassing firewall protection (--force flag detected).');
   }
 
   return available;
 }
 
-// Wrap an npm command with socket if available
+// Wrap an npm command with sfw if available
 async function wrap(command, options) {
   options = options || {};
 
-  const available = await isSocketAvailable();
+  const available = await isFirewallAvailable();
 
-  // If socket is not installed, fall back to plain npm
-  if (!available) {
-    await execute(command, { log: true });
+  // If firewall is not installed or --force is used, run plain npm
+  if (!available || options.force) {
+    try {
+      await execute(command, { log: true });
+    } catch (e) {
+      const err = new Error('npm install failed. See the error output above.');
+      err.reason = 'npm-failed';
+      throw err;
+    }
     return;
   }
 
-  // Run with socket and capture output to check for risks
-  // When --force is used, set SOCKET_CLI_ACCEPT_RISKS so Socket actually installs
-  const env = options.force ? 'SOCKET_CLI_ACCEPT_RISKS=1 ' : '';
+  // Run with Socket Firewall
   let output;
   let exitedWithError = false;
 
   try {
-    output = await execute(`${env}socket ${command}`, { log: false });
+    output = await execute(`sfw ${command}`, { log: false });
   } catch (e) {
-    // Socket exits non-zero when it detects risks
     output = e.message || '';
     exitedWithError = true;
   }
 
-  // Print the output
   if (output) {
     console.log(output);
   }
 
-  // Distinguish a real Socket risk-block from a generic npm failure.
-  // Socket prints its own markers when it blocks; npm failures (ERESOLVE,
-  // network errors, peer-dep conflicts) just exit non-zero with npm errors.
-  const socketBlocked = /new risk|socket found|exiting due to risks/i.test(output)
-    && !/no new risks/i.test(output);
-
-  // Subprocess failed but Socket didn't actually block — surface the npm error honestly.
-  if (exitedWithError && !socketBlocked) {
-    logger.error('npm install failed. See the error output above.');
-    const err = new Error('npm install failed.');
-    err.reason = 'npm-failed';
+  if (exitedWithError) {
+    const err = new Error('Install blocked — Socket Firewall may have flagged a risky package.');
+    err.reason = 'sfw-blocked';
     throw err;
   }
-
-  if (!socketBlocked) {
-    return;
-  }
-
-  // Parse flagged package names from Socket output (e.g. "serialize-javascript@6.0.2")
-  const flaggedPackages = [];
-  const flaggedRegex = /^(\S+@\S+)\s/gm;
-  let match;
-  while ((match = flaggedRegex.exec(output)) !== null) {
-    flaggedPackages.push(match[1]);
-  }
-
-  // Risks detected — block unless --force flag is passed
-  logger.error('Socket detected supply chain risks in the packages above.');
-
-  if (!options.force) {
-    logger.error('Refusing to install. Review the risks above, then use --force to bypass.');
-    const err = new Error('Socket detected supply chain risks.');
-    err.reason = 'socket-blocked';
-    err.flaggedPackages = flaggedPackages;
-    throw err;
-  }
-
-  logger.warn('Bypassing Socket risk warnings (--force flag detected).');
 }
 
-// Run a full socket audit on the current project
-async function audit(options) {
-  options = options || {};
-
-  const available = await isSocketAvailable();
-
-  if (!available) {
-    logger.warn('Skipping post-install audit — Socket CLI is not installed.');
-    return;
-  }
-
-  logger.log(logger.format.cyan('\nRunning post-install Socket audit...'));
-
-  let output;
-  let exitedWithError = false;
-
-  try {
-    output = await execute('socket npm audit', { log: false });
-  } catch (e) {
-    output = e.message || '';
-    exitedWithError = true;
-  }
-
-  // Print the output
-  if (output) {
-    console.log(output);
-  }
-
-  // Distinguish a real Socket risk-finding from a generic audit-subprocess failure.
-  const socketFoundRisks = /new risk|socket found|exiting due to risks/i.test(output)
-    && !/no new risks/i.test(output);
-
-  if (exitedWithError && !socketFoundRisks) {
-    logger.warn('Socket audit subprocess failed (not a risk finding). See output above.');
-    return;
-  }
-
-  if (!socketFoundRisks) {
-    logger.log(logger.format.green('Socket audit passed — no risks detected.'));
-    return;
-  }
-
-  logger.error('Socket audit found supply chain risks in your dependencies.');
-
-  if (!options.force) {
-    logger.error('Review the risks above. Use --force to bypass.');
-    throw new Error('Socket audit detected supply chain risks.');
-  }
-
-  logger.warn('Bypassing Socket audit warnings (--force flag detected).');
-}
+// Socket Firewall handles protection at install time — no separate audit step needed
+async function audit() {}
 
 // Export
 module.exports = {
-  isAvailable: isSocketAvailable,
+  isAvailable: isFirewallAvailable,
   check,
   wrap,
   audit,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-power-user",
-  "version": "2.1.5",
+  "version": "2.1.7",
   "description": "Easy tools for every Node.js developer!",
   "main": "dist/index.js",
   "scripts": {