npm - node-power-user - Versions diffs - 2.1.6 → 2.1.7 - Mend

node-power-user 2.1.6 → 2.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/commands/audit.js +31 -7
package/dist/commands/install.js +3 -19
package/dist/commands/outdated.js +4 -70
package/dist/lib/socket.js +35 -115
package/package.json +1 -1

package/dist/commands/audit.js CHANGED Viewed

@@ -1,18 +1,42 @@
 // Libraries
 const logger = new (require('../lib/logger'))('node-power-user');
-const socket = require('../lib/socket');
+const { execute } = require('node-powertools');
+let _hasSocketCli;
+async function isSocketCliAvailable() {
+  if (_hasSocketCli !== undefined) {
+    return _hasSocketCli;
+  }
+  _hasSocketCli = await execute('socket --version', { log: false }).then(() => true).catch(() => false);
+  return _hasSocketCli;
+}
 // Module
 module.exports = async function (options) {
-  // Check socket status upfront (blocks if not installed unless --force)
-  await socket.check({ force: options.force });
+  const hasSocket = await isSocketCliAvailable();
+  if (hasSocket) {
+    logger.log('Running Socket audit on current dependency tree...');
+    try {
+      await execute('socket npm audit', { log: true });
+      logger.log(logger.format.green('Socket audit passed — no risks detected.'));
+    } catch (e) {
+      logger.warn('Socket audit found risks. Review the output above.');
+    }
+    return;
+  }
-  // Run audit
-  logger.log('Running Socket audit on current dependency tree...');
+  // Fall back to npm audit
+  logger.log('Socket CLI not installed — falling back to npm audit...');
+  logger.log(logger.format.cyan(`Install Socket CLI for deeper analysis: npm install -g @socketsecurity/cli`));
+  logger.log('');
   try {
-    await socket.audit({ force: options.force });
+    await execute('npm audit', { log: true });
+    logger.log(logger.format.green('npm audit passed — no known vulnerabilities.'));
   } catch (e) {
-    logger.error(e.message);
+    logger.warn('npm audit found vulnerabilities. Review the output above.');
   }
 };

package/dist/commands/install.js CHANGED Viewed

@@ -53,39 +53,23 @@ module.exports = async function (options) {
   // Log
   logger.log(`Running: ${logger.format.cyan(command)}`);
-  // Wrap with socket
+  // Wrap with Socket Firewall
   try {
     await socket.wrap(command, { force: options.force });
   } catch (e) {
-    // npm itself failed (ERESOLVE, network, peer-dep conflict) — not a Socket block.
-    // The npm error was already printed above; just acknowledge and stop.
     if (e.reason === 'npm-failed') {
       logger.log('');
       logger.log('Fix the npm error above (e.g. resolve peer-dep conflicts) and retry.');
       return;
     }
-    const flaggedPackages = e.flaggedPackages || [];
-    if (flaggedPackages.length > 0) {
-      logger.log('');
-      logger.error('Socket flagged the following dependencies:');
-      flaggedPackages.forEach(pkg => logger.error(`  • ${pkg}`));
-    }
     logger.log('');
-    logger.log('To retry with Socket protection bypassed:');
+    logger.log('Install blocked. See the output above for details.');
+    logger.log('To retry without firewall protection:');
     logger.log(logger.format.cyan(`  npu i ${packages.join(' ')} ${flags.join(' ')} --force`.trim()));
     return;
   }
-  // Run full audit after install
-  try {
-    await socket.audit({ force: options.force });
-  } catch (e) {
-    logger.error(`Audit warning: ${e.message}`);
-  }
   // Done
   logger.log(logger.format.green('Install complete.'));
 };

package/dist/commands/outdated.js CHANGED Viewed

@@ -456,65 +456,16 @@ module.exports = async function (options) {
     logger.log('package.json and package-lock.json have been restored to their original state.');
     logger.log('The removed package copies will show as missing in the next check until reinstalled.');
-    // npm itself failed (ERESOLVE, network, peer-dep conflict) — not a Socket block.
-    // The npm error was already printed above; just acknowledge and stop.
     if (e.reason === 'npm-failed') {
       logger.log('');
       logger.log('Fix the npm error above (e.g. resolve peer-dep conflicts) and retry.');
       return { allPackages, desynced, updated: false, target: action };
     }
-    const flaggedPackages = e.flaggedPackages || [];
-    // Trace which of the requested packages bring in the flagged deps
-    const riskyParents = new Set();
-    if (flaggedPackages.length > 0) {
-      logger.log('');
-      logger.error('Socket flagged the following transitive dependencies:');
-      for (const flagged of flaggedPackages) {
-        const flaggedName = flagged.replace(/@[^@]+$/, ''); // strip version
-        let parentChain = '';
-        try {
-          const lsOutput = await execute(`npm ls ${flaggedName} --json`, { log: false });
-          const tree = JSON.parse(lsOutput);
-          // Find which top-level deps depend on the flagged package
-          const parents = [];
-          for (const [dep, info] of Object.entries(tree.dependencies || {})) {
-            if (dep === flaggedName || JSON.stringify(info).includes(`"${flaggedName}"`)) {
-              parents.push(dep);
-              riskyParents.add(dep);
-            }
-          }
-          if (parents.length > 0) {
-            parentChain = chalk.dim(` (from ${parents.join(', ')})`);
-          }
-        } catch (_) {
-          // npm ls may fail, just skip the trace
-        }
-        logger.error(`  • ${flagged}${parentChain}`);
-      }
-    }
-    // Suggest retry commands
-    if (riskyParents.size > 0) {
-      const ignoreArg = [...riskyParents].join(',');
-      logger.log('');
-      logger.log('To skip the risky packages and update the rest:');
-      logger.log(logger.format.cyan(`  npu out --ignore ${ignoreArg}`));
-    }
     logger.log('');
-    logger.log('To retry with Socket protection bypassed:');
+    logger.log('Install blocked. See the output above for details.');
+    logger.log('To retry without firewall protection:');
     logger.log(logger.format.cyan(`  npu out --force`));
-    logger.log('');
-    logger.log('To bypass Socket for this install only:');
-    logger.log(logger.format.cyan(`  SOCKET_CLI_ACCEPT_RISKS=1 npm install ${packageNames.map(name => `${name}@${version.clean(upgrades[name])}`).join(' ')}`));
     return { allPackages, desynced, updated: false, target: action };
   }
@@ -535,28 +486,11 @@ module.exports = async function (options) {
   return { allPackages, desynced, updated: true, target: action };
 };
-// Helper to explain a Socket risk-block after stale copies were already removed.
-// Deliberately does NOT reinstall the removed copies — that would silently
-// bypass the block Socket just raised; removed is safer than stale-and-risky.
 function reportSocketBlock(e, retryCommand) {
-  const flaggedPackages = e.flaggedPackages || [];
-  if (flaggedPackages.length > 0) {
-    logger.log('');
-    logger.error('Socket flagged the following dependencies:');
-    flaggedPackages.forEach(pkg => logger.error(`  • ${pkg}`));
-    const flaggedNames = flaggedPackages.map(pkg => pkg.replace(/@[^@]+$/, ''));
-    logger.log('');
-    logger.log('If these are fixable CVEs in transitive deps pinned by package-lock.json, re-resolve them with:');
-    logger.log(logger.format.cyan(`  socket npm update ${flaggedNames.join(' ')}`));
-  }
   logger.log('');
-  logger.log('To retry with Socket protection bypassed:');
+  logger.log('Install blocked. See the output above for details.');
+  logger.log('To retry without firewall protection:');
   logger.log(logger.format.cyan(`  ${retryCommand}`));
-  logger.log('');
-  logger.log('The risky copies stay removed from node_modules (safer than leaving stale versions) and will show as missing until reinstalled.');
 }
 // Helper to report packages that npm claimed to install but didn't physically land.

package/dist/lib/socket.js CHANGED Viewed

@@ -2,171 +2,91 @@
 const { execute } = require('node-powertools');
 const logger = new (require('./logger'))('node-power-user');
-// Check if socket CLI is installed
-let _socketVersion = undefined;
-async function isSocketAvailable() {
-  if (_socketVersion !== undefined) {
-    return !!_socketVersion;
+// Check if sfw (Socket Firewall) is installed
+let _sfwVersion = undefined;
+async function isFirewallAvailable() {
+  if (_sfwVersion !== undefined) {
+    return !!_sfwVersion;
   }
   try {
-    _socketVersion = (await execute('socket --version', { log: false })).trim();
+    _sfwVersion = (await execute('sfw --version', { log: false })).trim();
   } catch (e) {
-    _socketVersion = null;
+    _sfwVersion = null;
   }
-  return !!_socketVersion;
+  return !!_sfwVersion;
 }
-// Log socket status upfront (call at the start of commands)
+// Log firewall status upfront (call at the start of commands)
 async function check(options) {
   options = options || {};
-  const available = await isSocketAvailable();
+  const available = await isFirewallAvailable();
   if (available) {
-    logger.log(logger.format.green(`Socket v${_socketVersion} — supply chain protection enabled.`));
+    logger.log(logger.format.green(`${_sfwVersion} — supply chain protection enabled.`));
   } else {
-    logger.error('Socket CLI is not installed. Your installs are NOT protected against supply chain attacks.');
-    logger.error(`Install it with: ${logger.format.cyan('npm install -g @socketsecurity/cli --save-exact')}`);
+    logger.error('Socket Firewall (sfw) is not installed. Installs are NOT protected against supply chain attacks.');
+    logger.error(`Install it with: ${logger.format.cyan('npm install -g sfw')}`);
     if (!options.force) {
-      logger.error('Refusing to proceed without Socket protection. Use --force to bypass.');
-      throw new Error('Socket CLI is not installed.');
+      logger.error('Refusing to proceed without firewall protection. Use --force to bypass.');
+      throw new Error('Socket Firewall is not installed.');
     }
-    logger.warn('Bypassing Socket protection (--force flag detected).');
+    logger.warn('Bypassing firewall protection (--force flag detected).');
   }
   return available;
 }
-// Wrap an npm command with socket if available
+// Wrap an npm command with sfw if available
 async function wrap(command, options) {
   options = options || {};
-  const available = await isSocketAvailable();
+  const available = await isFirewallAvailable();
-  // If socket is not installed, fall back to plain npm
-  if (!available) {
-    await execute(command, { log: true });
+  // If firewall is not installed or --force is used, run plain npm
+  if (!available || options.force) {
+    try {
+      await execute(command, { log: true });
+    } catch (e) {
+      const err = new Error('npm install failed. See the error output above.');
+      err.reason = 'npm-failed';
+      throw err;
+    }
     return;
   }
-  // Run with socket and capture output to check for risks
-  // When --force is used, set SOCKET_CLI_ACCEPT_RISKS so Socket actually installs
-  const env = options.force ? 'SOCKET_CLI_ACCEPT_RISKS=1 ' : '';
+  // Run with Socket Firewall
   let output;
   let exitedWithError = false;
   try {
-    output = await execute(`${env}socket ${command}`, { log: false });
+    output = await execute(`sfw ${command}`, { log: false });
   } catch (e) {
-    // Socket exits non-zero when it detects risks
     output = e.message || '';
     exitedWithError = true;
   }
-  // Print the output
   if (output) {
     console.log(output);
   }
-  // Distinguish a real Socket risk-block from a generic npm failure.
-  // Socket prints its own markers when it blocks; npm failures (ERESOLVE,
-  // network errors, peer-dep conflicts) just exit non-zero with npm errors.
-  const socketBlocked = /new risk|socket found|exiting due to risks/i.test(output)
-    && !/no new risks/i.test(output);
-  // Subprocess failed but Socket didn't actually block — surface the npm error honestly.
-  if (exitedWithError && !socketBlocked) {
-    logger.error('npm install failed. See the error output above.');
-    const err = new Error('npm install failed.');
-    err.reason = 'npm-failed';
+  if (exitedWithError) {
+    const err = new Error('Install blocked — Socket Firewall may have flagged a risky package.');
+    err.reason = 'sfw-blocked';
     throw err;
   }
-  if (!socketBlocked) {
-    return;
-  }
-  // Parse flagged package names from Socket output (e.g. "serialize-javascript@6.0.2")
-  const flaggedPackages = [];
-  const flaggedRegex = /^(\S+@\S+)\s/gm;
-  let match;
-  while ((match = flaggedRegex.exec(output)) !== null) {
-    flaggedPackages.push(match[1]);
-  }
-  // Risks detected — block unless --force flag is passed
-  logger.error('Socket detected supply chain risks in the packages above.');
-  if (!options.force) {
-    logger.error('Refusing to install. Review the risks above, then use --force to bypass.');
-    const err = new Error('Socket detected supply chain risks.');
-    err.reason = 'socket-blocked';
-    err.flaggedPackages = flaggedPackages;
-    throw err;
-  }
-  logger.warn('Bypassing Socket risk warnings (--force flag detected).');
 }
-// Run a full socket audit on the current project
-async function audit(options) {
-  options = options || {};
-  const available = await isSocketAvailable();
-  if (!available) {
-    logger.warn('Skipping post-install audit — Socket CLI is not installed.');
-    return;
-  }
-  logger.log(logger.format.cyan('\nRunning post-install Socket audit...'));
-  let output;
-  let exitedWithError = false;
-  try {
-    output = await execute('socket npm audit', { log: false });
-  } catch (e) {
-    output = e.message || '';
-    exitedWithError = true;
-  }
-  // Print the output
-  if (output) {
-    console.log(output);
-  }
-  // Distinguish a real Socket risk-finding from a generic audit-subprocess failure.
-  const socketFoundRisks = /new risk|socket found|exiting due to risks/i.test(output)
-    && !/no new risks/i.test(output);
-  if (exitedWithError && !socketFoundRisks) {
-    logger.warn('Socket audit subprocess failed (not a risk finding). See output above.');
-    return;
-  }
-  if (!socketFoundRisks) {
-    logger.log(logger.format.green('Socket audit passed — no risks detected.'));
-    return;
-  }
-  logger.error('Socket audit found supply chain risks in your dependencies.');
-  if (!options.force) {
-    logger.error('Review the risks above. Use --force to bypass.');
-    throw new Error('Socket audit detected supply chain risks.');
-  }
-  logger.warn('Bypassing Socket audit warnings (--force flag detected).');
-}
+// Socket Firewall handles protection at install time — no separate audit step needed
+async function audit() {}
 // Export
 module.exports = {
-  isAvailable: isSocketAvailable,
+  isAvailable: isFirewallAvailable,
   check,
   wrap,
   audit,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "node-power-user",
-  "version": "2.1.6",
+  "version": "2.1.7",
   "description": "Easy tools for every Node.js developer!",
   "main": "dist/index.js",
   "scripts": {