socket 0.14.14 → 0.14.16

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts","../src/utils/formatting.ts","../src/utils/sorts.ts","../src/flags.ts","../src/utils/meow-with-subcommands.ts","../src/commands/cdxgen.ts","../src/utils/api-helpers.ts","../src/utils/objects.ts","../src/utils/format-issues.ts","../src/commands/info.ts","../src/commands/login.ts","../src/commands/logout.ts","../src/commands/npm.ts","../src/commands/npx.ts","../src/utils/fs.ts","../src/utils/json.ts","../src/utils/strings.ts","../src/utils/package-manager-detector.ts","../src/utils/arrays.ts","../src/utils/promises.ts","../src/utils/regexps.ts","../src/commands/optimize.ts","../src/commands/organization.ts","../src/commands/raw-npm.ts","../src/commands/raw-npx.ts","../src/commands/report/view.ts","../src/commands/report/create.ts","../src/commands/report/index.ts","../src/commands/wrapper.ts","../src/commands/scan/create.ts","../src/commands/scan/delete.ts","../src/commands/scan/list.ts","../src/commands/scan/metadata.ts","../src/commands/scan/stream.ts","../src/commands/scan/index.ts","../src/commands/audit-log.ts","../src/commands/repos/create.ts","../src/commands/repos/delete.ts","../src/commands/repos/list.ts","../src/commands/repos/update.ts","../src/commands/repos/view.ts","../src/commands/repos/index.ts","../src/commands/dependencies.ts","../src/commands/analytics.ts","../src/commands/diff-scan/get.ts","../src/commands/diff-scan/index.ts","../src/commands/threat-feed.ts","../src/commands/index.ts"],"names":[],"mappings":""}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts","../src/utils/formatting.ts","../src/utils/sorts.ts","../src/flags.ts","../src/utils/meow-with-subcommands.ts","../src/commands/cdxgen.ts","../src/utils/api-helpers.ts","../src/utils/format-issues.ts","../src/commands/info.ts","../src/commands/login.ts","../src/commands/logout.ts","../src/commands/npm.ts","../src/commands/npx.ts","../src/utils/fs.ts","../src/utils/json.ts","../src/utils/strings.ts","../src/utils/package-manager-detector.ts","../src/utils/arrays.ts","../src/utils/promises.ts","../src/utils/regexps.ts","../src/commands/optimize.ts","../src/commands/organization.ts","../src/commands/raw-npm.ts","../src/commands/raw-npx.ts","../src/commands/report/view.ts","../src/commands/report/create.ts","../src/commands/report/index.ts","../src/commands/wrapper.ts","../src/commands/scan/create.ts","../src/commands/scan/delete.ts","../src/commands/scan/list.ts","../src/commands/scan/metadata.ts","../src/commands/scan/stream.ts","../src/commands/scan/index.ts","../src/commands/audit-log.ts","../src/commands/repos/create.ts","../src/commands/repos/delete.ts","../src/commands/repos/list.ts","../src/commands/repos/update.ts","../src/commands/repos/view.ts","../src/commands/repos/index.ts","../src/commands/dependencies.ts","../src/commands/analytics.ts","../src/commands/diff-scan/get.ts","../src/commands/diff-scan/index.ts","../src/commands/threat-feed.ts","../src/commands/index.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -324,45 +324,13 @@ async function queryAPI(path, apiKey) {
 
 var formatIssues = {};
 
-var objects = {};
-
-Object.defineProperty(objects, "__esModule", {
-  value: true
-});
-objects.hasOwn = hasOwn;
-objects.isObjectObject = isObjectObject;
-objects.objectSome = objectSome;
-objects.pick = pick;
-function hasOwn(obj, propKey) {
-  if (obj === null || obj === undefined) return false;
-  return Object.hasOwn(obj, propKey);
-}
-function isObjectObject(value) {
-  return value !== null && typeof value === 'object' && !Array.isArray(value);
-}
-function objectSome(obj) {
-  for (const key in obj) {
-    if (obj[key]) {
-      return true;
-    }
-  }
-  return false;
-}
-function pick(input, keys) {
-  const result = {};
-  for (const key of keys) {
-    result[key] = input[key];
-  }
-  return result;
-}
-
 Object.defineProperty(formatIssues, "__esModule", {
   value: true
 });
 formatIssues.formatSeverityCount = formatSeverityCount;
 formatIssues.getSeverityCount = getSeverityCount;
 var _misc$2 = sdk.misc;
-var _objects$4 = objects;
+var _objects$4 = sdk.objects;
 const SEVERITIES_BY_ORDER = ['critical', 'high', 'middle', 'low'];
 function getDesiredSeverities(lowestToInclude) {
   const result = [];
@@ -448,7 +416,7 @@ var _chalkMarkdown$3 = sdk.chalkMarkdown;
 var _errors$k = sdk.errors;
 var _formatIssues$1 = formatIssues;
 var _formatting$m = formatting;
-var _objects$3 = objects;
+var _objects$3 = sdk.objects;
 var _sdk$j = sdk.sdk;
 const info = info$1.info = {
   description: 'Look up info regarding a package',
@@ -820,8 +788,8 @@ const description$5 = 'npm wrapper functionality';
 npm.npm = {
   description: description$5,
   async run(argv, _importMeta, _ctx) {
-    process.exitCode = 1;
     const wrapperPath = _nodePath$6.join(distPath$3, 'npm-cli.js');
+    process.exitCode = 1;
     const spawnPromise = _promiseSpawn$5(process.execPath, [wrapperPath, ...argv], {
       stdio: 'inherit'
     });
@@ -928,7 +896,7 @@ Object.defineProperty(json, "__esModule", {
   value: true
 });
 json.parseJSONObject = parseJSONObject;
-var _objects$2 = objects;
+var _objects$2 = sdk.objects;
 function parseJSONObject(jsonStr) {
   try {
     const value = JSON.parse(jsonStr);
@@ -962,7 +930,7 @@ var _semver$1 = require$$3$1;
 var _which = require$$5$1;
 var _fs = fs;
 var _json = json;
-var _objects$1 = objects;
+var _objects$1 = sdk.objects;
 var _strings$1 = strings;
 const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn'];
 const numericCollator = new Intl.Collator(undefined, {
@@ -1241,7 +1209,7 @@ var _pacote = require$$8;
 var _semver = require$$3$1;
 var _flags$j = flags$1;
 var _formatting$k = formatting;
-var _objects = objects;
+var _objects = sdk.objects;
 var _packageManagerDetector = packageManagerDetector;
 var _promises$2 = promises;
 var _regexps = regexps;
@@ -1727,7 +1695,7 @@ async function setupCommand$j(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const spawnPromise = _promiseSpawn$1('npm', [argv.join(' ')], {
+  const spawnPromise = _promiseSpawn$1('npm', argv, {
     stdio: 'inherit'
   });
   spawnPromise.process.on('exit', (code, signal) => {

package/dist/npm-cli.js

@@ -21,13 +21,10 @@ const realFilename = (0, _nodeFs.realpathSync)(__filename);
 const realDirname = _nodePath.dirname(realFilename);
 const npmPath = (0, _link.installLinks)(_nodePath.join(realDirname, 'bin'), 'npm');
 const injectionPath = _nodePath.join(realDirname, 'npm-injection.js');
-process.exitCode = 1;
 
-/* 
-  Adding the `--quiet` and `--no-progress` flags when the `proc-log` module 
-  is found to fix a UX issue when running the command with recent versions of npm
-  (input swallowed by the standard npm spinner) 
-*/
+// Adding the `--quiet` and `--no-progress` flags when the `proc-log` module
+// is found to fix a UX issue when running the command with recent versions of
+// npm (input swallowed by the standard npm spinner)
 let npmArgs = [];
 if (process.argv.slice(2).includes('install')) {
   const npmEntrypoint = (0, _nodeFs.realpathSync)(npmPath);
@@ -44,9 +41,11 @@ if (process.argv.slice(2).includes('install')) {
     npmArgs = ['--quiet', '--no-progress'];
   }
 }
-_promiseSpawn(process.execPath, ['--require', injectionPath, npmPath, ...process.argv.slice(2), ...npmArgs], {
+process.exitCode = 1;
+const spawnPromise = _promiseSpawn(process.execPath, ['--require', injectionPath, npmPath, ...process.argv.slice(2), ...npmArgs], {
   stdio: 'inherit'
-}).process.on('exit', (code, signal) => {
+});
+spawnPromise.process.on('exit', (code, signal) => {
   if (signal) {
     process.kill(process.pid, signal);
   } else if (code !== null) {

package/dist/npm-injection.js

@@ -10,10 +10,12 @@ var require$$3 = require('node:readline');
 var require$$5 = require('node:stream');
 var require$$8$1 = require('node:timers/promises');
 var require$$3$1 = require('@socketsecurity/config');
+var require$$6$1 = require('npm-package-arg');
+var require$$3$2 = require('semver');
+var sdk = require('./sdk.js');
 var require$$1$1 = require('node:net');
 var require$$2 = require('node:os');
 var require$$6 = require('../package.json');
-var sdk = require('./sdk.js');
 var pathResolve = require('./path-resolve.js');
 var require$$8 = require('pacote');
 
@@ -393,14 +395,17 @@ var _config = require$$3$1;
 var _chalk = _interopRequireDefault(vendor.source);
 var _isInteractive = _interopRequireDefault(vendor.isInteractive);
 var _ora = _interopRequireWildcard(vendor.ora);
+var _npmPackageArg = require$$6$1;
+var _semver = require$$3$2;
+var _constants = sdk.constants;
 var _ttyServer = ttyServer$1;
 var _chalkMarkdown = sdk.chalkMarkdown;
 var _issueRules = issueRules;
 var _misc = sdk.misc;
+var _objects = sdk.objects;
 var _pathResolve = pathResolve.pathResolve;
 var _sdk = sdk.sdk;
 var _settings = sdk.settings;
-var _constants = sdk.constants;
 const LOOP_SENTINEL = 1_000_000;
 const POTENTIALLY_BUG_ERROR_SNIPPET = 'this is potentially a bug with socket-npm caused by changes to the npm cli';
 const distPath$1 = __dirname;
@@ -420,6 +425,8 @@ if (npmRootPath === undefined) {
 const npmNmPath = _nodePath$1.join(npmRootPath, 'node_modules');
 const arboristClassPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/arborist/index.js');
 const arboristEdgeClassPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/edge.js');
+const arboristNodeClassPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/node.js');
+const arboristOverrideSetClassPatch = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/override-set.js');
 let npmlog;
 try {
   npmlog = require(_nodePath$1.join(npmNmPath, 'proc-log/lib/index.js')).log;
@@ -441,6 +448,8 @@ try {
 }
 const Arborist = require(arboristClassPath);
 const Edge = require(arboristEdgeClassPath);
+const Node = require(arboristNodeClassPath);
+const OverrideSet = require(arboristOverrideSetClassPatch);
 const kCtorArgs = Symbol('ctorArgs');
 const kRiskyReify = Symbol('riskyReify');
 const formatter = new _chalkMarkdown.ChalkOrMarkdown(false);
@@ -493,15 +502,6 @@ async function* batchScan(pkgIds) {
     yield JSON.parse(line);
   }
 }
-function deleteEdgeIn(node, edge) {
-  node.edgesIn.delete(edge);
-  const {
-    overrides
-  } = edge;
-  if (overrides) {
-    updateNodeOverrideSetDueToEdgeRemoval(node, overrides);
-  }
-}
 function findSocketYmlSync() {
   let prevDir = null;
   let dir = process.cwd();
@@ -527,17 +527,20 @@ function findSocketYmlSync() {
   }
   return null;
 }
+
+// Patch adding findSpecificOverrideSet is based on
+// https://github.com/npm/cli/pull/7025.
 function findSpecificOverrideSet(first, second) {
   let overrideSet = second;
   while (overrideSet) {
-    if (overrideSetsEqual(overrideSet, first)) {
+    if (overrideSet.isEqual(first)) {
       return second;
     }
     overrideSet = overrideSet.parent;
   }
   overrideSet = first;
   while (overrideSet) {
-    if (overrideSetsEqual(overrideSet, second)) {
+    if (overrideSet.isEqual(second)) {
       return first;
     }
     overrideSet = overrideSet.parent;
@@ -551,61 +554,6 @@ function maybeReadfileSync(filepath) {
   } catch {}
   return undefined;
 }
-function overrideSetsChildrenAreEqual(overrideSet, other) {
-  const queue = [[overrideSet, other]];
-  let pos = 0;
-  let {
-    length: queueLength
-  } = queue;
-  while (pos < queueLength) {
-    if (pos === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop while comparing override sets');
-    }
-    const {
-      0: currSet,
-      1: currOtherSet
-    } = queue[pos++];
-    const {
-      children
-    } = currSet;
-    const {
-      children: otherChildren
-    } = currOtherSet;
-    if (children.size !== otherChildren.size) {
-      return false;
-    }
-    for (const key of children.keys()) {
-      if (!otherChildren.has(key)) {
-        return false;
-      }
-      const child = children.get(key);
-      const otherChild = otherChildren.get(key);
-      if (child.value !== otherChild.value) {
-        return false;
-      }
-      queue[queueLength++] = [child, otherChild];
-    }
-  }
-  return true;
-}
-function overrideSetsEqual(overrideSet, other) {
-  if (overrideSet === other) {
-    return true;
-  }
-  if (!other) {
-    return false;
-  }
-  if (overrideSet.key !== other.key || overrideSet.value !== other.value) {
-    return false;
-  }
-  if (!overrideSetsChildrenAreEqual(overrideSet, other)) {
-    return false;
-  }
-  if (!overrideSet.parent) {
-    return !other.parent;
-  }
-  return overrideSetsEqual(overrideSet.parent, other.parent);
-}
 async function packagesHaveRiskyIssues(safeArb, _registry, pkgs, output) {
   let result = false;
   let remaining = pkgs.length;
@@ -722,15 +670,6 @@ function pkgidParts(pkgid) {
     version
   };
 }
-function recalculateOutEdgesOverrides(node) {
-  // For each edge out propagate the new overrides through.
-  for (const edge of node.edgesOut.values()) {
-    edge.reload(true);
-    if (edge.to) {
-      updateNodeOverrideSet(edge.to, edge.overrides);
-    }
-  }
-}
 function toPURL(pkgid, resolved) {
   const repo = resolved.replace(/#[\s\S]*$/u, '').replace(/\?[\s\S]*$/u, '').replace(/\/[^/]*\/-\/[\s\S]*$/u, '');
   const {
@@ -744,84 +683,6 @@ function toPURL(pkgid, resolved) {
     repository_url: repo
   };
 }
-function updateNodeOverrideSetDueToEdgeRemoval(node, other) {
-  const {
-    overrides
-  } = node;
-  // If this edge's overrides isn't equal to this node's overrides, then removing
-  // it won't change newOverrideSet later.
-  if (!overrides || !overrideSetsEqual(overrides, other)) {
-    return false;
-  }
-  let newOverrideSet;
-  for (const edge of node.edgesIn) {
-    const {
-      overrides: edgeOverrides
-    } = edge;
-    if (newOverrideSet) {
-      newOverrideSet = findSpecificOverrideSet(edgeOverrides, newOverrideSet);
-    } else {
-      newOverrideSet = edgeOverrides;
-    }
-  }
-  if (overrideSetsEqual(overrides, newOverrideSet)) {
-    return false;
-  }
-  node.overrides = newOverrideSet;
-  if (newOverrideSet) {
-    // Optimization: If there's any override set at all, then no non-extraneous
-    // node has an empty override set. So if we temporarily have no override set
-    // (for example, we removed all the edges in), there's no use updating all
-    // the edges out right now. Let's just wait until we have an actual override
-    // set later.
-    recalculateOutEdgesOverrides(node);
-  }
-  return true;
-}
-
-// This logic isn't perfect either. When we have two edges in that have different
-// override sets, then we have to decide which set is correct. This function
-// assumes the more specific override set is applicable, so if we have dependencies
-// A->B->C and A->C and an override set that specifies what happens for C under
-// A->B, this will work even if the new A->C edge comes along and tries to change
-// the override set. The strictly correct logic is not to allow two edges with
-// different overrides to point to the same node, because even if this node can
-// satisfy both, one of its dependencies might need to be different depending on
-// the edge leading to it. However, this might cause a lot of duplication, because
-// the conflict in the dependencies might never actually happen.
-function updateNodeOverrideSet(node, otherOverrideSet) {
-  if (!node.overrides) {
-    // Assuming there are any overrides at all, the overrides field is never
-    // undefined for any node at the end state of the tree. So if the new edge's
-    // overrides is undefined it will be updated later. So we can wait with
-    // updating the node's overrides field.
-    if (!otherOverrideSet) {
-      return false;
-    }
-    node.overrides = otherOverrideSet;
-    recalculateOutEdgesOverrides(node);
-    return true;
-  }
-  const {
-    overrides
-  } = node;
-  if (overrideSetsEqual(overrides, otherOverrideSet)) {
-    return false;
-  }
-  const newOverrideSet = findSpecificOverrideSet(overrides, otherOverrideSet);
-  if (newOverrideSet) {
-    if (overrideSetsEqual(overrides, newOverrideSet)) {
-      return false;
-    }
-    node.overrides = newOverrideSet;
-    recalculateOutEdgesOverrides(node);
-    return true;
-  }
-  // This is an error condition. We can only get here if the new override set is
-  // in conflict with the existing.
-  console.error('Conflicting override sets');
-  return false;
-}
 function walk(diff_, needInfoOn = []) {
   const queue = [diff_];
   let pos = 0;
@@ -869,15 +730,18 @@ function walk(diff_, needInfoOn = []) {
   return needInfoOn;
 }
 
-// Copied from
-// https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/edge.js:
+// The Edge class makes heavy use of private properties which subclasses do NOT
+// have access to. So we have to recreate any functionality that relies on those
+// private properties and use our own "safe" prefixed non-conflicting private
+// properties. Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/edge.js.
+//
 // The npm application
 // Copyright (c) npm, Inc. and Contributors
 // Licensed on the terms of The Artistic License 2.0
 //
 // An edge in the dependency graph.
 // Represents a dependency relationship of some kind.
-
 class SafeEdge extends Edge {
   #safeAccept;
   #safeError;
@@ -939,11 +803,20 @@ class SafeEdge extends Edge {
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
   get spec() {
     if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
+      // Patch adding "if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      //
+      // If this edge has the same overrides field as the source, then we're not
+      // applying an override for this edge.
+      if (this.overrides === this.#safeFrom?.overrides) {
+        // The Edge rawSpec getter will retrieve the private Edge #spec property.
+        return this.rawSpec;
+      }
       if (this.overrides.value.startsWith('$')) {
         const ref = this.overrides.value.slice(1);
         // We may be a virtual root, if we are we want to resolve reference
         // overrides from the real root, not the virtual one.
-        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom.sourceReference.root.package : this.#safeFrom?.root.package;
+        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom.sourceReference.root.package : this.#safeFrom?.root?.package;
         if (pkg?.devDependencies?.[ref]) {
           return pkg.devDependencies[ref];
         }
@@ -977,6 +850,16 @@ class SafeEdge extends Edge {
         this.#safeError = 'PEER LOCAL';
       } else if (!this.satisfiedBy(this.#safeTo)) {
         this.#safeError = 'INVALID';
+      }
+      // Patch adding "else if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      else if (this.overrides && this.#safeTo.edgesOut.size && !findSpecificOverrideSet(this.overrides, this.#safeTo.overrides)) {
+        // Any inconsistency between the edge's override set and the target's
+        // override set is potentially problematic. But we only say the edge is
+        // in error if the override sets are plainly conflicting. Note that if
+        // the target doesn't have any dependencies of their own, then this
+        // inconsistency is irrelevant.
+        this.#safeError = 'INVALID';
       } else {
         this.#safeError = 'OK';
       }
@@ -988,17 +871,34 @@ class SafeEdge extends Edge {
   }
   reload(hard = false) {
     this.#safeExplanation = null;
+
+    // Patch adding newOverrideSet and oldOverrideSet is based on
+    // https://github.com/npm/cli/pull/7025.
+    let newOverrideSet;
+    let oldOverrideSet;
     if (this.#safeFrom?.overrides) {
-      this.overrides = this.#safeFrom.overrides.getEdgeRule(this);
+      // Patch replacing
+      // this.overrides = this.#safeFrom.overrides.getEdgeRule(this)
+      // is based on https://github.com/npm/cli/pull/7025.
+      const newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
+      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
+        // If there's a new different override set we need to propagate it to
+        // the nodes. If we're deleting the override set then there's no point
+        // propagating it right now since it will be filled with another value
+        // later.
+        oldOverrideSet = this.overrides;
+        this.overrides = newOverrideSet;
+      }
     } else {
       this.overrides = undefined;
     }
     const newTo = this.#safeFrom?.resolve(this.name);
     if (newTo !== this.#safeTo) {
       if (this.#safeTo) {
-        // Instead of `this.#safeTo.edgesIn.delete(this)` we patch based on
-        // https://github.com/npm/cli/pull/7025.
-        deleteEdgeIn(this.#safeTo, this);
+        // Patch replacing
+        // this.#safeTo.edgesIn.delete(this)
+        // is based on https://github.com/npm/cli/pull/7025.
+        this.#safeTo.deleteEdgeIn(this);
       }
       this.#safeTo = newTo ?? null;
       this.#safeError = null;
@@ -1008,13 +908,21 @@ class SafeEdge extends Edge {
     } else if (hard) {
       this.#safeError = null;
     }
+    // Patch adding "else if" condition based on
+    // https://github.com/npm/cli/pull/7025
+    else if (oldOverrideSet) {
+      // Propagate the new override set to the target node.
+      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
+      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
+    }
   }
   detach() {
     this.#safeExplanation = null;
     if (this.#safeTo) {
-      // Instead of `this.#safeTo.edgesIn.delete(this)` we patch based on
-      // https://github.com/npm/cli/pull/7025.
-      deleteEdgeIn(this.#safeTo, this);
+      // Patch replacing
+      // this.#safeTo.edgesIn.delete(this)
+      // is based on https://github.com/npm/cli/pull/7025.
+      this.#safeTo.deleteEdgeIn(this);
     }
     if (this.#safeFrom) {
       this.#safeFrom.edgesOut.delete(this.name);
@@ -1034,6 +942,333 @@ class SafeEdge extends Edge {
     return this.#safeTo;
   }
 }
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/node.js:
+class SafeNode extends Node {
+  // Is it safe to replace one node with another?  check the edges to
+  // make sure no one will get upset.  Note that the node might end up
+  // having its own unmet dependencies, if the new node has new deps.
+  // Note that there are cases where Arborist will opt to insert a node
+  // into the tree even though this function returns false!  This is
+  // necessary when a root dependency is added or updated, or when a
+  // root dependency brings peer deps along with it.  In that case, we
+  // will go ahead and create the invalid state, and then try to resolve
+  // it with more tree construction, because it's a user request.
+  canReplaceWith(node, ignorePeers) {
+    if (this.name !== node.name || this.packageName !== node.packageName) {
+      return false;
+    }
+    // Patch replacing
+    // if (node.overrides !== this.overrides) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If this node has no dependencies, then it's irrelevant to check the
+    // override rules of the replacement node.
+    if (this.edgesOut.size) {
+      // XXX need to check for two root nodes?
+      if (node.overrides) {
+        if (!node.overrides.isEqual(this.overrides)) {
+          return false;
+        }
+      } else {
+        if (this.overrides) {
+          return false;
+        }
+      }
+    }
+    // To satisfy the patch we ensure `node.overrides === this.overrides`
+    // so that the condition we want to replace,
+    // if (this.overrides !== node.overrides) {
+    // , is not hit.`
+    const oldOverrideSet = this.overrides;
+    let result = true;
+    if (oldOverrideSet !== node.overrides) {
+      this.overrides = node.overrides;
+    }
+    try {
+      result = super.canReplaceWith(node, ignorePeers);
+      this.overrides = oldOverrideSet;
+    } catch (e) {
+      this.overrides = oldOverrideSet;
+      throw e;
+    }
+    return result;
+  }
+  deleteEdgeIn(edge) {
+    this.edgesIn.delete(edge);
+    const {
+      overrides
+    } = edge;
+    if (overrides) {
+      this.updateOverridesEdgeInRemoved(overrides);
+    }
+  }
+  addEdgeIn(edge) {
+    // Patch replacing
+    // if (edge.overrides) {
+    //   this.overrides = edge.overrides
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // We need to handle the case where the new edge in has an overrides field
+    // which is different from the current value.
+    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
+      this.updateOverridesEdgeInAdded(edge.overrides);
+    }
+    this.edgesIn.add(edge);
+    // Try to get metadata from the yarn.lock file.
+    this.root.meta?.addEdge(edge);
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get overridden() {
+    // Patch replacing
+    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
+      return false;
+    }
+    // The overrides rule is for a package with this name, but some override rules
+    // only apply to specific versions. To make sure this package was actually
+    // overridden, we check whether any edge going in had the rule applied to it,
+    // in which case its overrides set is different than its source node.
+    for (const edge of this.edgesIn) {
+      if (this.overrides.isEqual(edge.overrides)) {
+        if (!edge.overrides?.isEqual(edge.from?.overrides)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  // Patch adding recalculateOutEdgesOverrides is based on
+  // https://github.com/npm/cli/pull/7025.
+  recalculateOutEdgesOverrides() {
+    // For each edge out propagate the new overrides through.
+    for (const edge of this.edgesOut.values()) {
+      edge.reload(true);
+      if (edge.to) {
+        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+      }
+    }
+  }
+
+  // @ts-ignore: Incorrectly typed to accept null.
+  set root(newRoot) {
+    // Patch removing
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    //   this.overrides = this.parent.overrides.getNodeRule(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // The "root" setter is a really large and complex function. To satisfy the
+    // patch we add a dummy value to `this.overrides` so that the condition we
+    // want to remove,
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    // , is not hit.
+    if (!this.overrides) {
+      this.overrides = new OverrideSet({
+        overrides: ''
+      });
+    }
+    try {
+      super.root = newRoot;
+      this.overrides = undefined;
+    } catch (e) {
+      this.overrides = undefined;
+      throw e;
+    }
+  }
+
+  // Patch adding updateOverridesEdgeInAdded is based on
+  // https://github.com/npm/cli/pull/7025.
+  //
+  // This logic isn't perfect either. When we have two edges in that have
+  // different override sets, then we have to decide which set is correct. This
+  // function assumes the more specific override set is applicable, so if we have
+  // dependencies A->B->C and A->C and an override set that specifies what happens
+  // for C under A->B, this will work even if the new A->C edge comes along and
+  // tries to change the override set. The strictly correct logic is not to allow
+  // two edges with different overrides to point to the same node, because even
+  // if this node can satisfy both, one of its dependencies might need to be
+  // different depending on the edge leading to it. However, this might cause a
+  // lot of duplication, because the conflict in the dependencies might never
+  // actually happen.
+  updateOverridesEdgeInAdded(otherOverrideSet) {
+    if (!otherOverrideSet) {
+      // Assuming there are any overrides at all, the overrides field is never
+      // undefined for any node at the end state of the tree. So if the new edge's
+      // overrides is undefined it will be updated later. So we can wait with
+      // updating the node's overrides field.
+      return false;
+    }
+    if (!this.overrides) {
+      this.overrides = otherOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    if (this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    const newOverrideSet = findSpecificOverrideSet(this.overrides, otherOverrideSet);
+    if (newOverrideSet) {
+      if (this.overrides.isEqual(newOverrideSet)) {
+        return false;
+      }
+      this.overrides = newOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    // This is an error condition. We can only get here if the new override set is
+    // in conflict with the existing.
+    console.error('Conflicting override sets');
+    return false;
+  }
+
+  // Patch adding updateOverridesEdgeInRemoved is based on
+  // https://github.com/npm/cli/pull/7025.
+  updateOverridesEdgeInRemoved(otherOverrideSet) {
+    // If this edge's overrides isn't equal to this node's overrides,
+    // then removing it won't change newOverrideSet later.
+    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    let newOverrideSet;
+    for (const edge of this.edgesIn) {
+      const {
+        overrides: edgeOverrides
+      } = edge;
+      if (newOverrideSet && edgeOverrides) {
+        newOverrideSet = findSpecificOverrideSet(edgeOverrides, newOverrideSet);
+      } else {
+        newOverrideSet = edgeOverrides;
+      }
+    }
+    if (this.overrides.isEqual(newOverrideSet)) {
+      return false;
+    }
+    this.overrides = newOverrideSet;
+    if (newOverrideSet) {
+      // Optimization: If there's any override set at all, then no non-extraneous
+      // node has an empty override set. So if we temporarily have no override set
+      // (for example, we removed all the edges in), there's no use updating all
+      // the edges out right now. Let's just wait until we have an actual override
+      // set later.
+      this.recalculateOutEdgesOverrides();
+    }
+    return true;
+  }
+}
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/override-set.js:
+class SafeOverrideSet extends OverrideSet {
+  // Patch adding childrenAreEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  childrenAreEqual(otherOverrideSet) {
+    const queue = [[this, otherOverrideSet]];
+    let pos = 0;
+    let {
+      length: queueLength
+    } = queue;
+    while (pos < queueLength) {
+      if (pos === LOOP_SENTINEL) {
+        throw new Error('Detected infinite loop while comparing override sets');
+      }
+      const {
+        0: currSet,
+        1: currOtherSet
+      } = queue[pos++];
+      const {
+        children
+      } = currSet;
+      const {
+        children: otherChildren
+      } = currOtherSet;
+      if (children.size !== otherChildren.size) {
+        return false;
+      }
+      for (const key of children.keys()) {
+        if (!otherChildren.has(key)) {
+          return false;
+        }
+        const child = children.get(key);
+        const otherChild = otherChildren.get(key);
+        if (child.value !== otherChild.value) {
+          return false;
+        }
+        queue[queueLength++] = [child, otherChild];
+      }
+    }
+    return true;
+  }
+  getEdgeRule(edge) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== edge.name) {
+        continue;
+      }
+      // If keySpec is * we found our override.
+      if (rule.keySpec === '*') {
+        return rule;
+      }
+      // Patch replacing
+      // let spec = npa(`${edge.name}@${edge.spec}`)
+      // is based on https://github.com/npm/cli/pull/7025.
+      //
+      // We need to use the rawSpec here, because the spec has the overrides
+      // applied to it already.
+      let spec = _npmPackageArg(`${edge.name}@${edge.rawSpec}`);
+      if (spec.type === 'alias') {
+        spec = spec.subSpec;
+      }
+      if (spec.type === 'git') {
+        if (spec.gitRange && rule.keySpec && _semver.intersects(spec.gitRange, rule.keySpec)) {
+          return rule;
+        }
+        continue;
+      }
+      if (spec.type === 'range' || spec.type === 'version') {
+        if (rule.keySpec && _semver.intersects(spec.fetchSpec, rule.keySpec)) {
+          return rule;
+        }
+        continue;
+      }
+      // If we got this far, the spec type is one of tag, directory or file
+      // which means we have no real way to make version comparisons, so we
+      // just accept the override.
+      return rule;
+    }
+    return this;
+  }
+
+  // Patch adding isEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  isEqual(otherOverrideSet) {
+    if (this === otherOverrideSet) {
+      return true;
+    }
+    if (!otherOverrideSet) {
+      return false;
+    }
+    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
+      return false;
+    }
+    if (!this.childrenAreEqual(otherOverrideSet)) {
+      return false;
+    }
+    if (!this.parent) {
+      return !otherOverrideSet.parent;
+    }
+    return this.parent.isEqual(otherOverrideSet.parent);
+  }
+}
+
+// Implementation code not related to our custom behavior is based on
+// https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/arborist/index.js:
 class SafeArborist extends Arborist {
   constructor(...ctorArgs) {
     const mutedArguments = [{
@@ -1135,8 +1370,10 @@ class SafeArborist extends Arborist {
 }
 arborist.SafeArborist = SafeArborist;
 function installSafeArborist() {
-  require.cache[arboristEdgeClassPath].exports = SafeEdge;
   require.cache[arboristClassPath].exports = SafeArborist;
+  require.cache[arboristEdgeClassPath].exports = SafeEdge;
+  require.cache[arboristNodeClassPath].exports = SafeNode;
+  require.cache[arboristOverrideSetClassPatch].exports = SafeOverrideSet;
 }
 void (async () => {
   const remoteSettings = await (async () => {
@@ -1152,11 +1389,9 @@ void (async () => {
           orgs.push(org);
         }
       }
-      const result = await socketSdk.postSettings(orgs.map(org => {
-        return {
-          organization: org.id
-        };
-      }));
+      const result = await socketSdk.postSettings(orgs.map(org => ({
+        organization: org.id
+      })));
       if (!result.success) {
         throw new Error('Failed to fetch API key settings: ' + result.error.message);
       }
@@ -1165,7 +1400,7 @@ void (async () => {
         settings: result.data
       };
     } catch (e) {
-      if (typeof e === 'object' && e !== null && 'cause' in e) {
+      if ((0, _objects.isObject)(e) && 'cause' in e) {
         const {
           cause
         } = e;
@@ -1186,7 +1421,7 @@ void (async () => {
   } = remoteSettings;
   const enforcedOrgs = (0, _settings.getSetting)('enforcedOrgs') ?? [];
 
-  // remove any organizations not being enforced
+  // Remove any organizations not being enforced.
   for (const {
     0: i,
     1: org

package/dist/sdk.d.ts

@@ -1,5 +1,12 @@
 /// <reference types="node" />
 import { SocketSdk } from '@socketsecurity/sdk';
+declare function hasOwn(obj: any, propKey: PropertyKey): boolean;
+declare function isObject(value: any): value is object;
+declare function isObjectObject(value: any): value is {
+    [key: string]: any;
+};
+declare function objectSome(obj: Record<string, any>): boolean;
+declare function pick<T extends Record<string, any>, K extends keyof T>(input: T, keys: K[] | ReadonlyArray<K>): Pick<T, K>;
 declare function createDebugLogger(printDebugLogs?: boolean): typeof console.error;
 declare function isErrnoException(value: unknown): value is NodeJS.ErrnoException;
 declare function stringJoinWithSeparateFinalSeparator(list: (string | undefined)[], separator?: string): string;
@@ -10,4 +17,4 @@ declare const ENV: Readonly<{
 declare const FREE_API_KEY = "sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api";
 declare function getDefaultKey(): string | undefined;
 declare function setupSdk(apiKey?: string | undefined, apiBaseUrl?: string | undefined, proxy?: string | undefined): Promise<SocketSdk>;
-export { createDebugLogger, isErrnoException, stringJoinWithSeparateFinalSeparator, API_V0_URL, ENV, FREE_API_KEY, getDefaultKey, setupSdk };
+export { hasOwn, isObject, isObjectObject, objectSome, pick, createDebugLogger, isErrnoException, stringJoinWithSeparateFinalSeparator, API_V0_URL, ENV, FREE_API_KEY, getDefaultKey, setupSdk };

package/dist/sdk.js

@@ -143,6 +143,42 @@ function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
   return values.join(', ') + separator + finalValue;
 }
 
+var objects = {};
+
+Object.defineProperty(objects, "__esModule", {
+  value: true
+});
+objects.hasOwn = hasOwn;
+objects.isObject = isObject;
+objects.isObjectObject = isObjectObject;
+objects.objectSome = objectSome;
+objects.pick = pick;
+function hasOwn(obj, propKey) {
+  if (obj === null || obj === undefined) return false;
+  return Object.hasOwn(obj, propKey);
+}
+function isObject(value) {
+  return value !== null && typeof value === 'object';
+}
+function isObjectObject(value) {
+  return value !== null && typeof value === 'object' && !Array.isArray(value);
+}
+function objectSome(obj) {
+  for (const key in obj) {
+    if (obj[key]) {
+      return true;
+    }
+  }
+  return false;
+}
+function pick(input, keys) {
+  const result = {};
+  for (const key of keys) {
+    result[key] = input[key];
+  }
+  return result;
+}
+
 var sdk = {};
 
 var settings$1 = {};
@@ -266,5 +302,6 @@ exports.chalkMarkdown = chalkMarkdown;
 exports.constants = constants;
 exports.errors = errors;
 exports.misc = misc;
+exports.objects = objects;
 exports.sdk = sdk;
 exports.settings = settings$1;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "0.14.14",
+  "version": "0.14.16",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli",
   "license": "MIT",
@@ -118,7 +118,6 @@
     "eslint-plugin-depend": "^0.11.0",
     "eslint-plugin-n": "^17.11.1",
     "eslint-plugin-unicorn": "^56.0.0",
-    "globby": "^14.0.2",
     "husky": "^9.1.6",
     "is-interactive": "^2.0.0",
     "is-unicode-supported": "^2.1.0",
@@ -161,9 +160,11 @@
     "indent-string": "npm:@socketregistry/indent-string@^1",
     "is-core-module": "npm:@socketregistry/is-core-module@^1",
     "isarray": "npm:@socketregistry/isarray@^1",
+    "npm-package-arg": "$npm-package-arg",
     "path-parse": "npm:@socketregistry/path-parse@^1",
     "safe-buffer": "npm:@socketregistry/safe-buffer@^1",
     "safer-buffer": "npm:@socketregistry/safer-buffer@^1",
+    "semver": "$semver",
     "set-function-length": "npm:@socketregistry/set-function-length@^1",
     "side-channel": "npm:@socketregistry/side-channel@^1"
   },
@@ -180,9 +181,11 @@
     "indent-string": "npm:@socketregistry/indent-string@^1",
     "is-core-module": "npm:@socketregistry/is-core-module@^1",
     "isarray": "npm:@socketregistry/isarray@^1",
+    "npm-package-arg": "^12.0.0",
     "path-parse": "npm:@socketregistry/path-parse@^1",
     "safe-buffer": "npm:@socketregistry/safe-buffer@^1",
     "safer-buffer": "npm:@socketregistry/safer-buffer@^1",
+    "semver": "^7.6.3",
     "set-function-length": "npm:@socketregistry/set-function-length@^1",
     "side-channel": "npm:@socketregistry/side-channel@^1"
   },