npm - socket - Versions diffs - 0.14.17 → 0.14.19 - Mend

socket 0.14.17 → 0.14.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -27,6 +27,7 @@ socket wrapper --enable
   [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
   - `--pin` - Pin overrides to their latest version
+  - `--prod` - Only add overrides for production dependencies
 - `socket raw-npm` and `socket raw-npx` - Temporarily disable the Socket
   'safe-npm' wrapper.

package/dist/cli.js CHANGED Viewed

@@ -1201,9 +1201,16 @@ const distPath$1 = __dirname;
 const manifestNpmOverrides = (0, _registry.getManifestData)('npm');
 const packumentCache = new Map();
 const getOverridesDataByAgent = {
+  bun(pkgJson) {
+    const overrides = pkgJson?.resolutions ?? {};
+    return {
+      type: 'yarn',
+      overrides
+    };
+  },
   // npm overrides documentation:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-  npm: pkgJson => {
+  npm(pkgJson) {
     const overrides = pkgJson?.overrides ?? {};
     return {
       type: 'npm',
@@ -1212,7 +1219,7 @@ const getOverridesDataByAgent = {
   },
   // pnpm overrides documentation:
   // https://pnpm.io/package_json#pnpmoverrides
-  pnpm: pkgJson => {
+  pnpm(pkgJson) {
     const overrides = pkgJson?.pnpm?.overrides ?? {};
     return {
       type: 'pnpm',
@@ -1221,7 +1228,7 @@ const getOverridesDataByAgent = {
   },
   // Yarn resolutions documentation:
   // https://yarnpkg.com/configuration/manifest#resolutions
-  yarn: pkgJson => {
+  yarn(pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
       type: 'yarn',
@@ -1229,23 +1236,8 @@ const getOverridesDataByAgent = {
     };
   }
 };
-const lockIncludesByAgent = {
-  npm: (lockSrc, name) => {
-    // Detects the package name in the following cases:
-    //   "name":
-    return lockSrc.includes(`"${name}":`);
-  },
-  pnpm: (lockSrc, name) => {
-    const escapedName = (0, _regexps.escapeRegExp)(name);
-    return new RegExp(
-    // Detects the package name in the following cases:
-    //   /name/
-    //   'name'
-    //   name:
-    //   name@
-    `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
-  },
-  yarn: (lockSrc, name) => {
+const lockIncludesByAgent = (() => {
+  const yarn = (lockSrc, name) => {
     const escapedName = (0, _regexps.escapeRegExp)(name);
     return new RegExp(
     // Detects the package name in the following cases:
@@ -1254,9 +1246,33 @@ const lockIncludesByAgent = {
     //   name@
     //   , name@
     `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
-  }
-};
+  };
+  return {
+    bun: yarn,
+    npm(lockSrc, name) {
+      // Detects the package name in the following cases:
+      //   "name":
+      return lockSrc.includes(`"${name}":`);
+    },
+    pnpm(lockSrc, name) {
+      const escapedName = (0, _regexps.escapeRegExp)(name);
+      return new RegExp(
+      // Detects the package name in the following cases:
+      //   /name/
+      //   'name'
+      //   name:
+      //   name@
+      `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
+    },
+    yarn
+  };
+})();
 const updateManifestByAgent = {
+  bun(pkgJson, overrides) {
+    pkgJson.update({
+      [RESOLUTIONS_FIELD_NAME]: overrides
+    });
+  },
   npm(pkgJson, overrides) {
     pkgJson.update({
       [OVERRIDES_FIELD_NAME]: overrides
@@ -1276,6 +1292,66 @@ const updateManifestByAgent = {
     });
   }
 };
+const lsByAgent = {
+  async bun(agentExecPath, cwd, _rootPath) {
+    try {
+      // Bun does not support filtering by production packages yet.
+      // https://github.com/oven-sh/bun/issues/8283
+      return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
+        cwd
+      })).stdout;
+    } catch {}
+    return '';
+  },
+  async npm(agentExecPath, cwd, rootPath) {
+    try {
+      let {
+        stdout
+      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--omit', 'dev', '--all'], {
+        cwd
+      });
+      stdout = stdout.replaceAll(cwd, '');
+      return rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
+    } catch {}
+    return '';
+  },
+  async pnpm(agentExecPath, cwd, rootPath) {
+    try {
+      let {
+        stdout
+      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+        cwd
+      });
+      stdout = stdout.replaceAll(cwd, '');
+      return rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
+    } catch {}
+    return '';
+  },
+  async yarn(agentExecPath, cwd, _rootPath) {
+    try {
+      return (
+        // Yarn Berry does not support filtering by production packages yet.
+        // https://github.com/yarnpkg/berry/issues/5117
+        (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
+          cwd
+        })).stdout
+      );
+    } catch {}
+    try {
+      // However, Yarn Classic does support it.
+      return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
+        cwd
+      })).stdout;
+    } catch {}
+    return '';
+  }
+};
+const depsIncludesByAgent = {
+  bun: (stdout, name) => stdout.includes(name),
+  npm: (stdout, name) => stdout.includes(name),
+  pnpm: (stdout, name) => stdout.includes(name),
+  yarn: (stdout, name) => stdout.includes(name)
+};
 function getDependencyEntries(pkgJson) {
   const {
     dependencies,
@@ -1334,12 +1410,13 @@ function workspaceToGlobPattern(workspace) {
 }
 async function addOverrides({
   agent,
-  lockIncludes,
+  agentExecPath,
   lockSrc,
   manifestEntries,
+  pin,
   pkgJson: editablePkgJson,
   pkgPath,
-  pin,
+  prod,
   rootPath
 }, state = {
   added: new Set(),
@@ -1350,6 +1427,9 @@ async function addOverrides({
   }
   const pkgJson = editablePkgJson.content;
   const isRoot = pkgPath === rootPath;
+  const isLockScanned = isRoot && !prod;
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, rootPath);
+  const thingScanner = isLockScanned ? lockIncludesByAgent[agent] : depsIncludesByAgent[agent];
   const depEntries = getDependencyEntries(pkgJson);
   const workspaces = await getWorkspaces(agent, pkgPath, pkgJson);
   const isWorkspace = !!workspaces;
@@ -1370,6 +1450,7 @@ async function addOverrides({
       package: origPkgName,
       version
     } = data;
+    const major = _semver.major(version);
     for (const {
       1: depObj
     } of depEntries) {
@@ -1378,12 +1459,12 @@ async function addOverrides({
         let thisVersion = version;
         // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
         // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
-        const specStartsWith = `npm:${regPkgName}@`;
-        const existingVersion = pkgSpec.startsWith(specStartsWith) ? _semver.coerce(_npmPackageArg(pkgSpec).rawSpec)?.version ?? '' : '';
+        const regSpecStartsLike = `npm:${regPkgName}@`;
+        const existingVersion = pkgSpec.startsWith(regSpecStartsLike) ? _semver.coerce(_npmPackageArg(pkgSpec).rawSpec)?.version ?? '' : '';
         if (existingVersion) {
           thisVersion = existingVersion;
         } else {
-          pkgSpec = `${specStartsWith}^${version}`;
+          pkgSpec = `${regSpecStartsLike}^${version}`;
           depObj[origPkgName] = pkgSpec;
           state.added.add(regPkgName);
         }
@@ -1393,27 +1474,38 @@ async function addOverrides({
         });
       }
     }
-    if (!isRoot) {
-      return;
-    }
     // Chunk package names to process them in parallel 3 at a time.
     await (0, _promises2.pEach)(overridesDataObjects, 3, async ({
       overrides,
       type
     }) => {
       const overrideExists = (0, _objects.hasOwn)(overrides, origPkgName);
-      if (overrideExists || lockIncludes(lockSrc, origPkgName)) {
-        // With npm one may not set an override for a package that one directly
-        // depends on unless both the dependency and the override itself share
-        // the exact same spec. To make this limitation easier to deal with,
-        // overrides may also be defined as a reference to a spec for a direct
-        // dependency by prefixing the name of the package to match the version
-        // of with a $.
-        // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
-        const oldSpec = overrides[origPkgName];
+      if (overrideExists || thingScanner(thingToScan, origPkgName)) {
+        const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
         const depAlias = depAliasMap.get(origPkgName);
-        const thisVersion = overrideExists && (0, _strings.isNonEmptyString)(oldSpec) ? (await fetchPackageManifest(oldSpec.startsWith('$') ? depAlias?.id ?? oldSpec : oldSpec))?.version ?? version : version;
-        const newSpec = depAlias && type === 'npm' ? `$${origPkgName}` : `npm:${regPkgName}@^${pin ? thisVersion : _semver.major(thisVersion)}`;
+        const regSpecStartsLike = `npm:${regPkgName}@`;
+        let newSpec = `${regSpecStartsLike}^${pin ? version : major}`;
+        let thisVersion = version;
+        if (depAlias && type === 'npm') {
+          // With npm one may not set an override for a package that one directly
+          // depends on unless both the dependency and the override itself share
+          // the exact same spec. To make this limitation easier to deal with,
+          // overrides may also be defined as a reference to a spec for a direct
+          // dependency by prefixing the name of the package to match the version
+          // of with a $.
+          // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
+          newSpec = `$${origPkgName}`;
+        } else if (overrideExists) {
+          const thisSpec = oldSpec.startsWith('$') ? depAlias?.id ?? newSpec : oldSpec ?? newSpec;
+          if (thisSpec.startsWith(regSpecStartsLike)) {
+            if (pin) {
+              thisVersion = _semver.major(_semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version) === major ? version : (await fetchPackageManifest(thisSpec))?.version ?? version;
+            }
+            newSpec = `${regSpecStartsLike}^${pin ? thisVersion : _semver.major(thisVersion)}`;
+          } else {
+            newSpec = oldSpec;
+          }
+        }
         if (newSpec !== oldSpec) {
           if (overrideExists) {
             state.updated.add(regPkgName);
@@ -1437,11 +1529,12 @@ async function addOverrides({
         updated
       } = await addOverrides({
         agent,
+        agentExecPath,
         lockSrc,
-        lockIncludes,
         manifestEntries,
         pin,
         pkgPath: _nodePath$2.dirname(wsPkgJsonPath),
+        prod,
         rootPath
       });
       for (const regPkgName of added) {
@@ -1496,7 +1589,8 @@ const optimize = optimize$1.optimize = {
       return;
     }
     const {
-      pin
+      pin,
+      prod
     } = commandContext;
     const cwd = process.cwd();
     const {
@@ -1535,23 +1629,23 @@ const optimize = optimize$1.optimize = {
       updated: new Set()
     };
     if (lockSrc) {
-      const lockIncludes = agent === 'bun' ? lockIncludesByAgent.yarn : lockIncludesByAgent[agent];
       const nodeRange = `>=${minimumNodeVersion}`;
       const manifestEntries = manifestNpmOverrides.filter(({
         1: data
       }) => _semver.satisfies(_semver.coerce(data.engines.node), nodeRange));
       await addOverrides({
-        agent: agent === 'bun' ? 'yarn' : agent,
-        lockIncludes,
+        agent,
+        agentExecPath,
         lockSrc,
         manifestEntries,
         pin,
         pkgJson,
         pkgPath,
+        prod,
         rootPath: pkgPath
       }, state);
     }
-    const pkgJsonChanged = state.updated.size > 0 || state.updated.size > 0;
+    const pkgJsonChanged = state.added.size > 0 || state.updated.size > 0;
     if (state.updated.size > 0) {
       console.log(`Updated ${state.updated.size} Socket.dev optimized overrides ${state.added.size ? '.' : '🚀'}`);
     }
@@ -1602,6 +1696,11 @@ function setupCommand$l(name, description, argv, importMeta) {
       type: 'boolean',
       default: false,
       description: 'Pin overrides to their latest version'
+    },
+    prod: {
+      type: 'boolean',
+      default: false,
+      description: 'Only add overrides for production dependencies'
     }
   };
   const cli = (0, _meow$m.default)(`
@@ -1621,14 +1720,16 @@ function setupCommand$l(name, description, argv, importMeta) {
   });
   const {
     help,
-    pin
+    pin,
+    prod
   } = cli.flags;
   if (help) {
     cli.showHelp();
     return;
   }
   return {
-    pin
+    pin,
+    prod
   };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "0.14.17",
+  "version": "0.14.19",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli",
   "license": "MIT",