socket 0.14.18 → 0.14.19

package/README.md

@@ -27,6 +27,7 @@ socket wrapper --enable
   [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
 
   - `--pin` - Pin overrides to their latest version
+  - `--prod` - Only add overrides for production dependencies
 
 - `socket raw-npm` and `socket raw-npx` - Temporarily disable the Socket
   'safe-npm' wrapper.

package/dist/cli.js

@@ -1201,9 +1201,16 @@ const distPath$1 = __dirname;
 const manifestNpmOverrides = (0, _registry.getManifestData)('npm');
 const packumentCache = new Map();
 const getOverridesDataByAgent = {
+  bun(pkgJson) {
+    const overrides = pkgJson?.resolutions ?? {};
+    return {
+      type: 'yarn',
+      overrides
+    };
+  },
   // npm overrides documentation:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-  npm: pkgJson => {
+  npm(pkgJson) {
     const overrides = pkgJson?.overrides ?? {};
     return {
       type: 'npm',
@@ -1212,7 +1219,7 @@ const getOverridesDataByAgent = {
   },
   // pnpm overrides documentation:
   // https://pnpm.io/package_json#pnpmoverrides
-  pnpm: pkgJson => {
+  pnpm(pkgJson) {
     const overrides = pkgJson?.pnpm?.overrides ?? {};
     return {
       type: 'pnpm',
@@ -1221,7 +1228,7 @@ const getOverridesDataByAgent = {
   },
   // Yarn resolutions documentation:
   // https://yarnpkg.com/configuration/manifest#resolutions
-  yarn: pkgJson => {
+  yarn(pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
       type: 'yarn',
@@ -1229,23 +1236,8 @@ const getOverridesDataByAgent = {
     };
   }
 };
-const lockIncludesByAgent = {
-  npm: (lockSrc, name) => {
-    // Detects the package name in the following cases:
-    //   "name":
-    return lockSrc.includes(`"${name}":`);
-  },
-  pnpm: (lockSrc, name) => {
-    const escapedName = (0, _regexps.escapeRegExp)(name);
-    return new RegExp(
-    // Detects the package name in the following cases:
-    //   /name/
-    //   'name'
-    //   name:
-    //   name@
-    `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
-  },
-  yarn: (lockSrc, name) => {
+const lockIncludesByAgent = (() => {
+  const yarn = (lockSrc, name) => {
     const escapedName = (0, _regexps.escapeRegExp)(name);
     return new RegExp(
     // Detects the package name in the following cases:
@@ -1254,9 +1246,33 @@ const lockIncludesByAgent = {
     //   name@
     //   , name@
     `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
-  }
-};
+  };
+  return {
+    bun: yarn,
+    npm(lockSrc, name) {
+      // Detects the package name in the following cases:
+      //   "name":
+      return lockSrc.includes(`"${name}":`);
+    },
+    pnpm(lockSrc, name) {
+      const escapedName = (0, _regexps.escapeRegExp)(name);
+      return new RegExp(
+      // Detects the package name in the following cases:
+      //   /name/
+      //   'name'
+      //   name:
+      //   name@
+      `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
+    },
+    yarn
+  };
+})();
 const updateManifestByAgent = {
+  bun(pkgJson, overrides) {
+    pkgJson.update({
+      [RESOLUTIONS_FIELD_NAME]: overrides
+    });
+  },
   npm(pkgJson, overrides) {
     pkgJson.update({
       [OVERRIDES_FIELD_NAME]: overrides
@@ -1276,6 +1292,66 @@ const updateManifestByAgent = {
     });
   }
 };
+const lsByAgent = {
+  async bun(agentExecPath, cwd, _rootPath) {
+    try {
+      // Bun does not support filtering by production packages yet.
+      // https://github.com/oven-sh/bun/issues/8283
+      return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
+        cwd
+      })).stdout;
+    } catch {}
+    return '';
+  },
+  async npm(agentExecPath, cwd, rootPath) {
+    try {
+      let {
+        stdout
+      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--omit', 'dev', '--all'], {
+        cwd
+      });
+      stdout = stdout.replaceAll(cwd, '');
+      return rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
+    } catch {}
+    return '';
+  },
+  async pnpm(agentExecPath, cwd, rootPath) {
+    try {
+      let {
+        stdout
+      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+        cwd
+      });
+      stdout = stdout.replaceAll(cwd, '');
+      return rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
+    } catch {}
+    return '';
+  },
+  async yarn(agentExecPath, cwd, _rootPath) {
+    try {
+      return (
+        // Yarn Berry does not support filtering by production packages yet.
+        // https://github.com/yarnpkg/berry/issues/5117
+        (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
+          cwd
+        })).stdout
+      );
+    } catch {}
+    try {
+      // However, Yarn Classic does support it.
+      return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
+        cwd
+      })).stdout;
+    } catch {}
+    return '';
+  }
+};
+const depsIncludesByAgent = {
+  bun: (stdout, name) => stdout.includes(name),
+  npm: (stdout, name) => stdout.includes(name),
+  pnpm: (stdout, name) => stdout.includes(name),
+  yarn: (stdout, name) => stdout.includes(name)
+};
 function getDependencyEntries(pkgJson) {
   const {
     dependencies,
@@ -1334,12 +1410,13 @@ function workspaceToGlobPattern(workspace) {
 }
 async function addOverrides({
   agent,
-  lockIncludes,
+  agentExecPath,
   lockSrc,
   manifestEntries,
+  pin,
   pkgJson: editablePkgJson,
   pkgPath,
-  pin,
+  prod,
   rootPath
 }, state = {
   added: new Set(),
@@ -1350,6 +1427,9 @@ async function addOverrides({
   }
   const pkgJson = editablePkgJson.content;
   const isRoot = pkgPath === rootPath;
+  const isLockScanned = isRoot && !prod;
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, rootPath);
+  const thingScanner = isLockScanned ? lockIncludesByAgent[agent] : depsIncludesByAgent[agent];
   const depEntries = getDependencyEntries(pkgJson);
   const workspaces = await getWorkspaces(agent, pkgPath, pkgJson);
   const isWorkspace = !!workspaces;
@@ -1379,12 +1459,12 @@ async function addOverrides({
         let thisVersion = version;
         // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
         // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
-        const specStartsWith = `npm:${regPkgName}@`;
-        const existingVersion = pkgSpec.startsWith(specStartsWith) ? _semver.coerce(_npmPackageArg(pkgSpec).rawSpec)?.version ?? '' : '';
+        const regSpecStartsLike = `npm:${regPkgName}@`;
+        const existingVersion = pkgSpec.startsWith(regSpecStartsLike) ? _semver.coerce(_npmPackageArg(pkgSpec).rawSpec)?.version ?? '' : '';
         if (existingVersion) {
           thisVersion = existingVersion;
         } else {
-          pkgSpec = `${specStartsWith}^${version}`;
+          pkgSpec = `${regSpecStartsLike}^${version}`;
           depObj[origPkgName] = pkgSpec;
           state.added.add(regPkgName);
         }
@@ -1394,19 +1474,17 @@ async function addOverrides({
         });
       }
     }
-    if (!isRoot) {
-      return;
-    }
     // Chunk package names to process them in parallel 3 at a time.
     await (0, _promises2.pEach)(overridesDataObjects, 3, async ({
       overrides,
       type
     }) => {
       const overrideExists = (0, _objects.hasOwn)(overrides, origPkgName);
-      if (overrideExists || lockIncludes(lockSrc, origPkgName)) {
+      if (overrideExists || thingScanner(thingToScan, origPkgName)) {
         const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
         const depAlias = depAliasMap.get(origPkgName);
-        let newSpec = `npm:${regPkgName}@^${pin ? version : major}`;
+        const regSpecStartsLike = `npm:${regPkgName}@`;
+        let newSpec = `${regSpecStartsLike}^${pin ? version : major}`;
         let thisVersion = version;
         if (depAlias && type === 'npm') {
           // With npm one may not set an override for a package that one directly
@@ -1417,13 +1495,16 @@ async function addOverrides({
           // of with a $.
           // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
           newSpec = `$${origPkgName}`;
-        } else if (overrideExists && pin) {
+        } else if (overrideExists) {
           const thisSpec = oldSpec.startsWith('$') ? depAlias?.id ?? newSpec : oldSpec ?? newSpec;
-          thisVersion = _semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version;
-          if (_semver.major(thisVersion) !== major) {
-            thisVersion = (await fetchPackageManifest(thisSpec))?.version ?? version;
+          if (thisSpec.startsWith(regSpecStartsLike)) {
+            if (pin) {
+              thisVersion = _semver.major(_semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version) === major ? version : (await fetchPackageManifest(thisSpec))?.version ?? version;
+            }
+            newSpec = `${regSpecStartsLike}^${pin ? thisVersion : _semver.major(thisVersion)}`;
+          } else {
+            newSpec = oldSpec;
           }
-          newSpec = `npm:${regPkgName}@^${pin ? thisVersion : _semver.major(thisVersion)}`;
         }
         if (newSpec !== oldSpec) {
           if (overrideExists) {
@@ -1448,11 +1529,12 @@ async function addOverrides({
         updated
       } = await addOverrides({
         agent,
+        agentExecPath,
         lockSrc,
-        lockIncludes,
         manifestEntries,
         pin,
         pkgPath: _nodePath$2.dirname(wsPkgJsonPath),
+        prod,
         rootPath
       });
       for (const regPkgName of added) {
@@ -1507,7 +1589,8 @@ const optimize = optimize$1.optimize = {
       return;
     }
     const {
-      pin
+      pin,
+      prod
     } = commandContext;
     const cwd = process.cwd();
     const {
@@ -1546,19 +1629,19 @@ const optimize = optimize$1.optimize = {
       updated: new Set()
     };
     if (lockSrc) {
-      const lockIncludes = agent === 'bun' ? lockIncludesByAgent.yarn : lockIncludesByAgent[agent];
       const nodeRange = `>=${minimumNodeVersion}`;
       const manifestEntries = manifestNpmOverrides.filter(({
         1: data
       }) => _semver.satisfies(_semver.coerce(data.engines.node), nodeRange));
       await addOverrides({
-        agent: agent === 'bun' ? 'yarn' : agent,
-        lockIncludes,
+        agent,
+        agentExecPath,
         lockSrc,
         manifestEntries,
         pin,
         pkgJson,
         pkgPath,
+        prod,
         rootPath: pkgPath
       }, state);
     }
@@ -1613,6 +1696,11 @@ function setupCommand$l(name, description, argv, importMeta) {
       type: 'boolean',
       default: false,
       description: 'Pin overrides to their latest version'
+    },
+    prod: {
+      type: 'boolean',
+      default: false,
+      description: 'Only add overrides for production dependencies'
     }
   };
   const cli = (0, _meow$m.default)(`
@@ -1632,14 +1720,16 @@ function setupCommand$l(name, description, argv, importMeta) {
   });
   const {
     help,
-    pin
+    pin,
+    prod
   } = cli.flags;
   if (help) {
     cli.showHelp();
     return;
   }
   return {
-    pin
+    pin,
+    prod
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "0.14.18",
+  "version": "0.14.19",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli",
   "license": "MIT",