socket 0.14.18 → 0.14.20

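--- a/package/README.md
+++ b/package/README.md
@@ -27,6 +27,7 @@ socket wrapper --enable
 [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
 
 - `--pin` - Pin overrides to their latest version
+- `--prod` - Only add overrides for production dependencies
 
 - `socket raw-npm` and `socket raw-npx` - Temporarily disable the Socket
 'safe-npm' wrapper.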
package/dist/cli.js CHANGED
@@ -14,7 +14,7 @@ var require$$1$4 = require('node:fs/promises');
14
14
  var require$$1$3 = require('@npmcli/package-json');
15
15
  var require$$5$1 = require('@socketsecurity/registry');
16
16
  var require$$7 = require('npm-package-arg');
17
- var require$$9 = require('pacote');
17
+ var require$$0$1 = require('pacote');
18
18
  var require$$3 = require('semver');
19
19
  var require$$11 = require('tinyglobby');
20
20
  var require$$12 = require('yaml');
@@ -26,12 +26,12 @@ var require$$3$1 = require('@socketsecurity/config');
26
26
  var pathResolve = require('./path-resolve.js');
27
27
  var require$$2$2 = require('node:os');
28
28
  var require$$3$2 = require('node:readline');
29
- var require$$0$1 = require('node:process');
29
+ var require$$0$2 = require('node:process');
30
30
  var require$$2$3 = require('node:readline/promises');
31
31
  var require$$2$4 = require('chalk-table');
32
32
  var require$$2$5 = require('blessed');
33
33
  var require$$3$3 = require('blessed-contrib');
34
- var require$$0$2 = require('node:util');
34
+ var require$$0$3 = require('node:util');
35
35
 
36
36
  var cli$1 = {};
37
37
 
@@ -285,7 +285,7 @@ apiHelpers.queryAPI = queryAPI;
285
285
  var _chalk$i = _interopRequireDefault$r(vendor.source);
286
286
  var _ponyCause$4 = require$$6;
287
287
  var _errors$l = sdk.errors;
288
- var _constants = sdk.constants;
288
+ var _constants$1 = sdk.constants;
289
289
  function handleUnsuccessfulApiResponse(_name, result, spinner) {
290
290
  const resultError = 'error' in result && result.error && typeof result.error === 'object' ? result.error : {};
291
291
  const message = 'message' in resultError && typeof resultError.message === 'string' ? resultError.message : 'No error message returned';
@@ -315,7 +315,7 @@ async function handleAPIError(code) {
315
315
  }
316
316
  }
317
317
  async function queryAPI(path, apiKey) {
318
- return await fetch(`${_constants.API_V0_URL}/${path}`, {
318
+ return await fetch(`${_constants$1.API_V0_URL}/${path}`, {
319
319
  method: 'GET',
320
320
  headers: {
321
321
  Authorization: 'Basic ' + btoa(`${apiKey}:${apiKey}`)
@@ -915,7 +915,7 @@ var _which = require$$6$1;
915
915
  var _fs$1 = fs;
916
916
  var _objects$1 = sdk.objects;
917
917
  var _strings$1 = strings;
918
- const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn'];
918
+ const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn/berry', 'yarn/classic'];
919
919
  const numericCollator = new Intl.Collator(undefined, {
920
920
  numeric: true,
921
921
  sensitivity: 'base'
@@ -952,7 +952,7 @@ const LOCKS = {
952
952
  'bun.lockb': 'bun',
953
953
  'pnpm-lock.yaml': 'pnpm',
954
954
  'pnpm-lock.yml': 'pnpm',
955
- 'yarn.lock': 'yarn',
955
+ 'yarn.lock': 'yarn/classic',
956
956
  // If both package-lock.json and npm-shrinkwrap.json are present in the root
957
957
  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
958
958
  // will be ignored.
@@ -988,11 +988,12 @@ const readLockFileByAgent = (() => {
988
988
  } catch {}
989
989
  // To print a Yarn lockfile to your console without writing it to disk use `bun bun.lockb`.
990
990
  // https://bun.sh/guides/install/yarnlock
991
- return (await _promiseSpawn$3(agentExecPath, [lockPath])).stdout;
991
+ return (await _promiseSpawn$3(agentExecPath, [lockPath])).stdout.trim();
992
992
  }),
993
993
  npm: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
994
994
  pnpm: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
995
- yarn: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath))
995
+ 'yarn/berry': wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
996
+ 'yarn/classic': wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath))
996
997
  };
997
998
  })();
998
999
  async function detect({
@@ -1007,10 +1008,11 @@ async function detect({
1007
1008
  cwd
1008
1009
  });
1009
1010
  const pkgPath = (0, _fs$1.existsSync)(pkgJsonPath) ? _nodePath$3.dirname(pkgJsonPath) : undefined;
1010
- const pkgJson = pkgPath ? await _packageJson$1.load(pkgPath) : undefined;
1011
+ const editablePkgJson = pkgPath ? await _packageJson$1.load(pkgPath) : undefined;
1012
+ const pkgJson = editablePkgJson?.content;
1011
1013
  // Read Corepack `packageManager` field in package.json:
1012
1014
  // https://nodejs.org/api/packages.html#packagemanager
1013
- const pkgManager = (0, _strings$1.isNonEmptyString)(pkgJson?.content?.packageManager) ? pkgJson.content.packageManager : undefined;
1015
+ const pkgManager = (0, _strings$1.isNonEmptyString)(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
1014
1016
  let agent;
1015
1017
  let agentVersion;
1016
1018
  if (pkgManager) {
@@ -1020,7 +1022,7 @@ async function detect({
1020
1022
  const version = pkgManager.slice(atSignIndex + 1);
1021
1023
  if (version && AGENTS.includes(name)) {
1022
1024
  agent = name;
1023
- agentVersion = version;
1025
+ agentVersion = _semver$1.coerce(version) ?? undefined;
1024
1026
  }
1025
1027
  }
1026
1028
  }
@@ -1034,6 +1036,18 @@ async function detect({
1034
1036
  const agentExecPath = (await _which(agent, {
1035
1037
  nothrow: true
1036
1038
  })) ?? agent;
1039
+ if (agentVersion === undefined) {
1040
+ try {
1041
+ agentVersion = _semver$1.coerce(
1042
+ // All package managers support the "--version" flag.
1043
+ (await _promiseSpawn$3(agentExecPath, ['--version'], {
1044
+ cwd
1045
+ })).stdout) ?? undefined;
1046
+ } catch {}
1047
+ }
1048
+ if (agent === 'yarn/classic' && (agentVersion?.major ?? 0) > 1) {
1049
+ agent = 'yarn/berry';
1050
+ }
1037
1051
  const targets = {
1038
1052
  browser: false,
1039
1053
  node: true
@@ -1041,18 +1055,18 @@ async function detect({
1041
1055
  let lockSrc;
1042
1056
  let minimumNodeVersion = maintainedNodeVersions.previous;
1043
1057
  if (pkgJson) {
1044
- const browserField = pkgJson.content.browser;
1058
+ const browserField = pkgJson.browser;
1045
1059
  if ((0, _strings$1.isNonEmptyString)(browserField) || (0, _objects$1.isObjectObject)(browserField)) {
1046
1060
  targets.browser = true;
1047
1061
  }
1048
- const nodeRange = pkgJson.content.engines?.['node'];
1062
+ const nodeRange = pkgJson.engines?.['node'];
1049
1063
  if ((0, _strings$1.isNonEmptyString)(nodeRange)) {
1050
1064
  const coerced = _semver$1.coerce(nodeRange);
1051
1065
  if (coerced && _semver$1.lt(coerced, minimumNodeVersion)) {
1052
1066
  minimumNodeVersion = coerced.version;
1053
1067
  }
1054
1068
  }
1055
- const browserslistQuery = pkgJson.content['browserslist'];
1069
+ const browserslistQuery = pkgJson['browserslist'];
1056
1070
  if (Array.isArray(browserslistQuery)) {
1057
1071
  const browserslistTargets = _browserslist(browserslistQuery).map(s => s.toLowerCase()).toSorted(alphaNumericComparator);
1058
1072
  const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
@@ -1078,7 +1092,7 @@ async function detect({
1078
1092
  lockPath,
1079
1093
  lockSrc,
1080
1094
  minimumNodeVersion,
1081
- pkgJson,
1095
+ pkgJson: editablePkgJson,
1082
1096
  pkgPath,
1083
1097
  supported: targets.browser || targets.node,
1084
1098
  targets
@@ -1180,10 +1194,11 @@ var _registry = require$$5$1;
1180
1194
  var _meow$m = _interopRequireDefault$n(vendor.build);
1181
1195
  var _npmPackageArg = require$$7;
1182
1196
  var _ora$i = _interopRequireDefault$n(vendor.ora);
1183
- var _pacote = require$$9;
1197
+ var _pacote = require$$0$1;
1184
1198
  var _semver = require$$3;
1185
1199
  var _tinyglobby = require$$11;
1186
1200
  var _yaml = require$$12;
1201
+ var _constants = sdk.constants;
1187
1202
  var _flags$j = flags$1;
1188
1203
  var _formatting$k = formatting;
1189
1204
  var _fs = fs;
@@ -1193,17 +1208,27 @@ var _promises2 = promises;
1193
1208
  var _regexps = regexps;
1194
1209
  var _sorts$1 = sorts;
1195
1210
  var _strings = strings;
1211
+ //import cacache from 'cacache'
1212
+
1213
+ //import { packumentCache, pacoteCachePath } from '../constants'
1214
+
1196
1215
  const COMMAND_TITLE = 'Socket Optimize';
1197
1216
  const OVERRIDES_FIELD_NAME = 'overrides';
1198
1217
  const PNPM_WORKSPACE = 'pnpm-workspace';
1199
1218
  const RESOLUTIONS_FIELD_NAME = 'resolutions';
1200
1219
  const distPath$1 = __dirname;
1201
1220
  const manifestNpmOverrides = (0, _registry.getManifestData)('npm');
1202
- const packumentCache = new Map();
1203
1221
  const getOverridesDataByAgent = {
1222
+ bun(pkgJson) {
1223
+ const overrides = pkgJson?.resolutions ?? {};
1224
+ return {
1225
+ type: 'yarn/berry',
1226
+ overrides
1227
+ };
1228
+ },
1204
1229
  // npm overrides documentation:
1205
1230
  // https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
1206
- npm: pkgJson => {
1231
+ npm(pkgJson) {
1207
1232
  const overrides = pkgJson?.overrides ?? {};
1208
1233
  return {
1209
1234
  type: 'npm',
@@ -1212,7 +1237,7 @@ const getOverridesDataByAgent = {
1212
1237
  },
1213
1238
  // pnpm overrides documentation:
1214
1239
  // https://pnpm.io/package_json#pnpmoverrides
1215
- pnpm: pkgJson => {
1240
+ pnpm(pkgJson) {
1216
1241
  const overrides = pkgJson?.pnpm?.overrides ?? {};
1217
1242
  return {
1218
1243
  type: 'pnpm',
@@ -1221,31 +1246,25 @@ const getOverridesDataByAgent = {
1221
1246
  },
1222
1247
  // Yarn resolutions documentation:
1223
1248
  // https://yarnpkg.com/configuration/manifest#resolutions
1224
- yarn: pkgJson => {
1249
+ 'yarn/berry'(pkgJson) {
1225
1250
  const overrides = pkgJson?.resolutions ?? {};
1226
1251
  return {
1227
- type: 'yarn',
1252
+ type: 'yarn/berry',
1253
+ overrides
1254
+ };
1255
+ },
1256
+ // Yarn resolutions documentation:
1257
+ // https://classic.yarnpkg.com/en/docs/selective-version-resolutions
1258
+ 'yarn/classic'(pkgJson) {
1259
+ const overrides = pkgJson?.resolutions ?? {};
1260
+ return {
1261
+ type: 'yarn/classic',
1228
1262
  overrides
1229
1263
  };
1230
1264
  }
1231
1265
  };
1232
- const lockIncludesByAgent = {
1233
- npm: (lockSrc, name) => {
1234
- // Detects the package name in the following cases:
1235
- // "name":
1236
- return lockSrc.includes(`"${name}":`);
1237
- },
1238
- pnpm: (lockSrc, name) => {
1239
- const escapedName = (0, _regexps.escapeRegExp)(name);
1240
- return new RegExp(
1241
- // Detects the package name in the following cases:
1242
- // /name/
1243
- // 'name'
1244
- // name:
1245
- // name@
1246
- `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
1247
- },
1248
- yarn: (lockSrc, name) => {
1266
+ const lockIncludesByAgent = (() => {
1267
+ const yarn = (lockSrc, name) => {
1249
1268
  const escapedName = (0, _regexps.escapeRegExp)(name);
1250
1269
  return new RegExp(
1251
1270
  // Detects the package name in the following cases:
@@ -1254,9 +1273,34 @@ const lockIncludesByAgent = {
1254
1273
  // name@
1255
1274
  // , name@
1256
1275
  `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
1257
- }
1258
- };
1276
+ };
1277
+ return {
1278
+ bun: yarn,
1279
+ npm(lockSrc, name) {
1280
+ // Detects the package name in the following cases:
1281
+ // "name":
1282
+ return lockSrc.includes(`"${name}":`);
1283
+ },
1284
+ pnpm(lockSrc, name) {
1285
+ const escapedName = (0, _regexps.escapeRegExp)(name);
1286
+ return new RegExp(
1287
+ // Detects the package name in the following cases:
1288
+ // /name/
1289
+ // 'name'
1290
+ // name:
1291
+ // name@
1292
+ `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
1293
+ },
1294
+ 'yarn/berry': yarn,
1295
+ 'yarn/classic': yarn
1296
+ };
1297
+ })();
1259
1298
  const updateManifestByAgent = {
1299
+ bun(pkgJson, overrides) {
1300
+ pkgJson.update({
1301
+ [RESOLUTIONS_FIELD_NAME]: overrides
1302
+ });
1303
+ },
1260
1304
  npm(pkgJson, overrides) {
1261
1305
  pkgJson.update({
1262
1306
  [OVERRIDES_FIELD_NAME]: overrides
@@ -1270,12 +1314,88 @@ const updateManifestByAgent = {
1270
1314
  }
1271
1315
  });
1272
1316
  },
1273
- yarn(pkgJson, overrides) {
1317
+ 'yarn/berry'(pkgJson, overrides) {
1318
+ pkgJson.update({
1319
+ [RESOLUTIONS_FIELD_NAME]: overrides
1320
+ });
1321
+ },
1322
+ 'yarn/classic'(pkgJson, overrides) {
1274
1323
  pkgJson.update({
1275
1324
  [RESOLUTIONS_FIELD_NAME]: overrides
1276
1325
  });
1277
1326
  }
1278
1327
  };
1328
+ const lsByAgent = {
1329
+ async bun(agentExecPath, cwd, _rootPath) {
1330
+ try {
1331
+ // Bun does not support filtering by production packages yet.
1332
+ // https://github.com/oven-sh/bun/issues/8283
1333
+ return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
1334
+ cwd
1335
+ })).stdout;
1336
+ } catch {}
1337
+ return '';
1338
+ },
1339
+ async npm(agentExecPath, cwd, rootPath) {
1340
+ try {
1341
+ let {
1342
+ stdout
1343
+ } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--omit', 'dev', '--all'], {
1344
+ cwd
1345
+ });
1346
+ stdout = stdout.trim();
1347
+ stdout = stdout.replaceAll(cwd, '');
1348
+ stdout = rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
1349
+ return stdout.replaceAll('\\', '/');
1350
+ } catch {}
1351
+ return '';
1352
+ },
1353
+ async pnpm(agentExecPath, cwd, rootPath) {
1354
+ try {
1355
+ let {
1356
+ stdout
1357
+ } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
1358
+ cwd
1359
+ });
1360
+ stdout = stdout.trim();
1361
+ stdout = stdout.replaceAll(cwd, '');
1362
+ stdout = rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
1363
+ return stdout.replaceAll('\\', '/');
1364
+ } catch {}
1365
+ return '';
1366
+ },
1367
+ async 'yarn/berry'(agentExecPath, cwd, _rootPath) {
1368
+ try {
1369
+ return (
1370
+ // Yarn Berry does not support filtering by production packages yet.
1371
+ // https://github.com/yarnpkg/berry/issues/5117
1372
+ (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
1373
+ cwd
1374
+ })).stdout.trim()
1375
+ );
1376
+ } catch {}
1377
+ return '';
1378
+ },
1379
+ async 'yarn/classic'(agentExecPath, cwd, _rootPath) {
1380
+ try {
1381
+ // However, Yarn Classic does support it.
1382
+ // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
1383
+ // > Fix: Excludes dev dependencies from the yarn list output when the
1384
+ // environment is production
1385
+ return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
1386
+ cwd
1387
+ })).stdout.trim();
1388
+ } catch {}
1389
+ return '';
1390
+ }
1391
+ };
1392
+ const depsIncludesByAgent = {
1393
+ bun: (stdout, name) => stdout.includes(` ${name}@`),
1394
+ npm: (stdout, name) => stdout.includes(`/${name}\n`),
1395
+ pnpm: (stdout, name) => stdout.includes(`/${name}\n`),
1396
+ 'yarn/berry': (stdout, name) => stdout.includes(` ${name}@`),
1397
+ 'yarn/classic': (stdout, name) => stdout.includes(` ${name}@`)
1398
+ };
1279
1399
  function getDependencyEntries(pkgJson) {
1280
1400
  const {
1281
1401
  dependencies,
@@ -1334,22 +1454,30 @@ function workspaceToGlobPattern(workspace) {
1334
1454
  }
1335
1455
  async function addOverrides({
1336
1456
  agent,
1337
- lockIncludes,
1457
+ agentExecPath,
1338
1458
  lockSrc,
1339
1459
  manifestEntries,
1460
+ pin,
1340
1461
  pkgJson: editablePkgJson,
1341
1462
  pkgPath,
1342
- pin,
1463
+ prod,
1343
1464
  rootPath
1344
1465
  }, state = {
1345
1466
  added: new Set(),
1467
+ spinner: undefined,
1346
1468
  updated: new Set()
1347
1469
  }) {
1348
1470
  if (editablePkgJson === undefined) {
1349
1471
  editablePkgJson = await _packageJson.load(pkgPath);
1350
1472
  }
1473
+ const {
1474
+ spinner
1475
+ } = state;
1351
1476
  const pkgJson = editablePkgJson.content;
1352
1477
  const isRoot = pkgPath === rootPath;
1478
+ const isLockScanned = isRoot && !prod;
1479
+ const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, rootPath);
1480
+ const thingScanner = isLockScanned ? lockIncludesByAgent[agent] : depsIncludesByAgent[agent];
1353
1481
  const depEntries = getDependencyEntries(pkgJson);
1354
1482
  const workspaces = await getWorkspaces(agent, pkgPath, pkgJson);
1355
1483
  const isWorkspace = !!workspaces;
@@ -1357,9 +1485,11 @@ async function addOverrides({
1357
1485
  if (pkgJson['private'] || isWorkspace) {
1358
1486
  overridesDataObjects.push(getOverridesDataByAgent[agent](pkgJson));
1359
1487
  } else {
1360
- overridesDataObjects.push(getOverridesDataByAgent['npm'](pkgJson), getOverridesDataByAgent['yarn'](pkgJson));
1488
+ overridesDataObjects.push(getOverridesDataByAgent['npm'](pkgJson), getOverridesDataByAgent['yarn/classic'](pkgJson));
1489
+ }
1490
+ if (spinner) {
1491
+ spinner.text = `Adding overrides${isRoot ? '' : ` to ${_nodePath$2.relative(rootPath, pkgPath)}`}...`;
1361
1492
  }
1362
- const spinner = isRoot ? (0, _ora$i.default)('Fetching override manifests...').start() : undefined;
1363
1493
  const depAliasMap = new Map();
1364
1494
  // Chunk package names to process them in parallel 3 at a time.
1365
1495
  await (0, _promises2.pEach)(manifestEntries, 3, async ({
@@ -1379,12 +1509,12 @@ async function addOverrides({
1379
1509
  let thisVersion = version;
1380
1510
  // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
1381
1511
  // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
1382
- const specStartsWith = `npm:${regPkgName}@`;
1383
- const existingVersion = pkgSpec.startsWith(specStartsWith) ? _semver.coerce(_npmPackageArg(pkgSpec).rawSpec)?.version ?? '' : '';
1512
+ const regSpecStartsLike = `npm:${regPkgName}@`;
1513
+ const existingVersion = pkgSpec.startsWith(regSpecStartsLike) ? _semver.coerce(_npmPackageArg(pkgSpec).rawSpec)?.version ?? '' : '';
1384
1514
  if (existingVersion) {
1385
1515
  thisVersion = existingVersion;
1386
1516
  } else {
1387
- pkgSpec = `${specStartsWith}^${version}`;
1517
+ pkgSpec = `${regSpecStartsLike}^${version}`;
1388
1518
  depObj[origPkgName] = pkgSpec;
1389
1519
  state.added.add(regPkgName);
1390
1520
  }
@@ -1394,19 +1524,17 @@ async function addOverrides({
1394
1524
  });
1395
1525
  }
1396
1526
  }
1397
- if (!isRoot) {
1398
- return;
1399
- }
1400
1527
  // Chunk package names to process them in parallel 3 at a time.
1401
1528
  await (0, _promises2.pEach)(overridesDataObjects, 3, async ({
1402
1529
  overrides,
1403
1530
  type
1404
1531
  }) => {
1405
1532
  const overrideExists = (0, _objects.hasOwn)(overrides, origPkgName);
1406
- if (overrideExists || lockIncludes(lockSrc, origPkgName)) {
1533
+ if (overrideExists || thingScanner(thingToScan, origPkgName)) {
1407
1534
  const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
1408
1535
  const depAlias = depAliasMap.get(origPkgName);
1409
- let newSpec = `npm:${regPkgName}@^${pin ? version : major}`;
1536
+ const regSpecStartsLike = `npm:${regPkgName}@`;
1537
+ let newSpec = `${regSpecStartsLike}^${pin ? version : major}`;
1410
1538
  let thisVersion = version;
1411
1539
  if (depAlias && type === 'npm') {
1412
1540
  // With npm one may not set an override for a package that one directly
@@ -1417,13 +1545,16 @@ async function addOverrides({
1417
1545
  // of with a $.
1418
1546
  // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
1419
1547
  newSpec = `$${origPkgName}`;
1420
- } else if (overrideExists && pin) {
1548
+ } else if (overrideExists) {
1421
1549
  const thisSpec = oldSpec.startsWith('$') ? depAlias?.id ?? newSpec : oldSpec ?? newSpec;
1422
- thisVersion = _semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version;
1423
- if (_semver.major(thisVersion) !== major) {
1424
- thisVersion = (await fetchPackageManifest(thisSpec))?.version ?? version;
1550
+ if (thisSpec.startsWith(regSpecStartsLike)) {
1551
+ if (pin) {
1552
+ thisVersion = _semver.major(_semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version) === major ? version : (await fetchPackageManifest(thisSpec))?.version ?? version;
1553
+ }
1554
+ newSpec = `${regSpecStartsLike}^${pin ? thisVersion : _semver.major(thisVersion)}`;
1555
+ } else {
1556
+ newSpec = oldSpec;
1425
1557
  }
1426
- newSpec = `npm:${regPkgName}@^${pin ? thisVersion : _semver.major(thisVersion)}`;
1427
1558
  }
1428
1559
  if (newSpec !== oldSpec) {
1429
1560
  if (overrideExists) {
@@ -1439,7 +1570,8 @@ async function addOverrides({
1439
1570
  if (workspaces) {
1440
1571
  const wsPkgJsonPaths = await (0, _tinyglobby.glob)(workspaces.map(workspaceToGlobPattern), {
1441
1572
  absolute: true,
1442
- cwd: pkgPath
1573
+ cwd: pkgPath,
1574
+ ignore: ['**/node_modules/**', '**/bower_components/**']
1443
1575
  });
1444
1576
  // Chunk package names to process them in parallel 3 at a time.
1445
1577
  await (0, _promises2.pEach)(wsPkgJsonPaths, 3, async wsPkgJsonPath => {
@@ -1448,12 +1580,17 @@ async function addOverrides({
1448
1580
  updated
1449
1581
  } = await addOverrides({
1450
1582
  agent,
1583
+ agentExecPath,
1451
1584
  lockSrc,
1452
- lockIncludes,
1453
1585
  manifestEntries,
1454
1586
  pin,
1455
1587
  pkgPath: _nodePath$2.dirname(wsPkgJsonPath),
1588
+ prod,
1456
1589
  rootPath
1590
+ }, {
1591
+ added: new Set(),
1592
+ spinner,
1593
+ updated: new Set()
1457
1594
  });
1458
1595
  for (const regPkgName of added) {
1459
1596
  state.added.add(regPkgName);
@@ -1463,8 +1600,7 @@ async function addOverrides({
1463
1600
  }
1464
1601
  });
1465
1602
  }
1466
- spinner?.stop();
1467
- if (state.added.size || state.updated.size) {
1603
+ if (state.added.size > 0 || state.updated.size > 0) {
1468
1604
  editablePkgJson.update(Object.fromEntries(depEntries));
1469
1605
  for (const {
1470
1606
  overrides,
@@ -1476,10 +1612,39 @@ async function addOverrides({
1476
1612
  }
1477
1613
  return state;
1478
1614
  }
1615
+
1616
+ // type ExtractOptions = pacote.Options & {
1617
+ // tmpPrefix?: string
1618
+ // [key: string]: any
1619
+ // }
1620
+
1621
+ // async function extractPackage(pkgNameOrId: string, options: ExtractOptions | undefined, callback: (tmpDirPath: string) => any) {
1622
+ // if (arguments.length === 2 && typeof options === 'function') {
1623
+ // callback = options
1624
+ // options = undefined
1625
+ // }
1626
+ // const { tmpPrefix, ...extractOptions } = { __proto__: null, ...options }
1627
+ // // cacache.tmp.withTmp DOES return a promise.
1628
+ // await cacache.tmp.withTmp(
1629
+ // pacoteCachePath,
1630
+ // { tmpPrefix },
1631
+ // // eslint-disable-next-line @typescript-eslint/no-misused-promises
1632
+ // async tmpDirPath => {
1633
+ // await pacote.extract(pkgNameOrId, tmpDirPath, {
1634
+ // __proto__: null,
1635
+ // packumentCache,
1636
+ // preferOffline: true,
1637
+ // ...<Omit<typeof extractOptions, '__proto__'>>extractOptions
1638
+ // })
1639
+ // await callback(tmpDirPath)
1640
+ // }
1641
+ // )
1642
+ // }
1643
+
1479
1644
  async function fetchPackageManifest(pkgNameOrId, options) {
1480
1645
  const pacoteOptions = {
1481
1646
  ...options,
1482
- packumentCache,
1647
+ packumentCache: _constants.packumentCache,
1483
1648
  preferOffline: true
1484
1649
  };
1485
1650
  const {
@@ -1507,12 +1672,14 @@ const optimize = optimize$1.optimize = {
1507
1672
  return;
1508
1673
  }
1509
1674
  const {
1510
- pin
1675
+ pin,
1676
+ prod
1511
1677
  } = commandContext;
1512
1678
  const cwd = process.cwd();
1513
1679
  const {
1514
1680
  agent,
1515
1681
  agentExecPath,
1682
+ agentVersion,
1516
1683
  lockSrc,
1517
1684
  lockPath,
1518
1685
  minimumNodeVersion,
@@ -1534,53 +1701,64 @@ const optimize = optimize$1.optimize = {
1534
1701
  console.log(`✘ ${COMMAND_TITLE}: No ${lockName} found`);
1535
1702
  return;
1536
1703
  }
1704
+ if (lockSrc.trim() === '') {
1705
+ console.log(`✘ ${COMMAND_TITLE}: ${lockName} is empty`);
1706
+ return;
1707
+ }
1537
1708
  if (pkgPath === undefined) {
1538
1709
  console.log(`✘ ${COMMAND_TITLE}: No package.json found`);
1539
1710
  return;
1540
1711
  }
1712
+ if (prod && (agent === 'bun' || agent === 'yarn/berry')) {
1713
+ console.log(`✘ ${COMMAND_TITLE}: --prod not supported for ${agent}${agentVersion ? `@${agentVersion.toString()}` : ''}`);
1714
+ return;
1715
+ }
1541
1716
  if (lockPath && _nodePath$2.relative(cwd, lockPath).startsWith('.')) {
1542
1717
  console.log(`⚠️ ${COMMAND_TITLE}: Package ${lockName} found at ${lockPath}`);
1543
1718
  }
1719
+ const spinner = (0, _ora$i.default)('Socket optimizing...');
1544
1720
  const state = {
1545
1721
  added: new Set(),
1722
+ spinner,
1546
1723
  updated: new Set()
1547
1724
  };
1548
- if (lockSrc) {
1549
- const lockIncludes = agent === 'bun' ? lockIncludesByAgent.yarn : lockIncludesByAgent[agent];
1550
- const nodeRange = `>=${minimumNodeVersion}`;
1551
- const manifestEntries = manifestNpmOverrides.filter(({
1552
- 1: data
1553
- }) => _semver.satisfies(_semver.coerce(data.engines.node), nodeRange));
1554
- await addOverrides({
1555
- agent: agent === 'bun' ? 'yarn' : agent,
1556
- lockIncludes,
1557
- lockSrc,
1558
- manifestEntries,
1559
- pin,
1560
- pkgJson,
1561
- pkgPath,
1562
- rootPath: pkgPath
1563
- }, state);
1564
- }
1725
+ spinner.start();
1726
+ const nodeRange = `>=${minimumNodeVersion}`;
1727
+ const manifestEntries = manifestNpmOverrides.filter(({
1728
+ 1: data
1729
+ }) => _semver.satisfies(_semver.coerce(data.engines.node), nodeRange));
1730
+ await addOverrides({
1731
+ agent,
1732
+ agentExecPath,
1733
+ lockSrc,
1734
+ manifestEntries,
1735
+ pin,
1736
+ pkgJson,
1737
+ pkgPath,
1738
+ prod,
1739
+ rootPath: pkgPath
1740
+ }, state);
1741
+ spinner.stop();
1565
1742
  const pkgJsonChanged = state.added.size > 0 || state.updated.size > 0;
1566
- if (state.updated.size > 0) {
1567
- console.log(`Updated ${state.updated.size} Socket.dev optimized overrides ${state.added.size ? '.' : '🚀'}`);
1568
- }
1569
- if (state.added.size > 0) {
1570
- console.log(`Added ${state.added.size} Socket.dev optimized overrides 🚀`);
1571
- }
1572
- if (!pkgJsonChanged) {
1743
+ if (pkgJsonChanged) {
1744
+ if (state.updated.size > 0) {
1745
+ console.log(`Updated ${state.updated.size} Socket.dev optimized overrides ${state.added.size ? '.' : '🚀'}`);
1746
+ }
1747
+ if (state.added.size > 0) {
1748
+ console.log(`Added ${state.added.size} Socket.dev optimized overrides 🚀`);
1749
+ }
1750
+ } else {
1573
1751
  console.log('Congratulations! Already Socket.dev optimized 🎉');
1574
1752
  }
1575
1753
  const isNpm = agent === 'npm';
1576
1754
  if (isNpm || pkgJsonChanged) {
1577
1755
  // Always update package-lock.json until the npm overrides PR lands:
1578
1756
  // https://github.com/npm/cli/pull/7025
1579
- const spinner = (0, _ora$i.default)(`Updating ${lockName}...`).start();
1757
+ spinner.start(`Updating ${lockName}...`);
1580
1758
  try {
1581
1759
  if (isNpm) {
1582
1760
  const wrapperPath = _nodePath$2.join(distPath$1, 'npm-cli.js');
1583
- await _promiseSpawn$2(process.execPath, [wrapperPath, 'install'], {
1761
+ await _promiseSpawn$2(process.execPath, [wrapperPath, 'install', '--no-audit', '--no-fund'], {
1584
1762
  stdio: 'pipe',
1585
1763
  env: {
1586
1764
  ...process.env,
@@ -1588,6 +1766,7 @@ const optimize = optimize$1.optimize = {
1588
1766
  }
1589
1767
  });
1590
1768
  } else {
1769
+ // All package managers support the "install" command.
1591
1770
  await _promiseSpawn$2(agentExecPath, ['install'], {
1592
1771
  stdio: 'pipe'
1593
1772
  });
@@ -1613,6 +1792,11 @@ function setupCommand$l(name, description, argv, importMeta) {
1613
1792
  type: 'boolean',
1614
1793
  default: false,
1615
1794
  description: 'Pin overrides to their latest version'
1795
+ },
1796
+ prod: {
1797
+ type: 'boolean',
1798
+ default: false,
1799
+ description: 'Only add overrides for production dependencies'
1616
1800
  }
1617
1801
  };
1618
1802
  const cli = (0, _meow$m.default)(`
@@ -1632,14 +1816,16 @@ function setupCommand$l(name, description, argv, importMeta) {
1632
1816
  });
1633
1817
  const {
1634
1818
  help,
1635
- pin
1819
+ pin,
1820
+ prod
1636
1821
  } = cli.flags;
1637
1822
  if (help) {
1638
1823
  cli.showHelp();
1639
1824
  return;
1640
1825
  }
1641
1826
  return {
1642
- pin
1827
+ pin,
1828
+ prod
1643
1829
  };
1644
1830
  }
1645
1831
 
@@ -2455,7 +2641,7 @@ Object.defineProperty(create$3, "__esModule", {
2455
2641
  value: true
2456
2642
  });
2457
2643
  create$3.create = void 0;
2458
- var _nodeProcess = require$$0$1;
2644
+ var _nodeProcess = require$$0$2;
2459
2645
  var _promises$1 = require$$2$3;
2460
2646
  var _chalk$e = _interopRequireDefault$f(vendor.source);
2461
2647
  var _meow$e = _interopRequireDefault$f(vendor.build);
@@ -4324,7 +4510,7 @@ Object.defineProperty(get$1, "__esModule", {
4324
4510
  });
4325
4511
  get$1.get = void 0;
4326
4512
  var _nodeFs$1 = require$$0;
4327
- var _nodeUtil = require$$0$2;
4513
+ var _nodeUtil = require$$0$3;
4328
4514
  var _chalk$1 = _interopRequireDefault$2(vendor.source);
4329
4515
  var _meow$1 = _interopRequireDefault$2(vendor.build);
4330
4516
  var _ora$1 = _interopRequireDefault$2(vendor.ora);
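Review bot: `depsIncludesByAgent.npm` and `depsIncludesByAgent.pnpm` look for `/${name}\n`, but the matching `lsByAgent` readers return `stdout.trim()`, so the last entry of the `ls --parseable` listing has no trailing newline and the final production dependency can never match; use `stdout.includes(`/${name}\n`) || stdout.endsWith(`/${name}`)` for both, or stop trimming the trailing newline in `lsByAgent`. Separately, in the `detect` hunk the new `--version` probe and the `yarn/classic` → `yarn/berry` promotion run on `agentExecPath`, which the unchanged line just above still resolves with `_which(agent, …) ?? agent`; since `agent` is now `'yarn/classic'` when it comes from `LOCKS`, unless lines outside this hunk map that key back to the `yarn` binary, `_which` finds nothing, the spawn fails into the empty `catch`, the promotion never happens and `lsByAgent['yarn/classic']` later returns `''` silently. The Corepack `packageManager` field names the binary (`yarn@…`), which `AGENTS.includes(name)` now rejects for the same reason. Resolving the executable from `agent.split('/')[0]` would keep the new agent keys while still finding the binary; `detect` begins and ends outside these hunks.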
@@ -17,7 +17,7 @@ var require$$1$1 = require('node:net');
17
17
  var require$$2 = require('node:os');
18
18
  var require$$6 = require('../package.json');
19
19
  var pathResolve = require('./path-resolve.js');
20
- var require$$9 = require('pacote');
20
+ var require$$0$1 = require('pacote');
21
21
 
22
22
  var npmInjection$1 = {};
23
23
 
@@ -444,7 +444,7 @@ let tarball;
444
444
  try {
445
445
  tarball = require(_nodePath$1.join(npmNmPath, 'pacote')).tarball;
446
446
  } catch {
447
- tarball = require$$9.tarball;
447
+ tarball = require$$0$1.tarball;
448
448
  }
449
449
  const Arborist = require(arboristClassPath);
450
450
  const Edge = require(arboristEdgeClassPath);
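--- a/package/dist/sdk.d.ts
+++ b/package/dist/sdk.d.ts
@@ -14,7 +14,9 @@ declare const API_V0_URL = "https://api.socket.dev/v0";
 declare const ENV: Readonly<{
 UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: boolean;
 }>;
+declare const packumentCache: Map<any, any>;
+declare const pacoteCachePath: any;
 declare const FREE_API_KEY = "sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api";
 declare function getDefaultKey(): string | undefined;
 declare function setupSdk(apiKey?: string | undefined, apiBaseUrl?: string | undefined, proxy?: string | undefined): Promise<SocketSdk>;
-export { hasOwn, isObject, isObjectObject, objectSome, pick, createDebugLogger, isErrnoException, stringJoinWithSeparateFinalSeparator, API_V0_URL, ENV, FREE_API_KEY, getDefaultKey, setupSdk };
+export { hasOwn, isObject, isObjectObject, objectSome, pick, createDebugLogger, isErrnoException, stringJoinWithSeparateFinalSeparator, API_V0_URL, ENV, packumentCache, pacoteCachePath, FREE_API_KEY, getDefaultKey, setupSdk };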
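--- a/package/dist/sdk.js
+++ b/package/dist/sdk.js
@@ -1,12 +1,13 @@
 'use strict';
 
+var require$$0 = require('pacote');
 var vendor = require('./vendor.js');
 var require$$1$1 = require('node:fs/promises');
 var require$$1 = require('node:path');
 var require$$1$2 = require('@inquirer/prompts');
 var require$$4 = require('@socketsecurity/sdk');
 var require$$5 = require('hpagent');
-var require$$0 = require('node:fs');
+var require$$0$1 = require('node:fs');
 var require$$2 = require('node:os');
 
 var errors = {};
@@ -30,7 +31,8 @@ var constants = {};
 Object.defineProperty(constants, "__esModule", {
 value: true
 });
-constants.ENV = constants.API_V0_URL = void 0;
+constants.pacoteCachePath = constants.packumentCache = constants.ENV = constants.API_V0_URL = void 0;
+var _pacote = require$$0;
 function envAsBoolean(value) {
 return typeof value === 'string' && (value === '1' || value.toLowerCase() === 'true');
 }
@@ -39,6 +41,11 @@ constants.ENV = Object.freeze({
 // Flag set by the optimize command to bypass the packagesHaveRiskyIssues check.
 UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: envAsBoolean(process.env['UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE'])
 });
+constants.packumentCache = new Map();
+const {
+constructor: PacoteFetcherBase
+} = Reflect.getPrototypeOf(_pacote.RegistryFetcher.prototype);
+constants.pacoteCachePath = new PacoteFetcherBase(/*dummy package spec*/'x', {}).cache;
 
 var chalkMarkdown = {};
 
@@ -189,7 +196,7 @@ Object.defineProperty(settings$1, "__esModule", {
 });
 settings$1.getSetting = getSetting;
 settings$1.updateSetting = updateSetting;
-var _nodeFs = require$$0;
+var _nodeFs = require$$0$1;
 var _nodeOs = require$$2;
 var _nodePath$1 = require$$1;
 var _ora = _interopRequireDefault$1(vendor.ora);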
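Review bot: `constants.pacoteCachePath` is computed at module load by walking pacote's prototype chain (`Reflect.getPrototypeOf(_pacote.RegistryFetcher.prototype).constructor`) and instantiating that un-exported base class with a dummy spec, yet the only reference to it in this diff is the commented-out `extractPackage` in cli.js. If a pacote update changes that class layout the expression throws while `sdk.js` is being required, which takes down every command for a value nothing reads yet. Either defer this until the extract code lands, or make it best-effort with a comment explaining why the internal class is reached this way, as below.
```javascript
constants.packumentCache = new Map();
let pacoteCachePath;
try {
  // pacote does not export its FetcherBase; reach it through RegistryFetcher's prototype chain.
  const { constructor: PacoteFetcherBase } = Reflect.getPrototypeOf(_pacote.RegistryFetcher.prototype);
  pacoteCachePath = new PacoteFetcherBase(/*dummy package spec*/'x', {}).cache;
} catch {
  // Best-effort: leave undefined rather than fail at require() time if pacote internals change.
}
constants.pacoteCachePath = pacoteCachePath;
// … unchanged: chalkMarkdown and later modules …
```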
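--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket",
-"version": "0.14.18",
+"version": "0.14.20",
 "description": "CLI tool for Socket.dev",
 "homepage": "http://github.com/SocketDev/socket-cli",
 "license": "MIT",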