socket 0.14.20 → 0.14.21

package/dist/npm-cli.js

@@ -25,24 +25,24 @@ const injectionPath = _nodePath.join(realDirname, 'npm-injection.js');
 // Adding the `--quiet` and `--no-progress` flags when the `proc-log` module
 // is found to fix a UX issue when running the command with recent versions of
 // npm (input swallowed by the standard npm spinner)
-let npmArgs = [];
-if (process.argv.slice(2).includes('install')) {
+const npmArgs = process.argv.slice(2);
+if (npmArgs.includes('install') && !npmArgs.includes('--no-progress') && !npmArgs.includes('--quiet')) {
   const npmEntrypoint = (0, _nodeFs.realpathSync)(npmPath);
   const npmRootPath = (0, _pathResolve.findRoot)(_nodePath.dirname(npmEntrypoint));
   if (npmRootPath === undefined) {
     process.exit(127);
   }
   const npmDepPath = _nodePath.join(npmRootPath, 'node_modules');
-  let npmlog;
+  let procLog;
   try {
-    npmlog = require(_nodePath.join(npmDepPath, 'proc-log/lib/index.js')).log;
+    procLog = require(_nodePath.join(npmDepPath, 'proc-log/lib/index.js')).log;
   } catch {}
-  if (npmlog) {
-    npmArgs = ['--quiet', '--no-progress'];
+  if (procLog) {
+    npmArgs.push('--no-progress', '--quiet');
   }
 }
 process.exitCode = 1;
-const spawnPromise = _promiseSpawn(process.execPath, ['--require', injectionPath, npmPath, ...process.argv.slice(2), ...npmArgs], {
+const spawnPromise = _promiseSpawn(process.execPath, ['--require', injectionPath, npmPath, ...npmArgs], {
   stdio: 'inherit'
 });
 spawnPromise.process.on('exit', (code, signal) => {

package/dist/npm-injection.js

@@ -17,7 +17,6 @@ var require$$1$1 = require('node:net');
 var require$$2 = require('node:os');
 var require$$6 = require('../package.json');
 var pathResolve = require('./path-resolve.js');
-var require$$0$1 = require('pacote');
 
 var npmInjection$1 = {};
 
@@ -63,12 +62,12 @@ function createNonStandardTTYServer() {
               conn.removeListener('data', awaitCapture);
               conn.push(lineBuff.slice(eolIndex + 1));
               const {
-                ipc_version: remote_ipc_version,
                 capabilities: {
+                  colorLevel: ipcColorLevel,
                   input: hasInput,
-                  output: hasOutput,
-                  colorLevel: ipcColorLevel
-                }
+                  output: hasOutput
+                },
+                ipc_version: remote_ipc_version
               } = JSON.parse(lineBuff.slice(0, eolIndex).toString('utf-8'));
               lineBuff = null;
               captured = true;
@@ -406,47 +405,65 @@ var _objects = sdk.objects;
 var _pathResolve = pathResolve.pathResolve;
 var _sdk = sdk.sdk;
 var _settings = sdk.settings;
-const LOOP_SENTINEL = 1_000_000;
 const POTENTIALLY_BUG_ERROR_SNIPPET = 'this is potentially a bug with socket-npm caused by changes to the npm cli';
 const distPath$1 = __dirname;
 const rootPath$1 = _nodePath$1.resolve(distPath$1, '..');
-const translations = require(_nodePath$1.join(rootPath$1, 'translations.json'));
-const npmEntrypoint = (0, _nodeFs$1.realpathSync)(`${process.argv[1]}`);
+const npmEntrypoint = (0, _nodeFs$1.realpathSync)(process.argv[1]);
 const npmRootPath = (0, _pathResolve.findRoot)(_nodePath$1.dirname(npmEntrypoint));
-const abortController = new AbortController();
-const {
-  signal: abortSignal
-} = abortController;
+function tryRequire(...ids) {
+  for (const data of ids) {
+    let id;
+    let transformer;
+    if (Array.isArray(data)) {
+      id = data[0];
+      transformer = data[1];
+    } else {
+      id = data;
+      transformer = mod => mod;
+    }
+    try {
+      // Check that the transformed value isn't `undefined` because older
+      // versions of packages like 'proc-log' may not export a `log` method.
+      const exported = transformer(require(id));
+      if (exported !== undefined) {
+        return exported;
+      }
+    } catch {}
+  }
+  return undefined;
+}
 if (npmRootPath === undefined) {
   console.error(`Unable to find npm cli install directory, ${POTENTIALLY_BUG_ERROR_SNIPPET}.`);
   console.error(`Searched parent directories of ${npmEntrypoint}`);
   process.exit(127);
 }
+const LOOP_SENTINEL = 1_000_000;
+const NPM_REGISTRY_URL = 'https://registry.npmjs.org';
 const npmNmPath = _nodePath$1.join(npmRootPath, 'node_modules');
 const arboristClassPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/arborist/index.js');
+const arboristDepValidPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/dep-valid.js');
 const arboristEdgeClassPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/edge.js');
 const arboristNodeClassPath = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/node.js');
 const arboristOverrideSetClassPatch = _nodePath$1.join(npmNmPath, '@npmcli/arborist/lib/override-set.js');
-let npmlog;
-try {
-  npmlog = require(_nodePath$1.join(npmNmPath, 'proc-log/lib/index.js')).log;
-} catch {}
-if (npmlog === undefined) {
-  try {
-    npmlog = require(_nodePath$1.join(npmNmPath, 'npmlog/lib/log.js'));
-  } catch {}
-}
-if (npmlog === undefined) {
+const log = tryRequire([_nodePath$1.join(npmNmPath, 'proc-log/lib/index.js'),
+// The proc-log DefinitelyTyped definition is incorrect. The type definition
+// is really that of its export log.
+mod => mod.log], _nodePath$1.join(npmNmPath, 'npmlog/lib/log.js'));
+if (log === undefined) {
   console.error(`Unable to integrate with npm cli logging infrastructure, ${POTENTIALLY_BUG_ERROR_SNIPPET}.`);
   process.exit(127);
 }
-let tarball;
-try {
-  tarball = require(_nodePath$1.join(npmNmPath, 'pacote')).tarball;
-} catch {
-  tarball = require$$0$1.tarball;
-}
+const pacote = tryRequire(_nodePath$1.join(npmNmPath, 'pacote'), 'pacote');
+const {
+  tarball
+} = pacote;
+const translations = require(_nodePath$1.join(rootPath$1, 'translations.json'));
+const abortController = new AbortController();
+const {
+  signal: abortSignal
+} = abortController;
 const Arborist = require(arboristClassPath);
+const depValid = require(arboristDepValidPath);
 const Edge = require(arboristEdgeClassPath);
 const Node = require(arboristNodeClassPath);
 const OverrideSet = require(arboristOverrideSetClassPatch);
@@ -456,7 +473,7 @@ const formatter = new _chalkMarkdown.ChalkOrMarkdown(false);
 const pubToken = (0, _sdk.getDefaultKey)() ?? _sdk.FREE_API_KEY;
 const ttyServer = (0, _ttyServer.createTTYServer)(_chalk.default.level, (0, _isInteractive.default)({
   stream: process.stdin
-}), npmlog);
+}), log);
 let _uxLookup;
 async function uxLookup(settings) {
   while (_uxLookup === undefined) {
@@ -545,7 +562,7 @@ function findSpecificOverrideSet(first, second) {
     }
     overrideSet = overrideSet.parent;
   }
-  console.error('Conflicting override sets');
+  log.silly('Conflicting override sets', first, second);
   return undefined;
 }
 function maybeReadfileSync(filepath) {
@@ -747,11 +764,13 @@ class SafeEdge extends Edge {
   #safeError;
   #safeExplanation;
   #safeFrom;
+  #safeName;
   #safeTo;
   constructor(options) {
     const {
       accept,
-      from
+      from,
+      name
     } = options;
     // Defer to supper to validate options and assign non-private values.
     super(options);
@@ -761,43 +780,51 @@ class SafeEdge extends Edge {
     this.#safeError = null;
     this.#safeExplanation = null;
     this.#safeFrom = from;
+    this.#safeName = name;
     this.#safeTo = null;
     this.reload(true);
   }
-
-  // Return the edge data, and an explanation of how that edge came to be here.
-  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
-  explain() {
-    if (!this.#safeExplanation) {
-      const explanation = {
-        type: this.type,
-        name: this.name,
-        spec: this.spec,
-        bundled: false,
-        overridden: false,
-        error: undefined,
-        from: undefined,
-        rawSpec: undefined
-      };
-      if (this.rawSpec !== this.spec) {
-        explanation.rawSpec = this.rawSpec;
-        explanation.overridden = true;
-      }
-      if (this.bundled) {
-        explanation.bundled = this.bundled;
-      }
-      if (this.error) {
-        explanation.error = this.error;
+  get accept() {
+    return this.#safeAccept;
+  }
+  get bundled() {
+    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+  }
+  get error() {
+    if (!this.#safeError) {
+      if (!this.#safeTo) {
+        if (this.optional) {
+          this.#safeError = null;
+        } else {
+          this.#safeError = 'MISSING';
+        }
+      } else if (this.peer && this.#safeFrom === this.#safeTo.parent && !this.#safeFrom?.isTop) {
+        this.#safeError = 'PEER LOCAL';
+      } else if (!this.satisfiedBy(this.#safeTo)) {
+        this.#safeError = 'INVALID';
       }
-      if (this.#safeFrom) {
-        explanation.from = this.#safeFrom.explain();
+      // Patch adding "else if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      else if (this.overrides && this.#safeTo.edgesOut.size && !findSpecificOverrideSet(this.overrides, this.#safeTo.overrides)) {
+        // Any inconsistency between the edge's override set and the target's
+        // override set is potentially problematic. But we only say the edge is
+        // in error if the override sets are plainly conflicting. Note that if
+        // the target doesn't have any dependencies of their own, then this
+        // inconsistency is irrelevant.
+        this.#safeError = 'INVALID';
+      } else {
+        this.#safeError = 'OK';
       }
-      this.#safeExplanation = explanation;
     }
-    return this.#safeExplanation;
+    if (this.#safeError === 'OK') {
+      return null;
+    }
+    return this.#safeError;
   }
-  get bundled() {
-    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get from() {
+    return this.#safeFrom;
   }
 
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
@@ -835,39 +862,55 @@ class SafeEdge extends Edge {
     }
     return this.rawSpec;
   }
-  get accept() {
-    return this.#safeAccept;
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get to() {
+    return this.#safeTo;
   }
-  get error() {
-    if (!this.#safeError) {
-      if (!this.#safeTo) {
-        if (this.optional) {
-          this.#safeError = null;
-        } else {
-          this.#safeError = 'MISSING';
-        }
-      } else if (this.peer && this.#safeFrom === this.#safeTo.parent && !this.#safeFrom?.isTop) {
-        this.#safeError = 'PEER LOCAL';
-      } else if (!this.satisfiedBy(this.#safeTo)) {
-        this.#safeError = 'INVALID';
+  detach() {
+    this.#safeExplanation = null;
+    // Patch replacing
+    // if (this.#safeTo) {
+    //   this.#safeTo.edgesIn.delete(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    this.#safeTo?.deleteEdgeIn(this);
+    this.#safeFrom?.edgesOut.delete(this.name);
+    this.#safeTo = null;
+    this.#safeError = 'DETACHED';
+    this.#safeFrom = null;
+  }
+
+  // Return the edge data, and an explanation of how that edge came to be here.
+  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
+  explain() {
+    if (!this.#safeExplanation) {
+      const explanation = {
+        type: this.type,
+        name: this.name,
+        spec: this.spec,
+        bundled: false,
+        overridden: false,
+        error: undefined,
+        from: undefined,
+        rawSpec: undefined
+      };
+      if (this.rawSpec !== this.spec) {
+        explanation.rawSpec = this.rawSpec;
+        explanation.overridden = true;
       }
-      // Patch adding "else if" condition is based on
-      // https://github.com/npm/cli/pull/7025.
-      else if (this.overrides && this.#safeTo.edgesOut.size && !findSpecificOverrideSet(this.overrides, this.#safeTo.overrides)) {
-        // Any inconsistency between the edge's override set and the target's
-        // override set is potentially problematic. But we only say the edge is
-        // in error if the override sets are plainly conflicting. Note that if
-        // the target doesn't have any dependencies of their own, then this
-        // inconsistency is irrelevant.
-        this.#safeError = 'INVALID';
-      } else {
-        this.#safeError = 'OK';
+      if (this.bundled) {
+        explanation.bundled = this.bundled;
       }
+      if (this.error) {
+        explanation.error = this.error;
+      }
+      if (this.#safeFrom) {
+        explanation.from = this.#safeFrom.explain();
+      }
+      this.#safeExplanation = explanation;
     }
-    if (this.#safeError === 'OK') {
-      return null;
-    }
-    return this.#safeError;
+    return this.#safeExplanation;
   }
   reload(hard = false) {
     this.#safeExplanation = null;
@@ -916,36 +959,100 @@ class SafeEdge extends Edge {
       this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
     }
   }
-  detach() {
-    this.#safeExplanation = null;
-    if (this.#safeTo) {
-      // Patch replacing
-      // this.#safeTo.edgesIn.delete(this)
-      // is based on https://github.com/npm/cli/pull/7025.
-      this.#safeTo.deleteEdgeIn(this);
+  satisfiedBy(node) {
+    // Patch replacing
+    // if (node.name !== this.#name) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (node.name !== this.#safeName || !this.#safeFrom) {
+      return false;
     }
-    if (this.#safeFrom) {
-      this.#safeFrom.edgesOut.delete(this.name);
+    // NOTE: this condition means we explicitly do not support overriding
+    // bundled or shrinkwrapped dependencies
+    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+      return depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom);
     }
-    this.#safeTo = null;
-    this.#safeError = 'DETACHED';
-    this.#safeFrom = null;
-  }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get from() {
-    return this.#safeFrom;
-  }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get to() {
-    return this.#safeTo;
+    // Patch replacing
+    // return depValid(node, this.spec, this.#accept, this.#from)
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If there's no override we just use the spec.
+    if (!this.overrides?.keySpec) {
+      return depValid(node, this.spec, this.#safeAccept, this.#safeFrom);
+    }
+    // There's some override. If the target node satisfies the overriding spec
+    // then it's okay.
+    if (depValid(node, this.spec, this.#safeAccept, this.#safeFrom)) {
+      return true;
+    }
+    // If it doesn't, then it should at least satisfy the original spec.
+    if (!depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom)) {
+      return false;
+    }
+    // It satisfies the original spec, not the overriding spec. We need to make
+    // sure it doesn't use the overridden spec.
+    // For example, we might have an ^8.0.0 rawSpec, and an override that makes
+    // keySpec=8.23.0 and the override value spec=9.0.0.
+    // If the node is 9.0.0, then it's okay because it's consistent with spec.
+    // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
+    // If the node is 8.23.0, then it's not okay because even though it's consistent
+    // with the rawSpec, it's also consistent with the keySpec.
+    // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
+    return !depValid(node, this.overrides.keySpec, this.#safeAccept, this.#safeFrom);
   }
 }
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
 // is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/node.js:
 class SafeNode extends Node {
+  // Return true if it's safe to remove this node, because anything that is
+  // depending on it would be fine with the thing that they would resolve to if
+  // it was removed, or nothing is depending on it in the first place.
+  canDedupe(preferDedupe = false) {
+    // Not allowed to mess with shrinkwraps or bundles.
+    if (this.inDepBundle || this.inShrinkwrap) {
+      return false;
+    }
+    // It's a top level pkg, or a dep of one.
+    if (!this.resolveParent || !this.resolveParent.resolveParent) {
+      return false;
+    }
+    // No one wants it, remove it.
+    if (this.edgesIn.size === 0) {
+      return true;
+    }
+    const other = this.resolveParent.resolveParent.resolve(this.name);
+    // Nothing else, need this one.
+    if (!other) {
+      return false;
+    }
+    // If it's the same thing, then always fine to remove.
+    if (other.matches(this)) {
+      return true;
+    }
+    // If the other thing can't replace this, then skip it.
+    if (!other.canReplace(this)) {
+      return false;
+    }
+    // Patch replacing
+    // if (preferDedupe || semver.gte(other.version, this.version)) {
+    //   return true
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If we prefer dedupe, or if the version is equal, take the other.
+    if (preferDedupe || _semver.eq(other.version, this.version)) {
+      return true;
+    }
+    // If our current version isn't the result of an override, then prefer to
+    // take the greater version.
+    if (!this.overridden && _semver.gt(other.version, this.version)) {
+      return true;
+    }
+    return false;
+  }
+
   // Is it safe to replace one node with another?  check the edges to
   // make sure no one will get upset.  Note that the node might end up
   // having its own unmet dependencies, if the new node has new deps.
@@ -1036,7 +1143,7 @@ class SafeNode extends Node {
     // overridden, we check whether any edge going in had the rule applied to it,
     // in which case its overrides set is different than its source node.
     for (const edge of this.edgesIn) {
-      if (this.overrides.isEqual(edge.overrides)) {
+      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
         if (!edge.overrides?.isEqual(edge.from?.overrides)) {
           return true;
         }
@@ -1123,9 +1230,9 @@ class SafeNode extends Node {
       this.recalculateOutEdgesOverrides();
       return true;
     }
-    // This is an error condition. We can only get here if the new override set is
-    // in conflict with the existing.
-    console.error('Conflicting override sets');
+    // This is an error condition. We can only get here if the new override set
+    // is in conflict with the existing.
+    log.silly(`Conflicting override requirements for node ${this.name}`, this);
     return false;
   }
 
@@ -1318,7 +1425,7 @@ class SafeArborist extends Arborist {
     options['save'] = old.save;
     options['saveBundle'] = old.saveBundle;
     // Nothing to check, mmm already installed or all private?
-    if (diff.findIndex(c => c.newPackage.repository_url === 'https://registry.npmjs.org') === -1) {
+    if (diff.findIndex(c => c.newPackage.repository_url === NPM_REGISTRY_URL) === -1) {
       return await this[kRiskyReify](...args);
     }
     let proceed = _constants.ENV.UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE;

package/dist/path-resolve.js

@@ -63,8 +63,8 @@ async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
 }
 async function globWithGitIgnore(patterns, options) {
   const {
-    socketConfig,
     cwd = process.cwd(),
+    socketConfig,
     ...additionalOptions
   } = {
     __proto__: null,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "0.14.20",
+  "version": "0.14.21",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli",
   "license": "MIT",
@@ -28,7 +28,7 @@
     "check:type-coverage": "type-coverage --detail --strict --at-least 95 --ignore-files 'test/*'",
     "knip:dependencies": "knip --dependencies",
     "knip:exports": "knip --include exports,duplicates",
-    "lint": "oxlint -c=./.oxlintrc.json --ignore-path=./.prettierignore --tsconfig=./tsconfig.json . -D correctness -D perf -D suspicious --promise-plugin --import-plugin",
+    "lint": "oxlint -c=./.oxlintrc.json --ignore-path=./.prettierignore --tsconfig=./tsconfig.json .",
     "lint:fix": "npm run lint -- --fix && npm run lint:fix:fast",
     "lint:fix:fast": "prettier --cache --log-level warn --write .",
     "prepare": "husky",
@@ -40,7 +40,7 @@
   },
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
-    "@cyclonedx/cdxgen": "^10.10.7",
+    "@cyclonedx/cdxgen": "^10.11.0",
     "@inquirer/prompts": "^7.0.1",
     "@npmcli/package-json": "6.0.1",
     "@npmcli/promise-spawn": "^8.0.2",
@@ -103,29 +103,31 @@
     "@types/micromatch": "^4.0.9",
     "@types/mocha": "^10.0.9",
     "@types/mock-fs": "^4.13.4",
-    "@types/node": "^22.8.1",
+    "@types/node": "^22.8.6",
     "@types/npmcli__arborist": "^5.6.11",
     "@types/npmcli__package-json": "^4.0.4",
     "@types/npmcli__promise-spawn": "^6.0.3",
+    "@types/proc-log": "^3.0.4",
     "@types/semver": "^7.5.8",
     "@types/update-notifier": "^6.0.8",
     "@types/which": "^3.0.4",
     "@types/yargs-parser": "^21.0.3",
-    "@typescript-eslint/eslint-plugin": "^8.12.0",
-    "@typescript-eslint/parser": "^8.12.0",
+    "@typescript-eslint/eslint-plugin": "^8.12.2",
+    "@typescript-eslint/parser": "^8.12.2",
     "c8": "^10.1.2",
     "chalk": "^5.3.0",
     "eslint": "^9.13.0",
     "eslint-plugin-depend": "^0.11.0",
-    "eslint-plugin-n": "^17.11.1",
+    "eslint-plugin-n": "^17.12.0",
+    "eslint-plugin-sort-destructure-keys": "^2.0.0",
     "eslint-plugin-unicorn": "^56.0.0",
     "husky": "^9.1.6",
     "is-interactive": "^2.0.0",
     "is-unicode-supported": "^2.1.0",
-    "knip": "^5.34.2",
+    "knip": "^5.36.1",
     "magic-string": "^0.30.12",
     "meow": "^13.2.0",
-    "mock-fs": "^5.4.0",
+    "mock-fs": "^5.4.1",
     "nock": "^13.5.5",
     "normalize-package-data": "^7.0.0",
     "npm-run-all2": "^7.0.1",
@@ -134,13 +136,13 @@
     "oxlint": "0.10.3",
     "prettier": "3.3.3",
     "read-package-up": "^11.0.0",
-    "rollup": "4.24.2",
+    "rollup": "4.24.3",
     "rollup-plugin-ts": "^3.4.5",
     "tap": "^21.0.1",
     "terminal-link": "^3.0.0",
     "type-coverage": "^2.29.7",
     "typescript": "5.4.5",
-    "typescript-eslint": "^8.12.0",
+    "typescript-eslint": "^8.12.2",
     "unplugin-purge-polyfills": "^0.0.7",
     "update-notifier": "^7.3.1",
     "validate-npm-package-name": "^6.0.0"