socket 0.14.76 → 0.14.78

package/dist/module-sync/package-environment.d.ts

@@ -11,9 +11,6 @@ declare const AGENTS: readonly [
   'vlt'
 ]
 type Agent = (typeof AGENTS)[number]
-type StringKeyValueObject = {
-  [key: string]: string
-}
 type DetectOptions = {
   cwd?: string | undefined
   onUnknown?: (pkgManager: string | undefined) => void
@@ -77,7 +74,6 @@ declare function detectAndValidatePackageEnvironment(
 export {
   AGENTS,
   Agent,
-  StringKeyValueObject,
   DetectOptions,
   EnvDetails,
   PartialEnvDetails,

package/dist/module-sync/shadow-npm-inject.js

@@ -406,7 +406,7 @@ async function setupSdk(
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
       name: 'socket',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: '0.14.76',
+      version: '0.14.78',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
       homepage: 'https://github.com/SocketDev/socket-cli'
     })
@@ -1843,7 +1843,31 @@ function findBestPatchVersion(
   }
   return semver.maxSatisfying(eligibleVersions, '*')
 }
-function findPackageNodes(tree, packageName) {
+function findPackageNode(tree, name, version) {
+  const queue = [
+    {
+      node: tree
+    }
+  ]
+  let sentinel = 0
+  while (queue.length) {
+    if (sentinel++ === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop in findPackageNodes')
+    }
+    const { node: currentNode } = queue.pop()
+    const node = currentNode.children.get(name)
+    if (node && (typeof version !== 'string' || node.version === version)) {
+      return node
+    }
+    const children = [...currentNode.children.values()]
+    for (let i = children.length - 1; i >= 0; i -= 1) {
+      queue.push({
+        node: children[i]
+      })
+    }
+  }
+}
+function findPackageNodes(tree, name, version) {
   const queue = [
     {
       node: tree
@@ -1856,8 +1880,8 @@ function findPackageNodes(tree, packageName) {
       throw new Error('Detected infinite loop in findPackageNodes')
     }
     const { node: currentNode } = queue.pop()
-    const node = currentNode.children.get(packageName)
-    if (node) {
+    const node = currentNode.children.get(name)
+    if (node && 'undefined' !== 'string') {
       matches.push(node)
     }
     const children = [...currentNode.children.values()]
@@ -1878,6 +1902,7 @@ async function getAlertsMapFromArborist(arb, options_) {
   }
   const include = {
     __proto__: null,
+    actions: undefined,
     blocked: true,
     critical: true,
     cve: true,
@@ -1924,7 +1949,16 @@ async function getAlertsMapFromArborist(arb, options_) {
     {
       alerts: 'true',
       compact: 'true',
-      fixable: include.unfixable ? 'false' : 'true'
+      ...(include.actions
+        ? {
+            actions: include.actions.join(',')
+          }
+        : {}),
+      ...(include.unfixable
+        ? {}
+        : {
+            fixable: 'true'
+          })
     },
     {
       components: pkgIds.map(id => ({
@@ -1954,6 +1988,9 @@ async function getAlertsMapFromArborist(arb, options_) {
   spinner?.stop()
   return alertsByPkgId
 }
+function isTopLevel(tree, node) {
+  return tree.children.get(node.name) === node
+}
 function updateNode(
   node,
   packument,
@@ -1975,27 +2012,33 @@ function updateNode(
     // No suitable patch version found.
     return false
   }
-  // Use Object.defineProperty to override the version.
+  // Object.defineProperty is needed to set the version property and replace
+  // the old value with targetVersion.
   Object.defineProperty(node, 'version', {
     configurable: true,
     enumerable: true,
     get: () => targetVersion
   })
+  // Update package.version associated with the node.
   node.package.version = targetVersion
-  // Update resolved and clear integrity for the new version.
+  // Update node.resolved.
   const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${node.name}`)
   node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${targetVersion}.tgz`
+  // Update node.integrity with the targetPackument.dist.integrity value if available
+  // else delete node.integrity so a new value is resolved for the target version.
   const { integrity } = targetPackument.dist
   if (integrity) {
     node.integrity = integrity
   } else {
     delete node.integrity
   }
-  if ('deprecated' in targetPackument) {
+  // Update node.package.deprecated based on targetPackument.deprecated.
+  if (objects.hasOwn(targetPackument, 'deprecated')) {
     node.package['deprecated'] = targetPackument.deprecated
   } else {
     delete node.package['deprecated']
   }
+  // Update node.package.dependencies.
   const newDeps = {
     ...targetPackument.dependencies
   }
@@ -2004,12 +2047,16 @@ function updateNode(
   if (oldDeps) {
     for (const oldDepName of Object.keys(oldDeps)) {
       if (!objects.hasOwn(newDeps, oldDepName)) {
+        // Detach old edges for dependencies that don't exist on the updated
+        // node.package.dependencies.
         node.edgesOut.get(oldDepName)?.detach()
       }
     }
   }
   for (const newDepName of Object.keys(newDeps)) {
     if (!objects.hasOwn(oldDeps, newDepName)) {
+      // Add new edges for dependencies that don't exist on the old
+      // node.package.dependencies.
       node.addEdgeOut(
         new Edge({
           from: node,
@@ -2022,6 +2069,30 @@ function updateNode(
   }
   return true
 }
+function updatePackageJsonFromNode(editablePkgJson, tree, node) {
+  if (isTopLevel(tree, node)) {
+    const { name, version } = node
+    for (const depField of [
+      'dependencies',
+      'optionalDependencies',
+      'peerDependencies'
+    ]) {
+      const oldValue = editablePkgJson.content[depField]
+      if (oldValue) {
+        const oldVersion = oldValue[name]
+        if (oldVersion) {
+          const rangeDecorator = /^[~^]/.exec(oldVersion)?.[0] ?? ''
+          editablePkgJson.update({
+            [depField]: {
+              ...oldValue,
+              [name]: `${rangeDecorator}${version}`
+            }
+          })
+        }
+      }
+    }
+  }
+}
 
 const {
   NPM,
@@ -2103,6 +2174,10 @@ class SafeArborist extends Arborist {
       // @ts-ignore: TS gets grumpy about rest parameters.
       ...args.slice(1)
     )
+    // Lazily access constants.ENV[SOCKET_CLI_ACCEPT_RISKS].
+    const acceptRisks = constants.ENV[SOCKET_CLI_ACCEPT_RISKS]
+    // Lazily access constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS].
+    const viewAllRisks = constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS]
     const progress = ipc[SOCKET_CLI_SAFE_PROGRESS]
     const spinner =
       options['silent'] || !progress
@@ -2114,14 +2189,13 @@ class SafeArborist extends Arborist {
     const alertsMap = await getAlertsMapFromArborist(this, {
       spinner,
       include:
-        options.dryRun ||
-        options['yes'] ||
-        // Lazily access constants.ENV[SOCKET_CLI_ACCEPT_RISKS].
-        constants.ENV[SOCKET_CLI_ACCEPT_RISKS]
+        acceptRisks || options.dryRun || options['yes']
           ? {
+              actions: ['error'],
               blocked: true,
               critical: false,
               cve: false,
+              existing: true,
               unfixable: false
             }
           : {
@@ -2132,17 +2206,16 @@ class SafeArborist extends Arborist {
     if (alertsMap.size) {
       process$1.exitCode = 1
       logAlertsMap(alertsMap, {
-        // Lazily access constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS].
-        hideAt: constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS] ? 'none' : 'middle',
+        hideAt: viewAllRisks ? 'none' : 'middle',
         output: process$1.stderr
       })
       throw new Error(commonTags.stripIndents`
-          Socket ${binName} exiting due to risks.
-          View all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.
-          Accept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.
+          Socket ${binName} exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`}
         `)
     } else if (!options['silent']) {
-      logger.logger.success(`Socket ${binName} found no risks!`)
+      logger.logger.success(
+        `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'} risks`
+      )
       if (binName === NPX) {
         logger.logger.log(`Running ${options.add[0]}`)
       }
@@ -2182,6 +2255,7 @@ exports.SafeArborist = SafeArborist
 exports.addArtifactToAlertsMap = addArtifactToAlertsMap
 exports.captureException = captureException
 exports.findBestPatchVersion = findBestPatchVersion
+exports.findPackageNode = findPackageNode
 exports.findPackageNodes = findPackageNodes
 exports.findUp = findUp
 exports.formatSeverityCount = formatSeverityCount
@@ -2204,5 +2278,6 @@ exports.setupSdk = setupSdk
 exports.supportedConfigKeys = supportedConfigKeys
 exports.updateConfigValue = updateConfigValue
 exports.updateNode = updateNode
-//# debugId=184afe6f-ae08-4fa9-98b6-92378d5c76d3
+exports.updatePackageJsonFromNode = updatePackageJsonFromNode
+//# debugId=dcc0e27e-3ad3-4dc2-8bf7-0175bc0f49f3
 //# sourceMappingURL=shadow-npm-inject.js.map