socket 0.14.96 → 0.14.98

package/dist/module-sync/cli.js

@@ -35,6 +35,7 @@ const arrays = require('@socketsecurity/registry/lib/arrays')
 const registry = require('@socketsecurity/registry')
 const npm = require('@socketsecurity/registry/lib/npm')
 const packages = require('@socketsecurity/registry/lib/packages')
+const packageurlJs = require('@socketregistry/packageurl-js')
 const spawn = require('@socketsecurity/registry/lib/spawn')
 const index_cjs = require('@socketregistry/hyrious__bun.lockb/index.cjs')
 const sorts = require('@socketsecurity/registry/lib/sorts')
@@ -899,7 +900,7 @@ function emitBanner(name) {
   logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-  const cliVersion = '0.14.96:b940b80:4d1e4dd0:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  const cliVersion = '0.14.98:34de472:e54f91d7:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
   const nodeVersion = process$1.version
   const apiToken = shadowNpmInject.getDefaultToken()
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no'
@@ -1356,7 +1357,7 @@ async function runCycloneDX(yargvWithYes) {
         await shadowBin(NPX$3, [
           ...yesArgs,
           // The '@rollup/plugin-replace' will replace "process.env['INLINED_SYNP_VERSION']".
-          `synp@${'^1.9.14'}`,
+          `synp@${'1.9.14'}`,
           '--source-file',
           `./${YARN_LOCK}`
         ])
@@ -1368,7 +1369,7 @@ async function runCycloneDX(yargvWithYes) {
   await shadowBin(NPX$3, [
     ...yesArgs,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']".
-    `@cyclonedx/cdxgen@${'^11.2.3'}`,
+    `@cyclonedx/cdxgen@${'11.2.3'}`,
     ...argvToArray(yargv)
   ])
   if (cleanupPackageLock) {
@@ -3701,6 +3702,26 @@ const cmdDiffScan = {
 }
 
 const { GITHUB_REF_NAME } = constants
+function formatBranchName(str) {
+  return str.replace(/[-_.]+/g, '-').replace(/[-a-zA-Z0-9]+/g, '') ?? ''
+}
+function getPkgNameFromPurlObj(purlObj) {
+  return `${purlObj.namespace ? `${purlObj.namespace}/` : ''}${purlObj.name}`
+}
+async function branchExists(branch, cwd = process.cwd()) {
+  try {
+    await spawn.spawn(
+      'git',
+      ['show-ref', '--verify', '--quiet', `refs/heads/${branch}`],
+      {
+        cwd,
+        stdio: 'ignore'
+      }
+    )
+    return true
+  } catch {}
+  return false
+}
 async function checkoutBaseBranchIfAvailable(baseBranch, cwd = process.cwd()) {
   try {
     await spawn.spawn('git', ['checkout', baseBranch], {
@@ -3716,6 +3737,29 @@ async function checkoutBaseBranchIfAvailable(baseBranch, cwd = process.cwd()) {
     )
   }
 }
+async function createAndPushBranchIfNeeded(
+  branch,
+  commitMsg,
+  cwd = process.cwd()
+) {
+  if (await branchExists(branch, cwd)) {
+    logger.logger.warn(`Branch "${branch}" already exists. Skipping creation.`)
+    return false
+  }
+  await spawn.spawn('git', ['checkout', '-b', branch], {
+    cwd
+  })
+  await spawn.spawn('git', ['add', 'package.json', 'pnpm-lock.yaml'], {
+    cwd
+  })
+  await spawn.spawn('git', ['commit', '-m', commitMsg], {
+    cwd
+  })
+  await spawn.spawn('git', ['push', '--set-upstream', 'origin', branch], {
+    cwd
+  })
+  return true
+}
 function getBaseBranch() {
   // Lazily access constants.ENV[GITHUB_REF_NAME].
   return (
@@ -3725,8 +3769,28 @@ function getBaseBranch() {
     'main'
   )
 }
-function getSocketBranchName(name, version) {
-  return `socket-fix-${name}-${version.replace(/\./g, '-')}`
+function getSocketBranchName(purl, toVersion) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const namespace = formatBranchName(purlObj.namespace ?? '')
+  const name = formatBranchName(purlObj.name)
+  const version = formatBranchName(toVersion)
+  const fullName = `${namespace ? `${namespace}-` : ''}${name}`
+  return `socket-fix-${fullName}-${version}`
+}
+function getSocketPullRequestTitle(purl, toVersion) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const pkgName = getPkgNameFromPurlObj(purlObj)
+  return `Bump ${pkgName} from ${purlObj.version} to ${toVersion}`
+}
+function getSocketPullRequestBody(purl, toVersion) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const pkgName = getPkgNameFromPurlObj(purlObj)
+  return `Bumps [${pkgName}](https://socket.dev/${purlObj.type}/package/${pkgName}) from ${purlObj.version} to ${toVersion}.`
+}
+function getSocketCommitMessage(purl, toVersion) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const pkgName = getPkgNameFromPurlObj(purlObj)
+  return `socket: Bump ${pkgName} from ${purlObj.version} to ${toVersion}`
 }
 
 const { GITHUB_ACTIONS, GITHUB_REPOSITORY, SOCKET_SECURITY_GITHUB_PAT } =
@@ -3741,6 +3805,18 @@ function getOctokit() {
   }
   return _octokit
 }
+let _octokitGraphql
+function getOctokitGraphql() {
+  if (!_octokitGraphql) {
+    _octokitGraphql = vendor.graphql2.defaults({
+      headers: {
+        // Lazily access constants.ENV[SOCKET_SECURITY_GITHUB_PAT].
+        authorization: `token ${constants.ENV[SOCKET_SECURITY_GITHUB_PAT]}`
+      }
+    })
+  }
+  return _octokitGraphql
+}
 async function doesPullRequestExistForBranch(owner, repo, branch) {
   const octokit = getOctokit()
   const { data: prs } = await octokit.pulls.list({
@@ -3751,11 +3827,10 @@ async function doesPullRequestExistForBranch(owner, repo, branch) {
   })
   return prs.length > 0
 }
-async function enableAutoMerge(prResponseData) {
-  const octokit = getOctokit()
-  const { node_id: prId, number: prNumber } = prResponseData
+async function enableAutoMerge({ node_id: prId, number: prNumber }) {
+  const octokitGraphql = getOctokitGraphql()
   try {
-    await octokit.graphql(
+    await octokitGraphql(
       `
       mutation EnableAutoMerge($pullRequestId: ID!) {
         enablePullRequestAutoMerge(input: {
@@ -3776,16 +3851,23 @@ async function enableAutoMerge(prResponseData) {
       }
     )
     logger.logger.info(`Auto-merge enabled for PR #${prNumber}`)
+    return true
   } catch (e) {
-    logger.logger.error(`Failed to enable auto-merge for PR #${prNumber}:`, e)
+    let message = `Failed to enable auto-merge for PR #${prNumber}`
+    if (e instanceof vendor.GraphqlResponseError && e.errors) {
+      const details = e.errors.map(({ message }) => ` - ${message}`).join('\n')
+      message += `:\n${details}`
+    }
+    logger.logger.error(message)
+    return false
   }
 }
-function getGitHubRepoInfo() {
+function getGitHubEnvRepoInfo() {
   // Lazily access constants.ENV[GITHUB_REPOSITORY].
   const ownerSlashRepo = constants.ENV[GITHUB_REPOSITORY]
   const slashIndex = ownerSlashRepo.indexOf('/')
   if (slashIndex === -1) {
-    throw new Error('GITHUB_REPOSITORY environment variable not set')
+    throw new Error('Missing GITHUB_REPOSITORY environment variable')
   }
   return {
     owner: ownerSlashRepo.slice(0, slashIndex),
@@ -3797,8 +3879,8 @@ async function openGitHubPullRequest(
   repo,
   baseBranch,
   branch,
-  name,
-  version,
+  purl,
+  toVersion,
   cwd = process.cwd()
 ) {
   // Lazily access constants.ENV[GITHUB_ACTIONS].
@@ -3813,19 +3895,34 @@ async function openGitHubPullRequest(
       cwd
     })
     const octokit = getOctokit()
-    return await octokit.pulls.create({
-      owner,
-      repo,
-      title: `chore: upgrade ${name} to ${version}`,
-      head: branch,
-      base: baseBranch,
-      body: `[socket] Upgrade \`${name}\` to ${version}`
-    })
-  } else {
-    throw new Error(
-      'Unsupported CI platform or missing GITHUB_ACTIONS environment variable'
-    )
+    try {
+      return await octokit.pulls.create({
+        owner,
+        repo,
+        title: getSocketPullRequestTitle(purl, toVersion),
+        head: branch,
+        base: baseBranch,
+        body: getSocketPullRequestBody(purl, toVersion)
+      })
+    } catch (e) {
+      let message = `Failed to open pull request`
+      if (e instanceof vendor.RequestError) {
+        const restErrors = e.response?.data?.['errors']
+        if (Array.isArray(restErrors)) {
+          const details = restErrors
+            .map(
+              restErr =>
+                `- ${restErr.message ?? `${restErr.resource}.${restErr.field} (${restErr.code})`}`
+            )
+            .join('\n')
+          message += `:\n${details}`
+        }
+      }
+      logger.logger.error(message)
+      return null
+    }
   }
+  throw new Error('Missing GITHUB_ACTIONS environment variable')
 }
 
 const { CI: CI$1, NPM: NPM$f } = constants
@@ -3891,7 +3988,9 @@ async function npmFix(
     for (const spec of specs) {
       const lastAtSignIndex = spec.lastIndexOf('@')
       const name = spec.slice(0, lastAtSignIndex)
-      const oldVersion = spec.slice(lastAtSignIndex + 1)
+      const fromVersion = spec.slice(lastAtSignIndex + 1)
+      const fromSpec = `${name}@${fromVersion}`
+      const fromPurl = `pkg:npm/${fromSpec}`
       for (const {
         firstPatchedVersionIdentifier,
         vulnerableVersionRange
@@ -3903,20 +4002,39 @@ async function npmFix(
         const node = shadowNpmInject.findPackageNode(
           arb.idealTree,
           name,
-          oldVersion
+          fromVersion
         )
         if (!node) {
           continue
         }
-        const oldSpec = `${name}@${oldVersion}`
         if (
           !shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
         ) {
-          spinner?.failAndStop(`Could not patch ${oldSpec}`)
+          spinner?.failAndStop(`Could not patch ${fromSpec}`)
           return
         }
-        const targetVersion = node.package.version
-        const fixSpec = `${name}@^${targetVersion}`
+        const toVersion = node.package.version
+        const toVersionRange = shadowNpmInject.applyRange(
+          fromVersion,
+          toVersion,
+          rangeStyle
+        )
+        const toSpec = `${name}@${toVersionRange}`
+        let branch
+        let owner
+        let repo
+        let shouldOpenPr = false
+        // Lazily access constants.ENV[CI].
+        if (constants.ENV[CI$1]) {
+          ;({ owner, repo } = getGitHubEnvRepoInfo())
+          branch = getSocketBranchName(name, toVersion)
+          // eslint-disable-next-line no-await-in-loop
+          shouldOpenPr = !(await doesPullRequestExistForBranch(
+            owner,
+            repo,
+            branch
+          ))
+        }
         const revertData = {
           ...(editablePkgJson.content.dependencies
             ? {
@@ -3935,10 +4053,8 @@ async function npmFix(
               }
             : undefined)
         }
-        spinner?.info(`Installing ${fixSpec}`)
-        const { owner, repo } = getGitHubRepoInfo()
+        spinner?.info(`Installing ${toSpec}`)
         const baseBranch = getBaseBranch()
-        const branch = getSocketBranchName(name, targetVersion)
 
         // eslint-disable-next-line no-await-in-loop
         await checkoutBaseBranchIfAvailable(baseBranch, cwd)
@@ -3949,7 +4065,7 @@ async function npmFix(
             editablePkgJson,
             arb.idealTree,
             node,
-            targetVersion,
+            toVersion,
             rangeStyle
           )
           // eslint-disable-next-line no-await-in-loop
@@ -3962,7 +4078,7 @@ async function npmFix(
           })
           installed = true
           if (test) {
-            spinner?.info(`Testing ${fixSpec}`)
+            spinner?.info(`Testing ${toSpec}`)
             // eslint-disable-next-line no-await-in-loop
             await npm.runScript(testScript, [], {
               spinner,
@@ -3972,7 +4088,7 @@ async function npmFix(
           spinner?.successAndStop(`Fixed ${name}`)
           spinner?.start()
         } catch {
-          spinner?.error(`Reverting ${fixSpec}`)
+          spinner?.error(`Reverting ${toSpec}`)
           if (saved) {
             editablePkgJson.update(revertData)
             // eslint-disable-next-line no-await-in-loop
@@ -3984,40 +4100,29 @@ async function npmFix(
               cwd
             })
           }
-          spinner?.failAndStop(`Failed to fix ${oldSpec}`)
+          spinner?.failAndStop(`Failed to fix ${fromSpec}`)
           return
         }
-        if (
-          // Lazily access constants.ENV[CI].
-          constants.ENV[CI$1] &&
+        if (shouldOpenPr) {
           // eslint-disable-next-line no-await-in-loop
-          !(await doesPullRequestExistForBranch(owner, repo, branch))
-        ) {
-          let prResponse
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            prResponse = await openGitHubPullRequest(
-              owner,
-              repo,
-              baseBranch,
-              branch,
-              name,
-              targetVersion,
-              cwd
-            )
-          } catch (e) {
-            logger.logger.error('Failed to open pull request', e)
-          }
+          await createAndPushBranchIfNeeded(
+            branch,
+            getSocketCommitMessage(fromPurl, toVersion),
+            cwd
+          )
+          // eslint-disable-next-line no-await-in-loop
+          const prResponse = await openGitHubPullRequest(
+            owner,
+            repo,
+            baseBranch,
+            branch,
+            fromPurl,
+            toVersion,
+            cwd
+          )
           if (prResponse && autoMerge) {
-            try {
-              // eslint-disable-next-line no-await-in-loop
-              await enableAutoMerge(prResponse.data)
-            } catch (e) {
-              logger.logger.error(
-                'Failed to enable auto-merge in pull request',
-                e
-              )
-            }
+            // eslint-disable-next-line no-await-in-loop
+            await enableAutoMerge(prResponse.data)
           }
         }
       }
@@ -4292,7 +4397,9 @@ async function pnpmFix(
     for (const spec of specs) {
       const lastAtSignIndex = spec.lastIndexOf('@')
       const name = spec.slice(0, lastAtSignIndex)
-      const oldVersion = spec.slice(lastAtSignIndex + 1)
+      const fromVersion = spec.slice(lastAtSignIndex + 1)
+      const fromSpec = `${name}@${fromVersion}`
+      const fromPurl = `pkg:npm/${fromSpec}`
       for (const {
         firstPatchedVersionIdentifier,
         vulnerableVersionRange
@@ -4300,23 +4407,22 @@ async function pnpmFix(
         const node = shadowNpmInject.findPackageNode(
           actualTree,
           name,
-          oldVersion
+          fromVersion
         )
         if (!node) {
           continue
         }
-        const oldSpec = `${name}@${oldVersion}`
         const availableVersions = Object.keys(packument.versions)
-        const targetVersion = shadowNpmInject.findBestPatchVersion(
+        const toVersion = shadowNpmInject.findBestPatchVersion(
           node,
           availableVersions,
           vulnerableVersionRange
         )
-        const targetPackument = targetVersion
-          ? packument.versions[targetVersion]
+        const targetPackument = toVersion
+          ? packument.versions[toVersion]
           : undefined
-        if (!(targetVersion && targetPackument)) {
-          spinner?.failAndStop(`Could not patch ${oldSpec}`)
+        if (!(toVersion && targetPackument)) {
+          spinner?.failAndStop(`Could not patch ${fromSpec}`)
           return
         }
         const oldPnpm = editablePkgJson.content[PNPM$9]
@@ -4325,18 +4431,33 @@ async function pnpmFix(
         const oldOverridesCount = oldOverrides
           ? Object.keys(oldOverrides).length
           : 0
-        const overrideKey = `${node.name}@${vulnerableVersionRange}`
-        const overrideRange = shadowNpmInject.applyRange(
-          oldOverrides?.[overrideKey] ?? targetVersion,
-          targetVersion,
+        const overrideKey = `${name}@${vulnerableVersionRange}`
+        const toVersionRange = shadowNpmInject.applyRange(
+          oldOverrides?.[overrideKey] ?? fromVersion,
+          toVersion,
           rangeStyle
         )
-        const fixSpec = `${name}@${overrideRange}`
+        const toSpec = `${name}@${toVersionRange}`
+        let branch
+        let owner
+        let repo
+        let shouldOpenPr = false
+        // Lazily access constants.ENV[CI].
+        if (constants.ENV[CI]) {
+          ;({ owner, repo } = getGitHubEnvRepoInfo())
+          branch = getSocketBranchName(name, toVersion)
+          // eslint-disable-next-line no-await-in-loop
+          shouldOpenPr = !(await doesPullRequestExistForBranch(
+            owner,
+            repo,
+            branch
+          ))
+        }
         const updateData = {
           [PNPM$9]: {
             ...oldPnpm,
             [OVERRIDES$2]: {
-              [overrideKey]: overrideRange,
+              [overrideKey]: toVersionRange,
               ...oldOverrides
             }
           }
@@ -4371,10 +4492,8 @@ async function pnpmFix(
               }
             : undefined)
         }
-        spinner?.info(`Installing ${fixSpec}`)
-        const { owner, repo } = getGitHubRepoInfo()
+        spinner?.info(`Installing ${toSpec}`)
         const baseBranch = getBaseBranch()
-        const branch = getSocketBranchName(name, targetVersion)
 
         // eslint-disable-next-line no-await-in-loop
         await checkoutBaseBranchIfAvailable(baseBranch, cwd)
@@ -4386,7 +4505,7 @@ async function pnpmFix(
             editablePkgJson,
             actualTree,
             node,
-            targetVersion,
+            toVersion,
             rangeStyle
           )
           // eslint-disable-next-line no-await-in-loop
@@ -4399,7 +4518,7 @@ async function pnpmFix(
           })
           installed = true
           if (test) {
-            spinner?.info(`Testing ${fixSpec}`)
+            spinner?.info(`Testing ${toSpec}`)
             // eslint-disable-next-line no-await-in-loop
             await npm.runScript(testScript, [], {
               spinner,
@@ -4409,7 +4528,7 @@ async function pnpmFix(
           spinner?.successAndStop(`Fixed ${name}`)
           spinner?.start()
         } catch (e) {
-          spinner?.error(`Reverting ${fixSpec}`, e)
+          spinner?.error(`Reverting ${toSpec}`, e)
           if (saved) {
             editablePkgJson.update(revertData)
             // eslint-disable-next-line no-await-in-loop
@@ -4421,40 +4540,29 @@ async function pnpmFix(
               spinner
             })
           }
-          spinner?.failAndStop(`Failed to fix ${oldSpec}`)
+          spinner?.failAndStop(`Failed to fix ${fromSpec}`)
           return
         }
-        if (
-          // Lazily access constants.ENV[CI].
-          constants.ENV[CI] &&
+        if (shouldOpenPr) {
           // eslint-disable-next-line no-await-in-loop
-          !(await doesPullRequestExistForBranch(owner, repo, branch))
-        ) {
-          let prResponse
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            prResponse = await openGitHubPullRequest(
-              owner,
-              repo,
-              baseBranch,
-              branch,
-              name,
-              targetVersion,
-              cwd
-            )
-          } catch (e) {
-            logger.logger.error('Failed to open pull request', e)
-          }
+          await createAndPushBranchIfNeeded(
+            branch,
+            getSocketCommitMessage(fromPurl, toVersion),
+            cwd
+          )
+          // eslint-disable-next-line no-await-in-loop
+          const prResponse = await openGitHubPullRequest(
+            owner,
+            repo,
+            baseBranch,
+            branch,
+            fromPurl,
+            toVersion,
+            cwd
+          )
           if (prResponse && autoMerge) {
-            try {
-              // eslint-disable-next-line no-await-in-loop
-              await enableAutoMerge(prResponse.data)
-            } catch (e) {
-              logger.logger.error(
-                'Failed to enable auto-merge in pull request',
-                e
-              )
-            }
+            // eslint-disable-next-line no-await-in-loop
+            await enableAutoMerge(prResponse.data)
           }
         }
       }
@@ -11376,7 +11484,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: '0.14.96',
+    version: '0.14.98',
     ttl: 86_400_000 /* 24 hours in milliseconds */
   })
   try {
@@ -11444,5 +11552,5 @@ void (async () => {
     await shadowNpmInject.captureException(e)
   }
 })()
-//# debugId=c17c1611-cf3e-4a35-ac26-b683d683981a
+//# debugId=1769a14b-3357-49bc-b674-3e9970c2763e
 //# sourceMappingURL=cli.js.map