socket 1.1.1 → 1.1.3

package/dist/cli.js

@@ -25,6 +25,7 @@ var registry = require('../external/@socketsecurity/registry');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
+var require$$0$1 = require('node:crypto');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -3716,68 +3717,27 @@ const cmdFix = {
   hidden: hidden$q,
   run: run$I
 };
-async function run$I(argv, importMeta, {
-  parentName
-}) {
-  const config = {
-    commandName: CMD_NAME$r,
-    description: description$x,
-    hidden: hidden$q,
-    flags: {
-      ...flags.commonFlags,
-      ...flags.outputFlags,
-      autoMerge: {
-        type: 'boolean',
-        default: false,
-        description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
-      },
-      autopilot: {
-        type: 'boolean',
-        default: false,
-        description: `Shorthand for --auto-merge --test`,
-        hidden: true
-      },
-      id: {
-        type: 'string',
-        default: [],
-        description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
-        isMultiple: true
-      },
-      limit: {
-        type: 'number',
-        default: DEFAULT_LIMIT,
-        description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
-      },
-      maxSatisfying: {
-        type: 'boolean',
-        default: true,
-        description: 'Use the maximum satisfying version for dependency updates',
-        hidden: true
-      },
-      minSatisfying: {
-        type: 'boolean',
-        default: false,
-        description: 'Constrain dependency updates to the minimum satisfying version',
-        hidden: true
-      },
-      prCheck: {
-        type: 'boolean',
-        default: true,
-        description: 'Check for an existing PR before attempting a fix',
-        hidden: true
-      },
-      purl: {
-        type: 'string',
-        default: [],
-        description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\nmultiple flags, instead of querying the Socket API`,
-        isMultiple: true,
-        shortFlag: 'p',
-        hidden: true
-      },
-      rangeStyle: {
-        type: 'string',
-        default: 'preserve',
-        description: `
+const generalFlags$2 = {
+  autoMerge: {
+    type: 'boolean',
+    default: false,
+    description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
+  },
+  id: {
+    type: 'string',
+    default: [],
+    description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+    isMultiple: true
+  },
+  limit: {
+    type: 'number',
+    default: DEFAULT_LIMIT,
+    description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
+  },
+  rangeStyle: {
+    type: 'string',
+    default: 'preserve',
+    description: `
 Define how dependency version ranges are updated in package.json (default 'preserve').
 Available styles:
   * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
@@ -3789,19 +3749,70 @@ Available styles:
   * preserve - Retain the existing version range style as-is
   * tilde - Use ~ range for patch/minor updates (e.g. ~1.2.3)
       `.trim()
-      },
-      test: {
-        type: 'boolean',
-        default: false,
-        description: 'Verify the fix by running unit tests',
-        hidden: true
-      },
-      testScript: {
-        type: 'string',
-        default: 'test',
-        description: "The test script to run for fix attempts (default 'test')",
-        hidden: true
-      }
+  }
+};
+const hiddenFlags = {
+  autopilot: {
+    type: 'boolean',
+    default: false,
+    description: `Shorthand for --auto-merge --test`,
+    hidden: true
+  },
+  ghsa: {
+    ...generalFlags$2['id'],
+    hidden: true
+  },
+  maxSatisfying: {
+    type: 'boolean',
+    default: true,
+    description: 'Use the maximum satisfying version for dependency updates',
+    hidden: true
+  },
+  minSatisfying: {
+    type: 'boolean',
+    default: false,
+    description: 'Constrain dependency updates to the minimum satisfying version',
+    hidden: true
+  },
+  prCheck: {
+    type: 'boolean',
+    default: true,
+    description: 'Check for an existing PR before attempting a fix',
+    hidden: true
+  },
+  purl: {
+    type: 'string',
+    default: [],
+    description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\nmultiple flags`,
+    isMultiple: true,
+    shortFlag: 'p',
+    hidden: true
+  },
+  test: {
+    type: 'boolean',
+    default: false,
+    description: 'Verify the fix by running unit tests',
+    hidden: true
+  },
+  testScript: {
+    type: 'string',
+    default: 'test',
+    description: "The test script to run for fix attempts (default 'test')",
+    hidden: true
+  }
+};
+async function run$I(argv, importMeta, {
+  parentName
+}) {
+  const config = {
+    commandName: CMD_NAME$r,
+    description: description$x,
+    hidden: hidden$q,
+    flags: {
+      ...flags.commonFlags,
+      ...flags.outputFlags,
+      ...generalFlags$2,
+      ...hiddenFlags
     },
     help: (command, config) => `
     Usage
@@ -3889,7 +3900,7 @@ Available styles:
   // We patched in this feature with `npx custompatch meow` at
   // socket-cli/patches/meow#13.2.0.patch.
   const unknownFlags = cli.unknownFlags ?? [];
-  const ghsas = utils.cmdFlagValueToArray(cli.flags['ghsa']);
+  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa'])]);
   const limit = Number(cli.flags['limit']) || DEFAULT_LIMIT;
   const maxSatisfying = Boolean(cli.flags['maxSatisfying']);
   const minSatisfying = Boolean(cli.flags['minSatisfying']) || !maxSatisfying;
@@ -8662,6 +8673,30 @@ const cmdPackage = {
   }
 };
 
+const PatchRecordSchema = vendor.object({
+  exportedAt: vendor.string(),
+  files: vendor.record(vendor.string(),
+  // File path
+  vendor.object({
+    beforeHash: vendor.string(),
+    afterHash: vendor.string()
+  })),
+  vulnerabilities: vendor.record(vendor.string(),
+  // Vulnerability ID like "GHSA-jrhj-2j3q-xf3v"
+  vendor.object({
+    cves: vendor.array(vendor.string()),
+    summary: vendor.string(),
+    severity: vendor.string(),
+    description: vendor.string(),
+    patchExplanation: vendor.string()
+  }))
+});
+const PatchManifestSchema = vendor.object({
+  patches: vendor.record(
+  // Package identifier like "npm:simplehttpserver@0.0.6".
+  vendor.string(), PatchRecordSchema)
+});
+
 async function outputPatchResult(result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -8689,21 +8724,221 @@ async function outputPatchResult(result, outputKind) {
   logger.logger.success('Patch command completed!');
 }
 
+async function applyNPMPatches(patches, dryRun, socketDir, packages) {
+  const patchLookup = new Map();
+  for (const patchInfo of patches) {
+    const {
+      purl
+    } = patchInfo;
+    const fullName = purl.namespace ? `@${purl.namespace}/${purl.name}` : purl.name;
+    const lookupKey = `${fullName}@${purl.version}`;
+    patchLookup.set(lookupKey, patchInfo);
+  }
+  const nodeModulesFolders = await findNodeModulesFolders(process.cwd());
+  logger.logger.log(`Found ${nodeModulesFolders.length} node_modules folders`);
+  for (const nodeModulesPath of nodeModulesFolders) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      const entries = await fs$1.promises.readdir(nodeModulesPath);
+      for (const entry of entries) {
+        const entryPath = path.join(nodeModulesPath, entry);
+        if (entry.startsWith('@')) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            const scopedEntries = await fs$1.promises.readdir(entryPath);
+            for (const scopedEntry of scopedEntries) {
+              const packagePath = path.join(entryPath, scopedEntry);
+              // eslint-disable-next-line no-await-in-loop
+              const pkg = await readPackageJson(packagePath);
+              if (pkg) {
+                // Skip if specific packages requested and this isn't one of them
+                if (packages.length > 0 && !packages.includes(pkg.name)) {
+                  continue;
+                }
+                const lookupKey = `${pkg.name}@${pkg.version}`;
+                const patchInfo = patchLookup.get(lookupKey);
+                if (patchInfo) {
+                  logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${packagePath}`);
+                  logger.logger.log(`  Patch key: ${patchInfo.key}`);
+                  logger.logger.log(`  Processing files:`);
+                  for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
+                    // eslint-disable-next-line no-await-in-loop
+                    await processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir);
+                  }
+                }
+              }
+            }
+          } catch {
+            // Ignore errors reading scoped packages
+          }
+        } else {
+          // eslint-disable-next-line no-await-in-loop
+          const pkg = await readPackageJson(entryPath);
+          if (pkg) {
+            // Skip if specific packages requested and this isn't one of them
+            if (packages.length > 0 && !packages.includes(pkg.name)) {
+              continue;
+            }
+            const lookupKey = `${pkg.name}@${pkg.version}`;
+            const patchInfo = patchLookup.get(lookupKey);
+            if (patchInfo) {
+              logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${entryPath}`);
+              logger.logger.log(`  Patch key: ${patchInfo.key}`);
+              logger.logger.log(`  Processing files:`);
+              for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
+                // eslint-disable-next-line no-await-in-loop
+                await processFilePatch(entryPath, fileName, fileInfo, dryRun, socketDir);
+              }
+            }
+          }
+        }
+      }
+    } catch (error) {
+      logger.logger.error(`Error processing ${nodeModulesPath}:`, error);
+    }
+  }
+}
+async function computeSHA256(filePath) {
+  try {
+    const content = await fs$1.promises.readFile(filePath);
+    const hash = require$$0$1.createHash('sha256');
+    hash.update(content);
+    return hash.digest('hex');
+  } catch {
+    return null;
+  }
+}
+async function findNodeModulesFolders(rootDir) {
+  const nodeModulesPaths = [];
+  async function searchDir(dir) {
+    try {
+      const entries = await fs$1.promises.readdir(dir);
+      for (const entry of entries) {
+        if (entry.startsWith('.') || entry === 'dist' || entry === 'build') {
+          continue;
+        }
+        const fullPath = path.join(dir, entry);
+        // eslint-disable-next-line no-await-in-loop
+        const stats = await fs$1.promises.stat(fullPath);
+        if (stats.isDirectory()) {
+          if (entry === 'node_modules') {
+            nodeModulesPaths.push(fullPath);
+          } else {
+            // eslint-disable-next-line no-await-in-loop
+            await searchDir(fullPath);
+          }
+        }
+      }
+    } catch (error) {
+      // Ignore permission errors or missing directories
+    }
+  }
+  await searchDir(rootDir);
+  return nodeModulesPaths;
+}
+function parsePURL(purlString) {
+  const [ecosystem, rest] = purlString.split(':', 2);
+  const [nameAndNamespace, version] = (rest ?? '').split('@', 2);
+  let namespace;
+  let name;
+  if (ecosystem === 'npm' && nameAndNamespace?.startsWith('@')) {
+    const parts = nameAndNamespace.split('/');
+    namespace = parts[0]?.substring(1);
+    name = parts.slice(1).join('/');
+  } else {
+    name = nameAndNamespace ?? '';
+  }
+  return {
+    type: ecosystem ?? 'unknown',
+    namespace: namespace ?? '',
+    name: name ?? '',
+    version: version ?? '0.0.0'
+  };
+}
+async function processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir) {
+  const filePath = path.join(packagePath, fileName);
+  if (!fs$1.existsSync(filePath)) {
+    logger.logger.log(`File not found: ${fileName}`);
+    return;
+  }
+  const currentHash = await computeSHA256(filePath);
+  if (!currentHash) {
+    logger.logger.log(`Failed to compute hash for: ${fileName}`);
+    return;
+  }
+  if (currentHash === fileInfo.beforeHash) {
+    logger.logger.success(`File matches expected hash: ${fileName}`);
+    logger.logger.log(`Current hash: ${currentHash}`);
+    logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
+    if (!dryRun) {
+      const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
+      if (!fs$1.existsSync(blobPath)) {
+        logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
+        return;
+      }
+      try {
+        await fs$1.promises.copyFile(blobPath, filePath);
+        logger.logger.success(`Patch applied successfully`);
+      } catch (error) {
+        logger.logger.log(`Error applying patch: ${error}`);
+      }
+    } else {
+      logger.logger.log(`(dry run - no changes made)`);
+    }
+  } else if (currentHash === fileInfo.afterHash) {
+    logger.logger.success(`File already patched: ${fileName}`);
+    logger.logger.log(`Current hash: ${currentHash}`);
+  } else {
+    logger.logger.fail(`File hash mismatch: ${fileName}`);
+    logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
+    logger.logger.log(`Current:  ${currentHash}`);
+    logger.logger.log(`Target:   ${fileInfo.afterHash}`);
+  }
+}
+async function readPackageJson(packagePath) {
+  const pkgJsonPath = path.join(packagePath, 'package.json');
+  const pkg = await fs$2.readJson(pkgJsonPath, {
+    throws: false
+  });
+  if (pkg) {
+    return {
+      name: pkg.name || '',
+      version: pkg.version || ''
+    };
+  }
+  return null;
+}
 async function handlePatch({
+  cwd,
+  dryRun,
   outputKind,
   packages,
   spinner
 }) {
-  spinner.start('Analyzing dependencies for security patches...');
   try {
-    // TODO: Implement actual patch logic
-    // This is a stub implementation
-    const result = {
-      ok: true,
-      data: {
-        patchedPackages: packages.length > 0 ? packages : ['example-package']
+    const dotSocketDirPath = path.join(cwd, '.socket');
+    const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
+
+    // Read the manifest file.
+    const manifestContent = await fs$1.promises.readFile(manifestPath, 'utf-8');
+    const manifestData = JSON.parse(manifestContent);
+
+    // Validate the schema.
+    const validated = PatchManifestSchema.parse(manifestData);
+
+    // Parse PURLs and group by ecosystem.
+    const patchesByEcosystem = {};
+    for (const [key, patch] of Object.entries(validated.patches)) {
+      const purl = parsePURL(key);
+      if (!patchesByEcosystem[purl.type]) {
+        patchesByEcosystem[purl.type] = [];
       }
-    };
+      patchesByEcosystem[purl.type]?.push({
+        key,
+        purl,
+        patch
+      });
+    }
     spinner.stop();
     logger.logger.log('');
     if (packages.length > 0) {
@@ -8712,14 +8947,32 @@ async function handlePatch({
       logger.logger.info('Scanning all dependencies for available patches');
     }
     logger.logger.log('');
+    if (patchesByEcosystem['npm']) {
+      await applyNPMPatches(patchesByEcosystem['npm'], dryRun, dotSocketDirPath, packages);
+    }
+    const result = {
+      ok: true,
+      data: {
+        patchedPackages: packages.length > 0 ? packages : ['patched successfully']
+      }
+    };
     await outputPatchResult(result, outputKind);
   } catch (e) {
     spinner.stop();
+    let message = 'Failed to apply patches';
+    let cause = e?.message || 'Unknown error';
+    if (e instanceof SyntaxError) {
+      message = 'Invalid JSON in manifest.json';
+      cause = e.message;
+    } else if (e instanceof Error && 'issues' in e) {
+      message = 'Schema validation failed';
+      cause = String(e);
+    }
     const result = {
       ok: false,
       code: 1,
-      message: 'Failed to apply patches',
-      cause: e?.message || 'Unknown error'
+      message,
+      cause
     };
     await outputPatchResult(result, outputKind);
   }
@@ -8785,19 +9038,26 @@ async function run$k(argv, importMeta, {
   if (!wasValidInput) {
     return;
   }
-  if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_NOT_SAVING);
-    return;
-  }
   let [cwd = '.'] = cli.input;
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
+  const dotSocketDirPath = path.join(cwd, '.socket');
+  if (!fs$1.existsSync(dotSocketDirPath)) {
+    logger.logger.error('Error: No .socket directory found in current directory');
+    return;
+  }
+  const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
+  if (!fs$1.existsSync(manifestPath)) {
+    logger.logger.error('Error: No manifest.json found in .socket directory');
+  }
   const {
     spinner
   } = constants;
-  const packages = Array.isArray(cli.flags['package']) ? cli.flags['package'].flatMap(p => String(p).split(',')) : String(cli.flags['package'] || '').split(',').filter(Boolean);
+  const packages = utils.cmdFlagValueToArray(cli.flags['package']);
   await handlePatch({
+    cwd,
+    dryRun,
     outputKind,
     packages,
     spinner
@@ -14002,5 +14262,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=11a3cbfe-6b5a-4bf7-afd9-6885b9deef59
+//# debugId=8481439d-81fb-4c40-8fb9-cbf6be031d3
 //# sourceMappingURL=cli.js.map