socket 1.1.11 → 1.1.13

package/dist/shadow-pnpm-bin.js

@@ -0,0 +1,235 @@
+'use strict';
+
+var fs = require('node:fs');
+var path = require('node:path');
+var require$$0 = require('node:url');
+var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
+var logger = require('../external/@socketsecurity/registry/lib/logger');
+var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var vendor = require('./vendor.js');
+var constants = require('./constants.js');
+var utils = require('./utils.js');
+
+async function installLinks(shadowBinPath, _binName) {
+  // Find pnpm being shadowed by this process.
+  const binPath = utils.getPnpmBinPath();
+  const {
+    WIN32
+  } = constants.default;
+
+  // TODO: Is this early exit needed?
+  if (WIN32 && binPath) {
+    return binPath;
+  }
+  const shadowed = utils.isPnpmBinPathShadowed();
+
+  // Move our bin directory to front of PATH so its found first.
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, 'pnpm-cli.js'), path.join(shadowBinPath, 'pnpm'));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+
+const INSTALL_COMMANDS = new Set(['add', 'i', 'install', 'install-test', 'it', 'update', 'up']);
+async function shadowPnpm(args = process.argv.slice(2), options, extra) {
+  const opts = {
+    __proto__: null,
+    ...options
+  };
+  const {
+    env: spawnEnv,
+    ipc,
+    ...spawnOpts
+  } = opts;
+  let {
+    cwd = process.cwd()
+  } = opts;
+  if (cwd instanceof URL) {
+    cwd = require$$0.fileURLToPath(cwd);
+  }
+  const terminatorPos = args.indexOf('--');
+  const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+
+  // Check if this is an install-type command that needs security scanning
+  const command = rawPnpmArgs[0];
+  const needsScanning = command && INSTALL_COMMANDS.has(command);
+
+  // Get pnpm path
+  const realPnpmPath = await installLinks(constants.default.shadowBinPath);
+  const permArgs = ['--reporter=silent',
+  // Disable update checks during security scanning
+  '--no-update-notifier'];
+  const prefixArgs = [];
+  const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs];
+  if (needsScanning && !rawPnpmArgs.includes('--dry-run')) {
+    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS']);
+    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS']);
+
+    // Extract package names from command arguments before any downloads
+    const packagePurls = [];
+    if (command === 'add') {
+      // For 'pnpm add package1 package2@version', get packages from args
+      const packageArgs = rawPnpmArgs.slice(1).filter(arg => !arg.startsWith('-') && arg !== '--');
+      for (const pkgSpec of packageArgs) {
+        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'
+        let name;
+        let version;
+        if (pkgSpec.startsWith('@')) {
+          // Scoped package: @scope/name or @scope/name@version
+          const parts = pkgSpec.split('@');
+          if (parts.length === 2) {
+            // @scope/name (no version)
+            name = pkgSpec;
+          } else {
+            // @scope/name@version
+            name = `@${parts[1]}`;
+            version = parts[2];
+          }
+        } else {
+          // Regular package: name or name@version
+          const atIndex = pkgSpec.indexOf('@');
+          if (atIndex === -1) {
+            name = pkgSpec;
+          } else {
+            name = pkgSpec.slice(0, atIndex);
+            version = pkgSpec.slice(atIndex + 1);
+          }
+        }
+        if (name) {
+          packagePurls.push(version ? utils.idToNpmPurl(`${name}@${version}`) : utils.idToNpmPurl(name));
+        }
+      }
+    } else if (['install', 'i', 'update', 'up'].includes(command)) {
+      // For install/update, scan all dependencies from pnpm-lock.yaml
+      const pnpmLockPath = path.join(cwd, constants.PNPM_LOCK_YAML);
+      if (fs.existsSync(pnpmLockPath)) {
+        try {
+          const lockfileContent = await utils.readPnpmLockfile(pnpmLockPath);
+          if (lockfileContent) {
+            const lockfile = utils.parsePnpmLockfile(lockfileContent);
+            if (lockfile) {
+              // Use existing function to scan the entire lockfile
+              if (require$$9.isDebug()) {
+                require$$9.debugFn('notice', `scanning: all dependencies from ${constants.PNPM_LOCK_YAML}`);
+              }
+              const alertsMap = await utils.getAlertsMapFromPnpmLockfile(lockfile, {
+                nothrow: true,
+                filter: acceptRisks ? {
+                  actions: ['error'],
+                  blocked: true
+                } : {
+                  actions: ['error', 'monitor', 'warn']
+                }
+              });
+              if (alertsMap.size) {
+                process.exitCode = 1;
+                utils.logAlertsMap(alertsMap, {
+                  hideAt: viewAllRisks ? 'none' : 'middle',
+                  output: process.stderr
+                });
+                const errorMessage = `Socket pnpm exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
+                logger.logger.error(errorMessage);
+                // eslint-disable-next-line n/no-process-exit
+                process.exit(1);
+                // This line is never reached in production, but helps tests.
+                throw new Error('process.exit called');
+              }
+
+              // Return early since we've already done the scanning
+              if (require$$9.isDebug()) {
+                require$$9.debugFn('notice', 'complete: lockfile scanning, proceeding with install');
+              }
+            }
+          }
+        } catch (e) {
+          if (require$$9.isDebug()) {
+            require$$9.debugFn('error', 'caught: pnpm lockfile scanning error');
+            require$$9.debugDir('inspect', {
+              error: e
+            });
+          }
+        }
+      } else if (require$$9.isDebug()) {
+        require$$9.debugFn('notice', 'skip: no pnpm-lock.yaml found, skipping bulk install scanning');
+      }
+    }
+    if (packagePurls.length > 0) {
+      if (require$$9.isDebug()) {
+        require$$9.debugFn('notice', 'scanning: packages before download');
+        require$$9.debugDir('inspect', {
+          packagePurls
+        });
+      }
+      try {
+        const alertsMap = await utils.getAlertsMapFromPurls(packagePurls, {
+          nothrow: true,
+          filter: acceptRisks ? {
+            actions: ['error'],
+            blocked: true
+          } : {
+            actions: ['error', 'monitor', 'warn']
+          }
+        });
+        if (alertsMap.size) {
+          process.exitCode = 1;
+          utils.logAlertsMap(alertsMap, {
+            hideAt: viewAllRisks ? 'none' : 'middle',
+            output: process.stderr
+          });
+          const errorMessage = `
+Socket pnpm exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
+          logger.logger.error(errorMessage);
+          // eslint-disable-next-line n/no-process-exit
+          process.exit(1);
+          // This line is never reached in production, but helps tests.
+          throw new Error('process.exit called');
+        }
+      } catch (e) {
+        // Re-throw process.exit errors from tests.
+        if (e instanceof Error && e.message === 'process.exit called') {
+          throw e;
+        }
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('error', 'caught: package scanning error');
+          require$$9.debugDir('inspect', {
+            error: e
+          });
+        }
+        // Continue with installation if scanning fails
+      }
+    }
+    if (require$$9.isDebug()) {
+      require$$9.debugFn('notice', 'complete: scanning, proceeding with install');
+      require$$9.debugDir('inspect', {
+        args: rawPnpmArgs.slice(1)
+      });
+    }
+  }
+  const argsToString = utils.cmdFlagsToString([...prefixArgs, ...suffixArgs]);
+  const env = {
+    ...process.env,
+    ...spawnEnv
+  };
+  if (require$$9.isDebug()) {
+    require$$9.debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`);
+  }
+  const spawnPromise = spawn.spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {
+    ...spawnOpts,
+    env,
+    extra
+  });
+  return {
+    spawnPromise
+  };
+}
+
+module.exports = shadowPnpm;
+//# debugId=95396bfd-89e3-4dec-a9d6-623419962b28
+//# sourceMappingURL=shadow-pnpm-bin.js.map

package/dist/shadow-pnpm-bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-pnpm-bin.js","sources":["../src/shadow/pnpm/link.mts","../src/shadow/pnpm/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n  getPnpmBinPath,\n  isPnpmBinPathShadowed,\n} from '../../utils/pnpm-paths.mts'\n\nexport async function installLinks(\n  shadowBinPath: string,\n  _binName: 'pnpm',\n): Promise<string> {\n  // Find pnpm being shadowed by this process.\n  const binPath = getPnpmBinPath()\n  const { WIN32 } = constants\n\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n\n  const shadowed = isPnpmBinPathShadowed()\n\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        path.join(constants.distPath, 'pnpm-cli.js'),\n        path.join(shadowBinPath, 'pnpm'),\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n  }\n\n  return binPath\n}\n","import { existsSync } from 'node:fs'\nimport path from 'node:path'\nimport { fileURLToPath } from 'node:url'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants, { PNPM_LOCK_YAML } from '../../constants.mts'\nimport {\n  getAlertsMapFromPnpmLockfile,\n  getAlertsMapFromPurls,\n} from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { parsePnpmLockfile, readPnpmLockfile } from '../../utils/pnpm.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n  SpawnExtra,\n  SpawnOptions,\n  SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowPnpmOptions = SpawnOptions & {\n  ipc?: IpcObject | undefined\n}\n\nexport type ShadowPnpmResult = {\n  spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n  'add',\n  'i',\n  'install',\n  'install-test',\n  'it',\n  'update',\n  'up',\n])\n\nexport default async function shadowPnpm(\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowPnpmOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowPnpmResult> {\n  const opts = { __proto__: null, ...options } as ShadowPnpmOptions\n  const { env: spawnEnv, ipc, ...spawnOpts } = opts\n\n  let { cwd = process.cwd() } = opts\n  if (cwd instanceof URL) {\n    cwd = fileURLToPath(cwd)\n  }\n\n  const terminatorPos = args.indexOf('--')\n  const rawPnpmArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n  // Check if this is an install-type command that needs security scanning\n  const command = rawPnpmArgs[0]\n  const needsScanning = command && INSTALL_COMMANDS.has(command)\n\n  // Get pnpm path\n  const realPnpmPath = await installLinks(constants.shadowBinPath, 'pnpm')\n\n  const permArgs = [\n    '--reporter=silent',\n    // Disable update checks during security scanning\n    '--no-update-notifier',\n  ]\n\n  const prefixArgs: string[] = []\n  const suffixArgs = [...rawPnpmArgs, ...permArgs, ...otherArgs]\n\n  if (needsScanning && !rawPnpmArgs.includes('--dry-run')) {\n    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n    // Extract package names from command arguments before any downloads\n    const packagePurls: string[] = []\n\n    if (command === 'add') {\n      // For 'pnpm add package1 package2@version', get packages from args\n      const packageArgs = rawPnpmArgs\n        .slice(1)\n        .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n      for (const pkgSpec of packageArgs) {\n        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n        let name: string\n        let version: string | undefined\n\n        if (pkgSpec.startsWith('@')) {\n          // Scoped package: @scope/name or @scope/name@version\n          const parts = pkgSpec.split('@')\n          if (parts.length === 2) {\n            // @scope/name (no version)\n            name = pkgSpec\n          } else {\n            // @scope/name@version\n            name = `@${parts[1]}`\n            version = parts[2]\n          }\n        } else {\n          // Regular package: name or name@version\n          const atIndex = pkgSpec.indexOf('@')\n          if (atIndex === -1) {\n            name = pkgSpec\n          } else {\n            name = pkgSpec.slice(0, atIndex)\n            version = pkgSpec.slice(atIndex + 1)\n          }\n        }\n\n        if (name) {\n          packagePurls.push(\n            version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n          )\n        }\n      }\n    } else if (['install', 'i', 'update', 'up'].includes(command)) {\n      // For install/update, scan all dependencies from pnpm-lock.yaml\n      const pnpmLockPath = path.join(cwd, PNPM_LOCK_YAML)\n      if (existsSync(pnpmLockPath)) {\n        try {\n          const lockfileContent = await readPnpmLockfile(pnpmLockPath)\n          if (lockfileContent) {\n            const lockfile = parsePnpmLockfile(lockfileContent)\n            if (lockfile) {\n              // Use existing function to scan the entire lockfile\n              if (isDebug()) {\n                debugFn(\n                  'notice',\n                  `scanning: all dependencies from ${PNPM_LOCK_YAML}`,\n                )\n              }\n\n              const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {\n                nothrow: true,\n                filter: acceptRisks\n                  ? { actions: ['error'], blocked: true }\n                  : { actions: ['error', 'monitor', 'warn'] },\n              })\n\n              if (alertsMap.size) {\n                process.exitCode = 1\n                logAlertsMap(alertsMap, {\n                  hideAt: viewAllRisks ? 'none' : 'middle',\n                  output: process.stderr,\n                })\n\n                const errorMessage = `Socket pnpm exiting due to risks.${\n                  viewAllRisks\n                    ? ''\n                    : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n                }${\n                  acceptRisks\n                    ? ''\n                    : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n                }`.trim()\n\n                logger.error(errorMessage)\n                // eslint-disable-next-line n/no-process-exit\n                process.exit(1)\n                // This line is never reached in production, but helps tests.\n                throw new Error('process.exit called')\n              }\n\n              // Return early since we've already done the scanning\n              if (isDebug()) {\n                debugFn(\n                  'notice',\n                  'complete: lockfile scanning, proceeding with install',\n                )\n              }\n            }\n          }\n        } catch (e) {\n          if (isDebug()) {\n            debugFn('error', 'caught: pnpm lockfile scanning error')\n            debugDir('inspect', { error: e })\n          }\n        }\n      } else if (isDebug()) {\n        debugFn(\n          'notice',\n          'skip: no pnpm-lock.yaml found, skipping bulk install scanning',\n        )\n      }\n    }\n\n    if (packagePurls.length > 0) {\n      if (isDebug()) {\n        debugFn('notice', 'scanning: packages before download')\n        debugDir('inspect', { packagePurls })\n      }\n\n      try {\n        const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n          nothrow: true,\n          filter: acceptRisks\n            ? { actions: ['error'], blocked: true }\n            : { actions: ['error', 'monitor', 'warn'] },\n        })\n\n        if (alertsMap.size) {\n          process.exitCode = 1\n          logAlertsMap(alertsMap, {\n            hideAt: viewAllRisks ? 'none' : 'middle',\n            output: process.stderr,\n          })\n\n          const errorMessage = `\nSocket pnpm exiting due to risks.${\n            viewAllRisks\n              ? ''\n              : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n          }${\n            acceptRisks\n              ? ''\n              : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n          }`.trim()\n\n          logger.error(errorMessage)\n          // eslint-disable-next-line n/no-process-exit\n          process.exit(1)\n          // This line is never reached in production, but helps tests.\n          throw new Error('process.exit called')\n        }\n      } catch (e) {\n        // Re-throw process.exit errors from tests.\n        if (e instanceof Error && e.message === 'process.exit called') {\n          throw e\n        }\n        if (isDebug()) {\n          debugFn('error', 'caught: package scanning error')\n          debugDir('inspect', { error: e })\n        }\n        // Continue with installation if scanning fails\n      }\n    }\n\n    if (isDebug()) {\n      debugFn('notice', 'complete: scanning, proceeding with install')\n      debugDir('inspect', { args: rawPnpmArgs.slice(1) })\n    }\n  }\n\n  const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n  const env = {\n    ...process.env,\n    ...spawnEnv,\n  } as Record<string, string>\n\n  if (isDebug()) {\n    debugFn('notice', `spawn: pnpm shadow bin ${realPnpmPath} ${argsToString}`)\n  }\n\n  const spawnPromise = spawn(realPnpmPath, [...prefixArgs, ...suffixArgs], {\n    ...spawnOpts,\n    env,\n    extra,\n  })\n\n  return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","cwd","name","version","packagePurls","debugFn","nothrow","blocked","actions","hideAt","logger","process","error","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;;AAUO;AAIL;AACA;;AACQA;AAAM;;AAEd;;AAEE;AACF;AAEA;;AAEA;;AAEE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACJA;AAUe;AAKb;AAAeC;;;;AACPD;;;AAAiC;;AAEnCE;AAAoB;;AAExBA;AACF;AAEA;AACA;AACA;;AAEA;AACA;;;AAGA;;;AAKE;AACA;;;;;;;AAUA;;;AAIE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AACE;;AAEA;;AAEI;AACA;AACE;AACA;AACE;;AAEEC;AAIF;AAEA;AACEC;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;;AAYAC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEEN;AAIF;AACF;AACF;;;AAGEA;;AACsBO;AAAS;AACjC;AACF;AACF;AACEP;AAIF;AACF;AAEA;;AAEIA;;AACsBD;AAAa;AACrC;;AAGE;AACEE;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEN;;AACsBO;AAAS;AACjC;AACA;AACF;AACF;;AAGEP;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"95396bfd-89e3-4dec-a9d6-623419962b28"}

package/dist/shadow-yarn-bin.js

@@ -0,0 +1,200 @@
+'use strict';
+
+var fs = require('node:fs');
+var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
+var logger = require('../external/@socketsecurity/registry/lib/logger');
+var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var path = require('node:path');
+var vendor = require('./vendor.js');
+var constants = require('./constants.js');
+var utils = require('./utils.js');
+
+async function installLinks(shadowBinPath, binName) {
+  const binPath = utils.getYarnBinPath();
+  const {
+    WIN32
+  } = constants.default;
+  if (WIN32 && binPath) {
+    return binPath;
+  }
+  const shadowed = utils.isYarnBinPathShadowed();
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, `${binName}-cli.js`), path.join(shadowBinPath, binName));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+
+const INSTALL_COMMANDS = new Set(['add', 'install', 'up', 'upgrade', 'upgrade-interactive']);
+const DLX_COMMANDS = new Set(['dlx']);
+async function shadowYarn(args = process.argv.slice(2), options, extra) {
+  const {
+    env: spawnEnv,
+    ipc,
+    ...spawnOpts
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const terminatorPos = args.indexOf('--');
+  const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+
+  // Check if this is a command that needs security scanning
+  const command = rawYarnArgs[0];
+  const needsScanning = command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command));
+
+  // Get yarn path
+  const realYarnPath = await installLinks(constants.default.shadowBinPath, 'yarn');
+  const permArgs = [];
+  const prefixArgs = [];
+  const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs];
+  if (needsScanning && !rawYarnArgs.includes('--dry-run')) {
+    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS']);
+    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS']);
+
+    // Extract package names from command arguments before any downloads
+    const packagePurls = [];
+    if (command === 'add' || command === 'dlx') {
+      // For 'yarn add package1 package2@version' or 'yarn dlx package'
+      const packageArgs = rawYarnArgs.slice(1).filter(arg => !arg.startsWith('-') && arg !== '--');
+      for (const pkgSpec of packageArgs) {
+        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'
+        let name;
+        let version;
+        if (pkgSpec.startsWith('@')) {
+          // Scoped package: @scope/name or @scope/name@version
+          const parts = pkgSpec.split('@');
+          if (parts.length === 2) {
+            // @scope/name (no version)
+            name = pkgSpec;
+          } else {
+            // @scope/name@version
+            name = `@${parts[1]}`;
+            version = parts[2];
+          }
+        } else {
+          // Regular package: name or name@version
+          const atIndex = pkgSpec.indexOf('@');
+          if (atIndex === -1) {
+            name = pkgSpec;
+          } else {
+            name = pkgSpec.slice(0, atIndex);
+            version = pkgSpec.slice(atIndex + 1);
+          }
+        }
+        if (name) {
+          packagePurls.push(version ? utils.idToNpmPurl(`${name}@${version}`) : utils.idToNpmPurl(name));
+        }
+      }
+    } else if (['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)) {
+      // For install/upgrade, scan all dependencies from package.json
+      // Note: This scans direct dependencies only. For full transitive dependency
+      // scanning, yarn.lock parsing would be needed (not yet implemented)
+      try {
+        const packageJsonContent = await fs.promises.readFile('package.json', 'utf8');
+        const packageJson = JSON.parse(packageJsonContent);
+        const allDeps = {
+          ...packageJson.dependencies,
+          ...packageJson.devDependencies,
+          ...packageJson.optionalDependencies,
+          ...packageJson.peerDependencies
+        };
+        for (const [name, version] of Object.entries(allDeps)) {
+          if (typeof version === 'string') {
+            packagePurls.push(utils.idToNpmPurl(`${name}@${version}`));
+          } else {
+            packagePurls.push(utils.idToNpmPurl(name));
+          }
+        }
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('notice', `scanning: ${packagePurls.length} direct dependencies from package.json`);
+          require$$9.debugFn('notice', 'note: transitive dependencies not scanned (yarn.lock parsing not implemented)');
+        }
+      } catch (e) {
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('error', 'caught: package.json read error during dependency scanning');
+          require$$9.debugDir('inspect', {
+            error: e
+          });
+        }
+      }
+    }
+    if (packagePurls.length > 0) {
+      if (require$$9.isDebug()) {
+        require$$9.debugFn('notice', 'scanning: packages before download');
+        require$$9.debugDir('inspect', {
+          packagePurls
+        });
+      }
+      try {
+        const alertsMap = await utils.getAlertsMapFromPurls(packagePurls, {
+          nothrow: true,
+          filter: acceptRisks ? {
+            actions: ['error'],
+            blocked: true
+          } : {
+            actions: ['error', 'monitor', 'warn']
+          }
+        });
+        if (alertsMap.size) {
+          process.exitCode = 1;
+          utils.logAlertsMap(alertsMap, {
+            hideAt: viewAllRisks ? 'none' : 'middle',
+            output: process.stderr
+          });
+          const errorMessage = `
+Socket yarn exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${constants.default.SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${constants.default.SOCKET_CLI_ACCEPT_RISKS}=1.`}`.trim();
+          logger.logger.error(errorMessage);
+          // eslint-disable-next-line n/no-process-exit
+          process.exit(1);
+          // This line is never reached in production, but helps tests.
+          throw new Error('process.exit called');
+        }
+      } catch (e) {
+        // Re-throw process.exit errors from tests.
+        if (e instanceof Error && e.message === 'process.exit called') {
+          throw e;
+        }
+        if (require$$9.isDebug()) {
+          require$$9.debugFn('error', 'caught: package scanning error');
+          require$$9.debugDir('inspect', {
+            error: e
+          });
+        }
+        // Continue with installation if scanning fails
+      }
+    }
+    if (require$$9.isDebug()) {
+      require$$9.debugFn('notice', 'complete: scanning, proceeding with install');
+      require$$9.debugDir('inspect', {
+        args: rawYarnArgs.slice(1)
+      });
+    }
+  }
+  const argsToString = utils.cmdFlagsToString([...prefixArgs, ...suffixArgs]);
+  const env = {
+    ...process.env,
+    ...spawnEnv
+  };
+  if (require$$9.isDebug()) {
+    require$$9.debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`);
+  }
+  const spawnPromise = spawn.spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {
+    ...spawnOpts,
+    env,
+    extra
+  });
+  return {
+    spawnPromise
+  };
+}
+
+module.exports = shadowYarn;
+//# debugId=ff5e070d-ede1-4e55-b8e9-dfa667ad45a0
+//# sourceMappingURL=shadow-yarn-bin.js.map

package/dist/shadow-yarn-bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-yarn-bin.js","sources":["../src/shadow/yarn/link.mts","../src/shadow/yarn/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n  getYarnBinPath,\n  isYarnBinPathShadowed,\n} from '../../utils/yarn-paths.mts'\n\nexport async function installLinks(\n  shadowBinPath: string,\n  binName: 'yarn',\n): Promise<string> {\n  const binPath = getYarnBinPath()\n  const { WIN32 } = constants\n\n  if (WIN32 && binPath) {\n    return binPath\n  }\n\n  const shadowed = isYarnBinPathShadowed()\n\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        path.join(constants.distPath, `${binName}-cli.js`),\n        path.join(shadowBinPath, binName),\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n  }\n\n  return binPath\n}\n","import { promises as fs } from 'node:fs'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n  SpawnExtra,\n  SpawnOptions,\n  SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowYarnOptions = SpawnOptions & {\n  ipc?: IpcObject | undefined\n}\n\nexport type ShadowYarnResult = {\n  spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n  'add',\n  'install',\n  'up',\n  'upgrade',\n  'upgrade-interactive',\n])\n\nconst DLX_COMMANDS = new Set(['dlx'])\n\nexport default async function shadowYarn(\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowYarnOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowYarnResult> {\n  const {\n    env: spawnEnv,\n    ipc,\n    ...spawnOpts\n  } = { __proto__: null, ...options } as ShadowYarnOptions\n  const terminatorPos = args.indexOf('--')\n  const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n  // Check if this is a command that needs security scanning\n  const command = rawYarnArgs[0]\n  const needsScanning =\n    command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command))\n\n  // Get yarn path\n  const realYarnPath = await installLinks(constants.shadowBinPath, 'yarn')\n\n  const permArgs: string[] = []\n\n  const prefixArgs: string[] = []\n  const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs]\n\n  if (needsScanning && !rawYarnArgs.includes('--dry-run')) {\n    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n    // Extract package names from command arguments before any downloads\n    const packagePurls: string[] = []\n\n    if (command === 'add' || command === 'dlx') {\n      // For 'yarn add package1 package2@version' or 'yarn dlx package'\n      const packageArgs = rawYarnArgs\n        .slice(1)\n        .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n      for (const pkgSpec of packageArgs) {\n        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n        let name: string\n        let version: string | undefined\n\n        if (pkgSpec.startsWith('@')) {\n          // Scoped package: @scope/name or @scope/name@version\n          const parts = pkgSpec.split('@')\n          if (parts.length === 2) {\n            // @scope/name (no version)\n            name = pkgSpec\n          } else {\n            // @scope/name@version\n            name = `@${parts[1]}`\n            version = parts[2]\n          }\n        } else {\n          // Regular package: name or name@version\n          const atIndex = pkgSpec.indexOf('@')\n          if (atIndex === -1) {\n            name = pkgSpec\n          } else {\n            name = pkgSpec.slice(0, atIndex)\n            version = pkgSpec.slice(atIndex + 1)\n          }\n        }\n\n        if (name) {\n          packagePurls.push(\n            version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n          )\n        }\n      }\n    } else if (\n      ['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)\n    ) {\n      // For install/upgrade, scan all dependencies from package.json\n      // Note: This scans direct dependencies only. For full transitive dependency\n      // scanning, yarn.lock parsing would be needed (not yet implemented)\n      try {\n        const packageJsonContent = await fs.readFile('package.json', 'utf8')\n        const packageJson = JSON.parse(packageJsonContent)\n\n        const allDeps = {\n          ...packageJson.dependencies,\n          ...packageJson.devDependencies,\n          ...packageJson.optionalDependencies,\n          ...packageJson.peerDependencies,\n        }\n\n        for (const [name, version] of Object.entries(allDeps)) {\n          if (typeof version === 'string') {\n            packagePurls.push(idToNpmPurl(`${name}@${version}`))\n          } else {\n            packagePurls.push(idToNpmPurl(name))\n          }\n        }\n\n        if (isDebug()) {\n          debugFn(\n            'notice',\n            `scanning: ${packagePurls.length} direct dependencies from package.json`,\n          )\n          debugFn(\n            'notice',\n            'note: transitive dependencies not scanned (yarn.lock parsing not implemented)',\n          )\n        }\n      } catch (e) {\n        if (isDebug()) {\n          debugFn(\n            'error',\n            'caught: package.json read error during dependency scanning',\n          )\n          debugDir('inspect', { error: e })\n        }\n      }\n    }\n\n    if (packagePurls.length > 0) {\n      if (isDebug()) {\n        debugFn('notice', 'scanning: packages before download')\n        debugDir('inspect', { packagePurls })\n      }\n\n      try {\n        const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n          nothrow: true,\n          filter: acceptRisks\n            ? { actions: ['error'], blocked: true }\n            : { actions: ['error', 'monitor', 'warn'] },\n        })\n\n        if (alertsMap.size) {\n          process.exitCode = 1\n          logAlertsMap(alertsMap, {\n            hideAt: viewAllRisks ? 'none' : 'middle',\n            output: process.stderr,\n          })\n\n          const errorMessage = `\nSocket yarn exiting due to risks.${\n            viewAllRisks\n              ? ''\n              : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n          }${\n            acceptRisks\n              ? ''\n              : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n          }`.trim()\n\n          logger.error(errorMessage)\n          // eslint-disable-next-line n/no-process-exit\n          process.exit(1)\n          // This line is never reached in production, but helps tests.\n          throw new Error('process.exit called')\n        }\n      } catch (e) {\n        // Re-throw process.exit errors from tests.\n        if (e instanceof Error && e.message === 'process.exit called') {\n          throw e\n        }\n        if (isDebug()) {\n          debugFn('error', 'caught: package scanning error')\n          debugDir('inspect', { error: e })\n        }\n        // Continue with installation if scanning fails\n      }\n    }\n\n    if (isDebug()) {\n      debugFn('notice', 'complete: scanning, proceeding with install')\n      debugDir('inspect', { args: rawYarnArgs.slice(1) })\n    }\n  }\n\n  const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n  const env = {\n    ...process.env,\n    ...spawnEnv,\n  } as Record<string, string>\n\n  if (isDebug()) {\n    debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`)\n  }\n\n  const spawnPromise = spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {\n    ...spawnOpts,\n    env,\n    extra,\n  })\n\n  return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","name","version","packagePurls","debugFn","error","nothrow","blocked","actions","hideAt","logger","process","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;AAUO;AAIL;;AACQA;AAAM;;AAGZ;AACF;AAEA;;AAGE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACPA;AAQA;AAEe;;AAMXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;;AAEA;AACA;AACA;;AAGA;;;;;;;;;AAYE;;AAGA;AACE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AAGE;AACA;AACA;;;AAGE;AAEA;;;;AAIE;;AAGF;AACE;;AAEA;AACEA;AACF;AACF;;;AAOEC;AAIF;;;AAGEA;;AAIsBC;AAAS;AACjC;AACF;AACF;AAEA;;AAEID;;AACsBD;AAAa;AACrC;;AAGE;AACEG;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEP;;AACsBC;AAAS;AACjC;AACA;AACF;AACF;;AAGED;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"ff5e070d-ede1-4e55-b8e9-dfa667ad45a0"}