Merge branch 'main' into add-sbom

Author: jdalton

.dep-stats.json

@@ -10,7 +10,7 @@
     "@socketregistry/is-unicode-supported": "^1.0.0",
     "@socketregistry/packageurl-js": "^1.0.2",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.85",
+    "@socketsecurity/registry": "^1.0.87",
     "@socketsecurity/sdk": "^1.4.5",
     "blessed": "^0.1.81",
     "blessed-contrib": "^4.11.0",

package-lock.json

@@ -73,7 +73,7 @@
     "@socketregistry/is-unicode-supported": "^1.0.0",
     "@socketregistry/packageurl-js": "^1.0.2",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.85",
+    "@socketsecurity/registry": "^1.0.87",
     "@socketsecurity/sdk": "^1.4.5",
     "blessed": "^0.1.81",
     "blessed-contrib": "^4.11.0",
@@ -102,12 +102,12 @@
     "yoctocolors-cjs": "^2.1.2"
   },
   "devDependencies": {
-    "@babel/core": "^7.26.7",
+    "@babel/core": "^7.26.8",
     "@babel/plugin-proposal-export-default-from": "^7.25.9",
     "@babel/plugin-syntax-dynamic-import": "^7.8.3",
     "@babel/plugin-transform-export-namespace-from": "^7.25.9",
-    "@babel/plugin-transform-runtime": "^7.25.9",
-    "@babel/preset-env": "^7.26.7",
+    "@babel/plugin-transform-runtime": "^7.26.8",
+    "@babel/preset-env": "^7.26.8",
     "@babel/preset-typescript": "^7.26.0",
     "@babel/runtime": "^7.26.7",
     "@biomejs/biome": "^1.9.4",

package.json

@@ -22,8 +22,7 @@ import { getDefaultToken, setupSdk } from '../utils/sdk'
 import type { CliSubcommand } from '../utils/meow-with-subcommands'
 
 export const analytics: CliSubcommand = {
-  description: `Look up analytics data \n
-  Default parameters are set to show the organization-level analytics over the last 7 days.`,
+  description: `Look up analytics data\n                        Default parameters are set to show the organization-level analytics over the last 7 days.`,
   async run(argv, importMeta, { parentName }) {
     const name = parentName + ' analytics'
 

src/commands/analytics.ts

@@ -1,11 +1,38 @@
 import { Spinner } from '@socketsecurity/registry/lib/spinner'
 
 import constants from '../constants'
-import { shadowNpmInstall } from '../utils/shadow-npm'
+import { shadowNpmInstall } from '../utils/npm'
 
 import type { CliSubcommand } from '../utils/meow-with-subcommands'
 
-const { SOCKET_CLI_FIX_PACKAGE_LOCK_FILE, SOCKET_IPC_HANDSHAKE } = constants
+const { SOCKET_CLI_IN_FIX_CMD, SOCKET_IPC_HANDSHAKE } = constants
+
+// const prev = new Set(alerts.map(a => a.key))
+// let ret: SafeNode | undefined
+// /* eslint-disable no-await-in-loop */
+// while (alerts.length > 0) {
+//   await updateAdvisoryNodes(this, alerts)
+//   ret = await this[kRiskyReify](...args)
+//   await this.loadActual()
+//   await this.buildIdealTree()
+//   needInfoOn = getPackagesToQueryFromDiff(this.diff, {
+//     includeUnchanged: true
+//   })
+//   alerts = (
+//     await getPackagesAlerts(needInfoOn, {
+//       includeExisting: true,
+//       includeUnfixable: true
+//     })
+//   ).filter(({ key }) => {
+//     const unseen = !prev.has(key)
+//     if (unseen) {
+//       prev.add(key)
+//     }
+//     return unseen
+//   })
+// }
+// /* eslint-enable no-await-in-loop */
+// return ret!
 
 export const fix: CliSubcommand = {
   description: 'Fix "fixable" Socket alerts',
@@ -16,7 +43,7 @@ export const fix: CliSubcommand = {
       await shadowNpmInstall({
         ipc: {
           [SOCKET_IPC_HANDSHAKE]: {
-            [SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]: true
+            [SOCKET_CLI_IN_FIX_CMD]: true
           }
         }
       })

src/commands/fix.ts

@@ -28,9 +28,9 @@ import { pluralize } from '@socketsecurity/registry/lib/words'
 import constants from '../constants'
 import { commonFlags } from '../flags'
 import { safeReadFile } from '../utils/fs'
+import { shadowNpmInstall } from '../utils/npm'
 import { getFlagListOutput } from '../utils/output-formatting'
 import { detect } from '../utils/package-manager-detector'
-import { shadowNpmInstall } from '../utils/shadow-npm'
 
 import type { CliSubcommand } from '../utils/meow-with-subcommands'
 import type {
@@ -49,7 +49,7 @@ const {
   OVERRIDES,
   PNPM,
   RESOLUTIONS,
-  SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE,
+  SOCKET_CLI_IN_OPTIMIZE_CMD,
   SOCKET_IPC_HANDSHAKE,
   VLT,
   YARN_BERRY,
@@ -62,7 +62,7 @@ const NPM_OVERRIDE_PR_URL = 'https://github.com/npm/cli/pull/7025'
 const PNPM_FIELD_NAME = PNPM
 const PNPM_WORKSPACE = `${PNPM}-workspace`
 
-const manifestNpmOverrides = getManifestData(NPM)!
+const manifestNpmOverrides = getManifestData(NPM)
 
 type NpmOverrides = { [key: string]: string | StringKeyValueObject }
 type PnpmOrYarnOverrides = { [key: string]: string }
@@ -930,10 +930,13 @@ export const optimize: CliSubcommand = {
         if (isNpm) {
           const ipc = {
             [SOCKET_IPC_HANDSHAKE]: {
-              [SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE]: true
+              [SOCKET_CLI_IN_OPTIMIZE_CMD]: true
             }
           }
-          await shadowNpmInstall({ ipc })
+          await shadowNpmInstall({
+            flags: ['--ignore-scripts'],
+            ipc
+          })
           // TODO: This is a temporary workaround for a `npm ci` bug where it
           // will error out after Socket Optimize generates a lock file. More
           // investigation is needed.

src/commands/optimize.ts

@@ -33,8 +33,8 @@ type ENV = RegistryEnv &
   }>
 
 type IPC = Readonly<{
-  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: boolean
-  SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE: boolean
+  SOCKET_CLI_IN_FIX_CMD: boolean
+  SOCKET_CLI_IN_OPTIMIZE_CMD: boolean
 }>
 
 type Constants = Omit<
@@ -56,9 +56,9 @@ type Constants = Omit<
   readonly PNPM: 'pnpm'
   readonly REQUIRE: 'require'
   readonly SOCKET_CLI_DEBUG: 'SOCKET_CLI_DEBUG'
-  readonly SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: 'SOCKET_CLI_FIX_PACKAGE_LOCK_FILE'
+  readonly SOCKET_CLI_IN_FIX_CMD: 'SOCKET_CLI_IN_FIX_CMD'
+  readonly SOCKET_CLI_IN_OPTIMIZE_CMD: 'SOCKET_CLI_IN_OPTIMIZE_CMD'
   readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'
-  readonly SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE: 'SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE'
   readonly VLT: 'vlt'
   readonly YARN: 'yarn'
   readonly YARN_BERRY: 'yarn/berry'
@@ -85,10 +85,9 @@ const NPX = 'npx'
 const PNPM = 'pnpm'
 const REQUIRE = 'require'
 const SOCKET_CLI_DEBUG = 'SOCKET_CLI_DEBUG'
-const SOCKET_CLI_FIX_PACKAGE_LOCK_FILE = 'SOCKET_CLI_FIX_PACKAGE_LOCK_FILE'
+const SOCKET_CLI_IN_FIX_CMD = 'SOCKET_CLI_IN_FIX_CMD'
+const SOCKET_CLI_IN_OPTIMIZE_CMD = 'SOCKET_CLI_IN_OPTIMIZE_CMD'
 const SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'
-const SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE =
-  'SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE'
 const VLT = 'vlt'
 const YARN = 'yarn'
 const YARN_BERRY = `${YARN}/berry`
@@ -161,9 +160,9 @@ const constants = <Constants>createConstantsObject(
     PNPM,
     REQUIRE,
     SOCKET_CLI_DEBUG,
-    SOCKET_CLI_FIX_PACKAGE_LOCK_FILE,
+    SOCKET_CLI_IN_FIX_CMD,
+    SOCKET_CLI_IN_OPTIMIZE_CMD,
     SOCKET_CLI_ISSUES_URL,
-    SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE,
     VLT,
     YARN,
     YARN_BERRY,

src/constants.ts

@@ -14,7 +14,6 @@ function getUrlOrigin(input: string): string {
 
 export type PackageDetail = {
   node: SafeNode
-  origin: string
   existing?: SafeNode | undefined
 }
 
@@ -72,11 +71,12 @@ export function getPackagesToQueryFromDiff(
         keep = action !== 'REMOVE'
       }
       if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        const origin = getUrlOrigin(pkgNode.resolved)
-        if (includeUnknownOrigin || origin === NPM_REGISTRY_URL) {
+        if (
+          includeUnknownOrigin ||
+          getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
+        ) {
           details.push({
             node: pkgNode,
-            origin,
             existing
           })
         }
@@ -90,11 +90,12 @@ export function getPackagesToQueryFromDiff(
     const { unchanged } = diff_!
     for (let i = 0, { length } = unchanged; i < length; i += 1) {
       const pkgNode = unchanged[i]!
-      const origin = getUrlOrigin(pkgNode.resolved!)
-      if (includeUnknownOrigin || origin === NPM_REGISTRY_URL) {
+      if (
+        includeUnknownOrigin ||
+        getUrlOrigin(pkgNode.resolved!) === NPM_REGISTRY_URL
+      ) {
         details.push({
           node: pkgNode,
-          origin,
           existing: pkgNode
         })
       }

src/shadow/arborist/lib/arborist/diff.ts

@@ -8,20 +8,26 @@ export const Arborist: ArboristClass = require(getArboristClassPath())
 
 export const kCtorArgs = Symbol('ctorArgs')
 
+const safeOptOverrides = {
+  __proto__: null,
+  audit: false,
+  dryRun: true,
+  fund: false,
+  ignoreScripts: true,
+  progress: false,
+  save: false,
+  saveBundle: false,
+  silent: true
+}
+
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
 export class SafeArborist extends Arborist {
   constructor(...ctorArgs: ConstructorParameters<ArboristClass>) {
     super(
       {
         ...ctorArgs[0],
-        audit: true,
-        dryRun: true,
-        ignoreScripts: true,
-        save: false,
-        saveBundle: false,
-        // progress: false,
-        fund: false
+        ...safeOptOverrides
       },
       ...ctorArgs.slice(1)
     )
@@ -31,9 +37,8 @@ export class SafeArborist extends Arborist {
   async [kRiskyReify](
     ...args: Parameters<InstanceType<ArboristClass>['reify']>
   ): Promise<SafeNode> {
-    // SafeArborist has suffered side effects and must be rebuilt from scratch.
     const arb = new Arborist(...(this as any)[kCtorArgs])
-    arb.idealTree = this.idealTree
+    //arb.idealTree = this.idealTree
     const ret = await arb.reify(...args)
     Object.assign(this, arb)
     return ret
@@ -44,24 +49,18 @@ export class SafeArborist extends Arborist {
     this: SafeArborist,
     ...args: Parameters<InstanceType<ArboristClass>['reify']>
   ): Promise<SafeNode> {
-    const options = <ArboristReifyOptions>(args[0] ? { ...args[0] } : {})
+    const options = <ArboristReifyOptions>{
+      __proto__: null,
+      ...(args.length ? args[0] : undefined)
+    }
     if (options.dryRun) {
       return await this[kRiskyReify](...args)
     }
-    const old = {
-      ...options,
-      dryRun: false,
-      save: Boolean(options.save ?? true),
-      saveBundle: Boolean(options.saveBundle ?? false)
-    }
+    Object.assign(options, safeOptOverrides)
+    const old = args[0]
     args[0] = options
-    options.dryRun = true
-    options.save = false
-    options.saveBundle = false
     await super.reify(...args)
-    options.dryRun = old.dryRun
-    options.save = old.save
-    options.saveBundle = old.saveBundle
+    args[0] = old
     return await Reflect.apply(reify, this, args)
   }
 }