Merge branch 'main' into action-cmd

typicode · web-flow · commit b5fa690d1a34 · 2024-12-10T16:49:21.000+01:00
Signed-off-by: typicode &lt;typicode@gmail.com&gt;
diff --git a/.dep-stats.json b/.dep-stats.json
@@ -5,7 +5,7 @@
     "@inquirer/prompts": "^7.1.0",
     "@npmcli/promise-spawn": "^8.0.2",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.33",
+    "@socketsecurity/registry": "^1.0.35",
     "@socketsecurity/sdk": "^1.3.0",
     "blessed": "^0.1.81",
     "blessed-contrib": "^4.11.0",
diff --git a/eslint.config.js b/eslint.config.js
@@ -41,6 +41,7 @@ const sharedRules = {
 }
 
 const sharedRulesForImportX = {
+  ...origImportXFlatConfigs.recommended.rules,
   'import-x/order': [
     'warn',
     {
@@ -66,35 +67,38 @@ const sharedRulesForImportX = {
   ]
 }
 
-const getImportXFlatConfigs = isEsm => ({
-  recommended: {
-    ...origImportXFlatConfigs.recommended,
-    languageOptions: {
-      ...origImportXFlatConfigs.recommended.languageOptions,
-      ecmaVersion: LATEST,
-      sourceType: isEsm ? 'module' : 'script'
+function getImportXFlatConfigs(isEsm) {
+  return {
+    recommended: {
+      ...origImportXFlatConfigs.recommended,
+      languageOptions: {
+        ...origImportXFlatConfigs.recommended.languageOptions,
+        ecmaVersion: LATEST,
+        sourceType: isEsm ? 'module' : 'script'
+      },
+      rules: {
+        ...sharedRulesForImportX,
+        'import-x/no-named-as-default-member': 'off'
+      }
     },
-    rules: {
-      ...origImportXFlatConfigs.recommended.rules,
-      ...sharedRulesForImportX,
-      'import-x/no-named-as-default-member': 'off'
-    }
-  },
-  typescript: {
-    ...origImportXFlatConfigs.typescript,
-    settings: {
-      ...origImportXFlatConfigs.typescript.settings,
-      'import-x/resolver-next': [
-        createOxcImportResolver({
-          tsConfig: {
-            configFile: rootTsConfigPath,
-            references: 'auto'
-          }
-        })
-      ]
+    typescript: {
+      ...origImportXFlatConfigs.typescript,
+      plugins: origImportXFlatConfigs.recommended.plugins,
+      settings: {
+        ...origImportXFlatConfigs.typescript.settings,
+        ...sharedRulesForImportX,
+        'import-x/resolver-next': [
+          createOxcImportResolver({
+            tsConfig: {
+              configFile: rootTsConfigPath,
+              references: 'auto'
+            }
+          })
+        ]
+      }
     }
   }
-})
+}
 
 const importFlatConfigsForScript = getImportXFlatConfigs(false)
 const importFlatConfigsForModule = getImportXFlatConfigs(true)
@@ -126,13 +130,13 @@ module.exports = [
         }
       }
     },
+    linterOptions: {
+      reportUnusedDisableDirectives: 'off'
+    },
     plugins: {
       ...sharedPlugins,
       '@typescript-eslint': tsEslint.plugin
     },
-    linterOptions: {
-      reportUnusedDisableDirectives: 'off'
-    },
     rules: {
       ...sharedRules,
       // Define @typescript-eslint/no-extraneous-class because oxlint defines
@@ -167,17 +171,10 @@ module.exports = [
     }
   },
   {
-    files: ['scripts/**/*.js', 'test/**/*.cjs'],
-    ...nodePlugin.configs['flat/recommended-script']
-  },
-  {
-    files: ['scripts/**/*.js', 'test/**/*.cjs'],
-    plugins: {
-      ...sharedPlugins
-    },
+    files: ['scripts/**/*.{c,}js', 'test/**/*.{c,}js'],
+    ...nodePlugin.configs['flat/recommended-script'],
     rules: {
-      ...js.configs.recommended.rules,
-      ...sharedRules,
+      ...nodePlugin.configs['flat/recommended-script'].rules,
       'n/exports-style': ['error', 'module.exports'],
       // The n/no-unpublished-bin rule does does not support non-trivial glob
       // patterns used in package.json "files" fields. In those cases we simplify
@@ -199,5 +196,15 @@ module.exports = [
         { argsIgnorePattern: '^_|^this$', ignoreRestSiblings: true }
       ]
     }
+  },
+  {
+    files: ['scripts/**/*.{c,}js', 'test/**/*.{c,}js'],
+    plugins: {
+      ...sharedPlugins
+    },
+    rules: {
+      ...js.configs.recommended.rules,
+      ...sharedRules
+    }
   }
 ]
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -78,7 +78,7 @@
     "@inquirer/prompts": "^7.1.0",
     "@npmcli/promise-spawn": "^8.0.2",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.33",
+    "@socketsecurity/registry": "^1.0.35",
     "@socketsecurity/sdk": "^1.3.0",
     "blessed": "^0.1.81",
     "blessed-contrib": "^4.11.0",
diff --git a/src/shadow/arborist.ts b/src/shadow/arborist.ts
@@ -248,6 +248,17 @@ const kRiskyReify = Symbol('riskyReify')
 const formatter = new ColorOrMarkdown(false)
 const pubToken = getDefaultKey() ?? FREE_API_KEY
 
+type BatchIssue = {
+  type: string
+  value: {
+    severity: string
+    category: string
+    locations: ({ [key: string]: any })[]
+    label: string
+    description: string
+    props: { [key: string]: any }
+  }
+}
 type IssueUXLookup = ReturnType<typeof createIssueUXLookup>
 type IssueUXLookupSettings = Parameters<IssueUXLookup>[0]
 type IssueUXLookupResult = ReturnType<IssueUXLookup>
@@ -271,7 +282,12 @@ async function* batchScan(
 ): AsyncGenerator<
   { eco: string; pkg: string; ver: string } & (
     | { type: 'missing' }
-    | { type: 'success'; value: { issues: any[] } }
+    | {
+        type: 'success'
+        value: {
+          issues: BatchIssue[]
+        }
+      }
   )
 > {
   const query = {
@@ -369,6 +385,14 @@ function findSpecificOverrideSet(
   return undefined
 }
 
+function isIssueFixable(issue: BatchIssue): boolean {
+  const { type } = issue
+  if (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') {
+    return !!issue.value.props['firstPatchedVersionIdentifier']
+  }
+  return type === 'socketUpgradeAvailable'
+}
+
 function maybeReadfileSync(filepath: string): string | undefined {
   try {
     return readFileSync(filepath, 'utf8')
@@ -400,26 +424,27 @@ async function packagesHaveRiskyIssues(
       const id = `${name}@${version}`
 
       let displayWarning = false
-      let failures: {
+      let issues: {
         type: string
         block: boolean
+        fixable: boolean
         raw?: any
       }[] = []
       if (pkgData.type === 'missing') {
         result = true
-        failures.push({
+        issues.push({
           type: 'missingDependency',
           block: false,
+          fixable: false,
           raw: undefined
         })
       } else {
         let blocked = false
-        for (const failure of pkgData.value.issues) {
-          const { type } = failure
+        for (const issue of pkgData.value.issues) {
           // eslint-disable-next-line no-await-in-loop
           const ux = await uxLookup({
             package: { name, version },
-            issue: { type }
+            issue: { type: issue.type }
           })
           if (ux.block) {
             result = true
@@ -429,10 +454,11 @@ async function packagesHaveRiskyIssues(
             displayWarning = true
           }
           if (ux.block || ux.display) {
-            failures.push({
-              type,
+            issues.push({
+              type: issue.type,
               block: ux.block,
-              raw: failure
+              raw: issue,
+              fixable: isIssueFixable(issue)
             })
             // Before we ask about problematic issues, check to see if they
             // already existed in the old version if they did, be quiet.
@@ -445,10 +471,10 @@ async function packagesHaveRiskyIssues(
                 (await batchScan([pkg.existing]).next()).value
               )
               if (oldPkgData.type === 'success') {
-                failures = failures.filter(
-                  issue =>
+                issues = issues.filter(
+                  ({ type }) =>
                     oldPkgData.value.issues.find(
-                      oldIssue => oldIssue.type === issue.type
+                      oldIssue => oldIssue.type === type
                     ) === undefined
                 )
               }
@@ -469,30 +495,32 @@ async function packagesHaveRiskyIssues(
           }
         }
       }
+      if (displayWarning && isBlessedPackageName(name)) {
+        issues = issues.filter(
+          ({ type }) =>
+            type !== 'unpopularPackage' && type !== 'unstableOwnership'
+        )
+        displayWarning = issues.length > 0
+      }
       if (displayWarning) {
         spinner.stop(
           `(socket) ${formatter.hyperlink(id, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:`
         )
-        // Filter issues for blessed packages.
-        if (isBlessedPackageName(name)) {
-          failures = failures.filter(
-            ({ type }) =>
-              type !== 'unpopularPackage' && type !== 'unstableOwnership'
-          )
-        }
-        failures.sort((a, b) => (a.type < b.type ? -1 : 1))
-
+        issues.sort((a, b) => (a.type < b.type ? -1 : 1))
         const lines = new Set()
-        for (const failure of failures) {
-          const { type } = failure
+        for (const issue of issues) {
           // Based data from { pageProps: { alertTypes } } of:
           // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
-          const info = translations.issues[type]
-          const title = info?.title ?? type
-          const maybeBlocking = failure.block ? '' : ' (non-blocking)'
+          const info = translations.issues[issue.type]
+          const title = info?.title ?? issue.type
+          const attributes = [
+            ...(issue.fixable ? ['fixable'] : []),
+            ...(issue.block ? [] : ['non-blocking'])
+          ]
+          const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : ''
           const maybeDesc = info?.description ? ` - ${info.description}` : ''
           // TODO: emoji seems to mis-align terminals sometimes
-          lines.add(`  ${title}${maybeBlocking}${maybeDesc}\n`)
+          lines.add(`  ${title}${maybeAttributes}${maybeDesc}\n`)
         }
         for (const line of lines) {
           output?.write(line)
