SocketDev · jdalton · May 6, 2025 · May 6, 2025 · May 6, 2025
diff --git a/.config/rollup.dist.config.mjs b/.config/rollup.dist.config.mjs
@@ -37,7 +37,6 @@ const {
   ROLLUP_EXTERNAL_SUFFIX,
   SHADOW_NPM_BIN,
   SHADOW_NPM_INJECT,
-  SHADOW_NPM_PATHS,
   SLASH_NODE_MODULES_SLASH,
   SOCKET_CLI_BIN_NAME,
   SOCKET_CLI_BIN_NAME_ALIAS,
@@ -50,6 +49,7 @@ const {
   SOCKET_CLI_SENTRY_NPM_BIN_NAME,
   SOCKET_CLI_SENTRY_NPX_BIN_NAME,
   SOCKET_CLI_SENTRY_PACKAGE_NAME,
+  UTILS,
   VENDOR
 } = constants
 
@@ -274,7 +274,7 @@ export default async () => {
   const nmPath = path.join(rootPath, NODE_MODULES)
   const shadowNpmBinSrcPath = path.join(srcPath, 'shadow/npm/bin.mts')
   const shadowNpmInjectSrcPath = path.join(srcPath, 'shadow/npm/inject.mts')
-  const shadowNpmPathsSrcPath = path.join(srcPath, 'shadow/npm/paths.mts')
+  const utilsSrcPath = path.join(srcPath, UTILS)
   const blessedContribFilepaths = await tinyGlob(['**/*.mjs'], {
     absolute: true,
     cwd: path.join(externalSrcPath, BLESSED_CONTRIB)
@@ -362,10 +362,14 @@ export default async () => {
                 return SHADOW_NPM_BIN
               case shadowNpmInjectSrcPath:
                 return SHADOW_NPM_INJECT
-              case shadowNpmPathsSrcPath:
-                return SHADOW_NPM_PATHS
               default:
-                return id.includes(SLASH_NODE_MODULES_SLASH) ? VENDOR : null
+                if (id.startsWith(utilsSrcPath)) {
+                  return UTILS
+                }
+                if (id.includes(SLASH_NODE_MODULES_SLASH)) {
+                  return VENDOR
+                }
+                return null
             }
           },
           plugins: [

diff --git a/scripts/constants.js b/scripts/constants.js
@@ -28,7 +28,6 @@ const INSTRUMENT_WITH_SENTRY = 'instrument-with-sentry'
 const ROLLUP_EXTERNAL_SUFFIX = '?commonjs-external'
 const SHADOW_NPM_BIN = 'shadow-bin'
 const SHADOW_NPM_INJECT = 'shadow-npm-inject'
-const SHADOW_NPM_PATHS = 'shadow-npm-paths'
 const SLASH_NODE_MODULES_SLASH = '/node_modules/'
 const SOCKET = 'socket'
 const SOCKET_CLI_BIN_NAME = 'socket'
@@ -42,6 +41,7 @@ const SOCKET_CLI_SENTRY_BIN_NAME = 'socket-with-sentry'
 const SOCKET_CLI_SENTRY_NPM_BIN_NAME = 'socket-npm-with-sentry'
 const SOCKET_CLI_SENTRY_NPX_BIN_NAME = 'socket-npx-with-sentry'
 const SOCKET_CLI_SENTRY_PACKAGE_NAME = `${SOCKET_SECURITY_SCOPE}/cli-with-sentry`
+const UTILS = 'utils'
 const VENDOR = 'vendor'
 const WITH_SENTRY = 'with-sentry'
 
@@ -105,7 +105,6 @@ const constants = createConstantsObject(
     ROLLUP_EXTERNAL_SUFFIX,
     SHADOW_NPM_BIN,
     SHADOW_NPM_INJECT,
-    SHADOW_NPM_PATHS,
     SLASH_NODE_MODULES_SLASH,
     SOCKET,
     SOCKET_CLI_BIN_NAME,
@@ -119,6 +118,7 @@ const constants = createConstantsObject(
     SOCKET_CLI_SENTRY_NPM_BIN_NAME,
     SOCKET_CLI_SENTRY_NPX_BIN_NAME,
     SOCKET_CLI_SENTRY_PACKAGE_NAME,
+    UTILS,
     VENDOR,
     WITH_SENTRY,
     configPath: undefined,

diff --git a/src/commands/fix/npm-fix.mts b/src/commands/fix/npm-fix.mts
@@ -31,17 +31,15 @@ import {
   SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
   SafeArborist
 } from '../../shadow/npm/arborist/lib/arborist/index.mts'
-import {
-  getAlertsMapFromArborist,
-  getAlertsMapFromPurls
-} from '../../utils/alerts-map.mts'
 import {
   findBestPatchVersion,
   findPackageNode,
   findPackageNodes,
+  getAlertsMapFromArborist,
   updateNode,
   updatePackageJsonFromNode
-} from '../../utils/arborist-helpers.mts'
+} from '../../shadow/npm/arborist-helpers.mts'
+import { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'
 import { removeNodeModules } from '../../utils/fs.mts'
 import { globWorkspace } from '../../utils/glob.mts'
 import { applyRange } from '../../utils/semver.mts'

diff --git a/src/commands/fix/pnpm-fix.mts b/src/commands/fix/pnpm-fix.mts
@@ -32,17 +32,17 @@ import {
   SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
   SafeArborist
 } from '../../shadow/npm/arborist/lib/arborist/index.mts'
-import { runAgentInstall } from '../../utils/agent.mts'
-import {
-  getAlertsMapFromPnpmLockfile,
-  getAlertsMapFromPurls
-} from '../../utils/alerts-map.mts'
 import {
   findBestPatchVersion,
   findPackageNode,
   findPackageNodes,
   updatePackageJsonFromNode
-} from '../../utils/arborist-helpers.mts'
+} from '../../shadow/npm/arborist-helpers.mts'
+import { runAgentInstall } from '../../utils/agent.mts'
+import {
+  getAlertsMapFromPnpmLockfile,
+  getAlertsMapFromPurls
+} from '../../utils/alerts-map.mts'
 import { removeNodeModules } from '../../utils/fs.mts'
 import { globWorkspace } from '../../utils/glob.mts'
 import { parsePnpmLockfileVersion } from '../../utils/pnpm.mts'

diff --git a/src/commands/raw-npm/run-raw-npm.mts b/src/commands/raw-npm/run-raw-npm.mts
@@ -1,7 +1,7 @@
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import constants from '../../constants.mts'
-import { getNpmBinPath } from '../../shadow/npm/paths.mts'
+import { getNpmBinPath } from '../../utils/npm-paths.mts'
 
 export async function runRawNpm(
   argv: string[] | readonly string[]

diff --git a/src/commands/raw-npx/run-raw-npx.mts b/src/commands/raw-npx/run-raw-npx.mts
@@ -1,7 +1,7 @@
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import constants from '../../constants.mts'
-import { getNpxBinPath } from '../../shadow/npm/paths.mts'
+import { getNpxBinPath } from '../../utils/npm-paths.mts'
 
 export async function runRawNpx(
   argv: string[] | readonly string[]

diff --git a/src/constants.mts b/src/constants.mts
@@ -108,7 +108,6 @@ type Constants = Remap<
     readonly REDACTED: '<redacted>'
     readonly SHADOW_NPM_BIN: 'shadow-bin'
     readonly SHADOW_NPM_INJECT: 'shadow-npm-inject'
-    readonly SHADOW_NPM_PATHS: 'shadow-npm-paths'
     readonly SOCKET: 'socket'
     readonly SOCKET_APP_DIR: 'socket/settings'
     readonly SOCKET_CLI_ACCEPT_RISKS: 'SOCKET_CLI_ACCEPT_RISKS'
@@ -179,7 +178,6 @@ const PNPM = 'pnpm'
 const REDACTED = '<redacted>'
 const SHADOW_NPM_BIN = 'shadow-bin'
 const SHADOW_NPM_INJECT = 'shadow-npm-inject'
-const SHADOW_NPM_PATHS = 'shadow-npm-paths'
 const SOCKET = 'socket'
 const SOCKET_APP_DIR = 'socket/settings'
 const SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'
@@ -447,7 +445,6 @@ const constants: Constants = createConstantsObject(
     REDACTED,
     SHADOW_NPM_BIN,
     SHADOW_NPM_INJECT,
-    SHADOW_NPM_PATHS,
     SOCKET,
     SOCKET_APP_DIR,
     SOCKET_CLI_ACCEPT_RISKS,

diff --git a/src/utils/arborist-helpers.mts → src/shadow/npm/arborist-helpers.mts b/src/utils/arborist-helpers.mts → src/shadow/npm/arborist-helpers.mts
@@ -5,17 +5,24 @@ import { getManifestData } from '@socketsecurity/registry'
 import { hasOwn } from '@socketsecurity/registry/lib/objects'
 import { fetchPackagePackument } from '@socketsecurity/registry/lib/packages'
 
-import constants from '../constants.mts'
-import { applyRange, getMajor } from './semver.mts'
-import { idToPurl } from './spec.mts'
-import { DiffAction } from '../shadow/npm/arborist/lib/arborist/types.mts'
-import { Edge } from '../shadow/npm/arborist/lib/edge.mts'
+import constants from '../../constants.mts'
+import { applyRange, getMajor } from '../../utils/semver.mts'
+import { idToPurl } from '../../utils/spec.mts'
+import { DiffAction } from './arborist/lib/arborist/types.mts'
+import { Edge } from './arborist/lib/edge.mts'
+import { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'
 
-import type { RangeStyle } from './semver.mts'
-import type { Diff } from '../shadow/npm/arborist/lib/arborist/types.mts'
-import type { SafeEdge } from '../shadow/npm/arborist/lib/edge.mts'
-import type { SafeNode } from '../shadow/npm/arborist/lib/node.mts'
+import type { RangeStyle } from '../../utils/semver.mts'
+import type { SafeArborist } from './arborist/lib/arborist/index.mts'
+import type { Diff } from './arborist/lib/arborist/types.mts'
+import type { SafeEdge } from './arborist/lib/edge.mts'
+import type { SafeNode } from './arborist/lib/node.mts'
+import type {
+  AlertIncludeFilter,
+  AlertsByPkgId
+} from '../../utils/socket-package-alert.mts'
 import type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'
+import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
 const { LOOP_SENTINEL, NPM, NPM_REGISTRY_URL } = constants
 
@@ -108,6 +115,64 @@ export function findPackageNodes(
   return matches
 }
 
+export type GetAlertsMapFromArboristOptions = {
+  consolidate?: boolean | undefined
+  include?: AlertIncludeFilter | undefined
+  nothrow?: boolean | undefined
+  spinner?: Spinner | undefined
+}
+
+export async function getAlertsMapFromArborist(
+  arb: SafeArborist,
+  options_?: GetAlertsMapFromArboristOptions | undefined
+): Promise<AlertsByPkgId> {
+  const options = {
+    __proto__: null,
+    consolidate: false,
+    limit: Infinity,
+    nothrow: false,
+    ...options_
+  } as GetAlertsMapFromArboristOptions
+
+  const include = {
+    __proto__: null,
+    actions: undefined,
+    blocked: true,
+    critical: true,
+    cve: true,
+    existing: false,
+    unfixable: true,
+    upgradable: false,
+    ...options.include
+  } as AlertIncludeFilter
+
+  const needInfoOn = getDetailsFromDiff(arb.diff, {
+    include: {
+      unchanged: include.existing
+    }
+  })
+  const purls = needInfoOn.map(d => idToPurl(d.node.pkgid))
+
+  let overrides: { [key: string]: string } | undefined
+  const overridesMap = (
+    arb.actualTree ??
+    arb.idealTree ??
+    (await arb.loadActual())
+  )?.overrides?.children
+  if (overridesMap) {
+    overrides = Object.fromEntries(
+      [...overridesMap.entries()].map(([key, overrideSet]) => {
+        return [key, overrideSet.value!]
+      })
+    )
+  }
+
+  return await getAlertsMapFromPurls(purls, {
+    overrides,
+    ...options
+  })
+}
+
 export type DiffQueryIncludeFilter = {
   unchanged?: boolean | undefined
   unknownOrigin?: boolean | undefined

diff --git a/src/shadow/npm/arborist/lib/arborist/index.mts b/src/shadow/npm/arborist/lib/arborist/index.mts
@@ -3,8 +3,8 @@ import { createRequire } from 'node:module'
 import { logger } from '@socketsecurity/registry/lib/logger'
 
 import constants from '../../../../../constants.mts'
-import { getAlertsMapFromArborist } from '../../../../../utils/alerts-map.mts'
 import { logAlertsMap } from '../../../../../utils/socket-package-alert.mts'
+import { getAlertsMapFromArborist } from '../../../arborist-helpers.mts'
 import { getArboristClassPath } from '../../../paths.mts'
 
 import type { ArboristClass, ArboristReifyOptions } from './types.mts'

diff --git a/src/shadow/npm/arborist/lib/dep-valid.mts b/src/shadow/npm/arborist/lib/dep-valid.mts
@@ -6,9 +6,22 @@ import type { SafeNode } from './node.mts'
 
 const require = createRequire(import.meta.url)
 
-export const depValid: (
+type DepValidFn = (
   child: SafeNode,
   requested: string,
   accept: string | undefined,
   requester: SafeNode
-) => boolean = require(getArboristDepValidPath())
+) => boolean
+
+let _depValid: DepValidFn | undefined
+export function depValid(
+  child: SafeNode,
+  requested: string,
+  accept: string | undefined,
+  requester: SafeNode
+) {
+  if (_depValid === undefined) {
+    _depValid = require(getArboristDepValidPath()) as DepValidFn
+  }
+  return _depValid(child, requested, accept, requester)
+}
diff --git a/src/utils/npm.mts → src/shadow/npm/install.mts b/src/utils/npm.mts → src/shadow/npm/install.mts
@@ -9,8 +9,8 @@ import {
 import { isObject } from '@socketsecurity/registry/lib/objects'
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
-import constants from '../constants.mts'
-import { getNpmBinPath } from '../shadow/npm/paths.mts'
+import constants from '../../constants.mts'
+import { getNpmBinPath } from '../../utils/npm-paths.mts'
 
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 

diff --git a/src/shadow/npm/link.mts b/src/shadow/npm/link.mts
@@ -2,13 +2,13 @@ import path from 'node:path'
 
 import cmdShim from 'cmd-shim'
 
+import constants from '../../constants.mts'
 import {
   getNpmBinPath,
   getNpxBinPath,
   isNpmBinPathShadowed,
   isNpxBinPathShadowed
-} from './paths.mts'
-import constants from '../../constants.mts'
+} from '../../utils/npm-paths.mts'
 
 const { CLI, NPX } = constants