Cleanup how safe-wrapper flags are used

Author: jdalton

src/commands/cdxgen/cmd-cdxgen.ts

@@ -138,13 +138,12 @@ async function run(
 ): Promise<void> {
   const cli = meowOrExit({
     allowUnknownFlags: true,
-    argv: argv.filter(s => s !== '--help' && s !== '-h'), // Don't let meow take over --help
+    // Don't let meow take over --help.
+    argv: argv.filter(s => s !== '--help' && s !== '-h'),
     config,
     importMeta,
     parentName
   })
-  //
-  //
   // if (cli.input.length)
   //   logger.fail(
   //     stripIndents`
@@ -156,10 +155,10 @@ async function run(
   //   return
   // }
 
-  // TODO: convert to meow
+  // TODO: Convert to meow.
   const yargv = {
     ...yargsParse(argv as string[], yargsConfig)
-  } as any // as Record<string, unknown>;
+  } as any
 
   const unknown: string[] = yargv._
   const { length: unknownLength } = unknown
@@ -174,14 +173,14 @@ async function run(
     return
   }
 
-  if (yargv.output === undefined) {
-    yargv.output = 'socket-cdx.json'
-  }
-
   if (cli.flags['dryRun']) {
     logger.log(DRY_RUN_BAIL_TEXT)
     return
   }
 
+  if (yargv.output === undefined) {
+    yargv.output = 'socket-cdx.json'
+  }
+
   await runCycloneDX(yargv)
 }

src/commands/cdxgen/run-cyclonedx.ts

@@ -36,21 +36,22 @@ export async function runCycloneDX(yargv: any) {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
-        await shadowBin(
-          NPX,
-          ['[email protected]', '--', '--source-file', './yarn.lock'],
-          2
-        )
+        await shadowBin(NPX, [
+          '[email protected]',
+          '--',
+          '--source-file',
+          './yarn.lock'
+        ])
         yargv.type = NPM
         cleanupPackageLock = true
       } catch {}
     }
   }
-  await shadowBin(
-    NPX,
-    ['@cyclonedx/[email protected]', '--', ...argvToArray(yargv)],
-    2
-  )
+  await shadowBin(NPX, [
+    '@cyclonedx/[email protected]',
+    '--',
+    ...argvToArray(yargv)
+  ])
   if (cleanupPackageLock) {
     try {
       await fs.rm('./package-lock.json')

src/constants.ts

@@ -55,7 +55,7 @@ type ENV = Remap<
 type IPC = Readonly<{
   SOCKET_CLI_FIX?: string | undefined
   SOCKET_CLI_OPTIMIZE?: boolean | undefined
-  SOCKET_CLI_SAFE_WRAPPER?: number | undefined
+  SOCKET_CLI_SAFE_WRAPPER?: string | undefined
 }>
 
 type Constants = Remap<

src/shadow/npm/arborist/lib/arborist/index.ts

@@ -12,6 +12,8 @@ import type { ArboristClass, ArboristReifyOptions } from './types'
 import type { SafeNode } from '../node'
 
 const {
+  NPM,
+  NPX,
   SOCKET_CLI_SAFE_WRAPPER,
   kInternalsSymbol,
   [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIPC }
@@ -82,10 +84,15 @@ export class SafeArborist extends Arborist {
       __proto__: null,
       ...(args.length ? args[0] : undefined)
     } as ArboristReifyOptions
-    const level = options.dryRun ? 0 : await getIPC(SOCKET_CLI_SAFE_WRAPPER)
-    if (!level) {
+    const safeWrapperName = options.dryRun
+      ? undefined
+      : await getIPC(SOCKET_CLI_SAFE_WRAPPER)
+    const isSafeNpm = safeWrapperName === NPM
+    const isSafeNpx = safeWrapperName === NPX
+    if (!safeWrapperName || (isSafeNpx && options['yes'])) {
       return await this[kRiskyReify](...args)
     }
+
     // Lazily access constants.spinner.
     const { spinner } = constants
     await super.reify(
@@ -100,7 +107,8 @@ export class SafeArborist extends Arborist {
     const alertsMap = await getAlertsMapFromArborist(this, {
       spinner,
       include: {
-        unfixable: level < 2
+        existing: isSafeNpx,
+        unfixable: isSafeNpm
       }
     })
     if (alertsMap.size) {

src/shadow/npm/bin.ts

@@ -18,8 +18,7 @@ const {
 
 export default async function shadowBin(
   binName: 'npm' | 'npx',
-  args = process.argv.slice(2),
-  level = 1
+  args = process.argv.slice(2)
 ) {
   process.exitCode = 1
   const useDebug = isDebug()
@@ -74,7 +73,7 @@ export default async function shadowBin(
   })
   spawnPromise.process.send({
     [SOCKET_IPC_HANDSHAKE]: {
-      [SOCKET_CLI_SAFE_WRAPPER]: level
+      [SOCKET_CLI_SAFE_WRAPPER]: binName
     }
   })
   await spawnPromise