Cleanup getPackagesToQueryFromDiff

Author: jdalton

src/shadow/arborist/lib/arborist/diff.ts

@@ -3,30 +3,35 @@ import constants from '../../../../constants'
 import type { SafeNode } from '../node'
 import type { Diff } from '@npmcli/arborist'
 
-const { LOOP_SENTINEL, SOCKET_CLI_FIX_PACKAGE_LOCK_FILE } = constants
+const { LOOP_SENTINEL, NPM_REGISTRY_URL, SOCKET_CLI_FIX_PACKAGE_LOCK_FILE } =
+  constants
 
-function toRepoUrl(resolved: string): string {
+function getUrlOrigin(input: string): string {
   try {
-    return URL.parse(resolved)?.origin ?? ''
+    return URL.parse(input)?.origin ?? ''
   } catch {}
   return ''
 }
 
 export type PackageDetail = {
   pkgid: SafeNode['pkgid']
-  repository_url: string
+  origin: string
   existing?: SafeNode['pkgid'] | undefined
 }
 
-type GetPackagesToQueryFromDiffOptions = { includeUnchanged?: boolean }
+type GetPackagesToQueryFromDiffOptions = {
+  includeUnchanged?: boolean
+  includeUnknownOrigin?: boolean
+}
 
 export function getPackagesToQueryFromDiff(
   diff_: Diff | null,
   options?: GetPackagesToQueryFromDiffOptions
 ): PackageDetail[] {
   const {
     // Lazily access constants.IPC.
-    includeUnchanged = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]
+    includeUnchanged = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE],
+    includeUnknownOrigin = false
   } = <GetPackagesToQueryFromDiffOptions>{
     __proto__: null,
     ...options
@@ -70,11 +75,14 @@ export function getPackagesToQueryFromDiff(
         keep = action !== 'REMOVE'
       }
       if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        details.push({
-          existing,
-          pkgid: pkgNode.pkgid,
-          repository_url: toRepoUrl(pkgNode.resolved)
-        })
+        const origin = getUrlOrigin(pkgNode.resolved)
+        if (includeUnknownOrigin || origin === NPM_REGISTRY_URL) {
+          details.push({
+            pkgid: pkgNode.pkgid,
+            origin,
+            existing
+          })
+        }
       }
     }
     for (const child of diff.children) {
@@ -85,11 +93,15 @@ export function getPackagesToQueryFromDiff(
     const { unchanged } = diff_!
     for (let i = 0, { length } = unchanged; i < length; i += 1) {
       const pkgNode = unchanged[i]!
-      details.push({
-        existing: pkgNode.pkgid,
-        pkgid: pkgNode.pkgid,
-        repository_url: toRepoUrl(pkgNode.resolved!)
-      })
+      const origin = getUrlOrigin(pkgNode.resolved!)
+      if (includeUnknownOrigin || origin === NPM_REGISTRY_URL) {
+        const { pkgid } = pkgNode
+        details.push({
+          pkgid,
+          origin,
+          existing: pkgid
+        })
+      }
     }
   }
   return details

src/shadow/arborist/lib/arborist/reify.ts

@@ -12,8 +12,8 @@ import {
 import { confirm } from '@socketsecurity/registry/lib/prompts'
 import { Spinner } from '@socketsecurity/registry/lib/spinner'
 
-import { kCtorArgs, kRiskyReify } from './index'
 import { getPackagesToQueryFromDiff } from './diff'
+import { kCtorArgs, kRiskyReify } from './index'
 import constants from '../../../../constants'
 import {
   batchScan,
@@ -27,8 +27,8 @@ import { getSocketDevPackageOverviewUrl } from '../../../../utils/socket-url'
 import { pacotePath } from '../../../npm-paths'
 import { Edge, SafeEdge } from '../edge'
 
+import type { PackageDetail } from './diff'
 import type { ArboristClass, AuditAdvisory, SafeArborist } from './index'
-import type { InstallEffect } from './walk'
 import type { SocketArtifact } from '../../../../utils/alert/artifact'
 import type { SafeNode } from '../node'
 import type { Writable } from 'node:stream'
@@ -107,10 +107,10 @@ type GetPackageAlertsOptions = {
 
 async function getPackagesAlerts(
   safeArb: SafeArborist,
-  pkgs: InstallEffect[],
+  details: PackageDetail[],
   options?: GetPackageAlertsOptions
 ): Promise<SocketPackageAlert[]> {
-  let { length: remaining } = pkgs
+  let { length: remaining } = details
   const packageAlerts: SocketPackageAlert[] = []
   if (!remaining) {
     return packageAlerts
@@ -125,7 +125,7 @@ async function getPackagesAlerts(
     : () => ''
   spinner?.start(getText())
   try {
-    for await (const artifact of batchScan(pkgs.map(p => p.pkgid))) {
+    for await (const artifact of batchScan(details.map(d => d.pkgid))) {
       if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
         continue
       }
@@ -371,10 +371,7 @@ export async function reify(
   ...args: Parameters<InstanceType<ArboristClass>['reify']>
 ): Promise<SafeNode> {
   const needInfoOn = getPackagesToQueryFromDiff(this.diff)
-  if (
-    !needInfoOn.length ||
-    needInfoOn.findIndex(c => c.repository_url === NPM_REGISTRY_URL) === -1
-  ) {
+  if (!needInfoOn.length) {
     // Nothing to check, hmmm already installed or all private?
     return await this[kRiskyReify](...args)
   }