Run socket npm install after optimize when agent is npm

Author: jdalton

src/commands/optimize.ts

@@ -1,5 +1,8 @@
-import meow from 'meow'
+import path from 'node:path'
+
+import spawn from '@npmcli/promise-spawn'
 import { getManifestData } from '@socketsecurity/registry'
+import meow from 'meow'
 
 import { printFlagList } from '../utils/formatting'
 import { writeFileUtf8 } from '../utils/fs'
@@ -17,6 +20,8 @@ import type {
   StringKeyValueObject
 } from '../utils/package-manager-detector'
 
+const distPath = __dirname
+
 const OVERRIDES_FIELD_NAME = 'overrides'
 
 const RESOLUTIONS_FIELD_NAME = 'resolutions'
@@ -54,17 +59,22 @@ type CreateManifest = (
 
 const createManifestByAgent: Record<Agent, CreateManifest> = {
   npm: (ref: PackageJSONObject, overrides: Overrides) =>
-    <PackageJSONObject>{ ...ref, overrides },
+    (<unknown>{ __proto__: null, ...ref, overrides }) as PackageJSONObject,
   pnpm: (ref: PackageJSONObject, overrides: Overrides) =>
-    <PackageJSONObject>{
+    (<unknown>{
+      __proto__: null,
       ...ref,
       pnpm: <PackageJSONObject>{
         ...(<StringKeyValueObject>(ref['pnpm'] ?? {})),
         overrides
       }
-    },
+    }) as PackageJSONObject,
   yarn: (ref: PackageJSONObject, overrides: Overrides) =>
-    <PackageJSONObject>{ ...ref, resolutions: overrides }
+    (<unknown>{
+      __proto__: null,
+      ...ref,
+      resolutions: overrides
+    }) as PackageJSONObject
 } as const
 
 type LockIncludes = (lockSrc: string, name: string) => boolean
@@ -253,7 +263,10 @@ async function addOverrides(
   for (const name of allPackages) {
     if (!hasOwn(overrides, name) && lockIncludes(lockSrc, name)) {
       if (clonedOverrides === undefined) {
-        clonedOverrides = { ...overrides }
+        clonedOverrides = (<unknown>{
+          __proto__: null,
+          ...overrides
+        }) as Overrides
       }
       addedCount += 1
       packageNames.add(name)
@@ -289,8 +302,6 @@ export const optimize: CliSubcommand = {
       importMeta
     )
     if (commandContext) {
-      //const spinnerText = 'Searching dependencies...'
-      //const spinner = ora(spinnerText).start()
       const { agent, lockSrc, pkgJson, pkgPath, pkgJsonStr, supported } =
         await detect({
           cwd: process.cwd(),
@@ -342,6 +353,7 @@ export const optimize: CliSubcommand = {
         for (const config of configs) {
           await addOverrides(
             <AddOverridesConfig>{
+              __proto__: null,
               lockSrc,
               pkgPath,
               pkgJson,
@@ -351,6 +363,17 @@ export const optimize: CliSubcommand = {
             aoState
           )
         }
+        if (agent === 'npm') {
+          const wrapperPath = path.join(distPath, 'npm-cli.js')
+          await spawn(process.execPath, [wrapperPath, ...argv], {
+            stdio: 'inherit',
+            env: (<unknown>{
+              __proto__: null,
+              ...process.env,
+              UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: '1'
+            }) as NodeJS.ProcessEnv
+          })
+        }
       }
       const { size: count } = aoState.packageNames
       if (count) {

src/constants.ts

@@ -1 +1,15 @@
+function envAsBoolean(value: any): boolean {
+  return (
+    typeof value === 'string' &&
+    (value === '1' || value.toLowerCase() === 'true')
+  )
+}
+
 export const API_V0_URL = 'https://api.socket.dev/v0'
+
+export const ENV = Object.freeze({
+  // Flag set by the optimize command to bypass the packagesHaveRiskyIssues check.
+  UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: envAsBoolean(
+    process.env['UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE']
+  )
+})

src/shadow/arborist.ts

@@ -29,7 +29,7 @@ import type {
 } from '@npmcli/arborist'
 import type { Writable } from 'node:stream'
 import type { Options as OraOptions } from 'ora'
-import { API_V0_URL } from '../constants'
+import { API_V0_URL, ENV } from '../constants'
 
 type ArboristClass = typeof BaseArborist & {
   new (...args: any): typeof BaseArborist
@@ -894,53 +894,56 @@ export class SafeArborist extends Arborist {
     ) {
       return await this[kRiskyReify](...args)
     }
-    const proceed = await ttyServer.captureTTY(
-      async (colorLevel, input, output) => {
-        chalk.level = colorLevel
-        if (input && output) {
-          const risky = await packagesHaveRiskyIssues(
-            this,
-            this['registry'],
-            diff,
-            output
-          )
-          if (!risky) {
-            return true
-          }
-          const rlin = new PassThrough()
-          input.pipe(rlin)
-          const rlout = new PassThrough()
-          rlout.pipe(output, { end: false })
-          const rli = rl.createInterface(rlin, rlout)
-          try {
-            while (true) {
-              const answer: string = await new Promise(resolve => {
-                rli.question(
-                  'Accept risks of installing these packages (y/N)?\n',
-                  { signal: abortSignal },
-                  resolve
-                )
-              })
-              if (/^\s*y(?:es)?\s*$/i.test(answer)) {
-                return true
-              }
-              if (/^(?:\s*no?\s*|)$/i.test(answer)) {
-                return false
+    let proceed = ENV.UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE
+    if (!proceed) {
+      proceed = await ttyServer.captureTTY(
+        async (colorLevel, input, output) => {
+          chalk.level = colorLevel
+          if (input && output) {
+            const risky = await packagesHaveRiskyIssues(
+              this,
+              this['registry'],
+              diff,
+              output
+            )
+            if (!risky) {
+              return true
+            }
+            const rlin = new PassThrough()
+            input.pipe(rlin)
+            const rlout = new PassThrough()
+            rlout.pipe(output, { end: false })
+            const rli = rl.createInterface(rlin, rlout)
+            try {
+              while (true) {
+                const answer: string = await new Promise(resolve => {
+                  rli.question(
+                    'Accept risks of installing these packages (y/N)?\n',
+                    { signal: abortSignal },
+                    resolve
+                  )
+                })
+                if (/^\s*y(?:es)?\s*$/i.test(answer)) {
+                  return true
+                }
+                if (/^(?:\s*no?\s*|)$/i.test(answer)) {
+                  return false
+                }
               }
+            } finally {
+              rli.close()
             }
-          } finally {
-            rli.close()
+          } else if (
+            await packagesHaveRiskyIssues(this, this['registry'], diff, output)
+          ) {
+            throw new Error(
+              'Socket npm Unable to prompt to accept risk, need TTY to do so'
+            )
           }
-        } else if (
-          await packagesHaveRiskyIssues(this, this['registry'], diff, output)
-        ) {
-          throw new Error(
-            'Socket npm Unable to prompt to accept risk, need TTY to do so'
-          )
+          return true
         }
-        return true
-      }
-    )
+      )
+    }
     if (proceed) {
       return await this[kRiskyReify](...args)
     } else {