Restrict overrides to those supported by the environment

Author: jdalton

src/commands/analytics.ts

@@ -1,4 +1,4 @@
-import fs from 'node:fs'
+import fs from 'node:fs/promises'
 
 import blessed from 'blessed'
 // @ts-ignore
@@ -186,30 +186,26 @@ async function fetchOrgAnalyticsData(
   if (result.success === false) {
     return handleUnsuccessfulApiResponse('getOrgAnalytics', result, spinner)
   }
-
   spinner.stop()
 
   if (!result.data.length) {
     return console.log(
       'No analytics data is available for this organization yet.'
     )
   }
-
   const data = formatData(result.data, 'org')
-
   if (outputJson && !filePath) {
     return console.log(result.data)
   }
-
   if (filePath) {
-    fs.writeFile(filePath, JSON.stringify(result.data), err => {
-      err
-        ? console.error(err)
-        : console.log(`Data successfully written to ${filePath}`)
-    })
+    try {
+      await fs.writeFile(filePath, JSON.stringify(result.data), 'utf8')
+      console.log(`Data successfully written to ${filePath}`)
+    } catch (e: any) {
+      console.error(e)
+    }
     return
   }
-
   return displayAnalyticsScreen(data)
 }
 
@@ -361,22 +357,19 @@ async function fetchRepoAnalyticsData(
       'No analytics data is available for this organization yet.'
     )
   }
-
   const data = formatData(result.data, 'repo')
-
   if (outputJson && !filePath) {
     return console.log(result.data)
   }
-
   if (filePath) {
-    fs.writeFile(filePath, JSON.stringify(result.data), err => {
-      err
-        ? console.error(err)
-        : console.log(`Data successfully written to ${filePath}`)
-    })
+    try {
+      await fs.writeFile(filePath, JSON.stringify(result.data), 'utf8')
+      console.log(`Data successfully written to ${filePath}`)
+    } catch (e: any) {
+      console.error(e)
+    }
     return
   }
-
   return displayAnalyticsScreen(data)
 }
 

src/commands/optimize.ts

@@ -14,6 +14,7 @@ import { escapeRegExp } from '../utils/regexps'
 import { toSortedObject } from '../utils/sorts'
 
 import type { Content as PackageJsonContent } from '@npmcli/package-json'
+import type { ManifestEntry } from '@socketsecurity/registry'
 import type { CliSubcommand } from '../utils/meow-with-subcommands'
 import type {
   Agent,
@@ -26,9 +27,7 @@ const COMMAND_TITLE = 'Socket Optimize'
 const OVERRIDES_FIELD_NAME = 'overrides'
 const RESOLUTIONS_FIELD_NAME = 'resolutions'
 
-const availableOverrides = getManifestData('npm')!.filter(({ 1: d }) =>
-  d.engines?.node?.startsWith('>=18')
-)
+const manifestNpmOverrides = getManifestData('npm')!
 
 type NpmOverrides = { [key: string]: string | StringKeyValueObject }
 type PnpmOrYarnOverrides = { [key: string]: string }
@@ -130,10 +129,10 @@ type AddOverridesConfig = {
   isWorkspace: boolean
   lockSrc: string
   lockIncludes: LockIncludes
+  manifestEntries: ManifestEntry[]
   pkgJsonPath: string
   pkgJsonStr: string
   pkgJson: PackageJsonContent
-  overrides?: Overrides | undefined
 }
 
 type AddOverridesState = {
@@ -148,6 +147,7 @@ async function addOverrides(
     isWorkspace,
     lockSrc,
     lockIncludes,
+    manifestEntries,
     pkgJsonPath
   }: AddOverridesConfig,
   aoState: AddOverridesState
@@ -194,7 +194,7 @@ async function addOverrides(
     )
   }
   const aliasMap = new Map<string, string>()
-  for (const { 1: data } of availableOverrides) {
+  for (const { 1: data } of manifestEntries) {
     const { name: regPkgName, package: origPkgName, version } = data
     for (const { 1: depObj } of depEntries) {
       let pkgSpec = depObj[origPkgName]
@@ -212,7 +212,7 @@ async function addOverrides(
         aliasMap.set(origPkgName, pkgSpec)
       }
     }
-    for (const { type, overrides } of overridesDataObjects) {
+    for (const { overrides, type } of overridesDataObjects) {
       if (
         !hasOwn(overrides, origPkgName) &&
         lockIncludes(lockSrc, origPkgName)
@@ -233,7 +233,7 @@ async function addOverrides(
   }
   if (packageNames.size) {
     editablePkgJson.update(<PackageJsonContent>Object.fromEntries(depEntries))
-    for (const { type, overrides } of overridesDataObjects) {
+    for (const { overrides, type } of overridesDataObjects) {
       updateManifestByAgent[type](editablePkgJson, toSortedObject(overrides))
     }
     await editablePkgJson.save()
@@ -259,6 +259,7 @@ export const optimize: CliSubcommand = {
         isWorkspace,
         lockSrc,
         lockPath,
+        minimumNodeVersion,
         pkgJsonPath,
         pkgJsonStr,
         pkgJson,
@@ -273,7 +274,7 @@ export const optimize: CliSubcommand = {
       })
       if (!supported) {
         console.log(
-          `✘ ${COMMAND_TITLE}: Package engines.node range is not supported`
+          `✘ ${COMMAND_TITLE}: No supported Node or browser range detected`
         )
         return
       }
@@ -301,6 +302,10 @@ export const optimize: CliSubcommand = {
           agent === 'bun'
             ? lockIncludesByAgent.yarn
             : lockIncludesByAgent[agent]
+        const nodeRange = `>=${minimumNodeVersion}`
+        const manifestEntries = manifestNpmOverrides.filter(({ 1: data }) =>
+          semver.satisfies(semver.coerce(data.engines.node)!, nodeRange)
+        )
         await addOverrides(
           <AddOverridesConfig>{
             __proto__: null,
@@ -309,6 +314,7 @@ export const optimize: CliSubcommand = {
             isWorkspace,
             lockIncludes,
             lockSrc,
+            manifestEntries,
             pkgJsonPath,
             pkgJsonStr,
             pkgJson

src/utils/objects.ts

@@ -1,8 +1,3 @@
-export function getOwn(obj: any, propKey: PropertyKey): any {
-  if (obj === null || obj === undefined) return undefined
-  return Object.hasOwn(obj, propKey) ? obj[propKey] : undefined
-}
-
 export function hasOwn(obj: any, propKey: PropertyKey): boolean {
   if (obj === null || obj === undefined) return false
   return Object.hasOwn(obj, propKey)

src/utils/package-manager-detector.ts

@@ -8,7 +8,7 @@ import which from 'which'
 
 import { existsSync, findUp, readFileBinary, readFileUtf8 } from './fs'
 import { parseJSONObject } from './json'
-import { getOwn, isObjectObject } from './objects'
+import { isObjectObject } from './objects'
 import { isNonEmptyString } from './strings'
 
 import type { Content as PackageJsonContent } from '@npmcli/package-json'
@@ -40,9 +40,50 @@ export const LOCKS: Record<string, string> = {
   'node_modules/.package-lock.json': 'npm'
 }
 
-const MAINTAINED_NODE_VERSIONS = browserslist('maintained node versions')
-  // Trim value, e.g. 'node 22.5.0' to '22.5.0'
-  .map(v => v.slice(5))
+const numericCollator = new Intl.Collator(undefined, {
+  numeric: true,
+  sensitivity: 'base'
+})
+const { compare: alphaNumericComparator } = numericCollator
+
+const maintainedNodeVersions = (() => {
+  // Under the hood browserlist uses the node-releases package which is out of date:
+  // https://github.com/chicoxyzzy/node-releases/issues/37
+  // So we maintain a manual version list for now.
+  // https://nodejs.org/en/about/previous-releases#looking-for-latest-release-of-a-version-branch
+  const manualPrev = '18.20.4'
+  const manualCurr = '20.18.0'
+  const manualNext = '22.10.0'
+
+  const query = browserslist('maintained node versions')
+    // Trim value, e.g. 'node 22.5.0' to '22.5.0'.
+    .map(s => s.slice(5 /*'node '.length*/))
+    // Sort ascending.
+    .toSorted(alphaNumericComparator)
+  const queryPrev = query.at(0) ?? manualPrev
+  const queryCurr = query.at(1) ?? manualCurr
+  const queryNext = query.at(2) ?? manualNext
+
+  const previous = semver.maxSatisfying(
+    [queryPrev, manualPrev],
+    `^${semver.major(queryPrev)}`
+  )!
+  const current = semver.maxSatisfying(
+    [queryCurr, manualCurr],
+    `^${semver.major(queryCurr)}`
+  )!
+  const next = semver.maxSatisfying(
+    [queryNext, manualNext],
+    `^${semver.major(queryNext)}`
+  )!
+  return Object.freeze(
+    Object.assign([previous, current, next], {
+      previous,
+      current,
+      next
+    })
+  )
+})()
 
 export type DetectOptions = {
   cwd?: string
@@ -57,6 +98,7 @@ export type DetectResult = Readonly<{
   isWorkspace: boolean
   lockPath: string | undefined
   lockSrc: string | undefined
+  minimumNodeVersion: string
   pkgJson: PackageJsonContent | undefined
   pkgJsonPath: string | undefined
   pkgJsonStr: string | undefined
@@ -69,25 +111,25 @@ export type DetectResult = Readonly<{
 
 type ReadLockFile = (
   lockPath: string,
-  agentExecPath?: string
+  agentExecPath: string
 ) => Promise<string | undefined>
 
 const readLockFileByAgent: Record<AgentPlusBun, ReadLockFile> = (() => {
   const wrapReader =
     (
       reader: (
         lockPath: string,
-        agentExecPath?: string
+        agentExecPath: string
       ) => Promise<string | undefined>
     ): ReadLockFile =>
-    async (lockPath: string, agentExecPath?: string) => {
+    async (lockPath: string, agentExecPath: string) => {
       try {
         return await reader(lockPath, agentExecPath)
       } catch {}
       return undefined
     }
   return {
-    bun: wrapReader(async (lockPath: string, agentExecPath?: string) => {
+    bun: wrapReader(async (lockPath: string, agentExecPath: string) => {
       let lockBuffer: Buffer | undefined
       try {
         lockBuffer = <Buffer>await readFileBinary(lockPath)
@@ -99,7 +141,7 @@ const readLockFileByAgent: Record<AgentPlusBun, ReadLockFile> = (() => {
       } catch {}
       // To print a Yarn lockfile to your console without writing it to disk use `bun bun.lockb`.
       // https://bun.sh/guides/install/yarnlock
-      return (await spawn(agentExecPath ?? 'bun', [lockPath])).stdout
+      return (await spawn(agentExecPath, [lockPath])).stdout
     }),
     npm: wrapReader(async (lockPath: string) => await readFileUtf8(lockPath)),
     pnpm: wrapReader(async (lockPath: string) => await readFileUtf8(lockPath)),
@@ -126,8 +168,8 @@ export async function detect({
       ? (parseJSONObject(pkgJsonStr) ?? undefined)
       : undefined
   const pkgManager = <string | undefined>(
-    (isNonEmptyString(getOwn(pkgJson, 'packageManager'))
-      ? pkgJson?.['packageManager']
+    (isNonEmptyString(pkgJson?.['packageManager'])
+      ? pkgJson['packageManager']
       : undefined)
   )
 
@@ -156,60 +198,56 @@ export async function detect({
     agent = 'npm'
     onUnknown?.(pkgManager)
   }
-  const agentExecPath = (await which(agent, { nothrow: true })) ?? agent
 
-  let lockSrc: string | undefined
+  const agentExecPath = (await which(agent, { nothrow: true })) ?? agent
   const targets = {
     browser: false,
     node: true
   }
-
+  let lockSrc: string | undefined
   let isPrivate = false
   let isWorkspace = false
+  let minimumNodeVersion = maintainedNodeVersions.previous
   if (pkgJson) {
     const pkgPath = path.dirname(pkgJsonPath!)
     isPrivate = !!pkgJson['private']
     isWorkspace =
       !!pkgJson['workspaces'] ||
       existsSync(path.join(pkgPath, `${PNPM_WORKSPACE}.yaml`)) ||
       existsSync(path.join(pkgPath, `${PNPM_WORKSPACE}.yml`))
-    let browser: boolean | undefined
-    let node: boolean | undefined
-    const browserField = getOwn(pkgJson, 'browser')
+    const browserField = pkgJson['browser']
     if (isNonEmptyString(browserField) || isObjectObject(browserField)) {
-      browser = true
+      targets.browser = true
     }
-    const nodeRange = getOwn(pkgJson['engines'], 'node')
+    const nodeRange = (pkgJson as any)['engines']?.['node']
     if (isNonEmptyString(nodeRange)) {
-      node = MAINTAINED_NODE_VERSIONS.some(v => {
-        const coerced = semver.coerce(nodeRange)
-        return coerced && semver.satisfies(coerced, `^${semver.major(v)}`)
-      })
+      const coerced = semver.coerce(nodeRange)
+      if (coerced) {
+        minimumNodeVersion = coerced.version
+      }
     }
-    const browserslistQuery = getOwn(pkgJson, 'browserslist')
+    const browserslistQuery = <string[] | undefined>pkgJson['browserslist']
     if (Array.isArray(browserslistQuery)) {
       const browserslistTargets = browserslist(browserslistQuery)
+        .map(s => s.toLowerCase())
+        .toSorted(alphaNumericComparator)
       const browserslistNodeTargets = browserslistTargets
         .filter(v => v.startsWith('node '))
-        .map(v => v.slice(5))
-      if (browser === undefined && browserslistTargets.length) {
-        browser = browserslistTargets.length !== browserslistNodeTargets.length
+        .map(v => v.slice(5 /*'node '.length*/))
+      if (!targets.browser && browserslistTargets.length) {
+        targets.browser =
+          browserslistTargets.length !== browserslistNodeTargets.length
       }
-      if (node === undefined && browserslistNodeTargets.length) {
-        node = MAINTAINED_NODE_VERSIONS.some(v =>
-          browserslistNodeTargets.some(t => {
-            const coerced = semver.coerce(t)
-            return coerced && semver.satisfies(coerced, `^${semver.major(v)}`)
-          })
-        )
+      if (browserslistNodeTargets.length) {
+        const coerced = semver.coerce(browserslistNodeTargets[0])
+        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+          minimumNodeVersion = coerced.version
+        }
       }
     }
-    if (browser !== undefined) {
-      targets.browser = browser
-    }
-    if (node !== undefined) {
-      targets.node = node
-    }
+    targets.node = maintainedNodeVersions.some(v =>
+      semver.satisfies(v, `>=${minimumNodeVersion}`)
+    )
     lockSrc =
       typeof lockPath === 'string'
         ? await readLockFileByAgent[agent](lockPath, agentExecPath)
@@ -225,6 +263,7 @@ export async function detect({
     isWorkspace,
     lockPath,
     lockSrc,
+    minimumNodeVersion,
     pkgJson,
     pkgJsonPath,
     pkgJsonStr,