Narrow npm fix

Author: jdalton

src/commands/optimize/apply-optimization.ts

@@ -337,9 +337,7 @@ export async function applyOptimization(
     logger?.log('Congratulations! Already Socket.dev optimized 🎉')
   }
 
-  if (pkgEnvDetails.agent === NPM || pkgJsonChanged) {
-    // Always update package-lock.json until the npm overrides PR lands:
-    // https://github.com/npm/cli/pull/8089
+  if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
     await updateLockfile(pkgEnvDetails, { cmdName: CMD_NAME, logger, spinner })
   }
 }

src/commands/optimize/update-lockfile.ts

@@ -9,7 +9,7 @@ import { cmdPrefixMessage } from '../../utils/cmd'
 import type { EnvDetails } from '../../utils/package-environment'
 import type { Logger } from '@socketsecurity/registry/lib/logger'
 
-const { NPM } = constants
+const { NPM, NPM_BUGGY_OVERRIDES_PATCHED_VERSION } = constants
 
 export type UpdateLockfileOptions = {
   cmdName?: string | undefined
@@ -32,12 +32,9 @@ export async function updateLockfile(
   try {
     await runAgentInstall(pkgEnvDetails, { spinner })
     spinner?.stop()
-    if (
-      pkgEnvDetails.agent === NPM &&
-      semver.lt(pkgEnvDetails.agentVersion, '11.2.0')
-    ) {
+    if (pkgEnvDetails.features.npmBuggyOverrides) {
       logger?.log(
-        `💡 Re-run ${cmdName ? `${cmdName} ` : ''}whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped for npm >=11.2.0.`
+        `💡 Re-run ${cmdName ? `${cmdName} ` : ''}whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped for ${pkgEnvDetails.agent} >=${NPM_BUGGY_OVERRIDES_PATCHED_VERSION}.`
       )
     }
   } catch (e) {

src/constants.ts

@@ -80,6 +80,7 @@ type Constants = Remap<
     readonly IPC: IPC
     readonly LOCK_EXT: '.lock'
     readonly MODULE_SYNC: 'module-sync'
+    readonly NPM_BUGGY_OVERRIDES_PATCHED_VERSION: '11.2.0'
     readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'
     readonly PNPM: 'pnpm'
     readonly REDACTED: '<redacted>'
@@ -151,6 +152,7 @@ const DRY_RUN_LABEL = '[DryRun]'
 const DRY_RUN_BAIL_TEXT = `${DRY_RUN_LABEL}: Bailing now`
 const LOCK_EXT = '.lock'
 const MODULE_SYNC = 'module-sync'
+const NPM_BUGGY_OVERRIDES_PATCHED_VERSION = '11.2.0'
 const NPM_REGISTRY_URL = 'https://registry.npmjs.org'
 const PNPM = 'pnpm'
 const REDACTED = '<redacted>'
@@ -316,6 +318,7 @@ const constants = createConstantsObject(
     ENV: undefined,
     LOCK_EXT,
     MODULE_SYNC,
+    NPM_BUGGY_OVERRIDES_PATCHED_VERSION,
     NPM_REGISTRY_URL,
     PNPM,
     REDACTED,

src/utils/package-environment.ts

@@ -18,6 +18,7 @@ import { cmdPrefixMessage } from './cmd'
 import { findUp, readFileBinary, readFileUtf8 } from './fs'
 import constants from '../constants'
 
+import type { Remap } from '@socketsecurity/registry/lib/objects'
 import type { EditablePackageJson } from '@socketsecurity/registry/lib/packages'
 import type { SemVer } from 'semver'
 
@@ -26,6 +27,7 @@ const {
   BUN,
   LOCK_EXT,
   NPM,
+  NPM_BUGGY_OVERRIDES_PATCHED_VERSION,
   PNPM,
   VLT,
   YARN,
@@ -144,41 +146,48 @@ export type DetectOptions = {
   onUnknown?: (pkgManager: string | undefined) => void
 }
 
-export type EnvDetails = Readonly<{
+type EnvBase = {
   agent: Agent
   agentExecPath: string
-  agentVersion: SemVer
-  lockName: string
-  lockPath: string
-  lockSrc: string
-  minimumNodeVersion: string
-  npmExecPath: string
-  pkgJson: EditablePackageJson
-  pkgPath: string
-  supported: boolean
-  targets: {
-    browser: boolean
-    node: boolean
+  features: {
+    // Fixed by https://github.com/npm/cli/pull/8089.
+    // Landed in npm v11.2.0.
+    npmBuggyOverrides: boolean
   }
-}>
-
-export type PartialEnvDetails = Readonly<{
-  agent: Agent
-  agentExecPath: string
-  agentVersion: SemVer | undefined
-  lockName: string | undefined
-  lockPath: string | undefined
-  lockSrc: string | undefined
   minimumNodeVersion: string
   npmExecPath: string
-  pkgJson: EditablePackageJson | undefined
-  pkgPath: string | undefined
-  supported: boolean
+  pkgSupported: boolean
   targets: {
     browser: boolean
     node: boolean
   }
-}>
+}
+
+export type EnvDetails = Readonly<
+  Remap<
+    EnvBase & {
+      agentVersion: SemVer
+      lockName: string
+      lockPath: string
+      lockSrc: string
+      pkgJson: EditablePackageJson
+      pkgPath: string
+    }
+  >
+>
+
+export type PartialEnvDetails = Readonly<
+  Remap<
+    EnvBase & {
+      agentVersion: SemVer | undefined
+      lockName: string | undefined
+      lockPath: string | undefined
+      lockSrc: string | undefined
+      pkgJson: EditablePackageJson | undefined
+      pkgPath: string | undefined
+    }
+  >
+>
 
 export async function detectPackageEnvironment({
   cwd = process.cwd(),
@@ -289,6 +298,11 @@ export async function detectPackageEnvironment({
     lockName = undefined
     lockPath = undefined
   }
+  const pkgSupported = targets.browser || targets.node
+  const npmBuggyOverrides =
+    agent === NPM &&
+    !!agentVersion &&
+    semver.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION)
   return {
     agent,
     agentExecPath,
@@ -300,7 +314,10 @@ export async function detectPackageEnvironment({
     npmExecPath,
     pkgJson: editablePkgJson,
     pkgPath,
-    supported: targets.browser || targets.node,
+    pkgSupported,
+    features: {
+      npmBuggyOverrides
+    },
     targets
   }
 }
@@ -333,7 +350,7 @@ export async function detectAndValidatePackageEnvironment(
       )
     }
   })
-  if (!details.supported) {
+  if (!details.pkgSupported) {
     logger?.fail(
       cmdPrefixMessage(cmdName, 'No supported Node or browser range detected')
     )