More fix command work

Author: jdalton

src/commands/fix/npm-fix.ts

@@ -0,0 +1,152 @@
+import { getManifestData } from '@socketsecurity/registry'
+import { runScript } from '@socketsecurity/registry/lib/npm'
+import {
+  fetchPackagePackument,
+  readPackageJson
+} from '@socketsecurity/registry/lib/packages'
+
+import constants from '../../constants'
+import {
+  Arborist,
+  SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
+  SafeArborist
+} from '../../shadow/npm/arborist/lib/arborist'
+import {
+  findPackageNodes,
+  getAlertsMapFromArborist,
+  updateNode
+} from '../../utils/lockfile/package-lock-json'
+import { getCveInfoByAlertsMap } from '../../utils/socket-package-alert'
+
+import type { SafeNode } from '../../shadow/npm/arborist/lib/node'
+import type { EnvDetails } from '../../utils/package-environment-detector'
+import type { Spinner } from '@socketsecurity/registry/lib/spinner'
+
+const { NPM } = constants
+
+function isTopLevel(tree: SafeNode, node: SafeNode): boolean {
+  return tree.children.get(node.name) === node
+}
+
+type NpmFixOptions = {
+  spinner?: Spinner | undefined
+}
+
+export async function npmFix(
+  _pkgEnvDetails: EnvDetails,
+  cwd: string,
+  options?: NpmFixOptions | undefined
+) {
+  const { spinner } = { __proto__: null, ...options } as NpmFixOptions
+
+  spinner?.start()
+
+  const arb = new SafeArborist({
+    path: cwd,
+    ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  })
+
+  await arb.reify()
+
+  const alertsMap = await getAlertsMapFromArborist(arb, {
+    consolidate: true,
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
+    }
+  })
+
+  const infoByPkg = getCveInfoByAlertsMap(alertsMap)
+  if (!infoByPkg) {
+    spinner?.stop()
+    return
+  }
+
+  await arb.buildIdealTree()
+
+  const editablePkgJson = await readPackageJson(cwd, { editable: true })
+
+  for (const { 0: name, 1: infos } of infoByPkg) {
+    const revertToIdealTree = arb.idealTree!
+    arb.idealTree = null
+    // eslint-disable-next-line no-await-in-loop
+    await arb.buildIdealTree()
+
+    const tree = arb.idealTree!
+
+    const hasUpgrade = !!getManifestData(NPM, name)
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
+      continue
+    }
+
+    const nodes = findPackageNodes(tree, name)
+
+    const packument =
+      nodes.length && infos.length
+        ? // eslint-disable-next-line no-await-in-loop
+          await fetchPackagePackument(name)
+        : null
+    if (!packument) {
+      continue
+    }
+
+    for (let i = 0, { length: nodesLength } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i]!
+      for (
+        let j = 0, { length: infosLength } = infos;
+        j < infosLength;
+        j += 1
+      ) {
+        const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
+          infos[j]!
+        const { version: oldVersion } = node
+        if (
+          updateNode(
+            node,
+            packument,
+            vulnerableVersionRange,
+            firstPatchedVersionIdentifier
+          )
+        ) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            await runScript('test', [], { spinner, stdio: 'ignore' })
+
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`)
+
+            if (isTopLevel(tree, node)) {
+              for (const depField of [
+                'dependencies',
+                'optionalDependencies',
+                'peerDependencies'
+              ]) {
+                const { content: pkgJson } = editablePkgJson
+                const oldVersion = (pkgJson[depField] as any)?.[name]
+                if (oldVersion) {
+                  const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? ''
+                  ;(pkgJson as any)[depField][name] =
+                    `${decorator}${node.version}`
+                }
+              }
+            }
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save()
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`)
+            arb.idealTree = revertToIdealTree
+          }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`)
+        }
+      }
+    }
+  }
+
+  const arb2 = new Arborist({ path: cwd })
+  arb2.idealTree = arb.idealTree
+  await arb2.reify()
+
+  spinner?.stop()
+}

src/commands/fix/pnpm-fix.ts

@@ -0,0 +1,145 @@
+import { readWantedLockfile } from '@pnpm/lockfile-file'
+
+import { getManifestData } from '@socketsecurity/registry'
+import {
+  fetchPackagePackument,
+  readPackageJson
+} from '@socketsecurity/registry/lib/packages'
+
+import constants from '../../constants'
+import {
+  SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
+  SafeArborist
+} from '../../shadow/npm/arborist/lib/arborist'
+import {
+  findBestPatchVersion,
+  findPackageNodes
+} from '../../utils/lockfile/package-lock-json'
+import { getAlertsMapFromPnpmLockfile } from '../../utils/lockfile/pnpm-lock-yaml'
+import { getCveInfoByAlertsMap } from '../../utils/socket-package-alert'
+import { runAgentInstall } from '../optimize/run-agent'
+
+import type { EnvDetails } from '../../utils/package-environment-detector'
+import type { Spinner } from '@socketsecurity/registry/lib/spinner'
+
+const { NPM, OVERRIDES, PNPM } = constants
+
+type PnpmFixOptions = {
+  spinner?: Spinner | undefined
+}
+
+export async function pnpmFix(
+  pkgEnvDetails: EnvDetails,
+  cwd: string,
+  options?: PnpmFixOptions | undefined
+) {
+  const { spinner } = { __proto__: null, ...options } as PnpmFixOptions
+
+  spinner?.start()
+
+  const lockfile = await readWantedLockfile(cwd, { ignoreIncompatible: false })
+  if (!lockfile) {
+    spinner?.stop()
+    return
+  }
+
+  const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {
+    consolidate: true,
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
+    }
+  })
+
+  const infoByPkg = getCveInfoByAlertsMap(alertsMap)
+  if (!infoByPkg) {
+    spinner?.stop()
+    return
+  }
+
+  const arb = new SafeArborist({
+    path: cwd,
+    ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  })
+
+  await arb.loadActual()
+
+  const editablePkgJson = await readPackageJson(cwd, { editable: true })
+  const { content: pkgJson } = editablePkgJson
+
+  for (const { 0: name, 1: infos } of infoByPkg) {
+    const tree = arb.actualTree!
+
+    const hasUpgrade = !!getManifestData(NPM, name)
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
+      continue
+    }
+
+    const nodes = findPackageNodes(tree, name)
+
+    const packument =
+      nodes.length && infos.length
+        ? // eslint-disable-next-line no-await-in-loop
+          await fetchPackagePackument(name)
+        : null
+    if (!packument) {
+      continue
+    }
+
+    for (let i = 0, { length: nodesLength } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i]!
+      for (
+        let j = 0, { length: infosLength } = infos;
+        j < infosLength;
+        j += 1
+      ) {
+        const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
+          infos[j]!
+        const { version: oldVersion } = node
+        const availableVersions = Object.keys(packument.versions)
+        // Find the highest non-vulnerable version within the same major range
+        const targetVersion = findBestPatchVersion(
+          node,
+          availableVersions,
+          vulnerableVersionRange,
+          firstPatchedVersionIdentifier
+        )
+        const targetPackument = targetVersion
+          ? packument.versions[targetVersion]
+          : undefined
+        if (targetPackument) {
+          const oldPnpm = (pkgJson as any)[PNPM]
+          const oldOverrides = oldPnpm?.[OVERRIDES] as
+            | { [key: string]: string }
+            | undefined
+          try {
+            editablePkgJson.update({
+              [PNPM]: {
+                ...oldPnpm,
+                [OVERRIDES]: {
+                  [`${node.name}@${vulnerableVersionRange}`]: `^${targetVersion}`,
+                  ...oldOverrides
+                }
+              }
+            })
+
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`)
+
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save()
+            // eslint-disable-next-line no-await-in-loop
+            await runAgentInstall(pkgEnvDetails, { spinner })
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`)
+          }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`)
+        }
+      }
+    }
+  }
+
+  spinner?.stop()
+}

src/commands/fix/run-fix.ts

@@ -1,8 +1,11 @@
-import { npmFix } from './run-npm-fix'
+import { logger } from '@socketsecurity/registry/lib/logger'
+
+import { npmFix } from './npm-fix'
+import { pnpmFix } from './pnpm-fix'
 import constants from '../../constants'
-import { detectPackageEnvironment } from '../../utils/package-environment-detector'
+import { detectAndValidatePackageEnvironment } from '../optimize/detect-and-validate-package-environment'
 
-const { NPM } = constants
+const { NPM, PNPM } = constants
 
 export async function runFix() {
   // Lazily access constants.spinner.
@@ -11,9 +14,24 @@ export async function runFix() {
   spinner.start()
 
   const cwd = process.cwd()
-  const details = await detectPackageEnvironment({ cwd })
-  if (details.agent === NPM) {
-    await npmFix(cwd)
+
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    logger
+  })
+  if (!pkgEnvDetails) {
+    spinner.stop()
+    return
+  }
+
+  switch (pkgEnvDetails.agent) {
+    case NPM: {
+      await npmFix(pkgEnvDetails, cwd)
+      break
+    }
+    case PNPM: {
+      await pnpmFix(pkgEnvDetails, cwd)
+      break
+    }
   }
-  spinner.stop()
+  spinner.successAndStop('Socket.dev fix successful')
 }