Optimize CVE download script (#15)

* fix cve download command

* Fix isPostinstallConfigured to handle non-string postinstall values

Handle edge cases where package.json scripts.postinstall is null, an
object, or an array instead of a string. Previously this would throw
"currentScript.includes is not a function".

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Bump version to 0.2.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: mikolalysenko

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/socket-patch",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "packageManager": "[email protected]",
   "description": "CLI tool for applying security patches to dependencies",
   "main": "dist/index.js",

src/commands/download.ts

@@ -27,6 +27,65 @@ const GHSA_PATTERN = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
 
 type IdentifierType = 'uuid' | 'cve' | 'ghsa' | 'purl' | 'package'
 
+/**
+ * Parse a PURL to extract the package directory path and version
+ * @example parsePurl('pkg:npm/[email protected]') => { packageDir: 'lodash', version: '4.17.21' }
+ * @example parsePurl('pkg:npm/@types/[email protected]') => { packageDir: '@types/node', version: '20.0.0' }
+ */
+function parsePurl(purl: string): { packageDir: string; version: string } | null {
+  const match = purl.match(/^pkg:npm\/(.+)@([^@]+)$/)
+  if (!match) return null
+  return { packageDir: match[1], version: match[2] }
+}
+
+/**
+ * Check which PURLs from search results are actually installed in node_modules.
+ * This is O(n) where n = number of unique packages in search results,
+ * NOT O(m) where m = total packages in node_modules.
+ */
+async function findInstalledPurls(
+  cwd: string,
+  purls: string[],
+): Promise<Set<string>> {
+  const nodeModulesPath = path.join(cwd, 'node_modules')
+  const installedPurls = new Set<string>()
+
+  // Group PURLs by package directory to handle multiple versions of same package
+  const packageVersions = new Map<string, Set<string>>()
+  const purlLookup = new Map<string, string>() // "packageDir@version" -> original purl
+
+  for (const purl of purls) {
+    const parsed = parsePurl(purl)
+    if (!parsed) continue
+
+    if (!packageVersions.has(parsed.packageDir)) {
+      packageVersions.set(parsed.packageDir, new Set())
+    }
+    packageVersions.get(parsed.packageDir)!.add(parsed.version)
+    purlLookup.set(`${parsed.packageDir}@${parsed.version}`, purl)
+  }
+
+  // Check only the specific packages we need - O(n) filesystem operations
+  for (const [packageDir, versions] of packageVersions) {
+    const pkgJsonPath = path.join(nodeModulesPath, packageDir, 'package.json')
+    try {
+      const content = await fs.readFile(pkgJsonPath, 'utf-8')
+      const pkg = JSON.parse(content)
+      if (pkg.version && versions.has(pkg.version)) {
+        const key = `${packageDir}@${pkg.version}`
+        const originalPurl = purlLookup.get(key)
+        if (originalPurl) {
+          installedPurls.add(originalPurl)
+        }
+      }
+    } catch {
+      // Package not found or invalid package.json - skip
+    }
+  }
+
+  return installedPurls
+}
+
 interface DownloadArgs {
   identifier: string
   org?: string
@@ -390,14 +449,41 @@ async function downloadPatches(args: DownloadArgs): Promise<boolean> {
     return true
   }
 
+  // For CVE/GHSA searches, filter to only show patches for installed packages
+  // Uses O(n) filesystem operations where n = unique packages in results,
+  // NOT O(m) where m = all packages in node_modules
+  let filteredResults = searchResults
+  let notInstalledCount = 0
+
+  if (idType === 'cve' || idType === 'ghsa') {
+    console.log(`Checking which packages are installed...`)
+    const searchPurls = searchResults.map(patch => patch.purl)
+    const installedPurls = await findInstalledPurls(cwd, searchPurls)
+
+    filteredResults = searchResults.filter(patch => installedPurls.has(patch.purl))
+    notInstalledCount = searchResults.length - filteredResults.length
+
+    if (filteredResults.length === 0) {
+      console.log(`No patches found for installed packages.`)
+      if (notInstalledCount > 0) {
+        console.log(`  (${notInstalledCount} patch(es) exist for packages not installed in this project)`)
+      }
+      return true
+    }
+  }
+
   // Filter patches based on tier access
-  const accessiblePatches = searchResults.filter(
+  const accessiblePatches = filteredResults.filter(
     patch => patch.tier === 'free' || canAccessPaidPatches,
   )
-  const inaccessibleCount = searchResults.length - accessiblePatches.length
+  const inaccessibleCount = filteredResults.length - accessiblePatches.length
 
   // Display search results
-  displaySearchResults(searchResults, canAccessPaidPatches)
+  displaySearchResults(filteredResults, canAccessPaidPatches)
+
+  if (notInstalledCount > 0) {
+    console.log(`Note: ${notInstalledCount} patch(es) for packages not installed in this project were hidden.`)
+  }
 
   if (inaccessibleCount > 0) {
     console.log(

src/package-json/detect.ts

@@ -33,7 +33,9 @@ export function isPostinstallConfigured(
     packageJson = packageJsonContent
   }
 
-  const currentScript = packageJson.scripts?.postinstall || ''
+  const rawPostinstall = packageJson.scripts?.postinstall
+  // Handle non-string values (null, object, array) by treating as empty string
+  const currentScript = typeof rawPostinstall === 'string' ? rawPostinstall : ''
 
   // Check if socket-patch apply is already present
   const configured = currentScript.includes('socket-patch apply')

src/utils/api-client.ts

@@ -91,6 +91,7 @@ export class APIClient {
 
       const headers: Record<string, string> = {
         Accept: 'application/json',
+        'User-Agent': 'SocketPatchCLI/1.0',
       }
 
       // Only add auth header if we have a token (not using public proxy)