Revert "fix(lint): resolve lint errors and remove dead getInternals code"

This reverts commit 7cfefac.

Author: jdalton

packages/cli/.config/eslint.config.mjs

@@ -365,23 +365,16 @@ export default [
     },
   },
   {
-    // Relax rules for script and config files
-    files: [
-      'scripts/**/*.{mjs,js}',
-      'bin/**/*.{mjs,js}',
-      '.config/**/*.{mjs,js}',
-    ],
+    // Relax rules for script files
+    files: ['scripts/**/*.{mjs,js}', 'bin/**/*.{mjs,js}'],
     rules: {
-      'n/no-extraneous-import': 'off',
-      'n/no-extraneous-require': 'off',
       'n/no-process-exit': 'off',
       'n/no-unsupported-features/node-builtins': 'off',
       'n/no-missing-import': 'off',
       'import-x/no-unresolved': 'off',
       'no-await-in-loop': 'off',
       'no-unused-vars': 'off',
       'no-undef': 'off',
-      'unicorn/consistent-function-scoping': 'off',
     },
   },
   {
@@ -406,10 +399,6 @@ export default [
       'no-undef': 'off',
       // Allow console in tests
       'no-console': 'off',
-      // Allow process.exit in tests
-      'n/no-process-exit': 'off',
-      // Allow scoped functions in tests
-      'unicorn/consistent-function-scoping': 'off',
     },
   },
 ]

packages/cli/src/constants.mts

@@ -248,6 +248,7 @@ import {
   REPORT_LEVEL_WARN,
 } from './constants/reporting.mts'
 import {
+  getInternals,
   getShadowNpmBinPath as SHADOW_getShadowNpmBinPath,
   getShadowNpxBinPath as SHADOW_getShadowNpxBinPath,
   getShadowPnpmBinPath as SHADOW_getShadowPnpmBinPath,
@@ -368,6 +369,7 @@ export {
   getExecPath,
   getGithubCachePath,
   getInstrumentWithSentryPath,
+  getInternals,
   getMinimumVersionByAgent,
   getNmBunPath,
   getNmNodeGypPath,
@@ -619,6 +621,7 @@ export default {
   getExecPath,
   getGithubCachePath,
   getInstrumentWithSentryPath,
+  getInternals,
   getMinimumVersionByAgent,
   getNmBunPath,
   getNmNodeGypPath,

packages/cli/src/constants/shadow.mts

@@ -30,6 +30,14 @@ export const SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT'
 export const SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'
 export const SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'
 
+/**
+ * Get registry internals for accessing IPC and Sentry instances.
+ */
+export function getInternals(): RegistryInternals {
+  const registry = require('@socketsecurity/registry')
+  return registry.internals ?? {}
+}
+
 /**
  * Get the path to the shadow npm binary.
  */

packages/cli/src/shadow/npm/arborist/lib/arborist/index.mts

@@ -10,9 +10,11 @@ import { NPX } from '../../../../../constants/agents.mts'
 import ENV from '../../../../../constants/env.mts'
 import { NODE_MODULES } from '../../../../../constants/packages.mts'
 import {
+  getInternals,
   SOCKET_CLI_ACCEPT_RISKS,
   SOCKET_CLI_SHADOW_ACCEPT_RISKS,
   SOCKET_CLI_SHADOW_API_TOKEN,
+  SOCKET_CLI_SHADOW_BIN,
   SOCKET_CLI_SHADOW_PROGRESS,
   SOCKET_CLI_SHADOW_SILENT,
   SOCKET_CLI_VIEW_ALL_RISKS,
@@ -30,6 +32,9 @@ import type {
   NodeClass,
 } from '../../types.mts'
 
+const internals = getInternals()
+const getIpc = internals.getIpc
+
 export const SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   __proto__: null,
   audit: false,
@@ -96,7 +101,97 @@ export class SafeArborist extends Arborist {
     this: SafeArborist,
     ...args: Parameters<InstanceType<ArboristClass>['reify']>
   ): Promise<NodeClass> {
-    // Note: Registry no longer provides IPC, always use risky reify.
+    const options = {
+      __proto__: null,
+      ...(args.length ? args[0] : undefined),
+    } as ArboristReifyOptions
+
+    const ipc = getIpc ? await getIpc() : undefined
+
+    const binName = ipc?.[SOCKET_CLI_SHADOW_BIN]
+    if (!binName) {
+      return await this[kRiskyReify](...args)
+    }
+
+    await super.reify(
+      {
+        ...options,
+        ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
+        progress: false,
+      },
+      // @ts-expect-error: TypeScript gets grumpy about rest parameters.
+      ...args.slice(1),
+    )
+
+    const shadowAcceptRisks = !!ipc?.[SOCKET_CLI_SHADOW_ACCEPT_RISKS]
+    const shadowProgress = !!ipc?.[SOCKET_CLI_SHADOW_PROGRESS]
+    const shadowSilent = !!ipc?.[SOCKET_CLI_SHADOW_SILENT]
+
+    const acceptRisks = shadowAcceptRisks || ENV.SOCKET_CLI_ACCEPT_RISKS
+    const reportOnlyBlocking =
+      acceptRisks || options['dryRun'] || options['yes']
+    const silent = !!options['silent']
+    const spinnerInstance =
+      silent || !shadowProgress ? undefined : (getSpinner() ?? undefined)
+
+    const isShadowNpx = binName === NPX
+    const hasExisting = await findUp(NODE_MODULES, {
+      cwd: process.cwd(),
+      onlyDirectories: true,
+    })
+    const shouldCheckExisting = reportOnlyBlocking ? true : isShadowNpx
+
+    const needInfoOn = getDetailsFromDiff(this.diff, {
+      filter: {
+        existing: shouldCheckExisting,
+      },
+    })
+
+    const alertsMap = await getAlertsMapFromArborist(this, needInfoOn, {
+      apiToken: ipc?.[SOCKET_CLI_SHADOW_API_TOKEN],
+      spinner: spinnerInstance,
+      filter: reportOnlyBlocking
+        ? {
+            actions: ['error'],
+            blocked: true,
+            existing: shouldCheckExisting,
+          }
+        : {
+            actions: ['error', 'monitor', 'warn'],
+            existing: shouldCheckExisting,
+          },
+    })
+
+    if (alertsMap.size) {
+      process.exitCode = 1
+      const viewAllRisks = ENV.SOCKET_CLI_VIEW_ALL_RISKS
+      logAlertsMap(alertsMap, {
+        hideAt: viewAllRisks ? 'none' : 'middle',
+        output: process.stderr,
+      })
+      throw new Error(
+        `
+          Socket ${binName} exiting due to risks.${
+            viewAllRisks
+              ? ''
+              : `\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`
+          }${
+            acceptRisks
+              ? ''
+              : `\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`
+          }
+        `.trim(),
+      )
+    }
+    if (!silent && !shadowSilent) {
+      logger.success(
+        `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'}${hasExisting ? ' new' : ''} risks`,
+      )
+      if (isShadowNpx) {
+        logger.log(`Running ${options.add?.[0]}`)
+      }
+    }
+
     return await this[kRiskyReify](...args)
   }
 }

packages/cli/src/types.test.mts

@@ -33,6 +33,7 @@ describe('types', () => {
 
     it('can be used as a union type', () => {
       // Intentionally defined inline to test type inference in specific context.
+      // eslint-disable-next-line unicorn/consistent-function-scoping
       const processResult = (value: number): CResult<string> => {
         if (value > 0) {
           return { ok: true, data: `Positive: ${value}` }

packages/cli/src/utils/promise/queue.test.mts

@@ -98,8 +98,10 @@ describe('PromiseQueue', () => {
     const queue = new PromiseQueue(1)
 
     // Intentionally defined inline for test simplicity.
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const goodTask = () => Promise.resolve('success')
     // Intentionally defined inline for test simplicity.
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const badTask = () => Promise.reject(new Error('failure'))
 
     const result1 = await queue.add(goodTask)

packages/cli/src/utils/registry/npm-registry.mts

@@ -169,10 +169,8 @@ export async function retryWithBackoff<T>(
   let lastError: Error | unknown
   let delay = baseDelayMs
 
-  // Retry logic requires sequential attempts.
   for (let attempt = 0; attempt <= maxRetries; attempt += 1) {
     try {
-      // eslint-disable-next-line no-await-in-loop
       return await fn()
     } catch (error) {
       lastError = error
@@ -182,7 +180,6 @@ export async function retryWithBackoff<T>(
         attempt < maxRetries &&
         (code === 'EBUSY' || code === 'EMFILE' || code === 'ENFILE')
       ) {
-        // eslint-disable-next-line no-await-in-loop
         await new Promise(resolve => setTimeout(resolve, delay))
         delay *= backoffFactor
         continue
@@ -272,14 +269,12 @@ export async function extractTarball(
     }
 
     // Extract files to target directory.
-    // Files must be extracted sequentially.
     for (const file of files) {
       // Sanitize file path to prevent directory traversal attacks.
       const sanitizedPath = sanitizeTarballPath(file.name)
       const targetPath = path.join(targetDir, sanitizedPath)
 
       if (file.type === 'directory') {
-        // eslint-disable-next-line no-await-in-loop
         await retryWithBackoff(() =>
           fs.mkdir(targetPath, { recursive: true }),
         ).catch(error => {
@@ -290,7 +285,6 @@ export async function extractTarball(
       } else if (file.type === 'file' && file.data) {
         // Ensure parent directory exists.
         const parentDir = path.dirname(targetPath)
-        // eslint-disable-next-line no-await-in-loop
         await retryWithBackoff(() =>
           fs.mkdir(parentDir, { recursive: true }),
         ).catch(error => {
@@ -306,7 +300,6 @@ export async function extractTarball(
         })
 
         // Write file.
-        // eslint-disable-next-line no-await-in-loop
         await retryWithBackoff(() =>
           fs.writeFile(targetPath, file.data as Uint8Array<ArrayBufferLike>),
         ).catch(error => {
@@ -326,7 +319,6 @@ export async function extractTarball(
           const mode = Number.parseInt(file.attrs.mode, 8)
           // Validate mode is a valid number before attempting chmod.
           if (!Number.isNaN(mode) && mode > 0) {
-            // eslint-disable-next-line no-await-in-loop
             await retryWithBackoff(() => fs.chmod(targetPath, mode)).catch(
               error => {
                 // Chmod failures are non-fatal - log but continue.

packages/cli/src/utils/terminal/lazy-ink.mts

@@ -36,9 +36,7 @@ export async function loadInkTable() {
 export function isInkAvailable(): boolean {
   try {
     // Check if modules exist without loading them
-    // eslint-disable-next-line n/no-extraneous-require
     require.resolve('ink')
-    // eslint-disable-next-line n/no-extraneous-require
     require.resolve('react')
     return true
   } catch {