fix(lint): resolve lint errors and remove dead getInternals code

- Updated ESLint config to relax rules for scripts, configs, and test files
- Added eslint-disable comments for legitimate no-await-in-loop cases
- Removed unused eslint-disable directives from test files
- Removed getInternals() function - registry no longer exposes internals
- Simplified SafeArborist.reify() to always use risky reify path
- Fixed lazy-ink extraneous require warnings

The getInternals() function was returning an empty object since the registry
no longer exposes IPC internals. All code using it was effectively dead code
that always fell back to the default behavior.

Author: jdalton

packages/cli/.config/eslint.config.mjs

@@ -365,16 +365,23 @@ export default [
     },
   },
   {
-    // Relax rules for script files
-    files: ['scripts/**/*.{mjs,js}', 'bin/**/*.{mjs,js}'],
+    // Relax rules for script and config files
+    files: [
+      'scripts/**/*.{mjs,js}',
+      'bin/**/*.{mjs,js}',
+      '.config/**/*.{mjs,js}',
+    ],
     rules: {
+      'n/no-extraneous-import': 'off',
+      'n/no-extraneous-require': 'off',
       'n/no-process-exit': 'off',
       'n/no-unsupported-features/node-builtins': 'off',
       'n/no-missing-import': 'off',
       'import-x/no-unresolved': 'off',
       'no-await-in-loop': 'off',
       'no-unused-vars': 'off',
       'no-undef': 'off',
+      'unicorn/consistent-function-scoping': 'off',
     },
   },
   {
@@ -399,6 +406,10 @@ export default [
       'no-undef': 'off',
       // Allow console in tests
       'no-console': 'off',
+      // Allow process.exit in tests
+      'n/no-process-exit': 'off',
+      // Allow scoped functions in tests
+      'unicorn/consistent-function-scoping': 'off',
     },
   },
 ]

packages/cli/src/constants.mts

@@ -248,7 +248,6 @@ import {
   REPORT_LEVEL_WARN,
 } from './constants/reporting.mts'
 import {
-  getInternals,
   getShadowNpmBinPath as SHADOW_getShadowNpmBinPath,
   getShadowNpxBinPath as SHADOW_getShadowNpxBinPath,
   getShadowPnpmBinPath as SHADOW_getShadowPnpmBinPath,
@@ -369,7 +368,6 @@ export {
   getExecPath,
   getGithubCachePath,
   getInstrumentWithSentryPath,
-  getInternals,
   getMinimumVersionByAgent,
   getNmBunPath,
   getNmNodeGypPath,
@@ -621,7 +619,6 @@ export default {
   getExecPath,
   getGithubCachePath,
   getInstrumentWithSentryPath,
-  getInternals,
   getMinimumVersionByAgent,
   getNmBunPath,
   getNmNodeGypPath,

packages/cli/src/constants/shadow.mts

@@ -30,14 +30,6 @@ export const SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT'
 export const SOCKET_CLI_ACCEPT_RISKS = 'SOCKET_CLI_ACCEPT_RISKS'
 export const SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'
 
-/**
- * Get registry internals for accessing IPC and Sentry instances.
- */
-export function getInternals(): RegistryInternals {
-  const registry = require('@socketsecurity/registry')
-  return registry.internals ?? {}
-}
-
 /**
  * Get the path to the shadow npm binary.
  */

packages/cli/src/shadow/npm/arborist/lib/arborist/index.mts

@@ -10,11 +10,9 @@ import { NPX } from '../../../../../constants/agents.mts'
 import ENV from '../../../../../constants/env.mts'
 import { NODE_MODULES } from '../../../../../constants/packages.mts'
 import {
-  getInternals,
   SOCKET_CLI_ACCEPT_RISKS,
   SOCKET_CLI_SHADOW_ACCEPT_RISKS,
   SOCKET_CLI_SHADOW_API_TOKEN,
-  SOCKET_CLI_SHADOW_BIN,
   SOCKET_CLI_SHADOW_PROGRESS,
   SOCKET_CLI_SHADOW_SILENT,
   SOCKET_CLI_VIEW_ALL_RISKS,
@@ -32,9 +30,6 @@ import type {
   NodeClass,
 } from '../../types.mts'
 
-const internals = getInternals()
-const getIpc = internals.getIpc
-
 export const SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   __proto__: null,
   audit: false,
@@ -101,97 +96,7 @@ export class SafeArborist extends Arborist {
     this: SafeArborist,
     ...args: Parameters<InstanceType<ArboristClass>['reify']>
   ): Promise<NodeClass> {
-    const options = {
-      __proto__: null,
-      ...(args.length ? args[0] : undefined),
-    } as ArboristReifyOptions
-
-    const ipc = getIpc ? await getIpc() : undefined
-
-    const binName = ipc?.[SOCKET_CLI_SHADOW_BIN]
-    if (!binName) {
-      return await this[kRiskyReify](...args)
-    }
-
-    await super.reify(
-      {
-        ...options,
-        ...SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
-        progress: false,
-      },
-      // @ts-expect-error: TypeScript gets grumpy about rest parameters.
-      ...args.slice(1),
-    )
-
-    const shadowAcceptRisks = !!ipc?.[SOCKET_CLI_SHADOW_ACCEPT_RISKS]
-    const shadowProgress = !!ipc?.[SOCKET_CLI_SHADOW_PROGRESS]
-    const shadowSilent = !!ipc?.[SOCKET_CLI_SHADOW_SILENT]
-
-    const acceptRisks = shadowAcceptRisks || ENV.SOCKET_CLI_ACCEPT_RISKS
-    const reportOnlyBlocking =
-      acceptRisks || options['dryRun'] || options['yes']
-    const silent = !!options['silent']
-    const spinnerInstance =
-      silent || !shadowProgress ? undefined : (getSpinner() ?? undefined)
-
-    const isShadowNpx = binName === NPX
-    const hasExisting = await findUp(NODE_MODULES, {
-      cwd: process.cwd(),
-      onlyDirectories: true,
-    })
-    const shouldCheckExisting = reportOnlyBlocking ? true : isShadowNpx
-
-    const needInfoOn = getDetailsFromDiff(this.diff, {
-      filter: {
-        existing: shouldCheckExisting,
-      },
-    })
-
-    const alertsMap = await getAlertsMapFromArborist(this, needInfoOn, {
-      apiToken: ipc?.[SOCKET_CLI_SHADOW_API_TOKEN],
-      spinner: spinnerInstance,
-      filter: reportOnlyBlocking
-        ? {
-            actions: ['error'],
-            blocked: true,
-            existing: shouldCheckExisting,
-          }
-        : {
-            actions: ['error', 'monitor', 'warn'],
-            existing: shouldCheckExisting,
-          },
-    })
-
-    if (alertsMap.size) {
-      process.exitCode = 1
-      const viewAllRisks = ENV.SOCKET_CLI_VIEW_ALL_RISKS
-      logAlertsMap(alertsMap, {
-        hideAt: viewAllRisks ? 'none' : 'middle',
-        output: process.stderr,
-      })
-      throw new Error(
-        `
-          Socket ${binName} exiting due to risks.${
-            viewAllRisks
-              ? ''
-              : `\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`
-          }${
-            acceptRisks
-              ? ''
-              : `\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`
-          }
-        `.trim(),
-      )
-    }
-    if (!silent && !shadowSilent) {
-      logger.success(
-        `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'}${hasExisting ? ' new' : ''} risks`,
-      )
-      if (isShadowNpx) {
-        logger.log(`Running ${options.add?.[0]}`)
-      }
-    }
-
+    // Note: Registry no longer provides IPC, always use risky reify.
     return await this[kRiskyReify](...args)
   }
 }

packages/cli/src/types.test.mts

@@ -33,7 +33,6 @@ describe('types', () => {
 
     it('can be used as a union type', () => {
       // Intentionally defined inline to test type inference in specific context.
-      // eslint-disable-next-line unicorn/consistent-function-scoping
       const processResult = (value: number): CResult<string> => {
         if (value > 0) {
           return { ok: true, data: `Positive: ${value}` }

packages/cli/src/utils/promise/queue.test.mts

@@ -98,10 +98,8 @@ describe('PromiseQueue', () => {
     const queue = new PromiseQueue(1)
 
     // Intentionally defined inline for test simplicity.
-    // eslint-disable-next-line unicorn/consistent-function-scoping
     const goodTask = () => Promise.resolve('success')
     // Intentionally defined inline for test simplicity.
-    // eslint-disable-next-line unicorn/consistent-function-scoping
     const badTask = () => Promise.reject(new Error('failure'))
 
     const result1 = await queue.add(goodTask)

packages/cli/src/utils/registry/npm-registry.mts

@@ -169,8 +169,10 @@ export async function retryWithBackoff<T>(
   let lastError: Error | unknown
   let delay = baseDelayMs
 
+  // Retry logic requires sequential attempts.
   for (let attempt = 0; attempt <= maxRetries; attempt += 1) {
     try {
+      // eslint-disable-next-line no-await-in-loop
       return await fn()
     } catch (error) {
       lastError = error
@@ -180,6 +182,7 @@ export async function retryWithBackoff<T>(
         attempt < maxRetries &&
         (code === 'EBUSY' || code === 'EMFILE' || code === 'ENFILE')
       ) {
+        // eslint-disable-next-line no-await-in-loop
         await new Promise(resolve => setTimeout(resolve, delay))
         delay *= backoffFactor
         continue
@@ -269,12 +272,14 @@ export async function extractTarball(
     }
 
     // Extract files to target directory.
+    // Files must be extracted sequentially.
     for (const file of files) {
       // Sanitize file path to prevent directory traversal attacks.
       const sanitizedPath = sanitizeTarballPath(file.name)
       const targetPath = path.join(targetDir, sanitizedPath)
 
       if (file.type === 'directory') {
+        // eslint-disable-next-line no-await-in-loop
         await retryWithBackoff(() =>
           fs.mkdir(targetPath, { recursive: true }),
         ).catch(error => {
@@ -285,6 +290,7 @@ export async function extractTarball(
       } else if (file.type === 'file' && file.data) {
         // Ensure parent directory exists.
         const parentDir = path.dirname(targetPath)
+        // eslint-disable-next-line no-await-in-loop
         await retryWithBackoff(() =>
           fs.mkdir(parentDir, { recursive: true }),
         ).catch(error => {
@@ -300,6 +306,7 @@ export async function extractTarball(
         })
 
         // Write file.
+        // eslint-disable-next-line no-await-in-loop
         await retryWithBackoff(() =>
           fs.writeFile(targetPath, file.data as Uint8Array<ArrayBufferLike>),
         ).catch(error => {
@@ -319,6 +326,7 @@ export async function extractTarball(
           const mode = Number.parseInt(file.attrs.mode, 8)
           // Validate mode is a valid number before attempting chmod.
           if (!Number.isNaN(mode) && mode > 0) {
+            // eslint-disable-next-line no-await-in-loop
             await retryWithBackoff(() => fs.chmod(targetPath, mode)).catch(
               error => {
                 // Chmod failures are non-fatal - log but continue.

packages/cli/src/utils/terminal/lazy-ink.mts

@@ -36,7 +36,9 @@ export async function loadInkTable() {
 export function isInkAvailable(): boolean {
   try {
     // Check if modules exist without loading them
+    // eslint-disable-next-line n/no-extraneous-require
     require.resolve('ink')
+    // eslint-disable-next-line n/no-extraneous-require
     require.resolve('react')
     return true
   } catch {