Merge branch 'main' of github.com:SocketDev/socket-cli into no-apply-fixes

Author: mtorp

.config/rollup.sea.config.mjs

@@ -0,0 +1,42 @@
+/**
+ * Rollup configuration for building SEA bootstrap thin wrapper.
+ * Compiles TypeScript bootstrap to CommonJS for Node.js SEA compatibility.
+ */
+
+import path from 'node:path'
+import url from 'node:url'
+
+import { babel as babelPlugin } from '@rollup/plugin-babel'
+import commonjsPlugin from '@rollup/plugin-commonjs'
+import { nodeResolve } from '@rollup/plugin-node-resolve'
+
+const __dirname = path.dirname(url.fileURLToPath(import.meta.url))
+const rootDir = path.join(__dirname, '..')
+
+export default {
+  input:
+    process.env.SEA_BOOTSTRAP || path.join(rootDir, 'src/sea/bootstrap.mts'),
+  output: {
+    file:
+      process.env.SEA_OUTPUT || path.join(rootDir, 'dist/sea/bootstrap.cjs'),
+    format: 'cjs',
+    interop: 'auto',
+  },
+  external: [
+    // Only externalize Node.js built-ins for the thin wrapper.
+    /^node:/,
+  ],
+  plugins: [
+    nodeResolve({
+      preferBuiltins: true,
+      exportConditions: ['node'],
+    }),
+    babelPlugin({
+      babelHelpers: 'runtime',
+      babelrc: false,
+      configFile: path.join(__dirname, 'babel.config.js'),
+      extensions: ['.mjs', '.js', '.ts', '.mts'],
+    }),
+    commonjsPlugin(),
+  ],
+}

.github/workflows/lint.yml

@@ -12,5 +12,5 @@ permissions:
   contents: read
 
 jobs:
-  lint:
+  lint-check:
     uses: SocketDev/socket-registry/.github/workflows/lint.yml@main

.github/workflows/provenance.yml

@@ -1,4 +1,4 @@
-name: Provenance
+name: Publish to npm registry
 
 on:
   workflow_dispatch:

.github/workflows/socket-auto-pr.yml

@@ -1,4 +1,4 @@
-name: Socket Fix
+name: Socket Fix Auto Pull Request
 
 on:
   schedule:
@@ -15,8 +15,12 @@ on:
           - '0'
           - '1'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
-  fix:
+  socket-auto-pr:
     uses: SocketDev/socket-registry/.github/workflows/socket-auto-pr.yml@main
     with:
       debug: ${{ inputs.debug }}

README.md

@@ -3,7 +3,7 @@
 [![Socket Badge](https://socket.dev/api/badge/npm/package/socket)](https://socket.dev/npm/package/socket)
 [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
 
-> CLI tool for [Socket.dev]
+CLI for [Socket.dev] security analysis
 
 ## Usage
 
@@ -14,97 +14,78 @@ socket --help
 
 ## Commands
 
-- `socket npm [args...]` and `socket npx [args...]` - Wraps `npm` and `npx` to
-  integrate [Socket.dev] and preempt installation of alerted packages using the
-  builtin resolution of `npm` to precisely determine package installations
+- `socket npm [args...]` and `socket npx [args...]` - Wraps npm/npx with Socket security scanning
 
-- `socket optimize` - Optimize dependencies with
-  [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
-  _(👀 [our blog post](https://socket.dev/blog/introducing-socket-optimize))_
+- `socket fix` - Fix CVEs in dependencies
 
-  - `--pin` - Pin overrides to their latest version
-  - `--prod` - Add overrides for only production dependencies
+- `socket optimize` - Optimize dependencies with [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
 
-- `socket cdxgen [command]` - Call out to
-  [cdxgen](https://cyclonedx.github.io/cdxgen/#/?id=getting-started). See
-  [their documentation](https://cyclonedx.github.io/cdxgen/#/CLI?id=getting-help)
-  for commands.
+- `socket cdxgen [command]` - Run [cdxgen](https://cyclonedx.github.io/cdxgen/#/?id=getting-started) for SBOM generation
 
 ## Aliases
 
 All aliases support the flags and arguments of the commands they alias.
 
-- `socket ci` - alias for `socket scan create --report` which creates a report for the current directory and quits with an exit code if the result is unhealthy
+- `socket ci` - Alias for `socket scan create --report` (creates report and exits with error if unhealthy)
 
 ## Flags
 
 ### Output flags
 
-- `--json` - Outputs result as JSON which can be piped into [`jq`](https://stedolan.github.io/jq/) and other tools
-- `--markdown` - Outputs result as Markdown which can be copied into issues, pull requests, or chats
+- `--json` - Output as JSON
+- `--markdown` - Output as Markdown
 
 ### Other flags
 
-- `--dry-run` - Run a command without uploading anything
-- `--debug` - Output additional debug
-- `--help` - Prints help documentation
-- `--max-old-space-size` - Set Node's V8 [`--max-old-space-size`](https://nodejs.org/api/cli.html#--max-old-space-sizesize-in-mib) option
-- `--max-semi-space-size` - Set Node's V8 [`--max-semi-space-size`](https://nodejs.org/api/cli.html#--max-semi-space-sizesize-in-mib) option
-- `--version` - Prints the Socket CLI version
+- `--dry-run` - Run without uploading
+- `--debug` - Show debug output
+- `--help` - Show help
+- `--max-old-space-size` - Set Node.js memory limit
+- `--max-semi-space-size` - Set Node.js heap size
+- `--version` - Show version
 
 ## Configuration files
 
-Socket CLI reads and uses data from a
-[`socket.yml` file](https://docs.socket.dev/docs/socket-yml) in the folder you
-run it in. It supports the version 2 of the `socket.yml` file format and makes
-use of the `projectIgnorePaths` to excludes files when creating a report.
+Socket CLI reads [`socket.yml`](https://docs.socket.dev/docs/socket-yml) configuration files.
+Supports version 2 format with `projectIgnorePaths` for excluding files from reports.
 
 ## Environment variables
 
-- `SOCKET_CLI_API_TOKEN` - Set the Socket API token
-- `SOCKET_CLI_CONFIG` - A JSON stringified Socket configuration object
-- `SOCKET_CLI_GITHUB_API_URL` - Change the base URL for GitHub REST API calls
-- `SOCKET_CLI_GIT_USER_EMAIL` - The git config `user.email` used by Socket CLI<br>
-  *Defaults:* `github-actions[bot]@users.noreply.github.com`<br>
-- `SOCKET_CLI_GIT_USER_NAME` - The git config `user.name` used by Socket CLI<br>
-  *Defaults:* `github-actions[bot]`<br>
-- `SOCKET_CLI_GITHUB_TOKEN` - A classic or fine-grained [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) with the "repo" scope or read/write permissions set for "Contents" and "Pull Request"<br>
-  *Aliases:* `GITHUB_TOKEN`<br>
-- `SOCKET_CLI_NO_API_TOKEN` - Make the default API token `undefined`
-- `SOCKET_CLI_NPM_PATH` - The absolute location of the npm directory
-- `SOCKET_CLI_ORG_SLUG` - Specify the Socket organization slug<br><br>
-- `SOCKET_CLI_ACCEPT_RISKS` - Accept risks of a Socket wrapped npm/npx run
-- `SOCKET_CLI_VIEW_ALL_RISKS` - View all risks of a Socket wrapped npm/npx run
+- `SOCKET_CLI_API_TOKEN` - Socket API token
+- `SOCKET_CLI_CONFIG` - JSON configuration object
+- `SOCKET_CLI_GITHUB_API_URL` - GitHub API base URL
+- `SOCKET_CLI_GIT_USER_EMAIL` - Git user email (default: `github-actions[bot]@users.noreply.github.com`)
+- `SOCKET_CLI_GIT_USER_NAME` - Git user name (default: `github-actions[bot]`)
+- `SOCKET_CLI_GITHUB_TOKEN` - GitHub token with repo access (alias: `GITHUB_TOKEN`)
+- `SOCKET_CLI_NO_API_TOKEN` - Disable default API token
+- `SOCKET_CLI_NPM_PATH` - Path to npm directory
+- `SOCKET_CLI_ORG_SLUG` - Socket organization slug
+- `SOCKET_CLI_ACCEPT_RISKS` - Accept npm/npx risks
+- `SOCKET_CLI_VIEW_ALL_RISKS` - Show all npm/npx risks
 
 ## Contributing
 
-### Setup
-
-To run locally execute the following commands:
+Run locally:
 
 ```
 npm install
 npm run build
 npm exec socket
 ```
 
-### Environment variables for development
+### Development environment variables
 
-- `SOCKET_CLI_API_BASE_URL` - Change the base URL for Socket API calls<br>
-  *Defaults:* The "apiBaseUrl" value of socket/settings local app data if present, else `https://api.socket.dev/v0/`<br>
-- `SOCKET_CLI_API_PROXY` - Set the proxy Socket API requests are routed through, e.g. if set to<br>
-  [`http://127.0.0.1:9090`](https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries), then all request are passed through that proxy<br>
-  *Aliases:* `HTTPS_PROXY`, `https_proxy`, `HTTP_PROXY`, and `http_proxy`<br>
-- `SOCKET_CLI_API_TIMEOUT` - Set the timeout in milliseconds for Socket API requests
-- `SOCKET_CLI_DEBUG` - Enable debug logging in Socket CLI
-- `DEBUG` - Enable debug logging based on the [`debug`](https://socket.dev/npm/package/debug) package
+- `SOCKET_CLI_API_BASE_URL` - API base URL (default: `https://api.socket.dev/v0/`)
+- `SOCKET_CLI_API_PROXY` - Proxy for API requests (aliases: `HTTPS_PROXY`, `https_proxy`, `HTTP_PROXY`, `http_proxy`)
+- `SOCKET_CLI_API_TIMEOUT` - API request timeout in milliseconds
+- `SOCKET_CLI_DEBUG` - Enable debug logging
+- `DEBUG` - Enable [`debug`](https://socket.dev/npm/package/debug) package logging
 
 ## See also
 
-- [Announcement blog post](https://socket.dev/blog/announcing-socket-cli-preview)
-- [Socket API Reference](https://docs.socket.dev/reference) - The API used by Socket CLI
-- [Socket GitHub App](https://github.com/apps/socket-security) - The plug-and-play GitHub App
-- [`@socketsecurity/sdk`](https://github.com/SocketDev/socket-sdk-js) - The SDK used by Socket CLI
+- [Socket API Reference](https://docs.socket.dev/reference)
+- [Socket GitHub App](https://github.com/apps/socket-security)
+- [`@socketsecurity/sdk`](https://github.com/SocketDev/socket-sdk-js)
 
 [Socket.dev]: https://socket.dev/
 

package.json

@@ -36,6 +36,8 @@
     "build:dist": "pnpm build:dist:src && pnpm build:dist:types",
     "build:dist:src": "run-p -c clean:dist clean:external && dotenvx -q run -f .env.local -- rollup -c .config/rollup.dist.config.mjs",
     "build:dist:types": "pnpm clean:dist:types && tsgo --project tsconfig.dts.json",
+    "build:sea": "node src/sea/build-sea.mts",
+    "build:sea:internal:bootstrap": "rollup -c .config/rollup.sea.config.mjs",
     "check": "pnpm check:lint && pnpm check:tsc",
     "check:lint": "dotenvx -q run -f .env.local -- eslint --report-unused-disable-directives .",
     "check:tsc": "tsgo",
@@ -167,6 +169,7 @@
     "open": "10.2.0",
     "oxlint": "1.15.0",
     "pony-cause": "2.1.11",
+    "postject": "1.0.0-alpha.6",
     "registry-auth-token": "5.1.0",
     "registry-url": "7.2.0",
     "rollup": "4.50.1",