Make safe npm alerts prettier

Author: jdalton

src/constants.ts

@@ -47,6 +47,7 @@ type ENV = Remap<
       SOCKET_CLI_ACCEPT_RISKS: boolean
       SOCKET_CLI_DEBUG: boolean
       SOCKET_CLI_NO_API_TOKEN: boolean
+      SOCKET_CLI_VIEW_ALL_RISKS: boolean
       SOCKET_SECURITY_API_BASE_URL: string
       SOCKET_SECURITY_API_TOKEN: string
       XDG_DATA_HOME: string
@@ -110,6 +111,7 @@ type Constants = Remap<
     readonly SOCKET_CLI_SENTRY_NPM_BIN_NAME: 'socket-npm-with-sentry'
     readonly SOCKET_CLI_SENTRY_NPX_BIN_NAME: 'socket-npx-with-sentry'
     readonly SOCKET_CLI_SENTRY_PACKAGE_NAME: '@socketsecurity/cli-with-sentry'
+    readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'
     readonly SOCKET_SECURITY_API_BASE_URL: 'SOCKET_SECURITY_API_BASE_URL'
     readonly SOCKET_SECURITY_API_TOKEN: 'SOCKET_SECURITY_API_TOKEN'
     readonly VLT: 'vlt'
@@ -183,6 +185,7 @@ const SOCKET_CLI_SENTRY_BIN_NAME_ALIAS = 'cli-with-sentry'
 const SOCKET_CLI_SENTRY_NPM_BIN_NAME = 'socket-npm-with-sentry'
 const SOCKET_CLI_SENTRY_NPX_BIN_NAME = 'socket-npx-with-sentry'
 const SOCKET_CLI_SENTRY_PACKAGE_NAME = `${SOCKET_SECURITY_SCOPE}/cli-with-sentry`
+const SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'
 const SOCKET_SECURITY_API_BASE_URL = 'SOCKET_SECURITY_API_BASE_URL'
 const SOCKET_SECURITY_API_TOKEN = 'SOCKET_SECURITY_API_TOKEN'
 const VLT = 'vlt'
@@ -221,12 +224,14 @@ const LAZY_ENV = () => {
     // non-roaming application data, like temporary files, cached data, and program
     // settings, that are specific to the current machine and user.
     LOCALAPPDATA: envAsString(env['LOCALAPPDATA']),
-    // Flag to accepts risks of previous safe npm/npx run.
+    // Flag to accepts risks of safe-npm and safe-npx run.
     SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env['SOCKET_CLI_ACCEPT_RISKS']),
     // Flag to help debug Socket CLI.
     SOCKET_CLI_DEBUG: envAsBoolean(env['SOCKET_CLI_DEBUG']),
     // Flag to make the default API token `undefined`.
     SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),
+    // Flag to view all risks of safe-npm and safe-npx run.
+    SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env['SOCKET_CLI_VIEW_ALL_RISKS']),
     // Flag to change the base URL for all API-calls.
     // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
     SOCKET_SECURITY_API_BASE_URL: envAsString(
@@ -386,6 +391,7 @@ const constants = createConstantsObject(
     SOCKET_CLI_SENTRY_NPM_BIN_NAME,
     SOCKET_CLI_SENTRY_NPX_BIN_NAME,
     SOCKET_CLI_SENTRY_PACKAGE_NAME,
+    SOCKET_CLI_VIEW_ALL_RISKS,
     SOCKET_SECURITY_API_BASE_URL,
     SOCKET_SECURITY_API_TOKEN,
     VLT,

src/shadow/npm/arborist/lib/arborist/index.ts

@@ -1,5 +1,7 @@
 import process from 'node:process'
 
+import { stripIndents } from 'common-tags'
+
 import { logger } from '@socketsecurity/registry/lib/logger'
 
 import constants from '../../../../../constants'
@@ -15,6 +17,7 @@ const {
   NPX,
   SOCKET_CLI_ACCEPT_RISKS,
   SOCKET_CLI_SAFE_WRAPPER,
+  SOCKET_CLI_VIEW_ALL_RISKS,
   kInternalsSymbol,
   [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc }
 } = constants
@@ -121,9 +124,17 @@ export class SafeArborist extends Arborist {
     })
     if (alertsMap.size) {
       process.exitCode = 1
-      logAlertsMap(alertsMap, { output: process.stderr })
+      logAlertsMap(alertsMap, {
+        // Lazily access constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS].
+        hideAt: constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS] ? 'none' : 'middle',
+        output: process.stderr
+      })
       throw new Error(
-        `Socket ${binName} exiting due to risks.\nRerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1 to accept risks.`
+        stripIndents`
+          Socket ${binName} exiting due to risks.
+          To view all risks rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.
+          To accept risks rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.
+        `
       )
     } else {
       logger.success(`Socket ${binName} found no risks!`)

src/utils/alert/artifact.ts

@@ -1,17 +1,23 @@
 import constants from '../../constants'
 
 import type { Remap } from '@socketsecurity/registry/lib/objects'
-import type { components } from '@socketsecurity/sdk/types/api'
+import type { components, operations } from '@socketsecurity/sdk/types/api'
+
+export type ALERT_TYPE = keyof NonNullable<
+  operations['getOrgSecurityPolicy']['responses']['200']['content']['application/json']['securityPolicyRules']
+>
+
+export type CVE_ALERT_TYPE = 'cve' | 'mediumCVE' | 'mildCVE' | 'criticalCVE'
 
 export type ArtifactAlertCve = Remap<
   Omit<CompactSocketArtifactAlert, 'type'> & {
-    type: CveAlertType
+    type: CVE_ALERT_TYPE
   }
 >
 
 export type ArtifactAlertCveFixable = Remap<
   Omit<CompactSocketArtifactAlert, 'props' | 'type'> & {
-    type: CveAlertType
+    type: CVE_ALERT_TYPE
     props: {
       firstPatchedVersionIdentifier: string
       vulnerableVersionRange: string
@@ -26,8 +32,6 @@ export type ArtifactAlertUpgrade = Remap<
   }
 >
 
-export type CveAlertType = 'cve' | 'mediumCVE' | 'mildCVE' | 'criticalCVE'
-
 export type CompactSocketArtifactAlert = Remap<
   Omit<SocketArtifactAlert, 'category' | 'end' | 'file' | 'start'>
 >
@@ -38,10 +42,16 @@ export type CompactSocketArtifact = Remap<
   }
 >
 
-export type SocketArtifact = components['schemas']['SocketArtifact']
+export type SocketArtifact = Remap<
+  Omit<components['schemas']['SocketArtifact'], 'alerts'> & {
+    alerts?: SocketArtifactAlert[]
+  }
+>
 
 export type SocketArtifactAlert = Remap<
-  Omit<components['schemas']['SocketAlert'], 'props'> & {
+  Omit<components['schemas']['SocketAlert'], 'action' | 'props' | 'type'> & {
+    type: ALERT_TYPE
+    action?: 'error' | 'monitor' | 'warn' | 'ignore'
     props?: any | undefined
   }
 >

src/utils/config.ts

@@ -136,9 +136,8 @@ function normalizeConfigKey(key: keyof LocalConfig): keyof LocalConfig {
   return normalizedKey
 }
 
-export function findSocketYmlSync() {
+export function findSocketYmlSync(dir = process.cwd()) {
   let prevDir = null
-  let dir = process.cwd()
   while (dir !== prevDir) {
     let ymlPath = path.join(dir, 'socket.yml')
     let yml = safeReadFileSync(ymlPath)