Bundle zod as external dependency

Author: jdalton

.config/rollup.base.config.mjs

@@ -154,7 +154,8 @@ export default function baseConfig(extendConfig = {}) {
       if (
         id.includes('/external/') &&
         !id.endsWith('/external/ink-table.mjs') &&
-        !id.endsWith('/external/yoga-layout.mjs')
+        !id.endsWith('/external/yoga-layout.mjs') &&
+        !id.endsWith('/external/zod.mjs')
       ) {
         return true
       }

.config/rollup.dist.config.mjs

@@ -352,6 +352,7 @@ export default async () => {
         [SHADOW_PNPM_BIN]: `${srcPath}/shadow/pnpm/bin.mts`,
         'external/ink-table': `${srcPath}/external/ink-table.mjs`,
         'external/yoga-layout': `${srcPath}/external/yoga-layout.mjs`,
+        'external/zod': `${srcPath}/external/zod.mjs`,
         ...(constants.ENV[INLINED_SOCKET_CLI_SENTRY_BUILD]
           ? {
               [INSTRUMENT_WITH_SENTRY]: `${srcPath}/${INSTRUMENT_WITH_SENTRY}.mts`,

.github/workflows/publish-socketbin.yml

@@ -66,12 +66,40 @@ jobs:
       - name: Build stub
         run: pnpm run build:sea:stub
 
+      - name: Setup UPX (Linux/Windows)
+        if: matrix.platform != 'darwin'
+        uses: crazy-max/ghaction-upx@v3
+        with:
+          install-only: true
+
       - name: Build binary
         run: |
           pnpm run build:sea -- \
             --platform=${{ matrix.platform }} \
             --arch=${{ matrix.arch }}
 
+      - name: Compress binary with UPX (Linux/Windows)
+        if: matrix.platform != 'darwin'
+        run: |
+          # Find the binary file (different extensions for different platforms)
+          BINARY_FILE=$(find dist/sea -name "socket-*" -type f | head -1)
+          if [ -f "$BINARY_FILE" ]; then
+            echo "Compressing $BINARY_FILE with UPX..."
+            upx --best --lzma "$BINARY_FILE" || echo "UPX compression failed, continuing anyway"
+            ls -lh "$BINARY_FILE"
+          fi
+
+      - name: Sign binary (macOS)
+        if: matrix.platform == 'darwin'
+        run: |
+          # Sign the macOS binary with ad-hoc signature for distribution
+          BINARY_FILE=$(find dist/sea -name "socket-*" -type f | head -1)
+          if [ -f "$BINARY_FILE" ]; then
+            echo "Signing macOS binary: $BINARY_FILE"
+            codesign --sign - --force "$BINARY_FILE"
+            codesign -dv "$BINARY_FILE"
+          fi
+
       - name: Verify binary
         run: |
           ls -la dist/sea/socket-*

scripts/create-placeholder-packages.mjs

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 
 /**
  * @fileoverview Creates minimal placeholder packages for @socketbin/* to enable trusted publisher.
@@ -131,11 +130,9 @@ npm install -g socket
 async function main() {
   console.log('Creating @socketbin placeholder packages...\n')
 
-  const packageDirs = []
-  for (const { platform, arch } of platforms) {
-    const dir = await createPlaceholderPackage(platform, arch)
-    packageDirs.push(dir)
-  }
+  const packageDirs = await Promise.all(
+    platforms.map(({ arch, platform }) => createPlaceholderPackage(platform, arch))
+  )
 
   console.log('\n📦 Placeholder packages created!\n')
   console.log('To publish them:')
@@ -230,5 +227,5 @@ main()
 
 main().catch(error => {
   console.error('Error:', error)
-  process.exit(1)
+  throw error
 })

scripts/generate-binary-package.mjs

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 
 /**
  * @fileoverview Generates package.json for @socketbin/* binary packages.
@@ -7,8 +6,8 @@
 
 import { promises as fs } from 'node:fs'
 import path from 'node:path'
-import { parseArgs } from 'node:util'
 import { fileURLToPath } from 'node:url'
+import { parseArgs } from 'node:util'
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const rootDir = path.join(__dirname, '..')
@@ -23,11 +22,10 @@ const { values } = parseArgs({
   }
 })
 
-const { platform, arch, version, tool = 'cli', outdir } = values
+const { arch, outdir, platform, tool = 'cli', version } = values
 
 if (!platform || !arch || !version) {
-  console.error('Usage: generate-binary-package.mjs --platform=darwin --arch=arm64 --version=1.1.24')
-  process.exit(1)
+  throw new Error('Usage: generate-binary-package.mjs --platform=darwin --arch=arm64 --version=1.1.24')
 }
 
 // Clean version (remove 'v' prefix if present)
@@ -154,7 +152,7 @@ async function generatePackage() {
         await fs.chmod(targetBinary, 0o755)
       }
       console.log(`Copied binary: ${sourceBinary} -> ${targetBinary}`)
-    } catch (error) {
+    } catch {
       console.warn(`Warning: Binary not found at ${sourceBinary}`)
       console.warn('Binary should be copied manually or in CI')
     }
@@ -163,7 +161,7 @@ async function generatePackage() {
     console.log(`\nTo publish:\n  cd ${packageDir}\n  npm publish --provenance --access public`)
   } catch (error) {
     console.error('Error generating package:', error)
-    process.exit(1)
+    throw error
   }
 }
 

scripts/lint-affected.mjs

@@ -4,9 +4,9 @@
  * Supports cross-repository linting for Socket projects.
  */
 
+import { promises as fs } from 'node:fs'
 import path from 'node:path'
 
-import { promises as fs } from 'node:fs'
 
 import WIN32 from '@socketsecurity/registry/lib/constants/WIN32'
 import { logger } from '@socketsecurity/registry/lib/logger'

scripts/verify-socketbin-packages.mjs

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 
 /**
  * @fileoverview Verifies that all @socketbin/* packages exist on npm registry.

src/cli.mts

@@ -46,9 +46,12 @@ import { scheduleUpdateCheck } from './utils/update-manager.mts'
 
 const __filename = fileURLToPath(import.meta.url)
 
-// Check for --no-log flag early and silence logger if present
+// Check for --no-log or --json flag early and silence logger if present
+// When --json is set, we want clean JSON output without any logger noise
 const noLog =
-  process.argv.includes('--no-log') || process.argv.includes('--noLog')
+  process.argv.includes('--no-log') ||
+  process.argv.includes('--noLog') ||
+  process.argv.includes('--json')
 if (noLog) {
   // Silence all logger methods
   const noop = () => logger
@@ -117,7 +120,8 @@ void (async () => {
 
     if (isJson) {
       const errorResult = formatErrorForJson(e)
-      logger.log(serializeResultJson(errorResult))
+      // Use console.log directly for JSON output to ensure it's not silenced
+      console.log(serializeResultJson(errorResult))
     } else {
       // Add 2 newlines in stderr to bump below any spinner.
       logger.error('\n')

src/commands/manifest/output-requirements.mts

@@ -32,7 +32,8 @@ export async function outputRequirements(
     const json = serializeResultJson(result)
 
     if (out === '-') {
-      logger.log(json)
+      // Use console.log directly for JSON output to ensure it's not silenced
+      console.log(json)
     } else {
       fs.writeFileSync(out, json, 'utf8')
     }

src/commands/patch/manifest-schema.mts

@@ -1,6 +1,6 @@
 /** @fileoverview Patch manifest schema for Socket CLI. Defines Zod validation schemas for patch manifest format including patch records with package specifiers, file hashes, and patch file locations. */
 
-import { z } from 'zod'
+import { z } from '../../external/zod.mjs'
 
 export type PatchManifest = z.infer<typeof PatchManifestSchema>