Add pr creation to npm fix as well

Author: jdalton

src/commands/fix/npm-fix.ts

@@ -1,10 +1,12 @@
 import { getManifestData } from '@socketsecurity/registry'
+import { logger } from '@socketsecurity/registry/lib/logger'
 import { runScript } from '@socketsecurity/registry/lib/npm'
 import {
   fetchPackagePackument,
   readPackageJson
 } from '@socketsecurity/registry/lib/packages'
 
+import { openGitHubPullRequest } from './open-pr'
 import constants from '../../constants'
 import {
   Arborist,
@@ -14,18 +16,32 @@ import {
 import {
   findPackageNodes,
   getAlertsMapFromArborist,
-  updateNode
-} from '../../utils/lockfile/package-lock-json'
+  updateNode,
+  updatePackageJsonFromNode
+} from '../../utils/arborist-helpers'
 import { getCveInfoByAlertsMap } from '../../utils/socket-package-alert'
 
 import type { SafeNode } from '../../shadow/npm/arborist/lib/node'
 import type { EnvDetails } from '../../utils/package-environment'
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
-const { NPM } = constants
+const { CI, NPM } = constants
 
-function isTopLevel(tree: SafeNode, node: SafeNode): boolean {
-  return tree.children.get(node.name) === node
+type InstallOptions = {
+  cwd?: string | undefined
+}
+
+async function install(
+  idealTree: SafeNode,
+  options: InstallOptions
+): Promise<void> {
+  const { cwd = process.cwd() } = {
+    __proto__: null,
+    ...options
+  } as InstallOptions
+  const arb2 = new Arborist({ path: cwd })
+  arb2.idealTree = idealTree
+  await arb2.reify()
 }
 
 type NpmFixOptions = {
@@ -78,9 +94,9 @@ export async function npmFix(
   for (const { 0: name, 1: infos } of infoByPkg) {
     const revertToIdealTree = arb.idealTree!
     arb.idealTree = null
+
     // eslint-disable-next-line no-await-in-loop
     await arb.buildIdealTree()
-
     const tree = arb.idealTree!
 
     const hasUpgrade = !!getManifestData(NPM, name)
@@ -100,16 +116,14 @@ export async function npmFix(
       continue
     }
 
-    for (let i = 0, { length: nodesLength } = nodes; i < nodesLength; i += 1) {
-      const node = nodes[i]!
-      for (
-        let j = 0, { length: infosLength } = infos;
-        j < infosLength;
-        j += 1
-      ) {
-        const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
-          infos[j]!
+    for (const node of nodes) {
+      for (const {
+        firstPatchedVersionIdentifier,
+        vulnerableVersionRange
+      } of infos) {
+        spinner?.stop()
         const { version: oldVersion } = node
+        const oldSpec = `${name}@${oldVersion}`
         if (
           updateNode(
             node,
@@ -118,45 +132,42 @@ export async function npmFix(
             firstPatchedVersionIdentifier
           )
         ) {
+          const targetVersion = node.package.version!
+          const fixSpec = `${name}@^${targetVersion}`
           try {
+            spinner?.start()
+            spinner?.info(`Installing ${fixSpec}`)
+            // eslint-disable-next-line no-await-in-loop
+            await install(arb.idealTree!, { cwd })
             if (test) {
+              spinner?.info(`Testing ${fixSpec}`)
               // eslint-disable-next-line no-await-in-loop
               await runScript(testScript, [], { spinner, stdio: 'ignore' })
             }
-
-            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`)
-
-            if (isTopLevel(tree, node)) {
-              for (const depField of [
-                'dependencies',
-                'optionalDependencies',
-                'peerDependencies'
-              ]) {
-                const { content: pkgJson } = editablePkgJson
-                const oldVersion = (pkgJson[depField] as any)?.[name]
-                if (oldVersion) {
-                  const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? ''
-                  ;(pkgJson as any)[depField][name] =
-                    `${decorator}${node.version}`
-                }
-              }
+            // Lazily access constants.ENV[CI].
+            if (constants.ENV[CI]) {
+              // eslint-disable-next-line no-await-in-loop
+              await openGitHubPullRequest(name, targetVersion, cwd)
             }
+            updatePackageJsonFromNode(editablePkgJson, tree, node)
             // eslint-disable-next-line no-await-in-loop
             await editablePkgJson.save()
+            spinner?.info(`Fixed ${name}`)
           } catch {
-            spinner?.error(`Reverting ${name} to ${oldVersion}`)
+            spinner?.error(`Reverting ${fixSpec}`)
             arb.idealTree = revertToIdealTree
+            // eslint-disable-next-line no-await-in-loop
+            await install(arb.idealTree!, { cwd })
+            spinner?.stop()
+            logger.error(`Failed to fix ${oldSpec}`)
           }
         } else {
-          spinner?.error(`Could not patch ${name} ${oldVersion}`)
+          spinner?.stop()
+          logger.error(`Could not patch ${oldSpec}`)
         }
       }
     }
   }
 
-  const arb2 = new Arborist({ path: cwd })
-  arb2.idealTree = arb.idealTree
-  await arb2.reify()
-
   spinner?.stop()
 }

src/commands/fix/open-pr.ts

@@ -0,0 +1,132 @@
+import { Octokit } from '@octokit/rest'
+
+import { logger } from '@socketsecurity/registry/lib/logger'
+import { spawn } from '@socketsecurity/registry/lib/spawn'
+
+import constants from '../../constants'
+
+const {
+  GITHUB_ACTIONS,
+  GITHUB_REF_NAME,
+  GITHUB_REPOSITORY,
+  SOCKET_SECURITY_GITHUB_PAT
+} = constants
+
+async function branchExists(
+  branch: string,
+  cwd: string | undefined = process.cwd()
+): Promise<boolean> {
+  try {
+    await spawn(
+      'git',
+      ['show-ref', '--verify', '--quiet', `refs/heads/${branch}`],
+      {
+        cwd,
+        stdio: 'ignore'
+      }
+    )
+    return true
+  } catch {}
+  return false
+}
+
+async function checkoutBaseBranchIfAvailable(
+  baseBranch: string,
+  cwd: string | undefined = process.cwd()
+) {
+  try {
+    const currentBranch = (
+      await spawn('git', ['rev-parse', '--abbrev-ref', 'HEAD'], { cwd })
+    ).stdout.trim()
+    if (currentBranch === baseBranch) {
+      logger.info(`Already on ${baseBranch}`)
+      return
+    }
+    logger.info(`Switching branch from ${currentBranch} to ${baseBranch}...`)
+    await spawn('git', ['checkout', baseBranch], { cwd })
+    logger.info(`Checked out ${baseBranch}`)
+  } catch {
+    logger.warn(`Could not switch to ${baseBranch}. Proceeding with HEAD.`)
+  }
+}
+
+type GitHubRepoInfo = {
+  owner: string
+  repo: string
+}
+
+function getGitHubRepoInfo(): GitHubRepoInfo {
+  // Lazily access constants.ENV[GITHUB_REPOSITORY].
+  const ownerSlashRepo = constants.ENV[GITHUB_REPOSITORY]
+  const slashIndex = ownerSlashRepo.indexOf('/')
+  if (slashIndex === -1) {
+    throw new Error('GITHUB_REPOSITORY environment variable not set')
+  }
+  return {
+    owner: ownerSlashRepo.slice(0, slashIndex),
+    repo: ownerSlashRepo.slice(slashIndex + 1)
+  }
+}
+
+let _octokit: Octokit | undefined
+function getOctokit() {
+  if (_octokit === undefined) {
+    _octokit = new Octokit({
+      // Lazily access constants.ENV[SOCKET_SECURITY_GITHUB_PAT].
+      auth: constants.ENV[SOCKET_SECURITY_GITHUB_PAT]
+    })
+  }
+  return _octokit
+}
+
+export async function openGitHubPullRequest(
+  name: string,
+  targetVersion: string,
+  cwd = process.cwd()
+) {
+  // Lazily access constants.ENV[GITHUB_ACTIONS].
+  if (constants.ENV[GITHUB_ACTIONS]) {
+    // Lazily access constants.ENV[SOCKET_SECURITY_GITHUB_PAT].
+    const pat = constants.ENV[SOCKET_SECURITY_GITHUB_PAT]
+    if (!pat) {
+      throw new Error('Missing SOCKET_SECURITY_GITHUB_PAT environment variable')
+    }
+    const baseBranch =
+      // Lazily access constants.ENV[GITHUB_REF_NAME].
+      constants.ENV[GITHUB_REF_NAME] ??
+      // GitHub defaults to branch name "main"
+      // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
+      'main'
+    const branch = `socket-fix-${name}-${targetVersion.replace(/\./g, '-')}`
+    const commitMsg = `chore: upgrade ${name} to ${targetVersion}`
+    const { owner, repo } = getGitHubRepoInfo()
+    const url = `https://x-access-token:${pat}@github.com/${owner}/${repo}`
+
+    await spawn('git', ['remote', 'set-url', 'origin', url], {
+      cwd
+    })
+
+    if (await branchExists(branch, cwd)) {
+      logger.warn(`Branch "${branch}" already exists. Skipping creation.`)
+    } else {
+      await checkoutBaseBranchIfAvailable(baseBranch, cwd)
+      await spawn('git', ['checkout', '-b', branch], { cwd })
+      await spawn('git', ['add', 'package.json', 'pnpm-lock.yaml'], { cwd })
+      await spawn('git', ['commit', '-m', commitMsg], { cwd })
+      await spawn('git', ['push', '--set-upstream', 'origin', branch], { cwd })
+    }
+    const octokit = getOctokit()
+    await octokit.pulls.create({
+      owner,
+      repo,
+      title: commitMsg,
+      head: branch,
+      base: baseBranch,
+      body: `[socket] Upgrade \`${name}\` to ${targetVersion}`
+    })
+  } else {
+    throw new Error(
+      'Unsupported CI platform or missing GITHUB_ACTIONS environment variable'
+    )
+  }
+}