/**
* Update: two-pass taze to apply the fleet's maturity policy correctly.
*
* Pass 1: default config (.config/taze.config.mts) — non-Socket deps respect
* maturityPeriod: 7.
*
* Pass 2: CLI-flag override — Socket-owned scopes only, maturityPeriod: 0.
* taze's config auto-discovery is path-based and doesn't support a --config
* override, so the second pass uses `--include <scopes> --maturity-period 0`
* flags instead of a second config file.
*
* Pass 3: pnpm install to refresh the lockfile against the updated
* package.json.
*
* SOCKET_SCOPES below MUST match the `exclude` list in .config/taze.config.mts
* — drift causes double-bumps or misses.
*
* This is a reference script. Consuming repos can drop it into their own
* scripts/ dir and wire it in via a `"update": "node scripts/update.mts"`
* package.json entry.
*/
import { spawn } from '@socketsecurity/lib-stable/process/spawn/child'
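/**
 * Run `cmd` with `args`, streaming the child's stdio to this process.
 *
 * @param cmd - Executable to launch (here always `pnpm`).
 * @param args - Argument vector handed to `spawn` as-is; no shell is involved,
 *   so the values are not re-parsed or interpolated.
 * @returns `true` when `spawn` resolved, `false` when it rejected. On
 *   rejection `process.exitCode` is set from the error's numeric `code`
 *   (falling back to 1) so the script exits non-zero once the caller
 *   stops scheduling further steps.
 */
async function run(cmd: string, args: string[]): Promise<boolean> {
  try {
    await spawn(cmd, args, { stdio: 'inherit' })
    return true
  } catch (e: unknown) {
    // Narrow at runtime rather than asserting `e as { code?: number }`: the
    // shape of the rejection is not guaranteed here, and a non-numeric
    // `code` (e.g. a string) must never be assigned to process.exitCode,
    // which Node validates as an integer.
    const code =
      typeof e === 'object' && e !== null
        ? (e as { code?: unknown }).code
        : undefined
    process.exitCode = typeof code === 'number' ? code : 1
    return false
  }
}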
/* Socket-owned scopes — keep in lockstep with the exclude list
 * in .config/taze.config.mts. Drift between the two lists means a
 * package is either bumped in both passes or in neither. */
const SOCKET_SCOPES: string[] = [
  '@socketregistry/*',
  '@socketsecurity/*',
  '@socketdev/*',
  'socket-*',
  'ecc-agentshield',
  'sfw',
]

/** Build a `pnpm exec taze …` step; `flags` are appended verbatim. */
const tazeStep = (...flags: string[]): [string, string[]] => [
  'pnpm',
  ['exec', 'taze', ...flags],
]

/* The three passes, executed in order by the loop below. */
const steps: Array<[string, string[]]> = [
  /* Pass 1 — third-party deps, respects the 7-day cooldown.
   *
   * `--maturity-period 7` MUST be passed on the CLI even though
   * the config file (.config/taze.config.mts) sets the same
   * value. Taze's CLI default for this flag is 0, and CLI
   * defaults override config — without this flag, the cooldown
   * is silently disabled. */
  tazeStep('--maturity-period', '7', '--write'),
  /* Pass 2 — Socket deps, no cooldown. --include is comma-separated. */
  tazeStep(
    '--include',
    SOCKET_SCOPES.join(','),
    '--maturity-period',
    '0',
    '--write',
  ),
  /* Pass 3 — resync lockfile against the updated package.json. */
  ['pnpm', ['install']],
]
/* Run the passes in order and stop at the first failure — run() has
 * already set process.exitCode by then, and pass 3 only makes sense
 * against the package.json produced by the earlier passes. */
for (const step of steps) {
  const ok = await run(...step)
  if (!ok) break
}