fix: update lib to 5.4.0 and modernize asset extraction #1025

Closed
John-David Dalton (jdalton) wants to merge 8 commits into main from fix/lib-5.4.0-asset-helpers

@jdalton John-David Dalton (jdalton) commented Jan 9, 2026

Collaborator

Summary

Updates @socketsecurity/lib from 5.3.0 to 5.4.0 and modernizes extraction scripts to use lib utilities consistently.

Fixes CI failures where all test jobs failed during build phase with ENOENT errors when trying to write yoga-sync.mjs.

Changes

  • Bump @socketsecurity/lib to 5.4.0 for glob pattern support
  • Replace ensureOutputDir with safeMkdir from @socketsecurity/lib/fs
  • Inline socket-btm-releases helpers into extract-yoga-wasm.mjs
  • Add defensive directory creation before all file writes

Root Cause

The extraction scripts used glob pattern syntax (yoga-sync-*.mjs) that requires lib 5.4.0, but the project was pinned to 5.3.0. Pattern matching failed, triggering fallback placeholder generation which crashed because the build/ directory didn't exist in CI.

Fixes

  • Primary: Glob pattern matching now works correctly with lib 5.4.0
  • Secondary: Fallback placeholder generation now creates directories as needed

Resolves failures in Integration Tests, E2E Tests (shards 1-2), and Unit Tests (shards 1-3).


Note

Modernizes build-time asset extraction and bumps core lib.

  • Bumps @socketsecurity/lib to 5.4.0 across workspace/lockfile
  • Switches to safeMkdir/safeMkdirSync for robust directory creation in extract-models.mjs and extract-onnx-runtime.mjs
  • Refactors extract-yoga-wasm.mjs to use globbed downloads (yoga-sync-*.mjs), inline computeFileHash/generateHeader, add version check/caching, and generate a safer placeholder; ensures output dirs before writes
  • Removes scripts/utils/socket-btm-releases.mjs (helpers now inlined)

Written by Cursor Bugbot for commit 083e692.

Updates @socketsecurity/lib from 5.3.0 to 5.4.0 to enable glob pattern
support for asset downloads. Modernizes extraction scripts to use lib
utilities consistently.

Fixes CI failures where all test jobs failed during build phase with
ENOENT errors when trying to write yoga-sync.mjs.

Changes:
- Bump @socketsecurity/lib to 5.4.0 for glob pattern support
- Replace ensureOutputDir with safeMkdir from @socketsecurity/lib/fs
- Inline socket-btm-releases helpers into extract-yoga-wasm.mjs
- Add defensive directory creation before all file writes

Resolves build failures in Integration Tests, E2E Tests, and Unit Tests.

Add dedicated generate-packages.mjs script and prebuild hook to ensure
template packages (cli-with-sentry, socket, socketbin) are generated
before the CLI build runs.

This fixes ENOENT errors in CI when trying to read
packages/package-builder/build/socket/package.json during the build.

Previous approach used --skip-prereqs flag which was unnecessary since
we don't need to verify Node/pnpm versions during build - they're
guaranteed to exist in the build environment.

The build now always copies build/cli.js to dist/cli.js, not just in
production mode. This is required because dist/index.js (the entry point)
loads cli.js from its own directory.

Previously, running 'pnpm build' would create dist/index.js but not
dist/cli.js, causing integration tests to fail with MODULE_NOT_FOUND errors.

This fixes integration test failures where dist/index.js couldn't find cli.js.

When --help or other Node.js CLI flags were passed, they were being
forwarded to the Python CLI before the Node.js CLI could handle them.
This caused integration tests to fail because they received Python's
socketcli help output instead of the Node.js CLI help.

Added a whitelist of Node.js CLI flags (--help, --version, --config,
etc.) that should not be forwarded to Python CLI. This allows the
Node.js CLI to handle its own built-in flags correctly.

The @socketsecurity/lib@5.4.0 package has a bundling issue with the debug
module that causes 'import_debug210.default.enable is not a function' errors
when the CLI re-bundles the already-bundled lib code.

Changes:
- Reverted @socketsecurity/lib from 5.4.0 to 5.3.0
- Modified extract-yoga-wasm.mjs to download 'assets' directory and manually
  find the yoga-sync-*.mjs file instead of using glob patterns
- This works around the glob pattern limitation in lib 5.3.0 while avoiding
  the debug bundling bug in lib 5.4.0
- Fixed lint issues (import order)

The lib@5.3.0 bundles a stub for the debug module that was missing the
`enable()` and `disable()` methods. When the CLI re-bundles this code,
it fails with "import_debug2.default.enable is not a function".

This patch adds the missing methods as no-op functions to the stub.

The lib@5.4.0 has helpers for asset downloads that the CLI needs.
The lib's bundled debug stub was missing enable/disable methods,
which caused errors when the CLI re-bundled the code.

This patch adds the missing methods to the debug stub.

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | npm/@socketsecurity/lib@5.3.0 ⏵ 5.4.0 | 100 | 100 | 100 | 100 | 100 |

@socket-security-staging


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | npm/@socketsecurity/lib@5.3.0 ⏵ 5.4.0 | 100 | 100 | 100 | 100 | 100 |

@jdalton

Collaborator Author

Superseded by direct merge to main - @socketsecurity/lib updated to 5.4.1 which includes the external bundling fixes (debug, supports-color, etc.) and asset helper improvements.
