socket npm cannot be used with the brave-browser repo #48

Open
fmarier opened this issue Jun 9, 2023 · 2 comments

Comments


fmarier commented Jun 9, 2023

Something that npm run init does in the brave-browser repo doesn't work with socket npm, preventing me from aliasing npm to socket npm system-wide (and recommending that my colleagues do the same).

Here's how to reproduce this:

$ git clone https://github.com/brave/brave-browser

$ git clone https://github.com/brave/brave-core brave-browser/src/brave

$ alias npm="${HOME}/node_modules/.bin/socket npm"

$ ${HOME}/node_modules/.bin/socket --version
0.6.0

$ cd brave-browser/

$ npm install

added 28 packages, and audited 29 packages in 9s

7 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm run init

> brave@1.54.49 init
> node ./scripts/init.js

Performing initial checkout of brave-core
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/francois/test/brave-browser/src/brave
> git rev-parse HEAD
brave-core repo at /home/francois/test/brave-browser/src/brave is at commit ID 6ac0b31194d7ce2a62e5307bbe3da10f7ffd1deb
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/francois/test/brave-browser/src/brave
> npm install

npm ERR! Assignment to constant variable.

npm ERR! A complete log of this run can be found in:
npm ERR!     2023-06-09T22_35_41_224Z-debug-0.log

and here's a copy of that log file: https://github.com/SocketDev/socket-cli-js/files/11710503/2023-06-09T22_35_41_224Z-debug-0.log

fmarier (Author) commented Jun 9, 2023

Maybe it has to do with this npm install in brave-core prompting for confirmation before installing the packages?

Here's what I see when I run it manually (outside of npm run init):

$ git clone https://github.com/brave/brave-core

$ cd brave-core/

$ alias npm="${HOME}/node_modules/.bin/socket npm"

$ ${HOME}/node_modules/.bin/socket --version
0.6.0

$ npm install
(socket) protobufjs@6.11.3 contains risks:
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) fsevents@1.2.13 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) keccak@3.0.2 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
(socket) secp256k1@4.0.3 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
(socket) svelte-preprocess@5.0.1 contains risks:
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) tiny-secp256k1@1.1.6 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) svelte-preprocess@5.0.1 contains risks:
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) utf-8-validate@5.0.8 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
(socket) utp-native@2.5.3 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
(socket) bigint-buffer@1.1.5 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) blake-hash@2.0.0 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
(socket) bufferutil@4.0.6 contains risks:
  Native code - Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
(socket) core-js@3.20.3 contains risks:
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) core-js-pure@3.27.2 contains risks:
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
(socket) ip-set@2.1.0 contains risks:
  Potential typo squat - Package name is similar to other popular packages and may not be the package you want.
(socket) styled-components@5.3.9 contains risks:
  Protestware/Troll package - This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.
(socket) http-node@1.2.0 contains risks:
  Potential typo squat - Package name is similar to other popular packages and may not be the package you want.
Accept risks of installing these packages (y/N)? y
npm WARN deprecated @types/jszip@3.4.1: This is a stub types definition. jszip provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/array-move@2.0.0: This is a stub types definition. array-move provides its own type definitions, so you do not need this installed.
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated multibase@3.1.2: This module has been superseded by the multiformats module
npm WARN deprecated @storybook/addon-knobs@6.4.0: deprecating @storybook/addon-knobs in favor of @storybook/addon-controls

added 2398 packages, and audited 2399 packages in 4m

353 packages are looking for funding
  run `npm fund` for details

47 vulnerabilities (6 moderate, 41 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

bmeck (Collaborator) commented Jun 12, 2023

Thanks for the issue. It does look like TTY contention, which is going to be hard to fix since there isn't a protocol for Brave/us to use. I will be looking at this shortly in a more generic way for packages to be fixed.
