@jdalton jdalton commented Nov 6, 2025

Summary

This PR removes shadow bin wrappers for pnpm and yarn, using direct spawning instead. Shadow bins are only needed for npm/npx security scanning. This change also converts all lazy require() calls to static ES module imports throughout the refactored code paths.

Changes

  1. Remove shadow bins - Delete shadow pnpm/yarn directories and entry points
  2. Direct spawning - pnpm/yarn commands now use direct spawn() with WIN32 shell option
  3. Static imports - Replace all createRequire() and lazy require() with ES module imports
  4. CLI dispatch - Use static imports and direct command calls (no subprocess spawning)
  5. SEA constant - Extract NODE_SEA_FUSE to dedicated module with static import

Breaking Change

⚠️ BREAKING CHANGE: socket-pnpm and socket-yarn binaries no longer use shadow wrappers. Commands now spawn package managers directly.

This is unlikely to affect users in practice since the functionality remains the same, but the internal mechanism has changed fundamentally.

Benefits

  • ✅ Reduced code complexity (removed ~450 lines)
  • ✅ Better performance (no shadow wrapper overhead)
  • ✅ Improved bundling (static imports enable tree-shaking)
  • ✅ Cleaner architecture (shadow wrappers only for npm/npx)
  • ✅ Eliminated all refactorable lazy require() calls

Test Plan

  • Type check passes
  • Security checks pass
  • Manual testing of socket pnpm commands
  • Manual testing of socket yarn commands
  • Verify cross-platform compatibility (Windows shell handling)

Related

Part of broader effort to eliminate dynamic require() usage and simplify package manager command architecture.

Test User added 5 commits November 6, 2025 09:19
Create dedicated module for NODE_SEA_FUSE constant and use static import
instead of lazy require(). This improves bundling and eliminates dynamic
require() calls.

Changes:
- Create src/utils/sea/constants/NODE_SEA_FUSE.mts with fuse constant
- Update src/utils/sea/build.mts to use static import
- Replace 3 require() calls with direct constant usage

Remove shadow bin wrappers for pnpm and yarn, using direct spawn instead.
Shadow bins are only needed for npm/npx security scanning. For pnpm/yarn,
we use direct spawn with WIN32 shell option for cross-platform compatibility.

BREAKING CHANGE: socket-pnpm and socket-yarn binaries no longer use shadow
wrappers. Commands now spawn package managers directly.

Changes:
- Remove src/shadow/pnpm/ and src/shadow/yarn/ directories
- Remove src/pnpm-cli.mts and src/yarn-cli.mts entry points
- Update cmd-pnpm.mts to use direct spawn() with WIN32 shell
- Update cmd-yarn.mts to use direct spawn() with WIN32 shell
- Replace lazy require() with static imports from @socketsecurity/lib

…commands

Convert npm and npx commands from lazy require() to static ES module imports
for shadow bins. This improves bundling and eliminates dynamic loading.

Changes:
- Remove createRequire usage from cmd-npm.mts and cmd-npx.mts
- Add static imports for shadowNpmBin and shadowNpxBin
- Add type cast (as any) for spawnPromise.process to fix TypeScript error
- Maintain same functionality with cleaner static imports

…patch

Update cli-dispatch to use static imports and direct command calls instead
of dynamic imports and subprocess spawning. This improves performance,
reduces overhead, and enables better tree-shaking.

Changes:
- Add static imports for cmdNpm, cmdNpx, cmdPnpm, cmdYarn
- Replace dynamic import() calls with direct command.run() calls
- Remove subprocess spawning for package manager commands
- All commands now call handlers directly in same process
- Update comments to reflect direct command execution

Benefits:
- Faster execution (no subprocess overhead)
- Better bundling (static imports)
- Cleaner code flow (direct function calls)

…runner

Simplify shadow runner to only support npm/npx since pnpm/yarn now use
direct spawning. Replace lazy require() with static imports for shadow bins.

Changes:
- Remove createRequire and lazy require() usage
- Add static imports for shadowNpmBin and shadowNpxBin
- Remove agent parameter from ShadowRunnerOptions
- Remove detectPackageManager() function (no longer needed)
- Remove pnpm/yarn logic from runShadowCommand()
- Update docs to clarify npm/npx-only support
- Simplify runShadowCommand to always use shadowNpxBin

Note: pnpm/yarn commands now use direct spawn in their respective
command files instead of shadow wrappers.

@jdalton jdalton closed this Nov 8, 2025
@jdalton jdalton deleted the jdalton/remove-shadow-bins-pnpm-yarn branch November 8, 2025 15:59
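
Added example, not part of this PR or of Socket CLI's code: a sketch of the direct-spawn pattern described above, assuming "WIN32 shell option" means `shell` is enabled only on Windows. `buildSpawnPlan`, `runPackageManager` and the conservative argument check are hypothetical; the check exists because with `shell: true` Node joins the arguments into a single cmd.exe command line without quoting them.

```javascript
// Added example (hypothetical names; not Socket CLI source).
// Characters that cmd.exe treats specially, plus whitespace, which would
// split one argument into several once shell:true joins argv into a string.
const CMD_UNSAFE = /[\s&|<>^%!"()]/;

// Build the spawn() inputs for a directly spawned package manager.
// `platform` is a parameter so the Windows branch can be checked anywhere.
function buildSpawnPlan(agent, args, platform = process.platform) {
  if (agent !== 'pnpm' && agent !== 'yarn') {
    // Assumption from the PR text: npm/npx keep their shadow wrappers.
    throw new Error(`unsupported agent: ${agent}`);
  }
  const WIN32 = platform === 'win32';
  if (WIN32) {
    // Conservative policy: refuse instead of attempting cmd.exe quoting.
    const bad = args.find(a => typeof a !== 'string' || CMD_UNSAFE.test(a));
    if (bad !== undefined) {
      throw new Error(`argument not safe for cmd.exe: ${JSON.stringify(bad)}`);
    }
  }
  return {
    command: agent,
    args: [...args],
    // A shell is needed on Windows to resolve the pnpm.cmd / yarn.cmd shims;
    // elsewhere the binary is executed directly with an argv array.
    options: { shell: WIN32, stdio: 'inherit' },
  };
}

// Spawn the package manager and resolve with its exit code.
async function runPackageManager(agent, args) {
  // Dynamic import only so this snippet runs as either CommonJS or ESM.
  const { spawn } = await import('node:child_process');
  const plan = buildSpawnPlan(agent, args);
  return new Promise((resolve, reject) => {
    const child = spawn(plan.command, plan.args, plan.options);
    child.on('error', reject);
    child.on('close', code => resolve(code));
  });
}
```

On non-Windows platforms the same arguments pass through unchanged, since no shell parses them.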