refactor: simplify package structure by consolidating lib packages #882
Conversation
Add lib-internal and SDK to BUILD_PACKAGES array as the first two build steps to ensure they are built before the CLI package, which depends on both of them. This fixes the build order issue where CLI would fail because it imports from @socketsecurity/lib-internal and @socketsecurity/sdk but their dist folders didn't exist yet.
- Scripts (build.mjs, etc.) → @socketsecurity/lib-external
- Build infrastructure → @socketsecurity/lib-external
- CLI source code (src/) → @socketsecurity/lib-internal
- Add lib-external alias to root devDependencies

This ensures proper separation between:
- Published package (lib-external) for build scripts
- Workspace package (lib-internal) for application source

Change the workspace package name from @socketsecurity/lib to @socketsecurity/lib-internal to clearly distinguish it from the published npm package. This ensures:
- CLI source imports from @socketsecurity/lib-internal (workspace)
- Scripts import from @socketsecurity/lib-external (published package)

Updated CLI package.json to use @socketsecurity/lib-internal workspace dependency.
Update all package.json files across the monorepo to use the renamed @socketsecurity/lib-internal workspace dependency. Git renamed packages/lib → packages/lib-internal to match the new package name.
Remove bootstrap-smol source file, config, and exports as it's no longer needed. Keep bootstrap-npm and bootstrap-sea.
…-node-versions Fixed TypeError where CLI crashed on startup with "Cannot read properties of null (reading 'major')". The issue was that maintained-node-versions exports a default export, but the require() calls were not accessing the .default property. This caused semver.parse() to receive undefined instead of the version string.

Changes:
- packages/lib-internal/src/package-default-node-range.ts: Added .default to require
- packages/lib-internal/src/constants/node.ts: Added .default to require

This fix resolves 19 test failures in the CLI test suite (from 66 to 47 failures).

After renaming @socketsecurity/lib to @socketsecurity/lib-internal, test mocks were still referencing the old package name, causing 47 test failures. Updated all vi.mock() statements and related imports in test files to use the correct lib-internal package.

Changes:
- Updated vi.mock() statements from @socketsecurity/lib/* to @socketsecurity/lib-internal/*
- Updated await import() statements in tests to match mocked package paths
- Fixed import statement in handle-purls-shallow-score.test.mts to match its mock

Test results:
- Before: 47 failed tests across 10 test files
- After: All 2255 tests passing (196 test files, 100% pass rate)

Files modified:
- test/unit/commands/ci/handle-ci.test.mts
- test/unit/commands/fix/ghsa-tracker.test.mts
- test/unit/commands/fix/handle-fix.test.mts
- test/unit/commands/fix/pr-lifecycle-logger.test.mts
- test/unit/commands/package/handle-purl-deep-score.test.mts
- test/unit/commands/package/handle-purls-shallow-score.test.mts
- test/unit/commands/scan/fetch-diff-scan.test.mts
- test/unit/commands/scan/fetch-scan.test.mts
- test/unit/commands/scan/output-create-new-scan.test.mts
- test/unit/commands/threat-feed/output-threat-feed.test.mts

Fixed two pre-existing TypeScript errors that were preventing successful builds:

1. bin.ts: Removed incompatible 'env' property from WhichOptions interface
   - The 'which' package has strict type checking that doesn't allow env property
   - This was causing TS2345 errors during build
2. versions.ts: Added 'release' to versionDiff return type
   - semver.diff() can return 'release' type which wasn't in the union type
   - This was causing TS2322 error

These fixes allow lib-internal to build successfully with TypeScript type declarations.
Moved SECURITY.md file to comply with monorepo markdown filename conventions. SCREAMING_CASE files are only allowed at root, docs/, or .claude/ directories.
Removed types export for babel-plugin-inline-require-calls as the .d.ts file doesn't exist. This was causing build warnings.
Removes fix-external-imports.mjs script and its call from fix-build.mjs.
The external bundling system (build-externals.mjs + fix-external-imports.mjs)
was designed for standalone npm package distribution, not monorepo usage.
In standalone distribution, it would:
- Bundle 30+ external dependencies into dist/external/
- Rewrite imports from require('package') to require('./external/package')
- Create a zero-dependency npm package
In monorepo context:
- All packages are in node_modules/ via pnpm workspaces
- External bundling is explicitly disabled (build.mjs:409)
- No need to bundle or rewrite imports
The build now runs:
- Package exports generation
- Path alias fixing
- CommonJS exports fixing
Verified that built files have correct imports (e.g., require("picomatch")
instead of require("./external/picomatch")).
Removes SECURITY.md from sdk package root. This file was orphaned and not part of the sdk package documentation structure.
The CLI package now depends on @socketsecurity/lib-internal and @socketsecurity/sdk as workspace dependencies. These packages must be built before the CLI can be type-checked or built.

Updated all CI job steps to build dependencies in the correct order:
1. lib-internal
2. SDK
3. CLI

This fixes TypeScript compilation errors in CI where modules could not be resolved.
Changed from manually chaining build commands to using pnpm's recursive filter syntax (`--filter @socketsecurity/cli...`) which automatically builds all workspace dependencies in the correct order. The `...` suffix tells pnpm to include all dependencies of the CLI package, ensuring lib-internal and SDK are built before CLI. This is more maintainable and follows pnpm best practices.
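As an added illustration (not code from this PR or the socket-cli repository) of what the `...` filter has to work out for the build-order commits above: a JavaScript sketch that derives the build order of workspace packages from their package.json manifests, treating only `workspace:` specifiers as build edges and failing loudly on a dependency cycle. The manifests are constructed for the example; in particular, the SDK is assumed to have no workspace dependencies of its own.

```javascript
// Added example, not part of the PR: topological build order for pnpm-style
// workspace packages. Manifests below are constructed; the real packages may
// declare different dependencies (the SDK's are assumed empty here).
const manifests = [
  { name: '@socketsecurity/cli',
    dependencies: {
      '@socketsecurity/lib-internal': 'workspace:*',
      '@socketsecurity/sdk': 'workspace:*',
      semver: '^7.6.0' } },
  { name: '@socketsecurity/sdk', dependencies: {} },
  { name: '@socketsecurity/lib-internal', dependencies: { picomatch: '^4.0.0' } },
];

// Only `workspace:` specifiers are edges in the build graph; registry
// dependencies are installed, not built, so they are ignored.
function workspaceDeps(manifest) {
  const all = { ...manifest.dependencies, ...manifest.devDependencies };
  return Object.keys(all).filter(n => String(all[n]).startsWith('workspace:'));
}

// Returns every package that must be built to build `target`, dependencies
// first (the set `pnpm --filter <target>...` selects). Throws on a cycle or
// on a workspace dependency that has no manifest in the workspace.
function buildOrder(manifests, target) {
  const byName = new Map(manifests.map(m => [m.name, m]));
  const state = new Map(); // name -> 'visiting' | 'done'
  const order = [];
  function visit(name, path) {
    if (state.get(name) === 'done') return;
    if (state.get(name) === 'visiting') {
      throw new Error(`dependency cycle: ${[...path, name].join(' -> ')}`);
    }
    const m = byName.get(name);
    if (!m) throw new Error(`${name} is a workspace dep but has no manifest`);
    state.set(name, 'visiting');
    // Sorted so independent deps get a deterministic order.
    for (const dep of workspaceDeps(m).sort()) visit(dep, [...path, name]);
    state.set(name, 'done');
    order.push(name);
  }
  visit(target, []);
  return order;
}

console.log(buildOrder(manifests, '@socketsecurity/cli').join('\n'));
```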
Summary
This PR simplifies the package structure by consolidating internal library packages and establishing clear boundaries between internal and external dependencies:
- @socketsecurity/lib → @socketsecurity/lib-internal to clarify it's for internal use only
- @socketsecurity/lib-external as an npm alias pointing to the published @socketsecurity/lib@3.2.8
- @socketsecurity/lib-internal for internal imports
- @socketsecurity/lib-external for external (published) imports

Benefits
Test plan
🤖 Generated with Claude Code