Fix dep-stats dependency preservation

Author: jdalton

.config/rollup.dist.config.mjs

@@ -1,7 +1,6 @@
 import { existsSync, mkdirSync, rmSync, writeFileSync } from 'node:fs'
 import path from 'node:path'
 
-import semver from 'semver'
 import { globSync as tinyGlobSync } from 'tinyglobby'
 
 import { toSortedObject } from '@socketsecurity/registry/lib/objects'
@@ -23,8 +22,6 @@ import {
 
 const {
   BABEL_RUNTIME,
-  CYCLONEDX_CDXGEN,
-  SYNP,
   ROLLUP_EXTERNAL_SUFFIX,
   depStatsPath,
   rootDistPath,
@@ -55,19 +52,14 @@ function updateDepStatsSync(depStats) {
   const oldDepStats = existsSync(depStatsPath)
     ? readJsonSync(depStatsPath)
     : undefined
-  const oldDeps = oldDepStats?.dependencies
   Object.assign(depStats.dependencies, {
-    // Manually add @cyclonedx/cdxgen and synp as they are not directly
-    // referenced in the code but used through spawned processes.
-    [CYCLONEDX_CDXGEN]: pkgJson.dependencies[CYCLONEDX_CDXGEN],
-    [SYNP]: pkgJson.dependencies[SYNP],
+    // Add existing package.json dependencies without old transitives. This
+    // preserves dependencies like '@cyclonedx/cdxgen' and 'synp' that are
+    // indirectly referenced through spawned processes and not directly imported.
     ...Object.fromEntries(
-      // Assign old dep stats dependencies to preserve them.
-      Object.entries(oldDeps ?? {}).filter(({ 0: key, 1: oldSpec }) => {
-        // Skip old deps that are replaced with higher versions.
-        const s = depStats.dependencies[key]
-        return !s || semver.gt(semver.coerce(oldSpec), semver.coerce(s))
-      })
+      Object.entries(pkgJson.dependencies).filter(
+        ({ 0: key }) => !oldDepStats?.transitives?.[key]
+      )
     )
   })
   // Remove transitives from dependencies.

src/constants.ts

@@ -9,15 +9,12 @@ type RegistryEnv = typeof registryConstants.ENV
 type Constants = {
   readonly API_V0_URL: 'https://api.socket.dev/v0'
   readonly BABEL_RUNTIME: '@babel/runtime'
-  readonly CDXGEN: 'cdxgen'
-  readonly CYCLONEDX_CDXGEN: '@cyclonedx/cdxgen'
   readonly ENV: RegistryEnv & {
     UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: boolean
   }
   readonly DIST_TYPE: 'module-sync' | 'require'
   readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'
   readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'
-  readonly SYNP: 'synp'
   readonly UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: 'UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE'
   readonly cdxgenBinPath: string
   readonly distPath: string
@@ -40,11 +37,8 @@ const {
 
 const API_V0_URL = 'https://api.socket.dev/v0'
 const BABEL_RUNTIME = '@babel/runtime'
-const CDXGEN = 'cdxgen'
-const CYCLONEDX_CDXGEN = `@cyclonedx/${CDXGEN}`
 const NPM_REGISTRY_URL = 'https://registry.npmjs.org'
 const SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'
-const SYNP = 'synp'
 const UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE =
   'UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE'
 const ENV: Constants['ENV'] = Object.freeze({
@@ -60,9 +54,9 @@ const rootDistPath = path.join(rootPath, 'dist')
 const rootBinPath = path.join(rootPath, 'bin')
 const rootPkgJsonPath = path.join(rootPath, PACKAGE_JSON)
 const nmBinPath = path.join(rootPath, 'node_modules/.bin')
-const cdxgenBinPath = path.join(nmBinPath, CDXGEN)
+const cdxgenBinPath = path.join(nmBinPath, 'cdxgen')
 const shadowBinPath = path.join(rootPath, 'shadow-bin')
-const synpBinPath = path.join(nmBinPath, SYNP)
+const synpBinPath = path.join(nmBinPath, 'synp')
 
 const LAZY_DIST_TYPE = () =>
   registryConstants.SUPPORTS_NODE_REQUIRE_MODULE ? 'module-sync' : 'require'
@@ -73,14 +67,11 @@ const constants = <Constants>createConstantsObject(
   {
     API_V0_URL,
     BABEL_RUNTIME,
-    CDXGEN,
-    CYCLONEDX_CDXGEN,
     ENV,
     // Lazily defined values are initialized as `undefined` to keep their key order.
     DIST_TYPE: undefined,
     NPM_REGISTRY_URL,
     SOCKET_CLI_ISSUES_URL,
-    SYNP,
     UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE,
     cdxgenBinPath,
     distPath: undefined,