
feat: add Socket Firewall integration for secure package installation#1880

Open
MarshallOfSound wants to merge 4 commits into main from claude/slack-session-LrFFw

Conversation


@MarshallOfSound MarshallOfSound commented Apr 2, 2026

Summary

Integrates Socket Firewall into Electron Fiddle to protect against supply chain attacks when installing npm dependencies from fiddle gists. The sfw CLI is embedded with the app — no global install required.

When enabled (the default), package installations are routed through sfw, which scans packages during installation and blocks malicious dependencies before they can execute (e.g., node sfw.mjs npm install instead of npm install).

Slack thread: https://electronhq.slack.com/archives/C3ANJ97H6/p1775171094186889?thread_ts=1775164754.105949&cid=C3ANJ97H6

Key Changes

  • Embedded sfw CLI: The sfw npm package's bundled script (sfw.mjs) is copied into the webpack output via CopyPlugin, so it ships with the packaged app
  • Runtime resolution via getSfwPath() in src/main/npm.ts — resolves the embedded script path relative to __dirname and verifies it exists with fs.existsSync
  • Execution via system Node.js: Runs as node sfw.mjs npm install ... using the system node (not process.execPath, which is the Electron binary)
  • New UI toggle in Execution Settings for enabling/disabling Socket Firewall, with isUsingSocketFirewall persisted to localStorage (defaults to true)
  • Graceful fallback: If the embedded sfw script is missing, falls back to direct npm/yarn execution with a console warning
  • IPC plumbing: New NPM_IS_SFW_INSTALLED event, useSocketFirewall flag threaded through PMOperationOptions and the module installation pipeline
  • License attribution: THIRD_PARTY_NOTICES.md with the full PolyForm Shield License 1.0.0 text (for the sfw-free binary downloaded at runtime by the sfw wrapper)
  • Tests: Comprehensive coverage for getSfwPath(), getIsSfwInstalled(), and addModules() with sfw enabled/disabled/missing scenarios

Test plan

  • Verify sfw script is copied to webpack output during build
  • Run a fiddle with npm dependencies — confirm sfw wraps the install (check console output)
  • Disable Socket Firewall in Settings > Execution — confirm direct npm/yarn is used
  • Package the app and verify sfw works in the packaged build
  • Run yarn test — all npm.spec.ts tests pass

https://claude.ai/code/session_01K6g5VZoNQRGLr4stRvHEVw

claude added 2 commits April 2, 2026 23:14
Integrates Socket Firewall (https://github.com/SocketDev/sfw-free) to
protect against supply chain attacks when installing npm dependencies
from Fiddle gists.

Changes:
- Add `sfw` as a dependency for wrapping npm/yarn commands
- Add `isUsingSocketFirewall` setting (enabled by default)
- Modify `addModules` to use sfw when enabled and available
- Add IPC handler `NPM_IS_SFW_INSTALLED` to check sfw availability
- Add settings toggle in Execution settings panel
- Add comprehensive tests for sfw integration

When enabled, Fiddle runs `sfw npm install` instead of `npm install`,
which scans packages during installation and blocks malicious ones.
Falls back to direct npm/yarn if sfw is not installed on the system.

https://claude.ai/code/session_01K6g5VZoNQRGLr4stRvHEVw
The sfw npm wrapper is MIT licensed, but the sfw-free binary it
downloads at runtime is under the PolyForm Shield License 1.0.0.
Include the full license text to satisfy the Notices provision.

https://claude.ai/code/session_01K6g5VZoNQRGLr4stRvHEVw

socket-security bot commented Apr 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | npm/sfw@2.0.4 | 77 | 100 | 77 | 91 | 100 |

View full report


socket-security bot commented Apr 2, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | Medium | Low adoption: npm sfw |

Location: Package overview

From: package.json (npm/sfw@2.0.4)

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sfw@2.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


coveralls commented Apr 2, 2026

Coverage Status

coverage: 89.461% (-0.01%) from 89.475%
when pulling e03c60b on claude/slack-session-LrFFw
into 9030f27 on main.

Bundle the sfw CLI script (node_modules/sfw/dist/sfw.mjs) into the
webpack output via CopyPlugin so it ships with the packaged Electron
app. At runtime, resolve the embedded path and run it via the system
Node.js (`node sfw.mjs npm install ...`) rather than relying on a
globally installed `sfw` binary.

This means Socket Firewall works out of the box — users no longer
need to `npm install -g sfw`.

https://claude.ai/code/session_01K6g5VZoNQRGLr4stRvHEVw
@MarshallOfSound MarshallOfSound marked this pull request as ready for review April 2, 2026 23:34
@MarshallOfSound MarshallOfSound requested review from a team and codebytere as code owners April 2, 2026 23:34
@MarshallOfSound MarshallOfSound changed the title Add Socket Firewall integration for secure package installation feat: add Socket Firewall integration for secure package installation Apr 2, 2026
sfw.mjs reads ../package.json at runtime to populate its version string,
so the bundled layout must mirror node_modules/sfw/ (dist/sfw.mjs plus
a sibling package.json) — copying just sfw.mjs leaves it looking for
package.json one directory too high and crashes with ENOENT.

In packaged builds, sfw.mjs also has to live outside the asar archive
because system Node can't read asar. Mark .webpack/sfw/** as unpacked
and translate app.asar -> app.asar.unpacked when resolving the path.
The glob needs the explicit .webpack segment because minimatch's
globstar skips dot-prefixed directories by default.

Also update the settings copy now that sfw ships with the app.
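An added example (not Fiddle's own src/main/npm.ts and not code from the sfw project) that sketches in TypeScript the resolution and fallback logic described in the PR description and in the last commit message above: mirror the node_modules/sfw layout, translate app.asar to app.asar.unpacked, require the sibling package.json, and wrap npm/yarn in `node sfw.mjs`. The function names and the throwaway fixture layout are assumptions.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Layout mirrors node_modules/sfw/ so sfw.mjs can read ../package.json at runtime.
const SFW_SCRIPT = path.join('sfw', 'dist', 'sfw.mjs');
const SFW_PKG = path.join('sfw', 'package.json');

// System Node cannot open files inside app.asar, so point at the unpacked sibling.
export function toUnpacked(p: string): string {
  return p.replace(`app.asar${path.sep}`, `app.asar.unpacked${path.sep}`);
}

// Resolve the embedded script; null means "incomplete bundle, fall back to plain npm/yarn".
export function resolveSfwPath(webpackDir: string): string | null {
  const base = toUnpacked(webpackDir);
  const script = path.join(base, SFW_SCRIPT);
  // A lone sfw.mjs would crash with ENOENT looking for package.json, so require both files.
  return fs.existsSync(script) && fs.existsSync(path.join(base, SFW_PKG)) ? script : null;
}

export interface Invocation { command: string; args: string[] }

// Wrap the package manager in sfw when the toggle is on and the script exists.
export function buildInstallCommand(
  pm: 'npm' | 'yarn', pmArgs: string[], useSfw: boolean, webpackDir: string,
): Invocation {
  const sfw = useSfw ? resolveSfwPath(webpackDir) : null;
  if (useSfw && sfw === null) console.warn(`sfw script missing; running ${pm} directly`);
  // Plain `node`, not process.execPath: inside Electron that would be the Electron binary.
  return sfw ? { command: 'node', args: [sfw, pm, ...pmArgs] } : { command: pm, args: pmArgs };
}

// Constructed throwaway tree imitating the webpack output (assumed layout, not Fiddle's build).
// For a packaged build the files are written under app.asar.unpacked and the in-archive
// path is returned, which is what the main process would hand to resolveSfwPath.
export function makeFixture(withPkg: boolean, packaged: boolean): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'sfw-demo-'));
  const onDisk = path.join(root, packaged ? 'app.asar.unpacked' : '', '.webpack');
  fs.mkdirSync(path.join(onDisk, 'sfw', 'dist'), { recursive: true });
  fs.writeFileSync(path.join(onDisk, SFW_SCRIPT), '// constructed stand-in for sfw.mjs\n');
  if (withPkg) fs.writeFileSync(path.join(onDisk, SFW_PKG), '{"name":"sfw"}\n');
  return packaged ? path.join(root, 'app.asar', '.webpack') : onDisk;
}
```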