@coana-tech/cli 14.12.41 → 14.12.43

package/cli.mjs

@@ -207483,7 +207483,29 @@ import { existsSync as existsSync11 } from "fs";
 import { readFile as readFile16, writeFile as writeFile6 } from "fs/promises";
 function applyUpgradesToPackageJson(packageJsonContent, upgrades, rangeStyle) {
   let modifiedContent = packageJsonContent;
-  for (const upgrade of upgrades) {
+  for (const upgrade of sortUpgradesByOffset(upgrades)) {
+    if (upgrade.manifestRef?.start !== void 0 && upgrade.manifestRef?.end !== void 0) {
+      const { start, end: end2 } = upgrade.manifestRef;
+      const originalVersionString = modifiedContent.substring(start, end2);
+      let newVersionString;
+      if (rangeStyle === "pin") {
+        const quotedContent = originalVersionString.slice(1, -1);
+        if (quotedContent.startsWith("npm:") && quotedContent.includes("@")) {
+          const atIndex = quotedContent.lastIndexOf("@");
+          const packageRef = quotedContent.substring(0, atIndex + 1);
+          newVersionString = `"${packageRef}${upgrade.upgradeVersion}"`;
+        } else {
+          newVersionString = `"${upgrade.upgradeVersion}"`;
+        }
+      } else {
+        const quotedContent = originalVersionString.slice(1, -1);
+        const specifierMatch = quotedContent.match(/^([^\d]*)/);
+        const specifier = specifierMatch ? specifierMatch[1] : "";
+        newVersionString = `"${specifier}${upgrade.upgradeVersion}"`;
+      }
+      modifiedContent = modifiedContent.substring(0, start) + newVersionString + modifiedContent.substring(end2);
+      continue;
+    }
     const escapedPackageName = upgrade.packageName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
     const depSection = upgrade.isDev ? "devDependencies" : "dependencies";
     const pattern = new RegExp(`("${escapedPackageName}"\\s*:\\s*")([^"]*)"`, "g");
@@ -207603,10 +207625,12 @@ var NpmSocketUpgradeManager = class {
       const upgradesWithPackageNames = upgradesToDirectDependencies.map(
         (upgrade) => {
           const artifact = artifacts[upgrade.idx];
+          const manifestRef = artifact.manifestFiles?.find((manifest) => manifest.file === packageJsonPath);
           return {
             packageName: artifact.namespace ? `${artifact.namespace}/${artifact.name}` : artifact.name,
             upgradeVersion: upgrade.upgradeVersion,
-            isDev: artifact.dev ?? false
+            isDev: artifact.dev ?? false,
+            manifestRef
           };
         }
       );
@@ -207633,7 +207657,25 @@ function getPackageMangerForDirectory(directory) {
   } else if (existsSync11(join9(directory, "package-lock.json"))) {
     return "NPM";
   }
-  throw new Error("Upgrading packages is currently only supported for NPM projects using a lock file.");
+  throw new Error(
+    `Upgrading packages is currently only supported for NPM projects using a lock file. Failed to find a lock file in ${directory}`
+  );
+}
+function sortUpgradesByOffset(upgrades) {
+  return [...upgrades].sort((a4, b) => {
+    const aStart = a4.manifestRef?.start;
+    const bStart = b.manifestRef?.start;
+    if (aStart !== void 0 && bStart !== void 0) {
+      return bStart - aStart;
+    }
+    if (aStart !== void 0 && bStart === void 0) {
+      return -1;
+    }
+    if (aStart === void 0 && bStart !== void 0) {
+      return 1;
+    }
+    return 0;
+  });
 }
 
 // ../fixing-management/src/fixing-management/npm/rush-fixing-manager.ts
@@ -212347,362 +212389,995 @@ ${detailsString}` : ""}`;
   }
 };
 
-// dist/cli-core.js
-import { writeFileSync as writeFileSync3 } from "fs";
-import { mkdir as mkdir2, writeFile as writeFile10 } from "fs/promises";
-
-// ../../node_modules/.pnpm/kleur@4.1.5/node_modules/kleur/index.mjs
-var FORCE_COLOR;
-var NODE_DISABLE_COLORS;
-var NO_COLOR;
-var TERM;
-var isTTY = true;
-if (typeof process !== "undefined") {
-  ({ FORCE_COLOR, NODE_DISABLE_COLORS, NO_COLOR, TERM } = process.env || {});
-  isTTY = process.stdout && process.stdout.isTTY;
-}
-var $ = {
-  enabled: !NODE_DISABLE_COLORS && NO_COLOR == null && TERM !== "dumb" && (FORCE_COLOR != null && FORCE_COLOR !== "0" || isTTY),
-  // modifiers
-  reset: init(0, 0),
-  bold: init(1, 22),
-  dim: init(2, 22),
-  italic: init(3, 23),
-  underline: init(4, 24),
-  inverse: init(7, 27),
-  hidden: init(8, 28),
-  strikethrough: init(9, 29),
-  // colors
-  black: init(30, 39),
-  red: init(31, 39),
-  green: init(32, 39),
-  yellow: init(33, 39),
-  blue: init(34, 39),
-  magenta: init(35, 39),
-  cyan: init(36, 39),
-  white: init(37, 39),
-  gray: init(90, 39),
-  grey: init(90, 39),
-  // background colors
-  bgBlack: init(40, 49),
-  bgRed: init(41, 49),
-  bgGreen: init(42, 49),
-  bgYellow: init(43, 49),
-  bgBlue: init(44, 49),
-  bgMagenta: init(45, 49),
-  bgCyan: init(46, 49),
-  bgWhite: init(47, 49)
-};
-function run(arr, str) {
-  let i7 = 0, tmp, beg = "", end2 = "";
-  for (; i7 < arr.length; i7++) {
-    tmp = arr[i7];
-    beg += tmp.open;
-    end2 += tmp.close;
-    if (!!~str.indexOf(tmp.close)) {
-      str = str.replace(tmp.rgx, tmp.close + tmp.open);
+// ../utils/src/promise-queue.ts
+var PromiseQueue = class {
+  /*
+   * @param maxConcurrency The maximum number of tasks that can run in parallel.
+   * @param maxQueueLength The maximum number of tasks that can be queued. If the queue is full, the oldest task is removed.
+   */
+  constructor(maxConcurrency, maxQueueLength) {
+    this.maxConcurrency = maxConcurrency;
+    this.maxQueueLength = maxQueueLength;
+    if (maxQueueLength && maxQueueLength < 1) {
+      throw new Error("maxQueueLength must be at least 1");
     }
+    this.maxConcurrency = maxConcurrency;
   }
-  return beg + str + end2;
-}
-function chain(has2, keys) {
-  let ctx = { has: has2, keys };
-  ctx.reset = $.reset.bind(ctx);
-  ctx.bold = $.bold.bind(ctx);
-  ctx.dim = $.dim.bind(ctx);
-  ctx.italic = $.italic.bind(ctx);
-  ctx.underline = $.underline.bind(ctx);
-  ctx.inverse = $.inverse.bind(ctx);
-  ctx.hidden = $.hidden.bind(ctx);
-  ctx.strikethrough = $.strikethrough.bind(ctx);
-  ctx.black = $.black.bind(ctx);
-  ctx.red = $.red.bind(ctx);
-  ctx.green = $.green.bind(ctx);
-  ctx.yellow = $.yellow.bind(ctx);
-  ctx.blue = $.blue.bind(ctx);
-  ctx.magenta = $.magenta.bind(ctx);
-  ctx.cyan = $.cyan.bind(ctx);
-  ctx.white = $.white.bind(ctx);
-  ctx.gray = $.gray.bind(ctx);
-  ctx.grey = $.grey.bind(ctx);
-  ctx.bgBlack = $.bgBlack.bind(ctx);
-  ctx.bgRed = $.bgRed.bind(ctx);
-  ctx.bgGreen = $.bgGreen.bind(ctx);
-  ctx.bgYellow = $.bgYellow.bind(ctx);
-  ctx.bgBlue = $.bgBlue.bind(ctx);
-  ctx.bgMagenta = $.bgMagenta.bind(ctx);
-  ctx.bgCyan = $.bgCyan.bind(ctx);
-  ctx.bgWhite = $.bgWhite.bind(ctx);
-  return ctx;
-}
-function init(open, close) {
-  let blk = {
-    open: `\x1B[${open}m`,
-    close: `\x1B[${close}m`,
-    rgx: new RegExp(`\\x1b\\[${close}m`, "g")
-  };
-  return function(txt) {
-    if (this !== void 0 && this.has !== void 0) {
-      !!~this.has.indexOf(open) || (this.has.push(open), this.keys.push(blk));
-      return txt === void 0 ? this : $.enabled ? run(this.keys, txt + "") : txt + "";
+  queue = [];
+  activeTasks = 0;
+  idleResolver = null;
+  idleRejector = null;
+  error = null;
+  async runNextTask() {
+    if (this.activeTasks >= this.maxConcurrency) {
+      return;
+    }
+    const task = this.queue.shift();
+    if (task) {
+      this.activeTasks++;
+      try {
+        await task();
+      } catch (e) {
+        this.error = e;
+      } finally {
+        this.activeTasks--;
+        this.runNextTask();
+        this.checkIdle();
+      }
+    } else {
+      this.checkIdle();
     }
-    return txt === void 0 ? chain([open], [blk]) : $.enabled ? run([blk], txt + "") : txt + "";
-  };
-}
-var kleur_default = $;
-
-// ../../node_modules/.pnpm/yoctocolors@2.1.2/node_modules/yoctocolors/base.js
-import tty from "node:tty";
-var hasColors = tty?.WriteStream?.prototype?.hasColors?.() ?? false;
-var format5 = (open, close) => {
-  if (!hasColors) {
-    return (input) => input;
   }
-  const openCode = `\x1B[${open}m`;
-  const closeCode = `\x1B[${close}m`;
-  return (input) => {
-    const string = input + "";
-    let index2 = string.indexOf(closeCode);
-    if (index2 === -1) {
-      return openCode + string + closeCode;
+  checkIdle() {
+    if (!this.idleResolver || !this.idleRejector) return;
+    const shouldResolve = this.queue.length === 0 && this.activeTasks === 0;
+    if (this.error) this.idleRejector(this.error);
+    else if (shouldResolve) this.idleResolver();
+    const resolvedOrRejected = !!this.error || shouldResolve;
+    if (resolvedOrRejected) {
+      this.error = null;
+      this.idleResolver = null;
+      this.idleRejector = null;
     }
-    let result = openCode;
-    let lastIndex = 0;
-    const reopenOnNestedClose = close === 22;
-    const replaceCode = (reopenOnNestedClose ? closeCode : "") + openCode;
-    while (index2 !== -1) {
-      result += string.slice(lastIndex, index2) + replaceCode;
-      lastIndex = index2 + closeCode.length;
-      index2 = string.indexOf(closeCode, lastIndex);
+  }
+  enqueueTask(task) {
+    if (this.maxQueueLength && this.queue.length >= this.maxQueueLength) {
+      this.queue.shift();
     }
-    result += string.slice(lastIndex) + closeCode;
-    return result;
-  };
+    this.queue.push(task);
+    this.runNextTask();
+  }
+  async onIdle() {
+    return new Promise((resolve36, reject) => {
+      if (this.error) {
+        reject(this.error);
+        this.error = null;
+      } else if (this.queue.length === 0 && this.activeTasks === 0) {
+        resolve36();
+      } else {
+        this.idleResolver = resolve36;
+        this.idleRejector = reject;
+      }
+    });
+  }
 };
-var reset = format5(0, 0);
-var bold = format5(1, 22);
-var dim = format5(2, 22);
-var italic = format5(3, 23);
-var underline = format5(4, 24);
-var overline = format5(53, 55);
-var inverse = format5(7, 27);
-var hidden = format5(8, 28);
-var strikethrough = format5(9, 29);
-var black = format5(30, 39);
-var red = format5(31, 39);
-var green = format5(32, 39);
-var yellow = format5(33, 39);
-var blue = format5(34, 39);
-var magenta = format5(35, 39);
-var cyan = format5(36, 39);
-var white = format5(37, 39);
-var gray = format5(90, 39);
-var bgBlack = format5(40, 49);
-var bgRed = format5(41, 49);
-var bgGreen = format5(42, 49);
-var bgYellow = format5(43, 49);
-var bgBlue = format5(44, 49);
-var bgMagenta = format5(45, 49);
-var bgCyan = format5(46, 49);
-var bgWhite = format5(47, 49);
-var bgGray = format5(100, 49);
-var redBright = format5(91, 39);
-var greenBright = format5(92, 39);
-var yellowBright = format5(93, 39);
-var blueBright = format5(94, 39);
-var magentaBright = format5(95, 39);
-var cyanBright = format5(96, 39);
-var whiteBright = format5(97, 39);
-var bgRedBright = format5(101, 49);
-var bgGreenBright = format5(102, 49);
-var bgYellowBright = format5(103, 49);
-var bgBlueBright = format5(104, 49);
-var bgMagentaBright = format5(105, 49);
-var bgCyanBright = format5(106, 49);
-var bgWhiteBright = format5(107, 49);
 
-// dist/cli-core.js
-var import_lodash15 = __toESM(require_lodash(), 1);
-import os from "os";
-import { join as join26, relative as relative14, resolve as resolve33 } from "path";
+// dist/cli-upgrade-purl.js
+import { join as join25, relative as relative14, resolve as resolve32 } from "node:path";
 
-// ../utils/src/dashboard-api/shared-api.ts
-var DashboardAPI = class {
-  socketMode;
-  coanaAPI;
-  socketAPI;
-  disableAnalyticsSharing;
-  constructor(socketMode, disableAnalyticsSharing) {
-    this.socketMode = socketMode;
-    this.disableAnalyticsSharing = disableAnalyticsSharing;
-    this.coanaAPI = getCoanaAPI();
-    this.socketAPI = getSocketAPI();
-  }
-  async createReport(repoUrl, projectName, cliVersion, commitSha, branchName, cliOptions, apiKey, cliRunEnv) {
-    if (this.disableAnalyticsSharing) {
-      return;
-    }
-    if (this.socketMode) {
-      return (await this.socketAPI.createSocketTier1Scan(cliOptions, cliVersion)).tier1_reachability_scan_id;
-    } else {
-      return await this.coanaAPI.createCoanaReport(
-        repoUrl,
-        projectName,
-        cliVersion,
-        commitSha,
-        branchName,
-        cliOptions,
-        apiKey,
-        cliRunEnv
-      );
-    }
-  }
-  async sendErrorReport(apiKey, stackTrace, shouldLogSharing, reportId, repoUrl, projectName, logContent) {
-    if (this.disableAnalyticsSharing) {
-      return;
-    }
-    if (this.socketMode) {
-      await this.socketAPI.sendErrorReportToSocketDashboard(stackTrace, shouldLogSharing, reportId, logContent);
-    } else {
-      await this.coanaAPI.sendErrorReportToCoanaDashboard(
-        apiKey,
-        stackTrace,
-        shouldLogSharing,
-        reportId,
-        repoUrl,
-        projectName,
-        logContent
-      );
+// ../web-compat-utils/src/assertions.ts
+function assertDefined(value) {
+  if (value === void 0 || value === null) throw new Error("Expected value to be defined");
+  return value;
+}
+
+// dist/cli-upgrade-purl.js
+var import_packageurl_js3 = __toESM(require_packageurl_js(), 1);
+
+// dist/internal/socket-mode-helpers-socket-dependency-trees.js
+var import_packageurl_js2 = __toESM(require_packageurl_js(), 1);
+var import_picomatch4 = __toESM(require_picomatch2(), 1);
+import { basename as basename10, dirname as dirname13, join as join24, sep as sep5 } from "path";
+var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
+function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
+  switch (ecosystem) {
+    case "NPM": {
+      const base = basename10(manifestPath);
+      const dir = dirname13(manifestPath);
+      return base === "package.json" ? dir || "." : void 0;
     }
-  }
-  async registerSubprojects(subprojects, reportId, apiKey) {
-    if (this.disableAnalyticsSharing) {
-      return;
+    case "MAVEN": {
+      return ".";
     }
-    if (this.socketMode) {
-      await this.socketAPI.registerSubprojectsSocket(subprojects, reportId);
-    } else {
-      await this.coanaAPI.registerSubprojectsCoana(subprojects, reportId, apiKey);
+    case "PIP": {
+      const base = basename10(manifestPath);
+      const dir = dirname13(manifestPath);
+      const workspaceDir = dir === "" ? "." : dir;
+      if (properPythonProjects.includes(workspaceDir)) {
+        return workspaceDir;
+      }
+      if (base === "poetry.lock" || base === "Pipfile.lock" || base === "uv.lock") {
+        return workspaceDir;
+      }
+      if (base.endsWith(".txt")) {
+        const properProjectDirs = properPythonProjects.filter((properProjectDir) => (properProjectDir === "." || workspaceDir === "." || workspaceDir.startsWith(properProjectDir)) && workspaceDir.replace(properProjectDir, "").split(sep5).length <= REQUIREMENTS_FILES_SEARCH_DEPTH2);
+        const longestProperProjectDir = l5(properProjectDirs, [(d4) => d4.length, "desc"]);
+        if (longestProperProjectDir) {
+          return longestProperProjectDir;
+        }
+        return workspaceDir;
+      }
+      logger.warn(`No workspace found for manifest file ${manifestPath}`);
+      return void 0;
     }
-  }
-  async registerCLIProgress(cliProgressEvent, isStartEvent, reportId, apiKey) {
-    if (this.disableAnalyticsSharing) {
-      return;
+    case "NUGET": {
+      return ".";
     }
-    if (this.socketMode) {
-      await this.socketAPI.registerCLIProgressSocket(isStartEvent, cliProgressEvent, reportId);
-    } else {
-      await this.coanaAPI.registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey);
+    case "RUST": {
+      return dirname13(manifestPath) || ".";
     }
-  }
-  async registerAnalysisMetadata(subprojectPath, workspacePath, ecosystem, analysisMetadata, reportId, apiKey) {
-    if (this.disableAnalyticsSharing) {
-      return;
+    case "GO": {
+      const base = basename10(manifestPath);
+      const dir = dirname13(manifestPath);
+      return base === "go.mod" ? dir || "." : void 0;
     }
-    if (this.socketMode) {
-      await this.socketAPI.registerAnalysisMetadataSocket(
-        subprojectPath,
-        workspacePath,
-        ecosystem,
-        analysisMetadata,
-        reportId
-      );
-    } else {
-      await this.coanaAPI.registerAnalysisMetadataCoana(
-        subprojectPath,
-        workspacePath,
-        ecosystem,
-        analysisMetadata,
-        reportId,
-        apiKey
-      );
+    default: {
+      return ".";
     }
   }
-  async getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey) {
-    if (this.socketMode) {
-      return await this.socketAPI.getLatestBucketsSocket(subprojectPath, workspacePath);
-    } else {
-      return await this.coanaAPI.getBucketsForLastReport(
-        subprojectPath,
-        workspacePath,
-        ecosystem,
-        reportId,
-        apiKey
-      );
+}
+function inferProjectFromManifestPath(ecosystem, manifestPath) {
+  switch (ecosystem) {
+    case "NPM": {
+      const filename = basename10(manifestPath);
+      if (["package-lock.json", "pnpm-lock.yaml", "pnpm-lock.yml", "yarn.lock"].includes(filename)) {
+        return dirname13(manifestPath) || ".";
+      }
+      return void 0;
     }
   }
-};
-
-// ../utils/src/promise-queue.ts
-var PromiseQueue = class {
-  /*
-   * @param maxConcurrency The maximum number of tasks that can run in parallel.
-   * @param maxQueueLength The maximum number of tasks that can be queued. If the queue is full, the oldest task is removed.
-   */
-  constructor(maxConcurrency, maxQueueLength) {
-    this.maxConcurrency = maxConcurrency;
-    this.maxQueueLength = maxQueueLength;
-    if (maxQueueLength && maxQueueLength < 1) {
-      throw new Error("maxQueueLength must be at least 1");
+}
+function getAllToplevelAncestors(artifactMap, artifactId) {
+  const visited = /* @__PURE__ */ new Set();
+  const toplevelAncestors = /* @__PURE__ */ new Set();
+  function findAncestors(currentId) {
+    if (visited.has(currentId)) {
+      return;
     }
-    this.maxConcurrency = maxConcurrency;
-  }
-  queue = [];
-  activeTasks = 0;
-  idleResolver = null;
-  idleRejector = null;
-  error = null;
-  async runNextTask() {
-    if (this.activeTasks >= this.maxConcurrency) {
+    visited.add(currentId);
+    const artifact = artifactMap.get(currentId);
+    if (!artifact) {
       return;
     }
-    const task = this.queue.shift();
-    if (task) {
-      this.activeTasks++;
-      try {
-        await task();
-      } catch (e) {
-        this.error = e;
-      } finally {
-        this.activeTasks--;
-        this.runNextTask();
-        this.checkIdle();
+    if (artifact.toplevelAncestors && artifact.toplevelAncestors.length > 0) {
+      for (const ancestorId of artifact.toplevelAncestors) {
+        toplevelAncestors.add(ancestorId);
+        findAncestors(ancestorId);
       }
-    } else {
-      this.checkIdle();
     }
   }
-  checkIdle() {
-    if (!this.idleResolver || !this.idleRejector) return;
-    const shouldResolve = this.queue.length === 0 && this.activeTasks === 0;
-    if (this.error) this.idleRejector(this.error);
-    else if (shouldResolve) this.idleResolver();
-    const resolvedOrRejected = !!this.error || shouldResolve;
-    if (resolvedOrRejected) {
-      this.error = null;
-      this.idleResolver = null;
-      this.idleRejector = null;
+  findAncestors(artifactId);
+  return Array.from(toplevelAncestors);
+}
+async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash, mode) {
+  logger.info("Fetching artifacts from Socket backend using manifests tar hash", manifestsTarHash);
+  try {
+    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash);
+    const properPythonProjects = [];
+    const pipArtifactToRepresentativeManifest = {};
+    for (const artifact of artifacts) {
+      if (artifact.type === "pypi" && artifact.manifestFiles) {
+        pipArtifactToRepresentativeManifest[simplePurl(artifact.type, artifact.namespace ?? "", artifact.name, artifact.version ?? "")] = artifact;
+      }
     }
-  }
-  enqueueTask(task) {
-    if (this.maxQueueLength && this.queue.length >= this.maxQueueLength) {
-      this.queue.shift();
+    const venvExcludes = [
+      "venv",
+      ".venv",
+      "env",
+      ".env",
+      "virtualenv",
+      ".virtualenv",
+      "venvs",
+      ".venvs",
+      "envs",
+      ".envs",
+      "__pycache__",
+      ".tox",
+      ".nox",
+      ".pytest_cache",
+      "site-packages",
+      "dist-packages",
+      "conda-meta",
+      "conda-bld",
+      ".mypy_cache",
+      ".ruff_cache",
+      ".hypothesis"
+    ];
+    const allFiles = await getFilesRelative(rootWorkingDirectory, venvExcludes);
+    for (const file of allFiles) {
+      const base = basename10(file);
+      const workspaceDir = dirname13(file) || ".";
+      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(join24(rootWorkingDirectory, file))) {
+        if (!properPythonProjects.includes(workspaceDir)) {
+          properPythonProjects.push(workspaceDir);
+        }
+      }
+    }
+    const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
+    const ecosystemToWorkspaceToAnalysisData = {};
+    const ecosystemWorkspaceVulnIds = /* @__PURE__ */ new Set();
+    const ecosystemToWorkspaceToVulnerabilities = {};
+    const purlsFailedToFindWorkspace = /* @__PURE__ */ new Set();
+    for (const artifact of artifacts) {
+      let processToplevelAncestors2 = function(artifact2) {
+        const allAncestorIds = getAllToplevelAncestors(artifactMap, artifact2.id);
+        allAncestorIds.forEach((ancestorId) => artifactMap.get(ancestorId)?.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file)));
+      };
+      var processToplevelAncestors = processToplevelAncestors2;
+      const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
+      if (!ecosystem)
+        continue;
+      const manifestFiles = [];
+      switch (ecosystem) {
+        case "MAVEN": {
+          manifestFiles.push(...(await getFilesRelative(rootWorkingDirectory)).filter((file) => (0, import_picomatch4.default)("{{*-*.,}pom{.xml,},gradle.lockfile}")(basename10(file))));
+          break;
+        }
+        case "NUGET": {
+          manifestFiles.push(...(await getFilesRelative(rootWorkingDirectory)).filter((file) => (0, import_picomatch4.default)("{*.csproj,packages.lock.json}")(basename10(file))));
+          break;
+        }
+        case "PIP": {
+          const sPurl = simplePurl(artifact.type, artifact.namespace ?? "", artifact.name, artifact.version ?? "");
+          if (pipArtifactToRepresentativeManifest[sPurl]) {
+            manifestFiles.push(...(pipArtifactToRepresentativeManifest[sPurl].manifestFiles ?? []).map((ref) => ref.file));
+          }
+          processToplevelAncestors2(artifact);
+          break;
+        }
+        default: {
+          artifact.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file));
+          processToplevelAncestors2(artifact);
+          break;
+        }
+      }
+      const workspaceToManifestFiles = {};
+      manifestFiles.forEach((manifestFile) => {
+        const workspace = inferWorkspaceFromManifestPath(ecosystem, manifestFile, properPythonProjects);
+        if (!workspace)
+          return;
+        (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
+      });
+      if (Object.keys(workspaceToManifestFiles).length === 0) {
+        manifestFiles.forEach((manifestFile) => {
+          const workspace = inferProjectFromManifestPath(ecosystem, manifestFile);
+          if (!workspace)
+            return;
+          (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
+        });
+      }
+      if (Object.keys(workspaceToManifestFiles).length === 0 && artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
+        const purl = new import_packageurl_js2.PackageURL(artifact.type, artifact.namespace, artifact.name, artifact.version, artifact.qualifiers).toString();
+        purlsFailedToFindWorkspace.add(purl);
+      }
+      for (const [workspace, manifestFiles2] of Object.entries(workspaceToManifestFiles)) {
+        const workspaceData = (ecosystemToWorkspaceToAnalysisData[ecosystem] ??= {})[workspace] ??= {
+          type: "socket",
+          data: {
+            type: ecosystem,
+            manifestFiles: manifestFiles2,
+            artifacts: []
+          }
+        };
+        workspaceData.type;
+        workspaceData.data.artifacts.push(artifact);
+      }
+      if (artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
+        for (const workspace of Object.keys(workspaceToManifestFiles)) {
+          for (const vuln of artifact.vulnerabilities) {
+            const vulnerability = {
+              url: vuln.ghsaId,
+              purlType: artifact.type,
+              range: vuln.range,
+              name: artifact.name ?? "",
+              dependency: artifact.name ?? "",
+              vulnChainDetails: computeVulnChainDetails(artifacts, artifact.id),
+              vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
+              ecosystem,
+              artifactId: artifact.id
+            };
+            const vulnId = `${ecosystem}-${workspace}-${vulnerability.url}`;
+            if (!ecosystemWorkspaceVulnIds.has(vulnId)) {
+              ecosystemWorkspaceVulnIds.add(vulnId);
+              ((ecosystemToWorkspaceToVulnerabilities[ecosystem] ??= {})[workspace] ??= []).push(vulnerability);
+            }
+          }
+        }
+      }
+    }
+    if (purlsFailedToFindWorkspace.size > 0) {
+      logger.warn(`Failed to find workspace for the following purls with vulnerabilities: ${Array.from(purlsFailedToFindWorkspace).join(", ")}.
+${mode === "reachability" ? "This means that we will not do a full reachability analysis for these vulnerabilities, but fallback to the results from the pre-computed reachability analysis." : ""}`);
+    }
+    return {
+      artifacts,
+      ecosystemToWorkspaceToAnalysisData,
+      ecosystemToWorkspaceToVulnerabilities
+    };
+  } catch (error) {
+    logger.error("Failed to fetch artifacts from Socket backend", error);
+    throw error;
+  }
+}
+function computeVulnChainDetails(artifacts, vulnerableArtifactId) {
+  const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
+  const parentsMap = /* @__PURE__ */ new Map();
+  for (const artifact of artifacts) {
+    if (artifact.dependencies) {
+      for (const depId of artifact.dependencies) {
+        if (!parentsMap.has(depId)) {
+          parentsMap.set(depId, []);
+        }
+        parentsMap.get(depId).push(artifact.id);
+      }
+    }
+  }
+  const res = {
+    packageName: "root",
+    version: "0.0.0",
+    children: [],
+    transitiveDependencies: {}
+  };
+  function addNode(currentId, childId, visited) {
+    if (visited.has(currentId))
+      return;
+    const currentArtifact = artifactMap.get(currentId);
+    if (!currentArtifact)
+      return;
+    const parents4 = parentsMap.get(currentId);
+    const newCurrentNode = {
+      packageName: getNameFromNamespaceAndName(currentArtifact.type, currentArtifact.namespace, currentArtifact.name),
+      version: currentArtifact.version ?? void 0,
+      children: []
+    };
+    res.transitiveDependencies[currentId] = newCurrentNode;
+    if (childId && !newCurrentNode.children.includes(childId)) {
+      newCurrentNode.children.push(childId);
+    }
+    if (currentId === vulnerableArtifactId) {
+      newCurrentNode.vulnerable = true;
+    }
+    if (currentArtifact.direct && !res.children.includes(currentId)) {
+      res.children.push(currentId);
+    }
+    visited.add(currentId);
+    if (parents4) {
+      for (const parentId of parents4) {
+        addNode(parentId, currentId, visited);
+      }
+    }
+  }
+  addNode(vulnerableArtifactId, void 0, /* @__PURE__ */ new Set());
+  return res;
+}
+
+// dist/cli-upgrade-purl.js
+var ECOSYSTEMS_WITH_SOCKET_UPGRADES = ["NPM", "MAVEN", "NUGET", "GO", "RUST"];
+async function upgradePurl(rootDir, upgrades, options, logFile, cliFixRunId) {
+  if (options.rangeStyle && options.rangeStyle !== "pin") {
+    throw new Error('Range style must be "pin"');
+  }
+  logger.initWinstonLogger(options.debug);
+  logger.silent = options.silent;
+  let cliRunId = cliFixRunId;
+  if (!cliRunId && options.manifestsTarHash) {
+    cliRunId = await getSocketAPI().registerAutofixOrUpgradePurlRun(options.manifestsTarHash, options, "upgrade-purls");
+  }
+  const upgradePurlRunId = cliRunId && await getSocketAPI().registerUpgradePurlRun(cliRunId, upgrades);
+  Spinner.instance({
+    text: "Running Coana Upgrade Purl CLI",
+    isSilent: options.silentSpinner ?? options.silent
+  }).start();
+  try {
+    logger.info(`Upgrading purls for ${rootDir}: 
+${upgrades.map(({ purl, upgradeVersion }) => `	${prettyPrintPurlUpgrade(purl, upgradeVersion)}`).join("\n")}`);
+    if (options.manifestsTarHash) {
+      const { supportedUpgrades, unsupportedUpgrades } = upgrades.reduce((acc, upgrade) => {
+        const ecosystem = getAdvisoryEcosystemFromPurl(upgrade.purl);
+        const target = ECOSYSTEMS_WITH_SOCKET_UPGRADES.includes(ecosystem) ? "supportedUpgrades" : "unsupportedUpgrades";
+        acc[target].push(upgrade);
+        return acc;
+      }, { supportedUpgrades: [], unsupportedUpgrades: [] });
+      if (unsupportedUpgrades.length > 0) {
+        logger.warn(`The following upgrades are not supported due to missing support for upgrading their ecosystem: ${unsupportedUpgrades.map(({ purl, upgradeVersion }) => `	${prettyPrintPurlUpgrade(purl, upgradeVersion)}`).join("\n")}`);
+      }
+      if (supportedUpgrades.length === 0) {
+        return "fixed-none";
+      }
+      try {
+        const purlToUpgradeVersion = new Map(supportedUpgrades.map((upgrade) => [upgrade.purl, upgrade.upgradeVersion]));
+        const [manifestFiles, artifacts] = await Promise.all([
+          fetchManifestFilesFromManifestsTarHash(options.manifestsTarHash),
+          (await fetchArtifactsFromSocket(rootDir, options.manifestsTarHash, "upgrade-purls")).artifacts
+        ]);
+        const ecosystemToSocketArtifactUpgrades = /* @__PURE__ */ new Map();
+        artifacts.forEach((artifact, idx) => {
+          if (!artifact.name)
+            return;
+          if (!artifact.version)
+            return;
+          const purl = new import_packageurl_js3.PackageURL(artifact.type, artifact.namespace, artifact.name, artifact.version, artifact.qualifiers).toString();
+          const upgradeVersion = purlToUpgradeVersion.get(purl);
+          if (!upgradeVersion)
+            return;
+          const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
+          if (!ecosystemToSocketArtifactUpgrades.has(ecosystem)) {
+            ecosystemToSocketArtifactUpgrades.set(ecosystem, /* @__PURE__ */ new Map());
+          }
+          const currentUpgradeVersion = ecosystemToSocketArtifactUpgrades.get(ecosystem).get(idx);
+          if (currentUpgradeVersion === void 0) {
+            ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, upgradeVersion);
+          } else {
+            const versions = sortVersions(ecosystem, [artifact.version, currentUpgradeVersion, upgradeVersion]);
+            if (versionSatisfiesRelation(ecosystem, artifact.version, "=", versions[0])) {
+              ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, versions[versions.length - 1]);
+            } else if (versionSatisfiesRelation(ecosystem, artifact.version, "=", versions[versions.length - 1])) {
+              ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, versions[0]);
+            } else {
+              ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, versions[versions.length - 1]);
+            }
+          }
+        });
+        let anyErrors = false;
+        for (const [ecosystem, upgrades2] of ecosystemToSocketArtifactUpgrades) {
+          if (options.rangeStyle && !["NPM", "MAVEN", "NUGET", "RUST"].includes(ecosystem)) {
+            logger.warn(`Range style is not supported for ${ecosystem}, skipping upgrades`);
+            continue;
+          }
+          const statusUpdater = (update2) => {
+            const statusIcons = {
+              success: "\u2705",
+              skipped: "\u26AA",
+              warn: "\u26A0\uFE0F",
+              error: "\u274C"
+            };
+            logger.info(`${statusIcons[update2.status]} ${update2.message} \u2500 ${relative14(rootDir, resolve32(rootDir, update2.file))}`);
+            update2.artifacts.forEach((idx, i7) => {
+              logger.info(`${" ".repeat(3)}${i7 === update2.artifacts.length - 1 ? "\u2514\u2500" : "\u251C\u2500"} ${prettyPrintSocketFactArtifactUpgrade(artifacts[idx], upgrades2.get(idx))}`);
+            });
+            for (const detail of update2.details ?? []) {
+              logger.debug(detail);
+            }
+            if (update2.patch)
+              logger.debug(update2.patch);
+            if (update2.status === "error")
+              anyErrors = true;
+          };
+          const ctxt = {
+            manifestFiles,
+            upgrades: upgrades2,
+            artifacts,
+            rangeStyle: options.rangeStyle,
+            statusUpdater
+          };
+          await applySocketUpgrades(ecosystem, rootDir, ctxt);
+        }
+        if (upgradePurlRunId) {
+          await getSocketAPI().finalizeUpgradePurlRun(upgradePurlRunId, "succeeded");
+        }
+        return unsupportedUpgrades.length === 0 && !anyErrors ? "fixed-all" : "fixed-some";
+      } catch (error) {
+        if (upgradePurlRunId) {
+          await getSocketAPI().finalizeUpgradePurlRun(
+            upgradePurlRunId,
+            "error",
+            !cliFixRunId ? error.stack : void 0,
+            // do not send stack trace and logContent for computeFixes runs, as that will be handled by that command.
+            !cliFixRunId && logFile ? await logger.getLogContent(logFile) : void 0
+          );
+        }
+        throw error;
+      }
+    }
+    const otherModulesCommunicator = new OtherModulesCommunicator(rootDir, options, {
+      type: "missing"
+    });
+    const ecosystems = upgrades.map((upgrade) => getAdvisoryEcosystemFromPurl(upgrade.purl));
+    const manager = await ProjectManager.create(rootDir, otherModulesCommunicator, ecosystems);
+    const { reachabilitySupport, traditionalScaSupport } = manager.getSubprojectsWithWorkspacePaths();
+    const supportedSubprojects = reachabilitySupport.concat(traditionalScaSupport).filter((p3) => getPackageManagerSupport(p3.packageManagerName).supportsApplyingFixes);
+    if (supportedSubprojects.length === 0) {
+      throw new Error(`No supported projects found in ${rootDir}.`);
+    }
+    const subprojectPromiseQueue = new PromiseQueue(Number(options.concurrency));
+    supportedSubprojects.forEach((subproject) => {
+      subprojectPromiseQueue.enqueueTask(async () => {
+        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => minimatch(join25(subproject.subprojectPath, wsPath), options.globPattern ?? "**"));
+        if (workspacePathsMatchingGlob.length === 0)
+          return;
+        logger.info(`Found workspaces for subproject ${subproject.subprojectPath}${options.globPattern ? `matching glob ${options.globPattern}` : ""}:
+${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
+        const fixingData = await otherModulesCommunicator.getFixingData(subproject.packageManagerName, subproject.subprojectPath, workspacePathsMatchingGlob);
+        const workspaceToFixes = {};
+        Object.entries(fixingData.dependencyTrees).forEach(([wsPath, depTree]) => {
+          const vulnerabilityFixes = [];
+          const simplePurlToDepId = getPurlStrings(depTree);
+          upgrades.forEach((upgrade) => {
+            const purl = import_packageurl_js3.PackageURL.fromString(upgrade.purl);
+            if (purl.version === void 0)
+              throw Error(`Undefined version for purl ${upgrade.purl}`);
+            const simplePurl2 = `pkg:${purl.type}/${purl.namespace ? `${purl.namespace}/` : ""}${purl.name}${purl.version ? `@${purl.version}` : ""}`;
+            for (const depIdMatchingPurl of simplePurlToDepId[simplePurl2] ?? []) {
+              const node = depTree.transitiveDependencies[depIdMatchingPurl];
+              if (!node)
+                throw Error("should not happen!");
+              vulnerabilityFixes.push({
+                dependencyName: node.packageName,
+                currentVersion: assertDefined(node.version),
+                dependencyIdentifier: depIdMatchingPurl,
+                fixedVersion: upgrade.upgradeVersion
+              });
+            }
+          });
+          if (vulnerabilityFixes.length === 0)
+            return;
+          logger.info(`Found ${vulnerabilityFixes.length} ${vulnerabilityFixes.length === 1 ? "dependency" : "dependencies"} matching upgrade specs for ${join25(subproject.subprojectPath, wsPath)}`);
+          workspaceToFixes[wsPath] = [
+            {
+              fixId: "dummy",
+              vulnerabilityFixes
+            }
+          ];
+        });
+        if (Object.entries(workspaceToFixes).length === 0) {
+          logger.info(`No dependencies matching upgrade specs found for subproject ${subproject.subprojectPath}`);
+          return;
+        }
+        await applySecurityFixes(subproject.packageManagerName, rootDir, relative14(rootDir, subproject.subprojectPath) || ".", otherModulesCommunicator, workspaceToFixes, fixingData, signalFixApplied);
+      });
+    });
+    await subprojectPromiseQueue.onIdle();
+  } finally {
+    Spinner.instance().stop();
+  }
+}
+var signalFixApplied = (_fixId, subprojectPath, workspacePath, vulnerabilityFixes) => {
+  logger.info(`Successfully upgraded purls for: ${join25(subprojectPath, workspacePath)}`);
+  logger.info(`Upgraded: 
+${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVersion} to ${fix.fixedVersion}`).join("\n")}`);
+};
+
+// dist/cli-compute-fixes-and-upgrade-purls.js
+async function computeFixesAndUpgradePurls(path2, options, logFile) {
+  const autofixRunId = options.manifestsTarHash && await getSocketAPI().registerAutofixOrUpgradePurlRun(options.manifestsTarHash, options, "autofix");
+  const { artifacts, ghsaToVulnerableArtifactIds } = await computeInputForComputingFixes(path2, options);
+  if (Object.keys(ghsaToVulnerableArtifactIds).length === 0) {
+    logger.info("No vulnerabilities to compute fixes for");
+    return { type: "no-vulnerabilities-found" };
+  }
+  if (options.applyFixesTo.length === 0) {
+    logger.info("Vulnerabilities found:", Object.keys(ghsaToVulnerableArtifactIds).join(", "));
+    logger.info("Run again with --apply-fixes-to GHSA_IDS to fix those vulnerabilities by computing packages to upgrade and apply them");
+    return { type: "no-ghsas-fix-requested", ghsas: Object.keys(ghsaToVulnerableArtifactIds) };
+  }
+  const ghsaToVulnerableArtifactIdsToApply = options.applyFixesTo.includes("all") ? ghsaToVulnerableArtifactIds : Object.fromEntries(Object.entries(ghsaToVulnerableArtifactIds).filter(([ghsa]) => options.applyFixesTo.includes(ghsa)));
+  const computedFix = await useSocketComputeFixEndpoint(autofixRunId, artifacts, ghsaToVulnerableArtifactIdsToApply, {
+    noMajorUpdates: options.disableMajorUpdates,
+    minimumReleaseAgeInMinutes: options.minimumReleaseAgeInMinutes
+  });
+  if (computedFix.type !== "success") {
+    throw new Error(`No fix found for the given vulnerabilities`);
+  }
+  const ghsasFailedToFix = Object.keys(ghsaToVulnerableArtifactIdsToApply).filter((ghsa) => {
+    const artifactIds = ghsaToVulnerableArtifactIdsToApply[ghsa];
+    if (!artifactIds)
+      return false;
+    return artifactIds.some((artifactId) => computedFix.ghsaToResult[ghsa].failedArtifacts?.includes(artifactId));
+  });
+  if (ghsasFailedToFix.length > 0) {
+    logger.info("Failed to compute fixes for the following vulnerabilities:");
+  }
+  for (const ghsa of ghsasFailedToFix) {
+    logger.info(`  - ${ghsa} (${ghsaToVulnerableArtifactIdsToApply[ghsa].map((id) => simplePurl(artifacts[id].type, artifacts[id].namespace ?? null, artifacts[id].name ?? "", artifacts[id].version ?? null)).join(", ")})`);
+  }
+  const fixesFound = Object.entries(computedFix.ghsaToResult).filter(([_, result]) => result.failedArtifacts === void 0 || result.failedArtifacts.length === 0);
+  if (options.onlyDirectDependencyUpgrades) {
+    return computeDirectDependencyUpgrades(artifacts, fixesFound);
+  }
+  const combinedFixes = fixesFound.flatMap(([_, result]) => result.fixes);
+  if (options.dryRun) {
+    logger.info("Fixes found:");
+    for (const [ghsa, result] of fixesFound) {
+      logger.info(`  - ${ghsa}:`);
+      for (const fix of result.fixes) {
+        logger.info(`    - ${fix.purl} -> ${fix.fixedVersion}`);
+      }
+    }
+    return {
+      type: "dry-run-result",
+      fixes: Object.fromEntries(fixesFound.map(([ghsa, result]) => [ghsa, result.fixes])),
+      ...ghsasFailedToFix.length > 0 && { failedToFix: ghsasFailedToFix }
+    };
+  }
+  if (combinedFixes.length === 0) {
+    if (autofixRunId) {
+      await getSocketAPI().finalizeAutofixRun(autofixRunId, "fixed-none");
+    }
+    throw new Error("Failed to find a fix for the given vulnerabilities");
+  }
+  try {
+    const applyFixesStatus = await upgradePurl(path2, T3(combinedFixes, (fix) => `${fix.purl}${fix.fixedVersion}`).map((fix) => ({
+      purl: fix.purl,
+      upgradeVersion: fix.fixedVersion
+    })), {
+      debug: options.debug,
+      silent: options.silent,
+      runWithoutDocker: options.runWithoutDocker,
+      manifestsTarHash: options.manifestsTarHash,
+      concurrency: "1",
+      globPattern: options.globPattern,
+      rangeStyle: options.rangeStyle
+    }, void 0, autofixRunId) ?? "fixed-all";
+    if (autofixRunId) {
+      await getSocketAPI().finalizeAutofixRun(autofixRunId, ghsasFailedToFix.length === 0 && applyFixesStatus === "fixed-all" ? "fixed-all" : ghsasFailedToFix.length === Object.keys(ghsaToVulnerableArtifactIdsToApply).length || applyFixesStatus === "fixed-none" ? "fixed-none" : "fixed-some");
+    }
+    return {
+      type: "applied-fixes",
+      fixes: Object.fromEntries(fixesFound.map(([ghsa, result]) => [ghsa, result.fixes]))
+    };
+  } catch (error) {
+    if (autofixRunId) {
+      await getSocketAPI().finalizeAutofixRun(autofixRunId, "error", error.stack, await logger.getLogContent(logFile));
+    }
+    logger.error("Error applying fixes:", error);
+    throw error;
+  }
+}
+async function computeInputForComputingFixes(path2, options) {
+  if (options.manifestsTarHash) {
+    const { artifacts } = await fetchArtifactsFromSocket(path2, options.manifestsTarHash, "autofix");
+    const ghsaToVulnerableArtifactIds = {};
+    for (const [index2, artifact] of artifacts.entries()) {
+      if (!artifact.vulnerabilities)
+        continue;
+      for (const vulnerability of artifact.vulnerabilities) {
+        if (!(ghsaToVulnerableArtifactIds[vulnerability.ghsaId] ??= []).includes(index2)) {
+          ghsaToVulnerableArtifactIds[vulnerability.ghsaId].push(index2);
+        }
+      }
+    }
+    const sbomTaskArtifacts = artifacts.map((artifact) => ({
+      type: artifact.type,
+      name: artifact.name ?? "",
+      version: artifact.version ?? "",
+      namespace: artifact.namespace ?? void 0,
+      adj: artifact.dependencies?.map((dep) => artifacts.findIndex((a4) => a4.id === dep)) ?? [],
+      direct: artifact.direct,
+      topLevelAncestors: artifact.toplevelAncestors?.map((ancestor) => artifacts.findIndex((a4) => a4.id === ancestor)) ?? []
+    }));
+    return { artifacts: sbomTaskArtifacts, ghsaToVulnerableArtifactIds };
+  }
+  throw new Error("Fixes are only supported when using --manifests-tar-hash");
+}
+async function computeDirectDependencyUpgrades(artifacts, fixesFound) {
+  const purlToArtifact = Object.fromEntries(artifacts.map((a4) => [simplePurl(a4.type, a4.namespace ?? null, a4.name ?? "", a4.version ?? null), a4]));
+  const packageFixes = {};
+  for (const [ghsa, result2] of fixesFound) {
+    const directUpdates = {};
+    for (const directFix of result2.fixes.filter((fix) => purlToArtifact[fix.purl]?.direct)) {
+      directUpdates[directFix.purl] = { fixedVersion: directFix.fixedVersion };
+    }
+    const directUpdatePurls = Object.keys(directUpdates);
+    for (const indirectFix of result2.fixes.filter((fix) => !purlToArtifact[fix.purl]?.direct)) {
+      const directDependencies = purlToArtifact[indirectFix.purl]?.topLevelAncestors;
+      for (const directDependency of directDependencies) {
+        const artifact = artifacts[directDependency];
+        const purl = simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? "", artifact.version ?? null);
+        if (directUpdatePurls.includes(purl))
+          continue;
+        if (directUpdates[purl]) {
+          (directUpdates[purl].transitiveFixes ??= []).push(indirectFix);
+        } else {
+          directUpdates[purl] = { transitiveFixes: [indirectFix] };
+        }
+        directUpdates[purl] = { transitiveFixes: [indirectFix] };
+      }
+    }
+    packageFixes[ghsa] = {
+      directDependencies: Object.entries(directUpdates).map(([purl, update2]) => ({ purl, ...update2 }))
+    };
+  }
+  const result = {
+    type: "only-direct-dependency-upgrades",
+    fixes: packageFixes
+  };
+  logger.info("Affected direct dependencies and upgrades to fix (--show-affected-direct-dependencies does not apply the upgrades):", JSON.stringify(result, null, 2));
+  return result;
+}
+
+// dist/cli-core.js
+import { writeFileSync as writeFileSync3 } from "fs";
+import { mkdir as mkdir2, writeFile as writeFile10 } from "fs/promises";
+
+// ../../node_modules/.pnpm/kleur@4.1.5/node_modules/kleur/index.mjs
+var FORCE_COLOR;
+var NODE_DISABLE_COLORS;
+var NO_COLOR;
+var TERM;
+var isTTY = true;
+if (typeof process !== "undefined") {
+  ({ FORCE_COLOR, NODE_DISABLE_COLORS, NO_COLOR, TERM } = process.env || {});
+  isTTY = process.stdout && process.stdout.isTTY;
+}
+var $ = {
+  enabled: !NODE_DISABLE_COLORS && NO_COLOR == null && TERM !== "dumb" && (FORCE_COLOR != null && FORCE_COLOR !== "0" || isTTY),
+  // modifiers
+  reset: init(0, 0),
+  bold: init(1, 22),
+  dim: init(2, 22),
+  italic: init(3, 23),
+  underline: init(4, 24),
+  inverse: init(7, 27),
+  hidden: init(8, 28),
+  strikethrough: init(9, 29),
+  // colors
+  black: init(30, 39),
+  red: init(31, 39),
+  green: init(32, 39),
+  yellow: init(33, 39),
+  blue: init(34, 39),
+  magenta: init(35, 39),
+  cyan: init(36, 39),
+  white: init(37, 39),
+  gray: init(90, 39),
+  grey: init(90, 39),
+  // background colors
+  bgBlack: init(40, 49),
+  bgRed: init(41, 49),
+  bgGreen: init(42, 49),
+  bgYellow: init(43, 49),
+  bgBlue: init(44, 49),
+  bgMagenta: init(45, 49),
+  bgCyan: init(46, 49),
+  bgWhite: init(47, 49)
+};
+function run(arr, str) {
+  let i7 = 0, tmp, beg = "", end2 = "";
+  for (; i7 < arr.length; i7++) {
+    tmp = arr[i7];
+    beg += tmp.open;
+    end2 += tmp.close;
+    if (!!~str.indexOf(tmp.close)) {
+      str = str.replace(tmp.rgx, tmp.close + tmp.open);
+    }
+  }
+  return beg + str + end2;
+}
+function chain(has2, keys) {
+  let ctx = { has: has2, keys };
+  ctx.reset = $.reset.bind(ctx);
+  ctx.bold = $.bold.bind(ctx);
+  ctx.dim = $.dim.bind(ctx);
+  ctx.italic = $.italic.bind(ctx);
+  ctx.underline = $.underline.bind(ctx);
+  ctx.inverse = $.inverse.bind(ctx);
+  ctx.hidden = $.hidden.bind(ctx);
+  ctx.strikethrough = $.strikethrough.bind(ctx);
+  ctx.black = $.black.bind(ctx);
+  ctx.red = $.red.bind(ctx);
+  ctx.green = $.green.bind(ctx);
+  ctx.yellow = $.yellow.bind(ctx);
+  ctx.blue = $.blue.bind(ctx);
+  ctx.magenta = $.magenta.bind(ctx);
+  ctx.cyan = $.cyan.bind(ctx);
+  ctx.white = $.white.bind(ctx);
+  ctx.gray = $.gray.bind(ctx);
+  ctx.grey = $.grey.bind(ctx);
+  ctx.bgBlack = $.bgBlack.bind(ctx);
+  ctx.bgRed = $.bgRed.bind(ctx);
+  ctx.bgGreen = $.bgGreen.bind(ctx);
+  ctx.bgYellow = $.bgYellow.bind(ctx);
+  ctx.bgBlue = $.bgBlue.bind(ctx);
+  ctx.bgMagenta = $.bgMagenta.bind(ctx);
+  ctx.bgCyan = $.bgCyan.bind(ctx);
+  ctx.bgWhite = $.bgWhite.bind(ctx);
+  return ctx;
+}
+function init(open, close) {
+  let blk = {
+    open: `\x1B[${open}m`,
+    close: `\x1B[${close}m`,
+    rgx: new RegExp(`\\x1b\\[${close}m`, "g")
+  };
+  return function(txt) {
+    if (this !== void 0 && this.has !== void 0) {
+      !!~this.has.indexOf(open) || (this.has.push(open), this.keys.push(blk));
+      return txt === void 0 ? this : $.enabled ? run(this.keys, txt + "") : txt + "";
+    }
+    return txt === void 0 ? chain([open], [blk]) : $.enabled ? run([blk], txt + "") : txt + "";
+  };
+}
+var kleur_default = $;
+
+// ../../node_modules/.pnpm/yoctocolors@2.1.2/node_modules/yoctocolors/base.js
+import tty from "node:tty";
+var hasColors = tty?.WriteStream?.prototype?.hasColors?.() ?? false;
+var format5 = (open, close) => {
+  if (!hasColors) {
+    return (input) => input;
+  }
+  const openCode = `\x1B[${open}m`;
+  const closeCode = `\x1B[${close}m`;
+  return (input) => {
+    const string = input + "";
+    let index2 = string.indexOf(closeCode);
+    if (index2 === -1) {
+      return openCode + string + closeCode;
+    }
+    let result = openCode;
+    let lastIndex = 0;
+    const reopenOnNestedClose = close === 22;
+    const replaceCode = (reopenOnNestedClose ? closeCode : "") + openCode;
+    while (index2 !== -1) {
+      result += string.slice(lastIndex, index2) + replaceCode;
+      lastIndex = index2 + closeCode.length;
+      index2 = string.indexOf(closeCode, lastIndex);
+    }
+    result += string.slice(lastIndex) + closeCode;
+    return result;
+  };
+};
+var reset = format5(0, 0);
+var bold = format5(1, 22);
+var dim = format5(2, 22);
+var italic = format5(3, 23);
+var underline = format5(4, 24);
+var overline = format5(53, 55);
+var inverse = format5(7, 27);
+var hidden = format5(8, 28);
+var strikethrough = format5(9, 29);
+var black = format5(30, 39);
+var red = format5(31, 39);
+var green = format5(32, 39);
+var yellow = format5(33, 39);
+var blue = format5(34, 39);
+var magenta = format5(35, 39);
+var cyan = format5(36, 39);
+var white = format5(37, 39);
+var gray = format5(90, 39);
+var bgBlack = format5(40, 49);
+var bgRed = format5(41, 49);
+var bgGreen = format5(42, 49);
+var bgYellow = format5(43, 49);
+var bgBlue = format5(44, 49);
+var bgMagenta = format5(45, 49);
+var bgCyan = format5(46, 49);
+var bgWhite = format5(47, 49);
+var bgGray = format5(100, 49);
+var redBright = format5(91, 39);
+var greenBright = format5(92, 39);
+var yellowBright = format5(93, 39);
+var blueBright = format5(94, 39);
+var magentaBright = format5(95, 39);
+var cyanBright = format5(96, 39);
+var whiteBright = format5(97, 39);
+var bgRedBright = format5(101, 49);
+var bgGreenBright = format5(102, 49);
+var bgYellowBright = format5(103, 49);
+var bgBlueBright = format5(104, 49);
+var bgMagentaBright = format5(105, 49);
+var bgCyanBright = format5(106, 49);
+var bgWhiteBright = format5(107, 49);
+
+// dist/cli-core.js
+var import_lodash15 = __toESM(require_lodash(), 1);
+import os from "os";
+import { join as join27, relative as relative15, resolve as resolve34 } from "path";
+
+// ../utils/src/dashboard-api/shared-api.ts
+var DashboardAPI = class {
+  socketMode;
+  coanaAPI;
+  socketAPI;
+  disableAnalyticsSharing;
+  constructor(socketMode, disableAnalyticsSharing) {
+    this.socketMode = socketMode;
+    this.disableAnalyticsSharing = disableAnalyticsSharing;
+    this.coanaAPI = getCoanaAPI();
+    this.socketAPI = getSocketAPI();
+  }
+  async createReport(repoUrl, projectName, cliVersion, commitSha, branchName, cliOptions, apiKey, cliRunEnv) {
+    if (this.disableAnalyticsSharing) {
+      return;
+    }
+    if (this.socketMode) {
+      return (await this.socketAPI.createSocketTier1Scan(cliOptions, cliVersion)).tier1_reachability_scan_id;
+    } else {
+      return await this.coanaAPI.createCoanaReport(
+        repoUrl,
+        projectName,
+        cliVersion,
+        commitSha,
+        branchName,
+        cliOptions,
+        apiKey,
+        cliRunEnv
+      );
     }
-    this.queue.push(task);
-    this.runNextTask();
   }
-  async onIdle() {
-    return new Promise((resolve36, reject) => {
-      if (this.error) {
-        reject(this.error);
-        this.error = null;
-      } else if (this.queue.length === 0 && this.activeTasks === 0) {
-        resolve36();
-      } else {
-        this.idleResolver = resolve36;
-        this.idleRejector = reject;
-      }
-    });
+  async sendErrorReport(apiKey, stackTrace, shouldLogSharing, reportId, repoUrl, projectName, logContent) {
+    if (this.disableAnalyticsSharing) {
+      return;
+    }
+    if (this.socketMode) {
+      await this.socketAPI.sendErrorReportToSocketDashboard(stackTrace, shouldLogSharing, reportId, logContent);
+    } else {
+      await this.coanaAPI.sendErrorReportToCoanaDashboard(
+        apiKey,
+        stackTrace,
+        shouldLogSharing,
+        reportId,
+        repoUrl,
+        projectName,
+        logContent
+      );
+    }
+  }
+  async registerSubprojects(subprojects, reportId, apiKey) {
+    if (this.disableAnalyticsSharing) {
+      return;
+    }
+    if (this.socketMode) {
+      await this.socketAPI.registerSubprojectsSocket(subprojects, reportId);
+    } else {
+      await this.coanaAPI.registerSubprojectsCoana(subprojects, reportId, apiKey);
+    }
+  }
+  async registerCLIProgress(cliProgressEvent, isStartEvent, reportId, apiKey) {
+    if (this.disableAnalyticsSharing) {
+      return;
+    }
+    if (this.socketMode) {
+      await this.socketAPI.registerCLIProgressSocket(isStartEvent, cliProgressEvent, reportId);
+    } else {
+      await this.coanaAPI.registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey);
+    }
+  }
+  async registerAnalysisMetadata(subprojectPath, workspacePath, ecosystem, analysisMetadata, reportId, apiKey) {
+    if (this.disableAnalyticsSharing) {
+      return;
+    }
+    if (this.socketMode) {
+      await this.socketAPI.registerAnalysisMetadataSocket(
+        subprojectPath,
+        workspacePath,
+        ecosystem,
+        analysisMetadata,
+        reportId
+      );
+    } else {
+      await this.coanaAPI.registerAnalysisMetadataCoana(
+        subprojectPath,
+        workspacePath,
+        ecosystem,
+        analysisMetadata,
+        reportId,
+        apiKey
+      );
+    }
+  }
+  async getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey) {
+    if (this.socketMode) {
+      return await this.socketAPI.getLatestBucketsSocket(subprojectPath, workspacePath);
+    } else {
+      return await this.coanaAPI.getBucketsForLastReport(
+        subprojectPath,
+        workspacePath,
+        ecosystem,
+        reportId,
+        apiKey
+      );
+    }
   }
 };
 
@@ -212845,13 +213520,13 @@ var DEFAULT_REPORT_FILENAME_BASE = "coana-report";
 // dist/internal/exclude-dirs-from-configuration-files.js
 import { existsSync as existsSync20 } from "fs";
 import { readFile as readFile27 } from "fs/promises";
-import { basename as basename10, resolve as resolve32 } from "path";
+import { basename as basename11, resolve as resolve33 } from "path";
 var import_yaml2 = __toESM(require_dist11(), 1);
 async function inferExcludeDirsFromConfigurationFiles(rootWorkingDir) {
-  const socketYmlConfigFile = resolve32(rootWorkingDir, "socket.yml");
+  const socketYmlConfigFile = resolve33(rootWorkingDir, "socket.yml");
   if (existsSync20(socketYmlConfigFile))
     return inferExcludeDirsFromSocketConfig(socketYmlConfigFile);
-  const socketYamlConfigFile = resolve32(rootWorkingDir, "socket.yaml");
+  const socketYamlConfigFile = resolve33(rootWorkingDir, "socket.yaml");
   if (existsSync20(socketYamlConfigFile))
     return inferExcludeDirsFromSocketConfig(socketYamlConfigFile);
   return void 0;
@@ -212865,398 +213540,111 @@ async function inferExcludeDirsFromSocketConfig(socketConfigFile) {
       return void 0;
     if (ignorePaths.some((ignorePath) => ignorePath.includes("!")))
       return void 0;
-    logger.info(`Inferring paths to exclude based on Socket config file: ${basename10(socketConfigFile)}`);
-    return config3.projectIgnorePaths;
-  } catch (e) {
-    return void 0;
-  }
-}
-
-// dist/internal/socket-mode-helpers-coana-dependency-trees.js
-var ROOT_IDENTIFIER = "ROOT";
-async function scanForVulnerabilitiesSocketMode(dependencyTree) {
-  if (!dependencyTree.ecosystem)
-    dependencyTree.ecosystem = "NPM";
-  const purlStringsToIdentifier = getPurlStrings(dependencyTree);
-  const components = await augmentArtifactsWithVulnerabilities(Object.keys(purlStringsToIdentifier).map((purl) => ({ purl })));
-  const parentsMap = /* @__PURE__ */ new Map();
-  for (const [depId, node] of [
-    ...Object.entries(dependencyTree.transitiveDependencies),
-    [ROOT_IDENTIFIER, dependencyTree]
-  ]) {
-    for (const childId of node.dependencies ?? []) {
-      if (!parentsMap.has(childId)) {
-        parentsMap.set(childId, []);
-      }
-      parentsMap.get(childId).push(depId);
-    }
-  }
-  const vulnerabilities = [];
-  const dependencyIdentifiersNotFound = new Set(Object.keys(dependencyTree.transitiveDependencies));
-  for (const c3 of components) {
-    let simplePurlForComponent = simplePurl(c3.purl_type, c3.namespace, c3.name, c3.version);
-    if (!(simplePurlForComponent in purlStringsToIdentifier))
-      simplePurlForComponent = simplePurl(c3.purl_type, c3.namespace, c3.name, null);
-    const dependencyIdentifiers = purlStringsToIdentifier[simplePurlForComponent];
-    for (const dependencyIdentifier of dependencyIdentifiers) {
-      dependencyIdentifiersNotFound.delete(dependencyIdentifier);
-      const dependencyTreeNode = dependencyTree.transitiveDependencies[dependencyIdentifier];
-      if (!dependencyTreeNode)
-        throw new Error(`Dependency tree does not contain dependency ${simplePurlForComponent}`);
-      dependencyTreeNode.purlObj = {
-        type: c3.purl_type,
-        namespace: c3.namespace ?? void 0,
-        name: c3.name,
-        version: c3.version ?? void 0,
-        subpath: c3.subpath ?? void 0,
-        artifactId: c3.artifactId ?? void 0,
-        artifact_id: c3.artifact_id ?? void 0,
-        qualifiers: c3.qualifiers ?? void 0,
-        purlString: c3.purl
-      };
-      for (const vulnerability of c3.vulnerabilities) {
-        vulnerabilities.push({
-          url: vulnerability.ghsaId,
-          purl: c3.purl,
-          purlType: c3.purl_type,
-          range: vulnerability.range,
-          name: dependencyTreeNode.packageName,
-          dependency: dependencyTreeNode.packageName,
-          vulnChainDetails: computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap),
-          vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern ?? null,
-          ecosystem: dependencyTree.ecosystem
-        });
-      }
-    }
-  }
-  for (const dependencyIdentifier of dependencyIdentifiersNotFound) {
-    logger.warn(`Dependency ${dependencyIdentifier} not found in Socket mode`, dependencyTree.transitiveDependencies[dependencyIdentifier]);
-  }
-  return vulnerabilities;
-}
-function computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap) {
-  const res = {
-    packageName: "root",
-    version: "0.0.0",
-    children: [],
-    transitiveDependencies: {}
-  };
-  function addNode(currentIdentifier, childIdentifier, visited) {
-    if (visited.has(currentIdentifier))
-      return;
-    const parents4 = parentsMap.get(currentIdentifier);
-    const newCurrentNode = transformToVulnChainNode(dependencyTree.transitiveDependencies[currentIdentifier]);
-    res.transitiveDependencies[currentIdentifier] = newCurrentNode;
-    if (childIdentifier && !newCurrentNode.children.includes(childIdentifier))
-      newCurrentNode.children.push(childIdentifier);
-    if (!childIdentifier)
-      newCurrentNode.vulnerable = true;
-    if (!parents4)
-      return res;
-    visited.add(currentIdentifier);
-    for (const parent2 of parents4) {
-      if (parent2 === ROOT_IDENTIFIER)
-        res.children.push(currentIdentifier);
-      else
-        addNode(parent2, currentIdentifier, visited);
-    }
-  }
-  addNode(dependencyIdentifier, void 0, /* @__PURE__ */ new Set());
-  return res;
-}
-function transformToVulnChainNode(dependencyTree) {
-  return {
-    ...a3(dependencyTree, ["packageName", "version"]),
-    children: []
-  };
-}
-
-// dist/internal/socket-mode-helpers-socket-dependency-trees.js
-var import_packageurl_js2 = __toESM(require_packageurl_js(), 1);
-var import_picomatch4 = __toESM(require_picomatch2(), 1);
-import { basename as basename11, dirname as dirname13, join as join24, sep as sep5 } from "path";
-var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
-function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
-  switch (ecosystem) {
-    case "NPM": {
-      const base = basename11(manifestPath);
-      const dir = dirname13(manifestPath);
-      return base === "package.json" ? dir || "." : void 0;
-    }
-    case "MAVEN": {
-      return ".";
-    }
-    case "PIP": {
-      const base = basename11(manifestPath);
-      const dir = dirname13(manifestPath);
-      const workspaceDir = dir === "" ? "." : dir;
-      if (properPythonProjects.includes(workspaceDir)) {
-        return workspaceDir;
-      }
-      if (base === "poetry.lock" || base === "Pipfile.lock" || base === "uv.lock") {
-        return workspaceDir;
-      }
-      if (base.endsWith(".txt")) {
-        const properProjectDirs = properPythonProjects.filter((properProjectDir) => (properProjectDir === "." || workspaceDir === "." || workspaceDir.startsWith(properProjectDir)) && workspaceDir.replace(properProjectDir, "").split(sep5).length <= REQUIREMENTS_FILES_SEARCH_DEPTH2);
-        const longestProperProjectDir = l5(properProjectDirs, [(d4) => d4.length, "desc"]);
-        if (longestProperProjectDir) {
-          return longestProperProjectDir;
-        }
-        return workspaceDir;
-      }
-      logger.warn(`No workspace found for manifest file ${manifestPath}`);
-      return void 0;
-    }
-    case "NUGET": {
-      return ".";
-    }
-    case "RUST": {
-      return dirname13(manifestPath) || ".";
-    }
-    case "GO": {
-      const base = basename11(manifestPath);
-      const dir = dirname13(manifestPath);
-      return base === "go.mod" ? dir || "." : void 0;
-    }
-    default: {
-      return ".";
-    }
-  }
-}
-function inferProjectFromManifestPath(ecosystem, manifestPath) {
-  switch (ecosystem) {
-    case "NPM": {
-      const filename = basename11(manifestPath);
-      if (["package-lock.json", "pnpm-lock.yaml", "pnpm-lock.yml", "yarn.lock"].includes(filename)) {
-        return dirname13(manifestPath) || ".";
-      }
-      return void 0;
-    }
+    logger.info(`Inferring paths to exclude based on Socket config file: ${basename11(socketConfigFile)}`);
+    return config3.projectIgnorePaths;
+  } catch (e) {
+    return void 0;
   }
 }
-function getAllToplevelAncestors(artifactMap, artifactId) {
-  const visited = /* @__PURE__ */ new Set();
-  const toplevelAncestors = /* @__PURE__ */ new Set();
-  function findAncestors(currentId) {
-    if (visited.has(currentId)) {
-      return;
-    }
-    visited.add(currentId);
-    const artifact = artifactMap.get(currentId);
-    if (!artifact) {
-      return;
-    }
-    if (artifact.toplevelAncestors && artifact.toplevelAncestors.length > 0) {
-      for (const ancestorId of artifact.toplevelAncestors) {
-        toplevelAncestors.add(ancestorId);
-        findAncestors(ancestorId);
+
+// dist/internal/socket-mode-helpers-coana-dependency-trees.js
+var ROOT_IDENTIFIER = "ROOT";
+async function scanForVulnerabilitiesSocketMode(dependencyTree) {
+  if (!dependencyTree.ecosystem)
+    dependencyTree.ecosystem = "NPM";
+  const purlStringsToIdentifier = getPurlStrings(dependencyTree);
+  const components = await augmentArtifactsWithVulnerabilities(Object.keys(purlStringsToIdentifier).map((purl) => ({ purl })));
+  const parentsMap = /* @__PURE__ */ new Map();
+  for (const [depId, node] of [
+    ...Object.entries(dependencyTree.transitiveDependencies),
+    [ROOT_IDENTIFIER, dependencyTree]
+  ]) {
+    for (const childId of node.dependencies ?? []) {
+      if (!parentsMap.has(childId)) {
+        parentsMap.set(childId, []);
       }
+      parentsMap.get(childId).push(depId);
     }
   }
-  findAncestors(artifactId);
-  return Array.from(toplevelAncestors);
-}
-async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash, mode) {
-  logger.info("Fetching artifacts from Socket backend using manifests tar hash", manifestsTarHash);
-  try {
-    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash);
-    const properPythonProjects = [];
-    const pipArtifactToRepresentativeManifest = {};
-    for (const artifact of artifacts) {
-      if (artifact.type === "pypi" && artifact.manifestFiles) {
-        pipArtifactToRepresentativeManifest[simplePurl(artifact.type, artifact.namespace ?? "", artifact.name, artifact.version ?? "")] = artifact;
-      }
-    }
-    const venvExcludes = [
-      "venv",
-      ".venv",
-      "env",
-      ".env",
-      "virtualenv",
-      ".virtualenv",
-      "venvs",
-      ".venvs",
-      "envs",
-      ".envs",
-      "__pycache__",
-      ".tox",
-      ".nox",
-      ".pytest_cache",
-      "site-packages",
-      "dist-packages",
-      "conda-meta",
-      "conda-bld",
-      ".mypy_cache",
-      ".ruff_cache",
-      ".hypothesis"
-    ];
-    const allFiles = await getFilesRelative(rootWorkingDirectory, venvExcludes);
-    for (const file of allFiles) {
-      const base = basename11(file);
-      const workspaceDir = dirname13(file) || ".";
-      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(join24(rootWorkingDirectory, file))) {
-        if (!properPythonProjects.includes(workspaceDir)) {
-          properPythonProjects.push(workspaceDir);
-        }
-      }
-    }
-    const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
-    const ecosystemToWorkspaceToAnalysisData = {};
-    const ecosystemWorkspaceVulnIds = /* @__PURE__ */ new Set();
-    const ecosystemToWorkspaceToVulnerabilities = {};
-    const purlsFailedToFindWorkspace = /* @__PURE__ */ new Set();
-    for (const artifact of artifacts) {
-      let processToplevelAncestors2 = function(artifact2) {
-        const allAncestorIds = getAllToplevelAncestors(artifactMap, artifact2.id);
-        allAncestorIds.forEach((ancestorId) => artifactMap.get(ancestorId)?.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file)));
+  const vulnerabilities = [];
+  const dependencyIdentifiersNotFound = new Set(Object.keys(dependencyTree.transitiveDependencies));
+  for (const c3 of components) {
+    let simplePurlForComponent = simplePurl(c3.purl_type, c3.namespace, c3.name, c3.version);
+    if (!(simplePurlForComponent in purlStringsToIdentifier))
+      simplePurlForComponent = simplePurl(c3.purl_type, c3.namespace, c3.name, null);
+    const dependencyIdentifiers = purlStringsToIdentifier[simplePurlForComponent];
+    for (const dependencyIdentifier of dependencyIdentifiers) {
+      dependencyIdentifiersNotFound.delete(dependencyIdentifier);
+      const dependencyTreeNode = dependencyTree.transitiveDependencies[dependencyIdentifier];
+      if (!dependencyTreeNode)
+        throw new Error(`Dependency tree does not contain dependency ${simplePurlForComponent}`);
+      dependencyTreeNode.purlObj = {
+        type: c3.purl_type,
+        namespace: c3.namespace ?? void 0,
+        name: c3.name,
+        version: c3.version ?? void 0,
+        subpath: c3.subpath ?? void 0,
+        artifactId: c3.artifactId ?? void 0,
+        artifact_id: c3.artifact_id ?? void 0,
+        qualifiers: c3.qualifiers ?? void 0,
+        purlString: c3.purl
       };
-      var processToplevelAncestors = processToplevelAncestors2;
-      const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
-      if (!ecosystem)
-        continue;
-      const manifestFiles = [];
-      switch (ecosystem) {
-        case "MAVEN": {
-          manifestFiles.push(...(await getFilesRelative(rootWorkingDirectory)).filter((file) => (0, import_picomatch4.default)("{{*-*.,}pom{.xml,},gradle.lockfile}")(basename11(file))));
-          break;
-        }
-        case "NUGET": {
-          manifestFiles.push(...(await getFilesRelative(rootWorkingDirectory)).filter((file) => (0, import_picomatch4.default)("{*.csproj,packages.lock.json}")(basename11(file))));
-          break;
-        }
-        case "PIP": {
-          const sPurl = simplePurl(artifact.type, artifact.namespace ?? "", artifact.name, artifact.version ?? "");
-          if (pipArtifactToRepresentativeManifest[sPurl]) {
-            manifestFiles.push(...(pipArtifactToRepresentativeManifest[sPurl].manifestFiles ?? []).map((ref) => ref.file));
-          }
-          processToplevelAncestors2(artifact);
-          break;
-        }
-        default: {
-          artifact.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file));
-          processToplevelAncestors2(artifact);
-          break;
-        }
-      }
-      const workspaceToManifestFiles = {};
-      manifestFiles.forEach((manifestFile) => {
-        const workspace = inferWorkspaceFromManifestPath(ecosystem, manifestFile, properPythonProjects);
-        if (!workspace)
-          return;
-        (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
-      });
-      if (Object.keys(workspaceToManifestFiles).length === 0) {
-        manifestFiles.forEach((manifestFile) => {
-          const workspace = inferProjectFromManifestPath(ecosystem, manifestFile);
-          if (!workspace)
-            return;
-          (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
+      for (const vulnerability of c3.vulnerabilities) {
+        vulnerabilities.push({
+          url: vulnerability.ghsaId,
+          purl: c3.purl,
+          purlType: c3.purl_type,
+          range: vulnerability.range,
+          name: dependencyTreeNode.packageName,
+          dependency: dependencyTreeNode.packageName,
+          vulnChainDetails: computeVulnChainDetails2(dependencyTree, dependencyIdentifier, parentsMap),
+          vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern ?? null,
+          ecosystem: dependencyTree.ecosystem
         });
       }
-      if (Object.keys(workspaceToManifestFiles).length === 0 && artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
-        const purl = new import_packageurl_js2.PackageURL(artifact.type, artifact.namespace, artifact.name, artifact.version, artifact.qualifiers).toString();
-        purlsFailedToFindWorkspace.add(purl);
-      }
-      for (const [workspace, manifestFiles2] of Object.entries(workspaceToManifestFiles)) {
-        const workspaceData = (ecosystemToWorkspaceToAnalysisData[ecosystem] ??= {})[workspace] ??= {
-          type: "socket",
-          data: {
-            type: ecosystem,
-            manifestFiles: manifestFiles2,
-            artifacts: []
-          }
-        };
-        workspaceData.type;
-        workspaceData.data.artifacts.push(artifact);
-      }
-      if (artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
-        for (const workspace of Object.keys(workspaceToManifestFiles)) {
-          for (const vuln of artifact.vulnerabilities) {
-            const vulnerability = {
-              url: vuln.ghsaId,
-              purlType: artifact.type,
-              range: vuln.range,
-              name: artifact.name ?? "",
-              dependency: artifact.name ?? "",
-              vulnChainDetails: computeVulnChainDetails2(artifacts, artifact.id),
-              vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
-              ecosystem,
-              artifactId: artifact.id
-            };
-            const vulnId = `${ecosystem}-${workspace}-${vulnerability.url}`;
-            if (!ecosystemWorkspaceVulnIds.has(vulnId)) {
-              ecosystemWorkspaceVulnIds.add(vulnId);
-              ((ecosystemToWorkspaceToVulnerabilities[ecosystem] ??= {})[workspace] ??= []).push(vulnerability);
-            }
-          }
-        }
-      }
     }
-    if (purlsFailedToFindWorkspace.size > 0) {
-      logger.warn(`Failed to find workspace for the following purls with vulnerabilities: ${Array.from(purlsFailedToFindWorkspace).join(", ")}.
-${mode === "reachability" ? "This means that we will not do a full reachability analysis for these vulnerabilities, but fallback to the results from the pre-computed reachability analysis." : ""}`);
-    }
-    return {
-      artifacts,
-      ecosystemToWorkspaceToAnalysisData,
-      ecosystemToWorkspaceToVulnerabilities
-    };
-  } catch (error) {
-    logger.error("Failed to fetch artifacts from Socket backend", error);
-    throw error;
   }
-}
-function computeVulnChainDetails2(artifacts, vulnerableArtifactId) {
-  const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
-  const parentsMap = /* @__PURE__ */ new Map();
-  for (const artifact of artifacts) {
-    if (artifact.dependencies) {
-      for (const depId of artifact.dependencies) {
-        if (!parentsMap.has(depId)) {
-          parentsMap.set(depId, []);
-        }
-        parentsMap.get(depId).push(artifact.id);
-      }
-    }
+  for (const dependencyIdentifier of dependencyIdentifiersNotFound) {
+    logger.warn(`Dependency ${dependencyIdentifier} not found in Socket mode`, dependencyTree.transitiveDependencies[dependencyIdentifier]);
   }
+  return vulnerabilities;
+}
+function computeVulnChainDetails2(dependencyTree, dependencyIdentifier, parentsMap) {
   const res = {
     packageName: "root",
     version: "0.0.0",
     children: [],
     transitiveDependencies: {}
   };
-  function addNode(currentId, childId, visited) {
-    if (visited.has(currentId))
-      return;
-    const currentArtifact = artifactMap.get(currentId);
-    if (!currentArtifact)
+  function addNode(currentIdentifier, childIdentifier, visited) {
+    if (visited.has(currentIdentifier))
       return;
-    const parents4 = parentsMap.get(currentId);
-    const newCurrentNode = {
-      packageName: getNameFromNamespaceAndName(currentArtifact.type, currentArtifact.namespace, currentArtifact.name),
-      version: currentArtifact.version ?? void 0,
-      children: []
-    };
-    res.transitiveDependencies[currentId] = newCurrentNode;
-    if (childId && !newCurrentNode.children.includes(childId)) {
-      newCurrentNode.children.push(childId);
-    }
-    if (currentId === vulnerableArtifactId) {
-      newCurrentNode.vulnerable = true;
-    }
-    if (currentArtifact.direct && !res.children.includes(currentId)) {
-      res.children.push(currentId);
-    }
-    visited.add(currentId);
-    if (parents4) {
-      for (const parentId of parents4) {
-        addNode(parentId, currentId, visited);
-      }
+    const parents4 = parentsMap.get(currentIdentifier);
+    const newCurrentNode = transformToVulnChainNode(dependencyTree.transitiveDependencies[currentIdentifier]);
+    res.transitiveDependencies[currentIdentifier] = newCurrentNode;
+    if (childIdentifier && !newCurrentNode.children.includes(childIdentifier))
+      newCurrentNode.children.push(childIdentifier);
+    if (!childIdentifier)
+      newCurrentNode.vulnerable = true;
+    if (!parents4)
+      return res;
+    visited.add(currentIdentifier);
+    for (const parent2 of parents4) {
+      if (parent2 === ROOT_IDENTIFIER)
+        res.children.push(currentIdentifier);
+      else
+        addNode(parent2, currentIdentifier, visited);
     }
   }
-  addNode(vulnerableArtifactId, void 0, /* @__PURE__ */ new Set());
+  addNode(dependencyIdentifier, void 0, /* @__PURE__ */ new Set());
   return res;
 }
+function transformToVulnChainNode(dependencyTree) {
+  return {
+    ...a3(dependencyTree, ["packageName", "version"]),
+    children: []
+  };
+}
 
 // dist/internal/socket-report-coana-dependency-tree.js
 var MAX_STACKS_TO_SEND = 10;
@@ -226948,7 +227336,7 @@ var { root: root2 } = static_exports;
 // ../utils/src/maven-utils.ts
 var import_lodash14 = __toESM(require_lodash(), 1);
 import { existsSync as existsSync21, readdirSync as readdirSync4, statSync as statSync3 } from "fs";
-import { join as join25 } from "path";
+import { join as join26 } from "path";
 var { memoize: memoize3 } = import_lodash14.default;
 var memoizedParseShellArgs = memoize3(parseShellArgs);
 var MAVEN_PUBLIC_REPOSITORIES = [
@@ -227631,12 +228019,6 @@ var InMemoryVulnerabilityMetadataStore = class {
   }
 };
 
-// ../web-compat-utils/src/assertions.ts
-function assertDefined(value) {
-  if (value === void 0 || value === null) throw new Error("Expected value to be defined");
-  return value;
-}
-
 // ../security-auditor/security-auditor-api/src/fixes-task.ts
 var MESSAGE_PREFIX_FOR_FAILED_TO_PICK_VERSION = `Failed to pick a version`;
 var MESSAGE_PREFIX_FOR_NO_POTENTIAL_VERSIONS = `No potential versions`;
@@ -228319,7 +228701,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.12.41";
+var version2 = "14.12.43";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -228349,7 +228731,7 @@ var CliCore = class {
         throw new Error("Invalid analysis timeout value");
       }
     }
-    this.rootWorkingDirectory = resolve33(rootWorkingDirectory);
+    this.rootWorkingDirectory = resolve34(rootWorkingDirectory);
     this.spinner = Spinner.instance({
       text: "Running Coana CLI",
       isSilent: this.options.silentSpinner ?? this.options.silent
@@ -228424,7 +228806,7 @@ var CliCore = class {
     }
   }
   async main() {
-    this.coanaLogPath = join26(await createTmpDirectory("coana-cli-"), "coana-log.txt");
+    this.coanaLogPath = join27(await createTmpDirectory("coana-cli-"), "coana-log.txt");
     logger.initWinstonLogger(this.options.debug, this.coanaLogPath);
     logger.silent = this.options.silent;
     try {
@@ -228522,7 +228904,7 @@ var CliCore = class {
       this.sendProgress("RUN_ON_SUBPROJECT", false, this.rootWorkingDirectory);
     }
     const socketReport = toSocketFactsSocketDependencyTree(artifacts, vulnsWithResults, this.reportId);
-    const outputFile = resolve33(this.options.socketMode);
+    const outputFile = resolve34(this.options.socketMode);
     await writeFile10(outputFile, JSON.stringify(socketReport, null, 2));
     logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
   }
@@ -228540,13 +228922,13 @@ var CliCore = class {
         throw new Error("Dependency trees should be available when using --socket-mode");
       }
       const socketReport = toSocketFacts(report, this.reportDependencyTrees, subPjToWsPathToDirectDependencies);
-      const outputFile = resolve33(this.options.socketMode);
+      const outputFile = resolve34(this.options.socketMode);
       await writeFile10(outputFile, JSON.stringify(socketReport, null, 2));
       logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
       return;
     }
     if (outputDir) {
-      const jsonReportPath = resolve33(outputDir, `${DEFAULT_REPORT_FILENAME_BASE}.json`);
+      const jsonReportPath = resolve34(outputDir, `${DEFAULT_REPORT_FILENAME_BASE}.json`);
       await mkdir2(outputDir, { recursive: true });
       writeFileSync3(jsonReportPath, JSON.stringify(report, null, 2));
       logger.info(kleur_default.green(`JSON report written to: ${jsonReportPath}`));
@@ -228584,7 +228966,7 @@ var CliCore = class {
     const { reachabilitySupport, traditionalScaSupport, noSupport } = manager.getSubprojectsWithWorkspacePaths();
     await this.dashboardAPI.registerSubprojects([...reachabilitySupport, ...traditionalScaSupport, ...noSupport].map((sp) => ({
       ...sp,
-      subprojectPath: relative14(this.rootWorkingDirectory, sp.subprojectPath) || "."
+      subprojectPath: relative15(this.rootWorkingDirectory, sp.subprojectPath) || "."
     })), this.reportId, this.apiKey);
     for (const unsupported of noSupport)
       logger.warn(unsupported.unsupportedMsg);
@@ -228613,7 +228995,7 @@ var CliCore = class {
           await this.spinner.succeed();
         } catch (error) {
           if (this.options.ignoreFailingWorkspaces) {
-            const relativeSubprojectPath = relative14(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
+            const relativeSubprojectPath = relative15(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
             this.failedSubprojects.push({
               subproject: relativeSubprojectPath,
               error: error.message || "Unknown error"
@@ -228672,7 +229054,7 @@ Subproject: ${subproject}`);
   }
   async updateSpinnerTextOnNewSubproject(subprojectAndWsPath, numberSubprojects, index2) {
     this.spinner.start();
-    const relativeSubprojectPath = relative14(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
+    const relativeSubprojectPath = relative15(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
     await this.spinner.setText(numberSubprojects > 1 ? `Processing subproject ${relativeSubprojectPath} (${index2 + 1}/${numberSubprojects})${+this.options.concurrency > 1 ? `. May process up to ${+this.options.concurrency - 1} other workspaces in parallel` : ""}` : `Processing ${relativeSubprojectPath}`);
   }
   async initialize() {
@@ -228750,7 +229132,7 @@ Subproject: ${subproject}`);
         return workspaceToAugmentedVulnerabilities[workspacePath] !== void 0;
       }).map((workspacePath) => {
         return {
-          subprojectPath: relative14(this.rootWorkingDirectory, subprojectPath) || ".",
+          subprojectPath: relative15(this.rootWorkingDirectory, subprojectPath) || ".",
           workspacePath,
           directDependencies: projectInfo[workspacePath].dataForAnalysis.directDependenciesMap ?? {},
           vulnerabilities: workspaceToAugmentedVulnerabilities[workspacePath],
@@ -228849,7 +229231,7 @@ Subproject: ${subproject}`);
       excludeDirs: this.options.excludeDirs ?? [],
       changedFiles: this.options.changedFiles,
       includeDirs: this.options.includeDirs ?? []
-    }, resolve33(subprojectPath, workspacePath));
+    }, resolve34(subprojectPath, workspacePath));
     if (shouldExcludeWorkspaceForAnalysis) {
       logger.info(`Skipping reachability analysis for workspace ${workspacePath} due to it being excluded.`);
     }
@@ -228880,7 +229262,7 @@ Subproject: ${subproject}`);
   async sendProgress(type, isStartEvent, subprojectPath, workspacePath) {
     await this.dashboardAPI.registerCLIProgress({
       type,
-      ...subprojectPath ? { subprojectPath: relative14(this.rootWorkingDirectory, subprojectPath) || "." } : {},
+      ...subprojectPath ? { subprojectPath: relative15(this.rootWorkingDirectory, subprojectPath) || "." } : {},
       ...workspacePath ? { workspacePath } : {}
     }, isStartEvent, this.reportId, this.apiKey);
   }
@@ -228919,471 +229301,108 @@ Subproject: ${subproject}`);
         artifactId: v.artifactId
       };
     });
-  }
-  async getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subProjAndWsPath) {
-    const { packageManagerName, subprojectPath, workspacePaths } = subProjAndWsPath;
-    this.sendProgress("RUN_ON_SUBPROJECT", true, subprojectPath);
-    const rootWorkingDirectory = this.rootWorkingDirectory;
-    this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", true, subprojectPath);
-    const projectInfo = await otherModulesCommunicator.prepareProjectAndGetProjectData(packageManagerName, subprojectPath, workspacePaths, this.options.lightweightReachability, this.options.providerProject ? await this.runOnProvider(this.options.providerProject) : void 0);
-    this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", false, subprojectPath);
-    const workspaceToPlainDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
-      workspacePath,
-      toPlainDependencyTree(projectInfo[workspacePath].dataForAnalysis.data.dependencyTree)
-    ]));
-    const dependencyTrees = workspacePaths.map((workspacePath) => ({
-      treeType: "v1",
-      dependencyTree: workspaceToPlainDependencyTree[workspacePath],
-      ecosystem: workspaceToPlainDependencyTree[workspacePath].ecosystem ?? "NPM",
-      workspacePath,
-      subprojectPath: relative14(rootWorkingDirectory, subprojectPath) || "."
-    }));
-    if (this.options.socketMode) {
-      this.reportDependencyTrees = workspacePaths.map((workspacePath) => ({
-        treeType: "v1",
-        dependencyTree: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree,
-        ecosystem: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree.ecosystem ?? "NPM",
-        workspacePath,
-        subprojectPath: relative14(rootWorkingDirectory, subprojectPath) || "."
-      }));
-    }
-    if (this.shareWithDashboard)
-      sendDependencyTreesToDashboard(dependencyTrees, this.reportId, this.apiKey);
-    const workspaceToVulnerabilities = Object.fromEntries(await asyncMap(workspacePaths, async (workspacePath, idx) => this.spinner.wrap(`Scanning for vulnerabilities: (${subProjAndWsPath.packageManagerName}) (${idx + 1}/${workspacePaths.length}) ${workspacePath}`, async () => {
-      const dependencyTree = projectInfo[workspacePath].dataForAnalysis.data.dependencyTree;
-      this.sendProgress("SCAN_FOR_VULNERABILITIES", true, subprojectPath, workspacePath);
-      try {
-        return [
-          workspacePath,
-          this.options.socketMode ? await scanForVulnerabilitiesSocketMode(projectInfo[workspacePath].dataForAnalysis.data.dependencyTree) : (await scanForVulnerabilities(dependencyTree, this.options.offlineDatabase, this.apiKey, Number(this.options.timeout))).vulnerabilities
-        ];
-      } catch (e) {
-        logger.error(`Scanning for vulnerabilities failed for subproject ${subprojectPath} in workspace ${workspacePath}`);
-        if (this.options.ignoreFailingWorkspaces) {
-          const relativeSubprojectPath = relative14(this.rootWorkingDirectory, subprojectPath) || ".";
-          this.failedWorkspaces.push({
-            subproject: relativeSubprojectPath,
-            workspace: workspacePath,
-            error: e.message || "Unknown error",
-            phase: "vulnerability-scanning"
-          });
-          return [workspacePath, void 0];
-        }
-        throw e;
-      } finally {
-        this.sendProgress("SCAN_FOR_VULNERABILITIES", false, subprojectPath, workspacePath);
-      }
-    })));
-    const successfulWorkspaceToVulnerabilities = Object.fromEntries(Object.entries(workspaceToVulnerabilities).filter(([_, vulns]) => vulns !== void 0));
-    return { projectInfo, workspaceToVulnerabilities: successfulWorkspaceToVulnerabilities };
-  }
-};
-function getRelativeSubprojectPath(subprojectPath, projectDir) {
-  return relative14(projectDir, subprojectPath) || ".";
-}
-function getDependencyType(vulnChainDetails, codeAwareScanResults, directDependencies, reachability) {
-  if (reachability === "UNREACHABLE" || reachability === "UNKNOWN") {
-    return getDependencyTypeForUnreachableVulnerability(vulnChainDetails, directDependencies);
-  }
-  if (codeAwareScanResults.type === "noAnalysisCheck") {
-    const affectedPackages = [
-      "",
-      ...Object.values(vulnChainDetails?.transitiveDependencies ?? []).map((n2) => `${n2.packageName}@${n2.version}`)
-    ];
-    return getDependencyTypeForReachableVulnerability(vulnChainDetails, directDependencies, affectedPackages);
-  }
-  if (codeAwareScanResults.type !== "success") {
-    throw new Error(`AssertionError: Expected codeAwareScanResults to be either success or noAnalysisCheck when reachability is REACHABLE`);
-  }
-  const detectedOccurrences = codeAwareScanResults.detectedOccurrences;
-  let dependencyType = "unknown";
-  for (const detectedOccurrence of Array.isArray(detectedOccurrences) ? detectedOccurrences : [detectedOccurrences]) {
-    const affectedPackages = detectedOccurrence.affectedPackages;
-    const dependencyTypeForOccurrence = getDependencyTypeForReachableVulnerability(vulnChainDetails, directDependencies, affectedPackages);
-    if (dependencyType === "unknown") {
-      dependencyType = dependencyTypeForOccurrence;
-    } else if (dependencyType !== dependencyTypeForOccurrence) {
-      return "prod&dev";
-    }
-  }
-  if (dependencyType === "unknown") {
-    dependencyType = getDependencyTypeForUnreachableVulnerability(vulnChainDetails, directDependencies);
-  }
-  return dependencyType;
-}
-async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
-  const base = cmdt`git -c safe.directory=${rootWorkingDirectory} rev-parse`;
-  try {
-    return {
-      sha: await runCommandResolveStdOut([...base, "HEAD"], rootWorkingDirectory),
-      branchName: await runCommandResolveStdOut([...base, "--abbrev-ref", "HEAD"], rootWorkingDirectory)
-    };
-  } catch (e) {
-    logger.debug("Unable to get git data. Is the folder even in a git repository?", e);
-  }
-}
-
-// dist/cli-upgrade-purl.js
-import { join as join27, relative as relative15, resolve as resolve34 } from "node:path";
-var import_packageurl_js3 = __toESM(require_packageurl_js(), 1);
-var ECOSYSTEMS_WITH_SOCKET_UPGRADES = ["NPM", "MAVEN", "NUGET", "GO", "RUST"];
-async function upgradePurl(rootDir, upgrades, options, logFile, cliFixRunId) {
-  if (options.rangeStyle && options.rangeStyle !== "pin") {
-    throw new Error('Range style must be "pin"');
-  }
-  logger.initWinstonLogger(options.debug);
-  logger.silent = options.silent;
-  let cliRunId = cliFixRunId;
-  if (!cliRunId && options.manifestsTarHash) {
-    cliRunId = await getSocketAPI().registerAutofixOrUpgradePurlRun(options.manifestsTarHash, options, "upgrade-purls");
-  }
-  const upgradePurlRunId = cliRunId && await getSocketAPI().registerUpgradePurlRun(cliRunId, upgrades);
-  Spinner.instance({
-    text: "Running Coana Upgrade Purl CLI",
-    isSilent: options.silentSpinner ?? options.silent
-  }).start();
-  try {
-    logger.info(`Upgrading purls for ${rootDir}: 
-${upgrades.map(({ purl, upgradeVersion }) => `	${prettyPrintPurlUpgrade(purl, upgradeVersion)}`).join("\n")}`);
-    if (options.manifestsTarHash) {
-      const { supportedUpgrades, unsupportedUpgrades } = upgrades.reduce((acc, upgrade) => {
-        const ecosystem = getAdvisoryEcosystemFromPurl(upgrade.purl);
-        const target = ECOSYSTEMS_WITH_SOCKET_UPGRADES.includes(ecosystem) ? "supportedUpgrades" : "unsupportedUpgrades";
-        acc[target].push(upgrade);
-        return acc;
-      }, { supportedUpgrades: [], unsupportedUpgrades: [] });
-      if (unsupportedUpgrades.length > 0) {
-        logger.warn(`The following upgrades are not supported due to missing support for upgrading their ecosystem: ${unsupportedUpgrades.map(({ purl, upgradeVersion }) => `	${prettyPrintPurlUpgrade(purl, upgradeVersion)}`).join("\n")}`);
-      }
-      if (supportedUpgrades.length === 0) {
-        return "fixed-none";
-      }
-      try {
-        const purlToUpgradeVersion = new Map(supportedUpgrades.map((upgrade) => [upgrade.purl, upgrade.upgradeVersion]));
-        const [manifestFiles, artifacts] = await Promise.all([
-          fetchManifestFilesFromManifestsTarHash(options.manifestsTarHash),
-          (await fetchArtifactsFromSocket(rootDir, options.manifestsTarHash, "upgrade-purls")).artifacts
-        ]);
-        const ecosystemToSocketArtifactUpgrades = /* @__PURE__ */ new Map();
-        artifacts.forEach((artifact, idx) => {
-          if (!artifact.name)
-            return;
-          if (!artifact.version)
-            return;
-          const purl = new import_packageurl_js3.PackageURL(artifact.type, artifact.namespace, artifact.name, artifact.version, artifact.qualifiers).toString();
-          const upgradeVersion = purlToUpgradeVersion.get(purl);
-          if (!upgradeVersion)
-            return;
-          const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
-          if (!ecosystemToSocketArtifactUpgrades.has(ecosystem)) {
-            ecosystemToSocketArtifactUpgrades.set(ecosystem, /* @__PURE__ */ new Map());
-          }
-          const currentUpgradeVersion = ecosystemToSocketArtifactUpgrades.get(ecosystem).get(idx);
-          if (currentUpgradeVersion === void 0) {
-            ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, upgradeVersion);
-          } else {
-            const versions = sortVersions(ecosystem, [artifact.version, currentUpgradeVersion, upgradeVersion]);
-            if (versionSatisfiesRelation(ecosystem, artifact.version, "=", versions[0])) {
-              ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, versions[versions.length - 1]);
-            } else if (versionSatisfiesRelation(ecosystem, artifact.version, "=", versions[versions.length - 1])) {
-              ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, versions[0]);
-            } else {
-              ecosystemToSocketArtifactUpgrades.get(ecosystem).set(idx, versions[versions.length - 1]);
-            }
-          }
-        });
-        let anyErrors = false;
-        for (const [ecosystem, upgrades2] of ecosystemToSocketArtifactUpgrades) {
-          if (options.rangeStyle && !["NPM", "MAVEN", "NUGET", "RUST"].includes(ecosystem)) {
-            logger.warn(`Range style is not supported for ${ecosystem}, skipping upgrades`);
-            continue;
-          }
-          const statusUpdater = (update2) => {
-            const statusIcons = {
-              success: "\u2705",
-              skipped: "\u26AA",
-              warn: "\u26A0\uFE0F",
-              error: "\u274C"
-            };
-            logger.info(`${statusIcons[update2.status]} ${update2.message} \u2500 ${relative15(rootDir, resolve34(rootDir, update2.file))}`);
-            update2.artifacts.forEach((idx, i7) => {
-              logger.info(`${" ".repeat(3)}${i7 === update2.artifacts.length - 1 ? "\u2514\u2500" : "\u251C\u2500"} ${prettyPrintSocketFactArtifactUpgrade(artifacts[idx], upgrades2.get(idx))}`);
-            });
-            for (const detail of update2.details ?? []) {
-              logger.debug(detail);
-            }
-            if (update2.patch)
-              logger.debug(update2.patch);
-            if (update2.status === "error")
-              anyErrors = true;
-          };
-          const ctxt = {
-            manifestFiles,
-            upgrades: upgrades2,
-            artifacts,
-            rangeStyle: options.rangeStyle,
-            statusUpdater
-          };
-          await applySocketUpgrades(ecosystem, rootDir, ctxt);
-        }
-        if (upgradePurlRunId) {
-          await getSocketAPI().finalizeUpgradePurlRun(upgradePurlRunId, "succeeded");
-        }
-        return unsupportedUpgrades.length === 0 && !anyErrors ? "fixed-all" : "fixed-some";
-      } catch (error) {
-        if (upgradePurlRunId) {
-          await getSocketAPI().finalizeUpgradePurlRun(
-            upgradePurlRunId,
-            "error",
-            !cliFixRunId ? error.stack : void 0,
-            // do not send stack trace and logContent for computeFixes runs, as that will be handled by that command.
-            !cliFixRunId && logFile ? await logger.getLogContent(logFile) : void 0
-          );
-        }
-        throw error;
-      }
-    }
-    const otherModulesCommunicator = new OtherModulesCommunicator(rootDir, options, {
-      type: "missing"
-    });
-    const ecosystems = upgrades.map((upgrade) => getAdvisoryEcosystemFromPurl(upgrade.purl));
-    const manager = await ProjectManager.create(rootDir, otherModulesCommunicator, ecosystems);
-    const { reachabilitySupport, traditionalScaSupport } = manager.getSubprojectsWithWorkspacePaths();
-    const supportedSubprojects = reachabilitySupport.concat(traditionalScaSupport).filter((p3) => getPackageManagerSupport(p3.packageManagerName).supportsApplyingFixes);
-    if (supportedSubprojects.length === 0) {
-      throw new Error(`No supported projects found in ${rootDir}.`);
+  }
+  async getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subProjAndWsPath) {
+    const { packageManagerName, subprojectPath, workspacePaths } = subProjAndWsPath;
+    this.sendProgress("RUN_ON_SUBPROJECT", true, subprojectPath);
+    const rootWorkingDirectory = this.rootWorkingDirectory;
+    this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", true, subprojectPath);
+    const projectInfo = await otherModulesCommunicator.prepareProjectAndGetProjectData(packageManagerName, subprojectPath, workspacePaths, this.options.lightweightReachability, this.options.providerProject ? await this.runOnProvider(this.options.providerProject) : void 0);
+    this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", false, subprojectPath);
+    const workspaceToPlainDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
+      workspacePath,
+      toPlainDependencyTree(projectInfo[workspacePath].dataForAnalysis.data.dependencyTree)
+    ]));
+    const dependencyTrees = workspacePaths.map((workspacePath) => ({
+      treeType: "v1",
+      dependencyTree: workspaceToPlainDependencyTree[workspacePath],
+      ecosystem: workspaceToPlainDependencyTree[workspacePath].ecosystem ?? "NPM",
+      workspacePath,
+      subprojectPath: relative15(rootWorkingDirectory, subprojectPath) || "."
+    }));
+    if (this.options.socketMode) {
+      this.reportDependencyTrees = workspacePaths.map((workspacePath) => ({
+        treeType: "v1",
+        dependencyTree: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree,
+        ecosystem: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree.ecosystem ?? "NPM",
+        workspacePath,
+        subprojectPath: relative15(rootWorkingDirectory, subprojectPath) || "."
+      }));
     }
-    const subprojectPromiseQueue = new PromiseQueue(Number(options.concurrency));
-    supportedSubprojects.forEach((subproject) => {
-      subprojectPromiseQueue.enqueueTask(async () => {
-        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => minimatch(join27(subproject.subprojectPath, wsPath), options.globPattern ?? "**"));
-        if (workspacePathsMatchingGlob.length === 0)
-          return;
-        logger.info(`Found workspaces for subproject ${subproject.subprojectPath}${options.globPattern ? `matching glob ${options.globPattern}` : ""}:
-${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
-        const fixingData = await otherModulesCommunicator.getFixingData(subproject.packageManagerName, subproject.subprojectPath, workspacePathsMatchingGlob);
-        const workspaceToFixes = {};
-        Object.entries(fixingData.dependencyTrees).forEach(([wsPath, depTree]) => {
-          const vulnerabilityFixes = [];
-          const simplePurlToDepId = getPurlStrings(depTree);
-          upgrades.forEach((upgrade) => {
-            const purl = import_packageurl_js3.PackageURL.fromString(upgrade.purl);
-            if (purl.version === void 0)
-              throw Error(`Undefined version for purl ${upgrade.purl}`);
-            const simplePurl2 = `pkg:${purl.type}/${purl.namespace ? `${purl.namespace}/` : ""}${purl.name}${purl.version ? `@${purl.version}` : ""}`;
-            for (const depIdMatchingPurl of simplePurlToDepId[simplePurl2] ?? []) {
-              const node = depTree.transitiveDependencies[depIdMatchingPurl];
-              if (!node)
-                throw Error("should not happen!");
-              vulnerabilityFixes.push({
-                dependencyName: node.packageName,
-                currentVersion: assertDefined(node.version),
-                dependencyIdentifier: depIdMatchingPurl,
-                fixedVersion: upgrade.upgradeVersion
-              });
-            }
+    if (this.shareWithDashboard)
+      sendDependencyTreesToDashboard(dependencyTrees, this.reportId, this.apiKey);
+    const workspaceToVulnerabilities = Object.fromEntries(await asyncMap(workspacePaths, async (workspacePath, idx) => this.spinner.wrap(`Scanning for vulnerabilities: (${subProjAndWsPath.packageManagerName}) (${idx + 1}/${workspacePaths.length}) ${workspacePath}`, async () => {
+      const dependencyTree = projectInfo[workspacePath].dataForAnalysis.data.dependencyTree;
+      this.sendProgress("SCAN_FOR_VULNERABILITIES", true, subprojectPath, workspacePath);
+      try {
+        return [
+          workspacePath,
+          this.options.socketMode ? await scanForVulnerabilitiesSocketMode(projectInfo[workspacePath].dataForAnalysis.data.dependencyTree) : (await scanForVulnerabilities(dependencyTree, this.options.offlineDatabase, this.apiKey, Number(this.options.timeout))).vulnerabilities
+        ];
+      } catch (e) {
+        logger.error(`Scanning for vulnerabilities failed for subproject ${subprojectPath} in workspace ${workspacePath}`);
+        if (this.options.ignoreFailingWorkspaces) {
+          const relativeSubprojectPath = relative15(this.rootWorkingDirectory, subprojectPath) || ".";
+          this.failedWorkspaces.push({
+            subproject: relativeSubprojectPath,
+            workspace: workspacePath,
+            error: e.message || "Unknown error",
+            phase: "vulnerability-scanning"
           });
-          if (vulnerabilityFixes.length === 0)
-            return;
-          logger.info(`Found ${vulnerabilityFixes.length} ${vulnerabilityFixes.length === 1 ? "dependency" : "dependencies"} matching upgrade specs for ${join27(subproject.subprojectPath, wsPath)}`);
-          workspaceToFixes[wsPath] = [
-            {
-              fixId: "dummy",
-              vulnerabilityFixes
-            }
-          ];
-        });
-        if (Object.entries(workspaceToFixes).length === 0) {
-          logger.info(`No dependencies matching upgrade specs found for subproject ${subproject.subprojectPath}`);
-          return;
+          return [workspacePath, void 0];
         }
-        await applySecurityFixes(subproject.packageManagerName, rootDir, relative15(rootDir, subproject.subprojectPath) || ".", otherModulesCommunicator, workspaceToFixes, fixingData, signalFixApplied);
-      });
-    });
-    await subprojectPromiseQueue.onIdle();
-  } finally {
-    Spinner.instance().stop();
+        throw e;
+      } finally {
+        this.sendProgress("SCAN_FOR_VULNERABILITIES", false, subprojectPath, workspacePath);
+      }
+    })));
+    const successfulWorkspaceToVulnerabilities = Object.fromEntries(Object.entries(workspaceToVulnerabilities).filter(([_, vulns]) => vulns !== void 0));
+    return { projectInfo, workspaceToVulnerabilities: successfulWorkspaceToVulnerabilities };
   }
-}
-var signalFixApplied = (_fixId, subprojectPath, workspacePath, vulnerabilityFixes) => {
-  logger.info(`Successfully upgraded purls for: ${join27(subprojectPath, workspacePath)}`);
-  logger.info(`Upgraded: 
-${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVersion} to ${fix.fixedVersion}`).join("\n")}`);
 };
-
-// dist/cli-compute-fixes-and-upgrade-purls.js
-async function computeFixesAndUpgradePurls(path2, options, logFile) {
-  const autofixRunId = options.manifestsTarHash && await getSocketAPI().registerAutofixOrUpgradePurlRun(options.manifestsTarHash, options, "autofix");
-  const { artifacts, ghsaToVulnerableArtifactIds } = await computeInputForComputingFixes(path2, options);
-  if (Object.keys(ghsaToVulnerableArtifactIds).length === 0) {
-    logger.info("No vulnerabilities to compute fixes for");
-    return { type: "no-vulnerabilities-found" };
-  }
-  if (options.applyFixesTo.length === 0) {
-    logger.info("Vulnerabilities found:", Object.keys(ghsaToVulnerableArtifactIds).join(", "));
-    logger.info("Run again with --apply-fixes-to GHSA_IDS to fix those vulnerabilities by computing packages to upgrade and apply them");
-    return { type: "no-ghsas-fix-requested", ghsas: Object.keys(ghsaToVulnerableArtifactIds) };
-  }
-  const ghsaToVulnerableArtifactIdsToApply = options.applyFixesTo.includes("all") ? ghsaToVulnerableArtifactIds : Object.fromEntries(Object.entries(ghsaToVulnerableArtifactIds).filter(([ghsa]) => options.applyFixesTo.includes(ghsa)));
-  const computedFix = await useSocketComputeFixEndpoint(autofixRunId, artifacts, ghsaToVulnerableArtifactIdsToApply, {
-    noMajorUpdates: options.disableMajorUpdates,
-    minimumReleaseAgeInMinutes: options.minimumReleaseAgeInMinutes
-  });
-  if (computedFix.type !== "success") {
-    throw new Error(`No fix found for the given vulnerabilities`);
+function getRelativeSubprojectPath(subprojectPath, projectDir) {
+  return relative15(projectDir, subprojectPath) || ".";
+}
+function getDependencyType(vulnChainDetails, codeAwareScanResults, directDependencies, reachability) {
+  if (reachability === "UNREACHABLE" || reachability === "UNKNOWN") {
+    return getDependencyTypeForUnreachableVulnerability(vulnChainDetails, directDependencies);
   }
-  const ghsasFailedToFix = Object.keys(ghsaToVulnerableArtifactIdsToApply).filter((ghsa) => {
-    const artifactIds = ghsaToVulnerableArtifactIdsToApply[ghsa];
-    if (!artifactIds)
-      return false;
-    return artifactIds.some((artifactId) => computedFix.ghsaToResult[ghsa].failedArtifacts?.includes(artifactId));
-  });
-  if (ghsasFailedToFix.length > 0) {
-    logger.info("Failed to compute fixes for the following vulnerabilities:");
+  if (codeAwareScanResults.type === "noAnalysisCheck") {
+    const affectedPackages = [
+      "",
+      ...Object.values(vulnChainDetails?.transitiveDependencies ?? []).map((n2) => `${n2.packageName}@${n2.version}`)
+    ];
+    return getDependencyTypeForReachableVulnerability(vulnChainDetails, directDependencies, affectedPackages);
   }
-  for (const ghsa of ghsasFailedToFix) {
-    logger.info(`  - ${ghsa} (${ghsaToVulnerableArtifactIdsToApply[ghsa].map((id) => simplePurl(artifacts[id].type, artifacts[id].namespace ?? null, artifacts[id].name ?? "", artifacts[id].version ?? null)).join(", ")})`);
+  if (codeAwareScanResults.type !== "success") {
+    throw new Error(`AssertionError: Expected codeAwareScanResults to be either success or noAnalysisCheck when reachability is REACHABLE`);
   }
-  const fixesFound = Object.entries(computedFix.ghsaToResult).filter(([_, result]) => result.failedArtifacts === void 0 || result.failedArtifacts.length === 0);
-  const combinedFixes = fixesFound.flatMap(([_, result]) => result.fixes);
-  if (options.dryRun) {
-    logger.info("Fixes found:");
-    for (const [ghsa, result] of fixesFound) {
-      logger.info(`  - ${ghsa}:`);
-      for (const fix of result.fixes) {
-        logger.info(`    - ${fix.purl} -> ${fix.fixedVersion}`);
-      }
+  const detectedOccurrences = codeAwareScanResults.detectedOccurrences;
+  let dependencyType = "unknown";
+  for (const detectedOccurrence of Array.isArray(detectedOccurrences) ? detectedOccurrences : [detectedOccurrences]) {
+    const affectedPackages = detectedOccurrence.affectedPackages;
+    const dependencyTypeForOccurrence = getDependencyTypeForReachableVulnerability(vulnChainDetails, directDependencies, affectedPackages);
+    if (dependencyType === "unknown") {
+      dependencyType = dependencyTypeForOccurrence;
+    } else if (dependencyType !== dependencyTypeForOccurrence) {
+      return "prod&dev";
     }
-    return {
-      type: "dry-run-result",
-      fixes: Object.fromEntries(fixesFound.map(([ghsa, result]) => [ghsa, result.fixes])),
-      ...ghsasFailedToFix.length > 0 && { failedToFix: ghsasFailedToFix }
-    };
   }
-  if (combinedFixes.length === 0) {
-    if (autofixRunId) {
-      await getSocketAPI().finalizeAutofixRun(autofixRunId, "fixed-none");
-    }
-    throw new Error("Failed to find a fix for the given vulnerabilities");
+  if (dependencyType === "unknown") {
+    dependencyType = getDependencyTypeForUnreachableVulnerability(vulnChainDetails, directDependencies);
   }
+  return dependencyType;
+}
+async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
+  const base = cmdt`git -c safe.directory=${rootWorkingDirectory} rev-parse`;
   try {
-    const applyFixesStatus = await upgradePurl(path2, T3(combinedFixes, (fix) => `${fix.purl}${fix.fixedVersion}`).map((fix) => ({
-      purl: fix.purl,
-      upgradeVersion: fix.fixedVersion
-    })), {
-      debug: options.debug,
-      silent: options.silent,
-      runWithoutDocker: options.runWithoutDocker,
-      manifestsTarHash: options.manifestsTarHash,
-      concurrency: "1",
-      globPattern: options.globPattern,
-      rangeStyle: options.rangeStyle
-    }, void 0, autofixRunId) ?? "fixed-all";
-    if (autofixRunId) {
-      await getSocketAPI().finalizeAutofixRun(autofixRunId, ghsasFailedToFix.length === 0 && applyFixesStatus === "fixed-all" ? "fixed-all" : ghsasFailedToFix.length === Object.keys(ghsaToVulnerableArtifactIdsToApply).length || applyFixesStatus === "fixed-none" ? "fixed-none" : "fixed-some");
-    }
     return {
-      type: "applied-fixes",
-      fixes: Object.fromEntries(fixesFound.map(([ghsa, result]) => [ghsa, result.fixes]))
+      sha: await runCommandResolveStdOut([...base, "HEAD"], rootWorkingDirectory),
+      branchName: await runCommandResolveStdOut([...base, "--abbrev-ref", "HEAD"], rootWorkingDirectory)
     };
-  } catch (error) {
-    if (autofixRunId) {
-      await getSocketAPI().finalizeAutofixRun(autofixRunId, "error", error.stack, await logger.getLogContent(logFile));
-    }
-    logger.error("Error applying fixes:", error);
-    throw error;
-  }
-}
-async function computeInputForComputingFixes(path2, options) {
-  if (options.manifestsTarHash) {
-    const { artifacts: artifacts2 } = await fetchArtifactsFromSocket(path2, options.manifestsTarHash, "autofix");
-    const ghsaToVulnerableArtifactIds2 = {};
-    for (const [index2, artifact] of artifacts2.entries()) {
-      if (!artifact.vulnerabilities)
-        continue;
-      for (const vulnerability of artifact.vulnerabilities) {
-        if (!(ghsaToVulnerableArtifactIds2[vulnerability.ghsaId] ??= []).includes(index2)) {
-          ghsaToVulnerableArtifactIds2[vulnerability.ghsaId].push(index2);
-        }
-      }
-    }
-    const sbomTaskArtifacts = artifacts2.map((artifact) => ({
-      type: artifact.type,
-      name: artifact.name ?? "",
-      version: artifact.version ?? "",
-      namespace: artifact.namespace ?? void 0,
-      adj: artifact.dependencies?.map((dep) => artifacts2.findIndex((a4) => a4.id === dep)) ?? []
-    }));
-    return { artifacts: sbomTaskArtifacts, ghsaToVulnerableArtifactIds: ghsaToVulnerableArtifactIds2 };
-  }
-  const otherModulesCommunicator = new OtherModulesCommunicator(path2, options, {
-    type: "missing"
-  });
-  const manager = await ProjectManager.create(path2, otherModulesCommunicator);
-  const { reachabilitySupport, traditionalScaSupport } = manager.getSubprojectsWithWorkspacePaths();
-  const supportedSubprojects = reachabilitySupport.concat(traditionalScaSupport).filter((p3) => getPackageManagerSupport(p3.packageManagerName).supportsApplyingFixes);
-  if (supportedSubprojects.length === 0) {
-    throw new Error(`No supported projects found in ${path2}.`);
-  }
-  const cliCore = new CliCore(path2, { ...defaultCliOptions, socketMode: "true" });
-  const results = await asyncMap(supportedSubprojects, async (subproject) => cliCore.getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subproject));
-  const { artifacts, purlToIndex } = computeSBOMTaskArtifacts(results.flatMap((r3) => Object.values(r3.projectInfo).map((info) => info.dataForAnalysis.data.dependencyTree)));
-  const ghsaToVulnerableArtifactIds = computeVulnerableArtifactIdsPerVulnerability(results.flatMap((r3) => Object.values(r3.workspaceToVulnerabilities).flat()), purlToIndex);
-  return { artifacts, ghsaToVulnerableArtifactIds };
-}
-function computeVulnerableArtifactIdsPerVulnerability(vulnerabilities, purlToIndex) {
-  const vulnerableArtifactIdsPerVulnerability = {};
-  for (const vulnerability of vulnerabilities) {
-    if (!vulnerableArtifactIdsPerVulnerability[vulnerability.url]) {
-      vulnerableArtifactIdsPerVulnerability[vulnerability.url] = [];
-    }
-    if (!vulnerability.purl)
-      throw new Error(`Vulnerability ${vulnerability.url} has no purl`);
-    if (!purlToIndex.has(vulnerability.purl)) {
-      throw new Error(`Vulnerability ${vulnerability.url} has no purl in sbomTaskArtifacts`);
-    }
-    const index2 = purlToIndex.get(vulnerability.purl);
-    if (!vulnerableArtifactIdsPerVulnerability[vulnerability.url].includes(index2)) {
-      vulnerableArtifactIdsPerVulnerability[vulnerability.url].push(index2);
-    }
-  }
-  return vulnerableArtifactIdsPerVulnerability;
-}
-function computeSBOMTaskArtifacts(dependencyTrees) {
-  const components = [];
-  const purlToIndex = /* @__PURE__ */ new Map();
-  for (const dependencyTree of dependencyTrees) {
-    const depIdentifierToPurl = Object.fromEntries(Object.entries(dependencyTree.transitiveDependencies).filter(([_depIdentifier, dep]) => dep.purlObj).map(([depIdentifier, dep]) => {
-      const purl = dep.purlObj.purlString;
-      if (purl && !purlToIndex.has(purl)) {
-        purlToIndex.set(purl, components.length);
-        const depTreeNode = dependencyTree.transitiveDependencies[depIdentifier];
-        components[purlToIndex.get(purl)] = {
-          type: depTreeNode.purlObj.type,
-          name: depTreeNode.purlObj.name,
-          version: depTreeNode.purlObj.version,
-          namespace: depTreeNode.purlObj.namespace,
-          adj: []
-        };
-      }
-      return [depIdentifier, purl];
-    }));
-    for (const [depIdentifier, purl] of Object.entries(depIdentifierToPurl)) {
-      const depTreeNode = dependencyTree.transitiveDependencies[depIdentifier];
-      if (!depTreeNode.purlObj) {
-        continue;
-      }
-      const component = components[purlToIndex.get(purl)];
-      depTreeNode.dependencies?.forEach((dep) => {
-        const depPurl = depIdentifierToPurl[dep];
-        const depIndex = purlToIndex.get(depPurl);
-        if (depIndex && !component.adj?.includes(depIndex)) {
-          component.adj.push(depIndex);
-        }
-      });
-    }
+  } catch (e) {
+    logger.debug("Unable to get git data. Is the folder even in a git repository?", e);
   }
-  return { artifacts: components, purlToIndex };
 }
 
 // dist/index.js
@@ -229419,7 +229438,7 @@ upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the f
   });
 }).configureHelp({ sortOptions: true });
 var computeFixesAndUpgradePurlsCmd = new Command();
-computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').option("--disable-major-updates", "Do not suggest major updates. If only major update are available, the fix will not be applied.", false).option("-o, --output-file <file>", "Writes output to a JSON file").option("--minimum-release-age <minimumReleaseAge>", "Do not allow upgrades to package versions that are newer than minimumReleaseAge. Format is 2m, 5h, 3d or 1w").addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).action(async (path2, options) => {
+computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').option("--disable-major-updates", "Do not suggest major updates. If only major update are available, the fix will not be applied.", false).option("-o, --output-file <file>", "Writes output to a JSON file").option("--minimum-release-age <minimumReleaseAge>", "Do not allow upgrades to package versions that are newer than minimumReleaseAge. Format is 2m, 5h, 3d or 1w").option("--show-affected-direct-dependencies", "Show the affected direct dependencies for each vulnerability and what upgrades could fix them - does not apply the upgrades.", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).action(async (path2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   if (options.outputFile && !options.outputFile.endsWith(".json")) {
     throw new Error("Output file must have a .json extension");