@socketsecurity/cli-with-sentry 0.14.102 → 0.14.104

package/dist/module-sync/shadow-npm-inject.js

@@ -5,9 +5,9 @@ const process$1 = require('node:process')
 const vendor = require('./vendor.js')
 const logger = require('@socketsecurity/registry/lib/logger')
 const constants = require('./constants.js')
+const arrays = require('@socketsecurity/registry/lib/arrays')
 const packageurlJs = require('@socketregistry/packageurl-js')
 const registry = require('@socketsecurity/registry')
-const arrays = require('@socketsecurity/registry/lib/arrays')
 const debug = require('@socketsecurity/registry/lib/debug')
 const objects = require('@socketsecurity/registry/lib/objects')
 const isInteractive = require('@socketregistry/is-interactive/index.cjs')
@@ -15,7 +15,7 @@ const registryConstants = require('@socketsecurity/registry/lib/constants')
 const prompts = require('@socketsecurity/registry/lib/prompts')
 const strings = require('@socketsecurity/registry/lib/strings')
 const sdk = require('@socketsecurity/sdk')
-const require$$0 = require('node:fs')
+const fs = require('node:fs')
 const os = require('node:os')
 const path = require('node:path')
 const promises = require('node:timers/promises')
@@ -36,7 +36,7 @@ async function findUp(name, { cwd = process$1.cwd(), signal = abortSignal }) {
       const filePath = path.join(dir, name)
       try {
         // eslint-disable-next-line no-await-in-loop
-        const stats = await require$$0.promises.stat(filePath)
+        const stats = await fs.promises.stat(filePath)
         if (stats.isFile()) {
           return filePath
         }
@@ -47,14 +47,14 @@ async function findUp(name, { cwd = process$1.cwd(), signal = abortSignal }) {
   return undefined
 }
 async function readFileBinary(filepath, options) {
-  return await require$$0.promises.readFile(filepath, {
+  return await fs.promises.readFile(filepath, {
     signal: abortSignal,
     ...options,
     encoding: 'binary'
   })
 }
 async function readFileUtf8(filepath, options) {
-  return await require$$0.promises.readFile(filepath, {
+  return await fs.promises.readFile(filepath, {
     signal: abortSignal,
     ...options,
     encoding: 'utf8'
@@ -62,7 +62,7 @@ async function readFileUtf8(filepath, options) {
 }
 async function safeReadFile(filepath, options) {
   try {
-    return await require$$0.promises.readFile(filepath, {
+    return await fs.promises.readFile(filepath, {
       encoding: 'utf8',
       signal: abortSignal,
       ...(typeof options === 'string'
@@ -76,7 +76,7 @@ async function safeReadFile(filepath, options) {
 }
 function safeReadFileSync(filepath, options) {
   try {
-    return require$$0.readFileSync(filepath, {
+    return fs.readFileSync(filepath, {
       encoding: 'utf8',
       ...(typeof options === 'string'
         ? {
@@ -107,6 +107,7 @@ let _cachedConfig
 // When using --config or SOCKET_CLI_CONFIG, do not persist the config.
 let _readOnlyConfig = false
 function overrideCachedConfig(jsonConfig) {
+  debug.debugLog('Overriding entire config, marking config as read-only')
   let config
   try {
     config = JSON.parse(String(jsonConfig))
@@ -123,7 +124,7 @@ function overrideCachedConfig(jsonConfig) {
     }
   }
 
-  // @ts-ignore if you want to override an illegal object, so be it?
+  // @ts-ignore Override an illegal object.
   _cachedConfig = config
   _readOnlyConfig = true
 
@@ -143,6 +144,7 @@ function overrideCachedConfig(jsonConfig) {
   }
 }
 function overrideConfigApiToken(apiToken) {
+  debug.debugLog('Overriding API token, marking config as read-only')
   // Set token to the local cached config and mark it read-only so it doesn't persist
   _cachedConfig = {
     ...vendor.configExports,
@@ -178,7 +180,7 @@ function getConfigValues() {
           updateConfigValue('apiToken', token)
         }
       } else {
-        require$$0.mkdirSync(path.dirname(configPath), {
+        fs.mkdirSync(path.dirname(configPath), {
           recursive: true
         })
       }
@@ -282,7 +284,7 @@ function updateConfigValue(key, value) {
       _pendingSave = false
       const configPath = getConfigPath()
       if (configPath) {
-        require$$0.writeFileSync(
+        fs.writeFileSync(
           configPath,
           Buffer.from(JSON.stringify(localConfig)).toString('base64')
         )
@@ -389,34 +391,14 @@ async function setupSdk(
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
       name: '@socketsecurity/cli',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: '0.14.102',
+      version: '0.14.104',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
       homepage: 'https://github.com/SocketDev/socket-cli'
     })
   })
 }
 
-function assignDefaultFixOptions(options) {
-  if (options.autoPilot === undefined) {
-    options.autoPilot = false
-  }
-  if (options.autoMerge === undefined) {
-    options.autoMerge = !!options.autoPilot
-  }
-  if (options.cwd === undefined) {
-    options.cwd = process.cwd()
-  }
-  if (options.rangeStyle === undefined) {
-    options.rangeStyle = 'preserve'
-  }
-  if (options.test === undefined) {
-    options.test = !!options.autoPilot || !!options.testScript
-  }
-  if (options.testScript === undefined) {
-    options.testScript = 'test'
-  }
-  return options
-}
+const RangeStyles = ['caret', 'gt', 'lt', 'pin', 'preserve', 'tilde']
 function applyRange(refRange, version, style = 'preserve') {
   switch (style) {
     case 'caret':
@@ -445,7 +427,6 @@ function applyRange(refRange, version, style = 'preserve') {
       return version
   }
 }
-const RangeStyles = ['caret', 'gt', 'lt', 'pin', 'preserve', 'tilde']
 
 const DiffAction = /*#__PURE__*/ (function (DiffAction) {
   DiffAction['add'] = 'ADD'
@@ -1192,135 +1173,400 @@ class SafeEdge extends Edge {
   }
 }
 
-const {
-  ALERT_TYPE_CRITICAL_CVE,
-  ALERT_TYPE_CVE,
-  ALERT_TYPE_MEDIUM_CVE,
-  ALERT_TYPE_MILD_CVE
-} = constants
-function isArtifactAlertCve(alert) {
-  const { type } = alert
-  return (
-    type === ALERT_TYPE_CVE ||
-    type === ALERT_TYPE_MEDIUM_CVE ||
-    type === ALERT_TYPE_MILD_CVE ||
-    type === ALERT_TYPE_CRITICAL_CVE
-  )
-}
-
-const ALERT_FIX_TYPE = /*#__PURE__*/ (function (ALERT_FIX_TYPE) {
-  ALERT_FIX_TYPE['cve'] = 'cve'
-  ALERT_FIX_TYPE['upgrade'] = 'upgrade'
-  return ALERT_FIX_TYPE
-})({})
-
-function pick(input, keys) {
-  const result = {}
-  for (const key of keys) {
-    result[key] = input[key]
-  }
-  return result
+const { LOOP_SENTINEL, NPM: NPM$2, NPM_REGISTRY_URL } = constants
+function getUrlOrigin(input) {
+  try {
+    // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.
+    // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base
+    // return URL.parse(input)?.origin ?? ''
+    return new URL(input).origin ?? ''
+  } catch {}
+  return ''
 }
-
-function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean)
-  const { length } = values
-  if (!length) {
-    return ''
-  }
-  if (length === 1) {
-    return values[0]
+function findBestPatchVersion(
+  node,
+  availableVersions,
+  vulnerableVersionRange,
+  _firstPatchedVersionIdentifier
+) {
+  const manifestData = registry.getManifestData(NPM$2, node.name)
+  let eligibleVersions
+  if (manifestData && manifestData.name === manifestData.package) {
+    const major = vendor.semverExports.major(manifestData.version)
+    eligibleVersions = availableVersions.filter(
+      v => vendor.semverExports.major(v) === major
+    )
+  } else {
+    const major = vendor.semverExports.major(node.version)
+    eligibleVersions = availableVersions.filter(
+      v =>
+        // Filter for versions that are within the current major version and
+        // are NOT in the vulnerable range.
+        vendor.semverExports.major(v) === major &&
+        (!vulnerableVersionRange ||
+          !vendor.semverExports.satisfies(v, vulnerableVersionRange))
+    )
   }
-  const finalValue = values.pop()
-  return `${values.join(', ')}${separator}${finalValue}`
+  return vendor.semverExports.maxSatisfying(eligibleVersions, '*')
 }
-
-const ALERT_SEVERITY = /*#__PURE__*/ (function (ALERT_SEVERITY) {
-  ALERT_SEVERITY['critical'] = 'critical'
-  ALERT_SEVERITY['high'] = 'high'
-  ALERT_SEVERITY['middle'] = 'middle'
-  ALERT_SEVERITY['low'] = 'low'
-  return ALERT_SEVERITY
-})({})
-// Ordered from most severe to least.
-const ALERT_SEVERITIES_SORTED = Object.freeze([
-  'critical',
-  'high',
-  'middle',
-  'low'
-])
-function getDesiredSeverities(lowestToInclude) {
-  const result = []
-  for (const severity of ALERT_SEVERITIES_SORTED) {
-    result.push(severity)
-    if (severity === lowestToInclude) {
-      break
+function findPackageNode(tree, name, version) {
+  const queue = [tree]
+  let sentinel = 0
+  while (queue.length) {
+    if (sentinel++ === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop in findPackageNodes')
     }
-  }
-  return result
-}
-function formatSeverityCount(severityCount) {
-  const summary = []
-  for (const severity of ALERT_SEVERITIES_SORTED) {
-    if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`)
+    const currentNode = queue.pop()
+    const node = currentNode.children.get(name)
+    if (node && (typeof version !== 'string' || node.version === version)) {
+      return node
+    }
+    const children = [...currentNode.children.values()]
+    for (let i = children.length - 1; i >= 0; i -= 1) {
+      queue.push(children[i])
     }
   }
-  return stringJoinWithSeparateFinalSeparator(summary)
 }
-function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick(
-    {
-      low: 0,
-      middle: 0,
-      high: 0,
-      critical: 0
-    },
-    getDesiredSeverities(lowestToInclude)
-  )
-  for (const issue of issues) {
-    const { value } = issue
-    if (!value) {
-      continue
+function findPackageNodes(tree, name, version) {
+  const queue = [tree]
+  const matches = []
+  let sentinel = 0
+  while (queue.length) {
+    if (sentinel++ === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop in findPackageNodes')
     }
-    const { severity } = value
-    if (severityCount[severity] !== undefined) {
-      severityCount[severity] += 1
+    const currentNode = queue.pop()
+    const node = currentNode.children.get(name)
+    if (node && 'undefined' !== 'string') {
+      matches.push(node)
+    }
+    const children = [...currentNode.children.values()]
+    for (let i = children.length - 1; i >= 0; i -= 1) {
+      queue.push(children[i])
     }
   }
-  return severityCount
+  return matches
 }
-
-class ColorOrMarkdown {
-  constructor(useMarkdown) {
-    this.useMarkdown = !!useMarkdown
-  }
-  bold(text) {
-    return this.useMarkdown
-      ? `**${text}**`
-      : vendor.yoctocolorsCjsExports.bold(`${text}`)
+function getDetailsFromDiff(diff_, options) {
+  const details = []
+  // `diff_` is `null` when `npm install --package-lock-only` is passed.
+  if (!diff_) {
+    return details
   }
-  header(text, level = 1) {
-    return this.useMarkdown
-      ? `\n${''.padStart(level, '#')} ${text}\n`
-      : vendor.yoctocolorsCjsExports.underline(
-          `\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`
-        )
+  const include = {
+    __proto__: null,
+    unchanged: false,
+    unknownOrigin: false,
+    ...{
+      __proto__: null,
+      ...options
+    }.include
   }
-  hyperlink(text, url, { fallback = true, fallbackToUrl } = {}) {
-    if (url) {
-      return this.useMarkdown
-        ? `[${text}](${url})`
-        : vendor.terminalLinkExports(text, url, {
-            fallback: fallbackToUrl ? (_text, url) => url : fallback
+  const queue = [...diff_.children]
+  let pos = 0
+  let { length: queueLength } = queue
+  while (pos < queueLength) {
+    if (pos === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop while walking Arborist diff')
+    }
+    const diff = queue[pos++]
+    const { action } = diff
+    if (action) {
+      // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
+      // action is 'REMOVE'
+      // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
+      // action is 'ADD'.
+      const { actual: oldNode, ideal: pkgNode } = diff
+      let existing
+      let keep = false
+      if (action === DiffAction.change) {
+        if (pkgNode?.package.version !== oldNode?.package.version) {
+          keep = true
+          if (
+            oldNode?.package.name &&
+            oldNode.package.name === pkgNode?.package.name
+          ) {
+            existing = oldNode
+          }
+        } else {
+          debug.debugLog('SKIPPING META CHANGE ON\n', diff)
+        }
+      } else {
+        keep = action !== DiffAction.remove
+      }
+      if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
+        if (
+          include.unknownOrigin ||
+          getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
+        ) {
+          details.push({
+            node: pkgNode,
+            existing
           })
+        }
+      }
+    }
+    for (const child of diff.children) {
+      queue[queueLength++] = child
     }
-    return text
   }
-  indent(...args) {
-    return indentString(...args)
+  if (include.unchanged) {
+    const { unchanged } = diff_
+    for (let i = 0, { length } = unchanged; i < length; i += 1) {
+      const pkgNode = unchanged[i]
+      if (
+        include.unknownOrigin ||
+        getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
+      ) {
+        details.push({
+          node: pkgNode,
+          existing: pkgNode
+        })
+      }
+    }
   }
-  italic(text) {
+  return details
+}
+function isTopLevel(tree, node) {
+  return tree.children.get(node.name) === node
+}
+function updateNode(
+  node,
+  packument,
+  vulnerableVersionRange,
+  firstPatchedVersionIdentifier
+) {
+  const availableVersions = Object.keys(packument.versions)
+  // Find the highest non-vulnerable version within the same major range
+  const targetVersion = findBestPatchVersion(
+    node,
+    availableVersions,
+    vulnerableVersionRange
+  )
+  const targetPackument = targetVersion
+    ? packument.versions[targetVersion]
+    : undefined
+  // Check !targetVersion to make TypeScript happy.
+  if (!targetVersion || !targetPackument) {
+    // No suitable patch version found.
+    return false
+  }
+  // Object.defineProperty is needed to set the version property and replace
+  // the old value with targetVersion.
+  Object.defineProperty(node, 'version', {
+    configurable: true,
+    enumerable: true,
+    get: () => targetVersion
+  })
+  // Update package.version associated with the node.
+  node.package.version = targetVersion
+  // Update node.resolved.
+  const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${node.name}`)
+  node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${targetVersion}.tgz`
+  // Update node.integrity with the targetPackument.dist.integrity value if available
+  // else delete node.integrity so a new value is resolved for the target version.
+  const { integrity } = targetPackument.dist
+  if (integrity) {
+    node.integrity = integrity
+  } else {
+    delete node.integrity
+  }
+  // Update node.package.deprecated based on targetPackument.deprecated.
+  if (objects.hasOwn(targetPackument, 'deprecated')) {
+    node.package['deprecated'] = targetPackument.deprecated
+  } else {
+    delete node.package['deprecated']
+  }
+  // Update node.package.dependencies.
+  const newDeps = {
+    ...targetPackument.dependencies
+  }
+  const { dependencies: oldDeps } = node.package
+  node.package.dependencies = newDeps
+  if (oldDeps) {
+    for (const oldDepName of Object.keys(oldDeps)) {
+      if (!objects.hasOwn(newDeps, oldDepName)) {
+        // Detach old edges for dependencies that don't exist on the updated
+        // node.package.dependencies.
+        node.edgesOut.get(oldDepName)?.detach()
+      }
+    }
+  }
+  for (const newDepName of Object.keys(newDeps)) {
+    if (!objects.hasOwn(oldDeps, newDepName)) {
+      // Add new edges for dependencies that don't exist on the old
+      // node.package.dependencies.
+      node.addEdgeOut(
+        new Edge({
+          from: node,
+          name: newDepName,
+          spec: newDeps[newDepName],
+          type: 'prod'
+        })
+      )
+    }
+  }
+  return true
+}
+function updatePackageJsonFromNode(
+  editablePkgJson,
+  tree,
+  node,
+  targetVersion,
+  rangeStyle
+) {
+  if (isTopLevel(tree, node)) {
+    const { name } = node
+    for (const depField of [
+      'dependencies',
+      'optionalDependencies',
+      'peerDependencies'
+    ]) {
+      const oldValue = editablePkgJson.content[depField]
+      if (oldValue) {
+        const refRange = oldValue[name]
+        if (refRange) {
+          editablePkgJson.update({
+            [depField]: {
+              ...oldValue,
+              [name]: applyRange(refRange, targetVersion, rangeStyle)
+            }
+          })
+        }
+      }
+    }
+  }
+}
+
+const {
+  ALERT_TYPE_CRITICAL_CVE,
+  ALERT_TYPE_CVE,
+  ALERT_TYPE_MEDIUM_CVE,
+  ALERT_TYPE_MILD_CVE
+} = constants
+function isArtifactAlertCve(alert) {
+  const { type } = alert
+  return (
+    type === ALERT_TYPE_CVE ||
+    type === ALERT_TYPE_MEDIUM_CVE ||
+    type === ALERT_TYPE_MILD_CVE ||
+    type === ALERT_TYPE_CRITICAL_CVE
+  )
+}
+
+const ALERT_FIX_TYPE = /*#__PURE__*/ (function (ALERT_FIX_TYPE) {
+  ALERT_FIX_TYPE['cve'] = 'cve'
+  ALERT_FIX_TYPE['upgrade'] = 'upgrade'
+  return ALERT_FIX_TYPE
+})({})
+
+function pick(input, keys) {
+  const result = {}
+  for (const key of keys) {
+    result[key] = input[key]
+  }
+  return result
+}
+
+function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
+  const values = list.filter(Boolean)
+  const { length } = values
+  if (!length) {
+    return ''
+  }
+  if (length === 1) {
+    return values[0]
+  }
+  const finalValue = values.pop()
+  return `${values.join(', ')}${separator}${finalValue}`
+}
+
+const ALERT_SEVERITY = /*#__PURE__*/ (function (ALERT_SEVERITY) {
+  ALERT_SEVERITY['critical'] = 'critical'
+  ALERT_SEVERITY['high'] = 'high'
+  ALERT_SEVERITY['middle'] = 'middle'
+  ALERT_SEVERITY['low'] = 'low'
+  return ALERT_SEVERITY
+})({})
+// Ordered from most severe to least.
+const ALERT_SEVERITIES_SORTED = Object.freeze([
+  'critical',
+  'high',
+  'middle',
+  'low'
+])
+function getDesiredSeverities(lowestToInclude) {
+  const result = []
+  for (const severity of ALERT_SEVERITIES_SORTED) {
+    result.push(severity)
+    if (severity === lowestToInclude) {
+      break
+    }
+  }
+  return result
+}
+function formatSeverityCount(severityCount) {
+  const summary = []
+  for (const severity of ALERT_SEVERITIES_SORTED) {
+    if (severityCount[severity]) {
+      summary.push(`${severityCount[severity]} ${severity}`)
+    }
+  }
+  return stringJoinWithSeparateFinalSeparator(summary)
+}
+function getSeverityCount(issues, lowestToInclude) {
+  const severityCount = pick(
+    {
+      low: 0,
+      middle: 0,
+      high: 0,
+      critical: 0
+    },
+    getDesiredSeverities(lowestToInclude)
+  )
+  for (const issue of issues) {
+    const { value } = issue
+    if (!value) {
+      continue
+    }
+    const { severity } = value
+    if (severityCount[severity] !== undefined) {
+      severityCount[severity] += 1
+    }
+  }
+  return severityCount
+}
+
+class ColorOrMarkdown {
+  constructor(useMarkdown) {
+    this.useMarkdown = !!useMarkdown
+  }
+  bold(text) {
+    return this.useMarkdown
+      ? `**${text}**`
+      : vendor.yoctocolorsCjsExports.bold(`${text}`)
+  }
+  header(text, level = 1) {
+    return this.useMarkdown
+      ? `\n${''.padStart(level, '#')} ${text}\n`
+      : vendor.yoctocolorsCjsExports.underline(
+          `\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`
+        )
+  }
+  hyperlink(text, url, { fallback = true, fallbackToUrl } = {}) {
+    if (url) {
+      return this.useMarkdown
+        ? `[${text}](${url})`
+        : vendor.terminalLinkExports(text, url, {
+            fallback: fallbackToUrl ? (_text, url) => url : fallback
+          })
+    }
+    return text
+  }
+  indent(...args) {
+    return indentString(...args)
+  }
+  italic(text) {
     return this.useMarkdown
       ? `_${text}_`
       : vendor.yoctocolorsCjsExports.italic(`${text}`)
@@ -1371,7 +1617,7 @@ const ALERT_SEVERITY_ORDER = /*#__PURE__*/ (function (ALERT_SEVERITY_ORDER) {
   ALERT_SEVERITY_ORDER[(ALERT_SEVERITY_ORDER['none'] = 4)] = 'none'
   return ALERT_SEVERITY_ORDER
 })({})
-const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM: NPM$2 } =
+const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM: NPM$1 } =
   constants
 const MIN_ABOVE_THE_FOLD_COUNT = 3
 const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1
@@ -1585,7 +1831,7 @@ function getCveInfoByAlertsMap(alertsMap, options) {
       const alert = sockPkgAlert.raw
       if (
         alert.fix?.type !== ALERT_FIX_TYPE.cve ||
-        (exclude.upgradable && registry.getManifestData(NPM$2, name))
+        (exclude.upgradable && registry.getManifestData(NPM$1, name))
       ) {
         continue
       }
@@ -1728,7 +1974,7 @@ function logAlertsMap(alertsMap, options) {
     const hyperlink = format.hyperlink(
       pkgId,
       getSocketDevPackageOverviewUrl(
-        NPM$2,
+        NPM$1,
         packages.resolvePackageName(purlObj),
         purlObj.version
       )
@@ -1785,161 +2031,57 @@ function logAlertsMap(alertsMap, options) {
   output.write('\n')
 }
 
-const { LOOP_SENTINEL, NPM: NPM$1, NPM_REGISTRY_URL } = constants
-function getDetailsFromDiff(diff_, options) {
-  const details = []
-  // `diff_` is `null` when `npm install --package-lock-only` is passed.
-  if (!diff_) {
-    return details
+async function getAlertsMapFromArborist(arb, options_) {
+  const options = {
+    __proto__: null,
+    consolidate: false,
+    nothrow: false,
+    ...options_
   }
   const include = {
     __proto__: null,
-    unchanged: false,
-    unknownOrigin: false,
-    ...{
-      __proto__: null,
-      ...options
-    }.include
-  }
-  const queue = [...diff_.children]
-  let pos = 0
-  let { length: queueLength } = queue
-  while (pos < queueLength) {
-    if (pos === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop while walking Arborist diff')
-    }
-    const diff = queue[pos++]
-    const { action } = diff
-    if (action) {
-      // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
-      // action is 'REMOVE'
-      // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
-      // action is 'ADD'.
-      const { actual: oldNode, ideal: pkgNode } = diff
-      let existing
-      let keep = false
-      if (action === DiffAction.change) {
-        if (pkgNode?.package.version !== oldNode?.package.version) {
-          keep = true
-          if (
-            oldNode?.package.name &&
-            oldNode.package.name === pkgNode?.package.name
-          ) {
-            existing = oldNode
-          }
-        } else {
-          debug.debugLog('SKIPPING META CHANGE ON\n', diff)
-        }
-      } else {
-        keep = action !== DiffAction.remove
-      }
-      if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        if (
-          include.unknownOrigin ||
-          getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
-        ) {
-          details.push({
-            node: pkgNode,
-            existing
-          })
-        }
-      }
-    }
-    for (const child of diff.children) {
-      queue[queueLength++] = child
-    }
+    existing: false,
+    ...options.include
   }
-  if (include.unchanged) {
-    const { unchanged } = diff_
-    for (let i = 0, { length } = unchanged; i < length; i += 1) {
-      const pkgNode = unchanged[i]
-      if (
-        include.unknownOrigin ||
-        getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
-      ) {
-        details.push({
-          node: pkgNode,
-          existing: pkgNode
-        })
-      }
+  const needInfoOn = getDetailsFromDiff(arb.diff, {
+    include: {
+      unchanged: include.existing
     }
-  }
-  return details
-}
-function getUrlOrigin(input) {
-  try {
-    // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.
-    // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base
-    // return URL.parse(input)?.origin ?? ''
-    return new URL(input).origin ?? ''
-  } catch {}
-  return ''
-}
-function findBestPatchVersion(
-  node,
-  availableVersions,
-  vulnerableVersionRange,
-  _firstPatchedVersionIdentifier
-) {
-  const manifestData = registry.getManifestData(NPM$1, node.name)
-  let eligibleVersions
-  if (manifestData && manifestData.name === manifestData.package) {
-    const major = vendor.semverExports.major(manifestData.version)
-    eligibleVersions = availableVersions.filter(
-      v => vendor.semverExports.major(v) === major
-    )
-  } else {
-    const major = vendor.semverExports.major(node.version)
-    eligibleVersions = availableVersions.filter(
-      v =>
-        // Filter for versions that are within the current major version and
-        // are NOT in the vulnerable range.
-        vendor.semverExports.major(v) === major &&
-        (!vulnerableVersionRange ||
-          !vendor.semverExports.satisfies(v, vulnerableVersionRange))
+  })
+  const purls = needInfoOn.map(d => `pkg:npm/${d.node.pkgid}`)
+  let overrides
+  const overridesMap = (
+    arb.actualTree ??
+    arb.idealTree ??
+    (await arb.loadActual())
+  )?.overrides?.children
+  if (overridesMap) {
+    overrides = Object.fromEntries(
+      [...overridesMap.entries()].map(([key, overrideSet]) => {
+        return [key, overrideSet.value]
+      })
     )
   }
-  return vendor.semverExports.maxSatisfying(eligibleVersions, '*')
-}
-function findPackageNode(tree, name, version) {
-  const queue = [tree]
-  let sentinel = 0
-  while (queue.length) {
-    if (sentinel++ === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop in findPackageNodes')
-    }
-    const currentNode = queue.pop()
-    const node = currentNode.children.get(name)
-    if (node && (typeof version !== 'string' || node.version === version)) {
-      return node
-    }
-    const children = [...currentNode.children.values()]
-    for (let i = children.length - 1; i >= 0; i -= 1) {
-      queue.push(children[i])
-    }
-  }
+  return await getAlertsMapFromPurls(purls, {
+    overrides,
+    ...options
+  })
 }
-function findPackageNodes(tree, name, version) {
-  const queue = [tree]
-  const matches = []
-  let sentinel = 0
-  while (queue.length) {
-    if (sentinel++ === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop in findPackageNodes')
-    }
-    const currentNode = queue.pop()
-    const node = currentNode.children.get(name)
-    if (node && 'undefined' !== 'string') {
-      matches.push(node)
-    }
-    const children = [...currentNode.children.values()]
-    for (let i = children.length - 1; i >= 0; i -= 1) {
-      queue.push(children[i])
-    }
+async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
+  const options = {
+    __proto__: null,
+    consolidate: false,
+    nothrow: false,
+    ...options_
   }
-  return matches
+  const depTypes = vendor.libExports$1.detectDepTypes(lockfile)
+  const purls = Object.keys(depTypes).map(id => `pkg:npm/${id}`)
+  return await getAlertsMapFromPurls(purls, {
+    overrides: lockfile.overrides,
+    ...options
+  })
 }
-async function getAlertsMapFromArborist(arb, options_) {
+async function getAlertsMapFromPurls(purls, options_) {
   const options = {
     __proto__: null,
     consolidate: false,
@@ -1958,35 +2100,17 @@ async function getAlertsMapFromArborist(arb, options_) {
     ...options.include
   }
   const { spinner } = options
-  const needInfoOn = getDetailsFromDiff(arb.diff, {
-    include: {
-      unchanged: include.existing
-    }
-  })
-  const pkgIds = arrays.arrayUnique(needInfoOn.map(d => d.node.pkgid))
-  let { length: remaining } = pkgIds
+  const uniqPurls = arrays.arrayUnique(purls)
+  let { length: remaining } = uniqPurls
   const alertsByPkgId = new Map()
   if (!remaining) {
     return alertsByPkgId
   }
   const getText = () => `Looking up data for ${remaining} packages`
   spinner?.start(getText())
-  let overrides
-  const overridesMap = (
-    arb.actualTree ??
-    arb.idealTree ??
-    (await arb.loadActual())
-  )?.overrides?.children
-  if (overridesMap) {
-    overrides = Object.fromEntries(
-      [...overridesMap.entries()].map(([key, overrideSet]) => {
-        return [key, overrideSet.value]
-      })
-    )
-  }
   const sockSdk = await setupSdk(getPublicToken())
   const toAlertsMapOptions = {
-    overrides,
+    overrides: options.overrides,
     consolidate: options.consolidate,
     include,
     spinner
@@ -2007,8 +2131,8 @@ async function getAlertsMapFromArborist(arb, options_) {
           })
     },
     {
-      components: pkgIds.map(id => ({
-        purl: `pkg:npm/${id}`
+      components: uniqPurls.map(purl => ({
+        purl
       }))
     }
   )) {
@@ -2034,116 +2158,6 @@ async function getAlertsMapFromArborist(arb, options_) {
   spinner?.stop()
   return alertsByPkgId
 }
-function isTopLevel(tree, node) {
-  return tree.children.get(node.name) === node
-}
-function updateNode(
-  node,
-  packument,
-  vulnerableVersionRange,
-  firstPatchedVersionIdentifier
-) {
-  const availableVersions = Object.keys(packument.versions)
-  // Find the highest non-vulnerable version within the same major range
-  const targetVersion = findBestPatchVersion(
-    node,
-    availableVersions,
-    vulnerableVersionRange
-  )
-  const targetPackument = targetVersion
-    ? packument.versions[targetVersion]
-    : undefined
-  // Check !targetVersion to make TypeScript happy.
-  if (!targetVersion || !targetPackument) {
-    // No suitable patch version found.
-    return false
-  }
-  // Object.defineProperty is needed to set the version property and replace
-  // the old value with targetVersion.
-  Object.defineProperty(node, 'version', {
-    configurable: true,
-    enumerable: true,
-    get: () => targetVersion
-  })
-  // Update package.version associated with the node.
-  node.package.version = targetVersion
-  // Update node.resolved.
-  const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${node.name}`)
-  node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${targetVersion}.tgz`
-  // Update node.integrity with the targetPackument.dist.integrity value if available
-  // else delete node.integrity so a new value is resolved for the target version.
-  const { integrity } = targetPackument.dist
-  if (integrity) {
-    node.integrity = integrity
-  } else {
-    delete node.integrity
-  }
-  // Update node.package.deprecated based on targetPackument.deprecated.
-  if (objects.hasOwn(targetPackument, 'deprecated')) {
-    node.package['deprecated'] = targetPackument.deprecated
-  } else {
-    delete node.package['deprecated']
-  }
-  // Update node.package.dependencies.
-  const newDeps = {
-    ...targetPackument.dependencies
-  }
-  const { dependencies: oldDeps } = node.package
-  node.package.dependencies = newDeps
-  if (oldDeps) {
-    for (const oldDepName of Object.keys(oldDeps)) {
-      if (!objects.hasOwn(newDeps, oldDepName)) {
-        // Detach old edges for dependencies that don't exist on the updated
-        // node.package.dependencies.
-        node.edgesOut.get(oldDepName)?.detach()
-      }
-    }
-  }
-  for (const newDepName of Object.keys(newDeps)) {
-    if (!objects.hasOwn(oldDeps, newDepName)) {
-      // Add new edges for dependencies that don't exist on the old
-      // node.package.dependencies.
-      node.addEdgeOut(
-        new Edge({
-          from: node,
-          name: newDepName,
-          spec: newDeps[newDepName],
-          type: 'prod'
-        })
-      )
-    }
-  }
-  return true
-}
-function updatePackageJsonFromNode(
-  editablePkgJson,
-  tree,
-  node,
-  targetVersion,
-  rangeStyle
-) {
-  if (isTopLevel(tree, node)) {
-    const { name } = node
-    for (const depField of [
-      'dependencies',
-      'optionalDependencies',
-      'peerDependencies'
-    ]) {
-      const oldValue = editablePkgJson.content[depField]
-      if (oldValue) {
-        const refRange = oldValue[name]
-        if (refRange) {
-          editablePkgJson.update({
-            [depField]: {
-              ...oldValue,
-              [name]: applyRange(refRange, targetVersion, rangeStyle)
-            }
-          })
-        }
-      }
-    }
-  }
-}
 
 const {
   NPM,
@@ -2222,7 +2236,7 @@ class SafeArborist extends Arborist {
         ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
         progress: false
       },
-      // @ts-ignore: TS gets grumpy about rest parameters.
+      // @ts-ignore: TypeScript gets grumpy about rest parameters.
       ...args.slice(1)
     )
     // Lazily access constants.ENV[SOCKET_CLI_ACCEPT_RISKS].
@@ -2260,7 +2274,7 @@ class SafeArborist extends Arborist {
         hideAt: viewAllRisks ? 'none' : 'middle',
         output: process$1.stderr
       })
-      throw new Error(vendor.stripIndents`
+      throw new Error(vendor.html`
           Socket ${binName} exiting due to risks.${viewAllRisks ? '' : `\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`}${acceptRisks ? '' : `\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`}
         `)
     } else if (!options['silent']) {
@@ -2304,9 +2318,7 @@ exports.RangeStyles = RangeStyles
 exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES =
   SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
 exports.SafeArborist = SafeArborist
-exports.addArtifactToAlertsMap = addArtifactToAlertsMap
 exports.applyRange = applyRange
-exports.assignDefaultFixOptions = assignDefaultFixOptions
 exports.captureException = captureException
 exports.findBestPatchVersion = findBestPatchVersion
 exports.findPackageNode = findPackageNode
@@ -2314,6 +2326,8 @@ exports.findPackageNodes = findPackageNodes
 exports.findUp = findUp
 exports.formatSeverityCount = formatSeverityCount
 exports.getAlertsMapFromArborist = getAlertsMapFromArborist
+exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile
+exports.getAlertsMapFromPurls = getAlertsMapFromPurls
 exports.getConfigValue = getConfigValue
 exports.getCveInfoByAlertsMap = getCveInfoByAlertsMap
 exports.getDefaultToken = getDefaultToken
@@ -2333,5 +2347,5 @@ exports.supportedConfigKeys = supportedConfigKeys
 exports.updateConfigValue = updateConfigValue
 exports.updateNode = updateNode
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode
-//# debugId=5e56549f-4b4f-499a-9a57-6c490f9f653d
+//# debugId=3e95ade4-7c46-4ebf-8b3a-87daba9d5c80
 //# sourceMappingURL=shadow-npm-inject.js.map