@socketsecurity/cli-with-sentry 0.14.123 → 0.14.125

package/dist/instrument-with-sentry.js

@@ -41,7 +41,7 @@ const relConstantsPath = './constants'
   Sentry.setTag(
     'version',
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
-    '0.14.123:ac83b62:6bf8f885:pub'
+    '0.14.125:11530dd:4065fadc:pub'
   )
   const constants = require(relConstantsPath)
   if (constants.ENV.SOCKET_CLI_DEBUG) {
@@ -56,5 +56,5 @@ const relConstantsPath = './constants'
   } = constants
   setSentry(Sentry)
 }
-//# debugId=73287fc2-b2fe-4793-8310-d084716f176a
+//# debugId=c1ddbf6d-9662-4963-8b89-6c5e285bcd37
 //# sourceMappingURL=instrument-with-sentry.js.map

package/dist/instrument-with-sentry.js.map

@@ -1 +1 @@
-{"version":3,"file":"instrument-with-sentry.js","sources":["../../src/instrument-with-sentry.ts"],"sourcesContent":["// This should ONLY be included in the special Sentry build!\n// Otherwise the Sentry dependency won't even be present in the manifest.\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\n// Require constants with require(relConstantsPath) instead of require('./constants')\n// so Rollup doesn't generate a constants2.js chunk.\nconst relConstantsPath = './constants'\n// The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\nif (process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']) {\n  const Sentry = require('@sentry/node')\n  Sentry.init({\n    onFatalError(error: Error) {\n      // Defer module loads until after Sentry.init is called.\n      if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n        logger.fail('[DEBUG] [Sentry onFatalError]:', error)\n      }\n    },\n    dsn: 'https://66736701db8e4ffac046bd09fa6aaced@o555220.ingest.us.sentry.io/4508846967619585',\n    enabled: true,\n    integrations: []\n  })\n  Sentry.setTag(\n    'environment',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n    process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\n      ? 'pub'\n      : // The NODE_ENV convention is used by apps to define the runtime environment.\n        // https://nodejs.org/en/learn/getting-started/nodejs-the-difference-between-development-and-production\n        process.env['NODE_ENV']\n  )\n  Sentry.setTag(\n    'version',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n    process.env['INLINED_SOCKET_CLI_VERSION_HASH']\n  )\n  const constants = require(relConstantsPath)\n  if (constants.ENV.SOCKET_CLI_DEBUG) {\n    Sentry.setTag('debugging', true)\n    logger.log('[DEBUG] Set up Sentry.')\n  } else {\n    Sentry.setTag('debugging', false)\n  }\n  const {\n    kInternalsSymbol,\n    [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { setSentry }\n  } = constants\n  setSentry(Sentry)\n} else if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n  logger.log('[DEBUG] Sentry disabled explicitly.')\n}\n"],"names":["logger","dsn","enabled","integrations","process","Sentry","setSentry"],"mappings":";;;;;;;;;;;;;;;AAAA;AACA;;;AAIA;AACA;AACA;AACA;AACoD;AAClD;;;AAGI;;AAEEA;AACF;;AAEFC;AACAC;AACAC;AACF;;AAGE;AACAC;;AAQA;AACAA;AAEF;AACA;AACEC;AACAL;AACF;AACEK;AACF;;;AAGE;AAA+DC;AAAU;AAC3E;;AAEF","debugId":"73287fc2-b2fe-4793-8310-d084716f176a"}
+{"version":3,"file":"instrument-with-sentry.js","sources":["../../src/instrument-with-sentry.ts"],"sourcesContent":["// This should ONLY be included in the special Sentry build!\n// Otherwise the Sentry dependency won't even be present in the manifest.\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\n// Require constants with require(relConstantsPath) instead of require('./constants')\n// so Rollup doesn't generate a constants2.js chunk.\nconst relConstantsPath = './constants'\n// The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\nif (process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']) {\n  const Sentry = require('@sentry/node')\n  Sentry.init({\n    onFatalError(error: Error) {\n      // Defer module loads until after Sentry.init is called.\n      if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n        logger.fail('[DEBUG] [Sentry onFatalError]:', error)\n      }\n    },\n    dsn: 'https://66736701db8e4ffac046bd09fa6aaced@o555220.ingest.us.sentry.io/4508846967619585',\n    enabled: true,\n    integrations: []\n  })\n  Sentry.setTag(\n    'environment',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n    process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\n      ? 'pub'\n      : // The NODE_ENV convention is used by apps to define the runtime environment.\n        // https://nodejs.org/en/learn/getting-started/nodejs-the-difference-between-development-and-production\n        process.env['NODE_ENV']\n  )\n  Sentry.setTag(\n    'version',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n    process.env['INLINED_SOCKET_CLI_VERSION_HASH']\n  )\n  const constants = require(relConstantsPath)\n  if (constants.ENV.SOCKET_CLI_DEBUG) {\n    Sentry.setTag('debugging', true)\n    logger.log('[DEBUG] Set up Sentry.')\n  } else {\n    Sentry.setTag('debugging', false)\n  }\n  const {\n    kInternalsSymbol,\n    [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { setSentry }\n  } = constants\n  setSentry(Sentry)\n} else if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n  logger.log('[DEBUG] Sentry disabled explicitly.')\n}\n"],"names":["logger","dsn","enabled","integrations","process","Sentry","setSentry"],"mappings":";;;;;;;;;;;;;;;AAAA;AACA;;;AAIA;AACA;AACA;AACA;AACoD;AAClD;;;AAGI;;AAEEA;AACF;;AAEFC;AACAC;AACAC;AACF;;AAGE;AACAC;;AAQA;AACAA;AAEF;AACA;AACEC;AACAL;AACF;AACEK;AACF;;;AAGE;AAA+DC;AAAU;AAC3E;;AAEF","debugId":"c1ddbf6d-9662-4963-8b89-6c5e285bcd37"}

package/dist/module-sync/cli.js

@@ -917,7 +917,7 @@ function emitBanner(name) {
   logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-  const cliVersion = '0.14.123:ac83b62:6bf8f885:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  const cliVersion = '0.14.125:11530dd:4065fadc:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
   const nodeVersion = process$1.version
   const apiToken = shadowNpmInject.getDefaultToken()
   const defaultOrg = shadowNpmInject.getConfigValue('defaultOrg')
@@ -3739,7 +3739,7 @@ function getPkgNameFromPurlObj(purlObj) {
 function getBaseGitBranch() {
   // Lazily access constants.ENV[GITHUB_REF_NAME].
   return (
-    constants.ENV[GITHUB_REF_NAME] ??
+    constants.ENV[GITHUB_REF_NAME] ||
     // GitHub defaults to branch name "main"
     // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
     'main'
@@ -3858,16 +3858,6 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
   const rawFiles = stdout?.trim().split('\n') ?? []
   return rawFiles.map(relPath => path.normalizePath(relPath))
 }
-async function isInGitRepo(cwd = process.cwd()) {
-  try {
-    await spawn.spawn('git', ['rev-parse', '--is-inside-work-tree'], {
-      cwd,
-      stdio: 'ignore'
-    })
-    return true
-  } catch {}
-  return false
-}
 
 const { GITHUB_ACTIONS, GITHUB_REPOSITORY, SOCKET_SECURITY_GITHUB_PAT } =
   constants
@@ -4054,10 +4044,10 @@ async function npmFix(
 
   // Lazily access constants.ENV[CI].
   const isCi = constants.ENV[CI$1]
-  const { 0: isRepo, 1: workspacePkgJsonPaths } = await Promise.all([
-    isInGitRepo(cwd),
-    shadowNpmInject.globWorkspace(pkgEnvDetails.agent, rootPath)
-  ])
+  const workspacePkgJsonPaths = await shadowNpmInject.globWorkspace(
+    pkgEnvDetails.agent,
+    rootPath
+  )
   const pkgJsonPaths = [
     ...workspacePkgJsonPaths,
     // Process the workspace root last since it will add an override to package.json.
@@ -4075,7 +4065,7 @@ async function npmFix(
     const oldVersions = arrays.arrayUnique(
       shadowNpmInject
         .findPackageNodes(arb.idealTree, name)
-        .map(n => n.version)
+        .map(n => n.target?.version ?? n.version)
         .filter(Boolean)
     )
     const packument =
@@ -4190,7 +4180,6 @@ async function npmFix(
           )
           let error
           let errored = false
-          let installed = false
           let saved = false
 
           // eslint-disable-next-line no-await-in-loop
@@ -4206,7 +4195,6 @@ async function npmFix(
             await install$1(arb.idealTree, {
               cwd
             })
-            installed = true
             if (test) {
               if (!testedSpecs.has(newSpecKey)) {
                 testedSpecs.add(newSpecKey)
@@ -4272,15 +4260,15 @@ async function npmFix(
             // eslint-disable-next-line no-await-in-loop
             await Promise.all([
               shadowNpmInject.removeNodeModules(cwd),
-              ...(isRepo ? [gitHardReset(cwd)] : []),
-              ...(saved && !isRepo ? [editablePkgJson.save()] : [])
+              ...(isCi
+                ? [gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)]
+                : []),
+              ...(saved && !isCi ? [editablePkgJson.save()] : [])
             ])
-            if (!isRepo && installed) {
-              // eslint-disable-next-line no-await-in-loop
-              await install$1(revertTree, {
-                cwd
-              })
-            }
+            // eslint-disable-next-line no-await-in-loop
+            await install$1(revertTree, {
+              cwd
+            })
             if (errored) {
               if (!failedSpecs.has(newSpecKey)) {
                 failedSpecs.add(newSpecKey)
@@ -4480,37 +4468,34 @@ async function pnpmFix(
 
   // Lazily access constants.ENV[CI].
   const isCi = constants.ENV[CI]
-  const { 0: isRepo, 1: workspacePkgJsonPaths } = await Promise.all([
-    isInGitRepo(cwd),
-    shadowNpmInject.globWorkspace(pkgEnvDetails.agent, rootPath)
-  ])
+  const workspacePkgJsonPaths = await shadowNpmInject.globWorkspace(
+    pkgEnvDetails.agent,
+    rootPath
+  )
+  const baseBranch = isCi ? getBaseGitBranch() : ''
+  const { owner, repo } = isCi
+    ? getGitHubEnvRepoInfo()
+    : {
+        owner: '',
+        repo: ''
+      }
   const pkgJsonPaths = [
     ...workspacePkgJsonPaths,
     // Process the workspace root last since it will add an override to package.json.
     pkgEnvDetails.editablePkgJson.filename
   ]
-  let actualTree
+  let actualTree = await getActualTree(cwd)
   for (const { 0: name, 1: infos } of infoByPkg) {
     if (registry.getManifestData(NPM$c, name)) {
       spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
       continue
     }
-    // eslint-disable-next-line no-await-in-loop
-    await Promise.all([
-      shadowNpmInject.removeNodeModules(cwd),
-      ...(isRepo ? [gitHardReset(cwd)] : [])
-    ])
-    // eslint-disable-next-line no-await-in-loop
-    actualTree = await install(pkgEnvDetails, {
-      spinner
-    })
     const oldVersions = arrays.arrayUnique(
       shadowNpmInject
         .findPackageNodes(actualTree, name)
-        .map(n => n.version)
+        .map(n => n.target?.version ?? n.version)
         .filter(Boolean)
     )
-    debug.debugLog(name, 'oldVersions', oldVersions)
     const packument =
       oldVersions.length && infos.length
         ? // eslint-disable-next-line no-await-in-loop
@@ -4519,41 +4504,43 @@ async function pnpmFix(
     if (!packument) {
       continue
     }
-    const failedSpecs = new Set()
     const fixedSpecs = new Set()
-    const installedSpecs = new Set()
-    const testedSpecs = new Set()
-    const unavailableSpecs = new Set()
-    const revertedSpecs = new Set()
     for (const pkgJsonPath of pkgJsonPaths) {
+      // Re-read actualTree to avoid lockfile state issues
+      // eslint-disable-next-line no-await-in-loop
+      actualTree = await getActualTree(cwd)
+      const pkgPath = path$1.dirname(pkgJsonPath)
+      const isWorkspaceRoot =
+        pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
+      const workspaceName = isWorkspaceRoot
+        ? 'root'
+        : path$1.relative(rootPath, pkgPath)
+      const editablePkgJson = isWorkspaceRoot
+        ? pkgEnvDetails.editablePkgJson
+        : // eslint-disable-next-line no-await-in-loop
+          await packages.readPackageJson(pkgJsonPath, {
+            editable: true
+          })
+
+      // Get current overrides for revert logic
+      const oldPnpmSection = editablePkgJson.content[PNPM$8]
+      const oldOverrides = oldPnpmSection?.[OVERRIDES$2]
       for (const oldVersion of oldVersions) {
         const oldSpec = `${name}@${oldVersion}`
         const oldPurl = `pkg:npm/${oldSpec}`
+        const node = shadowNpmInject.findPackageNode(
+          actualTree,
+          name,
+          oldVersion
+        )
+        if (!node) {
+          debug.debugLog(`Skipping ${oldSpec}, no node found in ${pkgJsonPath}`)
+          continue
+        }
         for (const {
           firstPatchedVersionIdentifier,
           vulnerableVersionRange
         } of infos) {
-          // eslint-disable-next-line no-await-in-loop
-          await Promise.all([
-            shadowNpmInject.removeNodeModules(cwd),
-            ...(isRepo ? [gitHardReset(cwd)] : [])
-          ])
-          // eslint-disable-next-line no-await-in-loop
-          actualTree = await install(pkgEnvDetails, {
-            spinner
-          })
-          const node = shadowNpmInject.findPackageNode(
-            actualTree,
-            name,
-            oldVersion
-          )
-          if (!node) {
-            debug.debugLog(
-              `Skipping ${oldSpec}, no node found in arborist.actualTree`,
-              pkgJsonPath
-            )
-            continue
-          }
           const availableVersions = Object.keys(packument.versions)
           const newVersion = shadowNpmInject.findBestPatchVersion(
             node,
@@ -4564,30 +4551,9 @@ async function pnpmFix(
             ? packument.versions[newVersion]
             : undefined
           if (!(newVersion && newVersionPackument)) {
-            if (!unavailableSpecs.has(oldSpec)) {
-              unavailableSpecs.add(oldSpec)
-              spinner?.fail(`No update available for ${oldSpec}`)
-            }
+            spinner?.fail(`No update available for ${oldSpec}`)
             continue
           }
-          const isWorkspaceRoot =
-            pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
-          const workspaceName = isWorkspaceRoot
-            ? ''
-            : path$1.relative(rootPath, path$1.dirname(pkgJsonPath))
-          const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
-          const editablePkgJson = isWorkspaceRoot
-            ? pkgEnvDetails.editablePkgJson
-            : // eslint-disable-next-line no-await-in-loop
-              await packages.readPackageJson(pkgJsonPath, {
-                editable: true
-              })
-          const oldPnpm = editablePkgJson.content[PNPM$8]
-          const oldPnpmKeyCount = oldPnpm ? Object.keys(oldPnpm).length : 0
-          const oldOverrides = oldPnpm?.[OVERRIDES$2]
-          const oldOverridesCount = oldOverrides
-            ? Object.keys(oldOverrides).length
-            : 0
           const overrideKey = `${name}@${vulnerableVersionRange}`
           const newVersionRange = shadowNpmInject.applyRange(
             oldOverrides?.[overrideKey] ?? oldVersion,
@@ -4595,14 +4561,20 @@ async function pnpmFix(
             rangeStyle
           )
           const newSpec = `${name}@${newVersionRange}`
-          const newSpecKey = `${workspaceName ? `${workspaceName}>` : ''}${newSpec}`
+          const newSpecKey = `${workspaceName}:${newSpec}`
+          if (fixedSpecs.has(newSpecKey)) {
+            debug.debugLog(
+              `Already fixed ${newSpec} in ${workspaceName}, skipping`
+            )
+            continue
+          }
           const updateData = isWorkspaceRoot
             ? {
                 [PNPM$8]: {
-                  ...oldPnpm,
+                  ...oldPnpmSection,
                   [OVERRIDES$2]: {
-                    [overrideKey]: newVersionRange,
-                    ...oldOverrides
+                    ...oldOverrides,
+                    [overrideKey]: newVersionRange
                   }
                 }
               }
@@ -4610,54 +4582,27 @@ async function pnpmFix(
           const revertData = {
             ...(isWorkspaceRoot
               ? {
-                  [PNPM$8]: oldPnpmKeyCount
-                    ? {
-                        ...oldPnpm,
-                        [OVERRIDES$2]:
-                          oldOverridesCount === 1
-                            ? undefined
-                            : {
-                                [overrideKey]: undefined,
-                                ...oldOverrides
-                              }
-                      }
-                    : undefined
+                  [PNPM$8]: {
+                    ...oldPnpmSection,
+                    [OVERRIDES$2]:
+                      oldOverrides && Object.keys(oldOverrides).length > 1
+                        ? {
+                            ...oldOverrides,
+                            [overrideKey]: undefined
+                          }
+                        : undefined
+                  }
                 }
               : {}),
-            ...(editablePkgJson.content.dependencies
-              ? {
-                  dependencies: editablePkgJson.content.dependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.optionalDependencies
-              ? {
-                  optionalDependencies:
-                    editablePkgJson.content.optionalDependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.peerDependencies
-              ? {
-                  peerDependencies: editablePkgJson.content.peerDependencies
-                }
-              : undefined)
-          }
-          const branch = isCi
-            ? getSocketBranchName(oldPurl, newVersion, workspaceName)
-            : ''
-          const baseBranch = isCi ? getBaseGitBranch() : ''
-          const { owner, repo } = isCi
-            ? getGitHubEnvRepoInfo()
-            : {
-                owner: '',
-                repo: ''
-              }
-          const shouldOpenPr = isCi
-            ? // eslint-disable-next-line no-await-in-loop
-              !(await doesPullRequestExistForBranch(owner, repo, branch))
-            : false
-          if (isCi) {
-            // eslint-disable-next-line no-await-in-loop
-            await gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)
+            ...(editablePkgJson.content.dependencies && {
+              dependencies: editablePkgJson.content.dependencies
+            }),
+            ...(editablePkgJson.content.optionalDependencies && {
+              optionalDependencies: editablePkgJson.content.optionalDependencies
+            }),
+            ...(editablePkgJson.content.peerDependencies && {
+              peerDependencies: editablePkgJson.content.peerDependencies
+            })
           }
           if (updateData) {
             editablePkgJson.update(updateData)
@@ -4670,107 +4615,99 @@ async function pnpmFix(
             rangeStyle
           )
           debug.debugLog(`Updated package.json from node: ${modded}`)
-          let error
-          let errored = false
-          let installed = false
 
           // eslint-disable-next-line no-await-in-loop
           if (!(await editablePkgJson.save())) {
             debug.debugLog(
-              `Skipping nothing changed in ${editablePkgJson.filename}`
+              `No changes saved for ${pkgJsonPath}, skipping install`
             )
             continue
           }
-          if (!installedSpecs.has(newSpecKey)) {
-            installedSpecs.add(newSpecKey)
-            spinner?.info(`Installing ${newSpec}${workspaceDetails}`)
-          }
+          spinner?.info(`Installing ${newSpec} in ${workspaceName}`)
+          let errored = false
+          let error
           try {
             // eslint-disable-next-line no-await-in-loop
             actualTree = await install(pkgEnvDetails, {
               spinner
             })
-            installed = true
             if (test) {
-              if (!testedSpecs.has(newSpecKey)) {
-                testedSpecs.add(newSpecKey)
-                spinner?.info(`Testing ${newSpec}${workspaceDetails}`)
-              }
+              spinner?.info(`Testing ${newSpec} in ${workspaceName}`)
               // eslint-disable-next-line no-await-in-loop
               await npm.runScript(testScript, [], {
                 spinner,
                 stdio: 'ignore'
               })
             }
-            if (!fixedSpecs.has(newSpecKey)) {
-              fixedSpecs.add(newSpecKey)
-              spinner?.successAndStop(`Fixed ${name}${workspaceDetails}`)
-              spinner?.start()
-            }
-          } catch (e) {
-            error = e
-            errored = true
-          }
-          if (
-            !errored &&
-            shouldOpenPr &&
-            // eslint-disable-next-line no-await-in-loop
-            (await gitCreateAndPushBranchIfNeeded(
-              branch,
-              getSocketCommitMessage(oldPurl, newVersion, workspaceName),
-              cwd
-            ))
-          ) {
-            // eslint-disable-next-line no-await-in-loop
-            const prResponse = await openGitHubPullRequest(
-              owner,
-              repo,
-              baseBranch,
-              branch,
+            fixedSpecs.add(newSpecKey)
+            spinner?.successAndStop(`Fixed ${name} in ${workspaceName}`)
+            spinner?.start()
+            const branch = getSocketBranchName(
               oldPurl,
               newVersion,
-              {
-                cwd,
-                workspaceName
-              }
+              workspaceName
             )
-            if (prResponse) {
-              const { data } = prResponse
-              spinner?.info(`PR #${data.number} opened.`)
-              if (autoMerge) {
-                // eslint-disable-next-line no-await-in-loop
-                await enableAutoMerge(data)
+            const shouldOpenPr = isCi
+              ? // eslint-disable-next-line no-await-in-loop
+                !(await doesPullRequestExistForBranch(owner, repo, branch))
+              : false
+            if (
+              isCi &&
+              shouldOpenPr &&
+              // eslint-disable-next-line no-await-in-loop
+              (await gitCreateAndPushBranchIfNeeded(
+                branch,
+                getSocketCommitMessage(oldPurl, newVersion, workspaceName),
+                cwd
+              ))
+            ) {
+              // eslint-disable-next-line no-await-in-loop
+              const prResponse = await openGitHubPullRequest(
+                owner,
+                repo,
+                baseBranch,
+                branch,
+                oldPurl,
+                newVersion,
+                {
+                  cwd,
+                  workspaceName
+                }
+              )
+              if (prResponse) {
+                const { data } = prResponse
+                spinner?.info(`PR #${data.number} opened.`)
+                if (autoMerge) {
+                  // eslint-disable-next-line no-await-in-loop
+                  await enableAutoMerge(data)
+                }
               }
             }
+          } catch (e) {
+            error = e
+            errored = true
           }
           if (errored || isCi) {
-            if (errored) {
-              if (!revertedSpecs.has(newSpecKey)) {
-                revertedSpecs.add(newSpecKey)
-                spinner?.error(`Reverting ${newSpec}${workspaceDetails}`, error)
-              }
-            }
             editablePkgJson.update(revertData)
+
             // eslint-disable-next-line no-await-in-loop
             await Promise.all([
               shadowNpmInject.removeNodeModules(cwd),
-              ...(isRepo
-                ? [gitHardReset(cwd)]
-                : installed
-                  ? [editablePkgJson.save()]
-                  : [])
+              ...(isCi
+                ? [gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)]
+                : []),
+              ...(isCi ? [] : [editablePkgJson.save()])
             ])
+
             // eslint-disable-next-line no-await-in-loop
             actualTree = await install(pkgEnvDetails, {
               spinner
             })
             if (errored) {
-              if (!failedSpecs.has(newSpecKey)) {
-                failedSpecs.add(newSpecKey)
-                spinner?.failAndStop(
-                  `Update failed for ${oldSpec}${workspaceDetails}`
-                )
-              }
+              spinner?.failAndStop(
+                `Update failed for ${oldSpec} in ${workspaceName}`,
+                error
+              )
             }
           }
         }
@@ -12345,7 +12282,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: '0.14.123',
+    version: '0.14.125',
     ttl: 86_400_000 /* 24 hours in milliseconds */
   })
   try {
@@ -12413,5 +12350,5 @@ void (async () => {
     await shadowNpmInject.captureException(e)
   }
 })()
-//# debugId=645892ec-7104-4af0-915a-c1219b90c91c
+//# debugId=67b97c4d-7bde-463e-9396-0773b05c0b3a
 //# sourceMappingURL=cli.js.map