@socketsecurity/cli-with-sentry 0.14.134 → 0.14.136

package/dist/instrument-with-sentry.js

@@ -30,7 +30,7 @@ const relConstantsPath = './constants'
   Sentry.setTag(
     'version',
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
-    '0.14.134:c664da6:7e80f505:pub'
+    '0.14.136:113c579:70b9ca75:pub'
   )
   const constants = require(relConstantsPath)
   if (constants.ENV.SOCKET_CLI_DEBUG) {
@@ -45,5 +45,5 @@ const relConstantsPath = './constants'
   } = constants
   setSentry(Sentry)
 }
-//# debugId=f4ea1bb5-ee15-4115-b62f-342021fa364a
+//# debugId=539c1f71-3119-4172-9a80-62d22fb2c66f
 //# sourceMappingURL=instrument-with-sentry.js.map

package/dist/instrument-with-sentry.js.map

@@ -1 +1 @@
-{"version":3,"file":"instrument-with-sentry.js","sources":["../src/instrument-with-sentry.ts"],"sourcesContent":["// This should ONLY be included in the special Sentry build!\n// Otherwise the Sentry dependency won't even be present in the manifest.\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\n// Require constants with require(relConstantsPath) instead of require('./constants')\n// so Rollup doesn't generate a constants2.js chunk.\nconst relConstantsPath = './constants'\n// The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\nif (process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']) {\n  const Sentry = require('@sentry/node')\n  Sentry.init({\n    onFatalError(error: Error) {\n      // Defer module loads until after Sentry.init is called.\n      if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n        logger.fail('[DEBUG] [Sentry onFatalError]:', error)\n      }\n    },\n    dsn: 'https://66736701db8e4ffac046bd09fa6aaced@o555220.ingest.us.sentry.io/4508846967619585',\n    enabled: true,\n    integrations: []\n  })\n  Sentry.setTag(\n    'environment',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n    process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\n      ? 'pub'\n      : // The NODE_ENV convention is used by apps to define the runtime environment.\n        // https://nodejs.org/en/learn/getting-started/nodejs-the-difference-between-development-and-production\n        process.env['NODE_ENV']\n  )\n  Sentry.setTag(\n    'version',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n    process.env['INLINED_SOCKET_CLI_VERSION_HASH']\n  )\n  const constants = require(relConstantsPath)\n  if (constants.ENV.SOCKET_CLI_DEBUG) {\n    Sentry.setTag('debugging', true)\n    logger.log('[DEBUG] Set up Sentry.')\n  } else {\n    Sentry.setTag('debugging', false)\n  }\n  const {\n    kInternalsSymbol,\n    [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { setSentry }\n  } = constants\n  setSentry(Sentry)\n} else if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n  logger.log('[DEBUG] Sentry disabled explicitly.')\n}\n"],"names":["logger","dsn","enabled","integrations","process","Sentry","setSentry"],"mappings":";;;;AAAA;AACA;;;AAIA;AACA;AACA;AACA;AACoD;AAClD;;;AAGI;;AAEEA;AACF;;AAEFC;AACAC;AACAC;AACF;;AAGE;AACAC;;AAQA;AACAA;AAEF;AACA;AACEC;AACAL;AACF;AACEK;AACF;;;AAGE;AAA+DC;AAAU;AAC3E;;AAEF","debugId":"f4ea1bb5-ee15-4115-b62f-342021fa364a"}
+{"version":3,"file":"instrument-with-sentry.js","sources":["../src/instrument-with-sentry.ts"],"sourcesContent":["// This should ONLY be included in the special Sentry build!\n// Otherwise the Sentry dependency won't even be present in the manifest.\n\nimport { logger } from '@socketsecurity/registry/lib/logger'\n\n// Require constants with require(relConstantsPath) instead of require('./constants')\n// so Rollup doesn't generate a constants2.js chunk.\nconst relConstantsPath = './constants'\n// The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\".\nif (process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']) {\n  const Sentry = require('@sentry/node')\n  Sentry.init({\n    onFatalError(error: Error) {\n      // Defer module loads until after Sentry.init is called.\n      if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n        logger.fail('[DEBUG] [Sentry onFatalError]:', error)\n      }\n    },\n    dsn: 'https://66736701db8e4ffac046bd09fa6aaced@o555220.ingest.us.sentry.io/4508846967619585',\n    enabled: true,\n    integrations: []\n  })\n  Sentry.setTag(\n    'environment',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\".\n    process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']\n      ? 'pub'\n      : // The NODE_ENV convention is used by apps to define the runtime environment.\n        // https://nodejs.org/en/learn/getting-started/nodejs-the-difference-between-development-and-production\n        process.env['NODE_ENV']\n  )\n  Sentry.setTag(\n    'version',\n    // The '@rollup/plugin-replace' will replace \"process.env['INLINED_SOCKET_CLI_VERSION_HASH']\".\n    process.env['INLINED_SOCKET_CLI_VERSION_HASH']\n  )\n  const constants = require(relConstantsPath)\n  if (constants.ENV.SOCKET_CLI_DEBUG) {\n    Sentry.setTag('debugging', true)\n    logger.log('[DEBUG] Set up Sentry.')\n  } else {\n    Sentry.setTag('debugging', false)\n  }\n  const {\n    kInternalsSymbol,\n    [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { setSentry }\n  } = constants\n  setSentry(Sentry)\n} else if (require(relConstantsPath).ENV.SOCKET_CLI_DEBUG) {\n  logger.log('[DEBUG] Sentry disabled explicitly.')\n}\n"],"names":["logger","dsn","enabled","integrations","process","Sentry","setSentry"],"mappings":";;;;AAAA;AACA;;;AAIA;AACA;AACA;AACA;AACoD;AAClD;;;AAGI;;AAEEA;AACF;;AAEFC;AACAC;AACAC;AACF;;AAGE;AACAC;;AAQA;AACAA;AAEF;AACA;AACEC;AACAL;AACF;AACEK;AACF;;;AAGE;AAA+DC;AAAU;AAC3E;;AAEF","debugId":"539c1f71-3119-4172-9a80-62d22fb2c66f"}

package/dist/shadow-bin.js

@@ -8,57 +8,6 @@ const path = require('node:path')
 const vendor = require('./vendor.js')
 const shadowNpmPaths = require('./shadow-npm-paths.js')
 const constants = require('./constants.js')
-require('node:fs')
-require('node:os')
-require('node:fs/promises')
-require('node:buffer')
-require('node:util')
-require('node:path')
-require('node:fs')
-require('node:tty')
-require('node:https')
-require('node:http')
-require('node:url')
-require('node:process')
-require('node:events')
-require('node:http')
-require('node:https')
-require('node:readline')
-require('@socketsecurity/registry/lib/constants/abort-signal')
-require('node:util')
-require('node:url')
-require('node:fs/promises')
-require('node:child_process')
-require('node:os')
-require('node:tty')
-require('node:crypto')
-require('node:constants')
-require('node:stream')
-require('node:assert')
-require('node:stream')
-require('node:string_decoder')
-require('node:path/win32')
-require('node:module')
-require('node:events')
-require('node:buffer')
-require('node:string_decoder')
-require('node:child_process')
-require('node:module')
-require('@socketsecurity/registry/lib/logger')
-require('@socketsecurity/registry/lib/path')
-require('@socketsecurity/registry/lib/words')
-require('./shadow-npm-inject.js')
-require('@socketsecurity/registry/lib/arrays')
-require('@socketsecurity/registry')
-require('@socketsecurity/registry/lib/objects')
-require('@socketsecurity/registry/lib/constants')
-require('@socketsecurity/registry/lib/prompts')
-require('@socketsecurity/registry/lib/strings')
-require('@socketsecurity/registry/lib/fs')
-require('@socketsecurity/registry/lib/packages')
-require('node:timers/promises')
-require('@socketsecurity/registry/lib/sorts')
-require('@socketsecurity/registry/lib/env')
 
 const { CLI, NPX } = constants
 async function installLinks(realBinPath, binName) {
@@ -157,5 +106,5 @@ async function shadowBin(binName, args = process.argv.slice(2)) {
 }
 
 module.exports = shadowBin
-//# debugId=61305e42-84d7-4c37-8d89-64d659ab9d56
+//# debugId=a3ff14de-2729-4213-91d1-6f1ab7249f1d
 //# sourceMappingURL=shadow-bin.js.map

package/dist/shadow-bin.js.map

@@ -1 +1 @@
-{"version":3,"file":"shadow-bin.js","sources":["../src/shadow/npm/link.ts","../src/shadow/npm/bin.ts"],"sourcesContent":["import path from 'node:path'\nimport process from 'node:process'\n\nimport cmdShim from 'cmd-shim'\n\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed\n} from './paths'\nimport constants from '../../constants'\n\nconst { CLI, NPX } = constants\n\nexport async function installLinks(\n  realBinPath: string,\n  binName: 'npm' | 'npx'\n): Promise<string> {\n  const isNpx = binName === NPX\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  // Lazily access constants.WIN32.\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        // Lazily access constants.rootDistPath.\n        path.join(constants.rootDistPath, `${binName}-${CLI}.js`),\n        path.join(realBinPath, binName)\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${realBinPath}${path.delimiter}${env['PATH']}`\n  }\n  return binPath\n}\n","import process from 'node:process'\n\nimport { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n  isLoglevelFlag,\n  isProgressFlag\n} from '@socketsecurity/registry/lib/npm'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link'\nimport constants from '../../constants'\n\nconst { SOCKET_CLI_SAFE_BIN, SOCKET_CLI_SAFE_PROGRESS, SOCKET_IPC_HANDSHAKE } =\n  constants\n\nexport default async function shadowBin(\n  binName: 'npm' | 'npx',\n  args = process.argv.slice(2)\n) {\n  process.exitCode = 1\n  const useDebug = isDebug()\n  const terminatorPos = args.indexOf('--')\n  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const progressArg = rawBinArgs.findLast(isProgressFlag) !== '--no-progress'\n  const binArgs = rawBinArgs.filter(a => !isProgressFlag(a))\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const isSilent = !useDebug && !binArgs.some(isLoglevelFlag)\n  // The default value of loglevel is \"notice\". We default to \"error\" which is\n  // two levels quieter.\n  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeHardenFlags.\n      ...constants.nodeHardenFlags,\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      // Lazily access process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'].\n      ...(process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\n        ? [\n            '--require',\n            // Lazily access constants.distInstrumentWithSentryPath.\n            constants.distInstrumentWithSentryPath\n          ]\n        : []),\n      '--require',\n      // Lazily access constants.distShadowNpmInjectPath.\n      constants.distShadowNpmInjectPath,\n      // Lazily access constants.shadowBinPath.\n      await installLinks(constants.shadowBinPath, binName),\n      // Add '--no-progress' to fix input being swallowed by the npm spinner.\n      '--no-progress',\n      // Add '--loglevel=error' if a loglevel flag is not provided and the\n      // SOCKET_CLI_DEBUG environment variable is not truthy.\n      ...logLevelArgs,\n      ...binArgs,\n      ...otherArgs\n    ],\n    {\n      // 'inherit' + 'ipc'\n      stdio: [0, 1, 2, 'ipc']\n    }\n  )\n  // See https://nodejs.org/api/all.html#all_child_process_event-exit.\n  spawnPromise.process.on('exit', (code, signalName) => {\n    if (signalName) {\n      process.kill(process.pid, signalName)\n    } else if (code !== null) {\n      // eslint-disable-next-line n/no-process-exit\n      process.exit(code)\n    }\n  })\n  spawnPromise.process.send({\n    [SOCKET_IPC_HANDSHAKE]: {\n      [SOCKET_CLI_SAFE_BIN]: binName,\n      [SOCKET_CLI_SAFE_PROGRESS]: progressArg\n    }\n  })\n  await spawnPromise\n}\n"],"names":["NPX","WIN32","env","SOCKET_IPC_HANDSHAKE","constants","process","spawnPromise"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA;;AAAaA;AAAI;AAEV;AAIL;AACA;;AAEA;;AACQC;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;AACE;AACE;;AAIJ;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;AC9BA;;;AAAuDC;AAAqB;AAG7D;;AAKb;AACA;AACA;;AAEA;AACA;;AAEA;AACA;;;AAGE;;AAGE;;AAEA;;AAEA;;AAIM;AACAC;AAIN;AACAA;AACA;AACA;AACA;;AAEA;AACA;;AAMA;;AAEF;AAEF;;AAEE;;AAEA;AACE;AACAC;AACF;AACF;AACAC;AACE;;AAEE;AACF;AACF;AACA;AACF;;","debugId":"61305e42-84d7-4c37-8d89-64d659ab9d56"}
+{"version":3,"file":"shadow-bin.js","sources":["../src/shadow/npm/link.ts","../src/shadow/npm/bin.ts"],"sourcesContent":["import path from 'node:path'\nimport process from 'node:process'\n\nimport cmdShim from 'cmd-shim'\n\nimport {\n  getNpmBinPath,\n  getNpxBinPath,\n  isNpmBinPathShadowed,\n  isNpxBinPathShadowed\n} from './paths'\nimport constants from '../../constants'\n\nconst { CLI, NPX } = constants\n\nexport async function installLinks(\n  realBinPath: string,\n  binName: 'npm' | 'npx'\n): Promise<string> {\n  const isNpx = binName === NPX\n  // Find package manager being shadowed by this process.\n  const binPath = isNpx ? getNpxBinPath() : getNpmBinPath()\n  // Lazily access constants.WIN32.\n  const { WIN32 } = constants\n  // TODO: Is this early exit needed?\n  if (WIN32 && binPath) {\n    return binPath\n  }\n  const shadowed = isNpx ? isNpxBinPathShadowed() : isNpmBinPathShadowed()\n  // Move our bin directory to front of PATH so its found first.\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        // Lazily access constants.rootDistPath.\n        path.join(constants.rootDistPath, `${binName}-${CLI}.js`),\n        path.join(realBinPath, binName)\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${realBinPath}${path.delimiter}${env['PATH']}`\n  }\n  return binPath\n}\n","import process from 'node:process'\n\nimport { isDebug } from '@socketsecurity/registry/lib/debug'\nimport {\n  isLoglevelFlag,\n  isProgressFlag\n} from '@socketsecurity/registry/lib/npm'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link'\nimport constants from '../../constants'\n\nconst { SOCKET_CLI_SAFE_BIN, SOCKET_CLI_SAFE_PROGRESS, SOCKET_IPC_HANDSHAKE } =\n  constants\n\nexport default async function shadowBin(\n  binName: 'npm' | 'npx',\n  args = process.argv.slice(2)\n) {\n  process.exitCode = 1\n  const useDebug = isDebug()\n  const terminatorPos = args.indexOf('--')\n  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const progressArg = rawBinArgs.findLast(isProgressFlag) !== '--no-progress'\n  const binArgs = rawBinArgs.filter(a => !isProgressFlag(a))\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n  const isSilent = !useDebug && !binArgs.some(isLoglevelFlag)\n  // The default value of loglevel is \"notice\". We default to \"error\" which is\n  // two levels quieter.\n  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : []\n  const spawnPromise = spawn(\n    // Lazily access constants.execPath.\n    constants.execPath,\n    [\n      // Lazily access constants.nodeHardenFlags.\n      ...constants.nodeHardenFlags,\n      // Lazily access constants.nodeNoWarningsFlags.\n      ...constants.nodeNoWarningsFlags,\n      // Lazily access process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'].\n      ...(process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']\n        ? [\n            '--require',\n            // Lazily access constants.distInstrumentWithSentryPath.\n            constants.distInstrumentWithSentryPath\n          ]\n        : []),\n      '--require',\n      // Lazily access constants.distShadowNpmInjectPath.\n      constants.distShadowNpmInjectPath,\n      // Lazily access constants.shadowBinPath.\n      await installLinks(constants.shadowBinPath, binName),\n      // Add '--no-progress' to fix input being swallowed by the npm spinner.\n      '--no-progress',\n      // Add '--loglevel=error' if a loglevel flag is not provided and the\n      // SOCKET_CLI_DEBUG environment variable is not truthy.\n      ...logLevelArgs,\n      ...binArgs,\n      ...otherArgs\n    ],\n    {\n      // 'inherit' + 'ipc'\n      stdio: [0, 1, 2, 'ipc']\n    }\n  )\n  // See https://nodejs.org/api/all.html#all_child_process_event-exit.\n  spawnPromise.process.on('exit', (code, signalName) => {\n    if (signalName) {\n      process.kill(process.pid, signalName)\n    } else if (code !== null) {\n      // eslint-disable-next-line n/no-process-exit\n      process.exit(code)\n    }\n  })\n  spawnPromise.process.send({\n    [SOCKET_IPC_HANDSHAKE]: {\n      [SOCKET_CLI_SAFE_BIN]: binName,\n      [SOCKET_CLI_SAFE_PROGRESS]: progressArg\n    }\n  })\n  await spawnPromise\n}\n"],"names":["NPX","WIN32","env","SOCKET_IPC_HANDSHAKE","constants","process","spawnPromise"],"mappings":";;;;;;;;;;;AAaA;;AAAaA;AAAI;AAEV;AAIL;AACA;;AAEA;;AACQC;AAAM;AACd;;AAEE;AACF;;AAEA;;AAEE;AACE;AACE;;AAIJ;;AACQC;AAAI;AACZA;AACF;AACA;AACF;;AC9BA;;;AAAuDC;AAAqB;AAG7D;;AAKb;AACA;AACA;;AAEA;AACA;;AAEA;AACA;;;AAGE;;AAGE;;AAEA;;AAEA;;AAIM;AACAC;AAIN;AACAA;AACA;AACA;AACA;;AAEA;AACA;;AAMA;;AAEF;AAEF;;AAEE;;AAEA;AACE;AACAC;AACF;AACF;AACAC;AACE;;AAEE;AACF;AACF;AACA;AACF;;","debugId":"a3ff14de-2729-4213-91d1-6f1ab7249f1d"}

package/dist/shadow-npm-inject.js

@@ -6,6 +6,7 @@ const vendor = require('./vendor.js')
 const logger = require('@socketsecurity/registry/lib/logger')
 const constants = require('./constants.js')
 const arrays = require('@socketsecurity/registry/lib/arrays')
+const packages = require('@socketsecurity/registry/lib/packages')
 const registry = require('@socketsecurity/registry')
 const objects = require('@socketsecurity/registry/lib/objects')
 const debug = require('@socketsecurity/registry/lib/debug')
@@ -16,48 +17,8 @@ const fs = require('node:fs')
 const os = require('node:os')
 const path = require('node:path')
 const fs$1 = require('@socketsecurity/registry/lib/fs')
-const packages = require('@socketsecurity/registry/lib/packages')
 const promises = require('node:timers/promises')
 const sorts = require('@socketsecurity/registry/lib/sorts')
-require('node:module')
-require('@socketsecurity/registry/lib/path')
-require('@socketsecurity/registry/lib/npm')
-require('@socketsecurity/registry/lib/words')
-require('./shadow-npm-inject.js')
-require('node:fs/promises')
-require('node:buffer')
-require('node:util')
-require('node:path')
-require('node:fs')
-require('node:tty')
-require('node:https')
-require('node:http')
-require('node:url')
-require('node:process')
-require('node:events')
-require('node:http')
-require('node:https')
-require('node:readline')
-require('@socketsecurity/registry/lib/constants/abort-signal')
-require('node:util')
-require('node:url')
-require('node:fs/promises')
-require('node:child_process')
-require('node:os')
-require('node:tty')
-require('node:crypto')
-require('node:constants')
-require('node:stream')
-require('node:assert')
-require('node:stream')
-require('node:string_decoder')
-require('node:path/win32')
-require('node:module')
-require('node:events')
-require('node:buffer')
-require('node:string_decoder')
-require('node:child_process')
-require('@socketsecurity/registry/lib/env')
 
 const { NPM: NPM$3, PNPM } = constants
 const PNPM_WORKSPACE = `${PNPM}-workspace`
@@ -662,7 +623,7 @@ async function setupSdk(
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
       name: '@socketsecurity/cli',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: '0.14.134',
+      version: '0.14.136',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
       homepage: 'https://github.com/SocketDev/socket-cli'
     })
@@ -2365,10 +2326,11 @@ async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
   }
   const depTypes = vendor.libExports$1.detectDepTypes(lockfile)
   const purls = Object.keys(depTypes).map(id => {
-    const lastAtSignIndex = id.lastIndexOf('@')
-    const name = id.slice(0, lastAtSignIndex)
-    const version = id.slice(lastAtSignIndex + 1)
-    return `pkg:npm/${name}@${vendor.semverExports.coerce(version)}`
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
+      `pkg:npm/${id}`
+    )
+    const name = packages.resolvePackageName(purlObj)
+    return `pkg:npm/${name}@${vendor.semverExports.coerce(purlObj.version)}`
   })
   return await getAlertsMapFromPurls(purls, {
     overrides: lockfile.overrides,
@@ -2646,5 +2608,5 @@ exports.supportedConfigKeys = supportedConfigKeys
 exports.updateConfigValue = updateConfigValue
 exports.updateNode = updateNode
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode
-//# debugId=e0148269-7fb3-4bfb-96b4-79b980d11acd
+//# debugId=878c5317-f475-4291-9d19-41d7bb98de62
 //# sourceMappingURL=shadow-npm-inject.js.map