@socketsecurity/cli-with-sentry 0.14.154 → 0.14.155

package/dist/shadow-npm-inject.js

@@ -1,777 +1,96 @@
 'use strict'
 
 const Module = require('node:module')
-const shadowNpmPaths = require('./shadow-npm-paths.js')
-const logger = require('../external/@socketsecurity/registry/lib/logger')
+const path = require('node:path')
+const path$1 = require('../external/@socketsecurity/registry/lib/path')
 const constants = require('./constants.js')
-const arrays = require('../external/@socketsecurity/registry/lib/arrays')
+const utils = require('./utils.js')
+const logger = require('../external/@socketsecurity/registry/lib/logger')
 const vendor = require('./vendor.js')
 const registry = require('../external/@socketsecurity/registry')
 const objects = require('../external/@socketsecurity/registry/lib/objects')
-const debug = require('../external/@socketsecurity/registry/lib/debug')
-const packages = require('../external/@socketsecurity/registry/lib/packages')
-const prompts = require('../external/@socketsecurity/registry/lib/prompts')
-const strings = require('../external/@socketsecurity/registry/lib/strings')
-const fs = require('node:fs')
-const os = require('node:os')
-const path = require('node:path')
-const fs$1 = require('../external/@socketsecurity/registry/lib/fs')
-const promises = require('node:timers/promises')
-const sorts = require('../external/@socketsecurity/registry/lib/sorts')
 
 const _documentCurrentScript =
   typeof document !== 'undefined' ? document.currentScript : null
-const { NPM: NPM$3, PNPM } = constants
-const PNPM_WORKSPACE = `${PNPM}-workspace`
-const ignoredDirs = [
-  // Taken from ignore-by-default:
-  // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
-  '.git',
-  // Git repository files, see <https://git-scm.com/>
-  '.log',
-  // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
-  '.nyc_output',
-  // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
-  '.sass-cache',
-  // Cache folder for node-sass, see <https://github.com/sass/node-sass>
-  '.yarn',
-  // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
-  'bower_components',
-  // Where Bower packages are installed, see <http://bower.io/>
-  'coverage',
-  // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
-  'node_modules',
-  // Where Node modules are installed, see <https://nodejs.org/>
-  // Taken from globby:
-  // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
-  'flow-typed'
-]
-const ignoredDirPatterns = ignoredDirs.map(i => `**/${i}`)
-async function getWorkspaceGlobs(agent, cwd = process.cwd()) {
-  let workspacePatterns
-  if (agent === PNPM) {
-    for (const workspacePath of [
-      path.join(cwd, `${PNPM_WORKSPACE}.yaml`),
-      path.join(cwd, `${PNPM_WORKSPACE}.yml`)
-    ]) {
-      // eslint-disable-next-line no-await-in-loop
-      const yml = await safeReadFile(workspacePath)
-      if (yml) {
-        try {
-          workspacePatterns = vendor.distExports$1.parse(yml)?.packages
-        } catch {}
-        if (workspacePatterns) {
-          break
-        }
-      }
-    }
-  } else {
-    workspacePatterns = (
-      await packages.readPackageJson(cwd, {
-        throws: false
-      })
-    )?.['workspaces']
-  }
-  return Array.isArray(workspacePatterns)
-    ? workspacePatterns
-        .filter(strings.isNonEmptyString)
-        .map(workspacePatternToGlobPattern)
-    : []
-}
-function ignoreFileLinesToGlobPatterns(lines, filepath, cwd) {
-  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/')
-  const patterns = []
-  for (let i = 0, { length } = lines; i < length; i += 1) {
-    const pattern = lines[i].trim()
-    if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {
-      patterns.push(
-        ignorePatternToMinimatch(
-          pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/
-            ? `!${path.posix.join(base, pattern.slice(1))}`
-            : path.posix.join(base, pattern)
-        )
-      )
-    }
-  }
-  return patterns
-}
-function ignoreFileToGlobPatterns(content, filepath, cwd) {
-  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd)
-}
+const DiffAction = utils.createEnum({
+  add: 'ADD',
+  change: 'CHANGE',
+  remove: 'REMOVE'
+})
 
-// Based on `@eslint/compat` convertIgnorePatternToMinimatch.
-// Apache v2.0 licensed
-// Copyright Nicholas C. Zakas
-// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28
-function ignorePatternToMinimatch(pattern) {
-  const isNegated = pattern.startsWith('!')
-  const negatedPrefix = isNegated ? '!' : ''
-  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()
-  // Special cases.
-  if (
-    patternToTest === '' ||
-    patternToTest === '**' ||
-    patternToTest === '/**' ||
-    patternToTest === '**'
-  ) {
-    return `${negatedPrefix}${patternToTest}`
-  }
-  const firstIndexOfSlash = patternToTest.indexOf('/')
-  const matchEverywherePrefix =
-    firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1
-      ? '**/'
-      : ''
-  const patternWithoutLeadingSlash =
-    firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest
-  // Escape `{` and `(` because in gitignore patterns they are just
-  // literal characters without any specific syntactic meaning,
-  // while in minimatch patterns they can form brace expansion or extglob syntax.
-  //
-  // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.
-  // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.
-  // Minimatch pattern `src/\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.
-  const escapedPatternWithoutLeadingSlash =
-    patternWithoutLeadingSlash.replaceAll(
-      /(?=((?:\\.|[^{(])*))\1([{(])/guy,
-      '$1\\$2'
+let _arboristPkgPath
+function getArboristPackagePath() {
+  if (_arboristPkgPath === undefined) {
+    const pkgName = '@npmcli/arborist'
+    const mainPathWithForwardSlashes = path$1.normalizePath(
+      utils.getNpmRequire().resolve(pkgName)
+    )
+    const arboristPkgPathWithForwardSlashes = mainPathWithForwardSlashes.slice(
+      0,
+      mainPathWithForwardSlashes.lastIndexOf(pkgName) + pkgName.length
     )
-  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : ''
-  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`
-}
-function workspacePatternToGlobPattern(workspace) {
-  const { length } = workspace
-  if (!length) {
-    return ''
-  }
-  // If the workspace ends with "/"
-  if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
-    return `${workspace}/*/package.json`
-  }
-  // If the workspace ends with "/**"
-  if (
-    workspace.charCodeAt(length - 1) === 42 /*'*'*/ &&
-    workspace.charCodeAt(length - 2) === 42 /*'*'*/ &&
-    workspace.charCodeAt(length - 3) === 47 /*'/'*/
-  ) {
-    return `${workspace}/*/**/package.json`
-  }
-  // Things like "packages/a" or "packages/*"
-  return `${workspace}/package.json`
-}
-async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
-  const patterns = ['golang', NPM$3, 'maven', 'pypi', 'gem', 'nuget'].reduce(
-    (r, n) => {
-      const supported = supportedFiles[n]
-      r.push(
-        ...(supported
-          ? Object.values(supported).map(p => `**/${p.pattern}`)
-          : [])
-      )
-      return r
-    },
-    []
-  )
-  return entries.filter(p => vendor.micromatchExports.some(p, patterns))
-}
-async function globWithGitIgnore(patterns, options) {
-  const {
-    cwd = process.cwd(),
-    socketConfig,
-    ...additionalOptions
-  } = {
-    __proto__: null,
-    ...options
-  }
-  const projectIgnorePaths = socketConfig?.projectIgnorePaths
-  const ignoreFiles = await vendor.distExports.glob(['**/.gitignore'], {
-    absolute: true,
-    cwd,
-    expandDirectories: true
-  })
-  const ignores = [
-    ...ignoredDirPatterns,
-    ...(Array.isArray(projectIgnorePaths)
-      ? ignoreFileLinesToGlobPatterns(
-          projectIgnorePaths,
-          path.join(cwd, '.gitignore'),
-          cwd
-        )
-      : []),
-    ...(
-      await Promise.all(
-        ignoreFiles.map(async filepath =>
-          ignoreFileToGlobPatterns(
-            await fs.promises.readFile(filepath, 'utf8'),
-            filepath,
-            cwd
-          )
-        )
-      )
-    ).flat()
-  ]
-  const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /*'!'*/)
-  const globOptions = {
-    absolute: true,
-    cwd,
-    expandDirectories: false,
-    ignore: hasNegatedPattern ? [] : ignores,
-    ...additionalOptions
-  }
-  const result = await vendor.distExports.glob(patterns, globOptions)
-  if (!hasNegatedPattern) {
-    return result
-  }
-  const { absolute } = globOptions
-
-  // Note: the input files must be INSIDE the cwd. If you get strange looking
-  // relative path errors here, most likely your path is outside the given cwd.
-  const filtered = vendor
-    .ignoreExports()
-    .add(ignores)
-    .filter(absolute ? result.map(p => path.relative(cwd, p)) : result)
-  return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered
-}
-async function globNodeModules(cwd = process.cwd()) {
-  return await vendor.distExports.glob('**/node_modules/**', {
-    absolute: true,
-    cwd
-  })
-}
-async function globWorkspace(agent, cwd = process.cwd()) {
-  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd)
-  return workspaceGlobs.length
-    ? await vendor.distExports.glob(workspaceGlobs, {
-        absolute: true,
-        cwd,
-        ignore: ['**/node_modules/**', '**/bower_components/**']
-      })
-    : []
-}
-function pathsToGlobPatterns(paths) {
-  // TODO: Does not support `~/` paths.
-  return paths.map(p => (p === '.' || p === './' ? '**/*' : p))
-}
-
-const { abortSignal } = constants
-async function removeNodeModules(cwd = process.cwd()) {
-  const nodeModulesPaths = await globNodeModules(cwd)
-  await Promise.all(nodeModulesPaths.map(p => fs$1.remove(p)))
-}
-async function findUp(name, { cwd = process.cwd(), signal = abortSignal }) {
-  let dir = path.resolve(cwd)
-  const { root } = path.parse(dir)
-  const names = [name].flat()
-  while (dir && dir !== root) {
-    for (const name of names) {
-      if (signal?.aborted) {
-        return undefined
-      }
-      const filePath = path.join(dir, name)
-      try {
-        // eslint-disable-next-line no-await-in-loop
-        const stats = await fs.promises.stat(filePath)
-        if (stats.isFile()) {
-          return filePath
-        }
-      } catch {}
-    }
-    dir = path.dirname(dir)
-  }
-  return undefined
-}
-async function readFileBinary(filepath, options) {
-  return await fs.promises.readFile(filepath, {
-    signal: abortSignal,
-    ...options,
-    encoding: 'binary'
-  })
-}
-async function readFileUtf8(filepath, options) {
-  return await fs.promises.readFile(filepath, {
-    signal: abortSignal,
-    ...options,
-    encoding: 'utf8'
-  })
-}
-async function safeReadFile(filepath, options) {
-  try {
-    return await fs.promises.readFile(filepath, {
-      encoding: 'utf8',
-      signal: abortSignal,
-      ...(typeof options === 'string'
-        ? {
-            encoding: options
-          }
-        : options)
-    })
-  } catch {}
-  return undefined
-}
-function safeReadFileSync(filepath, options) {
-  try {
-    return fs.readFileSync(filepath, {
-      encoding: 'utf8',
-      ...(typeof options === 'string'
-        ? {
-            encoding: options
-          }
-        : options)
-    })
-  } catch {}
-  return undefined
-}
-
-const { LOCALAPPDATA, SOCKET_APP_DIR } = constants
-const supportedConfigKeys = new Map([
-  ['apiBaseUrl', 'Base URL of the API endpoint'],
-  ['apiProxy', 'A proxy through which to access the API'],
-  ['apiToken', 'The API token required to access most API endpoints'],
-  [
-    'defaultOrg',
-    'The default org slug to use; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.'
-  ],
-  [
-    'enforcedOrgs',
-    'Orgs in this list have their security policies enforced on this machine'
-  ],
-  ['isTestingV1', 'For development of testing the next major bump']
-])
-const sensitiveConfigKeys = new Set(['apiToken'])
-let _cachedConfig
-// When using --config or SOCKET_CLI_CONFIG, do not persist the config.
-let _readOnlyConfig = false
-function overrideCachedConfig(jsonConfig) {
-  debug.debugLog('Overriding entire config, marking config as read-only')
-  let config
-  try {
-    config = JSON.parse(String(jsonConfig))
-    if (!config || typeof config !== 'object') {
-      // `null` is valid json, so are primitive values. They're not valid config objects :)
-      return {
-        ok: false,
-        message: 'Could not parse Config as JSON',
-        cause:
-          "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
-      }
-    }
-  } catch {
-    // Force set an empty config to prevent accidentally using system settings
-    _cachedConfig = {}
-    _readOnlyConfig = true
-    return {
-      ok: false,
-      message: 'Could not parse Config as JSON',
-      cause:
-        "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
-    }
-  }
-
-  // @ts-ignore Override an illegal object.
-  _cachedConfig = config
-  _readOnlyConfig = true
-
-  // Normalize apiKey to apiToken.
-  if (_cachedConfig['apiKey']) {
-    if (_cachedConfig['apiToken']) {
-      logger.logger.warn(
-        'Note: The config override had both apiToken and apiKey. Using the apiToken value. Remove the apiKey to get rid of this message.'
-      )
-    }
-    _cachedConfig['apiToken'] = _cachedConfig['apiKey']
-    delete _cachedConfig['apiKey']
-  }
-  return {
-    ok: true,
-    data: undefined
-  }
-}
-function overrideConfigApiToken(apiToken) {
-  debug.debugLog('Overriding API token, marking config as read-only')
-  // Set token to the local cached config and mark it read-only so it doesn't persist
-  _cachedConfig = {
-    ...vendor.configExports,
-    ...(apiToken === undefined
-      ? {}
-      : {
-          apiToken: String(apiToken)
-        })
-  }
-  _readOnlyConfig = true
-}
-function getConfigValues() {
-  if (_cachedConfig === undefined) {
-    _cachedConfig = {}
-    // Order: env var > --config flag > file
-    const configPath = getConfigPath()
-    if (configPath) {
-      const raw = safeReadFileSync(configPath)
-      if (raw) {
-        try {
-          Object.assign(
-            _cachedConfig,
-            JSON.parse(Buffer.from(raw, 'base64').toString())
-          )
-        } catch {
-          logger.logger.warn(`Failed to parse config at ${configPath}`)
-        }
-        // Normalize apiKey to apiToken and persist it.
-        // This is a one time migration per user.
-        if (_cachedConfig['apiKey']) {
-          const token = _cachedConfig['apiKey']
-          delete _cachedConfig['apiKey']
-          updateConfigValue('apiToken', token)
-        }
-      } else {
-        fs.mkdirSync(path.dirname(configPath), {
-          recursive: true
-        })
-      }
-    }
-  }
-  return _cachedConfig
-}
-let _configPath
-let _warnedConfigPathWin32Missing = false
-function getConfigPath() {
-  // Get the OS app data folder:
-  // - Win: %LOCALAPPDATA% or fail?
-  // - Mac: %XDG_DATA_HOME% or fallback to "~/Library/Application Support/"
-  // - Linux: %XDG_DATA_HOME% or fallback to "~/.local/share/"
-  // Note: LOCALAPPDATA is typically: C:\Users\USERNAME\AppData
-  // Note: XDG stands for "X Desktop Group", nowadays "freedesktop.org"
-  //       On most systems that path is: $HOME/.local/share
-  // Then append `socket/settings`, so:
-  // - Win: %LOCALAPPDATA%\socket\settings or return undefined
-  // - Mac: %XDG_DATA_HOME%/socket/settings or "~/Library/Application Support/socket/settings"
-  // - Linux: %XDG_DATA_HOME%/socket/settings or "~/.local/share/socket/settings"
-
-  if (_configPath === undefined) {
     // Lazily access constants.WIN32.
-    const { WIN32 } = constants
-    let dataHome = WIN32
-      ? // Lazily access constants.ENV.LOCALAPPDATA
-        constants.ENV.LOCALAPPDATA
-      : // Lazily access constants.ENV.XDG_DATA_HOME
-        constants.ENV.XDG_DATA_HOME
-    if (!dataHome) {
-      if (WIN32) {
-        if (!_warnedConfigPathWin32Missing) {
-          _warnedConfigPathWin32Missing = true
-          logger.logger.warn(`Missing %${LOCALAPPDATA}%`)
-        }
-      } else {
-        dataHome = path.join(
-          os.homedir(),
-          ...(process.platform === 'darwin'
-            ? ['Library', 'Application Support']
-            : ['.local', 'share'])
-        )
-      }
-    }
-    _configPath = dataHome ? path.join(dataHome, SOCKET_APP_DIR) : undefined
-  }
-  return _configPath
-}
-function normalizeConfigKey(key) {
-  // Note: apiKey was the old name of the token. When we load a config with
-  //       property apiKey, we'll copy that to apiToken and delete the old property.
-  const normalizedKey = key === 'apiKey' ? 'apiToken' : key
-  if (!supportedConfigKeys.has(normalizedKey)) {
-    return {
-      ok: false,
-      message: `Invalid config key: ${normalizedKey}`,
-      data: undefined
-    }
-  }
-  return {
-    ok: true,
-    data: key
-  }
-}
-function findSocketYmlSync(dir = process.cwd()) {
-  let prevDir = null
-  while (dir !== prevDir) {
-    let ymlPath = path.join(dir, 'socket.yml')
-    let yml = safeReadFileSync(ymlPath)
-    if (yml === undefined) {
-      ymlPath = path.join(dir, 'socket.yaml')
-      yml = safeReadFileSync(ymlPath)
-    }
-    if (typeof yml === 'string') {
-      try {
-        return {
-          path: ymlPath,
-          parsed: vendor.configExports.parseSocketConfig(yml)
-        }
-      } catch {
-        throw new Error(`Found file but was unable to parse ${ymlPath}`)
-      }
-    }
-    prevDir = dir
-    dir = path.join(dir, '..')
-  }
-  return null
-}
-function getConfigValue(key) {
-  const localConfig = getConfigValues()
-  const keyResult = normalizeConfigKey(key)
-  if (!keyResult.ok) {
-    return keyResult
-  }
-  return {
-    ok: true,
-    data: localConfig[keyResult.data]
-  }
-}
-// This version squashes errors, returning undefined instead.
-// Should be used when we can reasonably predict the call can't fail.
-function getConfigValueOrUndef(key) {
-  const localConfig = getConfigValues()
-  const keyResult = normalizeConfigKey(key)
-  if (!keyResult.ok) {
-    return undefined
-  }
-  return localConfig[keyResult.data]
-}
-function isReadOnlyConfig() {
-  return _readOnlyConfig
-}
-let _pendingSave = false
-function updateConfigValue(key, value) {
-  const localConfig = getConfigValues()
-  const keyResult = normalizeConfigKey(key)
-  if (!keyResult.ok) {
-    return keyResult
-  }
-  localConfig[keyResult.data] = value
-  if (_readOnlyConfig) {
-    return {
-      ok: true,
-      message: `Config key '${key}' was updated`,
-      data: 'Change applied but not persisted; current config is overridden through env var or flag'
-    }
-  }
-  if (!_pendingSave) {
-    _pendingSave = true
-    process.nextTick(() => {
-      _pendingSave = false
-      const configPath = getConfigPath()
-      if (configPath) {
-        fs.writeFileSync(
-          configPath,
-          Buffer.from(JSON.stringify(localConfig)).toString('base64')
-        )
-      }
-    })
-  }
-  return {
-    ok: true,
-    message: `Config key '${key}' was updated`,
-    data: undefined
-  }
-}
-function isTestingV1() {
-  return !!getConfigValueOrUndef('isTestingV1')
-}
-
-const {
-  kInternalsSymbol: kInternalsSymbol$1,
-  [kInternalsSymbol$1]: { getSentry }
-} = constants
-class AuthError extends Error {}
-class InputError extends Error {
-  constructor(message, body) {
-    super(message)
-    this.body = body
-  }
-}
-async function captureException(exception, hint) {
-  const result = captureExceptionSync(exception, hint)
-  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
-  await promises.setTimeout(1000)
-  return result
-}
-function captureExceptionSync(exception, hint) {
-  const Sentry = getSentry()
-  if (!Sentry) {
-    return ''
-  }
-  debug.debugLog('captureException: Sending exception to Sentry')
-  return Sentry.captureException(exception, hint)
-}
-
-const { SOCKET_PUBLIC_API_TOKEN } = constants
-
-// The API server that should be used for operations.
-function getDefaultApiBaseUrl() {
-  const baseUrl =
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
-    constants.ENV.SOCKET_SECURITY_API_BASE_URL ||
-    getConfigValueOrUndef('apiBaseUrl')
-  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined
-}
-
-// The API server that should be used for operations.
-function getDefaultHttpProxy() {
-  const apiProxy =
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_PROXY.
-    constants.ENV.SOCKET_SECURITY_API_PROXY || getConfigValueOrUndef('apiProxy')
-  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined
-}
-
-// This API key should be stored globally for the duration of the CLI execution.
-let _defaultToken
-function getDefaultToken() {
-  // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.
-  if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {
-    _defaultToken = undefined
-  } else {
-    const key =
-      // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-      constants.ENV.SOCKET_SECURITY_API_TOKEN ||
-      getConfigValueOrUndef('apiToken') ||
-      _defaultToken
-    _defaultToken = strings.isNonEmptyString(key) ? key : undefined
+    _arboristPkgPath = constants.WIN32
+      ? path.normalize(arboristPkgPathWithForwardSlashes)
+      : arboristPkgPathWithForwardSlashes
+  }
+  return _arboristPkgPath
+}
+let _arboristClassPath
+function getArboristClassPath() {
+  if (_arboristClassPath === undefined) {
+    _arboristClassPath = path.join(
+      getArboristPackagePath(),
+      'lib/arborist/index.js'
+    )
   }
-  return _defaultToken
+  return _arboristClassPath
 }
-function getPublicToken() {
-  return (
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-    (constants.ENV.SOCKET_SECURITY_API_TOKEN || getDefaultToken()) ??
-    SOCKET_PUBLIC_API_TOKEN
-  )
-}
-async function setupSdk(
-  apiToken = getDefaultToken(),
-  apiBaseUrl = getDefaultApiBaseUrl(),
-  proxy = getDefaultHttpProxy()
-) {
-  if (typeof apiToken !== 'string' && vendor.isInteractiveExports()) {
-    apiToken = await prompts.password({
-      message:
-        'Enter your Socket.dev API key (not saved, use socket login to persist)'
-    })
-    _defaultToken = apiToken
-  }
-  if (!apiToken) {
-    // TODO: eliminate this throw in favor of CResult (or anything else)
-    throw new AuthError('You need to provide an API key')
+let _arboristDepValidPath
+function getArboristDepValidPath() {
+  if (_arboristDepValidPath === undefined) {
+    _arboristDepValidPath = path.join(
+      getArboristPackagePath(),
+      'lib/dep-valid.js'
+    )
   }
-  return new vendor.distExports$2.SocketSdk(apiToken, {
-    agent: proxy
-      ? new vendor.HttpsProxyAgent({
-          proxy
-        })
-      : undefined,
-    baseUrl: apiBaseUrl,
-    userAgent: vendor.distExports$2.createUserAgentFromPkgJson({
-      // Lazily access constants.ENV.INLINED_SOCKET_CLI_NAME.
-      name: constants.ENV.INLINED_SOCKET_CLI_NAME,
-      // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION.
-      version: constants.ENV.INLINED_SOCKET_CLI_VERSION,
-      // Lazily access constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE.
-      homepage: constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE
-    })
-  })
+  return _arboristDepValidPath
 }
-
-const RangeStyles = ['caret', 'gt', 'lt', 'pin', 'preserve', 'tilde']
-function applyRange(refRange, version, style = 'preserve') {
-  switch (style) {
-    case 'caret':
-      return `^${version}`
-    case 'gt':
-      return `>${version}`
-    case 'gte':
-      return `>=${version}`
-    case 'lt':
-      return `<${version}`
-    case 'lte':
-      return `<=${version}`
-    case 'preserve': {
-      const range = new vendor.semverExports.Range(refRange)
-      const { raw } = range
-      const comparators = [...range.set].flat()
-      const { length } = comparators
-      if (length === 1) {
-        const char = /^[<>]=?/.exec(raw)?.[0]
-        if (char) {
-          return `${char}${version}`
-        }
-      } else if (length === 2) {
-        const char = /^[~^]/.exec(raw)?.[0]
-        if (char) {
-          return `${char}${version}`
-        }
-      }
-      return version
-    }
-    case 'tilde':
-      return `~${version}`
-    case 'pin':
-    default:
-      return version
+let _arboristEdgeClassPath
+function getArboristEdgeClassPath() {
+  if (_arboristEdgeClassPath === undefined) {
+    _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js')
   }
+  return _arboristEdgeClassPath
 }
-function getMajor(version) {
-  const coerced = vendor.semverExports.coerce(version)
-  if (coerced) {
-    try {
-      return vendor.semverExports.major(coerced)
-    } catch (e) {
-      debug.debugLog(`Error parsing '${version}':\n`, e)
-    }
+let _arboristNodeClassPath
+function getArboristNodeClassPath() {
+  if (_arboristNodeClassPath === undefined) {
+    _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js')
   }
-  return null
-}
-
-function idToPurl(id) {
-  return `pkg:npm/${id}`
-}
-function resolvePackageVersion(purlObj) {
-  const { version } = purlObj
-  return version
-    ? (vendor.semverExports.coerce(stripPeerSuffix(version))?.version ?? '')
-    : ''
-}
-function stripLeadingSlash(path) {
-  return path.startsWith('/') ? path.slice(1) : path
-}
-function stripPeerSuffix(depPath) {
-  const idx = depPath.indexOf('(')
-  return idx === -1 ? depPath : depPath.slice(0, idx)
-}
-
-function createEnum(obj) {
-  return Object.freeze({
-    __proto__: null,
-    ...obj
-  })
+  return _arboristNodeClassPath
 }
-function pick(input, keys) {
-  const result = {}
-  for (const key of keys) {
-    result[key] = input[key]
+let _arboristOverrideSetClassPath
+function getArboristOverrideSetClassPath() {
+  if (_arboristOverrideSetClassPath === undefined) {
+    _arboristOverrideSetClassPath = path.join(
+      getArboristPackagePath(),
+      'lib/override-set.js'
+    )
   }
-  return result
+  return _arboristOverrideSetClassPath
 }
 
-const DiffAction = createEnum({
-  add: 'ADD',
-  change: 'CHANGE',
-  remove: 'REMOVE'
-})
-
 const require$6 = Module.createRequire(
-  typeof document === 'undefined'
-    ? require('u' + 'rl').pathToFileURL(__filename).href
-    : (_documentCurrentScript &&
-        _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' &&
-        _documentCurrentScript.src) ||
-        new URL('shadow-npm-inject.js', document.baseURI).href
+  require('u' + 'rl').pathToFileURL(__filename).href
 )
-const depValid = require$6(shadowNpmPaths.getArboristDepValidPath())
+let _depValid
+function depValid(child, requested, accept, requester) {
+  if (_depValid === undefined) {
+    _depValid = require$6(getArboristDepValidPath())
+  }
+  return _depValid(child, requested, accept, requester)
+}
 
 const { UNDEFINED_TOKEN } = constants
 function tryRequire(req, ...ids) {
@@ -800,7 +119,7 @@ let _log = UNDEFINED_TOKEN
 function getLogger() {
   if (_log === UNDEFINED_TOKEN) {
     _log = tryRequire(
-      shadowNpmPaths.getNpmRequire(),
+      utils.getNpmRequire(),
       [
         'proc-log/lib/index.js',
         // The proc-log DefinitelyTyped definition is incorrect. The type definition
@@ -814,14 +133,9 @@ function getLogger() {
 }
 
 const require$5 = Module.createRequire(
-  typeof document === 'undefined'
-    ? require('u' + 'rl').pathToFileURL(__filename).href
-    : (_documentCurrentScript &&
-        _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' &&
-        _documentCurrentScript.src) ||
-        new URL('shadow-npm-inject.js', document.baseURI).href
+  require('u' + 'rl').pathToFileURL(__filename).href
 )
-const OverrideSet = require$5(shadowNpmPaths.getArboristOverrideSetClassPath())
+const OverrideSet = require$5(getArboristOverrideSetClassPath())
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/8089
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
@@ -951,14 +265,9 @@ class SafeOverrideSet extends OverrideSet {
 }
 
 const require$4 = Module.createRequire(
-  typeof document === 'undefined'
-    ? require('u' + 'rl').pathToFileURL(__filename).href
-    : (_documentCurrentScript &&
-        _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' &&
-        _documentCurrentScript.src) ||
-        new URL('shadow-npm-inject.js', document.baseURI).href
+  require('u' + 'rl').pathToFileURL(__filename).href
 )
-const Node = require$4(shadowNpmPaths.getArboristNodeClassPath())
+const Node = require$4(getArboristNodeClassPath())
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/8089
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
@@ -1266,14 +575,9 @@ class SafeNode extends Node {
 }
 
 const require$3 = Module.createRequire(
-  typeof document === 'undefined'
-    ? require('u' + 'rl').pathToFileURL(__filename).href
-    : (_documentCurrentScript &&
-        _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' &&
-        _documentCurrentScript.src) ||
-        new URL('shadow-npm-inject.js', document.baseURI).href
+  require('u' + 'rl').pathToFileURL(__filename).href
 )
-const Edge = require$3(shadowNpmPaths.getArboristEdgeClassPath())
+const Edge = require$3(getArboristEdgeClassPath())
 
 // The Edge class makes heavy use of private properties which subclasses do NOT
 // have access to. So we have to recreate any functionality that relies on those
@@ -1533,7 +837,7 @@ class SafeEdge extends Edge {
   }
 }
 
-const { LOOP_SENTINEL, NPM: NPM$2, NPM_REGISTRY_URL } = constants
+const { LOOP_SENTINEL, NPM: NPM$1, NPM_REGISTRY_URL } = constants
 function getUrlOrigin(input) {
   try {
     // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.
@@ -1549,16 +853,18 @@ function findBestPatchVersion(
   vulnerableVersionRange,
   _firstPatchedVersionIdentifier
 ) {
-  const manifestData = registry.getManifestData(NPM$2, node.name)
+  const manifestData = registry.getManifestData(NPM$1, node.name)
   let eligibleVersions
   if (manifestData && manifestData.name === manifestData.package) {
-    const major = getMajor(manifestData.version)
+    const major = utils.getMajor(manifestData.version)
     if (typeof major !== 'number') {
       return null
     }
-    eligibleVersions = availableVersions.filter(v => getMajor(v) === major)
+    eligibleVersions = availableVersions.filter(
+      v => utils.getMajor(v) === major
+    )
   } else {
-    const major = getMajor(node.version)
+    const major = utils.getMajor(node.version)
     if (typeof major !== 'number') {
       return null
     }
@@ -1566,7 +872,7 @@ function findBestPatchVersion(
       v =>
         // Filter for versions that are within the current major version and
         // are NOT in the vulnerable range.
-        getMajor(v) === major &&
+        utils.getMajor(v) === major &&
         (!vulnerableVersionRange ||
           !vendor.semverExports.satisfies(v, vulnerableVersionRange))
     )
@@ -1613,6 +919,43 @@ function findPackageNodes(tree, name, version) {
   }
   return matches
 }
+async function getAlertsMapFromArborist(arb, options_) {
+  const options = {
+    __proto__: null,
+    consolidate: false,
+    limit: Infinity,
+    nothrow: false,
+    ...options_
+  }
+  const include = {
+    __proto__: null,
+    existing: false,
+    ...options.include
+  }
+  const needInfoOn = getDetailsFromDiff(arb.diff, {
+    include: {
+      unchanged: include.existing
+    }
+  })
+  const purls = needInfoOn.map(d => utils.idToPurl(d.node.pkgid))
+  let overrides
+  const overridesMap = (
+    arb.actualTree ??
+    arb.idealTree ??
+    (await arb.loadActual())
+  )?.overrides?.children
+  if (overridesMap) {
+    overrides = Object.fromEntries(
+      [...overridesMap.entries()].map(([key, overrideSet]) => {
+        return [key, overrideSet.value]
+      })
+    )
+  }
+  return await utils.getAlertsMapFromPurls(purls, {
+    overrides,
+    ...options
+  })
+}
 function getDetailsFromDiff(diff_, options) {
   const details = []
   // `diff_` is `null` when `npm install --package-lock-only` is passed.
@@ -1706,7 +1049,7 @@ function updateNode(node, newVersion, newVersionPackument) {
   node.package.version = newVersion
   // Update node.resolved.
   const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-    idToPurl(node.name)
+    utils.idToPurl(node.name)
   )
   node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${newVersion}.tgz`
   // Update node.integrity with the targetPackument.dist.integrity value if available
@@ -1774,7 +1117,7 @@ function updatePackageJsonFromNode(
     if (depObject) {
       const oldRange = depObject[name]
       if (oldRange) {
-        const newRange = applyRange(oldRange, newVersion, rangeStyle)
+        const newRange = utils.applyRange(oldRange, newVersion, rangeStyle)
         if (oldRange !== newRange) {
           result = true
           editablePkgJson.update({
@@ -1790,826 +1133,8 @@ function updatePackageJsonFromNode(
   return result
 }
 
-function extractPurlsFromPnpmLockfileV6(lockfile) {
-  const deps = new Set()
-  for (const importer of Object.values(lockfile.importers || {})) {
-    if (importer.dependencies) {
-      for (const { 0: alias, 1: ref } of Object.entries(
-        importer.dependencies
-      )) {
-        const id = resolvePnpmPackageId(alias, ref)
-        if (id) {
-          deps.add(idToPurl(id))
-        }
-      }
-    }
-    if (importer.devDependencies) {
-      for (const { 0: alias, 1: ref } of Object.entries(
-        importer.devDependencies
-      )) {
-        const id = resolvePnpmPackageId(alias, ref)
-        if (id) {
-          deps.add(idToPurl(id))
-        }
-      }
-    }
-    if (importer.optionalDependencies) {
-      for (const { 0: alias, 1: ref } of Object.entries(
-        importer.optionalDependencies
-      )) {
-        const id = resolvePnpmPackageId(alias, ref)
-        if (id) {
-          deps.add(idToPurl(id))
-        }
-      }
-    }
-  }
-  if (lockfile.packages) {
-    for (const pkgPath of Object.keys(lockfile.packages)) {
-      const id = resolvePnpmPackageIdFromPath(pkgPath, '')
-      if (id) {
-        deps.add(idToPurl(id))
-      }
-    }
-  }
-  return Array.from(deps)
-}
-function extractPurlsFromPnpmLockfileV9(lockfile) {
-  const depTypes = vendor.libExports$1.detectDepTypes(lockfile)
-  return Object.keys(depTypes).map(refId => {
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-      idToPurl(refId)
-    )
-    const name = packages.resolvePackageName(purlObj)
-    const version = resolvePackageVersion(purlObj)
-    return idToPurl(`${name}@${version}`)
-  })
-}
-function extractPurlsFromPnpmLockfile(lockfile) {
-  return parsePnpmLockfileVersion(lockfile.lockfileVersion) >= 9
-    ? extractPurlsFromPnpmLockfileV9(lockfile)
-    : extractPurlsFromPnpmLockfileV6(lockfile)
-}
-function parsePnpmLockfileVersion(version) {
-  return parseInt(version.split('.')[0] ?? '', 10) || 0
-}
-function resolvePnpmPackageId(alias, ref) {
-  return ref.startsWith('/')
-    ? resolvePnpmPackageIdFromPath(ref, alias)
-    : `${alias}@${stripPeerSuffix(ref)}`
-}
-function resolvePnpmPackageIdFromPath(ref, alias) {
-  const relative = vendor.libExports$2.refToRelative(ref, alias)
-  if (relative) {
-    const id = stripLeadingSlash(relative)
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-      idToPurl(id)
-    )
-    const name = packages.resolvePackageName(purlObj)
-    const version = resolvePackageVersion(purlObj)
-    return `${name}@${version}`
-  }
-  return null
-}
-
-const {
-  ALERT_TYPE_CRITICAL_CVE,
-  ALERT_TYPE_CVE,
-  ALERT_TYPE_MEDIUM_CVE,
-  ALERT_TYPE_MILD_CVE
-} = constants
-function isArtifactAlertCve(alert) {
-  const { type } = alert
-  return (
-    type === ALERT_TYPE_CVE ||
-    type === ALERT_TYPE_MEDIUM_CVE ||
-    type === ALERT_TYPE_MILD_CVE ||
-    type === ALERT_TYPE_CRITICAL_CVE
-  )
-}
-
-const ALERT_FIX_TYPE = createEnum({
-  cve: 'cve',
-  remove: 'remove',
-  upgrade: 'upgrade'
-})
-
-function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean)
-  const { length } = values
-  if (!length) {
-    return ''
-  }
-  if (length === 1) {
-    return values[0]
-  }
-  const finalValue = values.pop()
-  return `${values.join(', ')}${separator}${finalValue}`
-}
-
-const ALERT_SEVERITY = createEnum({
-  critical: 'critical',
-  high: 'high',
-  middle: 'middle',
-  low: 'low'
-})
-// Ordered from most severe to least.
-const ALERT_SEVERITIES_SORTED = Object.freeze([
-  'critical',
-  'high',
-  'middle',
-  'low'
-])
-function getDesiredSeverities(lowestToInclude) {
-  const result = []
-  for (const severity of ALERT_SEVERITIES_SORTED) {
-    result.push(severity)
-    if (severity === lowestToInclude) {
-      break
-    }
-  }
-  return result
-}
-function formatSeverityCount(severityCount) {
-  const summary = []
-  for (const severity of ALERT_SEVERITIES_SORTED) {
-    if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`)
-    }
-  }
-  return stringJoinWithSeparateFinalSeparator(summary)
-}
-function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick(
-    {
-      low: 0,
-      middle: 0,
-      high: 0,
-      critical: 0
-    },
-    getDesiredSeverities(lowestToInclude)
-  )
-  for (const issue of issues) {
-    const { value } = issue
-    if (!value) {
-      continue
-    }
-    const { severity } = value
-    if (severityCount[severity] !== undefined) {
-      severityCount[severity] += 1
-    }
-  }
-  return severityCount
-}
-
-class ColorOrMarkdown {
-  constructor(useMarkdown) {
-    this.useMarkdown = !!useMarkdown
-  }
-  bold(text) {
-    return this.useMarkdown
-      ? `**${text}**`
-      : vendor.yoctocolorsCjsExports.bold(`${text}`)
-  }
-  header(text, level = 1) {
-    return this.useMarkdown
-      ? `\n${''.padStart(level, '#')} ${text}\n`
-      : vendor.yoctocolorsCjsExports.underline(
-          `\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`
-        )
-  }
-  hyperlink(text, url, { fallback = true, fallbackToUrl } = {}) {
-    if (url) {
-      return this.useMarkdown
-        ? `[${text}](${url})`
-        : vendor.terminalLinkExports(text, url, {
-            fallback: fallbackToUrl ? (_text, url) => url : fallback
-          })
-    }
-    return text
-  }
-  indent(...args) {
-    return vendor.indentStringExports(...args)
-  }
-  italic(text) {
-    return this.useMarkdown
-      ? `_${text}_`
-      : vendor.yoctocolorsCjsExports.italic(`${text}`)
-  }
-  json(value) {
-    return this.useMarkdown
-      ? '```json\n' + JSON.stringify(value) + '\n```'
-      : JSON.stringify(value)
-  }
-  list(items) {
-    const indentedContent = items.map(item => this.indent(item).trimStart())
-    return this.useMarkdown
-      ? `* ${indentedContent.join('\n* ')}\n`
-      : `${indentedContent.join('\n')}\n`
-  }
-}
-
-function getSocketDevAlertUrl(alertType) {
-  return `https://socket.dev/alerts/${alertType}`
-}
-function getSocketDevPackageOverviewUrl(eco, name, version) {
-  return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`
-}
-
-let _translations
-function getTranslations() {
-  if (_translations === undefined) {
-    _translations = require(
-      // Lazily access constants.rootPath.
-      path.join(constants.rootPath, 'translations.json')
-    )
-  }
-  return _translations
-}
-
-const ALERT_SEVERITY_COLOR = createEnum({
-  critical: 'magenta',
-  high: 'red',
-  middle: 'yellow',
-  low: 'white'
-})
-const ALERT_SEVERITY_ORDER = createEnum({
-  critical: 0,
-  high: 1,
-  middle: 2,
-  low: 3,
-  none: 4
-})
-const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM: NPM$1 } =
-  constants
-const MIN_ABOVE_THE_FOLD_COUNT = 3
-const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1
-const format = new ColorOrMarkdown(false)
-function alertsHaveBlocked(alerts) {
-  return alerts.find(a => a.blocked) !== undefined
-}
-function alertsHaveSeverity(alerts, severity) {
-  return alerts.find(a => a.raw.severity === severity) !== undefined
-}
-function alertSeverityComparator(a, b) {
-  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b)
-}
-function getAlertSeverityOrder(alert) {
-  const { severity } = alert.raw
-  return severity === ALERT_SEVERITY.critical
-    ? 0
-    : severity === ALERT_SEVERITY.high
-      ? 1
-      : severity === ALERT_SEVERITY.middle
-        ? 2
-        : severity === ALERT_SEVERITY.low
-          ? 3
-          : 4
-}
-function getAlertsSeverityOrder(alerts) {
-  return alertsHaveBlocked(alerts) ||
-    alertsHaveSeverity(alerts, ALERT_SEVERITY.critical)
-    ? 0
-    : alertsHaveSeverity(alerts, ALERT_SEVERITY.high)
-      ? 1
-      : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle)
-        ? 2
-        : alertsHaveSeverity(alerts, ALERT_SEVERITY.low)
-          ? 3
-          : 4
-}
-function getHiddenRiskCounts(hiddenAlerts) {
-  const riskCounts = {
-    critical: 0,
-    high: 0,
-    middle: 0,
-    low: 0
-  }
-  for (const alert of hiddenAlerts) {
-    switch (getAlertSeverityOrder(alert)) {
-      case ALERT_SEVERITY_ORDER.critical:
-        riskCounts.critical += 1
-        break
-      case ALERT_SEVERITY_ORDER.high:
-        riskCounts.high += 1
-        break
-      case ALERT_SEVERITY_ORDER.middle:
-        riskCounts.middle += 1
-        break
-      case ALERT_SEVERITY_ORDER.low:
-        riskCounts.low += 1
-        break
-    }
-  }
-  return riskCounts
-}
-function getHiddenRisksDescription(riskCounts) {
-  const descriptions = []
-  if (riskCounts.critical) {
-    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`)
-  }
-  if (riskCounts.high) {
-    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`)
-  }
-  if (riskCounts.middle) {
-    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`)
-  }
-  if (riskCounts.low) {
-    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`)
-  }
-  return `(${descriptions.join('; ')})`
-}
-function getSeverityLabel(severity) {
-  return severity === 'middle' ? 'moderate' : severity
-}
-async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
-  // Make TypeScript happy.
-  if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-    return alertsByPkgId
-  }
-  const {
-    consolidate = false,
-    include: _include,
-    overrides
-  } = {
-    __proto__: null,
-    ...options
-  }
-  const include = {
-    __proto__: null,
-    blocked: true,
-    critical: true,
-    cve: true,
-    unfixable: true,
-    upgradable: false,
-    ..._include
-  }
-  const name = packages.resolvePackageName(artifact)
-  const { version } = artifact
-  const pkgId = `${name}@${version}`
-  const major = vendor.semverExports.major(version)
-  const socketYml = findSocketYmlSync()
-  const enabledState = {
-    __proto__: null,
-    ...socketYml?.parsed.issueRules
-  }
-  let sockPkgAlerts = []
-  for (const alert of artifact.alerts) {
-    const action = alert.action ?? ''
-    const enabledFlag = enabledState[alert.type]
-    if (
-      (action === 'ignore' && enabledFlag !== true) ||
-      enabledFlag === false
-    ) {
-      continue
-    }
-    const blocked = action === 'error'
-    const critical = alert.severity === ALERT_SEVERITY.critical
-    const cve = isArtifactAlertCve(alert)
-    const fixType = alert.fix?.type ?? ''
-    const fixableCve = fixType === ALERT_FIX_TYPE.cve
-    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade
-    const fixable = fixableCve || fixableUpgrade
-    const upgradable = fixableUpgrade && !objects.hasOwn(overrides, name)
-    if (
-      (include.blocked && blocked) ||
-      (include.critical && critical) ||
-      (include.cve && cve) ||
-      (include.unfixable && !fixable) ||
-      (include.upgradable && upgradable)
-    ) {
-      sockPkgAlerts.push({
-        name,
-        version,
-        key: alert.key,
-        type: alert.type,
-        blocked,
-        critical,
-        fixable,
-        raw: alert,
-        upgradable
-      })
-    }
-  }
-  if (!sockPkgAlerts.length) {
-    return alertsByPkgId
-  }
-  if (consolidate) {
-    const highestForCve = new Map()
-    const highestForUpgrade = new Map()
-    const unfixableAlerts = []
-    for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw
-      const fixType = alert.fix?.type ?? ''
-      if (fixType === ALERT_FIX_TYPE.cve) {
-        const patchedVersion =
-          alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER]
-        const patchedMajor = vendor.semverExports.major(patchedVersion)
-        const oldHighest = highestForCve.get(patchedMajor)
-        const highest = oldHighest?.version ?? '0.0.0'
-        if (vendor.semverExports.gt(patchedVersion, highest)) {
-          highestForCve.set(patchedMajor, {
-            alert: sockPkgAlert,
-            version: patchedVersion
-          })
-        }
-      } else if (fixType === ALERT_FIX_TYPE.upgrade) {
-        const oldHighest = highestForUpgrade.get(major)
-        const highest = oldHighest?.version ?? '0.0.0'
-        if (vendor.semverExports.gt(version, highest)) {
-          highestForUpgrade.set(major, {
-            alert: sockPkgAlert,
-            version
-          })
-        }
-      } else {
-        unfixableAlerts.push(sockPkgAlert)
-      }
-    }
-    sockPkgAlerts = [
-      ...unfixableAlerts,
-      ...[...highestForCve.values()].map(d => d.alert),
-      ...[...highestForUpgrade.values()].map(d => d.alert)
-    ]
-  }
-  if (sockPkgAlerts.length) {
-    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type))
-    alertsByPkgId.set(pkgId, sockPkgAlerts)
-  }
-  return alertsByPkgId
-}
-function getCveInfoByAlertsMap(alertsMap, options) {
-  const { exclude: _exclude, limit = Infinity } = {
-    __proto__: null,
-    ...options
-  }
-  const exclude = {
-    __proto__: null,
-    upgradable: true,
-    ..._exclude
-  }
-  let count = 0
-  let infoByPkg = null
-  alertsMapLoop: for (const [pkgId, sockPkgAlerts] of alertsMap) {
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-      idToPurl(pkgId)
-    )
-    const name = packages.resolvePackageName(purlObj)
-    for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw
-      if (
-        alert.fix?.type !== ALERT_FIX_TYPE.cve ||
-        (exclude.upgradable && registry.getManifestData(NPM$1, name))
-      ) {
-        continue
-      }
-      if (!infoByPkg) {
-        infoByPkg = new Map()
-      }
-      let infos = infoByPkg.get(name)
-      if (!infos) {
-        infos = []
-        infoByPkg.set(name, infos)
-      }
-      const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
-        alert.props
-      try {
-        infos.push({
-          firstPatchedVersionIdentifier,
-          vulnerableVersionRange: new vendor.semverExports.Range(
-            // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
-            // semver.Range will parse it without erroring.
-            vulnerableVersionRange.replace(/, +/g, ' ')
-          ).format()
-        })
-        if (++count >= limit) {
-          break alertsMapLoop
-        }
-      } catch (e) {
-        debug.debugLog('getCveInfoByAlertsMap', {
-          firstPatchedVersionIdentifier,
-          vulnerableVersionRange
-        })
-        debug.debugLog(e)
-      }
-    }
-  }
-  return infoByPkg
-}
-function logAlertsMap(alertsMap, options) {
-  const { hideAt = 'middle', output = process.stderr } = {
-    __proto__: null,
-    ...options
-  }
-  const translations = getTranslations()
-  const sortedEntries = [...alertsMap.entries()].sort(
-    (a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1])
-  )
-  const aboveTheFoldPkgIds = new Set()
-  const viewableAlertsByPkgId = new Map()
-  const hiddenAlertsByPkgId = new Map()
-  for (let i = 0, { length } = sortedEntries; i < length; i += 1) {
-    const { 0: pkgId, 1: alerts } = sortedEntries[i]
-    const hiddenAlerts = []
-    const viewableAlerts = alerts.filter(a => {
-      const keep =
-        a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt]
-      if (!keep) {
-        hiddenAlerts.push(a)
-      }
-      return keep
-    })
-    if (hiddenAlerts.length) {
-      hiddenAlertsByPkgId.set(pkgId, hiddenAlerts.sort(alertSeverityComparator))
-    }
-    if (!viewableAlerts.length) {
-      continue
-    }
-    viewableAlerts.sort(alertSeverityComparator)
-    viewableAlertsByPkgId.set(pkgId, viewableAlerts)
-    if (
-      viewableAlerts.find(
-        a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle
-      )
-    ) {
-      aboveTheFoldPkgIds.add(pkgId)
-    }
-  }
-
-  // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
-  for (const { 0: pkgId } of viewableAlertsByPkgId.entries()) {
-    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
-      break
-    }
-    aboveTheFoldPkgIds.add(pkgId)
-  }
-  // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
-  for (const { 0: pkgId, 1: hiddenAlerts } of hiddenAlertsByPkgId.entries()) {
-    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
-      break
-    }
-    aboveTheFoldPkgIds.add(pkgId)
-    const viewableAlerts = viewableAlertsByPkgId.get(pkgId) ?? []
-    if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
-      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length
-      let removedHiddenAlerts
-      if (hiddenAlerts.length - neededCount > 0) {
-        removedHiddenAlerts = hiddenAlerts.splice(
-          0,
-          MIN_ABOVE_THE_FOLD_ALERT_COUNT
-        )
-      } else {
-        removedHiddenAlerts = hiddenAlerts
-        hiddenAlertsByPkgId.delete(pkgId)
-      }
-      viewableAlertsByPkgId.set(pkgId, [
-        ...viewableAlerts,
-        ...removedHiddenAlerts
-      ])
-    }
-  }
-  const mentionedPkgIdsWithHiddenAlerts = new Set()
-  for (
-    let i = 0,
-      prevAboveTheFold = true,
-      entries = [...viewableAlertsByPkgId.entries()],
-      { length } = entries;
-    i < length;
-    i += 1
-  ) {
-    const { 0: pkgId, 1: alerts } = entries[i]
-    const lines = new Set()
-    for (const alert of alerts) {
-      const { type } = alert
-      const severity = alert.raw.severity ?? ''
-      const attributes = [
-        ...(severity
-          ? [
-              vendor.yoctocolorsCjsExports[ALERT_SEVERITY_COLOR[severity]](
-                getSeverityLabel(severity)
-              )
-            ]
-          : []),
-        ...(alert.blocked
-          ? [
-              vendor.yoctocolorsCjsExports.bold(
-                vendor.yoctocolorsCjsExports.red('blocked')
-              )
-            ]
-          : []),
-        ...(alert.fixable ? ['fixable'] : [])
-      ]
-      const maybeAttributes = attributes.length
-        ? ` ${vendor.yoctocolorsCjsExports.italic(`(${attributes.join('; ')})`)}`
-        : ''
-      // Based data from { pageProps: { alertTypes } } of:
-      // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
-      const info = translations.alerts[type]
-      const title = info?.title ?? type
-      const maybeDesc = info?.description ? ` - ${info.description}` : ''
-      const content = `${title}${maybeAttributes}${maybeDesc}`
-      // TODO: emoji seems to mis-align terminals sometimes
-      lines.add(`  ${content}`)
-    }
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-      idToPurl(pkgId)
-    )
-    const hyperlink = format.hyperlink(
-      pkgId,
-      getSocketDevPackageOverviewUrl(
-        NPM$1,
-        packages.resolvePackageName(purlObj),
-        purlObj.version
-      )
-    )
-    const isAboveTheFold = aboveTheFoldPkgIds.has(pkgId)
-    if (isAboveTheFold) {
-      aboveTheFoldPkgIds.add(pkgId)
-      output.write(`${i ? '\n' : ''}${hyperlink}:\n`)
-    } else {
-      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`)
-    }
-    for (const line of lines) {
-      output.write(`${line}\n`)
-    }
-    const hiddenAlerts = hiddenAlertsByPkgId.get(pkgId) ?? []
-    const { length: hiddenAlertsCount } = hiddenAlerts
-    if (hiddenAlertsCount) {
-      mentionedPkgIdsWithHiddenAlerts.add(pkgId)
-      if (hiddenAlertsCount === 1) {
-        output.write(
-          `  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`
-        )
-      } else {
-        output.write(
-          `  ${vendor.yoctocolorsCjsExports.dim(`+${hiddenAlertsCount} Hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`
-        )
-      }
-    }
-    prevAboveTheFold = isAboveTheFold
-  }
-  const additionalHiddenCount =
-    hiddenAlertsByPkgId.size - mentionedPkgIdsWithHiddenAlerts.size
-  if (additionalHiddenCount) {
-    const totalRiskCounts = {
-      critical: 0,
-      high: 0,
-      middle: 0,
-      low: 0
-    }
-    for (const { 0: pkgId, 1: alerts } of hiddenAlertsByPkgId.entries()) {
-      if (mentionedPkgIdsWithHiddenAlerts.has(pkgId)) {
-        continue
-      }
-      const riskCounts = getHiddenRiskCounts(alerts)
-      totalRiskCounts.critical += riskCounts.critical
-      totalRiskCounts.high += riskCounts.high
-      totalRiskCounts.middle += riskCounts.middle
-      totalRiskCounts.low += riskCounts.low
-    }
-    output.write(
-      `${aboveTheFoldPkgIds.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPkgIds.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`
-    )
-  }
-  output.write('\n')
-}
-
-async function getAlertsMapFromArborist(arb, options_) {
-  const options = {
-    __proto__: null,
-    consolidate: false,
-    limit: Infinity,
-    nothrow: false,
-    ...options_
-  }
-  const include = {
-    __proto__: null,
-    existing: false,
-    ...options.include
-  }
-  const needInfoOn = getDetailsFromDiff(arb.diff, {
-    include: {
-      unchanged: include.existing
-    }
-  })
-  const purls = needInfoOn.map(d => idToPurl(d.node.pkgid))
-  let overrides
-  const overridesMap = (
-    arb.actualTree ??
-    arb.idealTree ??
-    (await arb.loadActual())
-  )?.overrides?.children
-  if (overridesMap) {
-    overrides = Object.fromEntries(
-      [...overridesMap.entries()].map(([key, overrideSet]) => {
-        return [key, overrideSet.value]
-      })
-    )
-  }
-  return await getAlertsMapFromPurls(purls, {
-    overrides,
-    ...options
-  })
-}
-async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
-  const options = {
-    __proto__: null,
-    consolidate: false,
-    limit: Infinity,
-    nothrow: false,
-    ...options_
-  }
-  const purls = extractPurlsFromPnpmLockfile(lockfile)
-  return await getAlertsMapFromPurls(purls, {
-    overrides: lockfile.overrides,
-    ...options
-  })
-}
-async function getAlertsMapFromPurls(purls, options_) {
-  const options = {
-    __proto__: null,
-    consolidate: false,
-    nothrow: false,
-    ...options_
-  }
-  const include = {
-    __proto__: null,
-    actions: undefined,
-    blocked: true,
-    critical: true,
-    cve: true,
-    existing: false,
-    unfixable: true,
-    upgradable: false,
-    ...options.include
-  }
-  const { spinner } = options
-  const uniqPurls = arrays.arrayUnique(purls)
-  let { length: remaining } = uniqPurls
-  const alertsByPkgId = new Map()
-  if (!remaining) {
-    return alertsByPkgId
-  }
-  const getText = () => `Looking up data for ${remaining} packages`
-  spinner?.start(getText())
-  const sockSdk = await setupSdk(getPublicToken())
-  const toAlertsMapOptions = {
-    overrides: options.overrides,
-    consolidate: options.consolidate,
-    include,
-    spinner
-  }
-  for await (const batchResult of sockSdk.batchPackageStream(
-    {
-      alerts: 'true',
-      compact: 'true',
-      ...(include.actions
-        ? {
-            actions: include.actions.join(',')
-          }
-        : {}),
-      ...(include.unfixable
-        ? {}
-        : {
-            fixable: 'true'
-          })
-    },
-    {
-      components: uniqPurls.map(purl => ({
-        purl
-      }))
-    }
-  )) {
-    if (batchResult.success) {
-      await addArtifactToAlertsMap(
-        batchResult.data,
-        alertsByPkgId,
-        toAlertsMapOptions
-      )
-    } else if (!options.nothrow) {
-      const statusCode = batchResult.status ?? 'unknown'
-      const statusMessage = batchResult.error ?? 'No status message'
-      throw new Error(
-        `Socket API server error (${statusCode}): ${statusMessage}`
-      )
-    }
-    remaining -= 1
-    if (spinner && remaining > 0) {
-      spinner.start()
-      spinner.setText(getText())
-    }
-  }
-  spinner?.stop()
-  return alertsByPkgId
-}
-
 const require$2 = Module.createRequire(
-  typeof document === 'undefined'
-    ? require('u' + 'rl').pathToFileURL(__filename).href
-    : (_documentCurrentScript &&
-        _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' &&
-        _documentCurrentScript.src) ||
-        new URL('shadow-npm-inject.js', document.baseURI).href
+  require('u' + 'rl').pathToFileURL(__filename).href
 )
 const {
   NPM,
@@ -2634,7 +1159,7 @@ const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
 }
 const kCtorArgs = Symbol('ctorArgs')
 const kRiskyReify = Symbol('riskyReify')
-const Arborist = require$2(shadowNpmPaths.getArboristClassPath())
+const Arborist = require$2(getArboristClassPath())
 
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
@@ -2722,7 +1247,7 @@ class SafeArborist extends Arborist {
       process.exitCode = 1
       // Lazily access constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS.
       const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS
-      logAlertsMap(alertsMap, {
+      utils.logAlertsMap(alertsMap, {
         hideAt: viewAllRisks ? 'none' : 'middle',
         output: process.stderr
       })
@@ -2744,78 +1269,37 @@ class SafeArborist extends Arborist {
 }
 
 const require$1 = Module.createRequire(
-  typeof document === 'undefined'
-    ? require('u' + 'rl').pathToFileURL(__filename).href
-    : (_documentCurrentScript &&
-        _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' &&
-        _documentCurrentScript.src) ||
-        new URL('shadow-npm-inject.js', document.baseURI).href
+  require('u' + 'rl').pathToFileURL(__filename).href
 )
 function installSafeArborist() {
   // Override '@npmcli/arborist' module exports with patched variants based on
   // https://github.com/npm/cli/pull/8089.
   const cache = require$1.cache
-  cache[shadowNpmPaths.getArboristClassPath()] = {
+  cache[getArboristClassPath()] = {
     exports: SafeArborist
   }
-  cache[shadowNpmPaths.getArboristEdgeClassPath()] = {
+  cache[getArboristEdgeClassPath()] = {
     exports: SafeEdge
   }
-  cache[shadowNpmPaths.getArboristNodeClassPath()] = {
+  cache[getArboristNodeClassPath()] = {
     exports: SafeNode
   }
-  cache[shadowNpmPaths.getArboristOverrideSetClassPath()] = {
+  cache[getArboristOverrideSetClassPath()] = {
     exports: SafeOverrideSet
   }
 }
 
 installSafeArborist()
 
-exports.ALERT_SEVERITY = ALERT_SEVERITY
 exports.Arborist = Arborist
-exports.AuthError = AuthError
-exports.ColorOrMarkdown = ColorOrMarkdown
-exports.InputError = InputError
-exports.RangeStyles = RangeStyles
 exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES =
   SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
 exports.SafeArborist = SafeArborist
-exports.applyRange = applyRange
-exports.captureException = captureException
-exports.filterGlobResultToSupportedFiles = filterGlobResultToSupportedFiles
 exports.findBestPatchVersion = findBestPatchVersion
 exports.findPackageNode = findPackageNode
 exports.findPackageNodes = findPackageNodes
-exports.findUp = findUp
-exports.formatSeverityCount = formatSeverityCount
 exports.getAlertsMapFromArborist = getAlertsMapFromArborist
-exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile
-exports.getAlertsMapFromPurls = getAlertsMapFromPurls
-exports.getConfigValue = getConfigValue
-exports.getConfigValueOrUndef = getConfigValueOrUndef
-exports.getCveInfoByAlertsMap = getCveInfoByAlertsMap
-exports.getDefaultToken = getDefaultToken
-exports.getPublicToken = getPublicToken
-exports.getSeverityCount = getSeverityCount
-exports.getSocketDevAlertUrl = getSocketDevAlertUrl
-exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl
-exports.globWithGitIgnore = globWithGitIgnore
-exports.globWorkspace = globWorkspace
-exports.idToPurl = idToPurl
-exports.isReadOnlyConfig = isReadOnlyConfig
-exports.isTestingV1 = isTestingV1
-exports.overrideCachedConfig = overrideCachedConfig
-exports.overrideConfigApiToken = overrideConfigApiToken
-exports.pathsToGlobPatterns = pathsToGlobPatterns
-exports.readFileBinary = readFileBinary
-exports.readFileUtf8 = readFileUtf8
-exports.removeNodeModules = removeNodeModules
-exports.safeReadFile = safeReadFile
-exports.sensitiveConfigKeys = sensitiveConfigKeys
-exports.setupSdk = setupSdk
-exports.supportedConfigKeys = supportedConfigKeys
-exports.updateConfigValue = updateConfigValue
 exports.updateNode = updateNode
 exports.updatePackageJsonFromNode = updatePackageJsonFromNode
-//# debugId=914bfb89-28c3-474b-b7c7-be1acda844d4
+//# debugId=abb3ad9d-815d-4325-99e6-528b98325c45
 //# sourceMappingURL=shadow-npm-inject.js.map