@socketsecurity/cli-with-sentry 0.14.154 → 0.15.0

package/dist/utils.js

@@ -0,0 +1,3323 @@
+'use strict'
+
+const vendor = require('./vendor.js')
+const logger = require('../external/@socketsecurity/registry/lib/logger')
+const debug = require('../external/@socketsecurity/registry/lib/debug')
+const path = require('node:path')
+const objects = require('../external/@socketsecurity/registry/lib/objects')
+const path$1 = require('../external/@socketsecurity/registry/lib/path')
+const regexps = require('../external/@socketsecurity/registry/lib/regexps')
+const constants = require('./constants.js')
+const prompts = require('../external/@socketsecurity/registry/lib/prompts')
+const strings = require('../external/@socketsecurity/registry/lib/strings')
+const promises = require('node:timers/promises')
+const arrays = require('../external/@socketsecurity/registry/lib/arrays')
+const packages = require('../external/@socketsecurity/registry/lib/packages')
+const fs = require('node:fs')
+const os = require('node:os')
+const registry = require('../external/@socketsecurity/registry')
+const sorts = require('../external/@socketsecurity/registry/lib/sorts')
+const Module = require('node:module')
+const spawn = require('../external/@socketsecurity/registry/lib/spawn')
+const npm = require('../external/@socketsecurity/registry/lib/npm')
+const words = require('../external/@socketsecurity/registry/lib/words')
+const fs$1 = require('../external/@socketsecurity/registry/lib/fs')
+
+const _documentCurrentScript =
+  typeof document !== 'undefined' ? document.currentScript : null
+const { NPM: NPM$6, PNPM: PNPM$2 } = constants
+const PNPM_WORKSPACE = `${PNPM$2}-workspace`
+const ignoredDirs = [
+  // Taken from ignore-by-default:
+  // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
+  '.git',
+  // Git repository files, see <https://git-scm.com/>
+  '.log',
+  // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
+  '.nyc_output',
+  // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
+  '.sass-cache',
+  // Cache folder for node-sass, see <https://github.com/sass/node-sass>
+  '.yarn',
+  // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
+  'bower_components',
+  // Where Bower packages are installed, see <http://bower.io/>
+  'coverage',
+  // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
+  'node_modules',
+  // Where Node modules are installed, see <https://nodejs.org/>
+  // Taken from globby:
+  // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
+  'flow-typed'
+]
+const ignoredDirPatterns = ignoredDirs.map(i => `**/${i}`)
+async function getWorkspaceGlobs(agent, cwd = process.cwd()) {
+  let workspacePatterns
+  if (agent === PNPM$2) {
+    for (const workspacePath of [
+      path.join(cwd, `${PNPM_WORKSPACE}.yaml`),
+      path.join(cwd, `${PNPM_WORKSPACE}.yml`)
+    ]) {
+      // eslint-disable-next-line no-await-in-loop
+      const yml = await safeReadFile(workspacePath)
+      if (yml) {
+        try {
+          workspacePatterns = vendor.distExports$1.parse(yml)?.packages
+        } catch {}
+        if (workspacePatterns) {
+          break
+        }
+      }
+    }
+  } else {
+    workspacePatterns = (
+      await packages.readPackageJson(cwd, {
+        throws: false
+      })
+    )?.['workspaces']
+  }
+  return Array.isArray(workspacePatterns)
+    ? workspacePatterns
+        .filter(strings.isNonEmptyString)
+        .map(workspacePatternToGlobPattern)
+    : []
+}
+function ignoreFileLinesToGlobPatterns(lines, filepath, cwd) {
+  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/')
+  const patterns = []
+  for (let i = 0, { length } = lines; i < length; i += 1) {
+    const pattern = lines[i].trim()
+    if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {
+      patterns.push(
+        ignorePatternToMinimatch(
+          pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/
+            ? `!${path.posix.join(base, pattern.slice(1))}`
+            : path.posix.join(base, pattern)
+        )
+      )
+    }
+  }
+  return patterns
+}
+function ignoreFileToGlobPatterns(content, filepath, cwd) {
+  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd)
+}
+
+// Based on `@eslint/compat` convertIgnorePatternToMinimatch.
+// Apache v2.0 licensed
+// Copyright Nicholas C. Zakas
+// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28
+function ignorePatternToMinimatch(pattern) {
+  const isNegated = pattern.startsWith('!')
+  const negatedPrefix = isNegated ? '!' : ''
+  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()
+  // Special cases.
+  if (
+    patternToTest === '' ||
+    patternToTest === '**' ||
+    patternToTest === '/**' ||
+    patternToTest === '**'
+  ) {
+    return `${negatedPrefix}${patternToTest}`
+  }
+  const firstIndexOfSlash = patternToTest.indexOf('/')
+  const matchEverywherePrefix =
+    firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1
+      ? '**/'
+      : ''
+  const patternWithoutLeadingSlash =
+    firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest
+  // Escape `{` and `(` because in gitignore patterns they are just
+  // literal characters without any specific syntactic meaning,
+  // while in minimatch patterns they can form brace expansion or extglob syntax.
+  //
+  // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.
+  // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.
+  // Minimatch pattern `src/\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.
+  const escapedPatternWithoutLeadingSlash =
+    patternWithoutLeadingSlash.replaceAll(
+      /(?=((?:\\.|[^{(])*))\1([{(])/guy,
+      '$1\\$2'
+    )
+  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : ''
+  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`
+}
+function workspacePatternToGlobPattern(workspace) {
+  const { length } = workspace
+  if (!length) {
+    return ''
+  }
+  // If the workspace ends with "/"
+  if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
+    return `${workspace}/*/package.json`
+  }
+  // If the workspace ends with "/**"
+  if (
+    workspace.charCodeAt(length - 1) === 42 /*'*'*/ &&
+    workspace.charCodeAt(length - 2) === 42 /*'*'*/ &&
+    workspace.charCodeAt(length - 3) === 47 /*'/'*/
+  ) {
+    return `${workspace}/*/**/package.json`
+  }
+  // Things like "packages/a" or "packages/*"
+  return `${workspace}/package.json`
+}
+async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
+  const patterns = ['golang', NPM$6, 'maven', 'pypi', 'gem', 'nuget'].reduce(
+    (r, n) => {
+      const supported = supportedFiles[n]
+      r.push(
+        ...(supported
+          ? Object.values(supported).map(p => `**/${p.pattern}`)
+          : [])
+      )
+      return r
+    },
+    []
+  )
+  return entries.filter(p => vendor.micromatchExports.some(p, patterns))
+}
+async function globWithGitIgnore(patterns, options) {
+  const {
+    cwd = process.cwd(),
+    socketConfig,
+    ...additionalOptions
+  } = {
+    __proto__: null,
+    ...options
+  }
+  const projectIgnorePaths = socketConfig?.projectIgnorePaths
+  const ignoreFiles = await vendor.distExports.glob(['**/.gitignore'], {
+    absolute: true,
+    cwd,
+    expandDirectories: true
+  })
+  const ignores = [
+    ...ignoredDirPatterns,
+    ...(Array.isArray(projectIgnorePaths)
+      ? ignoreFileLinesToGlobPatterns(
+          projectIgnorePaths,
+          path.join(cwd, '.gitignore'),
+          cwd
+        )
+      : []),
+    ...(
+      await Promise.all(
+        ignoreFiles.map(async filepath =>
+          ignoreFileToGlobPatterns(
+            await fs.promises.readFile(filepath, 'utf8'),
+            filepath,
+            cwd
+          )
+        )
+      )
+    ).flat()
+  ]
+  const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /*'!'*/)
+  const globOptions = {
+    absolute: true,
+    cwd,
+    expandDirectories: false,
+    ignore: hasNegatedPattern ? [] : ignores,
+    ...additionalOptions
+  }
+  const result = await vendor.distExports.glob(patterns, globOptions)
+  if (!hasNegatedPattern) {
+    return result
+  }
+  const { absolute } = globOptions
+
+  // Note: the input files must be INSIDE the cwd. If you get strange looking
+  // relative path errors here, most likely your path is outside the given cwd.
+  const filtered = vendor
+    .ignoreExports()
+    .add(ignores)
+    .filter(absolute ? result.map(p => path.relative(cwd, p)) : result)
+  return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered
+}
+async function globNodeModules(cwd = process.cwd()) {
+  return await vendor.distExports.glob('**/node_modules/**', {
+    absolute: true,
+    cwd
+  })
+}
+async function globWorkspace(agent, cwd = process.cwd()) {
+  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd)
+  return workspaceGlobs.length
+    ? await vendor.distExports.glob(workspaceGlobs, {
+        absolute: true,
+        cwd,
+        ignore: ['**/node_modules/**', '**/bower_components/**']
+      })
+    : []
+}
+function pathsToGlobPatterns(paths) {
+  // TODO: Does not support `~/` paths.
+  return paths.map(p => (p === '.' || p === './' ? '**/*' : p))
+}
+
+const { abortSignal } = constants
+async function removeNodeModules(cwd = process.cwd()) {
+  const nodeModulesPaths = await globNodeModules(cwd)
+  await Promise.all(nodeModulesPaths.map(p => fs$1.remove(p)))
+}
+async function findUp(name, { cwd = process.cwd(), signal = abortSignal }) {
+  let dir = path.resolve(cwd)
+  const { root } = path.parse(dir)
+  const names = [name].flat()
+  while (dir && dir !== root) {
+    for (const name of names) {
+      if (signal?.aborted) {
+        return undefined
+      }
+      const filePath = path.join(dir, name)
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        const stats = await fs.promises.stat(filePath)
+        if (stats.isFile()) {
+          return filePath
+        }
+      } catch {}
+    }
+    dir = path.dirname(dir)
+  }
+  return undefined
+}
+async function readFileBinary(filepath, options) {
+  return await fs.promises.readFile(filepath, {
+    signal: abortSignal,
+    ...options,
+    encoding: 'binary'
+  })
+}
+async function readFileUtf8(filepath, options) {
+  return await fs.promises.readFile(filepath, {
+    signal: abortSignal,
+    ...options,
+    encoding: 'utf8'
+  })
+}
+async function safeReadFile(filepath, options) {
+  try {
+    return await fs.promises.readFile(filepath, {
+      encoding: 'utf8',
+      signal: abortSignal,
+      ...(typeof options === 'string'
+        ? {
+            encoding: options
+          }
+        : options)
+    })
+  } catch {}
+  return undefined
+}
+function safeReadFileSync(filepath, options) {
+  try {
+    return fs.readFileSync(filepath, {
+      encoding: 'utf8',
+      ...(typeof options === 'string'
+        ? {
+            encoding: options
+          }
+        : options)
+    })
+  } catch {}
+  return undefined
+}
+
+const { LOCALAPPDATA, SOCKET_APP_DIR } = constants
+const supportedConfigKeys = new Map([
+  ['apiBaseUrl', 'Base URL of the API endpoint'],
+  ['apiProxy', 'A proxy through which to access the API'],
+  ['apiToken', 'The API token required to access most API endpoints'],
+  [
+    'defaultOrg',
+    'The default org slug to use; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.'
+  ],
+  [
+    'enforcedOrgs',
+    'Orgs in this list have their security policies enforced on this machine'
+  ],
+  ['isTestingV1', 'For development of testing the next major bump']
+])
+const sensitiveConfigKeys = new Set(['apiToken'])
+let _cachedConfig
+// When using --config or SOCKET_CLI_CONFIG, do not persist the config.
+let _readOnlyConfig = false
+function overrideCachedConfig(jsonConfig) {
+  debug.debugLog('Overriding entire config, marking config as read-only')
+  let config
+  try {
+    config = JSON.parse(String(jsonConfig))
+    if (!config || typeof config !== 'object') {
+      // `null` is valid json, so are primitive values. They're not valid config objects :)
+      return {
+        ok: false,
+        message: 'Could not parse Config as JSON',
+        cause:
+          "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
+      }
+    }
+  } catch {
+    // Force set an empty config to prevent accidentally using system settings
+    _cachedConfig = {}
+    _readOnlyConfig = true
+    return {
+      ok: false,
+      message: 'Could not parse Config as JSON',
+      cause:
+        "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
+    }
+  }
+
+  // @ts-ignore Override an illegal object.
+  _cachedConfig = config
+  _readOnlyConfig = true
+
+  // Normalize apiKey to apiToken.
+  if (_cachedConfig['apiKey']) {
+    if (_cachedConfig['apiToken']) {
+      logger.logger.warn(
+        'Note: The config override had both apiToken and apiKey. Using the apiToken value. Remove the apiKey to get rid of this message.'
+      )
+    }
+    _cachedConfig['apiToken'] = _cachedConfig['apiKey']
+    delete _cachedConfig['apiKey']
+  }
+  return {
+    ok: true,
+    data: undefined
+  }
+}
+function overrideConfigApiToken(apiToken) {
+  debug.debugLog('Overriding API token, marking config as read-only')
+  // Set token to the local cached config and mark it read-only so it doesn't persist
+  _cachedConfig = {
+    ...vendor.configExports,
+    ...(apiToken === undefined
+      ? {}
+      : {
+          apiToken: String(apiToken)
+        })
+  }
+  _readOnlyConfig = true
+}
+function getConfigValues() {
+  if (_cachedConfig === undefined) {
+    _cachedConfig = {}
+    // Order: env var > --config flag > file
+    const configPath = getConfigPath()
+    if (configPath) {
+      const raw = safeReadFileSync(configPath)
+      if (raw) {
+        try {
+          Object.assign(
+            _cachedConfig,
+            JSON.parse(Buffer.from(raw, 'base64').toString())
+          )
+        } catch {
+          logger.logger.warn(`Failed to parse config at ${configPath}`)
+        }
+        // Normalize apiKey to apiToken and persist it.
+        // This is a one time migration per user.
+        if (_cachedConfig['apiKey']) {
+          const token = _cachedConfig['apiKey']
+          delete _cachedConfig['apiKey']
+          updateConfigValue('apiToken', token)
+        }
+      } else {
+        fs.mkdirSync(path.dirname(configPath), {
+          recursive: true
+        })
+      }
+    }
+  }
+  return _cachedConfig
+}
+let _configPath
+let _warnedConfigPathWin32Missing = false
+function getConfigPath() {
+  // Get the OS app data folder:
+  // - Win: %LOCALAPPDATA% or fail?
+  // - Mac: %XDG_DATA_HOME% or fallback to "~/Library/Application Support/"
+  // - Linux: %XDG_DATA_HOME% or fallback to "~/.local/share/"
+  // Note: LOCALAPPDATA is typically: C:\Users\USERNAME\AppData
+  // Note: XDG stands for "X Desktop Group", nowadays "freedesktop.org"
+  //       On most systems that path is: $HOME/.local/share
+  // Then append `socket/settings`, so:
+  // - Win: %LOCALAPPDATA%\socket\settings or return undefined
+  // - Mac: %XDG_DATA_HOME%/socket/settings or "~/Library/Application Support/socket/settings"
+  // - Linux: %XDG_DATA_HOME%/socket/settings or "~/.local/share/socket/settings"
+
+  if (_configPath === undefined) {
+    // Lazily access constants.WIN32.
+    const { WIN32 } = constants
+    let dataHome = WIN32
+      ? // Lazily access constants.ENV.LOCALAPPDATA
+        constants.ENV.LOCALAPPDATA
+      : // Lazily access constants.ENV.XDG_DATA_HOME
+        constants.ENV.XDG_DATA_HOME
+    if (!dataHome) {
+      if (WIN32) {
+        if (!_warnedConfigPathWin32Missing) {
+          _warnedConfigPathWin32Missing = true
+          logger.logger.warn(`Missing %${LOCALAPPDATA}%`)
+        }
+      } else {
+        dataHome = path.join(
+          os.homedir(),
+          ...(process.platform === 'darwin'
+            ? ['Library', 'Application Support']
+            : ['.local', 'share'])
+        )
+      }
+    }
+    _configPath = dataHome ? path.join(dataHome, SOCKET_APP_DIR) : undefined
+  }
+  return _configPath
+}
+function normalizeConfigKey(key) {
+  // Note: apiKey was the old name of the token. When we load a config with
+  //       property apiKey, we'll copy that to apiToken and delete the old property.
+  const normalizedKey = key === 'apiKey' ? 'apiToken' : key
+  if (!supportedConfigKeys.has(normalizedKey)) {
+    return {
+      ok: false,
+      message: `Invalid config key: ${normalizedKey}`,
+      data: undefined
+    }
+  }
+  return {
+    ok: true,
+    data: key
+  }
+}
+function findSocketYmlSync(dir = process.cwd()) {
+  let prevDir = null
+  while (dir !== prevDir) {
+    let ymlPath = path.join(dir, 'socket.yml')
+    let yml = safeReadFileSync(ymlPath)
+    if (yml === undefined) {
+      ymlPath = path.join(dir, 'socket.yaml')
+      yml = safeReadFileSync(ymlPath)
+    }
+    if (typeof yml === 'string') {
+      try {
+        return {
+          path: ymlPath,
+          parsed: vendor.configExports.parseSocketConfig(yml)
+        }
+      } catch {
+        throw new Error(`Found file but was unable to parse ${ymlPath}`)
+      }
+    }
+    prevDir = dir
+    dir = path.join(dir, '..')
+  }
+  return null
+}
+function getConfigValue(key) {
+  const localConfig = getConfigValues()
+  const keyResult = normalizeConfigKey(key)
+  if (!keyResult.ok) {
+    return keyResult
+  }
+  return {
+    ok: true,
+    data: localConfig[keyResult.data]
+  }
+}
+// This version squashes errors, returning undefined instead.
+// Should be used when we can reasonably predict the call can't fail.
+function getConfigValueOrUndef(key) {
+  const localConfig = getConfigValues()
+  const keyResult = normalizeConfigKey(key)
+  if (!keyResult.ok) {
+    return undefined
+  }
+  return localConfig[keyResult.data]
+}
+function isReadOnlyConfig() {
+  return _readOnlyConfig
+}
+let _pendingSave = false
+function updateConfigValue(key, value) {
+  const localConfig = getConfigValues()
+  const keyResult = normalizeConfigKey(key)
+  if (!keyResult.ok) {
+    return keyResult
+  }
+  localConfig[keyResult.data] = value
+  if (_readOnlyConfig) {
+    return {
+      ok: true,
+      message: `Config key '${key}' was updated`,
+      data: 'Change applied but not persisted; current config is overridden through env var or flag'
+    }
+  }
+  if (!_pendingSave) {
+    _pendingSave = true
+    process.nextTick(() => {
+      _pendingSave = false
+      const configPath = getConfigPath()
+      if (configPath) {
+        fs.writeFileSync(
+          configPath,
+          Buffer.from(JSON.stringify(localConfig)).toString('base64')
+        )
+      }
+    })
+  }
+  return {
+    ok: true,
+    message: `Config key '${key}' was updated`,
+    data: undefined
+  }
+}
+function isTestingV1() {
+  return !!getConfigValueOrUndef('isTestingV1')
+}
+
+const {
+  kInternalsSymbol,
+  [kInternalsSymbol]: { getSentry }
+} = constants
+class AuthError extends Error {}
+class InputError extends Error {
+  constructor(message, body) {
+    super(message)
+    this.body = body
+  }
+}
+async function captureException(exception, hint) {
+  const result = captureExceptionSync(exception, hint)
+  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
+  await promises.setTimeout(1000)
+  return result
+}
+function captureExceptionSync(exception, hint) {
+  const Sentry = getSentry()
+  if (!Sentry) {
+    return ''
+  }
+  debug.debugLog('captureException: Sending exception to Sentry')
+  return Sentry.captureException(exception, hint)
+}
+
+function failMsgWithBadge(badge, msg) {
+  return `${vendor.yoctocolorsCjsExports.bgRed(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.white(` ${badge}${msg ? ': ' : ''}`)))}${msg ? ' ' + vendor.yoctocolorsCjsExports.bold(msg) : ''}`
+}
+
+const { SOCKET_PUBLIC_API_TOKEN } = constants
+
+// The API server that should be used for operations.
+function getDefaultApiBaseUrl$1() {
+  const baseUrl =
+    // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
+    constants.ENV.SOCKET_SECURITY_API_BASE_URL ||
+    getConfigValueOrUndef('apiBaseUrl')
+  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined
+}
+
+// The API server that should be used for operations.
+function getDefaultHttpProxy() {
+  const apiProxy =
+    // Lazily access constants.ENV.SOCKET_SECURITY_API_PROXY.
+    constants.ENV.SOCKET_SECURITY_API_PROXY || getConfigValueOrUndef('apiProxy')
+  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined
+}
+
+// This API key should be stored globally for the duration of the CLI execution.
+let _defaultToken
+function getDefaultToken() {
+  // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.
+  if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {
+    _defaultToken = undefined
+  } else {
+    const key =
+      // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
+      constants.ENV.SOCKET_SECURITY_API_TOKEN ||
+      getConfigValueOrUndef('apiToken') ||
+      _defaultToken
+    _defaultToken = strings.isNonEmptyString(key) ? key : undefined
+  }
+  return _defaultToken
+}
+function getVisibleTokenPrefix() {
+  const apiToken = getDefaultToken()
+  if (!apiToken) {
+    return ''
+  }
+  const PREFIX = 'sktsec_'
+  return apiToken.slice(PREFIX.length, PREFIX.length + 5)
+}
+function hasDefaultToken() {
+  return !!getDefaultToken()
+}
+function getPublicToken() {
+  return (
+    // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
+    (constants.ENV.SOCKET_SECURITY_API_TOKEN || getDefaultToken()) ??
+    SOCKET_PUBLIC_API_TOKEN
+  )
+}
+async function setupSdk(
+  apiToken = getDefaultToken(),
+  apiBaseUrl = getDefaultApiBaseUrl$1(),
+  proxy = getDefaultHttpProxy()
+) {
+  if (typeof apiToken !== 'string' && vendor.isInteractiveExports()) {
+    apiToken = await prompts.password({
+      message:
+        'Enter your Socket.dev API key (not saved, use socket login to persist)'
+    })
+    _defaultToken = apiToken
+  }
+  if (!apiToken) {
+    return {
+      ok: false,
+      message: 'Auth Error',
+      cause: 'You need to provide an API Token. Run `socket login` first.'
+    }
+  }
+  return {
+    ok: true,
+    data: new vendor.distExports$2.SocketSdk(apiToken, {
+      agent: proxy
+        ? new vendor.HttpsProxyAgent({
+            proxy
+          })
+        : undefined,
+      baseUrl: apiBaseUrl,
+      userAgent: vendor.distExports$2.createUserAgentFromPkgJson({
+        // Lazily access constants.ENV.INLINED_SOCKET_CLI_NAME.
+        name: constants.ENV.INLINED_SOCKET_CLI_NAME,
+        // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION.
+        version: constants.ENV.INLINED_SOCKET_CLI_VERSION,
+        // Lazily access constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE.
+        homepage: constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE
+      })
+    })
+  }
+}
+
+// TODO: this function is removed after v1.0.0
+function handleUnsuccessfulApiResponse(_name, error, cause, status) {
+  const message = `${error || 'No error message returned'}${cause ? ` (reason: ${cause})` : ''}`
+  if (status === 401 || status === 403) {
+    // Lazily access constants.spinner.
+    const { spinner } = constants
+    spinner.stop()
+    throw new AuthError(message)
+  }
+  logger.logger.fail(failMsgWithBadge('Socket API returned an error', message))
+  // eslint-disable-next-line n/no-process-exit
+  process.exit(1)
+}
+async function handleApiCall(value, fetchingDesc) {
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  spinner.start(`Requesting ${fetchingDesc} from API...`)
+  let result
+  try {
+    result = await value
+
+    // TODO: info, not success (looks weird when response is non-200)
+    spinner.successAndStop(
+      `Received API response (after requesting ${fetchingDesc}).`
+    )
+  } catch (e) {
+    spinner.failAndStop(`An error was thrown while requesting ${fetchingDesc}`)
+    debug.debugLog(`handleApiCall(${fetchingDesc}) threw error:\n`, e)
+    const message = `${e || 'No error message returned'}`
+    const cause = `${e || 'No error message returned'}`
+    return {
+      ok: false,
+      message: 'Socket API returned an error',
+      cause: `${message}${cause ? ` ( Reason: ${cause} )` : ''}`
+    }
+  } finally {
+    spinner.stop()
+  }
+
+  // Note: TS can't narrow down the type of result due to generics
+  if (result.success === false) {
+    const err = result
+    const message = `${err.error || 'No error message returned'}`
+    debug.debugLog(`handleApiCall(${fetchingDesc}) bad response:\n`, err)
+    return {
+      ok: false,
+      message: 'Socket API returned an error',
+      cause: `${message}${err.cause ? ` ( Reason: ${err.cause} )` : ''}`,
+      data: {
+        code: result.status
+      }
+    }
+  } else {
+    const ok = result
+    return {
+      ok: true,
+      data: ok.data
+    }
+  }
+}
+async function handleApiCallNoSpinner(value, description) {
+  let result
+  try {
+    result = await value
+  } catch (e) {
+    debug.debugLog(`handleApiCall(${description}) threw error:\n`, e)
+    const message = `${e || 'No error message returned'}`
+    const cause = `${e || 'No error message returned'}`
+    return {
+      ok: false,
+      message: 'Socket API returned an error',
+      cause: `${message}${cause ? ` ( Reason: ${cause} )` : ''}`
+    }
+  }
+
+  // Note: TS can't narrow down the type of result due to generics
+  if (result.success === false) {
+    const err = result
+    const message = `${err.error || 'No error message returned'}`
+    debug.debugLog(`handleApiCall(${description}) bad response:\n`, err)
+    return {
+      ok: false,
+      message: 'Socket API returned an error',
+      cause: `${message}${err.cause ? ` ( Reason: ${err.cause} )` : ''}`,
+      data: {
+        code: result.status
+      }
+    }
+  } else {
+    const ok = result
+    return {
+      ok: true,
+      data: ok.data
+    }
+  }
+}
+async function getErrorMessageForHttpStatusCode(code) {
+  if (code === 400) {
+    return 'One of the options passed might be incorrect'
+  }
+  if (code === 403 || code === 401) {
+    return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with'
+  }
+  if (code === 404) {
+    return 'The requested Socket API endpoint was not found (404) or there was no result for the requested parameters. If unexpected, this could be a temporary problem caused by an incident or a bug in the CLI. If the problem persists please let us know.'
+  }
+  if (code === 500) {
+    return 'There was an unknown server side problem with your request. This ought to be temporary. Please let us know if this problem persists.'
+  }
+  return `Server responded with status code ${code}`
+}
+
+// The API server that should be used for operations.
+function getDefaultApiBaseUrl() {
+  // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
+  const SOCKET_SECURITY_API_BASE_URL =
+    constants.ENV.SOCKET_SECURITY_API_BASE_URL
+  const baseUrl =
+    SOCKET_SECURITY_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl')
+  if (strings.isNonEmptyString(baseUrl)) {
+    return baseUrl
+  }
+  // Lazily access constants.API_V0_URL.
+  const API_V0_URL = constants.API_V0_URL
+  return API_V0_URL
+}
+async function queryApi(path, apiToken) {
+  const baseUrl = getDefaultApiBaseUrl() || ''
+  if (!baseUrl) {
+    logger.logger.warn(
+      'API endpoint is not set and default was empty. Request is likely to fail.'
+    )
+  }
+  return await fetch(`${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`, {
+    method: 'GET',
+    headers: {
+      Authorization: `Basic ${btoa(`${apiToken}:`)}`
+    }
+  })
+}
+async function queryApiSafeText(path, fetchSpinnerDesc) {
+  const apiToken = getDefaultToken()
+  if (!apiToken) {
+    return {
+      ok: false,
+      message: 'Authentication Error',
+      cause:
+        'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.'
+    }
+  }
+  if (fetchSpinnerDesc) {
+    // Lazily access constants.spinner.
+    const { spinner } = constants
+    spinner.start(`Requesting ${fetchSpinnerDesc} from API...`)
+  }
+  let result
+  try {
+    result = await queryApi(path, apiToken)
+    if (fetchSpinnerDesc) {
+      // Lazily access constants.spinner.
+      const { spinner } = constants
+      spinner.successAndStop(
+        `Received API response (after requesting ${fetchSpinnerDesc}).`
+      )
+    }
+  } catch (e) {
+    if (fetchSpinnerDesc) {
+      // Lazily access constants.spinner.
+      const { spinner } = constants
+      spinner.failAndStop(
+        `An error was thrown while requesting ${fetchSpinnerDesc}`
+      )
+    }
+    debug.debugLog('Error thrown trying to await queryApi():')
+    debug.debugLog(e)
+    const msg = e?.message
+    return {
+      ok: false,
+      message: 'API Request failed to complete',
+      ...(msg
+        ? {
+            cause: msg
+          }
+        : {})
+    }
+  }
+  if (!result.ok) {
+    const cause = await getErrorMessageForHttpStatusCode(result.status)
+    return {
+      ok: false,
+      message: 'Socket API returned an error',
+      cause: `${result.statusText}${cause ? ` (cause: ${cause})` : ''}`
+    }
+  }
+  try {
+    const data = await result.text()
+    return {
+      ok: true,
+      data
+    }
+  } catch (e) {
+    debug.debugLog('Error thrown trying to await result.text():')
+    debug.debugLog(e)
+    return {
+      ok: false,
+      message: 'API Request failed to complete',
+      cause: 'There was an unexpected error trying to read the response text'
+    }
+  }
+}
+async function queryApiSafeJson(path, fetchSpinnerDesc = '') {
+  const result = await queryApiSafeText(path, fetchSpinnerDesc)
+  if (!result.ok) {
+    return result
+  }
+  try {
+    return {
+      ok: true,
+      data: JSON.parse(result.data)
+    }
+  } catch (e) {
+    return {
+      ok: false,
+      message: 'Server returned invalid JSON',
+      cause: `Please report this. JSON.parse threw an error over the following response: \`${(result.data?.slice?.(0, 100) || '<empty>').trim() + (result.data?.length > 100 ? '...' : '')}\``
+    }
+  }
+}
+
+function mdTableStringNumber(title1, title2, obj) {
+  // | Date        | Counts |
+  // | ----------- | ------ |
+  // | Header      | 201464 |
+  // | Paragraph   |     18 |
+  let mw1 = title1.length
+  let mw2 = title2.length
+  for (const [key, value] of Object.entries(obj)) {
+    mw1 = Math.max(mw1, key.length)
+    mw2 = Math.max(mw2, String(value ?? '').length)
+  }
+  const lines = []
+  lines.push(`| ${title1.padEnd(mw1, ' ')} | ${title2.padEnd(mw2)} |`)
+  lines.push(`| ${'-'.repeat(mw1)} | ${'-'.repeat(mw2)} |`)
+  for (const [key, value] of Object.entries(obj)) {
+    lines.push(
+      `| ${key.padEnd(mw1, ' ')} | ${String(value ?? '').padStart(mw2, ' ')} |`
+    )
+  }
+  lines.push(`| ${'-'.repeat(mw1)} | ${'-'.repeat(mw2)} |`)
+  return lines.join('\n')
+}
+function mdTable(
+  logs,
+  // This is saying "an array of strings and the strings are a valid key of elements of T"
+  // In turn, T is defined above as the audit log event type from our OpenAPI docs.
+  cols,
+  titles = cols
+) {
+  // Max col width required to fit all data in that column
+  const cws = cols.map(col => col.length)
+  for (const log of logs) {
+    for (let i = 0, { length } = cols; i < length; i += 1) {
+      // @ts-ignore
+      const val = log[cols[i] ?? ''] ?? ''
+      cws[i] = Math.max(
+        cws[i] ?? 0,
+        String(val).length,
+        (titles[i] || '').length
+      )
+    }
+  }
+  let div = '|'
+  for (const cw of cws) {
+    div += ' ' + '-'.repeat(cw) + ' |'
+  }
+  let header = '|'
+  for (let i = 0, { length } = titles; i < length; i += 1) {
+    header += ' ' + String(titles[i]).padEnd(cws[i] ?? 0, ' ') + ' |'
+  }
+  let body = ''
+  for (const log of logs) {
+    body += '|'
+    for (let i = 0, { length } = cols; i < length; i += 1) {
+      // @ts-ignore
+      const val = log[cols[i] ?? ''] ?? ''
+      body += ' ' + String(val).padEnd(cws[i] ?? 0, ' ') + ' |'
+    }
+    body += '\n'
+  }
+  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n')
+}
+function mdTableOfPairs(
+  arr,
+  // This is saying "an array of strings and the strings are a valid key of elements of T"
+  // In turn, T is defined above as the audit log event type from our OpenAPI docs.
+  cols
+) {
+  // Max col width required to fit all data in that column
+  const cws = cols.map(col => col.length)
+  for (const [key, val] of arr) {
+    cws[0] = Math.max(cws[0] ?? 0, String(key).length)
+    cws[1] = Math.max(cws[1] ?? 0, String(val ?? '').length)
+  }
+  let div = '|'
+  for (const cw of cws) {
+    div += ' ' + '-'.repeat(cw) + ' |'
+  }
+  let header = '|'
+  for (let i = 0, { length } = cols; i < length; i += 1) {
+    header += ' ' + String(cols[i]).padEnd(cws[i] ?? 0, ' ') + ' |'
+  }
+  let body = ''
+  for (const [key, val] of arr) {
+    body += '|'
+    body += ' ' + String(key).padEnd(cws[0] ?? 0, ' ') + ' |'
+    body += ' ' + String(val ?? '').padEnd(cws[1] ?? 0, ' ') + ' |'
+    body += '\n'
+  }
+  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n')
+}
+
+// Serialize the final result object before printing it
+// All commands that support the --json flag should call this before printing
+function serializeResultJson(data) {
+  if (typeof data !== 'object' || !data) {
+    process.exitCode = 1
+    // We should not allow to expect the json value to be "null", or a boolean/number/string, even if they are valid "json".
+    const msg =
+      'There was a problem converting the data set to JSON. The JSON was not an object. Please try again without --json'
+    debug.debugLog('typeof data=', typeof data)
+    if (typeof data !== 'object' && data) {
+      debug.debugLog('data:\n', data)
+    }
+    return (
+      JSON.stringify({
+        ok: false,
+        message: 'Unable to serialize JSON',
+        data: msg
+      }).trim() + '\n'
+    )
+  }
+  try {
+    return JSON.stringify(data, null, 2).trim() + '\n'
+  } catch (e) {
+    debug.debugLog('Error:\n', e)
+    process.exitCode = 1
+    // This could be caused by circular references, which is an "us" problem
+    const msg =
+      'There was a problem converting the data set to JSON. Please try again without --json'
+    logger.logger.error(msg)
+    return (
+      JSON.stringify({
+        ok: false,
+        message: 'Unable to serialize JSON',
+        data: msg
+      }).trim() + '\n'
+    )
+  }
+}
+
+// TODO: not sure if I'm missing something but meow doesn't seem to expose this?
+
+// Note: we use this description in getFlagListOutput, meow doesn't care
+
+const commonFlags = {
+  config: {
+    type: 'string',
+    default: '',
+    hidden: true,
+    description: 'Override the local config with this JSON'
+  },
+  dryRun: {
+    type: 'boolean',
+    default: false,
+    hidden: true,
+    // Only show in root command
+    description: 'Do input validation for a command and exit 0 when input is ok'
+  },
+  help: {
+    type: 'boolean',
+    default: false,
+    shortFlag: 'h',
+    description: 'Print this help'
+  },
+  silent: {
+    type: 'boolean',
+    default: false,
+    hidden: true,
+    shortFlag: 's',
+    description: 'Make the CLI less chatty'
+  }
+}
+const outputFlags = {
+  json: {
+    type: 'boolean',
+    shortFlag: 'j',
+    default: false,
+    description: 'Output result as json'
+  },
+  markdown: {
+    type: 'boolean',
+    shortFlag: 'm',
+    default: false,
+    description: 'Output result as markdown'
+  }
+}
+const validationFlags = {
+  all: {
+    type: 'boolean',
+    default: false,
+    description: 'Include all issues'
+  },
+  strict: {
+    type: 'boolean',
+    default: false,
+    description: 'Exits with an error code if any matching issues are found'
+  }
+}
+
+function checkCommandInput(outputKind, ...checks) {
+  if (checks.every(d => d.test)) {
+    return true
+  }
+  const msg = ['Please review the input requirements and try again', '']
+  for (const d of checks) {
+    // If nook, then ignore when test is ok
+    if (d.nook && d.test) {
+      continue
+    }
+    const lines = d.message.split('\n')
+    const { length: lineCount } = lines
+    if (!lineCount) {
+      continue
+    }
+    // If the message has newlines then format the first line with the input
+    // expectation and the rest indented below it.
+    msg.push(
+      `  - ${lines[0]} (${d.test ? vendor.yoctocolorsCjsExports.green(d.pass) : vendor.yoctocolorsCjsExports.red(d.fail)})`
+    )
+    if (lineCount > 1) {
+      msg.push(...lines.slice(1).map(str => `    ${str}`))
+    }
+    msg.push('')
+  }
+
+  // Use exit status of 2 to indicate incorrect usage, generally invalid
+  // options or missing arguments.
+  // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
+  process.exitCode = 2
+  if (outputKind === 'json') {
+    logger.logger.log(
+      serializeResultJson({
+        ok: false,
+        message: 'Input error',
+        data: msg.join('\n')
+      })
+    )
+  } else {
+    logger.logger.fail(failMsgWithBadge('Input error', msg.join('\n')))
+  }
+  return false
+}
+
+function getOutputKind(json, markdown) {
+  if (json) {
+    return 'json'
+  }
+  if (markdown) {
+    return 'markdown'
+  }
+  return 'text'
+}
+
+function getFlagListOutput(list, indent, { keyPrefix = '--', padName } = {}) {
+  return getHelpListOutput(
+    {
+      ...list
+    },
+    indent,
+    {
+      keyPrefix,
+      padName
+    }
+  )
+}
+function getHelpListOutput(
+  list,
+  indent,
+  { keyPrefix = '', padName = 18 } = {}
+) {
+  let result = ''
+  const names = Object.keys(list).sort()
+  for (const name of names) {
+    const entry = list[name]
+    if (entry && 'hidden' in entry && entry?.hidden) {
+      continue
+    }
+    const description =
+      (typeof entry === 'object' ? entry.description : entry) || ''
+    result +=
+      ''.padEnd(indent) +
+      (keyPrefix + name).padEnd(padName) +
+      description +
+      '\n'
+  }
+  return result.trim() || '(none)'
+}
+
+async function meowWithSubcommands(subcommands, options) {
+  const {
+    aliases = {},
+    argv,
+    defaultSub,
+    importMeta,
+    name,
+    ...additionalOptions
+  } = {
+    __proto__: null,
+    ...options
+  }
+  const [commandOrAliasName_, ...rawCommandArgv] = argv
+  let commandOrAliasName = commandOrAliasName_
+  if (!commandOrAliasName && defaultSub) {
+    commandOrAliasName = defaultSub
+  }
+  const flags = {
+    ...commonFlags,
+    ...additionalOptions.flags
+  }
+
+  // No further args or first arg is a flag (shrug)
+  if (
+    name === 'socket' &&
+    (!commandOrAliasName || commandOrAliasName?.startsWith('-'))
+  ) {
+    flags['dryRun'] = {
+      type: 'boolean',
+      default: false,
+      hidden: false,
+      // Only show on root
+      description:
+        'Do input validation for a command and exit 0 when input is ok. Every command should support this flag (not shown on help screens)'
+    }
+  }
+
+  // This is basically a dry-run parse of cli args and flags. We use this to
+  // determine config overrides and expected output mode.
+  const cli1 = vendor.meow(`(this should never be printed)`, {
+    argv,
+    importMeta,
+    ...additionalOptions,
+    flags,
+    // Do not strictly check for flags here.
+    allowUnknownFlags: true,
+    // We will emit help when we're ready
+    // Plus, if we allow this then meow() can just exit here.
+    autoHelp: false
+  })
+
+  // Hard override the config if instructed to do so.
+  // The env var overrides the --flag, which overrides the persisted config
+  // Also, when either of these are used, config updates won't persist.
+  let configOverrideResult
+  // Lazily access constants.ENV.SOCKET_CLI_CONFIG.
+  if (constants.ENV.SOCKET_CLI_CONFIG) {
+    configOverrideResult = overrideCachedConfig(
+      // Lazily access constants.ENV.SOCKET_CLI_CONFIG.
+      constants.ENV.SOCKET_CLI_CONFIG
+    )
+  } else if (cli1.flags['config']) {
+    configOverrideResult = overrideCachedConfig(
+      String(cli1.flags['config'] || '')
+    )
+  }
+
+  // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.
+  if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {
+    // This overrides the config override and even the explicit token env var.
+    // The config will be marked as readOnly to prevent persisting it.
+    overrideConfigApiToken(undefined)
+  } else {
+    // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
+    const tokenOverride = constants.ENV.SOCKET_SECURITY_API_TOKEN
+    if (tokenOverride) {
+      // This will set the token (even if there was a config override) and
+      // set it to readOnly, making sure the temp token won't be persisted.
+      overrideConfigApiToken(tokenOverride)
+    }
+  }
+  if (configOverrideResult?.ok === false) {
+    emitBanner(name)
+    logger.logger.fail(configOverrideResult.message)
+    process.exitCode = 2
+    return
+  }
+
+  // If we got at least some args, then lets find out if we can find a command.
+  if (commandOrAliasName) {
+    const alias = aliases[commandOrAliasName]
+    // First: Resolve argv data from alias if its an alias that's been given.
+    const [commandName, ...commandArgv] = alias
+      ? [...alias.argv, ...rawCommandArgv]
+      : [commandOrAliasName, ...rawCommandArgv]
+    // Second: Find a command definition using that data.
+    const commandDefinition = commandName ? subcommands[commandName] : undefined
+    // Third: If a valid command has been found, then we run it...
+    if (commandDefinition) {
+      return await commandDefinition.run(commandArgv, importMeta, {
+        parentName: name
+      })
+    }
+  }
+  if (isTestingV1()) {
+    delete subcommands['diff-scan']
+    delete subcommands['info']
+    delete subcommands['report']
+  }
+
+  // Parse it again. Config overrides should now be applied (may affect help).
+  const cli2 = vendor.meow(
+    `
+    Usage
+      $ ${name} <command>
+
+    Commands
+      ${getHelpListOutput(
+        {
+          ...objects.toSortedObject(
+            Object.fromEntries(
+              Object.entries(subcommands).filter(
+                ({ 1: subcommand }) => !subcommand.hidden
+              )
+            )
+          ),
+          ...objects.toSortedObject(
+            Object.fromEntries(
+              Object.entries(aliases).filter(({ 1: alias }) => {
+                const { hidden } = alias
+                const cmdName = hidden ? '' : alias.argv[0]
+                const subcommand = cmdName ? subcommands[cmdName] : undefined
+                return subcommand && !subcommand.hidden
+              })
+            )
+          )
+        },
+        6
+      )}
+
+    Options
+      ${getFlagListOutput(flags, 6)}
+
+    Examples
+      $ ${name} --help
+  `,
+    {
+      argv,
+      importMeta,
+      ...additionalOptions,
+      flags,
+      // Do not strictly check for flags here.
+      allowUnknownFlags: true,
+      // We will emit help when we're ready
+      // Plus, if we allow this then meow() can just exit here.
+      autoHelp: false
+    }
+  )
+
+  // ...else we provide basic instructions and help.
+  if (!cli2.flags['silent']) {
+    emitBanner(name)
+  }
+  if (!cli2.flags['help'] && cli2.flags['dryRun']) {
+    process.exitCode = 0
+    // Lazily access constants.DRY_RUN_LABEL.
+    logger.logger.log(
+      `${constants.DRY_RUN_LABEL}: No-op, call a sub-command; ok`
+    )
+  } else {
+    // When you explicitly request --help, the command should be successful
+    // so we exit(0). If we do it because we need more input, we exit(2).
+    cli2.showHelp(cli2.flags['help'] ? 0 : 2)
+  }
+}
+
+/**
+ * Note: meow will exit immediately if it calls its .showHelp()
+ */
+function meowOrExit({
+  allowUnknownFlags,
+  // commands that pass-through args need to allow this
+  argv,
+  config,
+  importMeta,
+  parentName
+}) {
+  const command = `${parentName} ${config.commandName}`
+
+  // This exits if .printHelp() is called either by meow itself or by us.
+  const cli = vendor.meow({
+    argv,
+    description: config.description,
+    help: config.help(command, config),
+    importMeta,
+    flags: config.flags,
+    allowUnknownFlags: true,
+    // meow will exit(1) before printing the banner
+    autoHelp: false // meow will exit(0) before printing the banner
+  })
+  if (!cli.flags['silent']) {
+    emitBanner(command)
+  }
+  if (!allowUnknownFlags) {
+    // Run meow specifically with the flag setting. It will exit(2) if an
+    // invalid flag is set and print a message.
+    vendor.meow({
+      argv,
+      description: config.description,
+      help: config.help(command, config),
+      importMeta,
+      flags: config.flags,
+      allowUnknownFlags: false,
+      autoHelp: false
+    })
+  }
+  if (cli.flags['help']) {
+    cli.showHelp(0)
+  }
+  // Now test for help state. Run meow again. If it exits now, it must be due
+  // to wanting to print the help screen. But it would exit(0) and we want a
+  // consistent exit(2) for that case (missing input). TODO: move away from meow
+  process.exitCode = 2
+  vendor.meow({
+    argv,
+    description: config.description,
+    help: config.help(command, config),
+    importMeta,
+    flags: config.flags,
+    allowUnknownFlags: Boolean(allowUnknownFlags),
+    autoHelp: false
+  })
+  // Ok, no help, reset to default.
+  process.exitCode = 0
+  return cli
+}
+function emitBanner(name) {
+  // Print a banner at the top of each command.
+  // This helps with brand recognition and marketing.
+  // It also helps with debugging since it contains version and command details.
+  // Note: print over stderr to preserve stdout for flags like --json and
+  //       --markdown. If we don't do this, you can't use --json in particular
+  //       and pipe the result to other tools. By emitting the banner over stderr
+  //       you can do something like `socket scan view xyz | jq | process`.
+  //       The spinner also emits over stderr for example.
+  logger.logger.error(getAsciiHeader(name))
+}
+function getAsciiHeader(command) {
+  // Note: In tests we return <redacted> because otherwise snapshots will fail.
+  const { REDACTED } = constants
+  // Lazily access constants.ENV.VITEST.
+  const redacting = constants.ENV.VITEST
+  const cliVersion = redacting
+    ? REDACTED
+    : // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH.
+      constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH
+  const nodeVersion = redacting ? REDACTED : process.version
+  const defaultOrg = getConfigValueOrUndef('defaultOrg')
+  const readOnlyConfig = isReadOnlyConfig() ? '*' : '.'
+  const v1test = isTestingV1() ? ' (is testing v1)' : ''
+  const feedback = isTestingV1()
+    ? vendor.yoctocolorsCjsExports.green(
+        '   (Thank you for testing the v1 bump! Please send us any feedback you might have!)\n'
+      )
+    : ''
+  const shownToken = redacting ? REDACTED : getVisibleTokenPrefix() || 'no'
+  const relCwd = redacting
+    ? REDACTED
+    : path$1.normalizePath(
+        process
+          .cwd()
+          .replace(
+            new RegExp(
+              `^${regexps.escapeRegExp(constants.homePath)}(?:${path.sep}|$)`,
+              'i'
+            ),
+            '~/'
+          )
+      )
+  let nodeVerWarn = ''
+  if ((vendor.semverExports.parse(constants.NODE_VERSION)?.major ?? 0) < 20) {
+    nodeVerWarn += vendor.yoctocolorsCjsExports.bold(
+      `   ${vendor.yoctocolorsCjsExports.red('Warning:')} NodeJS version 19 and lower will be ${vendor.yoctocolorsCjsExports.red('unsupported')} after April 30th, 2025.`
+    )
+    nodeVerWarn += '\n'
+    nodeVerWarn +=
+      '            Soon after the Socket CLI will require NodeJS version 20 or higher.'
+    nodeVerWarn += '\n'
+  }
+  const body = `
+   _____         _       _        /---------------
+  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver ${cliVersion}${v1test}
+  |__   | ${readOnlyConfig} |  _| '_| -_|  _|     | Node: ${nodeVersion}, API token set: ${shownToken}${defaultOrg ? `, default org: ${redacting ? REDACTED : defaultOrg}` : ''}
+  |_____|___|___|_,_|___|_|.dev   | Command: \`${command}\`, cwd: ${relCwd}`.trimStart()
+  return `   ${body}\n${nodeVerWarn}${feedback}`
+}
+
+async function suggestOrgSlug() {
+  const sockSdkResult = await setupSdk()
+  if (!sockSdkResult.ok) {
+    return
+  }
+  const sockSdk = sockSdkResult.data
+  const result = await handleApiCall(
+    sockSdk.getOrganizations(),
+    'list of organizations'
+  )
+
+  // Ignore a failed request here. It was not the primary goal of
+  // running this command and reporting it only leads to end-user confusion.
+  if (result.ok) {
+    const proceed = await prompts.select({
+      message:
+        'Missing org name; do you want to use any of these orgs for this scan?',
+      choices: [
+        ...Object.values(result.data.organizations).map(org => {
+          const name = org.name ?? org.slug
+          return {
+            name: `Yes [${name}]`,
+            value: name,
+            description: `Use "${name}" as the organization`
+          }
+        }),
+        {
+          name: 'No',
+          value: '',
+          description:
+            'Do not use any of these organizations (will end in a no-op)'
+        }
+      ]
+    })
+    if (proceed) {
+      return proceed
+    }
+  } else {
+    logger.logger.fail(
+      'Failed to lookup organization list from API, unable to suggest'
+    )
+  }
+}
+
+async function determineOrgSlug(orgFlag, firstArg, interactive, dryRun) {
+  const defaultOrgSlug = getConfigValueOrUndef('defaultOrg')
+  let orgSlug = String(orgFlag || defaultOrgSlug || '')
+  if (!orgSlug) {
+    if (isTestingV1()) {
+      // ask from server
+      logger.logger.error(
+        'Missing the org slug and no --org flag set. Trying to auto-discover the org now...'
+      )
+      logger.logger.error(
+        'Note: you can set the default org slug to prevent this issue. You can also override all that with the --org flag.'
+      )
+      if (dryRun) {
+        logger.logger.fail('Skipping auto-discovery of org in dry-run mode')
+      } else if (!interactive) {
+        logger.logger.fail(
+          'Skipping auto-discovery of org when interactive = false'
+        )
+      } else {
+        orgSlug = (await suggestOrgSlug()) || ''
+      }
+    } else {
+      orgSlug = firstArg || ''
+    }
+  }
+  return [orgSlug, defaultOrgSlug]
+}
+
+const { NODE_MODULES: NODE_MODULES$1, NPM: NPM$5, shadowBinPath } = constants
+function findBinPathDetailsSync(binName) {
+  const binPaths =
+    vendor.libExports$1.sync(binName, {
+      all: true,
+      nothrow: true
+    }) ?? []
+  let shadowIndex = -1
+  let theBinPath
+  for (let i = 0, { length } = binPaths; i < length; i += 1) {
+    const binPath = binPaths[i]
+    // Skip our bin directory if it's in the front.
+    if (path.dirname(binPath) === shadowBinPath) {
+      shadowIndex = i
+    } else {
+      theBinPath = npm.resolveBinPath(binPath)
+      break
+    }
+  }
+  return {
+    name: binName,
+    path: theBinPath,
+    shadowed: shadowIndex !== -1
+  }
+}
+function findNpmPathSync(npmBinPath) {
+  // Lazily access constants.WIN32.
+  const { WIN32 } = constants
+  let thePath = npmBinPath
+  while (true) {
+    const libNmNpmPath = path.join(thePath, 'lib', NODE_MODULES$1, NPM$5)
+    // mise puts its npm bin in a path like:
+    //   /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/bin/npm.
+    // HOWEVER, the location of the npm install is:
+    //   /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/lib/node_modules/npm.
+    if (
+      // Use existsSync here because statsSync, even with { throwIfNoEntry: false },
+      // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.
+      // See https://github.com/nodejs/node/issues/56993.
+      fs.existsSync(libNmNpmPath) &&
+      fs
+        .statSync(libNmNpmPath, {
+          throwIfNoEntry: false
+        })
+        ?.isDirectory()
+    ) {
+      thePath = path.join(libNmNpmPath, NPM$5)
+    }
+    const nmPath = path.join(thePath, NODE_MODULES$1)
+    if (
+      // npm bin paths may look like:
+      //   /usr/local/share/npm/bin/npm
+      //   /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm
+      //   C:\Users\SomeUsername\AppData\Roaming\npm\bin\npm.cmd
+      // OR
+      //   C:\Program Files\nodejs\npm.cmd
+      //
+      // In practically all cases the npm path contains a node_modules folder:
+      //   /usr/local/share/npm/bin/npm/node_modules
+      //   C:\Program Files\nodejs\node_modules
+      fs.existsSync(nmPath) &&
+      fs
+        .statSync(nmPath, {
+          throwIfNoEntry: false
+        })
+        ?.isDirectory() &&
+      // Optimistically look for the default location.
+      (path.basename(thePath) === NPM$5 ||
+        // Chocolatey installs npm bins in the same directory as node bins.
+        (WIN32 && fs.existsSync(path.join(thePath, `${NPM$5}.cmd`))))
+    ) {
+      return thePath
+    }
+    const parent = path.dirname(thePath)
+    if (parent === thePath) {
+      return undefined
+    }
+    thePath = parent
+  }
+}
+async function getPackageFilesForScan(cwd, inputPaths, supportedFiles, config) {
+  debug.debugLog(
+    `getPackageFilesForScan: resolving ${inputPaths.length} paths:\n`,
+    inputPaths
+  )
+
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  const patterns = pathsToGlobPatterns(inputPaths)
+  spinner.start('Searching for local files to include in scan...')
+  const entries = await globWithGitIgnore(patterns, {
+    cwd,
+    socketConfig: config
+  })
+  if (debug.isDebug()) {
+    spinner.stop()
+    debug.debugLog(
+      `Resolved ${inputPaths.length} paths to ${entries.length} local paths:\n`,
+      entries
+    )
+    spinner.start('Searching for files now...')
+  } else {
+    spinner.start(
+      `Resolved ${inputPaths.length} paths to ${entries.length} local paths, searching for files now...`
+    )
+  }
+  const packageFiles = await filterGlobResultToSupportedFiles(
+    entries,
+    supportedFiles
+  )
+  spinner.successAndStop(
+    `Found ${packageFiles.length} local ${words.pluralize('file', packageFiles.length)}`
+  )
+  debug.debugLog('Absolute paths:\n', packageFiles)
+  return packageFiles
+}
+
+const { NODE_MODULES, NPM: NPM$4, NPX, SOCKET_CLI_ISSUES_URL } = constants
+function exitWithBinPathError(binName) {
+  logger.logger.fail(
+    `Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`
+  )
+  // The exit code 127 indicates that the command or binary being executed
+  // could not be found.
+  // eslint-disable-next-line n/no-process-exit
+  process.exit(127)
+}
+let _npmBinPathDetails
+function getNpmBinPathDetails() {
+  if (_npmBinPathDetails === undefined) {
+    _npmBinPathDetails = findBinPathDetailsSync(NPM$4)
+  }
+  return _npmBinPathDetails
+}
+let _npxBinPathDetails
+function getNpxBinPathDetails() {
+  if (_npxBinPathDetails === undefined) {
+    _npxBinPathDetails = findBinPathDetailsSync(NPX)
+  }
+  return _npxBinPathDetails
+}
+function isNpmBinPathShadowed() {
+  return getNpmBinPathDetails().shadowed
+}
+function isNpxBinPathShadowed() {
+  return getNpxBinPathDetails().shadowed
+}
+let _npmBinPath
+function getNpmBinPath() {
+  if (_npmBinPath === undefined) {
+    _npmBinPath = getNpmBinPathDetails().path
+    if (!_npmBinPath) {
+      exitWithBinPathError(NPM$4)
+    }
+  }
+  return _npmBinPath
+}
+let _npmPath
+function getNpmPath() {
+  if (_npmPath === undefined) {
+    const npmBinPath = getNpmBinPath()
+    _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined
+    if (!_npmPath) {
+      let message = 'Unable to find npm CLI install directory.'
+      if (npmBinPath) {
+        message += `\nSearched parent directories of ${path.dirname(npmBinPath)}.`
+      }
+      message += `\n\nThis is may be a bug with socket-npm related to changes to the npm CLI.\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`
+      logger.logger.fail(message)
+      // The exit code 127 indicates that the command or binary being executed
+      // could not be found.
+      // eslint-disable-next-line n/no-process-exit
+      process.exit(127)
+    }
+  }
+  return _npmPath
+}
+let _npmRequire
+function getNpmRequire() {
+  if (_npmRequire === undefined) {
+    const npmPath = getNpmPath()
+    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM$4)
+    _npmRequire = Module.createRequire(
+      path.join(
+        fs.existsSync(npmNmPath) ? npmNmPath : npmPath,
+        '<dummy-basename>'
+      )
+    )
+  }
+  return _npmRequire
+}
+let _npxBinPath
+function getNpxBinPath() {
+  if (_npxBinPath === undefined) {
+    _npxBinPath = getNpxBinPathDetails().path
+    if (!_npxBinPath) {
+      exitWithBinPathError(NPX)
+    }
+  }
+  return _npxBinPath
+}
+
+const helpFlags = new Set(['--help', '-h'])
+function cmdFlagsToString(args) {
+  const result = []
+  for (let i = 0, { length } = args; i < length; i += 1) {
+    if (args[i].startsWith('--')) {
+      // Check if the next item exists and is NOT another flag.
+      if (i + 1 < length && !args[i + 1].startsWith('--')) {
+        result.push(`${args[i]}=${args[i + 1]}`)
+        i += 1
+      } else {
+        result.push(args[i])
+      }
+    }
+  }
+  return result.join(' ')
+}
+function cmdPrefixMessage(cmdName, text) {
+  const cmdPrefix = cmdName ? `${cmdName}: ` : ''
+  return `${cmdPrefix}${text}`
+}
+function isHelpFlag(cmdArg) {
+  return helpFlags.has(cmdArg)
+}
+
+function getPkgFullNameFromPurlObj(purlObj) {
+  const { name, namespace } = purlObj
+  return namespace
+    ? `${namespace}${purlObj.type === 'maven' ? ':' : '/'}${name}`
+    : name
+}
+function getSocketDevAlertUrl(alertType) {
+  return `https://socket.dev/alerts/${alertType}`
+}
+function getSocketDevPackageOverviewUrlFromPurl(purlObj) {
+  const fullName = getPkgFullNameFromPurlObj(purlObj)
+  return getSocketDevPackageOverviewUrl(purlObj.type, fullName, purlObj.version)
+}
+function getSocketDevPackageOverviewUrl(ecosystem, fullName, version) {
+  if (ecosystem === 'go') {
+    return `https://socket.dev/go/package/${fullName}${version ? `?section=overview&version=${version}` : ''}`
+  } else {
+    return `https://socket.dev/${ecosystem}/package/${fullName}${version ? `/overview/${version}` : ''}`
+  }
+}
+
+/**
+ * Convert a Map<string, Map|string> to a nested object of similar shape.
+ * The goal is to serialize it with JSON.stringify, which Map can't do.
+ */
+function mapToObject(map) {
+  return Object.fromEntries(
+    Array.from(map.entries()).map(([k, v]) => [
+      k,
+      v instanceof Map ? mapToObject(v) : v
+    ])
+  )
+}
+
+function* walkNestedMap(map, keys = []) {
+  for (const [key, value] of map.entries()) {
+    if (value instanceof Map) {
+      yield* walkNestedMap(value, keys.concat(key))
+    } else {
+      yield {
+        keys: keys.concat(key),
+        value: value
+      }
+    }
+  }
+}
+
+const {
+  ALERT_TYPE_CRITICAL_CVE,
+  ALERT_TYPE_CVE,
+  ALERT_TYPE_MEDIUM_CVE,
+  ALERT_TYPE_MILD_CVE
+} = constants
+function isArtifactAlertCve(alert) {
+  const { type } = alert
+  return (
+    type === ALERT_TYPE_CVE ||
+    type === ALERT_TYPE_MEDIUM_CVE ||
+    type === ALERT_TYPE_MILD_CVE ||
+    type === ALERT_TYPE_CRITICAL_CVE
+  )
+}
+
+function createEnum(obj) {
+  return Object.freeze({
+    __proto__: null,
+    ...obj
+  })
+}
+function pick(input, keys) {
+  const result = {}
+  for (const key of keys) {
+    result[key] = input[key]
+  }
+  return result
+}
+
+const ALERT_FIX_TYPE = createEnum({
+  cve: 'cve',
+  remove: 'remove',
+  upgrade: 'upgrade'
+})
+
+function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
+  const values = list.filter(Boolean)
+  const { length } = values
+  if (!length) {
+    return ''
+  }
+  if (length === 1) {
+    return values[0]
+  }
+  const finalValue = values.pop()
+  return `${values.join(', ')}${separator}${finalValue}`
+}
+
+const ALERT_SEVERITY = createEnum({
+  critical: 'critical',
+  high: 'high',
+  middle: 'middle',
+  low: 'low'
+})
+// Ordered from most severe to least.
+const ALERT_SEVERITIES_SORTED = Object.freeze([
+  'critical',
+  'high',
+  'middle',
+  'low'
+])
+function getDesiredSeverities(lowestToInclude) {
+  const result = []
+  for (const severity of ALERT_SEVERITIES_SORTED) {
+    result.push(severity)
+    if (severity === lowestToInclude) {
+      break
+    }
+  }
+  return result
+}
+function formatSeverityCount(severityCount) {
+  const summary = []
+  for (const severity of ALERT_SEVERITIES_SORTED) {
+    if (severityCount[severity]) {
+      summary.push(`${severityCount[severity]} ${severity}`)
+    }
+  }
+  return stringJoinWithSeparateFinalSeparator(summary)
+}
+function getSeverityCount(issues, lowestToInclude) {
+  const severityCount = pick(
+    {
+      low: 0,
+      middle: 0,
+      high: 0,
+      critical: 0
+    },
+    getDesiredSeverities(lowestToInclude)
+  )
+  for (const issue of issues) {
+    const { value } = issue
+    if (!value) {
+      continue
+    }
+    const { severity } = value
+    if (severityCount[severity] !== undefined) {
+      severityCount[severity] += 1
+    }
+  }
+  return severityCount
+}
+
+class ColorOrMarkdown {
+  constructor(useMarkdown) {
+    this.useMarkdown = !!useMarkdown
+  }
+  bold(text) {
+    return this.useMarkdown
+      ? `**${text}**`
+      : vendor.yoctocolorsCjsExports.bold(`${text}`)
+  }
+  header(text, level = 1) {
+    return this.useMarkdown
+      ? `\n${''.padStart(level, '#')} ${text}\n`
+      : vendor.yoctocolorsCjsExports.underline(
+          `\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`
+        )
+  }
+  hyperlink(text, url, { fallback = true, fallbackToUrl } = {}) {
+    if (url) {
+      return this.useMarkdown
+        ? `[${text}](${url})`
+        : vendor.terminalLinkExports(text, url, {
+            fallback: fallbackToUrl ? (_text, url) => url : fallback
+          })
+    }
+    return text
+  }
+  indent(...args) {
+    return vendor.indentStringExports(...args)
+  }
+  italic(text) {
+    return this.useMarkdown
+      ? `_${text}_`
+      : vendor.yoctocolorsCjsExports.italic(`${text}`)
+  }
+  json(value) {
+    return this.useMarkdown
+      ? '```json\n' + JSON.stringify(value) + '\n```'
+      : JSON.stringify(value)
+  }
+  list(items) {
+    const indentedContent = items.map(item => this.indent(item).trimStart())
+    return this.useMarkdown
+      ? `* ${indentedContent.join('\n* ')}\n`
+      : `${indentedContent.join('\n')}\n`
+  }
+}
+
+const require$1 = Module.createRequire(
+  require('u' + 'rl').pathToFileURL(__filename).href
+)
+let _translations
+function getTranslations() {
+  if (_translations === undefined) {
+    _translations = require$1(
+      // Lazily access constants.rootPath.
+      path.join(constants.rootPath, 'translations.json')
+    )
+  }
+  return _translations
+}
+
+function idToPurl(id) {
+  return `pkg:npm/${id}`
+}
+function resolvePackageVersion(purlObj) {
+  const { version } = purlObj
+  return version
+    ? (vendor.semverExports.coerce(stripPeerSuffix(version))?.version ?? '')
+    : ''
+}
+function stripLeadingSlash(path) {
+  return path.startsWith('/') ? path.slice(1) : path
+}
+function stripPeerSuffix(depPath) {
+  const idx = depPath.indexOf('(')
+  return idx === -1 ? depPath : depPath.slice(0, idx)
+}
+
+const ALERT_SEVERITY_COLOR = createEnum({
+  critical: 'magenta',
+  high: 'red',
+  middle: 'yellow',
+  low: 'white'
+})
+const ALERT_SEVERITY_ORDER = createEnum({
+  critical: 0,
+  high: 1,
+  middle: 2,
+  low: 3,
+  none: 4
+})
+const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM: NPM$3 } =
+  constants
+const MIN_ABOVE_THE_FOLD_COUNT = 3
+const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1
+const format = new ColorOrMarkdown(false)
+function alertsHaveBlocked(alerts) {
+  return alerts.find(a => a.blocked) !== undefined
+}
+function alertsHaveSeverity(alerts, severity) {
+  return alerts.find(a => a.raw.severity === severity) !== undefined
+}
+function alertSeverityComparator(a, b) {
+  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b)
+}
+function getAlertSeverityOrder(alert) {
+  const { severity } = alert.raw
+  return severity === ALERT_SEVERITY.critical
+    ? 0
+    : severity === ALERT_SEVERITY.high
+      ? 1
+      : severity === ALERT_SEVERITY.middle
+        ? 2
+        : severity === ALERT_SEVERITY.low
+          ? 3
+          : 4
+}
+function getAlertsSeverityOrder(alerts) {
+  return alertsHaveBlocked(alerts) ||
+    alertsHaveSeverity(alerts, ALERT_SEVERITY.critical)
+    ? 0
+    : alertsHaveSeverity(alerts, ALERT_SEVERITY.high)
+      ? 1
+      : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle)
+        ? 2
+        : alertsHaveSeverity(alerts, ALERT_SEVERITY.low)
+          ? 3
+          : 4
+}
+function getHiddenRiskCounts(hiddenAlerts) {
+  const riskCounts = {
+    critical: 0,
+    high: 0,
+    middle: 0,
+    low: 0
+  }
+  for (const alert of hiddenAlerts) {
+    switch (getAlertSeverityOrder(alert)) {
+      case ALERT_SEVERITY_ORDER.critical:
+        riskCounts.critical += 1
+        break
+      case ALERT_SEVERITY_ORDER.high:
+        riskCounts.high += 1
+        break
+      case ALERT_SEVERITY_ORDER.middle:
+        riskCounts.middle += 1
+        break
+      case ALERT_SEVERITY_ORDER.low:
+        riskCounts.low += 1
+        break
+    }
+  }
+  return riskCounts
+}
+function getHiddenRisksDescription(riskCounts) {
+  const descriptions = []
+  if (riskCounts.critical) {
+    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`)
+  }
+  if (riskCounts.high) {
+    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`)
+  }
+  if (riskCounts.middle) {
+    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`)
+  }
+  if (riskCounts.low) {
+    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`)
+  }
+  return `(${descriptions.join('; ')})`
+}
+function getSeverityLabel(severity) {
+  return severity === 'middle' ? 'moderate' : severity
+}
+async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
+  // Make TypeScript happy.
+  if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
+    return alertsByPkgId
+  }
+  const {
+    consolidate = false,
+    include: _include,
+    overrides
+  } = {
+    __proto__: null,
+    ...options
+  }
+  const include = {
+    __proto__: null,
+    blocked: true,
+    critical: true,
+    cve: true,
+    unfixable: true,
+    upgradable: false,
+    ..._include
+  }
+  const name = packages.resolvePackageName(artifact)
+  const { version } = artifact
+  const pkgId = `${name}@${version}`
+  const major = vendor.semverExports.major(version)
+  const socketYml = findSocketYmlSync()
+  const enabledState = {
+    __proto__: null,
+    ...socketYml?.parsed.issueRules
+  }
+  let sockPkgAlerts = []
+  for (const alert of artifact.alerts) {
+    const action = alert.action ?? ''
+    const enabledFlag = enabledState[alert.type]
+    if (
+      (action === 'ignore' && enabledFlag !== true) ||
+      enabledFlag === false
+    ) {
+      continue
+    }
+    const blocked = action === 'error'
+    const critical = alert.severity === ALERT_SEVERITY.critical
+    const cve = isArtifactAlertCve(alert)
+    const fixType = alert.fix?.type ?? ''
+    const fixableCve = fixType === ALERT_FIX_TYPE.cve
+    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade
+    const fixable = fixableCve || fixableUpgrade
+    const upgradable = fixableUpgrade && !objects.hasOwn(overrides, name)
+    if (
+      (include.blocked && blocked) ||
+      (include.critical && critical) ||
+      (include.cve && cve) ||
+      (include.unfixable && !fixable) ||
+      (include.upgradable && upgradable)
+    ) {
+      sockPkgAlerts.push({
+        name,
+        version,
+        key: alert.key,
+        type: alert.type,
+        blocked,
+        critical,
+        fixable,
+        raw: alert,
+        upgradable
+      })
+    }
+  }
+  if (!sockPkgAlerts.length) {
+    return alertsByPkgId
+  }
+  if (consolidate) {
+    const highestForCve = new Map()
+    const highestForUpgrade = new Map()
+    const unfixableAlerts = []
+    for (const sockPkgAlert of sockPkgAlerts) {
+      const alert = sockPkgAlert.raw
+      const fixType = alert.fix?.type ?? ''
+      if (fixType === ALERT_FIX_TYPE.cve) {
+        const patchedVersion =
+          alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER]
+        const patchedMajor = vendor.semverExports.major(patchedVersion)
+        const oldHighest = highestForCve.get(patchedMajor)
+        const highest = oldHighest?.version ?? '0.0.0'
+        if (vendor.semverExports.gt(patchedVersion, highest)) {
+          highestForCve.set(patchedMajor, {
+            alert: sockPkgAlert,
+            version: patchedVersion
+          })
+        }
+      } else if (fixType === ALERT_FIX_TYPE.upgrade) {
+        const oldHighest = highestForUpgrade.get(major)
+        const highest = oldHighest?.version ?? '0.0.0'
+        if (vendor.semverExports.gt(version, highest)) {
+          highestForUpgrade.set(major, {
+            alert: sockPkgAlert,
+            version
+          })
+        }
+      } else {
+        unfixableAlerts.push(sockPkgAlert)
+      }
+    }
+    sockPkgAlerts = [
+      ...unfixableAlerts,
+      ...[...highestForCve.values()].map(d => d.alert),
+      ...[...highestForUpgrade.values()].map(d => d.alert)
+    ]
+  }
+  if (sockPkgAlerts.length) {
+    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type))
+    alertsByPkgId.set(pkgId, sockPkgAlerts)
+  }
+  return alertsByPkgId
+}
+function getCveInfoByAlertsMap(alertsMap, options) {
+  const { exclude: _exclude, limit = Infinity } = {
+    __proto__: null,
+    ...options
+  }
+  const exclude = {
+    __proto__: null,
+    upgradable: true,
+    ..._exclude
+  }
+  let count = 0
+  let infoByPkg = null
+  alertsMapLoop: for (const [pkgId, sockPkgAlerts] of alertsMap) {
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
+      idToPurl(pkgId)
+    )
+    const name = packages.resolvePackageName(purlObj)
+    for (const sockPkgAlert of sockPkgAlerts) {
+      const alert = sockPkgAlert.raw
+      if (
+        alert.fix?.type !== ALERT_FIX_TYPE.cve ||
+        (exclude.upgradable && registry.getManifestData(NPM$3, name))
+      ) {
+        continue
+      }
+      if (!infoByPkg) {
+        infoByPkg = new Map()
+      }
+      let infos = infoByPkg.get(name)
+      if (!infos) {
+        infos = []
+        infoByPkg.set(name, infos)
+      }
+      const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
+        alert.props
+      try {
+        infos.push({
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange: new vendor.semverExports.Range(
+            // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
+            // semver.Range will parse it without erroring.
+            vulnerableVersionRange.replace(/, +/g, ' ')
+          ).format()
+        })
+        if (++count >= limit) {
+          break alertsMapLoop
+        }
+      } catch (e) {
+        debug.debugLog('getCveInfoByAlertsMap', {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        })
+        debug.debugLog(e)
+      }
+    }
+  }
+  return infoByPkg
+}
+function logAlertsMap(alertsMap, options) {
+  const { hideAt = 'middle', output = process.stderr } = {
+    __proto__: null,
+    ...options
+  }
+  const translations = getTranslations()
+  const sortedEntries = [...alertsMap.entries()].sort(
+    (a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1])
+  )
+  const aboveTheFoldPkgIds = new Set()
+  const viewableAlertsByPkgId = new Map()
+  const hiddenAlertsByPkgId = new Map()
+  for (let i = 0, { length } = sortedEntries; i < length; i += 1) {
+    const { 0: pkgId, 1: alerts } = sortedEntries[i]
+    const hiddenAlerts = []
+    const viewableAlerts = alerts.filter(a => {
+      const keep =
+        a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt]
+      if (!keep) {
+        hiddenAlerts.push(a)
+      }
+      return keep
+    })
+    if (hiddenAlerts.length) {
+      hiddenAlertsByPkgId.set(pkgId, hiddenAlerts.sort(alertSeverityComparator))
+    }
+    if (!viewableAlerts.length) {
+      continue
+    }
+    viewableAlerts.sort(alertSeverityComparator)
+    viewableAlertsByPkgId.set(pkgId, viewableAlerts)
+    if (
+      viewableAlerts.find(
+        a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle
+      )
+    ) {
+      aboveTheFoldPkgIds.add(pkgId)
+    }
+  }
+
+  // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
+  for (const { 0: pkgId } of viewableAlertsByPkgId.entries()) {
+    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+      break
+    }
+    aboveTheFoldPkgIds.add(pkgId)
+  }
+  // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
+  for (const { 0: pkgId, 1: hiddenAlerts } of hiddenAlertsByPkgId.entries()) {
+    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+      break
+    }
+    aboveTheFoldPkgIds.add(pkgId)
+    const viewableAlerts = viewableAlertsByPkgId.get(pkgId) ?? []
+    if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
+      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length
+      let removedHiddenAlerts
+      if (hiddenAlerts.length - neededCount > 0) {
+        removedHiddenAlerts = hiddenAlerts.splice(
+          0,
+          MIN_ABOVE_THE_FOLD_ALERT_COUNT
+        )
+      } else {
+        removedHiddenAlerts = hiddenAlerts
+        hiddenAlertsByPkgId.delete(pkgId)
+      }
+      viewableAlertsByPkgId.set(pkgId, [
+        ...viewableAlerts,
+        ...removedHiddenAlerts
+      ])
+    }
+  }
+  const mentionedPkgIdsWithHiddenAlerts = new Set()
+  for (
+    let i = 0,
+      prevAboveTheFold = true,
+      entries = [...viewableAlertsByPkgId.entries()],
+      { length } = entries;
+    i < length;
+    i += 1
+  ) {
+    const { 0: pkgId, 1: alerts } = entries[i]
+    const lines = new Set()
+    for (const alert of alerts) {
+      const { type } = alert
+      const severity = alert.raw.severity ?? ''
+      const attributes = [
+        ...(severity
+          ? [
+              vendor.yoctocolorsCjsExports[ALERT_SEVERITY_COLOR[severity]](
+                getSeverityLabel(severity)
+              )
+            ]
+          : []),
+        ...(alert.blocked
+          ? [
+              vendor.yoctocolorsCjsExports.bold(
+                vendor.yoctocolorsCjsExports.red('blocked')
+              )
+            ]
+          : []),
+        ...(alert.fixable ? ['fixable'] : [])
+      ]
+      const maybeAttributes = attributes.length
+        ? ` ${vendor.yoctocolorsCjsExports.italic(`(${attributes.join('; ')})`)}`
+        : ''
+      // Based data from { pageProps: { alertTypes } } of:
+      // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
+      const info = translations.alerts[type]
+      const title = info?.title ?? type
+      const maybeDesc = info?.description ? ` - ${info.description}` : ''
+      const content = `${title}${maybeAttributes}${maybeDesc}`
+      // TODO: emoji seems to mis-align terminals sometimes
+      lines.add(`  ${content}`)
+    }
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
+      idToPurl(pkgId)
+    )
+    const hyperlink = format.hyperlink(
+      pkgId,
+      getSocketDevPackageOverviewUrl(
+        NPM$3,
+        packages.resolvePackageName(purlObj),
+        purlObj.version
+      )
+    )
+    const isAboveTheFold = aboveTheFoldPkgIds.has(pkgId)
+    if (isAboveTheFold) {
+      aboveTheFoldPkgIds.add(pkgId)
+      output.write(`${i ? '\n' : ''}${hyperlink}:\n`)
+    } else {
+      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`)
+    }
+    for (const line of lines) {
+      output.write(`${line}\n`)
+    }
+    const hiddenAlerts = hiddenAlertsByPkgId.get(pkgId) ?? []
+    const { length: hiddenAlertsCount } = hiddenAlerts
+    if (hiddenAlertsCount) {
+      mentionedPkgIdsWithHiddenAlerts.add(pkgId)
+      if (hiddenAlertsCount === 1) {
+        output.write(
+          `  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`
+        )
+      } else {
+        output.write(
+          `  ${vendor.yoctocolorsCjsExports.dim(`+${hiddenAlertsCount} Hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`
+        )
+      }
+    }
+    prevAboveTheFold = isAboveTheFold
+  }
+  const additionalHiddenCount =
+    hiddenAlertsByPkgId.size - mentionedPkgIdsWithHiddenAlerts.size
+  if (additionalHiddenCount) {
+    const totalRiskCounts = {
+      critical: 0,
+      high: 0,
+      middle: 0,
+      low: 0
+    }
+    for (const { 0: pkgId, 1: alerts } of hiddenAlertsByPkgId.entries()) {
+      if (mentionedPkgIdsWithHiddenAlerts.has(pkgId)) {
+        continue
+      }
+      const riskCounts = getHiddenRiskCounts(alerts)
+      totalRiskCounts.critical += riskCounts.critical
+      totalRiskCounts.high += riskCounts.high
+      totalRiskCounts.middle += riskCounts.middle
+      totalRiskCounts.low += riskCounts.low
+    }
+    output.write(
+      `${aboveTheFoldPkgIds.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPkgIds.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`
+    )
+  }
+  output.write('\n')
+}
+
+const RangeStyles = ['caret', 'gt', 'lt', 'pin', 'preserve', 'tilde']
+function applyRange(refRange, version, style = 'preserve') {
+  switch (style) {
+    case 'caret':
+      return `^${version}`
+    case 'gt':
+      return `>${version}`
+    case 'gte':
+      return `>=${version}`
+    case 'lt':
+      return `<${version}`
+    case 'lte':
+      return `<=${version}`
+    case 'preserve': {
+      const range = new vendor.semverExports.Range(refRange)
+      const { raw } = range
+      const comparators = [...range.set].flat()
+      const { length } = comparators
+      if (length === 1) {
+        const char = /^[<>]=?/.exec(raw)?.[0]
+        if (char) {
+          return `${char}${version}`
+        }
+      } else if (length === 2) {
+        const char = /^[~^]/.exec(raw)?.[0]
+        if (char) {
+          return `${char}${version}`
+        }
+      }
+      return version
+    }
+    case 'tilde':
+      return `~${version}`
+    case 'pin':
+    default:
+      return version
+  }
+}
+function getMajor(version) {
+  const coerced = vendor.semverExports.coerce(version)
+  if (coerced) {
+    try {
+      return vendor.semverExports.major(coerced)
+    } catch (e) {
+      debug.debugLog(`Error parsing '${version}':\n`, e)
+    }
+  }
+  return null
+}
+
+function extractPurlsFromPnpmLockfileV6(lockfile) {
+  const deps = new Set()
+  for (const importer of Object.values(lockfile.importers || {})) {
+    if (importer.dependencies) {
+      for (const { 0: alias, 1: ref } of Object.entries(
+        importer.dependencies
+      )) {
+        const id = resolvePnpmPackageId(alias, ref)
+        if (id) {
+          deps.add(idToPurl(id))
+        }
+      }
+    }
+    if (importer.devDependencies) {
+      for (const { 0: alias, 1: ref } of Object.entries(
+        importer.devDependencies
+      )) {
+        const id = resolvePnpmPackageId(alias, ref)
+        if (id) {
+          deps.add(idToPurl(id))
+        }
+      }
+    }
+    if (importer.optionalDependencies) {
+      for (const { 0: alias, 1: ref } of Object.entries(
+        importer.optionalDependencies
+      )) {
+        const id = resolvePnpmPackageId(alias, ref)
+        if (id) {
+          deps.add(idToPurl(id))
+        }
+      }
+    }
+  }
+  if (lockfile.packages) {
+    for (const pkgPath of Object.keys(lockfile.packages)) {
+      const id = resolvePnpmPackageIdFromPath(pkgPath, '')
+      if (id) {
+        deps.add(idToPurl(id))
+      }
+    }
+  }
+  return Array.from(deps)
+}
+function extractPurlsFromPnpmLockfileV9(lockfile) {
+  const depTypes = vendor.libExports$2.detectDepTypes(lockfile)
+  return Object.keys(depTypes).map(refId => {
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
+      idToPurl(refId)
+    )
+    const name = packages.resolvePackageName(purlObj)
+    const version = resolvePackageVersion(purlObj)
+    return idToPurl(`${name}@${version}`)
+  })
+}
+function extractPurlsFromPnpmLockfile(lockfile) {
+  return parsePnpmLockfileVersion(lockfile.lockfileVersion).major <= 6
+    ? extractPurlsFromPnpmLockfileV6(lockfile)
+    : extractPurlsFromPnpmLockfileV9(lockfile)
+}
+function parsePnpmLockfileVersion(version) {
+  return vendor.semverExports.coerce(version)
+}
+function resolvePnpmPackageId(alias, ref) {
+  return ref.startsWith('/')
+    ? resolvePnpmPackageIdFromPath(ref, alias)
+    : `${alias}@${stripPeerSuffix(ref)}`
+}
+function resolvePnpmPackageIdFromPath(ref, alias) {
+  const relative = vendor.libExports$3.refToRelative(ref, alias)
+  if (relative) {
+    const id = stripLeadingSlash(relative)
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
+      idToPurl(id)
+    )
+    const name = packages.resolvePackageName(purlObj)
+    const version = resolvePackageVersion(purlObj)
+    return `${name}@${version}`
+  }
+  return null
+}
+
+async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
+  const options = {
+    __proto__: null,
+    consolidate: false,
+    limit: Infinity,
+    nothrow: false,
+    ...options_
+  }
+  const purls = extractPurlsFromPnpmLockfile(lockfile)
+  return await getAlertsMapFromPurls(purls, {
+    overrides: lockfile.overrides,
+    ...options
+  })
+}
+async function getAlertsMapFromPurls(purls, options_) {
+  const options = {
+    __proto__: null,
+    consolidate: false,
+    nothrow: false,
+    ...options_
+  }
+  const include = {
+    __proto__: null,
+    actions: undefined,
+    blocked: true,
+    critical: true,
+    cve: true,
+    existing: false,
+    unfixable: true,
+    upgradable: false,
+    ...options.include
+  }
+  const { spinner } = options
+  const uniqPurls = arrays.arrayUnique(purls)
+  let { length: remaining } = uniqPurls
+  const alertsByPkgId = new Map()
+  if (!remaining) {
+    return alertsByPkgId
+  }
+  const getText = () => `Looking up data for ${remaining} packages`
+  spinner?.start(getText())
+  const sockSdkResult = await setupSdk(getPublicToken())
+  if (!sockSdkResult.ok) {
+    throw new Error('Auth error: Try to run `socket login` first')
+  }
+  const sockSdk = sockSdkResult.data
+  const toAlertsMapOptions = {
+    overrides: options.overrides,
+    consolidate: options.consolidate,
+    include,
+    spinner
+  }
+  for await (const batchResult of sockSdk.batchPackageStream(
+    {
+      alerts: 'true',
+      compact: 'true',
+      ...(include.actions
+        ? {
+            actions: include.actions.join(',')
+          }
+        : {}),
+      ...(include.unfixable
+        ? {}
+        : {
+            fixable: 'true'
+          })
+    },
+    {
+      components: uniqPurls.map(purl => ({
+        purl
+      }))
+    }
+  )) {
+    if (batchResult.success) {
+      await addArtifactToAlertsMap(
+        batchResult.data,
+        alertsByPkgId,
+        toAlertsMapOptions
+      )
+    } else if (!options.nothrow) {
+      const statusCode = batchResult.status ?? 'unknown'
+      const statusMessage = batchResult.error ?? 'No status message'
+      throw new Error(
+        `Socket API server error (${statusCode}): ${statusMessage}`
+      )
+    }
+    remaining -= 1
+    if (spinner && remaining > 0) {
+      spinner.start()
+      spinner.setText(getText())
+    }
+  }
+  spinner?.stop()
+  return alertsByPkgId
+}
+
+const {
+  NPM: NPM$2,
+  SOCKET_CLI_SAFE_BIN,
+  SOCKET_CLI_SAFE_PROGRESS,
+  SOCKET_IPC_HANDSHAKE
+} = constants
+function safeNpmInstall(options) {
+  const {
+    agentExecPath = getNpmBinPath(),
+    args = [],
+    ipc,
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  }
+  let stdio = spawnOptions.stdio
+  const useIpc = objects.isObject(ipc)
+  // Include 'ipc' in the spawnOptions.stdio when an options.ipc object is provided.
+  // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
+  // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
+  if (typeof stdio === 'string') {
+    stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio]
+  } else if (useIpc && Array.isArray(stdio) && !stdio.includes('ipc')) {
+    stdio = stdio.concat('ipc')
+  }
+  const useDebug = debug.isDebug()
+  const terminatorPos = args.indexOf('--')
+  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)
+  const progressArg =
+    rawBinArgs.findLast(npm.isProgressFlag) !== '--no-progress'
+  const binArgs = rawBinArgs.filter(
+    a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a)
+  )
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)
+  const isSilent = !useDebug && !binArgs.some(npm.isLoglevelFlag)
+  const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : []
+  const spawnPromise = spawn.spawn(
+    // Lazily access constants.execPath.
+    constants.execPath,
+    [
+      // Lazily access constants.nodeHardenFlags.
+      ...constants.nodeHardenFlags,
+      // Lazily access constants.nodeNoWarningsFlags.
+      ...constants.nodeNoWarningsFlags,
+      // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.
+      ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD
+        ? [
+            '--require',
+            // Lazily access constants.distInstrumentWithSentryPath.
+            constants.distInstrumentWithSentryPath
+          ]
+        : []),
+      '--require',
+      // Lazily access constants.distShadowNpmInjectPath.
+      constants.distShadowNpmInjectPath,
+      npm.realExecPathSync(agentExecPath),
+      'install',
+      // Avoid code paths for 'audit' and 'fund'.
+      '--no-audit',
+      '--no-fund',
+      // Add '--no-progress' to fix input being swallowed by the npm spinner.
+      '--no-progress',
+      // Add '--loglevel=silent' if a loglevel flag is not provided and the
+      // SOCKET_CLI_DEBUG environment variable is not truthy.
+      ...logLevelArgs,
+      ...binArgs,
+      ...otherArgs
+    ],
+    {
+      spinner,
+      ...spawnOptions,
+      stdio,
+      env: {
+        ...process.env,
+        ...spawnOptions.env
+      }
+    }
+  )
+  if (useIpc) {
+    spawnPromise.process.send({
+      [SOCKET_IPC_HANDSHAKE]: {
+        [SOCKET_CLI_SAFE_BIN]: NPM$2,
+        [SOCKET_CLI_SAFE_PROGRESS]: progressArg,
+        ...ipc
+      }
+    })
+  }
+  return spawnPromise
+}
+
+const { NPM: NPM$1, PNPM: PNPM$1 } = constants
+function runAgentInstall(pkgEnvDetails, options) {
+  const { agent, agentExecPath } = pkgEnvDetails
+  // All package managers support the "install" command.
+  if (agent === NPM$1) {
+    return safeNpmInstall({
+      agentExecPath,
+      ...options
+    })
+  }
+  const {
+    args = [],
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  }
+  const skipNodeHardenFlags =
+    agent === PNPM$1 && pkgEnvDetails.agentVersion.major < 11
+  return spawn.spawn(agentExecPath, ['install', ...args], {
+    // Lazily access constants.WIN32.
+    shell: constants.WIN32,
+    spinner,
+    stdio: 'inherit',
+    ...spawnOptions,
+    env: {
+      ...process.env,
+      NODE_OPTIONS: cmdFlagsToString([
+        ...(skipNodeHardenFlags
+          ? []
+          : // Lazily access constants.nodeHardenFlags.
+            constants.nodeHardenFlags),
+        // Lazily access constants.nodeNoWarningsFlags.
+        ...constants.nodeNoWarningsFlags
+      ]),
+      ...spawnOptions.env
+    }
+  })
+}
+
+const {
+  BINARY_LOCK_EXT,
+  BUN,
+  HIDDEN_PACKAGE_LOCK_JSON,
+  LOCK_EXT,
+  NPM,
+  NPM_BUGGY_OVERRIDES_PATCHED_VERSION,
+  PACKAGE_JSON,
+  PNPM,
+  VLT,
+  YARN,
+  YARN_BERRY,
+  YARN_CLASSIC
+} = constants
+const AGENTS = new Set([BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT])
+const binByAgent = new Map([
+  [BUN, BUN],
+  [NPM, NPM],
+  [PNPM, PNPM],
+  [YARN_BERRY, YARN],
+  [YARN_CLASSIC, YARN],
+  [VLT, VLT]
+])
+async function getAgentExecPath(agent) {
+  const binName = binByAgent.get(agent)
+  if (binName === NPM) {
+    // Lazily access constants.npmExecPath.
+    return constants.npmExecPath
+  }
+  return (
+    (await vendor.libExports$1(binName, {
+      nothrow: true
+    })) ?? binName
+  )
+}
+async function getAgentVersion(agentExecPath, cwd) {
+  let result
+  try {
+    result =
+      // Coerce version output into a valid semver version by passing it through
+      // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
+      // and tildes (~).
+      vendor.semverExports.coerce(
+        // All package managers support the "--version" flag.
+        (
+          await spawn.spawn(agentExecPath, ['--version'], {
+            cwd,
+            // Lazily access constants.WIN32.
+            shell: constants.WIN32
+          })
+        ).stdout
+      ) ?? undefined
+  } catch (e) {
+    debug.debugLog('getAgentVersion error:\n', e)
+  }
+  return result
+}
+
+// The order of LOCKS properties IS significant as it affects iteration order.
+const LOCKS = {
+  [`bun${LOCK_EXT}`]: BUN,
+  [`bun${BINARY_LOCK_EXT}`]: BUN,
+  // If both package-lock.json and npm-shrinkwrap.json are present in the root
+  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
+  // will be ignored.
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
+  'npm-shrinkwrap.json': NPM,
+  'package-lock.json': NPM,
+  'pnpm-lock.yaml': PNPM,
+  'pnpm-lock.yml': PNPM,
+  [`yarn${LOCK_EXT}`]: YARN_CLASSIC,
+  'vlt-lock.json': VLT,
+  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
+  //
+  // Unlike the other LOCKS keys this key contains a directory AND filename so
+  // it has to be handled differently.
+  'node_modules/.package-lock.json': NPM
+}
+const readLockFileByAgent = (() => {
+  function wrapReader(reader) {
+    return async (...args) => {
+      try {
+        return await reader(...args)
+      } catch {}
+      return undefined
+    }
+  }
+  const binaryReader = wrapReader(readFileBinary)
+  const defaultReader = wrapReader(
+    async lockPath => await readFileUtf8(lockPath)
+  )
+  return new Map([
+    [
+      BUN,
+      wrapReader(async (lockPath, agentExecPath, cwd = process.cwd()) => {
+        const ext = path.extname(lockPath)
+        if (ext === LOCK_EXT) {
+          return await defaultReader(lockPath)
+        }
+        if (ext === BINARY_LOCK_EXT) {
+          const lockBuffer = await binaryReader(lockPath)
+          if (lockBuffer) {
+            try {
+              return vendor.hyrious__bun_lockbExports.parse(lockBuffer)
+            } catch {}
+          }
+          // To print a Yarn lockfile to your console without writing it to disk
+          // use `bun bun.lockb`.
+          // https://bun.sh/guides/install/yarnlock
+          return (
+            await spawn.spawn(agentExecPath, [lockPath], {
+              cwd,
+              // Lazily access constants.WIN32.
+              shell: constants.WIN32
+            })
+          ).stdout.trim()
+        }
+        return undefined
+      })
+    ],
+    [NPM, defaultReader],
+    [PNPM, defaultReader],
+    [VLT, defaultReader],
+    [YARN_BERRY, defaultReader],
+    [YARN_CLASSIC, defaultReader]
+  ])
+})()
+async function detectPackageEnvironment({
+  cwd = process.cwd(),
+  onUnknown
+} = {}) {
+  let lockPath = await findUp(Object.keys(LOCKS), {
+    cwd
+  })
+  let lockName = lockPath ? path.basename(lockPath) : undefined
+  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON
+  const pkgJsonPath = lockPath
+    ? path.resolve(
+        lockPath,
+        `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`
+      )
+    : await findUp(PACKAGE_JSON, {
+        cwd
+      })
+  const pkgPath =
+    pkgJsonPath && fs.existsSync(pkgJsonPath)
+      ? path.dirname(pkgJsonPath)
+      : undefined
+  const editablePkgJson = pkgPath
+    ? await packages.readPackageJson(pkgPath, {
+        editable: true
+      })
+    : undefined
+  // Read Corepack `packageManager` field in package.json:
+  // https://nodejs.org/api/packages.html#packagemanager
+  const pkgManager = strings.isNonEmptyString(
+    editablePkgJson?.content?.packageManager
+  )
+    ? editablePkgJson.content.packageManager
+    : undefined
+  let agent
+  if (pkgManager) {
+    // A valid "packageManager" field value is "<package manager name>@<version>".
+    // https://nodejs.org/api/packages.html#packagemanager
+    const atSignIndex = pkgManager.lastIndexOf('@')
+    if (atSignIndex !== -1) {
+      const name = pkgManager.slice(0, atSignIndex)
+      const version = pkgManager.slice(atSignIndex + 1)
+      if (version && AGENTS.has(name)) {
+        agent = name
+      }
+    }
+  }
+  if (
+    agent === undefined &&
+    !isHiddenLockFile &&
+    typeof pkgJsonPath === 'string' &&
+    typeof lockName === 'string'
+  ) {
+    agent = LOCKS[lockName]
+  }
+  if (agent === undefined) {
+    agent = NPM
+    onUnknown?.(pkgManager)
+  }
+  const agentExecPath = await getAgentExecPath(agent)
+  const agentVersion = await getAgentVersion(agentExecPath, cwd)
+  if (agent === YARN_CLASSIC && (agentVersion?.major ?? 0) > 1) {
+    agent = YARN_BERRY
+  }
+  // Lazily access constants.maintainedNodeVersions.
+  const { maintainedNodeVersions } = constants
+  // Lazily access constants.minimumVersionByAgent.
+  const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent)
+  const minSupportedNodeVersion = maintainedNodeVersions.last
+  const nodeVersion = vendor.semverExports.coerce(process.version)
+  let lockSrc
+  let pkgAgentRange
+  let pkgNodeRange
+  let pkgMinAgentVersion = minSupportedAgentVersion
+  let pkgMinNodeVersion = minSupportedNodeVersion
+  if (editablePkgJson?.content) {
+    const { engines } = editablePkgJson.content
+    const engineAgentRange = engines?.[agent]
+    const engineNodeRange = engines?.['node']
+    if (strings.isNonEmptyString(engineAgentRange)) {
+      pkgAgentRange = engineAgentRange
+      // Roughly check agent range as semver.coerce will strip leading
+      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+      const coerced = vendor.semverExports.coerce(pkgAgentRange)
+      if (coerced && vendor.semverExports.lt(coerced, pkgMinAgentVersion)) {
+        pkgMinAgentVersion = coerced.version
+      }
+    }
+    if (strings.isNonEmptyString(engineNodeRange)) {
+      pkgNodeRange = engineNodeRange
+      // Roughly check Node range as semver.coerce will strip leading
+      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+      const coerced = vendor.semverExports.coerce(pkgNodeRange)
+      if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
+        pkgMinNodeVersion = coerced.version
+      }
+    }
+    const browserslistQuery = editablePkgJson.content['browserslist']
+    if (Array.isArray(browserslistQuery)) {
+      // List Node targets in ascending version order.
+      const browserslistNodeTargets = vendor
+        .browserslistExports(browserslistQuery)
+        .filter(v => /^node /i.test(v))
+        .map(v => v.slice(5 /*'node '.length*/))
+        .sort(sorts.naturalCompare)
+      if (browserslistNodeTargets.length) {
+        // browserslistNodeTargets[0] is the lowest Node target version.
+        const coerced = vendor.semverExports.coerce(browserslistNodeTargets[0])
+        if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
+          pkgMinNodeVersion = coerced.version
+        }
+      }
+    }
+    lockSrc =
+      typeof lockPath === 'string'
+        ? await readLockFileByAgent.get(agent)(lockPath, agentExecPath, cwd)
+        : undefined
+  } else {
+    lockName = undefined
+    lockPath = undefined
+  }
+  // Does the system agent version meet our minimum supported agent version?
+  const agentSupported =
+    !!agentVersion &&
+    vendor.semverExports.satisfies(
+      agentVersion,
+      `>=${minSupportedAgentVersion}`
+    )
+
+  // Does the system Node version meet our minimum supported Node version?
+  const nodeSupported = vendor.semverExports.satisfies(
+    nodeVersion,
+    `>=${minSupportedNodeVersion}`
+  )
+  const npmExecPath =
+    agent === NPM ? agentExecPath : await getAgentExecPath(NPM)
+  const npmBuggyOverrides =
+    agent === NPM &&
+    !!agentVersion &&
+    vendor.semverExports.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION)
+  return {
+    agent,
+    agentExecPath,
+    agentSupported,
+    agentVersion,
+    editablePkgJson,
+    features: {
+      npmBuggyOverrides
+    },
+    lockName,
+    lockPath,
+    lockSrc,
+    nodeSupported,
+    nodeVersion,
+    npmExecPath,
+    pkgPath,
+    pkgRequirements: {
+      agent: pkgAgentRange ?? `>=${pkgMinAgentVersion}`,
+      node: pkgNodeRange ?? `>=${pkgMinNodeVersion}`
+    },
+    pkgSupports: {
+      // Does our minimum supported agent version meet the package's requirements?
+      agent: vendor.semverExports.satisfies(
+        minSupportedAgentVersion,
+        `>=${pkgMinAgentVersion}`
+      ),
+      // Does our supported Node versions meet the package's requirements?
+      node: maintainedNodeVersions.some(v =>
+        vendor.semverExports.satisfies(v, `>=${pkgMinNodeVersion}`)
+      )
+    }
+  }
+}
+async function detectAndValidatePackageEnvironment(cwd, options) {
+  const {
+    cmdName = '',
+    logger,
+    prod
+  } = {
+    __proto__: null,
+    ...options
+  }
+  const details = await detectPackageEnvironment({
+    cwd,
+    onUnknown(pkgManager) {
+      logger?.warn(
+        cmdPrefixMessage(
+          cmdName,
+          `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`
+        )
+      )
+    }
+  })
+  const { agent, nodeVersion, pkgRequirements } = details
+  const agentVersion = details.agentVersion ?? 'unknown'
+  if (!details.agentSupported) {
+    const minVersion = constants.minimumVersionByAgent.get(agent)
+    logger?.fail(
+      cmdPrefixMessage(
+        cmdName,
+        `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`
+      )
+    )
+    return
+  }
+  if (!details.nodeSupported) {
+    const minVersion = constants.maintainedNodeVersions.last
+    logger?.fail(
+      cmdPrefixMessage(
+        cmdName,
+        `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`
+      )
+    )
+    return
+  }
+  if (!details.pkgSupports.agent) {
+    logger?.fail(
+      cmdPrefixMessage(
+        cmdName,
+        `Package engine "${agent}" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`
+      )
+    )
+    return
+  }
+  if (!details.pkgSupports.node) {
+    logger?.fail(
+      cmdPrefixMessage(
+        cmdName,
+        `Package engine "node" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`
+      )
+    )
+    return
+  }
+  if (agent === VLT) {
+    logger?.fail(
+      cmdPrefixMessage(
+        cmdName,
+        `${agent} does not support overrides. Soon, though ⚡`
+      )
+    )
+    return
+  }
+  const lockName = details.lockName ?? 'lock file'
+  if (details.lockName === undefined || details.lockSrc === undefined) {
+    logger?.fail(cmdPrefixMessage(cmdName, `No ${lockName} found`))
+    return
+  }
+  if (details.lockSrc.trim() === '') {
+    logger?.fail(cmdPrefixMessage(cmdName, `${lockName} is empty`))
+    return
+  }
+  if (details.pkgPath === undefined) {
+    logger?.fail(cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`))
+    return
+  }
+  if (prod && (agent === BUN || agent === YARN_BERRY)) {
+    logger?.fail(
+      cmdPrefixMessage(
+        cmdName,
+        `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`
+      )
+    )
+    return
+  }
+  if (
+    details.lockPath &&
+    path.relative(cwd, details.lockPath).startsWith('.')
+  ) {
+    // Note: In tests we return <redacted> because otherwise snapshots will fail.
+    const { REDACTED } = constants
+    // Lazily access constants.ENV.VITEST.
+    const redacting = constants.ENV.VITEST
+    logger?.warn(
+      cmdPrefixMessage(
+        cmdName,
+        `Package ${lockName} found at ${redacting ? REDACTED : details.lockPath}`
+      )
+    )
+  }
+  return details
+}
+
+exports.ALERT_SEVERITY = ALERT_SEVERITY
+exports.AuthError = AuthError
+exports.ColorOrMarkdown = ColorOrMarkdown
+exports.InputError = InputError
+exports.RangeStyles = RangeStyles
+exports.applyRange = applyRange
+exports.captureException = captureException
+exports.checkCommandInput = checkCommandInput
+exports.cmdPrefixMessage = cmdPrefixMessage
+exports.commonFlags = commonFlags
+exports.createEnum = createEnum
+exports.detectAndValidatePackageEnvironment =
+  detectAndValidatePackageEnvironment
+exports.determineOrgSlug = determineOrgSlug
+exports.failMsgWithBadge = failMsgWithBadge
+exports.formatSeverityCount = formatSeverityCount
+exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile
+exports.getAlertsMapFromPurls = getAlertsMapFromPurls
+exports.getConfigValue = getConfigValue
+exports.getConfigValueOrUndef = getConfigValueOrUndef
+exports.getCveInfoByAlertsMap = getCveInfoByAlertsMap
+exports.getFlagListOutput = getFlagListOutput
+exports.getMajor = getMajor
+exports.getNpmBinPath = getNpmBinPath
+exports.getNpmRequire = getNpmRequire
+exports.getNpxBinPath = getNpxBinPath
+exports.getOutputKind = getOutputKind
+exports.getPackageFilesForScan = getPackageFilesForScan
+exports.getPkgFullNameFromPurlObj = getPkgFullNameFromPurlObj
+exports.getPublicToken = getPublicToken
+exports.getSeverityCount = getSeverityCount
+exports.getSocketDevAlertUrl = getSocketDevAlertUrl
+exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl
+exports.getSocketDevPackageOverviewUrlFromPurl =
+  getSocketDevPackageOverviewUrlFromPurl
+exports.getVisibleTokenPrefix = getVisibleTokenPrefix
+exports.globWorkspace = globWorkspace
+exports.handleApiCall = handleApiCall
+exports.handleApiCallNoSpinner = handleApiCallNoSpinner
+exports.handleUnsuccessfulApiResponse = handleUnsuccessfulApiResponse
+exports.hasDefaultToken = hasDefaultToken
+exports.idToPurl = idToPurl
+exports.isHelpFlag = isHelpFlag
+exports.isNpmBinPathShadowed = isNpmBinPathShadowed
+exports.isNpxBinPathShadowed = isNpxBinPathShadowed
+exports.isReadOnlyConfig = isReadOnlyConfig
+exports.isTestingV1 = isTestingV1
+exports.logAlertsMap = logAlertsMap
+exports.mapToObject = mapToObject
+exports.mdTable = mdTable
+exports.mdTableOfPairs = mdTableOfPairs
+exports.mdTableStringNumber = mdTableStringNumber
+exports.meowOrExit = meowOrExit
+exports.meowWithSubcommands = meowWithSubcommands
+exports.outputFlags = outputFlags
+exports.parsePnpmLockfileVersion = parsePnpmLockfileVersion
+exports.queryApiSafeJson = queryApiSafeJson
+exports.queryApiSafeText = queryApiSafeText
+exports.removeNodeModules = removeNodeModules
+exports.runAgentInstall = runAgentInstall
+exports.safeReadFile = safeReadFile
+exports.sensitiveConfigKeys = sensitiveConfigKeys
+exports.serializeResultJson = serializeResultJson
+exports.setupSdk = setupSdk
+exports.suggestOrgSlug = suggestOrgSlug
+exports.supportedConfigKeys = supportedConfigKeys
+exports.updateConfigValue = updateConfigValue
+exports.validationFlags = validationFlags
+exports.walkNestedMap = walkNestedMap
+//# debugId=ce901e44-4e3e-43e6-8016-50895b08fc53
+//# sourceMappingURL=utils.js.map