@socketsecurity/cli-with-sentry 0.14.44

package/dist/module-sync/index.js

@@ -0,0 +1,1879 @@
+'use strict';
+
+function _socketInterop(e) {
+  let c = 0
+  for (const k in e ?? {}) {
+    c = c === 0 && k === 'default' ? 1 : 0
+    if (!c && k !== '__esModule') break
+  }
+  return c ? e.default : e
+}
+
+var process = require('node:process');
+var path = require('node:path');
+var semver = _socketInterop(require('semver'));
+var packageurlJs = require('@socketregistry/packageurl-js');
+var registry = require('@socketsecurity/registry');
+var arrays = require('@socketsecurity/registry/lib/arrays');
+var objects = require('@socketsecurity/registry/lib/objects');
+var packages = require('@socketsecurity/registry/lib/packages');
+var prompts = require('@socketsecurity/registry/lib/prompts');
+var sorts = require('@socketsecurity/registry/lib/sorts');
+var spinner = require('@socketsecurity/registry/lib/spinner');
+var constants = require('./constants2.js');
+var events = require('node:events');
+var https = require('node:https');
+var readline = require('node:readline');
+var hpagent = _socketInterop(require('hpagent'));
+var isInteractive = require('@socketregistry/is-interactive/index.cjs');
+var registryConstants = require('@socketsecurity/registry/lib/constants');
+var strings = require('@socketsecurity/registry/lib/strings');
+var sdk = require('@socketsecurity/sdk');
+var promises = require('node:timers/promises');
+var npmPaths = require('./npm-paths.js');
+var fs = require('node:fs');
+var os = require('node:os');
+var config = require('@socketsecurity/config');
+var terminalLink = _socketInterop(require('terminal-link'));
+var colors = _socketInterop(require('yoctocolors-cjs'));
+var indentString = require('@socketregistry/indent-string/index.cjs');
+var npa = _socketInterop(require('npm-package-arg'));
+
+const {
+  kInternalsSymbol: kInternalsSymbol$1,
+  [kInternalsSymbol$1]: {
+    getSentry
+  }
+} = constants.constants;
+class AuthError extends Error {}
+class InputError extends Error {
+  constructor(message, body) {
+    super(message);
+    this.body = body;
+  }
+}
+async function captureException(exception, hint) {
+  const result = captureExceptionSync(exception, hint);
+  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
+  await promises.setTimeout(1000);
+  return result;
+}
+function captureExceptionSync(exception, hint) {
+  const Sentry = getSentry();
+  if (!Sentry) {
+    return '';
+  }
+  npmPaths.debugLog('captureException: Sending exception to Sentry.');
+  return Sentry.captureException(exception, hint);
+}
+function isErrnoException(value) {
+  if (!(value instanceof Error)) {
+    return false;
+  }
+  return value.code !== undefined;
+}
+
+async function findUp(name, {
+  cwd = process.cwd()
+}) {
+  let dir = path.resolve(cwd);
+  const {
+    root
+  } = path.parse(dir);
+  const names = [name].flat();
+  while (dir && dir !== root) {
+    for (const name of names) {
+      const filePath = path.join(dir, name);
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        const stats = await fs.promises.stat(filePath);
+        if (stats.isFile()) {
+          return filePath;
+        }
+      } catch {}
+    }
+    dir = path.dirname(dir);
+  }
+  return undefined;
+}
+async function readFileBinary(filepath, options) {
+  return await fs.promises.readFile(filepath, {
+    ...options,
+    encoding: 'binary'
+  });
+}
+async function readFileUtf8(filepath, options) {
+  return await fs.promises.readFile(filepath, {
+    ...options,
+    encoding: 'utf8'
+  });
+}
+function safeReadFile(...args) {
+  try {
+    return fs.promises.readFile(...args);
+  } catch {}
+  return undefined;
+}
+function safeReadFileSync(...args) {
+  try {
+    return fs.readFileSync(...args);
+  } catch {}
+  return undefined;
+}
+
+const LOCALAPPDATA = 'LOCALAPPDATA';
+const supportedApiKeys = new Set(['apiBaseUrl', 'apiKey', 'apiProxy', 'enforcedOrgs']);
+let _settings;
+function getSettings() {
+  if (_settings === undefined) {
+    _settings = {};
+    const settingsPath = getSettingsPath();
+    if (settingsPath) {
+      const raw = safeReadFileSync(settingsPath, 'utf8');
+      if (raw) {
+        try {
+          Object.assign(_settings, JSON.parse(Buffer.from(raw, 'base64').toString()));
+        } catch {
+          npmPaths.logger.warn(`Failed to parse settings at ${settingsPath}`);
+        }
+      } else {
+        fs.mkdirSync(path.dirname(settingsPath), {
+          recursive: true
+        });
+      }
+    }
+  }
+  return _settings;
+}
+let _settingsPath;
+let _warnedSettingPathWin32Missing = false;
+function getSettingsPath() {
+  if (_settingsPath === undefined) {
+    // Lazily access constants.WIN32.
+    const {
+      WIN32
+    } = constants.constants;
+    let dataHome = WIN32 ? process.env[LOCALAPPDATA] : process.env['XDG_DATA_HOME'];
+    if (!dataHome) {
+      if (WIN32) {
+        if (!_warnedSettingPathWin32Missing) {
+          _warnedSettingPathWin32Missing = true;
+          npmPaths.logger.warn(`Missing %${LOCALAPPDATA}%`);
+        }
+      } else {
+        dataHome = path.join(os.homedir(), ...(process.platform === 'darwin' ? ['Library', 'Application Support'] : ['.local', 'share']));
+      }
+    }
+    _settingsPath = dataHome ? path.join(dataHome, 'socket/settings') : undefined;
+  }
+  return _settingsPath;
+}
+function normalizeSettingsKey(key) {
+  const normalizedKey = key === 'apiToken' ? 'apiKey' : key;
+  if (!supportedApiKeys.has(normalizedKey)) {
+    throw new Error(`Invalid settings key: ${normalizedKey}`);
+  }
+  return normalizedKey;
+}
+function findSocketYmlSync() {
+  let prevDir = null;
+  let dir = process.cwd();
+  while (dir !== prevDir) {
+    let ymlPath = path.join(dir, 'socket.yml');
+    let yml = safeReadFileSync(ymlPath, 'utf8');
+    if (yml === undefined) {
+      ymlPath = path.join(dir, 'socket.yaml');
+      yml = safeReadFileSync(ymlPath, 'utf8');
+    }
+    if (typeof yml === 'string') {
+      try {
+        return {
+          path: ymlPath,
+          parsed: config.parseSocketConfig(yml)
+        };
+      } catch {
+        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+      }
+    }
+    prevDir = dir;
+    dir = path.join(dir, '..');
+  }
+  return null;
+}
+function getSetting(key) {
+  return getSettings()[normalizeSettingsKey(key)];
+}
+let pendingSave = false;
+function updateSetting(key, value) {
+  const settings = getSettings();
+  settings[normalizeSettingsKey(key)] = value;
+  if (!pendingSave) {
+    pendingSave = true;
+    process.nextTick(() => {
+      pendingSave = false;
+      const settingsPath = getSettingsPath();
+      if (settingsPath) {
+        fs.writeFileSync(settingsPath, Buffer.from(JSON.stringify(settings)).toString('base64'));
+      }
+    });
+  }
+}
+
+// The API server that should be used for operations.
+function getDefaultApiBaseUrl() {
+  const baseUrl = process.env['SOCKET_SECURITY_API_BASE_URL'] || getSetting('apiBaseUrl');
+  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined;
+}
+
+// The API server that should be used for operations.
+function getDefaultHttpProxy() {
+  const apiProxy = process.env['SOCKET_SECURITY_API_PROXY'] || getSetting('apiProxy');
+  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined;
+}
+
+// This API key should be stored globally for the duration of the CLI execution.
+let _defaultToken;
+function getDefaultToken() {
+  const key = process.env['SOCKET_SECURITY_API_TOKEN'] ||
+  // Keep 'SOCKET_SECURITY_API_KEY' as an alias of 'SOCKET_SECURITY_API_TOKEN'.
+  // TODO: Remove 'SOCKET_SECURITY_API_KEY' alias.
+  process.env['SOCKET_SECURITY_API_KEY'] || getSetting('apiToken') || _defaultToken;
+  _defaultToken = strings.isNonEmptyString(key) ? key : undefined;
+  return _defaultToken;
+}
+function getPublicToken() {
+  return getDefaultToken() ?? registryConstants.SOCKET_PUBLIC_API_TOKEN;
+}
+async function setupSdk(apiToken = getDefaultToken(), apiBaseUrl = getDefaultApiBaseUrl(), proxy = getDefaultHttpProxy()) {
+  if (typeof apiToken !== 'string' && isInteractive()) {
+    apiToken = await prompts.password({
+      message: 'Enter your Socket.dev API key (not saved, use socket login to persist)'
+    });
+    _defaultToken = apiToken;
+  }
+  if (!apiToken) {
+    throw new AuthError('You need to provide an API key');
+  }
+  return new sdk.SocketSdk(apiToken, {
+    agent: proxy ? {
+      http: new hpagent.HttpProxyAgent({
+        proxy
+      }),
+      https: new hpagent.HttpsProxyAgent({
+        proxy
+      })
+    } : undefined,
+    baseUrl: apiBaseUrl,
+    // Lazily access constants.rootPkgJsonPath.
+    userAgent: sdk.createUserAgentFromPkgJson(require(constants.constants.rootPkgJsonPath))
+  });
+}
+
+const {
+  LOOP_SENTINEL: LOOP_SENTINEL$2,
+  NPM_REGISTRY_URL: NPM_REGISTRY_URL$1
+} = constants.constants;
+function getUrlOrigin(input) {
+  try {
+    return URL.parse(input)?.origin ?? '';
+  } catch {}
+  return '';
+}
+function getPackagesToQueryFromDiff(diff_, options) {
+  const {
+    includeUnchanged = false,
+    includeUnknownOrigin = false
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const details = [];
+  // `diff_` is `null` when `npm install --package-lock-only` is passed.
+  if (!diff_) {
+    return details;
+  }
+  const queue = [...diff_.children];
+  let pos = 0;
+  let {
+    length: queueLength
+  } = queue;
+  while (pos < queueLength) {
+    if (pos === LOOP_SENTINEL$2) {
+      throw new Error('Detected infinite loop while walking Arborist diff');
+    }
+    const diff = queue[pos++];
+    const {
+      action
+    } = diff;
+    if (action) {
+      // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
+      // action is 'REMOVE'
+      // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
+      // action is 'ADD'.
+      const {
+        actual: oldNode,
+        ideal: pkgNode
+      } = diff;
+      let existing;
+      let keep = false;
+      if (action === 'CHANGE') {
+        if (pkgNode?.package.version !== oldNode?.package.version) {
+          keep = true;
+          if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
+            existing = oldNode;
+          }
+        }
+      } else {
+        keep = action !== 'REMOVE';
+      }
+      if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
+        if (includeUnknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL$1) {
+          details.push({
+            node: pkgNode,
+            existing
+          });
+        }
+      }
+    }
+    for (const child of diff.children) {
+      queue[queueLength++] = child;
+    }
+  }
+  if (includeUnchanged) {
+    const {
+      unchanged
+    } = diff_;
+    for (let i = 0, {
+        length
+      } = unchanged; i < length; i += 1) {
+      const pkgNode = unchanged[i];
+      if (includeUnknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL$1) {
+        details.push({
+          node: pkgNode,
+          existing: pkgNode
+        });
+      }
+    }
+  }
+  return details;
+}
+
+const {
+  ALERT_TYPE_CRITICAL_CVE,
+  ALERT_TYPE_CVE,
+  ALERT_TYPE_MEDIUM_CVE,
+  ALERT_TYPE_MILD_CVE,
+  ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE,
+  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER: CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1,
+  CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE,
+  abortSignal: abortSignal$2
+} = constants.constants;
+async function* createBatchGenerator(chunk) {
+  // Adds the first 'abort' listener to abortSignal.
+  const req = https
+  // Lazily access constants.BATCH_PURL_ENDPOINT.
+  .request(constants.constants.BATCH_PURL_ENDPOINT, {
+    method: 'POST',
+    headers: {
+      Authorization: `Basic ${btoa(`${getPublicToken()}:`)}`
+    },
+    signal: abortSignal$2
+  }).end(JSON.stringify({
+    components: chunk.map(id => ({
+      purl: `pkg:npm/${id}`
+    }))
+  }));
+  // Adds the second 'abort' listener to abortSignal.
+  const {
+    0: res
+  } = await events.once(req, 'response', {
+    signal: abortSignal$2
+  });
+  const ok = res.statusCode >= 200 && res.statusCode <= 299;
+  if (!ok) {
+    throw new Error(`Socket API Error: ${res.statusCode}`);
+  }
+  const rli = readline.createInterface({
+    input: res,
+    crlfDelay: Infinity,
+    signal: abortSignal$2
+  });
+  for await (const line of rli) {
+    yield JSON.parse(line);
+  }
+}
+async function* batchScan(pkgIds, concurrencyLimit = 50) {
+  // The createBatchGenerator method will add 2 'abort' event listeners to
+  // abortSignal so we multiply the concurrencyLimit by 2.
+  const neededMaxListeners = concurrencyLimit * 2;
+  // Increase abortSignal max listeners count to avoid Node's MaxListenersExceededWarning.
+  const oldAbortSignalMaxListeners = events.getMaxListeners(abortSignal$2);
+  let abortSignalMaxListeners = oldAbortSignalMaxListeners;
+  if (oldAbortSignalMaxListeners < neededMaxListeners) {
+    abortSignalMaxListeners = oldAbortSignalMaxListeners + neededMaxListeners;
+    events.setMaxListeners(abortSignalMaxListeners, abortSignal$2);
+  }
+  const {
+    length: pkgIdsCount
+  } = pkgIds;
+  const running = [];
+  let index = 0;
+  const enqueueGen = () => {
+    if (index >= pkgIdsCount) {
+      // No more work to do.
+      return;
+    }
+    const chunk = pkgIds.slice(index, index + 25);
+    index += 25;
+    const generator = createBatchGenerator(chunk);
+    continueGen(generator);
+  };
+  const continueGen = generator => {
+    let resolveFn;
+    running.push({
+      generator,
+      promise: new Promise(resolve => resolveFn = resolve)
+    });
+    void generator.next().then(res => resolveFn({
+      generator,
+      iteratorResult: res
+    }));
+  };
+  // Start initial batch of generators.
+  while (running.length < concurrencyLimit && index < pkgIdsCount) {
+    enqueueGen();
+  }
+  while (running.length > 0) {
+    // eslint-disable-next-line no-await-in-loop
+    const {
+      generator,
+      iteratorResult
+    } = await Promise.race(running.map(entry => entry.promise));
+    // Remove generator.
+    running.splice(running.findIndex(entry => entry.generator === generator), 1);
+    if (iteratorResult.done) {
+      // Start a new generator if available.
+      enqueueGen();
+    } else {
+      yield iteratorResult.value;
+      // Keep fetching values from this generator.
+      continueGen(generator);
+    }
+  }
+  // Reset abortSignal max listeners count.
+  if (abortSignalMaxListeners > oldAbortSignalMaxListeners) {
+    events.setMaxListeners(oldAbortSignalMaxListeners, abortSignal$2);
+  }
+}
+function isArtifactAlertCveFixable(alert) {
+  const {
+    type
+  } = alert;
+  return (type === ALERT_TYPE_CVE || type === ALERT_TYPE_MEDIUM_CVE || type === ALERT_TYPE_MILD_CVE || type === ALERT_TYPE_CRITICAL_CVE) && !!alert.props?.[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1] && !!alert.props?.[CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE];
+}
+function isArtifactAlertUpgradeFixable(alert) {
+  return alert.type === ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE;
+}
+
+const {
+  abortSignal: abortSignal$1
+} = constants.constants;
+const ERROR_UX = {
+  block: true,
+  display: true
+};
+const IGNORE_UX = {
+  block: false,
+  display: false
+};
+const WARN_UX = {
+  block: false,
+  display: true
+};
+
+// Iterates over all entries with ordered issue rule for deferral.  Iterates over
+// all issue rules and finds the first defined value that does not defer otherwise
+// uses the defaultValue. Takes the value and converts into a UX workflow.
+function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
+  if (defaultValue === true || defaultValue === null || defaultValue === undefined) {
+    defaultValue = {
+      action: 'error'
+    };
+  } else if (defaultValue === false) {
+    defaultValue = {
+      action: 'ignore'
+    };
+  }
+  let block = false;
+  let display = false;
+  let needDefault = true;
+  iterate_entries: for (const rules of orderedRulesCollection) {
+    for (const rule of rules) {
+      if (ruleValueDoesNotDefer(rule)) {
+        needDefault = false;
+        const narrowingFilter = uxForDefinedNonDeferValue(rule);
+        block = block || narrowingFilter.block;
+        display = display || narrowingFilter.display;
+        continue iterate_entries;
+      }
+    }
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
+    block = block || narrowingFilter.block;
+    display = display || narrowingFilter.display;
+  }
+  if (needDefault) {
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
+    block = block || narrowingFilter.block;
+    display = display || narrowingFilter.display;
+  }
+  return {
+    block,
+    display
+  };
+}
+
+// Negative form because it is narrowing the type.
+function ruleValueDoesNotDefer(rule) {
+  if (rule === undefined) {
+    return false;
+  }
+  if (objects.isObject(rule)) {
+    const {
+      action
+    } = rule;
+    if (action === undefined || action === 'defer') {
+      return false;
+    }
+  }
+  return true;
+}
+
+// Handles booleans for backwards compatibility.
+function uxForDefinedNonDeferValue(ruleValue) {
+  if (typeof ruleValue === 'boolean') {
+    return ruleValue ? ERROR_UX : IGNORE_UX;
+  }
+  const {
+    action
+  } = ruleValue;
+  if (action === 'warn') {
+    return WARN_UX;
+  } else if (action === 'ignore') {
+    return IGNORE_UX;
+  }
+  return ERROR_UX;
+}
+function createAlertUXLookup(settings) {
+  const cachedUX = new Map();
+  return context => {
+    const {
+      type
+    } = context.alert;
+    let ux = cachedUX.get(type);
+    if (ux) {
+      return ux;
+    }
+    const orderedRulesCollection = [];
+    for (const settingsEntry of settings.entries) {
+      const orderedRules = [];
+      let target = settingsEntry.start;
+      while (target !== null) {
+        const resolvedTarget = settingsEntry.settings[target];
+        if (!resolvedTarget) {
+          break;
+        }
+        const issueRuleValue = resolvedTarget.issueRules?.[type];
+        if (typeof issueRuleValue !== 'undefined') {
+          orderedRules.push(issueRuleValue);
+        }
+        target = resolvedTarget.deferTo ?? null;
+      }
+      orderedRulesCollection.push(orderedRules);
+    }
+    const defaultValue = settings.defaults.issueRules[type];
+    let resolvedDefaultValue = {
+      action: 'error'
+    };
+    if (defaultValue === false) {
+      resolvedDefaultValue = {
+        action: 'ignore'
+      };
+    } else if (defaultValue && defaultValue !== true) {
+      resolvedDefaultValue = {
+        action: defaultValue.action ?? 'error'
+      };
+    }
+    ux = resolveAlertRuleUX(orderedRulesCollection, resolvedDefaultValue);
+    cachedUX.set(type, ux);
+    return ux;
+  };
+}
+let _uxLookup;
+async function uxLookup(settings) {
+  while (_uxLookup === undefined) {
+    // eslint-disable-next-line no-await-in-loop
+    await promises.setTimeout(1, {
+      signal: abortSignal$1
+    });
+  }
+  return _uxLookup(settings);
+}
+
+// Start initializing the AlertUxLookupResult immediately.
+void (async () => {
+  const {
+    orgs,
+    settings
+  } = await (async () => {
+    try {
+      const sockSdk = await setupSdk(getPublicToken());
+      const orgResult = await sockSdk.getOrganizations();
+      if (!orgResult.success) {
+        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
+      }
+      const orgs = [];
+      for (const org of Object.values(orgResult.data.organizations)) {
+        if (org) {
+          orgs.push(org);
+        }
+      }
+      const result = await sockSdk.postSettings(orgs.map(org => ({
+        organization: org.id
+      })));
+      if (!result.success) {
+        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
+      }
+      return {
+        orgs,
+        settings: result.data
+      };
+    } catch (e) {
+      const cause = objects.isObject(e) && 'cause' in e ? e['cause'] : undefined;
+      if (isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
+        throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
+          cause: e
+        });
+      }
+      throw e;
+    }
+  })();
+
+  // Remove any organizations not being enforced.
+  const enforcedOrgs = getSetting('enforcedOrgs') ?? [];
+  for (const {
+    0: i,
+    1: org
+  } of orgs.entries()) {
+    if (!enforcedOrgs.includes(org.id)) {
+      settings.entries.splice(i, 1);
+    }
+  }
+  const socketYml = findSocketYmlSync();
+  if (socketYml) {
+    settings.entries.push({
+      start: socketYml.path,
+      settings: {
+        [socketYml.path]: {
+          deferTo: null,
+          // TODO: TypeScript complains about the type not matching. We should
+          // figure out why are providing
+          // issueRules: { [issueName: string]: boolean }
+          // but expecting
+          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
+          issueRules: socketYml.parsed.issueRules
+        }
+      }
+    });
+  }
+  _uxLookup = createAlertUXLookup(settings);
+})();
+
+const markdownLogSymbols = {
+  __proto__: null,
+  info: ':information_source:',
+  error: ':stop_sign:',
+  success: ':white_check_mark:',
+  warning: ':warning:'
+};
+class ColorOrMarkdown {
+  constructor(useMarkdown) {
+    this.useMarkdown = !!useMarkdown;
+  }
+  bold(text) {
+    return this.useMarkdown ? `**${text}**` : colors.bold(`${text}`);
+  }
+  header(text, level = 1) {
+    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : colors.underline(`\n${level === 1 ? colors.bold(text) : text}\n`);
+  }
+  hyperlink(text, url, {
+    fallback = true,
+    fallbackToUrl
+  } = {}) {
+    if (url) {
+      return this.useMarkdown ? `[${text}](${url})` : terminalLink(text, url, {
+        fallback: fallbackToUrl ? (_text, url) => url : fallback
+      });
+    }
+    return text;
+  }
+  indent(...args) {
+    return indentString(...args);
+  }
+  italic(text) {
+    return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`);
+  }
+  json(value) {
+    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
+  }
+  list(items) {
+    const indentedContent = items.map(item => this.indent(item).trimStart());
+    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
+  }
+  get logSymbols() {
+    return this.useMarkdown ? markdownLogSymbols : npmPaths.getLogSymbols();
+  }
+}
+
+function getSocketDevAlertUrl(alertType) {
+  return `https://socket.dev/alerts/${alertType}`;
+}
+function getSocketDevPackageOverviewUrl(eco, name, version) {
+  return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`;
+}
+
+const depValid = require(npmPaths.getArboristDepValidPath());
+
+const {
+  UNDEFINED_TOKEN
+} = constants.constants;
+function tryRequire(req, ...ids) {
+  for (const data of ids) {
+    let id;
+    let transformer;
+    if (Array.isArray(data)) {
+      id = data[0];
+      transformer = data[1];
+    } else {
+      id = data;
+      transformer = mod => mod;
+    }
+    try {
+      // Check that the transformed value isn't `undefined` because older
+      // versions of packages like 'proc-log' may not export a `log` method.
+      const exported = transformer(req(id));
+      if (exported !== undefined) {
+        return exported;
+      }
+    } catch {}
+  }
+  return undefined;
+}
+let _log = UNDEFINED_TOKEN;
+function getLogger() {
+  if (_log === UNDEFINED_TOKEN) {
+    _log = tryRequire(npmPaths.getNpmRequire(), ['proc-log/lib/index.js',
+    // The proc-log DefinitelyTyped definition is incorrect. The type definition
+    // is really that of its export log.
+    mod => mod.log], 'npmlog/lib/log.js');
+  }
+  return _log;
+}
+
+const {
+  LOOP_SENTINEL: LOOP_SENTINEL$1
+} = constants.constants;
+const OverrideSet = require(npmPaths.getArboristOverrideSetClassPath());
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
+class SafeOverrideSet extends OverrideSet {
+  // Patch adding doOverrideSetsConflict is based on
+  // https://github.com/npm/cli/pull/7025.
+  static doOverrideSetsConflict(first, second) {
+    // If override sets contain one another then we can try to use the more specific
+    // one. However, if neither one is more specific, then we consider them to be
+    // in conflict.
+    return this.findSpecificOverrideSet(first, second) === undefined;
+  }
+
+  // Patch adding findSpecificOverrideSet is based on
+  // https://github.com/npm/cli/pull/7025.
+  static findSpecificOverrideSet(first, second) {
+    let overrideSet = second;
+    while (overrideSet) {
+      if (overrideSet.isEqual(first)) {
+        return second;
+      }
+      overrideSet = overrideSet.parent;
+    }
+    overrideSet = first;
+    while (overrideSet) {
+      if (overrideSet.isEqual(second)) {
+        return first;
+      }
+      overrideSet = overrideSet.parent;
+    }
+    // The override sets are incomparable. Neither one contains the other.
+    const log = getLogger();
+    log?.silly('Conflicting override sets', first, second);
+    return undefined;
+  }
+
+  // Patch adding childrenAreEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  childrenAreEqual(otherOverrideSet) {
+    const queue = [[this, otherOverrideSet]];
+    let pos = 0;
+    let {
+      length: queueLength
+    } = queue;
+    while (pos < queueLength) {
+      if (pos === LOOP_SENTINEL$1) {
+        throw new Error('Detected infinite loop while comparing override sets');
+      }
+      const {
+        0: currSet,
+        1: currOtherSet
+      } = queue[pos++];
+      const {
+        children
+      } = currSet;
+      const {
+        children: otherChildren
+      } = currOtherSet;
+      if (children.size !== otherChildren.size) {
+        return false;
+      }
+      for (const key of children.keys()) {
+        if (!otherChildren.has(key)) {
+          return false;
+        }
+        const child = children.get(key);
+        const otherChild = otherChildren.get(key);
+        if (child.value !== otherChild.value) {
+          return false;
+        }
+        queue[queueLength++] = [child, otherChild];
+      }
+    }
+    return true;
+  }
+  getEdgeRule(edge) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== edge.name) {
+        continue;
+      }
+      // If keySpec is * we found our override.
+      if (rule.keySpec === '*') {
+        return rule;
+      }
+      // Patch replacing
+      // let spec = npa(`${edge.name}@${edge.spec}`)
+      // is based on https://github.com/npm/cli/pull/7025.
+      //
+      // We need to use the rawSpec here, because the spec has the overrides
+      // applied to it already.
+      let spec = npa(`${edge.name}@${edge.rawSpec}`);
+      if (spec.type === 'alias') {
+        spec = spec.subSpec;
+      }
+      if (spec.type === 'git') {
+        if (spec.gitRange && rule.keySpec && semver.intersects(spec.gitRange, rule.keySpec)) {
+          return rule;
+        }
+        continue;
+      }
+      if (spec.type === 'range' || spec.type === 'version') {
+        if (rule.keySpec && semver.intersects(spec.fetchSpec, rule.keySpec)) {
+          return rule;
+        }
+        continue;
+      }
+      // If we got this far, the spec type is one of tag, directory or file
+      // which means we have no real way to make version comparisons, so we
+      // just accept the override.
+      return rule;
+    }
+    return this;
+  }
+
+  // Patch adding isEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  isEqual(otherOverrideSet) {
+    if (this === otherOverrideSet) {
+      return true;
+    }
+    if (!otherOverrideSet) {
+      return false;
+    }
+    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
+      return false;
+    }
+    if (!this.childrenAreEqual(otherOverrideSet)) {
+      return false;
+    }
+    if (!this.parent) {
+      return !otherOverrideSet.parent;
+    }
+    return this.parent.isEqual(otherOverrideSet.parent);
+  }
+}
+
+const Node = require(npmPaths.getArboristNodeClassPath());
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
+class SafeNode extends Node {
+  // Return true if it's safe to remove this node, because anything that is
+  // depending on it would be fine with the thing that they would resolve to if
+  // it was removed, or nothing is depending on it in the first place.
+  canDedupe(preferDedupe = false) {
+    // Not allowed to mess with shrinkwraps or bundles.
+    if (this.inDepBundle || this.inShrinkwrap) {
+      return false;
+    }
+    // It's a top level pkg, or a dep of one.
+    if (!this.resolveParent?.resolveParent) {
+      return false;
+    }
+    // No one wants it, remove it.
+    if (this.edgesIn.size === 0) {
+      return true;
+    }
+    const other = this.resolveParent.resolveParent.resolve(this.name);
+    // Nothing else, need this one.
+    if (!other) {
+      return false;
+    }
+    // If it's the same thing, then always fine to remove.
+    if (other.matches(this)) {
+      return true;
+    }
+    // If the other thing can't replace this, then skip it.
+    if (!other.canReplace(this)) {
+      return false;
+    }
+    // Patch replacing
+    // if (preferDedupe || semver.gte(other.version, this.version)) {
+    //   return true
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If we prefer dedupe, or if the version is equal, take the other.
+    if (preferDedupe || semver.eq(other.version, this.version)) {
+      return true;
+    }
+    // If our current version isn't the result of an override, then prefer to
+    // take the greater version.
+    if (!this.overridden && semver.gt(other.version, this.version)) {
+      return true;
+    }
+    return false;
+  }
+
+  // Is it safe to replace one node with another?  check the edges to
+  // make sure no one will get upset.  Note that the node might end up
+  // having its own unmet dependencies, if the new node has new deps.
+  // Note that there are cases where Arborist will opt to insert a node
+  // into the tree even though this function returns false!  This is
+  // necessary when a root dependency is added or updated, or when a
+  // root dependency brings peer deps along with it.  In that case, we
+  // will go ahead and create the invalid state, and then try to resolve
+  // it with more tree construction, because it's a user request.
+  canReplaceWith(node, ignorePeers) {
+    if (this.name !== node.name || this.packageName !== node.packageName) {
+      return false;
+    }
+    // Patch replacing
+    // if (node.overrides !== this.overrides) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If this node has no dependencies, then it's irrelevant to check the
+    // override rules of the replacement node.
+    if (this.edgesOut.size) {
+      // XXX need to check for two root nodes?
+      if (node.overrides) {
+        if (!node.overrides.isEqual(this.overrides)) {
+          return false;
+        }
+      } else {
+        if (this.overrides) {
+          return false;
+        }
+      }
+    }
+    // To satisfy the patch we ensure `node.overrides === this.overrides`
+    // so that the condition we want to replace,
+    // if (this.overrides !== node.overrides) {
+    // , is not hit.`
+    const oldOverrideSet = this.overrides;
+    let result = true;
+    if (oldOverrideSet !== node.overrides) {
+      this.overrides = node.overrides;
+    }
+    try {
+      result = super.canReplaceWith(node, ignorePeers);
+      this.overrides = oldOverrideSet;
+    } catch (e) {
+      this.overrides = oldOverrideSet;
+      throw e;
+    }
+    return result;
+  }
+
+  // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/7025.
+  deleteEdgeIn(edge) {
+    this.edgesIn.delete(edge);
+    const {
+      overrides
+    } = edge;
+    if (overrides) {
+      this.updateOverridesEdgeInRemoved(overrides);
+    }
+  }
+  addEdgeIn(edge) {
+    // Patch replacing
+    // if (edge.overrides) {
+    //   this.overrides = edge.overrides
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // We need to handle the case where the new edge in has an overrides field
+    // which is different from the current value.
+    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
+      this.updateOverridesEdgeInAdded(edge.overrides);
+    }
+    this.edgesIn.add(edge);
+    // Try to get metadata from the yarn.lock file.
+    this.root.meta?.addEdge(edge);
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get overridden() {
+    // Patch replacing
+    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
+      return false;
+    }
+    // The overrides rule is for a package with this name, but some override rules
+    // only apply to specific versions. To make sure this package was actually
+    // overridden, we check whether any edge going in had the rule applied to it,
+    // in which case its overrides set is different than its source node.
+    for (const edge of this.edgesIn) {
+      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
+        if (!edge.overrides?.isEqual(edge.from?.overrides)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  // Patch adding recalculateOutEdgesOverrides is based on
+  // https://github.com/npm/cli/pull/7025.
+  recalculateOutEdgesOverrides() {
+    // For each edge out propagate the new overrides through.
+    for (const edge of this.edgesOut.values()) {
+      edge.reload(true);
+      if (edge.to) {
+        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+      }
+    }
+  }
+
+  // @ts-ignore: Incorrectly typed to accept null.
+  set root(newRoot) {
+    // Patch removing
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    //   this.overrides = this.parent.overrides.getNodeRule(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // The "root" setter is a really large and complex function. To satisfy the
+    // patch we add a dummy value to `this.overrides` so that the condition we
+    // want to remove,
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    // , is not hit.
+    if (!this.overrides) {
+      this.overrides = new SafeOverrideSet({
+        overrides: ''
+      });
+    }
+    try {
+      super.root = newRoot;
+      this.overrides = undefined;
+    } catch (e) {
+      this.overrides = undefined;
+      throw e;
+    }
+  }
+
+  // Patch adding updateOverridesEdgeInAdded is based on
+  // https://github.com/npm/cli/pull/7025.
+  //
+  // This logic isn't perfect either. When we have two edges in that have
+  // different override sets, then we have to decide which set is correct. This
+  // function assumes the more specific override set is applicable, so if we have
+  // dependencies A->B->C and A->C and an override set that specifies what happens
+  // for C under A->B, this will work even if the new A->C edge comes along and
+  // tries to change the override set. The strictly correct logic is not to allow
+  // two edges with different overrides to point to the same node, because even
+  // if this node can satisfy both, one of its dependencies might need to be
+  // different depending on the edge leading to it. However, this might cause a
+  // lot of duplication, because the conflict in the dependencies might never
+  // actually happen.
+  updateOverridesEdgeInAdded(otherOverrideSet) {
+    if (!otherOverrideSet) {
+      // Assuming there are any overrides at all, the overrides field is never
+      // undefined for any node at the end state of the tree. So if the new edge's
+      // overrides is undefined it will be updated later. So we can wait with
+      // updating the node's overrides field.
+      return false;
+    }
+    if (!this.overrides) {
+      this.overrides = otherOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    if (this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(this.overrides, otherOverrideSet);
+    if (newOverrideSet) {
+      if (this.overrides.isEqual(newOverrideSet)) {
+        return false;
+      }
+      this.overrides = newOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    // This is an error condition. We can only get here if the new override set
+    // is in conflict with the existing.
+    const log = getLogger();
+    log?.silly('Conflicting override sets', this.name);
+    return false;
+  }
+
+  // Patch adding updateOverridesEdgeInRemoved is based on
+  // https://github.com/npm/cli/pull/7025.
+  updateOverridesEdgeInRemoved(otherOverrideSet) {
+    // If this edge's overrides isn't equal to this node's overrides,
+    // then removing it won't change newOverrideSet later.
+    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    let newOverrideSet;
+    for (const edge of this.edgesIn) {
+      const {
+        overrides: edgeOverrides
+      } = edge;
+      if (newOverrideSet && edgeOverrides) {
+        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(edgeOverrides, newOverrideSet);
+      } else {
+        newOverrideSet = edgeOverrides;
+      }
+    }
+    if (this.overrides.isEqual(newOverrideSet)) {
+      return false;
+    }
+    this.overrides = newOverrideSet;
+    if (newOverrideSet) {
+      // Optimization: If there's any override set at all, then no non-extraneous
+      // node has an empty override set. So if we temporarily have no override set
+      // (for example, we removed all the edges in), there's no use updating all
+      // the edges out right now. Let's just wait until we have an actual override
+      // set later.
+      this.recalculateOutEdgesOverrides();
+    }
+    return true;
+  }
+}
+
+const Edge = require(npmPaths.getArboristEdgeClassPath());
+
+// The Edge class makes heavy use of private properties which subclasses do NOT
+// have access to. So we have to recreate any functionality that relies on those
+// private properties and use our own "safe" prefixed non-conflicting private
+// properties. Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.
+//
+// The npm application
+// Copyright (c) npm, Inc. and Contributors
+// Licensed on the terms of The Artistic License 2.0
+//
+// An edge in the dependency graph.
+// Represents a dependency relationship of some kind.
+const initializedSafeEdges = new WeakSet();
+class SafeEdge extends Edge {
+  #safeAccept;
+  #safeError;
+  #safeExplanation;
+  #safeFrom;
+  #safeName;
+  #safeTo;
+  constructor(options) {
+    const {
+      accept,
+      from,
+      name
+    } = options;
+    // Defer to supper to validate options and assign non-private values.
+    super(options);
+    if (accept !== undefined) {
+      this.#safeAccept = accept || '*';
+    }
+    if (from.constructor !== SafeNode) {
+      Reflect.setPrototypeOf(from, SafeNode.prototype);
+    }
+    this.#safeError = null;
+    this.#safeExplanation = null;
+    this.#safeFrom = from;
+    this.#safeName = name;
+    this.#safeTo = null;
+    initializedSafeEdges.add(this);
+    this.reload(true);
+  }
+  get accept() {
+    return this.#safeAccept;
+  }
+  get bundled() {
+    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+  }
+  get error() {
+    if (!this.#safeError) {
+      if (!this.#safeTo) {
+        if (this.optional) {
+          this.#safeError = null;
+        } else {
+          this.#safeError = 'MISSING';
+        }
+      } else if (this.peer && this.#safeFrom === this.#safeTo.parent && !this.#safeFrom?.isTop) {
+        this.#safeError = 'PEER LOCAL';
+      } else if (!this.satisfiedBy(this.#safeTo)) {
+        this.#safeError = 'INVALID';
+      }
+      // Patch adding "else if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      else if (this.overrides && this.#safeTo.edgesOut.size && SafeOverrideSet.doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
+        // Any inconsistency between the edge's override set and the target's
+        // override set is potentially problematic. But we only say the edge is
+        // in error if the override sets are plainly conflicting. Note that if
+        // the target doesn't have any dependencies of their own, then this
+        // inconsistency is irrelevant.
+        this.#safeError = 'INVALID';
+      } else {
+        this.#safeError = 'OK';
+      }
+    }
+    if (this.#safeError === 'OK') {
+      return null;
+    }
+    return this.#safeError;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get from() {
+    return this.#safeFrom;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get spec() {
+    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
+      // Patch adding "if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      //
+      // If this edge has the same overrides field as the source, then we're not
+      // applying an override for this edge.
+      if (this.overrides === this.#safeFrom?.overrides) {
+        // The Edge rawSpec getter will retrieve the private Edge #spec property.
+        return this.rawSpec;
+      }
+      if (this.overrides.value.startsWith('$')) {
+        const ref = this.overrides.value.slice(1);
+        // We may be a virtual root, if we are we want to resolve reference
+        // overrides from the real root, not the virtual one.
+        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom.sourceReference.root.package : this.#safeFrom?.root?.package;
+        if (pkg?.devDependencies?.[ref]) {
+          return pkg.devDependencies[ref];
+        }
+        if (pkg?.optionalDependencies?.[ref]) {
+          return pkg.optionalDependencies[ref];
+        }
+        if (pkg?.dependencies?.[ref]) {
+          return pkg.dependencies[ref];
+        }
+        if (pkg?.peerDependencies?.[ref]) {
+          return pkg.peerDependencies[ref];
+        }
+        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
+      }
+      return this.overrides.value;
+    }
+    return this.rawSpec;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get to() {
+    return this.#safeTo;
+  }
+  detach() {
+    this.#safeExplanation = null;
+    // Patch replacing
+    // if (this.#safeTo) {
+    //   this.#safeTo.edgesIn.delete(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    this.#safeTo?.deleteEdgeIn(this);
+    this.#safeFrom?.edgesOut.delete(this.name);
+    this.#safeTo = null;
+    this.#safeError = 'DETACHED';
+    this.#safeFrom = null;
+  }
+
+  // Return the edge data, and an explanation of how that edge came to be here.
+  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
+  explain() {
+    if (!this.#safeExplanation) {
+      const explanation = {
+        type: this.type,
+        name: this.name,
+        spec: this.spec,
+        bundled: false,
+        overridden: false,
+        error: undefined,
+        from: undefined,
+        rawSpec: undefined
+      };
+      if (this.rawSpec !== this.spec) {
+        explanation.rawSpec = this.rawSpec;
+        explanation.overridden = true;
+      }
+      if (this.bundled) {
+        explanation.bundled = this.bundled;
+      }
+      if (this.error) {
+        explanation.error = this.error;
+      }
+      if (this.#safeFrom) {
+        explanation.from = this.#safeFrom.explain();
+      }
+      this.#safeExplanation = explanation;
+    }
+    return this.#safeExplanation;
+  }
+  reload(hard = false) {
+    if (!initializedSafeEdges.has(this)) {
+      // Skip if called during super constructor.
+      return;
+    }
+    this.#safeExplanation = null;
+    // Patch adding newOverrideSet and oldOverrideSet is based on
+    // https://github.com/npm/cli/pull/7025.
+    let newOverrideSet;
+    let oldOverrideSet;
+    if (this.#safeFrom?.overrides) {
+      // Patch replacing
+      // this.overrides = this.#safeFrom.overrides.getEdgeRule(this)
+      // is based on https://github.com/npm/cli/pull/7025.
+      const newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
+      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
+        // If there's a new different override set we need to propagate it to
+        // the nodes. If we're deleting the override set then there's no point
+        // propagating it right now since it will be filled with another value
+        // later.
+        oldOverrideSet = this.overrides;
+        this.overrides = newOverrideSet;
+      }
+    } else {
+      this.overrides = undefined;
+    }
+    const newTo = this.#safeFrom?.resolve(this.name);
+    if (newTo !== this.#safeTo) {
+      // Patch replacing
+      // if (this.#safeTo) {
+      //   this.#safeTo.edgesIn.delete(this)
+      // }
+      // is based on https://github.com/npm/cli/pull/7025.
+      this.#safeTo?.deleteEdgeIn(this);
+      this.#safeTo = newTo ?? null;
+      this.#safeError = null;
+      this.#safeTo?.addEdgeIn(this);
+    } else if (hard) {
+      this.#safeError = null;
+    }
+    // Patch adding "else if" condition based on
+    // https://github.com/npm/cli/pull/7025.
+    else if (oldOverrideSet) {
+      // Propagate the new override set to the target node.
+      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
+      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
+    }
+  }
+  satisfiedBy(node) {
+    // Patch replacing
+    // if (node.name !== this.#name) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (node.name !== this.#safeName || !this.#safeFrom) {
+      return false;
+    }
+    // NOTE: this condition means we explicitly do not support overriding
+    // bundled or shrinkwrapped dependencies
+    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+      return depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom);
+    }
+    // Patch replacing
+    // return depValid(node, this.spec, this.#accept, this.#from)
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If there's no override we just use the spec.
+    if (!this.overrides?.keySpec) {
+      return depValid(node, this.spec, this.#safeAccept, this.#safeFrom);
+    }
+    // There's some override. If the target node satisfies the overriding spec
+    // then it's okay.
+    if (depValid(node, this.spec, this.#safeAccept, this.#safeFrom)) {
+      return true;
+    }
+    // If it doesn't, then it should at least satisfy the original spec.
+    if (!depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom)) {
+      return false;
+    }
+    // It satisfies the original spec, not the overriding spec. We need to make
+    // sure it doesn't use the overridden spec.
+    // For example, we might have an ^8.0.0 rawSpec, and an override that makes
+    // keySpec=8.23.0 and the override value spec=9.0.0.
+    // If the node is 9.0.0, then it's okay because it's consistent with spec.
+    // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
+    // If the node is 8.23.0, then it's not okay because even though it's consistent
+    // with the rawSpec, it's also consistent with the keySpec.
+    // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
+    return !depValid(node, this.overrides.keySpec, this.#safeAccept, this.#safeFrom);
+  }
+}
+
+const {
+  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
+  LOOP_SENTINEL,
+  NPM,
+  NPM_REGISTRY_URL,
+  OVERRIDES,
+  PNPM,
+  RESOLUTIONS,
+  abortSignal
+} = constants.constants;
+const formatter = new ColorOrMarkdown(false);
+function findBestPatchVersion(node, availableVersions, vulnerableVersionRange, _firstPatchedVersionIdentifier) {
+  const manifestData = registry.getManifestData(NPM, node.name);
+  let eligibleVersions;
+  if (manifestData && manifestData.name === manifestData.package) {
+    const major = semver.major(manifestData.version);
+    eligibleVersions = availableVersions.filter(v => semver.major(v) === major);
+  } else {
+    const major = semver.major(node.version);
+    eligibleVersions = availableVersions.filter(v =>
+    // Filter for versions that are within the current major version
+    // and are not in the vulnerable range
+    semver.major(v) === major && (!vulnerableVersionRange || !semver.satisfies(v, vulnerableVersionRange)));
+  }
+  return semver.maxSatisfying(eligibleVersions, '*');
+}
+function findPackageNodes(tree, packageName) {
+  const queue = [{
+    node: tree
+  }];
+  const matches = [];
+  let sentinel = 0;
+  while (queue.length) {
+    if (sentinel++ === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop in findPackageNodes');
+    }
+    const {
+      node: currentNode
+    } = queue.pop();
+    const node = currentNode.children.get(packageName);
+    if (node) {
+      matches.push(node);
+    }
+    const children = [...currentNode.children.values()];
+    for (let i = children.length - 1; i >= 0; i -= 1) {
+      queue.push({
+        node: children[i]
+      });
+    }
+  }
+  return matches;
+}
+let _translations;
+function getTranslations() {
+  if (_translations === undefined) {
+    _translations = require(
+    // Lazily access constants.rootPath.
+    path.join(constants.constants.rootPath, 'translations.json'));
+  }
+  return _translations;
+}
+function hasOverride(pkgJson, name) {
+  return !!(pkgJson?.[OVERRIDES]?.[name] || pkgJson?.[RESOLUTIONS]?.[name] || pkgJson?.[PNPM]?.[OVERRIDES]?.[name]);
+}
+function updateNode(node, packument, vulnerableVersionRange, firstPatchedVersionIdentifier) {
+  const availableVersions = Object.keys(packument.versions);
+  // Find the highest non-vulnerable version within the same major range
+  const targetVersion = findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
+  const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+  // Check !targetVersion to make TypeScript happy.
+  if (!targetVersion || !targetPackument) {
+    // No suitable patch version found.
+    return false;
+  }
+  // Use Object.defineProperty to override the version.
+  Object.defineProperty(node, 'version', {
+    configurable: true,
+    enumerable: true,
+    get: () => targetVersion
+  });
+  node.package.version = targetVersion;
+  // Update resolved and clear integrity for the new version.
+  const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${node.name}`);
+  node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${targetVersion}.tgz`;
+  const {
+    integrity
+  } = targetPackument.dist;
+  if (integrity) {
+    node.integrity = integrity;
+  } else {
+    delete node.integrity;
+  }
+  if ('deprecated' in targetPackument) {
+    node.package['deprecated'] = targetPackument.deprecated;
+  } else {
+    delete node.package['deprecated'];
+  }
+  const newDeps = {
+    ...targetPackument.dependencies
+  };
+  const {
+    dependencies: oldDeps
+  } = node.package;
+  node.package.dependencies = newDeps;
+  if (oldDeps) {
+    for (const oldDepName of Object.keys(oldDeps)) {
+      if (!objects.hasOwn(newDeps, oldDepName)) {
+        node.edgesOut.get(oldDepName)?.detach();
+      }
+    }
+  }
+  for (const newDepName of Object.keys(newDeps)) {
+    if (!objects.hasOwn(oldDeps, newDepName)) {
+      node.addEdgeOut(new Edge({
+        from: node,
+        name: newDepName,
+        spec: newDeps[newDepName],
+        type: 'prod'
+      }));
+    }
+  }
+  return true;
+}
+async function getPackagesAlerts(arb, options) {
+  const {
+    consolidate = false,
+    includeExisting = false,
+    includeUnfixable = true,
+    output
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const needInfoOn = getPackagesToQueryFromDiff(arb.diff, {
+    includeUnchanged: includeExisting
+  });
+  const purls = arrays.arrayUnique(needInfoOn.map(d => d.node.pkgid));
+  let {
+    length: remaining
+  } = purls;
+  const results = [];
+  if (!remaining) {
+    return results;
+  }
+  const pkgJson = (arb.actualTree ?? arb.idealTree).package;
+  const spinner$1 = output ? new spinner.Spinner({
+    stream: output
+  }) : undefined;
+  const getText = () => `Looking up data for ${remaining} packages`;
+  const decrementRemaining = () => {
+    remaining -= 1;
+    if (spinner$1 && remaining > 0) {
+      spinner$1.start();
+      spinner$1.text = getText();
+    }
+  };
+  spinner$1?.start(getText());
+  for await (const artifact of batchScan(purls)) {
+    if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
+      decrementRemaining();
+      continue;
+    }
+    const name = packages.resolvePackageName(artifact);
+    const {
+      version
+    } = artifact;
+    let displayWarning = false;
+    let sockPkgAlerts = [];
+    for (const alert of artifact.alerts) {
+      // eslint-disable-next-line no-await-in-loop
+      const ux = await uxLookup({
+        package: {
+          name,
+          version
+        },
+        alert: {
+          type: alert.type
+        }
+      });
+      if (ux.display) {
+        displayWarning = !!output;
+      }
+      const fixableCve = isArtifactAlertCveFixable(alert);
+      const fixableUpgrade = isArtifactAlertUpgradeFixable(alert);
+      if ((fixableCve || fixableUpgrade || includeUnfixable) && !(fixableUpgrade && hasOverride(pkgJson, name))) {
+        sockPkgAlerts.push({
+          name,
+          version,
+          key: alert.key,
+          type: alert.type,
+          block: ux.block,
+          raw: alert,
+          fixable: fixableCve || fixableUpgrade
+        });
+      }
+    }
+    if (!includeExisting && sockPkgAlerts.length) {
+      // Before we ask about problematic issues, check to see if they
+      // already existed in the old version if they did, be quiet.
+      const allExisting = needInfoOn.filter(d => d.existing?.pkgid.startsWith(`${name}@`));
+      for (const {
+        existing
+      } of allExisting) {
+        const oldAlerts =
+        // eslint-disable-next-line no-await-in-loop
+        (await batchScan([existing.pkgid]).next()).value?.alerts;
+        if (oldAlerts?.length) {
+          // SocketArtifactAlert and SocketPackageAlert both have the 'key' property.
+          sockPkgAlerts = sockPkgAlerts.filter(({
+            key
+          }) => !oldAlerts.find(a => a.key === key));
+        }
+      }
+    }
+    if (consolidate && sockPkgAlerts.length) {
+      const highestForCve = new Map();
+      const highestForUpgrade = new Map();
+      const unfixableAlerts = [];
+      for (const sockPkgAlert of sockPkgAlerts) {
+        if (isArtifactAlertCveFixable(sockPkgAlert.raw)) {
+          const version = sockPkgAlert.raw.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
+          const major = semver.major(version);
+          const highest = highestForCve.get(major)?.raw[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER] ?? '0.0.0';
+          if (semver.gt(version, highest)) {
+            highestForCve.set(major, sockPkgAlert);
+          }
+        } else if (isArtifactAlertUpgradeFixable(sockPkgAlert.raw)) {
+          const {
+            version
+          } = sockPkgAlert;
+          const major = semver.major(version);
+          const highest = highestForUpgrade.get(major)?.version ?? '0.0.0';
+          if (semver.gt(version, highest)) {
+            highestForUpgrade.set(major, sockPkgAlert);
+          }
+        } else {
+          unfixableAlerts.push(sockPkgAlert);
+        }
+      }
+      sockPkgAlerts = [...unfixableAlerts, ...highestForCve.values(), ...highestForUpgrade.values()];
+    }
+    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
+    spinner$1?.stop();
+    if (displayWarning && sockPkgAlerts.length) {
+      const lines = new Set();
+      const translations = getTranslations();
+      for (const sockPkgAlert of sockPkgAlerts) {
+        const attributes = [...(sockPkgAlert.fixable ? ['fixable'] : []), ...(sockPkgAlert.block ? [] : ['non-blocking'])];
+        const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : '';
+        // Based data from { pageProps: { alertTypes } } of:
+        // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
+        const info = translations.alerts[sockPkgAlert.type];
+        const title = info?.title ?? sockPkgAlert.type;
+        const maybeDesc = info?.description ? ` - ${info.description}` : '';
+        // TODO: emoji seems to mis-align terminals sometimes
+        lines.add(`  ${title}${maybeAttributes}${maybeDesc}\n`);
+      }
+      output?.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, getSocketDevPackageOverviewUrl(NPM, name, version))} contains risks:\n`);
+      for (const line of lines) {
+        output?.write(line);
+      }
+    }
+    results.push(...sockPkgAlerts);
+    decrementRemaining();
+  }
+  spinner$1?.stop();
+  return results;
+}
+function getCveInfoByPackage(alerts, options) {
+  const {
+    excludeUpgrades
+  } = {
+    __proto__: null,
+    ...options
+  };
+  let infoByPkg = null;
+  for (const alert of alerts) {
+    if (!isArtifactAlertCveFixable(alert.raw) || excludeUpgrades && registry.getManifestData(NPM, alert.name)) {
+      continue;
+    }
+    if (!infoByPkg) {
+      infoByPkg = new Map();
+    }
+    const {
+      name
+    } = alert;
+    let infos = infoByPkg.get(name);
+    if (!infos) {
+      infos = [];
+      infoByPkg.set(name, infos);
+    }
+    const {
+      firstPatchedVersionIdentifier,
+      vulnerableVersionRange
+    } = alert.raw.props;
+    infos.push({
+      firstPatchedVersionIdentifier,
+      vulnerableVersionRange
+    });
+  }
+  return infoByPkg;
+}
+const kRiskyReify = Symbol('riskyReify');
+async function reify(...args) {
+  const {
+    stderr: output,
+    stdin: input
+  } = process;
+  const alerts = await getPackagesAlerts(this, {
+    output
+  });
+  if (alerts.length && !(await prompts.confirm({
+    message: 'Accept risks of installing these packages?',
+    default: false
+  }, {
+    input,
+    output,
+    signal: abortSignal
+  }))) {
+    throw new Error('Socket npm exiting due to risks');
+  }
+  return await this[kRiskyReify](...args);
+}
+
+const {
+  SOCKET_CLI_SAFE_WRAPPER,
+  kInternalsSymbol,
+  [kInternalsSymbol]: {
+    getIPC
+  }
+} = constants.constants;
+const Arborist = require(npmPaths.getArboristClassPath());
+const kCtorArgs = Symbol('ctorArgs');
+const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
+  __proto__: null,
+  audit: false,
+  dryRun: true,
+  fund: false,
+  ignoreScripts: true,
+  progress: false,
+  save: false,
+  saveBundle: false,
+  silent: true
+};
+
+// Implementation code not related to our custom behavior is based on
+// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
+class SafeArborist extends Arborist {
+  constructor(...ctorArgs) {
+    super({
+      path: (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),
+      ...(ctorArgs.length ? ctorArgs[0] : undefined),
+      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+    }, ...ctorArgs.slice(1));
+    this[kCtorArgs] = ctorArgs;
+  }
+  async [kRiskyReify](...args) {
+    const ctorArgs = this[kCtorArgs];
+    const arb = new Arborist({
+      ...(ctorArgs.length ? ctorArgs[0] : undefined),
+      progress: false
+    }, ...ctorArgs.slice(1));
+    arb.actualTree = this.actualTree;
+    arb.idealTree = this.idealTree;
+    const ret = await arb.reify({
+      ...(args.length ? args[0] : undefined),
+      progress: false
+    }, ...args.slice(1));
+    Object.assign(this, arb);
+    return ret;
+  }
+
+  // @ts-ignore Incorrectly typed.
+  async reify(...args) {
+    const options = {
+      __proto__: null,
+      ...(args.length ? args[0] : undefined)
+    };
+    const safeArgs = [{
+      ...options,
+      progress: false
+    }, ...args.slice(1)];
+    if (options.dryRun || !(await getIPC(SOCKET_CLI_SAFE_WRAPPER))) {
+      return await this[kRiskyReify](...safeArgs);
+    }
+    Object.assign(options, SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES);
+    const old = args[0];
+    args[0] = options;
+    await super.reify(...safeArgs);
+    args[0] = old;
+    return await Reflect.apply(reify, this, safeArgs);
+  }
+}
+
+exports.Arborist = Arborist;
+exports.AuthError = AuthError;
+exports.ColorOrMarkdown = ColorOrMarkdown;
+exports.InputError = InputError;
+exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES;
+exports.SafeArborist = SafeArborist;
+exports.SafeEdge = SafeEdge;
+exports.SafeNode = SafeNode;
+exports.SafeOverrideSet = SafeOverrideSet;
+exports.captureException = captureException;
+exports.findPackageNodes = findPackageNodes;
+exports.findUp = findUp;
+exports.getCveInfoByPackage = getCveInfoByPackage;
+exports.getDefaultToken = getDefaultToken;
+exports.getPackagesAlerts = getPackagesAlerts;
+exports.getPublicToken = getPublicToken;
+exports.getSetting = getSetting;
+exports.getSocketDevAlertUrl = getSocketDevAlertUrl;
+exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl;
+exports.readFileBinary = readFileBinary;
+exports.readFileUtf8 = readFileUtf8;
+exports.safeReadFile = safeReadFile;
+exports.setupSdk = setupSdk;
+exports.updateNode = updateNode;
+exports.updateSetting = updateSetting;
+//# debugId=e258de92-cf4c-4739-8f4a-4ec18acff673
+//# sourceMappingURL=index.js.map