@socketsecurity/cli-with-sentry 0.14.56 → 0.14.58

package/dist/module-sync/cli.js

@@ -24,10 +24,11 @@ var fs = require('node:fs');
 var path = require('node:path');
 var ndjson = _socketInterop(require('ndjson'));
 var rest = _socketInterop(require('@octokit/rest'));
-var index = require('./index.js');
+var shadowNpmInject = require('./shadow-npm-inject.js');
 var constants = require('./constants.js');
 var meow = _socketInterop(require('meow'));
 var objects = require('@socketsecurity/registry/lib/objects');
+var path$1 = require('@socketsecurity/registry/lib/path');
 var regexps = require('@socketsecurity/registry/lib/regexps');
 var commonTags = _socketInterop(require('common-tags'));
 var fs$1 = require('node:fs/promises');
@@ -42,27 +43,30 @@ var util = require('node:util');
 var registry = require('@socketsecurity/registry');
 var npm = require('@socketsecurity/registry/lib/npm');
 var packages = require('@socketsecurity/registry/lib/packages');
-var registryConstants = require('@socketsecurity/registry/lib/constants');
-var isInteractive = require('@socketregistry/is-interactive/index.cjs');
-var terminalLink = _socketInterop(require('terminal-link'));
+var lockfileFile = _socketInterop(require('@pnpm/lockfile-file'));
+var lockfile_detectDepTypes = _socketInterop(require('@pnpm/lockfile.detect-dep-types'));
+var debug = require('@socketsecurity/registry/lib/debug');
 var spawn = require('@socketsecurity/registry/lib/spawn');
-var npa = _socketInterop(require('npm-package-arg'));
-var semver = _socketInterop(require('semver'));
-var tinyglobby = _socketInterop(require('tinyglobby'));
-var promises = require('@socketsecurity/registry/lib/promises');
+var shadowNpmPaths = require('./shadow-npm-paths.js');
 var browserslist = _socketInterop(require('browserslist'));
+var semver = _socketInterop(require('semver'));
 var which = _socketInterop(require('which'));
 var index_cjs = require('@socketregistry/hyrious__bun.lockb/index.cjs');
 var sorts = require('@socketsecurity/registry/lib/sorts');
 var strings = require('@socketsecurity/registry/lib/strings');
+var registryConstants = require('@socketsecurity/registry/lib/constants');
+var isInteractive = require('@socketregistry/is-interactive/index.cjs');
+var terminalLink = _socketInterop(require('terminal-link'));
+var npa = _socketInterop(require('npm-package-arg'));
+var tinyglobby = _socketInterop(require('tinyglobby'));
+var promises = require('@socketsecurity/registry/lib/promises');
 var yaml = _socketInterop(require('yaml'));
-var debug = require('@socketsecurity/registry/lib/debug');
-var npmPaths = require('./npm-paths.js');
 var betterAjvErrors = _socketInterop(require('@apideck/better-ajv-errors'));
 var config$A = require('@socketsecurity/config');
 var assert = require('node:assert');
 var readline = require('node:readline/promises');
 var open = _socketInterop(require('open'));
+var BoxWidget = _socketInterop(require('blessed/lib/widgets/box'));
 var TableWidget = _socketInterop(require('blessed-contrib/lib/widget/table'));
 var readline$1 = require('node:readline');
 
@@ -324,7 +328,7 @@ class Core {
   }) {
     const introducedBy = [];
     if (pkg.direct) {
-      let manifests = pkg.manifestFiles.map(({
+      const manifests = pkg.manifestFiles.map(({
         file
       }) => file).join(';');
       introducedBy.push(['direct', manifests]);
@@ -335,7 +339,7 @@ class Core {
           continue;
         }
         const topPurl = `${topPackage.type}/${topPackage.name}@${topPackage.version}`;
-        let manifests = topPackage.manifestFiles.map(({
+        const manifests = topPackage.manifestFiles.map(({
           file
         }) => file).join(';');
         introducedBy.push([topPurl, manifests]);
@@ -767,7 +771,7 @@ function processSecurityComment({
   const result = [];
   let start = false;
   let ignoreAll = false;
-  let ignoredPackages = [];
+  const ignoredPackages = [];
   for (const ignoreComment of ignoreComments) {
     const parsed = parseIgnoreCommand(ignoreComment.body?.split('\n').at(0) ?? '');
     if (parsed.ignoreAll) {
@@ -791,7 +795,7 @@ function processSecurityComment({
       const [_, _title, packageLink, _introducedBy, _manifest, _ci] = line.split('|');
 
       // Parsing package link [npm/pkg](url)
-      let [_ecosystem, pkg] = packageLink.slice(1, packageLink.indexOf(']')).split('/', 2);
+      const [_ecosystem, pkg] = packageLink.slice(1, packageLink.indexOf(']')).split('/', 2);
       const [pkgName, pkgVersion] = pkg.split('@');
 
       // Checking if this package should be ignored
@@ -840,7 +844,7 @@ function getIgnoreOptions({
           ignoreCommands.push(data);
         }
       } catch (e) {
-        logger.logger.error(`Unable to process ignore command for ${comment}`);
+        logger.logger.fail(`Unable to process ignore command for ${comment}`);
         logger.logger.error(e);
       }
     }
@@ -1114,8 +1118,8 @@ function createSources(alert) {
       manifests.push(addStr);
     }
   }
-  let manifestList = manifests.join('');
-  let sourceList = sources.join('');
+  const manifestList = manifests.join('');
+  const sourceList = sources.join('');
   const manifestStr = `<ul>${manifestList}</ul>`;
   const sourcesStr = `<ul>${sourceList}</ul>`;
   return [manifestStr, sourcesStr];
@@ -1226,7 +1230,7 @@ function securityCommentTemplate(diff) {
 // TODO: is this a github action handler?
 async function runAction(githubEventBefore, githubEventAfter) {
   //TODO
-  const socket = new sdk.SocketSdk(index.getDefaultToken());
+  const socket = new sdk.SocketSdk(shadowNpmInject.getDefaultToken());
   const git = simpleGit.simpleGit();
   const changedFiles = (await git.diff(process.env['GITHUB_EVENT_NAME'] === 'pull_request' ? ['--name-only', 'HEAD^1', 'HEAD'] : ['--name-only', githubEventBefore, githubEventAfter])).split('\n');
   logger.logger.log({
@@ -1260,8 +1264,8 @@ async function runAction(githubEventBefore, githubEventAfter) {
     const securityComment = securityCommentTemplate(diff);
     let newSecurityComment = true;
     let newOverviewComment = true;
-    let updateOldSecurityComment = comments.security !== undefined;
-    let updateOldOverviewComment = comments.overview !== undefined;
+    const updateOldSecurityComment = comments.security !== undefined;
+    const updateOldOverviewComment = comments.overview !== undefined;
     if (diff.newAlerts.length === 0) {
       if (!updateOldSecurityComment) {
         newSecurityComment = false;
@@ -1291,15 +1295,14 @@ async function runAction(githubEventBefore, githubEventAfter) {
 const {
   API_V0_URL
 } = constants;
-function handleUnsuccessfulApiResponse(_name, result, spinner) {
+function handleUnsuccessfulApiResponse(_name, result) {
   // SocketSdkErrorType['error'] is not typed.
   const resultErrorMessage = result.error?.message;
   const message = typeof resultErrorMessage === 'string' ? resultErrorMessage : 'No error message returned';
   if (result.status === 401 || result.status === 403) {
-    spinner.stop();
-    throw new index.AuthError(message);
+    throw new shadowNpmInject.AuthError(message);
   }
-  spinner.errorAndStop(`${colors.bgRed(colors.white('API returned an error:'))} ${message}`);
+  logger.logger.fail(`${colors.bgRed(colors.white('API returned an error:'))} ${message}`);
   process$1.exit(1);
 }
 async function handleApiCall(value, description) {
@@ -1404,8 +1407,7 @@ const validationFlags = {
 
 const {
   DRY_RUN_LABEL: DRY_RUN_LABEL$1,
-  REDACTED,
-  SOCKET_CLI_SHOW_BANNER
+  REDACTED
 } = constants;
 async function meowWithSubcommands(subcommands, options) {
   const {
@@ -1439,11 +1441,7 @@ async function meowWithSubcommands(subcommands, options) {
   };
   // ...else we provide basic instructions and help.
 
-  // Temp disable until we clear the --json and --markdown usage
-  // Lazily access constants.ENV[SOCKET_CLI_SHOW_BANNER].
-  if (constants.ENV[SOCKET_CLI_SHOW_BANNER]) {
-    logger.logger.log(getAsciiHeader(name));
-  }
+  emitBanner(name);
   const cli = meow(`
     Usage
       $ ${name} <command>
@@ -1478,8 +1476,8 @@ async function meowWithSubcommands(subcommands, options) {
     autoHelp: false // otherwise we can't exit(0)
   });
   if (!cli.flags['help'] && cli.flags['dryRun']) {
-    logger.logger.log(`${DRY_RUN_LABEL$1}: No-op, call a sub-command; ok`);
     process.exitCode = 0;
+    logger.logger.log(`${DRY_RUN_LABEL$1}: No-op, call a sub-command; ok`);
   } else {
     cli.showHelp();
   }
@@ -1497,11 +1495,7 @@ function meowOrExit({
   parentName
 }) {
   const command = `${parentName} ${config.commandName}`;
-  // Temp disable until we clear the --json and --markdown usage.
-  // Lazily access constants.ENV[SOCKET_CLI_SHOW_BANNER].
-  if (constants.ENV[SOCKET_CLI_SHOW_BANNER]) {
-    logger.logger.log(getAsciiHeader(command));
-  }
+  emitBanner(command);
 
   // This exits if .printHelp() is called either by meow itself or by us.
   const cli = meow({
@@ -1518,13 +1512,24 @@ function meowOrExit({
   }
   return cli;
 }
+function emitBanner(name) {
+  // Print a banner at the top of each command.
+  // This helps with brand recognition and marketing.
+  // It also helps with debugging since it contains version and command details.
+  // Note: print over stderr to preserve stdout for flags like --json and
+  //       --markdown. If we don't do this, you can't use --json in particular
+  //       and pipe the result to other tools. By emiting the banner over stderr
+  //       you can do something like `socket scan view xyz | jq | process`.
+  //       The spinner also emits over stderr for example.
+  logger.logger.error(getAsciiHeader(name));
+}
 function getAsciiHeader(command) {
   const cliVersion = // The '@rollup/plugin-replace' will replace "process.env['SOCKET_CLI_VERSION_HASH']".
-  "0.14.56:5a261bf:186ce7ee:pub";
+  "0.14.58:f270068:05655527:pub";
   const nodeVersion = process.version;
-  const apiToken = index.getSetting('apiToken');
+  const apiToken = shadowNpmInject.getSetting('apiToken');
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no';
-  const relCwd = process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}`, 'i'), '~/');
+  const relCwd = path$1.normalizePath(process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}(?:${path.sep}|$)`, 'i'), '~/'));
   const body = `
    _____         _       _        /---------------
   |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver ${cliVersion}
@@ -1595,10 +1600,10 @@ async function run$z(argv, importMeta, {
 }
 
 async function fetchOrgAnalyticsData(time, spinner, apiToken) {
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getOrgAnalytics(time.toString()), 'fetching analytics data');
   if (result.success === false) {
-    handleUnsuccessfulApiResponse('getOrgAnalytics', result, spinner);
+    handleUnsuccessfulApiResponse('getOrgAnalytics', result);
     return undefined;
   }
   spinner.stop();
@@ -1610,10 +1615,10 @@ async function fetchOrgAnalyticsData(time, spinner, apiToken) {
 }
 
 async function fetchRepoAnalyticsData(repo, time, spinner, apiToken) {
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getRepoAnalytics(repo, time.toString()), 'fetching analytics data');
   if (result.success === false) {
-    handleUnsuccessfulApiResponse('getRepoAnalytics', result, spinner);
+    handleUnsuccessfulApiResponse('getRepoAnalytics', result);
     return undefined;
   }
   spinner.stop();
@@ -1687,9 +1692,9 @@ async function displayAnalytics({
   scope,
   time
 }) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API token.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API token.');
   }
   await outputAnalyticsWithToken({
     apiToken,
@@ -1723,16 +1728,16 @@ async function outputAnalyticsWithToken({
   // A message should already have been printed if we have no data here
   if (!data) return;
   if (outputKind === 'json') {
-    let serialized = renderJson(data);
+    const serialized = renderJson(data);
     if (!serialized) return;
     if (filePath && filePath !== '-') {
       try {
         await fs$1.writeFile(filePath, serialized, 'utf8');
         logger.logger.log(`Data successfully written to ${filePath}`);
       } catch (e) {
-        logger.logger.error('There was an error trying to write the json to disk');
-        logger.logger.error(e);
         process.exitCode = 1;
+        logger.logger.fail('There was an error trying to write the json to disk');
+        logger.logger.error(e);
       }
     } else {
       logger.logger.log(serialized);
@@ -1760,9 +1765,9 @@ function renderJson(data) {
   try {
     return JSON.stringify(data, null, 2);
   } catch (e) {
-    // This could be caused by circular references, which is an "us" problem
-    logger.logger.error('There was a problem converting the data set to JSON. Please try without --json or with --markdown');
     process.exitCode = 1;
+    // This could be caused by circular references, which is an "us" problem
+    logger.logger.fail('There was a problem converting the data set to JSON. Please try without --json or with --markdown');
     return;
   }
 }
@@ -1997,7 +2002,7 @@ async function run$y(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Scope must be "repo" or "org" ${badScope ? colors.red('(bad!)') : colors.green('(ok)')}
 
@@ -2031,9 +2036,9 @@ async function getAuditLog({
   page,
   perPage
 }) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   const auditLogs = await getAuditLogWithToken({
     apiToken,
@@ -2077,8 +2082,8 @@ async function outputAsJson(auditLogs, orgSlug, logType, page, perPage) {
       })
     }, null, 2);
   } catch (e) {
-    logger.logger.error('There was a problem converting the logs to JSON, please try without the `--json` flag');
     process.exitCode = 1;
+    logger.logger.fail('There was a problem converting the logs to JSON, please try without the `--json` flag');
     return;
   }
   logger.logger.log(json);
@@ -2099,9 +2104,9 @@ These are the Socket.dev audit logs as per requested query.
 ${table}
 `);
   } catch (e) {
-    logger.logger.error('There was a problem converting the logs to JSON, please try without the `--json` flag');
-    logger.logger.error(e);
     process.exitCode = 1;
+    logger.logger.fail('There was a problem converting the logs to JSON, please try without the `--json` flag');
+    logger.logger.error(e);
     return;
   }
 }
@@ -2143,7 +2148,7 @@ async function getAuditLogWithToken({
     spinner
   } = constants;
   spinner.start(`Looking up audit log for ${orgSlug}`);
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getAuditLogEvents(orgSlug, {
     outputJson: outputKind === 'json',
     // I'm not sure this is used at all
@@ -2155,7 +2160,7 @@ async function getAuditLogWithToken({
     per_page: perPage
   }), `Looking up audit log for ${orgSlug}\n`);
   if (!result.success) {
-    handleUnsuccessfulApiResponse('getAuditLogEvents', result, spinner);
+    handleUnsuccessfulApiResponse('getAuditLogEvents', result);
     return;
   }
   spinner.stop();
@@ -2195,6 +2200,9 @@ const config$x = {
     Usage
       $ ${command} <org slug>
 
+    This feature requires an Enterprise Plan. To learn more about getting access
+    to this feature and many more, please visit https://socket.dev/pricing
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -2230,7 +2238,7 @@ async function run$x(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
       ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:\n
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
     `);
@@ -2250,22 +2258,22 @@ async function run$x(argv, importMeta, {
 }
 
 const {
-  NPM: NPM$e,
+  NPM: NPM$g,
   NPX: NPX$3,
-  PNPM: PNPM$8
+  PNPM: PNPM$a
 } = constants;
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$e, PNPM$8, 'ts', 'tsx', 'typescript']);
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$g, PNPM$a, 'ts', 'tsx', 'typescript']);
 async function runCycloneDX(yargv) {
   let cleanupPackageLock = false;
   if (yargv.type !== 'yarn' && nodejsPlatformTypes.has(yargv.type) && fs.existsSync('./yarn.lock')) {
     if (fs.existsSync('./package-lock.json')) {
-      yargv.type = NPM$e;
+      yargv.type = NPM$g;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
         await shadowBin(NPX$3, ['synp@1.9.14', '--', '--source-file', './yarn.lock'], 2);
-        yargv.type = NPM$e;
+        yargv.type = NPM$g;
         cleanupPackageLock = true;
       } catch {}
     }
@@ -2416,7 +2424,7 @@ async function run$w(argv, importMeta, {
   //
   //
   // if (cli.input.length)
-  //   logger.error(
+  //   logger.fail(
   //     stripIndents`
   //       ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
   //
@@ -2440,7 +2448,7 @@ async function run$w(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process$1.exitCode = 2;
-    logger.logger.error(`Unknown ${words.pluralize('argument', unknownLength)}: ${yargv._.join(', ')}`);
+    logger.logger.fail(`Unknown ${words.pluralize('argument', unknownLength)}: ${yargv._.join(', ')}`);
     return;
   }
   if (yargv.output === undefined) {
@@ -2459,22 +2467,22 @@ async function findDependencies({
   offset,
   outputJson
 }) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   // Lazily access constants.spinner.
   const {
     spinner
   } = constants;
   spinner.start('Searching dependencies...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.searchDependencies({
     limit,
     offset
   }), 'Searching dependencies');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('searchDependencies', result, spinner);
+    handleUnsuccessfulApiResponse('searchDependencies', result);
     return;
   }
   spinner.stop('Organization dependencies:');
@@ -2579,9 +2587,9 @@ async function getDiffScan({
   orgSlug,
   outputJson
 }) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   await getDiffScanWithToken({
     after,
@@ -2626,16 +2634,17 @@ async function getDiffScanWithToken({
     try {
       json = JSON.stringify(result, null, 2);
     } catch (e) {
-      // Most likely caused by a circular reference (or OOM)
-      logger.logger.error('There was a problem converting the data to JSON');
       process.exitCode = 1;
+      // Most likely caused by a circular reference (or OOM)
+      logger.logger.fail('There was a problem converting the data to JSON');
+      logger.logger.error(e);
       return;
     }
     if (file && file !== '-') {
       logger.logger.log(`Writing json to \`${file}\``);
       fs.writeFile(file, JSON.stringify(result, null, 2), err => {
         if (err) {
-          logger.logger.error(`Writing to \`${file}\` failed...`);
+          logger.logger.fail(`Writing to \`${file}\` failed...`);
           logger.logger.error(err);
         } else {
           logger.logger.log(`Data successfully written to \`${file}\``);
@@ -2741,7 +2750,7 @@ async function run$u(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:\n
+    logger.logger.fail(`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:\n
       - Specify a before and after full scan ID ${!before && !after ? colors.red('(missing before and after!)') : !before ? colors.red('(missing before!)') : !after ? colors.red('(missing after!)') : colors.green('(ok)')}\n
           - To get full scans IDs, you can run the command "socket scan list <your org slug>".
             The args are expecting a full \`aaa0aa0a-aaaa-0000-0a0a-0000000a00a0\` ID.\n
@@ -2784,254 +2793,766 @@ const cmdDiffScan = {
   }
 };
 
-// import { detect } from '../../utils/package-environment-detector'
-
 const {
-  NPM: NPM$d
+  NPM: NPM$f
 } = constants;
 function isTopLevel(tree, node) {
   return tree.children.get(node.name) === node;
 }
-async function runFix() {
-  // Lazily access constants.spinner.
+async function npmFix(_pkgEnvDetails, cwd, options) {
   const {
     spinner
-  } = constants;
-  spinner.start();
-  const cwd = process.cwd();
-  const editablePkgJson = await packages.readPackageJson(cwd, {
-    editable: true
-  });
-  // const agentDetails = await detect()
-
-  const arb = new index.SafeArborist({
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start();
+  const arb = new shadowNpmInject.SafeArborist({
     path: cwd,
-    ...index.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
   });
   await arb.reify();
-  const alerts = await index.getPackagesAlerts(arb, {
+  const alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, {
     consolidate: true,
-    includeExisting: true,
-    includeUnfixable: false
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
+    }
   });
-  const infoByPkg = index.getCveInfoByPackage(alerts);
+  const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap);
+  if (!infoByPkg) {
+    spinner?.stop();
+    return;
+  }
   await arb.buildIdealTree();
-  if (infoByPkg) {
-    for (const {
-      0: name,
-      1: infos
-    } of infoByPkg) {
-      let revertToIdealTree = arb.idealTree;
-      arb.idealTree = null;
-      // eslint-disable-next-line no-await-in-loop
-      await arb.buildIdealTree();
-      const tree = arb.idealTree;
-      const hasUpgrade = !!registry.getManifestData(NPM$d, name);
-      if (hasUpgrade) {
-        spinner.info(`Skipping ${name}. Socket Optimize package exists.`);
-        continue;
-      }
-      const nodes = index.findPackageNodes(tree, name);
-      const packument = nodes.length && infos.length ?
-      // eslint-disable-next-line no-await-in-loop
-      await packages.fetchPackagePackument(name) : null;
-      if (packument) {
-        for (let i = 0, {
-            length: nodesLength
-          } = nodes; i < nodesLength; i += 1) {
-          const node = nodes[i];
-          for (let j = 0, {
-              length: infosLength
-            } = infos; j < infosLength; j += 1) {
-            const {
-              firstPatchedVersionIdentifier,
-              vulnerableVersionRange
-            } = infos[j];
-            const {
-              version: oldVersion
-            } = node;
-            if (index.updateNode(node, packument, vulnerableVersionRange)) {
-              try {
-                // eslint-disable-next-line no-await-in-loop
-                await npm.runScript('test', [], {
-                  spinner,
-                  stdio: 'ignore'
-                });
-                spinner.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
-                if (isTopLevel(tree, node)) {
-                  for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
-                    const oldVersion = editablePkgJson.content[depField]?.[name];
-                    if (oldVersion) {
-                      const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? '';
-                      editablePkgJson.content[depField][name] = `${decorator}${node.version}`;
-                    }
-                  }
+  const editablePkgJson = await packages.readPackageJson(cwd, {
+    editable: true
+  });
+  for (const {
+    0: name,
+    1: infos
+  } of infoByPkg) {
+    const revertToIdealTree = arb.idealTree;
+    arb.idealTree = null;
+    // eslint-disable-next-line no-await-in-loop
+    await arb.buildIdealTree();
+    const tree = arb.idealTree;
+    const hasUpgrade = !!registry.getManifestData(NPM$f, name);
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`);
+      continue;
+    }
+    const nodes = shadowNpmInject.findPackageNodes(tree, name);
+    const packument = nodes.length && infos.length ?
+    // eslint-disable-next-line no-await-in-loop
+    await packages.fetchPackagePackument(name) : null;
+    if (!packument) {
+      continue;
+    }
+    for (let i = 0, {
+        length: nodesLength
+      } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i];
+      for (let j = 0, {
+          length: infosLength
+        } = infos; j < infosLength; j += 1) {
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = infos[j];
+        const {
+          version: oldVersion
+        } = node;
+        if (shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            await npm.runScript('test', [], {
+              spinner,
+              stdio: 'ignore'
+            });
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
+            if (isTopLevel(tree, node)) {
+              for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
+                const {
+                  content: pkgJson
+                } = editablePkgJson;
+                const oldVersion = pkgJson[depField]?.[name];
+                if (oldVersion) {
+                  const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? '';
+                  pkgJson[depField][name] = `${decorator}${node.version}`;
                 }
-                // eslint-disable-next-line no-await-in-loop
-                await editablePkgJson.save();
-              } catch {
-                spinner.error(`Reverting ${name} to ${oldVersion}`);
-                arb.idealTree = revertToIdealTree;
               }
-            } else {
-              spinner.error(`Could not patch ${name} ${oldVersion}`);
             }
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save();
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`);
+            arb.idealTree = revertToIdealTree;
           }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`);
         }
       }
     }
   }
-  const arb2 = new index.Arborist({
+  const arb2 = new shadowNpmInject.Arborist({
     path: cwd
   });
   arb2.idealTree = arb.idealTree;
   await arb2.reify();
-  spinner.stop();
+  spinner?.stop();
 }
 
-const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
-} = constants;
-const config$t = {
-  commandName: 'fix',
-  description: 'Fix "fixable" Socket alerts',
-  hidden: true,
-  flags: {
-    ...commonFlags
-  },
-  help: (command, config) => `
-    Usage
-      $ ${command}
-
-    Options
-      ${getFlagListOutput(config.flags, 6)}
-  `
-};
-const cmdFix = {
-  description: config$t.description,
-  hidden: config$t.hidden,
-  run: run$t
-};
-async function run$t(argv, importMeta, {
-  parentName
-}) {
-  const cli = meowOrExit({
-    argv,
-    config: config$t,
-    importMeta,
-    parentName
-  });
-  if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
-    return;
+async function getAlertsMapFromPnpmLockfile(lockfile, options) {
+  const {
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const depTypes = lockfile_detectDepTypes.detectDepTypes(lockfile);
+  const pkgIds = Object.keys(depTypes);
+  let {
+    length: remaining
+  } = pkgIds;
+  const alertsByPkgId = new Map();
+  if (!remaining) {
+    return alertsByPkgId;
+  }
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner?.start(getText());
+  const toAlertsMapOptions = {
+    overrides: lockfile.overrides,
+    ...options
+  };
+  for await (const artifact of shadowNpmInject.batchScan(pkgIds)) {
+    await shadowNpmInject.addArtifactToAlertsMap(artifact, alertsByPkgId, toAlertsMapOptions);
+    remaining -= 1;
+    if (spinner && remaining > 0) {
+      spinner.start();
+      spinner.setText(getText());
+    }
   }
-  await runFix();
+  spinner?.stop();
+  return alertsByPkgId;
 }
 
-function objectSome(obj) {
-  for (const key in obj) {
-    if (obj[key]) {
-      return true;
+function cmdFlagsToString(args) {
+  const result = [];
+  for (let i = 0, {
+      length
+    } = args; i < length; i += 1) {
+    if (args[i].startsWith('--')) {
+      // Check if the next item exists and is NOT another flag.
+      if (i + 1 < length && !args[i + 1].startsWith('--')) {
+        result.push(`${args[i]}=${args[i + 1]}`);
+        i += 1;
+      } else {
+        result.push(args[i]);
+      }
     }
   }
-  return false;
+  return result.join(' ');
 }
-function pick(input, keys) {
-  const result = {};
-  for (const key of keys) {
-    result[key] = input[key];
+
+const {
+  SOCKET_IPC_HANDSHAKE
+} = constants;
+function safeNpmInstall(options) {
+  const {
+    agentExecPath = shadowNpmPaths.getNpmBinPath(),
+    args = [],
+    ipc,
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const useIpc = objects.isObject(ipc);
+  const useDebug = debug.isDebug();
+  const terminatorPos = args.indexOf('--');
+  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
+  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : [];
+  const spawnPromise = spawn.spawn(
+  // Lazily access constants.execPath.
+  constants.execPath, [
+  // Lazily access constants.nodeHardenFlags.
+  ...constants.nodeHardenFlags,
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags, '--require',
+  // Lazily access constants.distShadowNpmInjectPath.
+  constants.distShadowNpmInjectPath, agentExecPath, 'install',
+  // Avoid code paths for 'audit' and 'fund'.
+  '--no-audit', '--no-fund',
+  // Add `--no-progress` flag to fix input being swallowed by the spinner
+  // when running the command with recent versions of npm.
+  '--no-progress',
+  // Add '--loglevel=error' if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...logLevelArgs, ...npmArgs, ...otherArgs], {
+    spinner,
+    // Set stdio to include 'ipc'.
+    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
+    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
+    stdio: useIpc ? [0, 1, 2, 'ipc'] : 'inherit',
+    ...spawnOptions,
+    env: {
+      ...process$1.env,
+      ...spawnOptions.env
+    }
+  });
+  if (useIpc) {
+    spawnPromise.process.send({
+      [SOCKET_IPC_HANDSHAKE]: ipc
+    });
   }
-  return result;
+  return spawnPromise;
 }
 
-function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean);
+const {
+  NPM: NPM$e
+} = constants;
+function runAgentInstall(pkgEnvDetails, options) {
   const {
-    length
-  } = values;
-  if (!length) {
-    return '';
-  }
-  if (length === 1) {
-    return values[0];
+    agent,
+    agentExecPath
+  } = pkgEnvDetails;
+  // All package managers support the "install" command.
+  if (agent === NPM$e) {
+    return safeNpmInstall({
+      agentExecPath,
+      ...options
+    });
   }
-  const finalValue = values.pop();
-  return `${values.join(', ')}${separator}${finalValue}`;
+  const {
+    args = [],
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  return spawn.spawn(agentExecPath, ['install', ...args], {
+    spinner,
+    stdio: debug.isDebug() ? 'inherit' : 'ignore',
+    ...spawnOptions,
+    env: {
+      ...process.env,
+      NODE_OPTIONS: cmdFlagsToString([
+      // Lazily access constants.nodeHardenFlags.
+      ...constants.nodeHardenFlags,
+      // Lazily access constants.nodeNoWarningsFlags.
+      ...constants.nodeNoWarningsFlags]),
+      ...spawnOptions.env
+    }
+  });
 }
 
-// Ordered from most severe to least.
-const SEVERITIES_BY_ORDER = ['critical', 'high', 'middle', 'low'];
-function getDesiredSeverities(lowestToInclude) {
-  const result = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    result.push(severity);
-    if (severity === lowestToInclude) {
-      break;
-    }
+const {
+  NPM: NPM$d,
+  OVERRIDES: OVERRIDES$2,
+  PNPM: PNPM$9
+} = constants;
+async function pnpmFix(pkgEnvDetails, cwd, options) {
+  const {
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start();
+  const lockfile = await lockfileFile.readWantedLockfile(cwd, {
+    ignoreIncompatible: false
+  });
+  if (!lockfile) {
+    spinner?.stop();
+    return;
   }
-  return result;
-}
-function formatSeverityCount(severityCount) {
-  const summary = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`);
+  const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {
+    consolidate: true,
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
     }
+  });
+  const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap);
+  if (!infoByPkg) {
+    spinner?.stop();
+    return;
   }
-  return stringJoinWithSeparateFinalSeparator(summary);
-}
-function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick({
-    low: 0,
-    middle: 0,
-    high: 0,
-    critical: 0
-  }, getDesiredSeverities(lowestToInclude));
-  for (const issue of issues) {
-    const {
-      value
-    } = issue;
-    if (!value) {
+  const arb = new shadowNpmInject.SafeArborist({
+    path: cwd,
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  });
+  await arb.loadActual();
+  const editablePkgJson = await packages.readPackageJson(cwd, {
+    editable: true
+  });
+  const {
+    content: pkgJson
+  } = editablePkgJson;
+  for (const {
+    0: name,
+    1: infos
+  } of infoByPkg) {
+    const tree = arb.actualTree;
+    const hasUpgrade = !!registry.getManifestData(NPM$d, name);
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`);
       continue;
     }
-    if (severityCount[value.severity] !== undefined) {
-      severityCount[value.severity] += 1;
+    const nodes = shadowNpmInject.findPackageNodes(tree, name);
+    const packument = nodes.length && infos.length ?
+    // eslint-disable-next-line no-await-in-loop
+    await packages.fetchPackagePackument(name) : null;
+    if (!packument) {
+      continue;
     }
-  }
-  return severityCount;
-}
+    for (let i = 0, {
+        length: nodesLength
+      } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i];
+      for (let j = 0, {
+          length: infosLength
+        } = infos; j < infosLength; j += 1) {
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = infos[j];
+        const {
+          version: oldVersion
+        } = node;
+        const availableVersions = Object.keys(packument.versions);
+        // Find the highest non-vulnerable version within the same major range
+        const targetVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
+        const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+        if (targetPackument) {
+          const oldPnpm = pkgJson[PNPM$9];
+          const oldOverrides = oldPnpm?.[OVERRIDES$2];
+          try {
+            editablePkgJson.update({
+              [PNPM$9]: {
+                ...oldPnpm,
+                [OVERRIDES$2]: {
+                  [`${node.name}@${vulnerableVersionRange}`]: `^${targetVersion}`,
+                  ...oldOverrides
+                }
+              }
+            });
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
 
-async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
-  // Lazily access constants.spinner.
-  const {
-    spinner
-  } = constants;
-  spinner.start(pkgVersion === 'latest' ? `Looking up data for the latest version of ${pkgName}` : `Looking up data for version ${pkgVersion} of ${pkgName}`);
-  const socketSdk = await index.setupSdk(index.getPublicToken());
-  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package');
-  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score');
-  if (result.success === false) {
-    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result, spinner);
-  }
-  if (scoreResult.success === false) {
-    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult, spinner);
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save();
+            // eslint-disable-next-line no-await-in-loop
+            await runAgentInstall(pkgEnvDetails, {
+              spinner
+            });
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`);
+          }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`);
+        }
+      }
+    }
   }
-  const severityCount = getSeverityCount(result.data, includeAllIssues ? undefined : 'high');
-  spinner?.successAndStop('Data fetched');
-  return {
-    data: result.data,
-    severityCount,
-    score: scoreResult.data
-  };
+  spinner?.stop();
 }
 
 const {
-  NPM: NPM$c
-} = registryConstants;
-function formatPackageInfo({
-  data,
-  score,
-  severityCount
+  BINARY_LOCK_EXT,
+  BUN: BUN$6,
+  LOCK_EXT: LOCK_EXT$1,
+  NPM: NPM$c,
+  PNPM: PNPM$8,
+  VLT: VLT$6,
+  YARN,
+  YARN_BERRY: YARN_BERRY$6,
+  YARN_CLASSIC: YARN_CLASSIC$6
+} = constants;
+const AGENTS = [BUN$6, NPM$c, PNPM$8, YARN_BERRY$6, YARN_CLASSIC$6, VLT$6];
+const binByAgent = {
+  __proto__: null,
+  [BUN$6]: BUN$6,
+  [NPM$c]: NPM$c,
+  [PNPM$8]: PNPM$8,
+  [YARN_BERRY$6]: YARN,
+  [YARN_CLASSIC$6]: YARN,
+  [VLT$6]: VLT$6
+};
+async function getAgentExecPath(agent) {
+  const binName = binByAgent[agent];
+  return (await which(binName, {
+    nothrow: true
+  })) ?? binName;
+}
+async function getAgentVersion(agentExecPath, cwd) {
+  let result;
+  try {
+    result = semver.coerce(
+    // All package managers support the "--version" flag.
+    (await spawn.spawn(agentExecPath, ['--version'], {
+      cwd
+    })).stdout) ?? undefined;
+  } catch {}
+  return result;
+}
+
+// The order of LOCKS properties IS significant as it affects iteration order.
+const LOCKS = {
+  [`bun${LOCK_EXT$1}`]: BUN$6,
+  [`bun${BINARY_LOCK_EXT}`]: BUN$6,
+  // If both package-lock.json and npm-shrinkwrap.json are present in the root
+  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
+  // will be ignored.
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
+  'npm-shrinkwrap.json': NPM$c,
+  'package-lock.json': NPM$c,
+  'pnpm-lock.yaml': PNPM$8,
+  'pnpm-lock.yml': PNPM$8,
+  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$6,
+  'vlt-lock.json': VLT$6,
+  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
+  //
+  // Unlike the other LOCKS keys this key contains a directory AND filename so
+  // it has to be handled differently.
+  'node_modules/.package-lock.json': NPM$c
+};
+const readLockFileByAgent = (() => {
+  function wrapReader(reader) {
+    return async (...args) => {
+      try {
+        return await reader(...args);
+      } catch {}
+      return undefined;
+    };
+  }
+  const binaryReader = wrapReader(shadowNpmInject.readFileBinary);
+  const defaultReader = wrapReader(async lockPath => await shadowNpmInject.readFileUtf8(lockPath));
+  return {
+    [BUN$6]: wrapReader(async (lockPath, agentExecPath) => {
+      const ext = path.extname(lockPath);
+      if (ext === LOCK_EXT$1) {
+        return await defaultReader(lockPath);
+      }
+      if (ext === BINARY_LOCK_EXT) {
+        const lockBuffer = await binaryReader(lockPath);
+        if (lockBuffer) {
+          try {
+            return index_cjs.parse(lockBuffer);
+          } catch {}
+        }
+        // To print a Yarn lockfile to your console without writing it to disk
+        // use `bun bun.lockb`.
+        // https://bun.sh/guides/install/yarnlock
+        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
+      }
+      return undefined;
+    }),
+    [NPM$c]: defaultReader,
+    [PNPM$8]: defaultReader,
+    [VLT$6]: defaultReader,
+    [YARN_BERRY$6]: defaultReader,
+    [YARN_CLASSIC$6]: defaultReader
+  };
+})();
+async function detectPackageEnvironment({
+  cwd = process$1.cwd(),
+  onUnknown
+} = {}) {
+  let lockPath = await shadowNpmInject.findUp(Object.keys(LOCKS), {
+    cwd
+  });
+  let lockName = lockPath ? path.basename(lockPath) : undefined;
+  const isHiddenLockFile = lockName === '.package-lock.json';
+  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await shadowNpmInject.findUp('package.json', {
+    cwd
+  });
+  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
+  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
+    editable: true
+  }) : undefined;
+  const pkgJson = editablePkgJson?.content;
+  // Read Corepack `packageManager` field in package.json:
+  // https://nodejs.org/api/packages.html#packagemanager
+  const pkgManager = strings.isNonEmptyString(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
+  let agent;
+  let agentVersion;
+  if (pkgManager) {
+    const atSignIndex = pkgManager.lastIndexOf('@');
+    if (atSignIndex !== -1) {
+      const name = pkgManager.slice(0, atSignIndex);
+      const version = pkgManager.slice(atSignIndex + 1);
+      if (version && AGENTS.includes(name)) {
+        agent = name;
+        agentVersion = semver.coerce(version) ?? undefined;
+      }
+    }
+  }
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
+    agent = LOCKS[lockName];
+  }
+  if (agent === undefined) {
+    agent = NPM$c;
+    onUnknown?.(pkgManager);
+  }
+  const agentExecPath = await getAgentExecPath(agent);
+  const npmExecPath = agent === NPM$c ? agentExecPath : await getAgentExecPath(NPM$c);
+  if (agentVersion === undefined) {
+    agentVersion = await getAgentVersion(agentExecPath, cwd);
+  }
+  if (agent === YARN_CLASSIC$6 && (agentVersion?.major ?? 0) > 1) {
+    agent = YARN_BERRY$6;
+  }
+  const targets = {
+    browser: false,
+    node: true
+  };
+  let lockSrc;
+  // Lazily access constants.maintainedNodeVersions.
+  let minimumNodeVersion = constants.maintainedNodeVersions.last;
+  if (pkgJson) {
+    const browserField = pkgJson.browser;
+    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
+      targets.browser = true;
+    }
+    const nodeRange = pkgJson.engines?.['node'];
+    if (strings.isNonEmptyString(nodeRange)) {
+      const coerced = semver.coerce(nodeRange);
+      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+        minimumNodeVersion = coerced.version;
+      }
+    }
+    const browserslistQuery = pkgJson['browserslist'];
+    if (Array.isArray(browserslistQuery)) {
+      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
+      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
+      if (!targets.browser && browserslistTargets.length) {
+        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
+      }
+      if (browserslistNodeTargets.length) {
+        const coerced = semver.coerce(browserslistNodeTargets[0]);
+        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+          minimumNodeVersion = coerced.version;
+        }
+      }
+    }
+    // Lazily access constants.maintainedNodeVersions.
+    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
+    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
+  } else {
+    lockName = undefined;
+    lockPath = undefined;
+  }
+  return {
+    agent,
+    agentExecPath,
+    agentVersion,
+    lockName,
+    lockPath,
+    lockSrc,
+    minimumNodeVersion,
+    npmExecPath,
+    pkgJson: editablePkgJson,
+    pkgPath,
+    supported: targets.browser || targets.node,
+    targets
+  };
+}
+
+const {
+  BUN: BUN$5,
+  VLT: VLT$5,
+  YARN_BERRY: YARN_BERRY$5
+} = constants;
+const COMMAND_TITLE$2 = 'Socket Optimize';
+async function detectAndValidatePackageEnvironment(cwd, options) {
+  const {
+    logger,
+    prod
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const details = await detectPackageEnvironment({
+    cwd,
+    onUnknown(pkgManager) {
+      logger?.warn(`${COMMAND_TITLE$2}: Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`);
+    }
+  });
+  if (!details.supported) {
+    logger?.fail(`${COMMAND_TITLE$2}: No supported Node or browser range detected`);
+    return;
+  }
+  if (details.agent === VLT$5) {
+    logger?.fail(`${COMMAND_TITLE$2}: ${details.agent} does not support overrides. Soon, though ⚡`);
+    return;
+  }
+  const lockName = details.lockName ?? 'lock file';
+  if (details.lockName === undefined || details.lockSrc === undefined) {
+    logger?.fail(`${COMMAND_TITLE$2}: No ${lockName} found`);
+    return;
+  }
+  if (details.lockSrc.trim() === '') {
+    logger?.fail(`${COMMAND_TITLE$2}: ${lockName} is empty`);
+    return;
+  }
+  if (details.pkgPath === undefined) {
+    logger?.fail(`${COMMAND_TITLE$2}: No package.json found`);
+    return;
+  }
+  if (prod && (details.agent === BUN$5 || details.agent === YARN_BERRY$5)) {
+    logger?.fail(`${COMMAND_TITLE$2}: --prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.toString()}` : ''}`);
+    return;
+  }
+  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
+    logger?.warn(`${COMMAND_TITLE$2}: Package ${lockName} found at ${details.lockPath}`);
+  }
+  return details;
+}
+
+const {
+  NPM: NPM$b,
+  PNPM: PNPM$7
+} = constants;
+async function runFix() {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start();
+  const cwd = process.cwd();
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    logger: logger.logger
+  });
+  if (!pkgEnvDetails) {
+    spinner.stop();
+    return;
+  }
+  switch (pkgEnvDetails.agent) {
+    case NPM$b:
+      {
+        await npmFix(pkgEnvDetails, cwd);
+        break;
+      }
+    case PNPM$7:
+      {
+        await pnpmFix(pkgEnvDetails, cwd);
+        break;
+      }
+  }
+  spinner.successAndStop('Socket.dev fix successful');
+}
+
+const {
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
+} = constants;
+const config$t = {
+  commandName: 'fix',
+  description: 'Fix "fixable" Socket alerts',
+  hidden: true,
+  flags: {
+    ...commonFlags
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command}
+
+    Options
+      ${getFlagListOutput(config.flags, 6)}
+  `
+};
+const cmdFix = {
+  description: config$t.description,
+  hidden: config$t.hidden,
+  run: run$t
+};
+async function run$t(argv, importMeta, {
+  parentName
+}) {
+  const cli = meowOrExit({
+    argv,
+    config: config$t,
+    importMeta,
+    parentName
+  });
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
+    return;
+  }
+  await runFix();
+}
+
+async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
+  const socketSdk = await shadowNpmInject.setupSdk(shadowNpmInject.getPublicToken());
+  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package');
+  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score');
+  if (result.success === false) {
+    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result);
+  }
+  if (scoreResult.success === false) {
+    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult);
+  }
+  const severityCount = shadowNpmInject.getSeverityCount(result.data, includeAllIssues ? undefined : 'high');
+  return {
+    data: result.data,
+    severityCount,
+    score: scoreResult.data
+  };
+}
+
+const {
+  NPM: NPM$a
+} = registryConstants;
+function formatScore(score) {
+  if (score > 80) {
+    return colors.green(`${score}`);
+  } else if (score < 80 && score > 60) {
+    return colors.yellow(`${score}`);
+  }
+  return colors.red(`${score}`);
+}
+function logPackageIssuesDetails(packageData, outputMarkdown) {
+  const issueDetails = packageData.filter(d => d.value?.severity === shadowNpmInject.SEVERITY.critical || d.value?.severity === shadowNpmInject.SEVERITY.high);
+  const uniqueIssueDetails = issueDetails.reduce((acc, issue) => {
+    const {
+      type
+    } = issue;
+    if (type) {
+      const details = acc.get(type);
+      if (details) {
+        details.count += 1;
+      } else {
+        acc.set(type, {
+          label: issue.value?.label ?? '',
+          count: 1
+        });
+      }
+    }
+    return acc;
+  }, new Map());
+  const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
+  for (const [type, details] of uniqueIssueDetails.entries()) {
+    const issueWithLink = format.hyperlink(details.label, shadowNpmInject.getSocketDevAlertUrl(type), {
+      fallbackToUrl: true
+    });
+    if (details.count === 1) {
+      logger.logger.log(`- ${issueWithLink}`);
+    } else {
+      logger.logger.log(`- ${issueWithLink}: ${details.count}`);
+    }
+  }
+}
+function logPackageInfo({
+  data,
+  score,
+  severityCount
 }, {
   name,
   outputKind,
@@ -3043,10 +3564,13 @@ function formatPackageInfo({
     return;
   }
   if (outputKind === 'markdown') {
-    logger.logger.log(`\n# Package report for ${pkgName}\n`);
-    logger.logger.log('Package report card:\n');
+    logger.logger.log(commonTags.stripIndents`
+      # Package report for ${pkgName}
+
+      Package report card:
+    `);
   } else {
-    logger.logger.log(`\nPackage report card for ${pkgName}:\n`);
+    logger.logger.log(`Package report card for ${pkgName}:`);
   }
   const scoreResult = {
     'Supply Chain Risk': Math.floor(score.supplyChainRisk.score * 100),
@@ -3055,19 +3579,20 @@ function formatPackageInfo({
     Vulnerabilities: Math.floor(score.vulnerability.score * 100),
     License: Math.floor(score.license.score * 100)
   };
+  logger.logger.log('\n');
   Object.entries(scoreResult).map(score => logger.logger.log(`- ${score[0]}: ${formatScore(score[1])}`));
   logger.logger.log('\n');
-  if (objectSome(severityCount)) {
+  if (objects.hasKeys(severityCount)) {
     if (outputKind === 'markdown') {
       logger.logger.log('# Issues\n');
     }
-    logger.logger.log(`Package has these issues: ${formatSeverityCount(severityCount)}\n`);
-    formatPackageIssuesDetails(data, outputKind === 'markdown');
+    logger.logger.log(`Package has these issues: ${shadowNpmInject.formatSeverityCount(severityCount)}\n`);
+    logPackageIssuesDetails(data, outputKind === 'markdown');
   } else {
     logger.logger.log('Package has no issues');
   }
-  const format = new index.ColorOrMarkdown(outputKind === 'markdown');
-  const url = index.getSocketDevPackageOverviewUrl(NPM$c, pkgName, pkgVersion);
+  const format = new shadowNpmInject.ColorOrMarkdown(outputKind === 'markdown');
+  const url = shadowNpmInject.getSocketDevPackageOverviewUrl(NPM$a, pkgName, pkgVersion);
   logger.logger.log('\n');
   if (pkgVersion === 'latest') {
     logger.logger.log(`Detailed info on socket.dev: ${format.hyperlink(`${pkgName}`, url, {
@@ -3084,44 +3609,6 @@ function formatPackageInfo({
     logger.logger.log('');
   }
 }
-function formatPackageIssuesDetails(packageData, outputMarkdown) {
-  const issueDetails = packageData.filter(d => d.value?.severity === 'high' || d.value?.severity === 'critical');
-  const uniqueIssues = issueDetails.reduce((acc, issue) => {
-    const {
-      type
-    } = issue;
-    if (type) {
-      if (acc[type] === undefined) {
-        acc[type] = {
-          label: issue.value?.label,
-          count: 1
-        };
-      } else {
-        acc[type].count += 1;
-      }
-    }
-    return acc;
-  }, {});
-  const format = new index.ColorOrMarkdown(outputMarkdown);
-  for (const issue of Object.keys(uniqueIssues)) {
-    const issueWithLink = format.hyperlink(`${uniqueIssues[issue]?.label}`, index.getSocketDevAlertUrl(issue), {
-      fallbackToUrl: true
-    });
-    if (uniqueIssues[issue]?.count === 1) {
-      logger.logger.log(`- ${issueWithLink}`);
-    } else {
-      logger.logger.log(`- ${issueWithLink}: ${uniqueIssues[issue]?.count}`);
-    }
-  }
-}
-function formatScore(score) {
-  if (score > 80) {
-    return colors.green(`${score}`);
-  } else if (score < 80 && score > 60) {
-    return colors.yellow(`${score}`);
-  }
-  return colors.red(`${score}`);
-}
 
 async function getPackageInfo({
   commandName,
@@ -3131,15 +3618,21 @@ async function getPackageInfo({
   pkgVersion,
   strict
 }) {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start(pkgVersion === 'latest' ? `Looking up data for the latest version of ${pkgName}` : `Looking up data for version ${pkgVersion} of ${pkgName}`);
   const packageData = await fetchPackageInfo(pkgName, pkgVersion, includeAllIssues);
+  spinner.successAndStop('Data fetched');
   if (packageData) {
-    formatPackageInfo(packageData, {
+    logPackageInfo(packageData, {
       name: commandName,
       outputKind,
       pkgName,
       pkgVersion
     });
-    if (strict && objectSome(packageData.severityCount)) {
+    if (strict && objects.hasKeys(packageData.severityCount)) {
       // Let NodeJS exit gracefully but with exit(1)
       process$1.exitCode = 1;
     }
@@ -3196,7 +3689,7 @@ async function run$s(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:\n
+    logger.logger.fail(`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:\n
       - Expecting a package name ${!rawPkgName ? colors.red('(missing!)') : colors.green('(ok)')}\n
       - Can only accept one package at a time ${cli.input.length > 1 ? colors.red('(got ' + cli.input.length + '!)') : colors.green('(ok)')}\n`);
     return;
@@ -3219,18 +3712,18 @@ async function run$s(argv, importMeta, {
 }
 
 function applyLogin(apiToken, enforcedOrgs, apiBaseUrl, apiProxy) {
-  index.updateSetting('enforcedOrgs', enforcedOrgs);
-  index.updateSetting('apiToken', apiToken);
-  index.updateSetting('apiBaseUrl', apiBaseUrl);
-  index.updateSetting('apiProxy', apiProxy);
+  shadowNpmInject.updateSetting('enforcedOrgs', enforcedOrgs);
+  shadowNpmInject.updateSetting('apiToken', apiToken);
+  shadowNpmInject.updateSetting('apiBaseUrl', apiBaseUrl);
+  shadowNpmInject.updateSetting('apiProxy', apiProxy);
 }
 
 const {
   SOCKET_PUBLIC_API_TOKEN
 } = constants;
 async function attemptLogin(apiBaseUrl, apiProxy) {
-  apiBaseUrl ??= index.getSetting('apiBaseUrl') ?? undefined;
-  apiProxy ??= index.getSetting('apiProxy') ?? undefined;
+  apiBaseUrl ??= shadowNpmInject.getSetting('apiBaseUrl') ?? undefined;
+  apiProxy ??= shadowNpmInject.getSetting('apiProxy') ?? undefined;
   const apiToken = (await prompts.password({
     message: `Enter your ${terminalLink('Socket.dev API key', 'https://docs.socket.dev/docs/api-keys')} (leave blank for a public key)`
   })) || SOCKET_PUBLIC_API_TOKEN;
@@ -3241,13 +3734,13 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   spinner.start('Verifying API key...');
   let orgs;
   try {
-    const sdk = await index.setupSdk(apiToken, apiBaseUrl, apiProxy);
+    const sdk = await shadowNpmInject.setupSdk(apiToken, apiBaseUrl, apiProxy);
     const result = await sdk.getOrganizations();
     if (!result.success) {
-      throw new index.AuthError();
+      throw new shadowNpmInject.AuthError();
     }
     orgs = result.data;
-    spinner.successAndStop('API key verified');
+    spinner.success('API key verified');
   } catch {
     spinner.errorAndStop('Invalid API key');
     return;
@@ -3285,14 +3778,13 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
       }
     }
   }
-  const oldToken = index.getSetting('apiToken');
+  spinner.stop();
+  const oldToken = shadowNpmInject.getSetting('apiToken');
   try {
     applyLogin(apiToken, enforcedOrgs, apiBaseUrl, apiProxy);
-    spinner.start();
-    spinner.successAndStop(`API credentials ${oldToken ? 'updated' : 'set'}`);
+    logger.logger.success(`API credentials ${oldToken ? 'updated' : 'set'}`);
   } catch {
-    spinner.start();
-    spinner.errorAndStop(`API login failed`);
+    logger.logger.fail(`API login failed`);
   }
 }
 
@@ -3342,23 +3834,23 @@ async function run$r(argv, importMeta, {
     importMeta,
     parentName
   });
-  let apiBaseUrl = cli.flags['apiBaseUrl'];
-  let apiProxy = cli.flags['apiProxy'];
+  const apiBaseUrl = cli.flags['apiBaseUrl'];
+  const apiProxy = cli.flags['apiProxy'];
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAIL_TEXT$q);
     return;
   }
   if (!isInteractive()) {
-    throw new index.InputError('Cannot prompt for credentials in a non-interactive shell');
+    throw new shadowNpmInject.InputError('Cannot prompt for credentials in a non-interactive shell');
   }
   await attemptLogin(apiBaseUrl, apiProxy);
 }
 
 function applyLogout() {
-  index.updateSetting('apiToken', null);
-  index.updateSetting('apiBaseUrl', null);
-  index.updateSetting('apiProxy', null);
-  index.updateSetting('enforcedOrgs', null);
+  shadowNpmInject.updateSetting('apiToken', null);
+  shadowNpmInject.updateSetting('apiBaseUrl', null);
+  shadowNpmInject.updateSetting('apiProxy', null);
+  shadowNpmInject.updateSetting('enforcedOrgs', null);
 }
 
 function attemptLogout() {
@@ -3366,7 +3858,7 @@ function attemptLogout() {
     applyLogout();
     logger.logger.success('Successfully logged out');
   } catch {
-    logger.logger.error('Failed to complete logout steps');
+    logger.logger.fail('Failed to complete logout steps');
   }
 }
 
@@ -3448,14 +3940,14 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
       logger.logger.groupEnd();
     }
     if (output.stderr) {
-      logger.logger.error('There were errors while running gradle');
+      process.exitCode = 1;
+      logger.logger.fail('There were errors while running gradle');
       // (In verbose mode, stderr was printed above, no need to repeat it)
       if (!verbose) {
         logger.logger.group('[VERBOSE] stderr:');
         logger.logger.error(output.stderr);
         logger.logger.groupEnd();
       }
-      process.exitCode = 1;
       return;
     }
     logger.logger.success('Executed gradle successfully');
@@ -3467,7 +3959,7 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
 
     // const loc = output.stdout?.match(/Wrote (.*?.pom)\n/)?.[1]?.trim()
     // if (!loc) {
-    //   logger.error(
+    //   logger.fail(
     //     'There were no errors from sbt but could not find the location of resulting .pom file either'
     //   )
     //   process.exit(1)
@@ -3493,15 +3985,14 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
     //   spinner.successAndStop(`OK. File should be available in \`${out}\``)
     // }
   } catch (e) {
-    spinner.errorAndStop('There was an unexpected error while running this' + (verbose ? '' : ' (use --verbose for details)'));
+    process.exitCode = 1;
+    spinner.stop();
+    logger.logger.fail('There was an unexpected error while running this' + (verbose ? '' : ' (use --verbose for details)'));
     if (verbose) {
       logger.logger.group('[VERBOSE] error:');
       logger.logger.log(e);
       logger.logger.groupEnd();
     }
-    process.exitCode = 1;
-  } finally {
-    spinner.stop();
   }
 }
 
@@ -3611,7 +4102,7 @@ async function run$p(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - The DIR arg is required ${!target ? colors.red('(missing!)') : target === '-' ? colors.red('(stdin is not supported)') : colors.green('(ok)')}
 
@@ -3687,14 +4178,14 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
       logger.logger.groupEnd();
     }
     if (output.stderr) {
-      logger.logger.error('There were errors while running sbt');
+      process.exitCode = 1;
+      logger.logger.fail('There were errors while running sbt');
       // (In verbose mode, stderr was printed above, no need to repeat it)
       if (!verbose) {
         logger.logger.group('[VERBOSE] stderr:');
         logger.logger.error(output.stderr);
         logger.logger.groupEnd();
       }
-      process.exitCode = 1;
       return;
     }
     const poms = [];
@@ -3703,8 +4194,8 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
       return fn;
     });
     if (!poms.length) {
-      logger.logger.error('There were no errors from sbt but it seems to not have generated any poms either');
       process.exitCode = 1;
+      logger.logger.fail('There were no errors from sbt but it seems to not have generated any poms either');
       return;
     }
     // Move the pom file to ...? initial cwd? loc will be an absolute path, or dump to stdout
@@ -3712,14 +4203,14 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
     // TODO: maybe we can add an option to target a specific file to dump to stdout
     if (out === '-' && poms.length === 1) {
       logger.logger.log('Result:\n```');
-      logger.logger.log(await index.safeReadFile(poms[0], 'utf8'));
+      logger.logger.log(await shadowNpmInject.safeReadFile(poms[0], 'utf8'));
       logger.logger.log('```');
       logger.logger.success(`OK`);
     } else if (out === '-') {
-      logger.logger.error('Requested out target was stdout but there are multiple generated files');
+      process.exitCode = 1;
+      logger.logger.fail('Requested out target was stdout but there are multiple generated files');
       poms.forEach(fn => logger.logger.error('-', fn));
       logger.logger.error('Exiting now...');
-      process.exitCode = 1;
       return;
     } else {
       // if (verbose) {
@@ -3736,15 +4227,14 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
       logger.logger.success(`OK`);
     }
   } catch (e) {
-    spinner?.errorAndStop('There was an unexpected error while running this' + (verbose ? '' : ' (use --verbose for details)'));
+    process.exitCode = 1;
+    spinner.stop();
+    logger.logger.fail('There was an unexpected error while running this' + (verbose ? '' : ' (use --verbose for details)'));
     if (verbose) {
       logger.logger.group('[VERBOSE] error:');
       logger.logger.log(e);
       logger.logger.groupEnd();
     }
-    process.exitCode = 1;
-  } finally {
-    spinner.stop();
   }
 }
 
@@ -3814,6 +4304,9 @@ const config$o = {
 
     Support is beta. Please report issues or give us feedback on what's missing.
 
+    This is only for SBT. If your Scala setup uses gradle, please see the help
+    sections for \`socket manifest gradle\` or \`socket cdxgen\`.
+
     Examples
 
       $ ${command} ./build.sbt
@@ -3852,7 +4345,7 @@ async function run$o(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - The DIR or FILE arg is required ${!target ? colors.red('(missing!)') : target === '-' ? colors.red('(stdin is not supported)') : colors.green('(ok)')}
 
@@ -4112,7 +4605,7 @@ async function run$m(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - The DIR arg is required ${!target ? colors.red('(missing!)') : target === '-' ? colors.red('(stdin is not supported)') : colors.green('(ok)')}
 
@@ -4187,22 +4680,21 @@ async function run$l(argv, importMeta, {
 }
 
 const {
-  NPM: NPM$b,
-  SHADOW_BIN: SHADOW_BIN$1
+  NPM: NPM$9
 } = constants;
 async function wrapNpm(argv) {
-  // Lazily access constants.distPath.
-  const shadowBin = require(`${constants.distPath}/${SHADOW_BIN$1}.js`);
-  await shadowBin(NPM$b, argv);
+  // Lazily access constants.distShadowNpmBinPath.
+  const shadowBin = require(constants.distShadowNpmBinPath);
+  await shadowBin(NPM$9, argv);
 }
 
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k,
-  NPM: NPM$a
+  NPM: NPM$8
 } = constants;
 const config$k = {
   commandName: 'npm',
-  description: `${NPM$a} wrapper functionality`,
+  description: `${NPM$8} wrapper functionality`,
   hidden: false,
   flags: {},
   help: (command, _config) => `
@@ -4233,12 +4725,11 @@ async function run$k(argv, importMeta, {
 }
 
 const {
-  NPX: NPX$2,
-  SHADOW_BIN
+  NPX: NPX$2
 } = constants;
 async function wrapNpx(argv) {
-  // Lazily access constants.distPath.
-  const shadowBin = require(`${constants.distPath}/${SHADOW_BIN}.js`);
+  // Lazily access constants.distShadowNpmBinPath.
+  const shadowBin = require(constants.distShadowNpmBinPath);
   await shadowBin(NPX$2, argv);
 }
 
@@ -4301,289 +4792,36 @@ const cmdOops = {
   run: run$i
 };
 async function run$i(argv, importMeta, {
-  parentName
-}) {
-  const cli = meowOrExit({
-    argv,
-    config: config$i,
-    importMeta,
-    parentName
-  });
-  if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$i);
-    return;
-  }
-  throw new Error('This error was intentionally left blank');
-}
-
-const {
-  BUN: BUN$6,
-  NPM: NPM$9,
-  PNPM: PNPM$7,
-  VLT: VLT$6,
-  YARN_BERRY: YARN_BERRY$6,
-  YARN_CLASSIC: YARN_CLASSIC$6
-} = constants;
-function matchHumanStdout(stdout, name) {
-  return stdout.includes(` ${name}@`);
-}
-function matchQueryStdout(stdout, name) {
-  return stdout.includes(`"${name}"`);
-}
-const depsIncludesByAgent = new Map([[BUN$6, matchHumanStdout], [NPM$9, matchQueryStdout], [PNPM$7, matchQueryStdout], [VLT$6, matchQueryStdout], [YARN_BERRY$6, matchHumanStdout], [YARN_CLASSIC$6, matchHumanStdout]]);
-
-const {
-  BINARY_LOCK_EXT,
-  BUN: BUN$5,
-  LOCK_EXT: LOCK_EXT$1,
-  NPM: NPM$8,
-  PNPM: PNPM$6,
-  VLT: VLT$5,
-  YARN,
-  YARN_BERRY: YARN_BERRY$5,
-  YARN_CLASSIC: YARN_CLASSIC$5
-} = constants;
-const AGENTS = [BUN$5, NPM$8, PNPM$6, YARN_BERRY$5, YARN_CLASSIC$5, VLT$5];
-const binByAgent = {
-  __proto__: null,
-  [BUN$5]: BUN$5,
-  [NPM$8]: NPM$8,
-  [PNPM$6]: PNPM$6,
-  [YARN_BERRY$5]: YARN,
-  [YARN_CLASSIC$5]: YARN,
-  [VLT$5]: VLT$5
-};
-async function getAgentExecPath(agent) {
-  const binName = binByAgent[agent];
-  return (await which(binName, {
-    nothrow: true
-  })) ?? binName;
-}
-async function getAgentVersion(agentExecPath, cwd) {
-  let result;
-  try {
-    result = semver.coerce(
-    // All package managers support the "--version" flag.
-    (await spawn.spawn(agentExecPath, ['--version'], {
-      cwd
-    })).stdout) ?? undefined;
-  } catch {}
-  return result;
-}
-
-// The order of LOCKS properties IS significant as it affects iteration order.
-const LOCKS = {
-  [`bun${LOCK_EXT$1}`]: BUN$5,
-  [`bun${BINARY_LOCK_EXT}`]: BUN$5,
-  // If both package-lock.json and npm-shrinkwrap.json are present in the root
-  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
-  // will be ignored.
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
-  'npm-shrinkwrap.json': NPM$8,
-  'package-lock.json': NPM$8,
-  'pnpm-lock.yaml': PNPM$6,
-  'pnpm-lock.yml': PNPM$6,
-  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$5,
-  'vlt-lock.json': VLT$5,
-  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
-  //
-  // Unlike the other LOCKS keys this key contains a directory AND filename so
-  // it has to be handled differently.
-  'node_modules/.package-lock.json': NPM$8
-};
-const readLockFileByAgent = (() => {
-  function wrapReader(reader) {
-    return async (...args) => {
-      try {
-        return await reader(...args);
-      } catch {}
-      return undefined;
-    };
-  }
-  const binaryReader = wrapReader(index.readFileBinary);
-  const defaultReader = wrapReader(async lockPath => await index.readFileUtf8(lockPath));
-  return {
-    [BUN$5]: wrapReader(async (lockPath, agentExecPath) => {
-      const ext = path.extname(lockPath);
-      if (ext === LOCK_EXT$1) {
-        return await defaultReader(lockPath);
-      }
-      if (ext === BINARY_LOCK_EXT) {
-        const lockBuffer = await binaryReader(lockPath);
-        if (lockBuffer) {
-          try {
-            return index_cjs.parse(lockBuffer);
-          } catch {}
-        }
-        // To print a Yarn lockfile to your console without writing it to disk
-        // use `bun bun.lockb`.
-        // https://bun.sh/guides/install/yarnlock
-        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
-      }
-      return undefined;
-    }),
-    [NPM$8]: defaultReader,
-    [PNPM$6]: defaultReader,
-    [VLT$5]: defaultReader,
-    [YARN_BERRY$5]: defaultReader,
-    [YARN_CLASSIC$5]: defaultReader
-  };
-})();
-async function detectPackageEnvironment({
-  cwd = process$1.cwd(),
-  onUnknown
-} = {}) {
-  let lockPath = await index.findUp(Object.keys(LOCKS), {
-    cwd
-  });
-  let lockName = lockPath ? path.basename(lockPath) : undefined;
-  const isHiddenLockFile = lockName === '.package-lock.json';
-  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await index.findUp('package.json', {
-    cwd
-  });
-  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
-  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
-    editable: true
-  }) : undefined;
-  const pkgJson = editablePkgJson?.content;
-  // Read Corepack `packageManager` field in package.json:
-  // https://nodejs.org/api/packages.html#packagemanager
-  const pkgManager = strings.isNonEmptyString(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
-  let agent;
-  let agentVersion;
-  if (pkgManager) {
-    const atSignIndex = pkgManager.lastIndexOf('@');
-    if (atSignIndex !== -1) {
-      const name = pkgManager.slice(0, atSignIndex);
-      const version = pkgManager.slice(atSignIndex + 1);
-      if (version && AGENTS.includes(name)) {
-        agent = name;
-        agentVersion = semver.coerce(version) ?? undefined;
-      }
-    }
-  }
-  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
-    agent = LOCKS[lockName];
-  }
-  if (agent === undefined) {
-    agent = NPM$8;
-    onUnknown?.(pkgManager);
-  }
-  const agentExecPath = await getAgentExecPath(agent);
-  const npmExecPath = agent === NPM$8 ? agentExecPath : await getAgentExecPath(NPM$8);
-  if (agentVersion === undefined) {
-    agentVersion = await getAgentVersion(agentExecPath, cwd);
-  }
-  if (agent === YARN_CLASSIC$5 && (agentVersion?.major ?? 0) > 1) {
-    agent = YARN_BERRY$5;
-  }
-  const targets = {
-    browser: false,
-    node: true
-  };
-  let lockSrc;
-  // Lazily access constants.maintainedNodeVersions.
-  let minimumNodeVersion = constants.maintainedNodeVersions.previous;
-  if (pkgJson) {
-    const browserField = pkgJson.browser;
-    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
-      targets.browser = true;
-    }
-    const nodeRange = pkgJson.engines?.['node'];
-    if (strings.isNonEmptyString(nodeRange)) {
-      const coerced = semver.coerce(nodeRange);
-      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-        minimumNodeVersion = coerced.version;
-      }
-    }
-    const browserslistQuery = pkgJson['browserslist'];
-    if (Array.isArray(browserslistQuery)) {
-      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
-      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
-      if (!targets.browser && browserslistTargets.length) {
-        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
-      }
-      if (browserslistNodeTargets.length) {
-        const coerced = semver.coerce(browserslistNodeTargets[0]);
-        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-          minimumNodeVersion = coerced.version;
-        }
-      }
-    }
-    // Lazily access constants.maintainedNodeVersions.
-    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
-    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
-  } else {
-    lockName = undefined;
-    lockPath = undefined;
+  parentName
+}) {
+  const cli = meowOrExit({
+    argv,
+    config: config$i,
+    importMeta,
+    parentName
+  });
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$i);
+    return;
   }
-  return {
-    agent,
-    agentExecPath,
-    agentVersion,
-    lockName,
-    lockPath,
-    lockSrc,
-    minimumNodeVersion,
-    npmExecPath,
-    pkgJson: editablePkgJson,
-    pkgPath,
-    supported: targets.browser || targets.node,
-    targets
-  };
+  throw new Error('This error was intentionally left blank');
 }
 
 const {
   BUN: BUN$4,
+  NPM: NPM$7,
+  PNPM: PNPM$6,
   VLT: VLT$4,
-  YARN_BERRY: YARN_BERRY$4
+  YARN_BERRY: YARN_BERRY$4,
+  YARN_CLASSIC: YARN_CLASSIC$5
 } = constants;
-const COMMAND_TITLE$2 = 'Socket Optimize';
-async function detectAndValidatePackageEnvironment(cwd, options) {
-  const {
-    logger,
-    prod
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const details = await detectPackageEnvironment({
-    cwd,
-    onUnknown(pkgManager) {
-      logger?.warn(`⚠️ ${COMMAND_TITLE$2}: Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`);
-    }
-  });
-  if (!details.supported) {
-    logger?.error(`✖️ ${COMMAND_TITLE$2}: No supported Node or browser range detected`);
-    return;
-  }
-  if (details.agent === VLT$4) {
-    logger?.error(`✖️ ${COMMAND_TITLE$2}: ${details.agent} does not support overrides. Soon, though ⚡`);
-    return;
-  }
-  const lockName = details.lockName ?? 'lock file';
-  if (details.lockName === undefined || details.lockSrc === undefined) {
-    logger?.error(`✖️ ${COMMAND_TITLE$2}: No ${lockName} found`);
-    return;
-  }
-  if (details.lockSrc.trim() === '') {
-    logger?.error(`✖️ ${COMMAND_TITLE$2}: ${lockName} is empty`);
-    return;
-  }
-  if (details.pkgPath === undefined) {
-    logger?.error(`✖️ ${COMMAND_TITLE$2}: No package.json found`);
-    return;
-  }
-  if (prod && (details.agent === BUN$4 || details.agent === YARN_BERRY$4)) {
-    logger?.error(`✖️ ${COMMAND_TITLE$2}: --prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.toString()}` : ''}`);
-    return;
-  }
-  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
-    logger?.warn(`⚠️ ${COMMAND_TITLE$2}: Package ${lockName} found at ${details.lockPath}`);
-  }
-  return details;
+function matchLsCmdViewHumanStdout(stdout, name) {
+  return stdout.includes(` ${name}@`);
 }
+function matchQueryCmdStdout(stdout, name) {
+  return stdout.includes(`"${name}"`);
+}
+const depsIncludesByAgent = new Map([[BUN$4, matchLsCmdViewHumanStdout], [NPM$7, matchQueryCmdStdout], [PNPM$6, matchQueryCmdStdout], [VLT$4, matchQueryCmdStdout], [YARN_BERRY$4, matchLsCmdViewHumanStdout], [YARN_CLASSIC$5, matchLsCmdViewHumanStdout]]);
 
 function getDependencyEntries(pkgJson) {
   const {
@@ -4611,7 +4849,7 @@ function getDependencyEntries(pkgJson) {
 
 const {
   BUN: BUN$3,
-  NPM: NPM$7,
+  NPM: NPM$6,
   OVERRIDES: OVERRIDES$1,
   PNPM: PNPM$5,
   RESOLUTIONS: RESOLUTIONS$1,
@@ -4632,7 +4870,7 @@ function getOverridesDataBun(pkgJson) {
 function getOverridesDataNpm(pkgJson) {
   const overrides = pkgJson?.[OVERRIDES$1] ?? {};
   return {
-    type: NPM$7,
+    type: NPM$6,
     overrides
   };
 }
@@ -4673,7 +4911,7 @@ function getOverridesDataClassic(pkgJson) {
     overrides
   };
 }
-const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$7, getOverridesDataNpm], [PNPM$5, getOverridesDataPnpm], [VLT$3, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataClassic]]);
+const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$6, getOverridesDataNpm], [PNPM$5, getOverridesDataPnpm], [VLT$3, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataClassic]]);
 
 const {
   PNPM: PNPM$4
@@ -4684,7 +4922,7 @@ async function getWorkspaceGlobs(agent, pkgPath, pkgJson) {
   if (agent === PNPM$4) {
     for (const workspacePath of [path.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), path.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
       // eslint-disable-next-line no-await-in-loop
-      const yml = await index.safeReadFile(workspacePath, 'utf8');
+      const yml = await shadowNpmInject.safeReadFile(workspacePath, 'utf8');
       if (yml) {
         try {
           workspacePatterns = yaml.parse(yml)?.packages;
@@ -4721,26 +4959,26 @@ function workspacePatternToGlobPattern(workspace) {
 const {
   BUN: BUN$2,
   LOCK_EXT,
-  NPM: NPM$6,
+  NPM: NPM$5,
   PNPM: PNPM$3,
   VLT: VLT$2,
   YARN_BERRY: YARN_BERRY$2,
   YARN_CLASSIC: YARN_CLASSIC$3
 } = constants;
-function lockIncludesNpm(lockSrc, name) {
+function includesNpm(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name":
   return lockSrc.includes(`"${name}":`);
 }
-function lockIncludesBun(lockSrc, name, lockName) {
+function includesBun(lockSrc, name, lockName) {
   // This is a bit counterintuitive. When lockName ends with a .lockb
   // we treat it as a yarn.lock. When lockName ends with a .lock we
   // treat it as a package-lock.json. The bun.lock format is not identical
   // package-lock.json, however it close enough for npmLockIncludes to work.
-  const lockScanner = lockName?.endsWith(LOCK_EXT) ? lockIncludesNpm : lockIncludesYarn;
-  return lockScanner(lockSrc, name);
+  const lockfileScanner = lockName?.endsWith(LOCK_EXT) ? includesNpm : includesYarn;
+  return lockfileScanner(lockSrc, name);
 }
-function lockIncludesPnpm(lockSrc, name) {
+function includesPnpm(lockSrc, name) {
   const escapedName = regexps.escapeRegExp(name);
   return new RegExp(
   // Detects the package name in the following cases:
@@ -4750,12 +4988,12 @@ function lockIncludesPnpm(lockSrc, name) {
   //   name@
   `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
 }
-function lockIncludesVlt(lockSrc, name) {
+function includesVlt(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name"
   return lockSrc.includes(`"${name}"`);
 }
-function lockIncludesYarn(lockSrc, name) {
+function includesYarn(lockSrc, name) {
   const escapedName = regexps.escapeRegExp(name);
   return new RegExp(
   // Detects the package name in the following cases:
@@ -4765,11 +5003,11 @@ function lockIncludesYarn(lockSrc, name) {
   //   , name@
   `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
 }
-const lockIncludesByAgent = new Map([[BUN$2, lockIncludesBun], [NPM$6, lockIncludesNpm], [PNPM$3, lockIncludesPnpm], [VLT$2, lockIncludesVlt], [YARN_BERRY$2, lockIncludesYarn], [YARN_CLASSIC$3, lockIncludesYarn]]);
+const lockfileIncludesByAgent = new Map([[BUN$2, includesBun], [NPM$5, includesNpm], [PNPM$3, includesPnpm], [VLT$2, includesVlt], [YARN_BERRY$2, includesYarn], [YARN_CLASSIC$3, includesYarn]]);
 
 const {
   BUN: BUN$1,
-  NPM: NPM$5,
+  NPM: NPM$4,
   PNPM: PNPM$2,
   VLT: VLT$1,
   YARN_BERRY: YARN_BERRY$1,
@@ -4805,11 +5043,11 @@ function cleanupQueryStdout(stdout) {
   }
   return JSON.stringify([...names], null, 2);
 }
-function parseableToQueryStdout(stdout) {
+function parsableToQueryStdout(stdout) {
   if (stdout === '') {
     return '';
   }
-  // Convert the parseable stdout into a json array of unique names.
+  // Convert the parsable stdout into a json array of unique names.
   // The matchAll regexp looks for a forward (posix) or backward (win32) slash
   // and matches one or more non-slashes until the newline.
   const names = new Set(stdout.matchAll(/(?<=[/\\])[^/\\]+(?=\n)/g));
@@ -4839,7 +5077,7 @@ async function lsNpm(agentExecPath, cwd) {
 }
 async function lsPnpm(agentExecPath, cwd, options) {
   const npmExecPath = options?.npmExecPath;
-  if (npmExecPath && npmExecPath !== NPM$5) {
+  if (npmExecPath && npmExecPath !== NPM$4) {
     const result = await npmQuery(npmExecPath, cwd);
     if (result) {
       return result;
@@ -4847,15 +5085,19 @@ async function lsPnpm(agentExecPath, cwd, options) {
   }
   let stdout = '';
   try {
-    stdout = (await spawn.spawn(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+    stdout = (await spawn.spawn(agentExecPath,
+    // Pnpm uses the alternative spelling of parsable.
+    // https://en.wiktionary.org/wiki/parsable
+    ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
       cwd
     })).stdout;
   } catch {}
-  return parseableToQueryStdout(stdout);
+  return parsableToQueryStdout(stdout);
 }
 async function lsVlt(agentExecPath, cwd) {
   let stdout = '';
   try {
+    // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (await spawn.spawn(agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
       cwd
     })).stdout;
@@ -4886,20 +5128,39 @@ async function lsYarnClassic(agentExecPath, cwd) {
   } catch {}
   return '';
 }
-const lsByAgent = {
-  // @ts-ignore
-  __proto__: null,
-  [BUN$1]: lsBun,
-  [NPM$5]: lsNpm,
-  [PNPM$2]: lsPnpm,
-  [VLT$1]: lsVlt,
-  [YARN_BERRY$1]: lsYarnBerry,
-  [YARN_CLASSIC$2]: lsYarnClassic
-};
+const lsByAgent = new Map([[BUN$1, lsBun], [NPM$4, lsNpm], [PNPM$2, lsPnpm], [VLT$1, lsVlt], [YARN_BERRY$1, lsYarnBerry], [YARN_CLASSIC$2, lsYarnClassic]]);
+
+const {
+  NPM: NPM$3
+} = constants;
+const COMMAND_TITLE$1 = 'Socket Optimize';
+async function updateLockfile(pkgEnvDetails, options) {
+  const {
+    logger,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
+  try {
+    await runAgentInstall(pkgEnvDetails, {
+      spinner
+    });
+    spinner?.stop();
+    if (pkgEnvDetails.agent === NPM$3) {
+      logger?.log(`💡 Re-run ${COMMAND_TITLE$1} whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped once npm v11.2.0 is released.`);
+    }
+  } catch (e) {
+    spinner?.stop();
+    logger?.fail(`${COMMAND_TITLE$1}: ${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`);
+    logger?.error(e);
+  }
+}
 
 const {
   BUN,
-  NPM: NPM$4,
+  NPM: NPM$2,
   OVERRIDES,
   PNPM: PNPM$1,
   RESOLUTIONS,
@@ -4919,7 +5180,9 @@ function getHighestEntryIndex(entries, keys) {
   return getEntryIndexes(entries, keys).at(-1) ?? -1;
 }
 function updatePkgJson(editablePkgJson, field, value) {
-  const pkgJson = editablePkgJson.content;
+  const {
+    content: pkgJson
+  } = editablePkgJson;
   const oldValue = pkgJson[field];
   if (oldValue) {
     // The field already exists so we simply update the field value.
@@ -4975,205 +5238,43 @@ function updatePkgJson(editablePkgJson, field, value) {
   } else if (field === PNPM_FIELD_NAME) {
     insertIndex = getLowestEntryIndex(entries, [OVERRIDES, RESOLUTIONS]);
     if (insertIndex === -1) {
-      isPlacingHigher = true;
-      insertIndex = getHighestEntryIndex(entries, depFields);
-    }
-  }
-  if (insertIndex === -1) {
-    insertIndex = getLowestEntryIndex(entries, ['engines', 'files']);
-  }
-  if (insertIndex === -1) {
-    isPlacingHigher = true;
-    insertIndex = getHighestEntryIndex(entries, ['exports', 'imports', 'main']);
-  }
-  if (insertIndex === -1) {
-    insertIndex = entries.length;
-  } else if (isPlacingHigher) {
-    insertIndex += 1;
-  }
-  entries.splice(insertIndex, 0, [field, value]);
-  editablePkgJson.fromJSON(`${JSON.stringify(Object.fromEntries(entries), null, 2)}\n`);
-}
-function updateOverrides(editablePkgJson, overrides) {
-  updatePkgJson(editablePkgJson, OVERRIDES, overrides);
-}
-function updateResolutions(editablePkgJson, overrides) {
-  updatePkgJson(editablePkgJson, RESOLUTIONS, overrides);
-}
-function pnpmUpdatePkgJson(editablePkgJson, overrides) {
-  updatePkgJson(editablePkgJson, PNPM_FIELD_NAME, overrides);
-}
-const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$4, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
-
-const {
-  SOCKET_IPC_HANDSHAKE
-} = constants;
-function safeNpmInstall(options) {
-  const {
-    args = [],
-    ipc,
-    spinner,
-    ...spawnOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const terminatorPos = args.indexOf('--');
-  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
-  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-  const useIpc = objects.isObject(ipc);
-  const useDebug = debug.isDebug();
-  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
-  const spawnPromise = spawn.spawn(
-  // Lazily access constants.execPath.
-  constants.execPath, [
-  // Lazily access constants.nodeNoWarningsFlags.
-  ...constants.nodeNoWarningsFlags, '--require',
-  // Lazily access constants.npmInjectionPath.
-  constants.npmInjectionPath, npmPaths.getNpmBinPath(), 'install',
-  // Even though the '--silent' flag is passed npm will still run through
-  // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'
-  // flags are passed.
-  '--no-audit', '--no-fund',
-  // Add `--no-progress` and `--silent` flags to fix input being swallowed
-  // by the spinner when running the command with recent versions of npm.
-  '--no-progress',
-  // Add the '--silent' flag if a loglevel flag is not provided and the
-  // SOCKET_CLI_DEBUG environment variable is not truthy.
-  ...(isSilent ? ['--silent'] : []), ...npmArgs, ...otherArgs], {
-    spinner,
-    // Set stdio to include 'ipc'.
-    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
-    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
-    stdio: isSilent ?
-    // 'ignore'
-    useIpc ? ['ignore', 'ignore', 'ignore', 'ipc'] : 'ignore' :
-    // 'inherit'
-    useIpc ? [0, 1, 2, 'ipc'] : 'inherit',
-    ...spawnOptions,
-    env: {
-      ...process$1.env,
-      ...spawnOptions.env
-    }
-  });
-  if (useIpc) {
-    spawnPromise.process.send({
-      [SOCKET_IPC_HANDSHAKE]: ipc
-    });
-  }
-  return spawnPromise;
-}
-
-const {
-  NPM: NPM$3,
-  abortSignal
-} = constants;
-function runAgentInstall(agent, agentExecPath, options) {
-  // All package managers support the "install" command.
-  if (agent === NPM$3) {
-    return safeNpmInstall(options);
-  }
-  const {
-    args = [],
-    spinner,
-    ...spawnOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const isSilent = !debug.isDebug();
-  return spawn.spawn(agentExecPath, ['install', ...args], {
-    signal: abortSignal,
-    spinner,
-    stdio: isSilent ? 'ignore' : 'inherit',
-    ...spawnOptions,
-    env: {
-      ...process.env,
-      ...spawnOptions.env
-    }
-  });
-}
-
-const {
-  NPM: NPM$2
-} = constants;
-const COMMAND_TITLE$1 = 'Socket Optimize';
-async function updatePackageLockJson(pkgEnvDetails, options) {
-  const {
-    logger,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
-  try {
-    await runAgentInstall(pkgEnvDetails.agent, pkgEnvDetails.agentExecPath, {
-      spinner
-    });
-    spinner?.stop();
-    if (pkgEnvDetails.agent === NPM$2) {
-      logger?.log(`💡 Re-run ${COMMAND_TITLE$1} whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped once npm v11.2.0 is released.`);
-    }
-  } catch (e) {
-    spinner?.stop();
-    logger?.error(`${COMMAND_TITLE$1}: ${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`);
-    logger?.error(e);
-  }
-}
-
-const {
-  NPM: NPM$1,
-  PNPM,
-  YARN_CLASSIC
-} = constants;
-const COMMAND_TITLE = 'Socket Optimize';
-const manifestNpmOverrides = registry.getManifestData(NPM$1);
-async function applyOptimization(cwd, pin, prod) {
-  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
-    logger: logger.logger,
-    prod
-  });
-  if (!pkgEnvDetails) {
-    return;
-  }
-  // Lazily access constants.spinner.
-  const {
-    spinner
-  } = constants;
-  spinner.start('Socket optimizing...');
-  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
-    logger: logger.logger,
-    pin,
-    prod,
-    spinner
-  });
-  spinner.stop();
-  const addedCount = state.added.size;
-  const updatedCount = state.updated.size;
-  const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
-  if (pkgJsonChanged) {
-    if (updatedCount > 0) {
-      logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
-    }
-    if (addedCount > 0) {
-      logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
+      isPlacingHigher = true;
+      insertIndex = getHighestEntryIndex(entries, depFields);
     }
-  } else {
-    logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
   }
-  if (pkgEnvDetails.agent === NPM$1 || pkgJsonChanged) {
-    // Always update package-lock.json until the npm overrides PR lands:
-    // https://github.com/npm/cli/pull/8089
-    await updatePackageLockJson(pkgEnvDetails, {
-      logger: logger.logger,
-      spinner
-    });
+  if (insertIndex === -1) {
+    insertIndex = getLowestEntryIndex(entries, ['engines', 'files']);
+  }
+  if (insertIndex === -1) {
+    isPlacingHigher = true;
+    insertIndex = getHighestEntryIndex(entries, ['exports', 'imports', 'main']);
   }
+  if (insertIndex === -1) {
+    insertIndex = entries.length;
+  } else if (isPlacingHigher) {
+    insertIndex += 1;
+  }
+  entries.splice(insertIndex, 0, [field, value]);
+  editablePkgJson.fromJSON(`${JSON.stringify(Object.fromEntries(entries), null, 2)}\n`);
 }
-function createActionMessage(verb, overrideCount, workspaceCount) {
-  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
+function updateOverrides(editablePkgJson, overrides) {
+  updatePkgJson(editablePkgJson, OVERRIDES, overrides);
+}
+function updateResolutions(editablePkgJson, overrides) {
+  updatePkgJson(editablePkgJson, RESOLUTIONS, overrides);
+}
+function pnpmUpdatePkgJson(editablePkgJson, overrides) {
+  updatePkgJson(editablePkgJson, PNPM_FIELD_NAME, overrides);
 }
+const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$2, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
+
+const {
+  NPM: NPM$1,
+  PNPM,
+  YARN_CLASSIC
+} = constants;
+const COMMAND_TITLE = 'Socket Optimize';
+const manifestNpmOverrides = registry.getManifestData(NPM$1);
 async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const {
     agent,
@@ -5217,16 +5318,16 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const isWorkspace = !!workspaceGlobs;
   if (isWorkspace && agent === PNPM && npmExecPath === NPM$1 && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
-    logger?.warn(`⚠️ ${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
+    logger?.warn(`${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
   }
-  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, {
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent.get(agent)(agentExecPath, pkgPath, {
     npmExecPath
   });
   // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
   // first two parameters. AgentLockIncludesFn accepts an optional third
   // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
   // as an AgentLockIncludesFn type.
-  const thingScanner = isLockScanned ? lockIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
+  const thingScanner = isLockScanned ? lockfileIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
   const depEntries = getDependencyEntries(pkgJson);
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
@@ -5352,6 +5453,51 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   }
   return state;
 }
+function createActionMessage(verb, overrideCount, workspaceCount) {
+  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
+}
+async function applyOptimization(cwd, pin, prod) {
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    logger: logger.logger,
+    prod
+  });
+  if (!pkgEnvDetails) {
+    return;
+  }
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start('Socket optimizing...');
+  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
+    logger: logger.logger,
+    pin,
+    prod,
+    spinner
+  });
+  spinner.stop();
+  const addedCount = state.added.size;
+  const updatedCount = state.updated.size;
+  const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
+  if (pkgJsonChanged) {
+    if (updatedCount > 0) {
+      logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
+    }
+    if (addedCount > 0) {
+      logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
+    }
+  } else {
+    logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
+  }
+  if (pkgEnvDetails.agent === NPM$1 || pkgJsonChanged) {
+    // Always update package-lock.json until the npm overrides PR lands:
+    // https://github.com/npm/cli/pull/8089
+    await updateLockfile(pkgEnvDetails, {
+      logger: logger.logger,
+      spinner
+    });
+  }
+}
 
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h
@@ -5408,9 +5554,9 @@ async function run$h(argv, importMeta, {
 }
 
 async function getOrganization(format = 'text') {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   await printOrganizationsFromToken(apiToken, format);
 }
@@ -5420,10 +5566,10 @@ async function printOrganizationsFromToken(apiToken, format = 'text') {
     spinner
   } = constants;
   spinner.start('Fetching organizations...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getOrganizations(), 'looking up organizations');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('getOrganizations', result, spinner);
+    handleUnsuccessfulApiResponse('getOrganizations', result);
     return;
   }
   spinner.stop();
@@ -5514,7 +5660,7 @@ async function run$g(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
 ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
   - The json and markdown flags cannot be both set, pick one
@@ -5529,7 +5675,7 @@ ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields
 }
 
 async function runRawNpm(argv) {
-  const spawnPromise = spawn.spawn(npmPaths.getNpmBinPath(), argv, {
+  const spawnPromise = spawn.spawn(shadowNpmPaths.getNpmBinPath(), argv, {
     stdio: 'inherit'
   });
   // See https://nodejs.org/api/all.html#all_child_process_event-exit.
@@ -5583,7 +5729,7 @@ async function run$f(argv, importMeta, {
 }
 
 async function runRawNpx(argv) {
-  const spawnPromise = spawn.spawn(npmPaths.getNpxBinPath(), argv, {
+  const spawnPromise = spawn.spawn(shadowNpmPaths.getNpxBinPath(), argv, {
     stdio: 'inherit'
   });
   // See https://nodejs.org/api/all.html#all_child_process_event-exit.
@@ -5647,16 +5793,16 @@ async function createReport(socketConfig, inputPaths, {
   const {
     spinner
   } = constants;
-  const socketSdk = await index.setupSdk();
+  const socketSdk = await shadowNpmInject.setupSdk();
   const supportedFiles = await socketSdk.getReportSupportedFiles().then(res => {
-    if (!res.success) handleUnsuccessfulApiResponse('getReportSupportedFiles', res, spinner);
+    if (!res.success) handleUnsuccessfulApiResponse('getReportSupportedFiles', res);
     return res.data;
   }).catch(cause => {
     throw new Error('Failed getting supported files for report', {
       cause
     });
   });
-  const packagePaths = await npmPaths.getPackageFilesFullScans(cwd, inputPaths, supportedFiles, socketConfig);
+  const packagePaths = await shadowNpmPaths.getPackageFilesFullScans(cwd, inputPaths, supportedFiles, socketConfig);
   const packagePathsCount = packagePaths.length;
   if (packagePathsCount && debug.isDebug()) {
     for (const pkgPath of packagePaths) {
@@ -5671,7 +5817,7 @@ async function createReport(socketConfig, inputPaths, {
   const apiCall = socketSdk.createReportFromFilePaths(packagePaths, cwd, socketConfig?.issueRules);
   const result = await handleApiCall(apiCall, 'creating report');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('createReport', result, spinner);
+    handleUnsuccessfulApiResponse('createReport', result);
     return undefined;
   }
   spinner.successAndStop();
@@ -5689,7 +5835,7 @@ async function getSocketConfig(absoluteConfigPath) {
         errors: cause.validationErrors,
         schema: cause.schema
       });
-      throw new index.InputError('The socket.yml config is not valid', betterErrors.map(err => `[${err.path}] ${err.message}.${err.suggestion ? err.suggestion : ''}`).join('\n'));
+      throw new shadowNpmInject.InputError('The socket.yml config is not valid', betterErrors.map(err => `[${err.path}] ${err.message}.${err.suggestion ? err.suggestion : ''}`).join('\n'));
     } else {
       throw new Error('Failed to read socket.yml config', {
         cause
@@ -5707,7 +5853,7 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
     spinner
   } = constants;
   spinner.start(`Fetching report with ID ${reportId} (this could take a while)`);
-  const socketSdk = await index.setupSdk();
+  const socketSdk = await shadowNpmInject.setupSdk();
   let result;
   for (let retry = 1; !result; ++retry) {
     try {
@@ -5721,7 +5867,7 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
     }
   }
   if (!result.success) {
-    return handleUnsuccessfulApiResponse('getReport', result, spinner);
+    return handleUnsuccessfulApiResponse('getReport', result);
   }
 
   // Conclude the status of the API call.
@@ -5732,8 +5878,8 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
       spinner.error('Report result deemed unhealthy for project');
     }
   } else if (!result.data.healthy) {
-    const severityCount = getSeverityCount(result.data.issues, includeAllIssues ? undefined : 'high');
-    const issueSummary = formatSeverityCount(severityCount);
+    const severityCount = shadowNpmInject.getSeverityCount(result.data.issues, includeAllIssues ? undefined : 'high');
+    const issueSummary = shadowNpmInject.formatSeverityCount(severityCount);
     spinner.success(`Report has these issues: ${issueSummary}`);
   } else {
     spinner.success('Report has no issues');
@@ -5746,7 +5892,7 @@ function formatReportDataOutput(reportId, data, commandName, outputJson, outputM
   if (outputJson) {
     logger.logger.log(JSON.stringify(data, undefined, 2));
   } else {
-    const format = new index.ColorOrMarkdown(outputMarkdown);
+    const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
     logger.logger.log(commonTags.stripIndents`
       Detailed info on socket.dev: ${format.hyperlink(reportId, data.url, {
       fallbackToUrl: true
@@ -5850,7 +5996,7 @@ async function run$d(argv, importMeta, {
     } else if (json) {
       logger.logger.log(JSON.stringify(result.data, undefined, 2));
     } else {
-      const format = new index.ColorOrMarkdown(markdown);
+      const format = new shadowNpmInject.ColorOrMarkdown(markdown);
       logger.logger.log(`New report: ${format.hyperlink(result.data.id, result.data.url, {
         fallbackToUrl: true
       })}`);
@@ -5897,7 +6043,7 @@ async function run$c(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Need at least one report ID ${!reportId ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -5938,13 +6084,33 @@ const cmdReport = {
 };
 
 async function createRepo({
+  default_branch,
+  description,
+  homepage,
+  orgSlug,
+  repoName,
+  visibility
+}) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await createRepoWithToken({
+    apiToken,
+    default_branch,
+    description,
+    homepage,
+    orgSlug,
+    repoName,
+    visibility
+  });
+}
+async function createRepoWithToken({
   apiToken,
   default_branch,
   description,
   homepage,
   orgSlug,
-  outputJson,
-  outputMarkdown,
   repoName,
   visibility
 }) {
@@ -5953,22 +6119,19 @@ async function createRepo({
     spinner
   } = constants;
   spinner.start('Creating repository...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.createOrgRepo(orgSlug, {
-    outputJson,
-    outputMarkdown,
-    orgSlug,
     name: repoName,
     description,
     homepage,
     default_branch,
     visibility
   }), 'creating repository');
-  if (result.success) {
-    spinner.successAndStop('Repository created successfully');
-  } else {
-    handleUnsuccessfulApiResponse('createOrgRepo', result, spinner);
+  if (!result.success) {
+    handleUnsuccessfulApiResponse('createOrgRepo', result);
+    return;
   }
+  spinner.successAndStop('Repository created successfully');
 }
 
 const {
@@ -5980,7 +6143,6 @@ const config$b = {
   hidden: false,
   flags: {
     ...commonFlags,
-    ...outputFlags,
     repoName: {
       type: 'string',
       shortFlag: 'n',
@@ -6044,7 +6206,7 @@ async function run$b(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -6055,36 +6217,36 @@ async function run$b(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$b);
     return;
   }
-  const apiToken = index.getDefaultToken();
-  if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
   await createRepo({
-    outputJson: Boolean(cli.flags['json']),
-    outputMarkdown: Boolean(cli.flags['markdown']),
     orgSlug,
     repoName,
     description: String(cli.flags['repoDescription'] || ''),
     homepage: String(cli.flags['homepage'] || ''),
     default_branch: String(cli.flags['defaultBranch'] || ''),
-    visibility: String(cli.flags['visibility'] || 'private'),
-    apiToken
+    visibility: String(cli.flags['visibility'] || 'private')
   });
 }
 
-async function deleteRepo(orgSlug, repoName, apiToken) {
+async function deleteRepo(orgSlug, repoName) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await deleteRepoWithToken(orgSlug, repoName, apiToken);
+}
+async function deleteRepoWithToken(orgSlug, repoName, apiToken) {
   // Lazily access constants.spinner.
   const {
     spinner
   } = constants;
   spinner.start('Deleting repository...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.deleteOrgRepo(orgSlug, repoName), 'deleting repository');
-  if (result.success) {
-    spinner.successAndStop('Repository deleted successfully');
-  } else {
-    handleUnsuccessfulApiResponse('deleteOrgRepo', result, spinner);
+  if (!result.success) {
+    handleUnsuccessfulApiResponse('deleteOrgRepo', result);
+    return;
   }
+  spinner.successAndStop('Repository deleted successfully');
 }
 
 const {
@@ -6128,7 +6290,7 @@ async function run$a(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -6141,20 +6303,37 @@ async function run$a(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$a);
     return;
   }
-  const apiToken = index.getDefaultToken();
-  if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
-  await deleteRepo(orgSlug, repoName, apiToken);
+  await deleteRepo(orgSlug, repoName);
 }
 
 // @ts-ignore
 async function listRepos({
+  direction,
+  orgSlug,
+  outputKind,
+  page,
+  per_page,
+  sort
+}) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await listReposWithToken({
+    apiToken,
+    direction,
+    orgSlug,
+    outputKind,
+    page,
+    per_page,
+    sort
+  });
+}
+async function listReposWithToken({
   apiToken,
   direction,
   orgSlug,
-  outputJson,
-  outputMarkdown,
+  outputKind,
   page,
   per_page,
   sort
@@ -6163,23 +6342,20 @@ async function listRepos({
   const {
     spinner
   } = constants;
-  spinner.start('Listing repositories...');
-  const socketSdk = await index.setupSdk(apiToken);
+  spinner.start('Fetching list of repositories...');
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getOrgRepoList(orgSlug, {
-    outputJson,
-    outputMarkdown,
-    orgSlug,
     sort,
     direction,
     per_page,
     page
   }), 'listing repositories');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('getOrgRepoList', result, spinner);
+    handleUnsuccessfulApiResponse('getOrgRepoList', result);
     return;
   }
-  spinner.stop();
-  if (outputJson) {
+  spinner.stop('Fetch complete.');
+  if (outputKind === 'json') {
     const data = result.data.results.map(o => ({
       id: o.id,
       name: o.name,
@@ -6276,7 +6452,7 @@ async function run$9(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -6287,30 +6463,44 @@ async function run$9(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$9);
     return;
   }
-  const apiToken = index.getDefaultToken();
-  if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
   await listRepos({
-    apiToken,
-    outputJson: Boolean(cli.flags['json']),
-    outputMarkdown: Boolean(cli.flags['markdown']),
-    orgSlug,
-    sort: String(cli.flags['sort'] || 'created_at'),
     direction: cli.flags['direction'] === 'asc' ? 'asc' : 'desc',
+    orgSlug,
+    outputKind: cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print',
     page: Number(cli.flags['page']) || 1,
-    per_page: Number(cli.flags['perPage']) || 30
+    per_page: Number(cli.flags['perPage']) || 30,
+    sort: String(cli.flags['sort'] || 'created_at')
   });
 }
 
 async function updateRepo({
+  default_branch,
+  description,
+  homepage,
+  orgSlug,
+  repoName,
+  visibility
+}) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await updateRepoWithToken({
+    apiToken,
+    default_branch,
+    description,
+    homepage,
+    orgSlug,
+    repoName,
+    visibility
+  });
+}
+async function updateRepoWithToken({
   apiToken,
   default_branch,
   description,
   homepage,
   orgSlug,
-  outputJson,
-  outputMarkdown,
   repoName,
   visibility
 }) {
@@ -6319,10 +6509,8 @@ async function updateRepo({
     spinner
   } = constants;
   spinner.start('Updating repository...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.updateOrgRepo(orgSlug, repoName, {
-    outputJson,
-    outputMarkdown,
     orgSlug,
     name: repoName,
     description,
@@ -6330,11 +6518,11 @@ async function updateRepo({
     default_branch,
     visibility
   }), 'updating repository');
-  if (result.success) {
-    spinner.successAndStop('Repository updated successfully');
-  } else {
-    handleUnsuccessfulApiResponse('updateOrgRepo', result, spinner);
+  if (!result.success) {
+    handleUnsuccessfulApiResponse('updateOrgRepo', result);
+    return;
   }
+  spinner.successAndStop('Repository updated successfully');
 }
 
 const {
@@ -6346,7 +6534,6 @@ const config$8 = {
   hidden: false,
   flags: {
     ...commonFlags,
-    ...outputFlags,
     repoName: {
       type: 'string',
       shortFlag: 'n',
@@ -6410,7 +6597,7 @@ async function run$8(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -6423,14 +6610,7 @@ async function run$8(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$8);
     return;
   }
-  const apiToken = index.getDefaultToken();
-  if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
   await updateRepo({
-    apiToken,
-    outputJson: Boolean(cli.flags['json']),
-    outputMarkdown: Boolean(cli.flags['markdown']),
     orgSlug,
     repoName,
     description: String(cli.flags['repoDescription'] || ''),
@@ -6441,16 +6621,45 @@ async function run$8(argv, importMeta, {
 }
 
 // @ts-ignore
-async function viewRepo(orgSlug, repoName, apiToken) {
+async function viewRepo(orgSlug, repoName, outputKind) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await viewRepoWithToken(orgSlug, repoName, apiToken, outputKind);
+}
+async function viewRepoWithToken(orgSlug, repoName, apiToken, outputKind) {
   // Lazily access constants.spinner.
   const {
     spinner
   } = constants;
-  spinner.start('Fetching repository...');
-  const socketSdk = await index.setupSdk(apiToken);
+  spinner.start('Fetching repository data...');
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getOrgRepo(orgSlug, repoName), 'fetching repository');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('getOrgRepo', result, spinner);
+    handleUnsuccessfulApiResponse('getOrgRepo', result);
+    return;
+  }
+  spinner.stop('Fetched repository data.');
+  if (outputKind === 'json') {
+    const {
+      archived,
+      created_at,
+      default_branch,
+      homepage,
+      id,
+      name,
+      visibility
+    } = result.data;
+    logger.logger.log(JSON.stringify({
+      id,
+      name,
+      visibility,
+      default_branch,
+      homepage,
+      archived,
+      created_at
+    }, null, 2));
     return;
   }
   const options = {
@@ -6477,7 +6686,7 @@ async function viewRepo(orgSlug, repoName, apiToken) {
       name: colors.magenta('Created at')
     }]
   };
-  spinner.stop(chalkTable(options, [result.data]));
+  logger.logger.log(chalkTable(options, [result.data]));
 }
 
 const {
@@ -6489,7 +6698,12 @@ const config$7 = {
   hidden: false,
   flags: {
     ...commonFlags,
-    ...outputFlags
+    ...outputFlags,
+    repoName: {
+      description: 'The repository to check',
+      default: '',
+      type: 'string'
+    }
   },
   help: (command, config) => `
     Usage
@@ -6523,7 +6737,7 @@ async function run$7(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
       ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
@@ -6536,11 +6750,7 @@ async function run$7(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$7);
     return;
   }
-  const apiToken = index.getDefaultToken();
-  if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
-  await viewRepo(orgSlug, repoName, apiToken);
+  await viewRepo(orgSlug, repoName, cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print');
 }
 
 const description$1 = 'Repositories related commands';
@@ -6725,10 +6935,10 @@ async function createFullScan({
   const {
     spinner
   } = constants;
-  const socketSdk = await index.setupSdk();
+  const socketSdk = await shadowNpmInject.setupSdk();
   const supportedFiles = await socketSdk.getReportSupportedFiles().then(res => {
     if (!res.success) {
-      handleUnsuccessfulApiResponse('getReportSupportedFiles', res, spinner);
+      handleUnsuccessfulApiResponse('getReportSupportedFiles', res);
       assert(false, 'handleUnsuccessfulApiResponse should unconditionally throw');
     }
     return res.data;
@@ -6751,14 +6961,14 @@ async function createFullScan({
   // const absoluteConfigPath = path.join(cwd, 'socket.yml')
   // const socketConfig = await getSocketConfig(absoluteConfigPath)
 
-  const packagePaths = await npmPaths.getPackageFilesFullScans(cwd, targets, supportedFiles
+  const packagePaths = await shadowNpmPaths.getPackageFilesFullScans(cwd, targets, supportedFiles
   // socketConfig
   );
 
   // We're going to need an api token to suggest data because those suggestions
   // must come from data we already know. Don't error on missing api token yet.
   // If the api-token is not set, ignore it for the sake of suggestions.
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
 
   // If the current cwd is unknown and is used as a repo slug anyways, we will
   // first need to register the slug before we can use it.
@@ -6792,7 +7002,7 @@ async function createFullScan({
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process$1.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
       ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
@@ -6814,7 +7024,7 @@ async function createFullScan({
     logger.logger.log('```');
   }
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   if (readOnly) {
     logger.logger.log('[ReadOnly] Bailing now');
@@ -6830,7 +7040,7 @@ async function createFullScan({
     tmp
   }, packagePaths, cwd), 'Creating scan');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('CreateOrgFullScan', result, spinner);
+    handleUnsuccessfulApiResponse('CreateOrgFullScan', result);
     return;
   }
   spinner.successAndStop('Scan created successfully');
@@ -6970,20 +7180,21 @@ async function run$6(argv, importMeta, {
   });
   const [orgSlug = '', ...targets] = cli.input;
   const cwd = cli.flags['cwd'] && cli.flags['cwd'] !== 'process.cwd()' ? String(cli.flags['cwd']) : process$1.cwd();
-  let {
+  const {
     branch: branchName,
     repo: repoName
   } = cli.flags;
-  const apiToken = index.getDefaultToken(); // This checks if we _can_ suggest anything
+  const apiToken = shadowNpmInject.getDefaultToken(); // This checks if we _can_ suggest anything
 
   if (!apiToken && (!orgSlug || !repoName || !branchName || !targets.length)) {
     // Without api token we cannot recover because we can't request more info
     // from the server, to match and help with the current cwd/git status.
+    //
     // Use exit status of 2 to indicate incorrect usage, generally invalid
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process$1.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
       ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
@@ -7022,9 +7233,9 @@ async function run$6(argv, importMeta, {
 }
 
 async function deleteOrgFullScan(orgSlug, fullScanId) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   await deleteOrgFullScanWithToken(orgSlug, fullScanId, apiToken);
 }
@@ -7034,10 +7245,10 @@ async function deleteOrgFullScanWithToken(orgSlug, fullScanId, apiToken) {
     spinner
   } = constants;
   spinner.start('Deleting scan...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.deleteOrgFullScan(orgSlug, fullScanId), 'Deleting scan');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('deleteOrgFullScan', result, spinner);
+    handleUnsuccessfulApiResponse('deleteOrgFullScan', result);
     return;
   }
   spinner.successAndStop('Scan deleted successfully');
@@ -7085,7 +7296,7 @@ async function run$5(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -7109,9 +7320,9 @@ async function listFullScans({
   per_page,
   sort
 }) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   await listFullScansWithToken({
     apiToken,
@@ -7139,7 +7350,7 @@ async function listFullScansWithToken({
     spinner
   } = constants;
   spinner.start('Fetching list of scans...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getOrgFullScanList(orgSlug, {
     sort,
     direction,
@@ -7148,7 +7359,7 @@ async function listFullScansWithToken({
     from: from_time
   }), 'Listing scans');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('getOrgFullScanList', result, spinner);
+    handleUnsuccessfulApiResponse('getOrgFullScanList', result);
     return;
   }
   spinner.stop(`Fetch complete`);
@@ -7264,7 +7475,7 @@ async function run$4(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
     - Org name as the argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}`);
     return;
@@ -7285,9 +7496,9 @@ async function run$4(argv, importMeta, {
 }
 
 async function getOrgScanMetadata(orgSlug, scanId, outputKind) {
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   await getOrgScanMetadataWithToken(orgSlug, scanId, apiToken, outputKind);
 }
@@ -7297,10 +7508,10 @@ async function getOrgScanMetadataWithToken(orgSlug, scanId, apiToken, outputKind
     spinner
   } = constants;
   spinner.start('Fetching meta data for a full scan...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const result = await handleApiCall(socketSdk.getOrgFullScanMetadata(orgSlug, scanId), 'Listing scans');
   if (!result.success) {
-    handleUnsuccessfulApiResponse('getOrgFullScanMetadata', result, spinner);
+    handleUnsuccessfulApiResponse('getOrgFullScanMetadata', result);
     return;
   }
   spinner?.successAndStop('Fetched the meta data\n');
@@ -7366,7 +7577,7 @@ async function run$3(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+    logger.logger.fail(commonTags.stripIndents`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
 
@@ -7385,15 +7596,15 @@ async function streamFullScan(orgSlug, fullScanId, file) {
   const {
     spinner
   } = constants;
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   spinner.start('Fetching scan...');
-  const socketSdk = await index.setupSdk(apiToken);
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
   const data = await handleApiCall(socketSdk.getOrgFullScan(orgSlug, fullScanId, file === '-' ? undefined : file), 'Fetching a scan');
   if (!data?.success) {
-    handleUnsuccessfulApiResponse('getOrgFullScan', data, spinner);
+    handleUnsuccessfulApiResponse('getOrgFullScan', data);
     return;
   }
   spinner?.successAndStop(file ? `Full scan details written to ${file}` : 'stdout');
@@ -7405,16 +7616,16 @@ async function getFullScan(orgSlug, fullScanId) {
   const {
     spinner
   } = constants;
-  const apiToken = index.getDefaultToken();
+  const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
   spinner.start('Fetching full-scan...');
   const response = await queryAPI(`orgs/${orgSlug}/full-scans/${encodeURIComponent(fullScanId)}`, apiToken);
   spinner.stop('Fetch complete.');
   if (!response.ok) {
     const err = await handleAPIError(response.status);
-    logger.logger.error(`${colors.bgRed(colors.white(response.statusText))}: Fetch error: ${err}`);
+    logger.logger.fail(`${colors.bgRed(colors.white(response.statusText))}: Fetch error: ${err}`);
     return;
   }
 
@@ -7462,9 +7673,9 @@ View this report at: https://socket.dev/dashboard/org/${orgSlug}/sbom/${fullScan
       await fs$1.writeFile(filePath, report, 'utf8');
       logger.logger.log(`Data successfully written to ${filePath}`);
     } catch (e) {
-      logger.logger.error('There was an error trying to write the json to disk');
-      logger.logger.error(e);
       process.exitCode = 1;
+      logger.logger.fail('There was an error trying to write the json to disk');
+      logger.logger.error(e);
     }
   } else {
     logger.logger.log(report);
@@ -7515,7 +7726,7 @@ async function run$2(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
       ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
 
       - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
@@ -7564,11 +7775,36 @@ const cmdScan = {
   }
 };
 
+// Note: Widgets does not seem to actually work as code :'(
+
 async function getThreatFeed({
+  direction,
+  ecosystem,
+  filter,
+  outputKind,
+  page,
+  perPage
+}) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await getThreatFeedWithToken({
+    apiToken,
+    direction,
+    ecosystem,
+    filter,
+    outputKind,
+    page,
+    perPage
+  });
+}
+async function getThreatFeedWithToken({
   apiToken,
   direction,
+  ecosystem,
   filter,
-  outputJson,
+  outputKind,
   page,
   perPage
 }) {
@@ -7576,17 +7812,12 @@ async function getThreatFeed({
   const {
     spinner
   } = constants;
-  spinner.start('Looking up the threat feed');
-  const formattedQueryParams = formatQueryParams({
-    per_page: perPage,
-    page,
-    direction,
-    filter
-  }).join('&');
-  const response = await queryAPI(`threat-feed?${formattedQueryParams}`, apiToken);
+  const queryParams = new URLSearchParams([['direction', direction], ['ecosystem', ecosystem], ['filter', filter], ['page', page], ['per_page', String(perPage)]]);
+  spinner.start('Fetching Threat Feed data...');
+  const response = await queryAPI(`threat-feed?${queryParams}`, apiToken);
   const data = await response.json();
-  spinner.stop();
-  if (outputJson) {
+  spinner.stop('Threat feed data fetched');
+  if (outputKind === 'json') {
     logger.logger.log(data);
     return;
   }
@@ -7599,47 +7830,98 @@ async function getThreatFeed({
     interactive: 'true',
     label: 'Threat feed',
     width: '100%',
-    height: '100%',
+    height: '70%',
+    // Changed from 100% to 70%
+    border: {
+      type: 'line',
+      fg: 'cyan'
+    },
+    columnWidth: [10, 30, 20, 18, 15, 200],
+    // TODO: the truncation doesn't seem to work too well yet but when we add
+    //       `pad` alignment fails, when we extend columnSpacing alignment fails
+    columnSpacing: 1,
+    truncate: '_'
+  });
+
+  // Create details box at the bottom
+  const detailsBox = new BoxWidget({
+    bottom: 0,
+    height: '30%',
+    width: '100%',
     border: {
       type: 'line',
       fg: 'cyan'
     },
-    columnSpacing: 3,
-    //in chars
-    columnWidth: [9, 30, 10, 17, 13, 100] /*in chars*/
+    label: 'Details',
+    content: 'Use arrow keys to navigate. Press Enter to select a threat. Press q to exit.',
+    style: {
+      fg: 'white'
+    }
   });
 
   // allow control the table with the keyboard
   table.focus();
   screen.append(table);
+  screen.append(detailsBox);
   const formattedOutput = formatResults(data.results);
+  const descriptions = data.results.map(d => d.description);
   table.setData({
-    headers: ['Ecosystem', 'Name', 'Version', 'Threat type', 'Detected at', 'Details'],
+    headers: [' Ecosystem', ' Name', '  Version', '  Threat type', '  Detected at', ' Details'],
     data: formattedOutput
   });
+
+  // Update details box when selection changes
+  table.rows.on('select item', () => {
+    const selectedIndex = table.rows.selected;
+    if (selectedIndex !== undefined && selectedIndex >= 0) {
+      const selectedRow = formattedOutput[selectedIndex];
+      if (selectedRow) {
+        // Note: the spacing works around issues with the table; it refuses to pad!
+        detailsBox.setContent(`Ecosystem: ${selectedRow[0]}\n` + `Name: ${selectedRow[1]}\n` + `Version:${selectedRow[2]}\n` + `Threat type:${selectedRow[3]}\n` + `Detected at:${selectedRow[4]}\n` + `Details: ${selectedRow[5]}\n` + `Description: ${descriptions[selectedIndex]}`);
+        screen.render();
+      }
+    }
+  });
   screen.render();
   screen.key(['escape', 'q', 'C-c'], () => process$1.exit(0));
+  screen.key(['return'], () => {
+    const selectedIndex = table.rows.selected;
+    screen.destroy();
+    const selectedRow = formattedOutput[selectedIndex];
+    console.log(selectedRow);
+  });
 }
 function formatResults(data) {
   return data.map(d => {
     const ecosystem = d.purl.split('pkg:')[1].split('/')[0];
     const name = d.purl.split('/')[1].split('@')[0];
     const version = d.purl.split('@')[1];
-    const timeStart = new Date(d.createdAt).getMilliseconds();
-    const timeEnd = Date.now();
-    const diff = getHourDiff(timeStart, timeEnd);
-    const hourDiff = diff > 0 ? `${diff} hours ago` : `${getMinDiff(timeStart, timeEnd)} minutes ago`;
-    return [ecosystem, decodeURIComponent(name), version, d.threatType, hourDiff, d.locationHtmlUrl];
+    const timeDiff = msAtHome(d.createdAt);
+
+    // Note: the spacing works around issues with the table; it refuses to pad!
+    return [ecosystem, decodeURIComponent(name), ` ${version}`, ` ${d.threatType}`, ` ${timeDiff}`, d.locationHtmlUrl];
   });
 }
-function formatQueryParams(params) {
-  return Object.entries(params).map(entry => `${entry[0]}=${entry[1]}`);
-}
-function getHourDiff(start, end) {
-  return Math.floor((end - start) / 3600000);
-}
-function getMinDiff(start, end) {
-  return Math.floor((end - start) / 60000);
+function msAtHome(isoTimeStamp) {
+  const timeStart = Date.parse(isoTimeStamp);
+  const timeEnd = Date.now();
+  const rtf = new Intl.RelativeTimeFormat('en', {
+    numeric: 'always',
+    style: 'short'
+  });
+  const delta = timeEnd - timeStart;
+  if (delta < 60 * 60 * 1000) {
+    return rtf.format(-Math.round(delta / (60 * 1000)), 'minute');
+    // return Math.round(delta / (60 * 1000)) + ' min ago'
+  } else if (delta < 24 * 60 * 60 * 1000) {
+    return rtf.format(-(delta / (60 * 60 * 1000)).toFixed(1), 'hour');
+    // return (delta / (60 * 60 * 1000)).toFixed(1) + ' hr ago'
+  } else if (delta < 7 * 24 * 60 * 60 * 1000) {
+    return rtf.format(-(delta / (24 * 60 * 60 * 1000)).toFixed(1), 'day');
+    // return (delta / (24 * 60 * 60 * 1000)).toFixed(1) + ' day ago'
+  } else {
+    return isoTimeStamp.slice(0, 10);
+  }
 }
 
 const {
@@ -7647,7 +7929,7 @@ const {
 } = constants;
 const config$1 = {
   commandName: 'threat-feed',
-  description: 'Look up the threat feed',
+  description: '[beta] View the threat feed',
   hidden: false,
   flags: {
     ...commonFlags,
@@ -7670,6 +7952,12 @@ const config$1 = {
       default: 'desc',
       description: 'Order asc or desc by the createdAt attribute.'
     },
+    eco: {
+      type: 'string',
+      shortFlag: 'e',
+      default: '',
+      description: 'Only show threats for a particular ecosystem'
+    },
     filter: {
       type: 'string',
       shortFlag: 'f',
@@ -7681,9 +7969,35 @@ const config$1 = {
     Usage
       $ ${command}
 
+    This feature requires a Threat Feed license. Please contact
+    sales@socket.dev if you are interested in purchasing this access.
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
+    Valid filters:
+
+      - anom    Anomaly
+      - c       Do not filter
+      - fp      False Positives
+      - joke    Joke / Fake
+      - mal     Malware and Possible Malware [default]
+      - secret  Secrets
+      - spy     Telemetry
+      - tp      False Positives and Unreviewed
+      - typo    Typo-squat
+      - u       Unreviewed
+      - vuln    Vulnerability
+
+    Valid ecosystems:
+
+      - gem
+      - golang
+      - maven
+      - npm
+      - nuget
+      - pypi
+
     Examples
       $ ${command}
       $ ${command} --perPage=5 --page=2 --direction=asc --filter=joke
@@ -7707,17 +8021,13 @@ async function run$1(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$1);
     return;
   }
-  const apiToken = index.getDefaultToken();
-  if (!apiToken) {
-    throw new index.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
   await getThreatFeed({
-    apiToken,
     direction: String(cli.flags['direction'] || 'desc'),
+    ecosystem: String(cli.flags['eco'] || ''),
     filter: String(cli.flags['filter'] || 'mal'),
-    outputJson: Boolean(cli.flags['json']),
-    page: String(cli.flags['filter'] || '1'),
-    perPage: Number(cli.flags['per_page'] || 0)
+    outputKind: cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print',
+    page: String(cli.flags['page'] || '1'),
+    perPage: Number(cli.flags['perPage']) || 30
   });
 }
 
@@ -7804,7 +8114,7 @@ function askQuestion(rl, query) {
 function removeSocketWrapper(file) {
   return fs.readFile(file, 'utf8', function (err, data) {
     if (err) {
-      logger.logger.error('There was an error removing the alias:');
+      logger.logger.fail('There was an error removing the alias:');
       logger.logger.error(err);
       return;
     }
@@ -7881,7 +8191,7 @@ async function run(argv, importMeta, {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.error(commonTags.stripIndents`
+    logger.logger.fail(commonTags.stripIndents`
       ${colors.bgRed(colors.white('Input error'))}: Please provide the required flags:
 
       - Must use --enabled or --disabled
@@ -7914,7 +8224,7 @@ async function run(argv, importMeta, {
     }
   }
   if (!fs.existsSync(bashRcPath) && !fs.existsSync(zshRcPath)) {
-    logger.logger.error('There was an issue setting up the alias in your bash profile');
+    logger.logger.fail('There was an issue setting up the alias in your bash profile');
   }
 }
 
@@ -7973,10 +8283,10 @@ void (async () => {
     let errorBody;
     let errorTitle;
     let errorMessage = '';
-    if (e instanceof index.AuthError) {
+    if (e instanceof shadowNpmInject.AuthError) {
       errorTitle = 'Authentication error';
       errorMessage = e.message;
-    } else if (e instanceof index.InputError) {
+    } else if (e instanceof shadowNpmInject.InputError) {
       errorTitle = 'Invalid input';
       errorMessage = e.message;
       errorBody = e.body;
@@ -7987,12 +8297,12 @@ void (async () => {
     } else {
       errorTitle = 'Unexpected error with no details';
     }
-    logger.logger.error(`${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
+    logger.logger.fail(`${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
     if (errorBody) {
       logger.logger.error(`\n${errorBody}`);
     }
-    await index.captureException(e);
+    await shadowNpmInject.captureException(e);
   }
 })();
-//# debugId=4fe0e5e5-54cb-444b-88dc-36bf76ff766a
+//# debugId=e7fc426e-8da9-4a73-b05c-6a96ab758857
 //# sourceMappingURL=cli.js.map