npm - @socketsecurity/cli-with-sentry - Versions diffs - 0.14.57 → 0.14.58 - Mend

@socketsecurity/cli-with-sentry 0.14.57 → 0.14.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/bin/cli.js +2 -0
package/dist/constants.d.ts +1 -2
package/dist/constants.js +9 -6
package/dist/constants.js.map +1 -1
package/dist/instrument-with-sentry.js +2 -2
package/dist/instrument-with-sentry.js.map +1 -1
package/dist/module-sync/artifact.d.ts +75 -0
package/dist/module-sync/cli.js +1041 -791
package/dist/module-sync/cli.js.map +1 -1
package/dist/module-sync/index.d.ts +4 -3
package/dist/module-sync/shadow-bin.js +3 -1
package/dist/module-sync/shadow-bin.js.map +1 -1
package/dist/module-sync/shadow-npm-inject.js +1414 -1287
package/dist/module-sync/shadow-npm-inject.js.map +1 -1
package/dist/module-sync/shadow-npm-paths.js.map +1 -1
package/dist/module-sync/socket-package-alert.d.ts +46 -0
package/dist/module-sync/types.d.ts +11 -3
package/dist/require/cli.js +1041 -791
package/dist/require/cli.js.map +1 -1
package/package.json +12 -10
package/dist/module-sync/color-or-markdown.d.ts +0 -16
package/dist/module-sync/socket-url.d.ts +0 -3

package/dist/require/cli.js CHANGED Viewed

@@ -26,6 +26,7 @@ var ndjson = _socketInterop(require('ndjson'));
 var shadowNpmInject = require('./shadow-npm-inject.js');
 var constants = require('./constants.js');
 var objects = require('@socketsecurity/registry/lib/objects');
+var path$1 = require('@socketsecurity/registry/lib/path');
 var regexps = require('@socketsecurity/registry/lib/regexps');
 var commonTags = _socketInterop(require('common-tags'));
 var fs$1 = require('node:fs/promises');
@@ -40,26 +41,29 @@ var require$$0$1 = require('node:util');
 var registry = require('@socketsecurity/registry');
 var npm = require('@socketsecurity/registry/lib/npm');
 var packages = require('@socketsecurity/registry/lib/packages');
-var registryConstants = require('@socketsecurity/registry/lib/constants');
-var isInteractive = require('@socketregistry/is-interactive/index.cjs');
-var terminalLink = _socketInterop(require('terminal-link'));
+var lockfileFile = _socketInterop(require('@pnpm/lockfile-file'));
+var lockfile_detectDepTypes = _socketInterop(require('@pnpm/lockfile.detect-dep-types'));
+var debug = require('@socketsecurity/registry/lib/debug');
 var spawn = require('@socketsecurity/registry/lib/spawn');
-var npa = _socketInterop(require('npm-package-arg'));
-var semver = _socketInterop(require('semver'));
-var tinyglobby = _socketInterop(require('tinyglobby'));
-var promises = require('@socketsecurity/registry/lib/promises');
+var shadowNpmPaths = require('./shadow-npm-paths.js');
 var browserslist = _socketInterop(require('browserslist'));
+var semver = _socketInterop(require('semver'));
 var which = _socketInterop(require('which'));
 var index_cjs = require('@socketregistry/hyrious__bun.lockb/index.cjs');
 var sorts = require('@socketsecurity/registry/lib/sorts');
 var strings = require('@socketsecurity/registry/lib/strings');
+var registryConstants = require('@socketsecurity/registry/lib/constants');
+var isInteractive = require('@socketregistry/is-interactive/index.cjs');
+var terminalLink = _socketInterop(require('terminal-link'));
+var npa = _socketInterop(require('npm-package-arg'));
+var tinyglobby = _socketInterop(require('tinyglobby'));
+var promises = require('@socketsecurity/registry/lib/promises');
 var yaml = _socketInterop(require('yaml'));
-var debug = require('@socketsecurity/registry/lib/debug');
-var shadowNpmPaths = require('./shadow-npm-paths.js');
 var betterAjvErrors = _socketInterop(require('@apideck/better-ajv-errors'));
 var config$A = require('@socketsecurity/config');
 var assert = require('node:assert');
 var readline = require('node:readline/promises');
+var BoxWidget = _socketInterop(require('blessed/lib/widgets/box'));
 var TableWidget = _socketInterop(require('blessed-contrib/lib/widget/table'));
 var readline$1 = require('node:readline');
@@ -321,7 +325,7 @@ class Core {
   }) {
     const introducedBy = [];
     if (pkg.direct) {
-      let manifests = pkg.manifestFiles.map(({
+      const manifests = pkg.manifestFiles.map(({
         file
       }) => file).join(';');
       introducedBy.push(['direct', manifests]);
@@ -332,7 +336,7 @@ class Core {
           continue;
         }
         const topPurl = `${topPackage.type}/${topPackage.name}@${topPackage.version}`;
-        let manifests = topPackage.manifestFiles.map(({
+        const manifests = topPackage.manifestFiles.map(({
           file
         }) => file).join(';');
         introducedBy.push([topPurl, manifests]);
@@ -764,7 +768,7 @@ function processSecurityComment({
   const result = [];
   let start = false;
   let ignoreAll = false;
-  let ignoredPackages = [];
+  const ignoredPackages = [];
   for (const ignoreComment of ignoreComments) {
     const parsed = parseIgnoreCommand(ignoreComment.body?.split('\n').at(0) ?? '');
     if (parsed.ignoreAll) {
@@ -788,7 +792,7 @@ function processSecurityComment({
       const [_, _title, packageLink, _introducedBy, _manifest, _ci] = line.split('|');
       // Parsing package link [npm/pkg](url)
-      let [_ecosystem, pkg] = packageLink.slice(1, packageLink.indexOf(']')).split('/', 2);
+      const [_ecosystem, pkg] = packageLink.slice(1, packageLink.indexOf(']')).split('/', 2);
       const [pkgName, pkgVersion] = pkg.split('@');
       // Checking if this package should be ignored
@@ -1111,8 +1115,8 @@ function createSources(alert) {
       manifests.push(addStr);
     }
   }
-  let manifestList = manifests.join('');
-  let sourceList = sources.join('');
+  const manifestList = manifests.join('');
+  const sourceList = sources.join('');
   const manifestStr = `<ul>${manifestList}</ul>`;
   const sourcesStr = `<ul>${sourceList}</ul>`;
   return [manifestStr, sourcesStr];
@@ -1257,8 +1261,8 @@ async function runAction(githubEventBefore, githubEventAfter) {
     const securityComment = securityCommentTemplate(diff);
     let newSecurityComment = true;
     let newOverviewComment = true;
-    let updateOldSecurityComment = comments.security !== undefined;
-    let updateOldOverviewComment = comments.overview !== undefined;
+    const updateOldSecurityComment = comments.security !== undefined;
+    const updateOldOverviewComment = comments.overview !== undefined;
     if (diff.newAlerts.length === 0) {
       if (!updateOldSecurityComment) {
         newSecurityComment = false;
@@ -1400,8 +1404,7 @@ const validationFlags = {
 const {
   DRY_RUN_LABEL: DRY_RUN_LABEL$1,
-  REDACTED,
-  SOCKET_CLI_SHOW_BANNER
+  REDACTED
 } = constants;
 async function meowWithSubcommands(subcommands, options) {
   const {
@@ -1435,11 +1438,7 @@ async function meowWithSubcommands(subcommands, options) {
   };
   // ...else we provide basic instructions and help.
-  // Temp disable until we clear the --json and --markdown usage
-  // Lazily access constants.ENV[SOCKET_CLI_SHOW_BANNER].
-  if (constants.ENV[SOCKET_CLI_SHOW_BANNER]) {
-    logger.logger.log(getAsciiHeader(name));
-  }
+  emitBanner(name);
   const cli = vendor.meow(`
     Usage
       $ ${name} <command>
@@ -1493,11 +1492,7 @@ function meowOrExit({
   parentName
 }) {
   const command = `${parentName} ${config.commandName}`;
-  // Temp disable until we clear the --json and --markdown usage.
-  // Lazily access constants.ENV[SOCKET_CLI_SHOW_BANNER].
-  if (constants.ENV[SOCKET_CLI_SHOW_BANNER]) {
-    logger.logger.log(getAsciiHeader(command));
-  }
+  emitBanner(command);
   // This exits if .printHelp() is called either by meow itself or by us.
   const cli = vendor.meow({
@@ -1514,13 +1509,24 @@ function meowOrExit({
   }
   return cli;
 }
+function emitBanner(name) {
+  // Print a banner at the top of each command.
+  // This helps with brand recognition and marketing.
+  // It also helps with debugging since it contains version and command details.
+  // Note: print over stderr to preserve stdout for flags like --json and
+  //       --markdown. If we don't do this, you can't use --json in particular
+  //       and pipe the result to other tools. By emiting the banner over stderr
+  //       you can do something like `socket scan view xyz | jq | process`.
+  //       The spinner also emits over stderr for example.
+  logger.logger.error(getAsciiHeader(name));
+}
 function getAsciiHeader(command) {
   const cliVersion = // The '@rollup/plugin-replace' will replace "process.env['SOCKET_CLI_VERSION_HASH']".
-  "0.14.57:6783de7:236c7308:pub";
+  "0.14.58:f270068:05655527:pub";
   const nodeVersion = process.version;
   const apiToken = shadowNpmInject.getSetting('apiToken');
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no';
-  const relCwd = process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}`, 'i'), '~/');
+  const relCwd = path$1.normalizePath(process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}(?:${path.sep}|$)`, 'i'), '~/'));
   const body = `
    _____         _       _        /---------------
   |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver ${cliVersion}
@@ -1719,7 +1725,7 @@ async function outputAnalyticsWithToken({
   // A message should already have been printed if we have no data here
   if (!data) return;
   if (outputKind === 'json') {
-    let serialized = renderJson(data);
+    const serialized = renderJson(data);
     if (!serialized) return;
     if (filePath && filePath !== '-') {
       try {
@@ -2191,6 +2197,9 @@ const config$x = {
     Usage
       $ ${command} <org slug>
+    This feature requires an Enterprise Plan. To learn more about getting access
+    to this feature and many more, please visit https://socket.dev/pricing
     Options
       ${getFlagListOutput(config.flags, 6)}
@@ -2246,22 +2255,22 @@ async function run$x(argv, importMeta, {
 }
 const {
-  NPM: NPM$e,
+  NPM: NPM$g,
   NPX: NPX$3,
-  PNPM: PNPM$8
+  PNPM: PNPM$a
 } = constants;
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$e, PNPM$8, 'ts', 'tsx', 'typescript']);
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$g, PNPM$a, 'ts', 'tsx', 'typescript']);
 async function runCycloneDX(yargv) {
   let cleanupPackageLock = false;
   if (yargv.type !== 'yarn' && nodejsPlatformTypes.has(yargv.type) && fs.existsSync('./yarn.lock')) {
     if (fs.existsSync('./package-lock.json')) {
-      yargv.type = NPM$e;
+      yargv.type = NPM$g;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
         await shadowBin(NPX$3, ['synp@1.9.14', '--', '--source-file', './yarn.lock'], 2);
-        yargv.type = NPM$e;
+        yargv.type = NPM$g;
         cleanupPackageLock = true;
       } catch {}
     }
@@ -2781,99 +2790,105 @@ const cmdDiffScan = {
   }
 };
-// import { detect } from '../../utils/package-environment-detector'
 const {
-  NPM: NPM$d
+  NPM: NPM$f
 } = constants;
 function isTopLevel(tree, node) {
   return tree.children.get(node.name) === node;
 }
-async function runFix() {
-  // Lazily access constants.spinner.
+async function npmFix(_pkgEnvDetails, cwd, options) {
   const {
     spinner
-  } = constants;
-  spinner.start();
-  const cwd = process.cwd();
-  const editablePkgJson = await packages.readPackageJson(cwd, {
-    editable: true
-  });
-  // const agentDetails = await detect()
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start();
   const arb = new shadowNpmInject.SafeArborist({
     path: cwd,
     ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
   });
   await arb.reify();
-  const alerts = await shadowNpmInject.getPackagesAlerts(arb, {
+  const alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, {
     consolidate: true,
-    includeExisting: true,
-    includeUnfixable: false
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
+    }
   });
-  const infoByPkg = shadowNpmInject.getCveInfoByPackage(alerts);
+  const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap);
+  if (!infoByPkg) {
+    spinner?.stop();
+    return;
+  }
   await arb.buildIdealTree();
-  if (infoByPkg) {
-    for (const {
-      0: name,
-      1: infos
-    } of infoByPkg) {
-      let revertToIdealTree = arb.idealTree;
-      arb.idealTree = null;
-      // eslint-disable-next-line no-await-in-loop
-      await arb.buildIdealTree();
-      const tree = arb.idealTree;
-      const hasUpgrade = !!registry.getManifestData(NPM$d, name);
-      if (hasUpgrade) {
-        spinner.info(`Skipping ${name}. Socket Optimize package exists.`);
-        continue;
-      }
-      const nodes = shadowNpmInject.findPackageNodes(tree, name);
-      const packument = nodes.length && infos.length ?
-      // eslint-disable-next-line no-await-in-loop
-      await packages.fetchPackagePackument(name) : null;
-      if (packument) {
-        for (let i = 0, {
-            length: nodesLength
-          } = nodes; i < nodesLength; i += 1) {
-          const node = nodes[i];
-          for (let j = 0, {
-              length: infosLength
-            } = infos; j < infosLength; j += 1) {
-            const {
-              firstPatchedVersionIdentifier,
-              vulnerableVersionRange
-            } = infos[j];
-            const {
-              version: oldVersion
-            } = node;
-            if (shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)) {
-              try {
-                // eslint-disable-next-line no-await-in-loop
-                await npm.runScript('test', [], {
-                  spinner,
-                  stdio: 'ignore'
-                });
-                spinner.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
-                if (isTopLevel(tree, node)) {
-                  for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
-                    const oldVersion = editablePkgJson.content[depField]?.[name];
-                    if (oldVersion) {
-                      const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? '';
-                      editablePkgJson.content[depField][name] = `${decorator}${node.version}`;
-                    }
-                  }
+  const editablePkgJson = await packages.readPackageJson(cwd, {
+    editable: true
+  });
+  for (const {
+    0: name,
+    1: infos
+  } of infoByPkg) {
+    const revertToIdealTree = arb.idealTree;
+    arb.idealTree = null;
+    // eslint-disable-next-line no-await-in-loop
+    await arb.buildIdealTree();
+    const tree = arb.idealTree;
+    const hasUpgrade = !!registry.getManifestData(NPM$f, name);
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`);
+      continue;
+    }
+    const nodes = shadowNpmInject.findPackageNodes(tree, name);
+    const packument = nodes.length && infos.length ?
+    // eslint-disable-next-line no-await-in-loop
+    await packages.fetchPackagePackument(name) : null;
+    if (!packument) {
+      continue;
+    }
+    for (let i = 0, {
+        length: nodesLength
+      } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i];
+      for (let j = 0, {
+          length: infosLength
+        } = infos; j < infosLength; j += 1) {
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = infos[j];
+        const {
+          version: oldVersion
+        } = node;
+        if (shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            await npm.runScript('test', [], {
+              spinner,
+              stdio: 'ignore'
+            });
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
+            if (isTopLevel(tree, node)) {
+              for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
+                const {
+                  content: pkgJson
+                } = editablePkgJson;
+                const oldVersion = pkgJson[depField]?.[name];
+                if (oldVersion) {
+                  const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? '';
+                  pkgJson[depField][name] = `${decorator}${node.version}`;
                 }
-                // eslint-disable-next-line no-await-in-loop
-                await editablePkgJson.save();
-              } catch {
-                spinner.error(`Reverting ${name} to ${oldVersion}`);
-                arb.idealTree = revertToIdealTree;
               }
-            } else {
-              spinner.error(`Could not patch ${name} ${oldVersion}`);
             }
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save();
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`);
+            arb.idealTree = revertToIdealTree;
           }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`);
         }
       }
     }
@@ -2883,161 +2898,676 @@ async function runFix() {
   });
   arb2.idealTree = arb.idealTree;
   await arb2.reify();
-  spinner.stop();
+  spinner?.stop();
 }
-const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
-} = constants;
-const config$t = {
-  commandName: 'fix',
-  description: 'Fix "fixable" Socket alerts',
-  hidden: true,
-  flags: {
-    ...commonFlags
-  },
-  help: (command, config) => `
-    Usage
-      $ ${command}
-    Options
-      ${getFlagListOutput(config.flags, 6)}
-  `
-};
-const cmdFix = {
-  description: config$t.description,
-  hidden: config$t.hidden,
-  run: run$t
-};
-async function run$t(argv, importMeta, {
-  parentName
-}) {
-  const cli = meowOrExit({
-    argv,
-    config: config$t,
-    importMeta,
-    parentName
-  });
-  if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
-    return;
+async function getAlertsMapFromPnpmLockfile(lockfile, options) {
+  const {
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const depTypes = lockfile_detectDepTypes.detectDepTypes(lockfile);
+  const pkgIds = Object.keys(depTypes);
+  let {
+    length: remaining
+  } = pkgIds;
+  const alertsByPkgId = new Map();
+  if (!remaining) {
+    return alertsByPkgId;
+  }
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner?.start(getText());
+  const toAlertsMapOptions = {
+    overrides: lockfile.overrides,
+    ...options
+  };
+  for await (const artifact of shadowNpmInject.batchScan(pkgIds)) {
+    await shadowNpmInject.addArtifactToAlertsMap(artifact, alertsByPkgId, toAlertsMapOptions);
+    remaining -= 1;
+    if (spinner && remaining > 0) {
+      spinner.start();
+      spinner.setText(getText());
+    }
   }
-  await runFix();
+  spinner?.stop();
+  return alertsByPkgId;
 }
-function objectSome(obj) {
-  for (const key in obj) {
-    if (obj[key]) {
-      return true;
+function cmdFlagsToString(args) {
+  const result = [];
+  for (let i = 0, {
+      length
+    } = args; i < length; i += 1) {
+    if (args[i].startsWith('--')) {
+      // Check if the next item exists and is NOT another flag.
+      if (i + 1 < length && !args[i + 1].startsWith('--')) {
+        result.push(`${args[i]}=${args[i + 1]}`);
+        i += 1;
+      } else {
+        result.push(args[i]);
+      }
     }
   }
-  return false;
+  return result.join(' ');
 }
-function pick(input, keys) {
-  const result = {};
-  for (const key of keys) {
-    result[key] = input[key];
+const {
+  SOCKET_IPC_HANDSHAKE
+} = constants;
+function safeNpmInstall(options) {
+  const {
+    agentExecPath = shadowNpmPaths.getNpmBinPath(),
+    args = [],
+    ipc,
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const useIpc = objects.isObject(ipc);
+  const useDebug = debug.isDebug();
+  const terminatorPos = args.indexOf('--');
+  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
+  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : [];
+  const spawnPromise = spawn.spawn(
+  // Lazily access constants.execPath.
+  constants.execPath, [
+  // Lazily access constants.nodeHardenFlags.
+  ...constants.nodeHardenFlags,
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags, '--require',
+  // Lazily access constants.distShadowNpmInjectPath.
+  constants.distShadowNpmInjectPath, agentExecPath, 'install',
+  // Avoid code paths for 'audit' and 'fund'.
+  '--no-audit', '--no-fund',
+  // Add `--no-progress` flag to fix input being swallowed by the spinner
+  // when running the command with recent versions of npm.
+  '--no-progress',
+  // Add '--loglevel=error' if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...logLevelArgs, ...npmArgs, ...otherArgs], {
+    spinner,
+    // Set stdio to include 'ipc'.
+    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
+    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
+    stdio: useIpc ? [0, 1, 2, 'ipc'] : 'inherit',
+    ...spawnOptions,
+    env: {
+      ...process$1.env,
+      ...spawnOptions.env
+    }
+  });
+  if (useIpc) {
+    spawnPromise.process.send({
+      [SOCKET_IPC_HANDSHAKE]: ipc
+    });
   }
-  return result;
+  return spawnPromise;
 }
-function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean);
+const {
+  NPM: NPM$e
+} = constants;
+function runAgentInstall(pkgEnvDetails, options) {
   const {
-    length
-  } = values;
-  if (!length) {
-    return '';
-  }
-  if (length === 1) {
-    return values[0];
+    agent,
+    agentExecPath
+  } = pkgEnvDetails;
+  // All package managers support the "install" command.
+  if (agent === NPM$e) {
+    return safeNpmInstall({
+      agentExecPath,
+      ...options
+    });
   }
-  const finalValue = values.pop();
-  return `${values.join(', ')}${separator}${finalValue}`;
+  const {
+    args = [],
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  return spawn.spawn(agentExecPath, ['install', ...args], {
+    spinner,
+    stdio: debug.isDebug() ? 'inherit' : 'ignore',
+    ...spawnOptions,
+    env: {
+      ...process.env,
+      NODE_OPTIONS: cmdFlagsToString([
+      // Lazily access constants.nodeHardenFlags.
+      ...constants.nodeHardenFlags,
+      // Lazily access constants.nodeNoWarningsFlags.
+      ...constants.nodeNoWarningsFlags]),
+      ...spawnOptions.env
+    }
+  });
 }
-// Ordered from most severe to least.
-const SEVERITIES_BY_ORDER = ['critical', 'high', 'middle', 'low'];
-function getDesiredSeverities(lowestToInclude) {
-  const result = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    result.push(severity);
-    if (severity === lowestToInclude) {
-      break;
-    }
+const {
+  NPM: NPM$d,
+  OVERRIDES: OVERRIDES$2,
+  PNPM: PNPM$9
+} = constants;
+async function pnpmFix(pkgEnvDetails, cwd, options) {
+  const {
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start();
+  const lockfile = await lockfileFile.readWantedLockfile(cwd, {
+    ignoreIncompatible: false
+  });
+  if (!lockfile) {
+    spinner?.stop();
+    return;
   }
-  return result;
-}
-function formatSeverityCount(severityCount) {
-  const summary = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`);
+  const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {
+    consolidate: true,
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
     }
+  });
+  const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap);
+  if (!infoByPkg) {
+    spinner?.stop();
+    return;
   }
-  return stringJoinWithSeparateFinalSeparator(summary);
-}
-function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick({
-    low: 0,
-    middle: 0,
-    high: 0,
-    critical: 0
-  }, getDesiredSeverities(lowestToInclude));
-  for (const issue of issues) {
-    const {
-      value
-    } = issue;
-    if (!value) {
+  const arb = new shadowNpmInject.SafeArborist({
+    path: cwd,
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  });
+  await arb.loadActual();
+  const editablePkgJson = await packages.readPackageJson(cwd, {
+    editable: true
+  });
+  const {
+    content: pkgJson
+  } = editablePkgJson;
+  for (const {
+    0: name,
+    1: infos
+  } of infoByPkg) {
+    const tree = arb.actualTree;
+    const hasUpgrade = !!registry.getManifestData(NPM$d, name);
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`);
       continue;
     }
-    if (severityCount[value.severity] !== undefined) {
-      severityCount[value.severity] += 1;
+    const nodes = shadowNpmInject.findPackageNodes(tree, name);
+    const packument = nodes.length && infos.length ?
+    // eslint-disable-next-line no-await-in-loop
+    await packages.fetchPackagePackument(name) : null;
+    if (!packument) {
+      continue;
     }
-  }
-  return severityCount;
-}
+    for (let i = 0, {
+        length: nodesLength
+      } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i];
+      for (let j = 0, {
+          length: infosLength
+        } = infos; j < infosLength; j += 1) {
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = infos[j];
+        const {
+          version: oldVersion
+        } = node;
+        const availableVersions = Object.keys(packument.versions);
+        // Find the highest non-vulnerable version within the same major range
+        const targetVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
+        const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+        if (targetPackument) {
+          const oldPnpm = pkgJson[PNPM$9];
+          const oldOverrides = oldPnpm?.[OVERRIDES$2];
+          try {
+            editablePkgJson.update({
+              [PNPM$9]: {
+                ...oldPnpm,
+                [OVERRIDES$2]: {
+                  [`${node.name}@${vulnerableVersionRange}`]: `^${targetVersion}`,
+                  ...oldOverrides
+                }
+              }
+            });
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
-async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
-  const socketSdk = await shadowNpmInject.setupSdk(shadowNpmInject.getPublicToken());
-  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package');
-  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score');
-  if (result.success === false) {
-    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result);
-  }
-  if (scoreResult.success === false) {
-    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult);
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save();
+            // eslint-disable-next-line no-await-in-loop
+            await runAgentInstall(pkgEnvDetails, {
+              spinner
+            });
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`);
+          }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`);
+        }
+      }
+    }
   }
-  const severityCount = getSeverityCount(result.data, includeAllIssues ? undefined : 'high');
-  return {
-    data: result.data,
-    severityCount,
-    score: scoreResult.data
-  };
+  spinner?.stop();
 }
 const {
-  NPM: NPM$c
-} = registryConstants;
-function formatPackageInfo({
-  data,
-  score,
-  severityCount
-}, {
-  name,
-  outputKind,
-  pkgName,
-  pkgVersion
-}) {
-  if (outputKind === 'json') {
-    logger.logger.log(JSON.stringify(data, undefined, 2));
-    return;
+  BINARY_LOCK_EXT,
+  BUN: BUN$6,
+  LOCK_EXT: LOCK_EXT$1,
+  NPM: NPM$c,
+  PNPM: PNPM$8,
+  VLT: VLT$6,
+  YARN,
+  YARN_BERRY: YARN_BERRY$6,
+  YARN_CLASSIC: YARN_CLASSIC$6
+} = constants;
+const AGENTS = [BUN$6, NPM$c, PNPM$8, YARN_BERRY$6, YARN_CLASSIC$6, VLT$6];
+const binByAgent = {
+  __proto__: null,
+  [BUN$6]: BUN$6,
+  [NPM$c]: NPM$c,
+  [PNPM$8]: PNPM$8,
+  [YARN_BERRY$6]: YARN,
+  [YARN_CLASSIC$6]: YARN,
+  [VLT$6]: VLT$6
+};
+async function getAgentExecPath(agent) {
+  const binName = binByAgent[agent];
+  return (await which(binName, {
+    nothrow: true
+  })) ?? binName;
+}
+async function getAgentVersion(agentExecPath, cwd) {
+  let result;
+  try {
+    result = semver.coerce(
+    // All package managers support the "--version" flag.
+    (await spawn.spawn(agentExecPath, ['--version'], {
+      cwd
+    })).stdout) ?? undefined;
+  } catch {}
+  return result;
+}
+// The order of LOCKS properties IS significant as it affects iteration order.
+const LOCKS = {
+  [`bun${LOCK_EXT$1}`]: BUN$6,
+  [`bun${BINARY_LOCK_EXT}`]: BUN$6,
+  // If both package-lock.json and npm-shrinkwrap.json are present in the root
+  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
+  // will be ignored.
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
+  'npm-shrinkwrap.json': NPM$c,
+  'package-lock.json': NPM$c,
+  'pnpm-lock.yaml': PNPM$8,
+  'pnpm-lock.yml': PNPM$8,
+  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$6,
+  'vlt-lock.json': VLT$6,
+  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
+  //
+  // Unlike the other LOCKS keys this key contains a directory AND filename so
+  // it has to be handled differently.
+  'node_modules/.package-lock.json': NPM$c
+};
+const readLockFileByAgent = (() => {
+  function wrapReader(reader) {
+    return async (...args) => {
+      try {
+        return await reader(...args);
+      } catch {}
+      return undefined;
+    };
+  }
+  const binaryReader = wrapReader(shadowNpmInject.readFileBinary);
+  const defaultReader = wrapReader(async lockPath => await shadowNpmInject.readFileUtf8(lockPath));
+  return {
+    [BUN$6]: wrapReader(async (lockPath, agentExecPath) => {
+      const ext = path.extname(lockPath);
+      if (ext === LOCK_EXT$1) {
+        return await defaultReader(lockPath);
+      }
+      if (ext === BINARY_LOCK_EXT) {
+        const lockBuffer = await binaryReader(lockPath);
+        if (lockBuffer) {
+          try {
+            return index_cjs.parse(lockBuffer);
+          } catch {}
+        }
+        // To print a Yarn lockfile to your console without writing it to disk
+        // use `bun bun.lockb`.
+        // https://bun.sh/guides/install/yarnlock
+        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
+      }
+      return undefined;
+    }),
+    [NPM$c]: defaultReader,
+    [PNPM$8]: defaultReader,
+    [VLT$6]: defaultReader,
+    [YARN_BERRY$6]: defaultReader,
+    [YARN_CLASSIC$6]: defaultReader
+  };
+})();
+async function detectPackageEnvironment({
+  cwd = process$1.cwd(),
+  onUnknown
+} = {}) {
+  let lockPath = await shadowNpmInject.findUp(Object.keys(LOCKS), {
+    cwd
+  });
+  let lockName = lockPath ? path.basename(lockPath) : undefined;
+  const isHiddenLockFile = lockName === '.package-lock.json';
+  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await shadowNpmInject.findUp('package.json', {
+    cwd
+  });
+  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
+  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
+    editable: true
+  }) : undefined;
+  const pkgJson = editablePkgJson?.content;
+  // Read Corepack `packageManager` field in package.json:
+  // https://nodejs.org/api/packages.html#packagemanager
+  const pkgManager = strings.isNonEmptyString(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
+  let agent;
+  let agentVersion;
+  if (pkgManager) {
+    const atSignIndex = pkgManager.lastIndexOf('@');
+    if (atSignIndex !== -1) {
+      const name = pkgManager.slice(0, atSignIndex);
+      const version = pkgManager.slice(atSignIndex + 1);
+      if (version && AGENTS.includes(name)) {
+        agent = name;
+        agentVersion = semver.coerce(version) ?? undefined;
+      }
+    }
+  }
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
+    agent = LOCKS[lockName];
+  }
+  if (agent === undefined) {
+    agent = NPM$c;
+    onUnknown?.(pkgManager);
+  }
+  const agentExecPath = await getAgentExecPath(agent);
+  const npmExecPath = agent === NPM$c ? agentExecPath : await getAgentExecPath(NPM$c);
+  if (agentVersion === undefined) {
+    agentVersion = await getAgentVersion(agentExecPath, cwd);
+  }
+  if (agent === YARN_CLASSIC$6 && (agentVersion?.major ?? 0) > 1) {
+    agent = YARN_BERRY$6;
+  }
+  const targets = {
+    browser: false,
+    node: true
+  };
+  let lockSrc;
+  // Lazily access constants.maintainedNodeVersions.
+  let minimumNodeVersion = constants.maintainedNodeVersions.last;
+  if (pkgJson) {
+    const browserField = pkgJson.browser;
+    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
+      targets.browser = true;
+    }
+    const nodeRange = pkgJson.engines?.['node'];
+    if (strings.isNonEmptyString(nodeRange)) {
+      const coerced = semver.coerce(nodeRange);
+      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+        minimumNodeVersion = coerced.version;
+      }
+    }
+    const browserslistQuery = pkgJson['browserslist'];
+    if (Array.isArray(browserslistQuery)) {
+      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
+      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
+      if (!targets.browser && browserslistTargets.length) {
+        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
+      }
+      if (browserslistNodeTargets.length) {
+        const coerced = semver.coerce(browserslistNodeTargets[0]);
+        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+          minimumNodeVersion = coerced.version;
+        }
+      }
+    }
+    // Lazily access constants.maintainedNodeVersions.
+    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
+    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
+  } else {
+    lockName = undefined;
+    lockPath = undefined;
+  }
+  return {
+    agent,
+    agentExecPath,
+    agentVersion,
+    lockName,
+    lockPath,
+    lockSrc,
+    minimumNodeVersion,
+    npmExecPath,
+    pkgJson: editablePkgJson,
+    pkgPath,
+    supported: targets.browser || targets.node,
+    targets
+  };
+}
+const {
+  BUN: BUN$5,
+  VLT: VLT$5,
+  YARN_BERRY: YARN_BERRY$5
+} = constants;
+const COMMAND_TITLE$2 = 'Socket Optimize';
+async function detectAndValidatePackageEnvironment(cwd, options) {
+  const {
+    logger,
+    prod
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const details = await detectPackageEnvironment({
+    cwd,
+    onUnknown(pkgManager) {
+      logger?.warn(`${COMMAND_TITLE$2}: Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`);
+    }
+  });
+  if (!details.supported) {
+    logger?.fail(`${COMMAND_TITLE$2}: No supported Node or browser range detected`);
+    return;
+  }
+  if (details.agent === VLT$5) {
+    logger?.fail(`${COMMAND_TITLE$2}: ${details.agent} does not support overrides. Soon, though ⚡`);
+    return;
+  }
+  const lockName = details.lockName ?? 'lock file';
+  if (details.lockName === undefined || details.lockSrc === undefined) {
+    logger?.fail(`${COMMAND_TITLE$2}: No ${lockName} found`);
+    return;
+  }
+  if (details.lockSrc.trim() === '') {
+    logger?.fail(`${COMMAND_TITLE$2}: ${lockName} is empty`);
+    return;
+  }
+  if (details.pkgPath === undefined) {
+    logger?.fail(`${COMMAND_TITLE$2}: No package.json found`);
+    return;
+  }
+  if (prod && (details.agent === BUN$5 || details.agent === YARN_BERRY$5)) {
+    logger?.fail(`${COMMAND_TITLE$2}: --prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.toString()}` : ''}`);
+    return;
+  }
+  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
+    logger?.warn(`${COMMAND_TITLE$2}: Package ${lockName} found at ${details.lockPath}`);
+  }
+  return details;
+}
+const {
+  NPM: NPM$b,
+  PNPM: PNPM$7
+} = constants;
+async function runFix() {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start();
+  const cwd = process.cwd();
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    logger: logger.logger
+  });
+  if (!pkgEnvDetails) {
+    spinner.stop();
+    return;
+  }
+  switch (pkgEnvDetails.agent) {
+    case NPM$b:
+      {
+        await npmFix(pkgEnvDetails, cwd);
+        break;
+      }
+    case PNPM$7:
+      {
+        await pnpmFix(pkgEnvDetails, cwd);
+        break;
+      }
+  }
+  spinner.successAndStop('Socket.dev fix successful');
+}
+const {
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
+} = constants;
+const config$t = {
+  commandName: 'fix',
+  description: 'Fix "fixable" Socket alerts',
+  hidden: true,
+  flags: {
+    ...commonFlags
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command}
+    Options
+      ${getFlagListOutput(config.flags, 6)}
+  `
+};
+const cmdFix = {
+  description: config$t.description,
+  hidden: config$t.hidden,
+  run: run$t
+};
+async function run$t(argv, importMeta, {
+  parentName
+}) {
+  const cli = meowOrExit({
+    argv,
+    config: config$t,
+    importMeta,
+    parentName
+  });
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
+    return;
+  }
+  await runFix();
+}
+async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
+  const socketSdk = await shadowNpmInject.setupSdk(shadowNpmInject.getPublicToken());
+  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package');
+  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score');
+  if (result.success === false) {
+    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result);
+  }
+  if (scoreResult.success === false) {
+    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult);
+  }
+  const severityCount = shadowNpmInject.getSeverityCount(result.data, includeAllIssues ? undefined : 'high');
+  return {
+    data: result.data,
+    severityCount,
+    score: scoreResult.data
+  };
+}
+const {
+  NPM: NPM$a
+} = registryConstants;
+function formatScore(score) {
+  if (score > 80) {
+    return colors.green(`${score}`);
+  } else if (score < 80 && score > 60) {
+    return colors.yellow(`${score}`);
+  }
+  return colors.red(`${score}`);
+}
+function logPackageIssuesDetails(packageData, outputMarkdown) {
+  const issueDetails = packageData.filter(d => d.value?.severity === shadowNpmInject.SEVERITY.critical || d.value?.severity === shadowNpmInject.SEVERITY.high);
+  const uniqueIssueDetails = issueDetails.reduce((acc, issue) => {
+    const {
+      type
+    } = issue;
+    if (type) {
+      const details = acc.get(type);
+      if (details) {
+        details.count += 1;
+      } else {
+        acc.set(type, {
+          label: issue.value?.label ?? '',
+          count: 1
+        });
+      }
+    }
+    return acc;
+  }, new Map());
+  const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
+  for (const [type, details] of uniqueIssueDetails.entries()) {
+    const issueWithLink = format.hyperlink(details.label, shadowNpmInject.getSocketDevAlertUrl(type), {
+      fallbackToUrl: true
+    });
+    if (details.count === 1) {
+      logger.logger.log(`- ${issueWithLink}`);
+    } else {
+      logger.logger.log(`- ${issueWithLink}: ${details.count}`);
+    }
+  }
+}
+function logPackageInfo({
+  data,
+  score,
+  severityCount
+}, {
+  name,
+  outputKind,
+  pkgName,
+  pkgVersion
+}) {
+  if (outputKind === 'json') {
+    logger.logger.log(JSON.stringify(data, undefined, 2));
+    return;
   }
   if (outputKind === 'markdown') {
-    logger.logger.log(`\n# Package report for ${pkgName}\n`);
-    logger.logger.log('Package report card:\n');
+    logger.logger.log(commonTags.stripIndents`
+      # Package report for ${pkgName}
+      Package report card:
+    `);
   } else {
-    logger.logger.log(`\nPackage report card for ${pkgName}:\n`);
+    logger.logger.log(`Package report card for ${pkgName}:`);
   }
   const scoreResult = {
     'Supply Chain Risk': Math.floor(score.supplyChainRisk.score * 100),
@@ -3046,19 +3576,20 @@ function formatPackageInfo({
     Vulnerabilities: Math.floor(score.vulnerability.score * 100),
     License: Math.floor(score.license.score * 100)
   };
+  logger.logger.log('\n');
   Object.entries(scoreResult).map(score => logger.logger.log(`- ${score[0]}: ${formatScore(score[1])}`));
   logger.logger.log('\n');
-  if (objectSome(severityCount)) {
+  if (objects.hasKeys(severityCount)) {
     if (outputKind === 'markdown') {
       logger.logger.log('# Issues\n');
     }
-    logger.logger.log(`Package has these issues: ${formatSeverityCount(severityCount)}\n`);
-    formatPackageIssuesDetails(data, outputKind === 'markdown');
+    logger.logger.log(`Package has these issues: ${shadowNpmInject.formatSeverityCount(severityCount)}\n`);
+    logPackageIssuesDetails(data, outputKind === 'markdown');
   } else {
     logger.logger.log('Package has no issues');
   }
   const format = new shadowNpmInject.ColorOrMarkdown(outputKind === 'markdown');
-  const url = shadowNpmInject.getSocketDevPackageOverviewUrl(NPM$c, pkgName, pkgVersion);
+  const url = shadowNpmInject.getSocketDevPackageOverviewUrl(NPM$a, pkgName, pkgVersion);
   logger.logger.log('\n');
   if (pkgVersion === 'latest') {
     logger.logger.log(`Detailed info on socket.dev: ${format.hyperlink(`${pkgName}`, url, {
@@ -3069,49 +3600,11 @@ function formatPackageInfo({
       fallbackToUrl: true
     })}`);
   }
-  if (outputKind !== 'markdown') {
-    logger.logger.log(colors.dim(`\nOr rerun ${colors.italic(name)} using the ${colors.italic('--json')} flag to get full JSON output`));
-  } else {
-    logger.logger.log('');
-  }
-}
-function formatPackageIssuesDetails(packageData, outputMarkdown) {
-  const issueDetails = packageData.filter(d => d.value?.severity === 'high' || d.value?.severity === 'critical');
-  const uniqueIssues = issueDetails.reduce((acc, issue) => {
-    const {
-      type
-    } = issue;
-    if (type) {
-      if (acc[type] === undefined) {
-        acc[type] = {
-          label: issue.value?.label,
-          count: 1
-        };
-      } else {
-        acc[type].count += 1;
-      }
-    }
-    return acc;
-  }, {});
-  const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
-  for (const issue of Object.keys(uniqueIssues)) {
-    const issueWithLink = format.hyperlink(`${uniqueIssues[issue]?.label}`, shadowNpmInject.getSocketDevAlertUrl(issue), {
-      fallbackToUrl: true
-    });
-    if (uniqueIssues[issue]?.count === 1) {
-      logger.logger.log(`- ${issueWithLink}`);
-    } else {
-      logger.logger.log(`- ${issueWithLink}: ${uniqueIssues[issue]?.count}`);
-    }
-  }
-}
-function formatScore(score) {
-  if (score > 80) {
-    return colors.green(`${score}`);
-  } else if (score < 80 && score > 60) {
-    return colors.yellow(`${score}`);
-  }
-  return colors.red(`${score}`);
+  if (outputKind !== 'markdown') {
+    logger.logger.log(colors.dim(`\nOr rerun ${colors.italic(name)} using the ${colors.italic('--json')} flag to get full JSON output`));
+  } else {
+    logger.logger.log('');
+  }
 }
 async function getPackageInfo({
@@ -3130,13 +3623,13 @@ async function getPackageInfo({
   const packageData = await fetchPackageInfo(pkgName, pkgVersion, includeAllIssues);
   spinner.successAndStop('Data fetched');
   if (packageData) {
-    formatPackageInfo(packageData, {
+    logPackageInfo(packageData, {
       name: commandName,
       outputKind,
       pkgName,
       pkgVersion
     });
-    if (strict && objectSome(packageData.severityCount)) {
+    if (strict && objects.hasKeys(packageData.severityCount)) {
       // Let NodeJS exit gracefully but with exit(1)
       process$1.exitCode = 1;
     }
@@ -3338,8 +3831,8 @@ async function run$r(argv, importMeta, {
     importMeta,
     parentName
   });
-  let apiBaseUrl = cli.flags['apiBaseUrl'];
-  let apiProxy = cli.flags['apiProxy'];
+  const apiBaseUrl = cli.flags['apiBaseUrl'];
+  const apiProxy = cli.flags['apiProxy'];
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAIL_TEXT$q);
     return;
@@ -3808,6 +4301,9 @@ const config$o = {
     Support is beta. Please report issues or give us feedback on what's missing.
+    This is only for SBT. If your Scala setup uses gradle, please see the help
+    sections for \`socket manifest gradle\` or \`socket cdxgen\`.
     Examples
       $ ${command} ./build.sbt
@@ -4181,21 +4677,21 @@ async function run$l(argv, importMeta, {
 }
 const {
-  NPM: NPM$b
+  NPM: NPM$9
 } = constants;
 async function wrapNpm(argv) {
   // Lazily access constants.distShadowNpmBinPath.
   const shadowBin = require(constants.distShadowNpmBinPath);
-  await shadowBin(NPM$b, argv);
+  await shadowBin(NPM$9, argv);
 }
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k,
-  NPM: NPM$a
+  NPM: NPM$8
 } = constants;
 const config$k = {
   commandName: 'npm',
-  description: `${NPM$a} wrapper functionality`,
+  description: `${NPM$8} wrapper functionality`,
   hidden: false,
   flags: {},
   help: (command, _config) => `
@@ -4309,273 +4805,20 @@ async function run$i(argv, importMeta, {
 }
 const {
-  BUN: BUN$6,
-  NPM: NPM$9,
-  PNPM: PNPM$7,
-  VLT: VLT$6,
-  YARN_BERRY: YARN_BERRY$6,
-  YARN_CLASSIC: YARN_CLASSIC$6
-} = constants;
-function matchHumanStdout(stdout, name) {
-  return stdout.includes(` ${name}@`);
-}
-function matchQueryStdout(stdout, name) {
-  return stdout.includes(`"${name}"`);
-}
-const depsIncludesByAgent = new Map([[BUN$6, matchHumanStdout], [NPM$9, matchQueryStdout], [PNPM$7, matchQueryStdout], [VLT$6, matchQueryStdout], [YARN_BERRY$6, matchHumanStdout], [YARN_CLASSIC$6, matchHumanStdout]]);
-const {
-  BINARY_LOCK_EXT,
-  BUN: BUN$5,
-  LOCK_EXT: LOCK_EXT$1,
-  NPM: NPM$8,
+  BUN: BUN$4,
+  NPM: NPM$7,
   PNPM: PNPM$6,
-  VLT: VLT$5,
-  YARN,
-  YARN_BERRY: YARN_BERRY$5,
+  VLT: VLT$4,
+  YARN_BERRY: YARN_BERRY$4,
   YARN_CLASSIC: YARN_CLASSIC$5
 } = constants;
-const AGENTS = [BUN$5, NPM$8, PNPM$6, YARN_BERRY$5, YARN_CLASSIC$5, VLT$5];
-const binByAgent = {
-  __proto__: null,
-  [BUN$5]: BUN$5,
-  [NPM$8]: NPM$8,
-  [PNPM$6]: PNPM$6,
-  [YARN_BERRY$5]: YARN,
-  [YARN_CLASSIC$5]: YARN,
-  [VLT$5]: VLT$5
-};
-async function getAgentExecPath(agent) {
-  const binName = binByAgent[agent];
-  return (await which(binName, {
-    nothrow: true
-  })) ?? binName;
-}
-async function getAgentVersion(agentExecPath, cwd) {
-  let result;
-  try {
-    result = semver.coerce(
-    // All package managers support the "--version" flag.
-    (await spawn.spawn(agentExecPath, ['--version'], {
-      cwd
-    })).stdout) ?? undefined;
-  } catch {}
-  return result;
-}
-// The order of LOCKS properties IS significant as it affects iteration order.
-const LOCKS = {
-  [`bun${LOCK_EXT$1}`]: BUN$5,
-  [`bun${BINARY_LOCK_EXT}`]: BUN$5,
-  // If both package-lock.json and npm-shrinkwrap.json are present in the root
-  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
-  // will be ignored.
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
-  'npm-shrinkwrap.json': NPM$8,
-  'package-lock.json': NPM$8,
-  'pnpm-lock.yaml': PNPM$6,
-  'pnpm-lock.yml': PNPM$6,
-  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$5,
-  'vlt-lock.json': VLT$5,
-  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
-  //
-  // Unlike the other LOCKS keys this key contains a directory AND filename so
-  // it has to be handled differently.
-  'node_modules/.package-lock.json': NPM$8
-};
-const readLockFileByAgent = (() => {
-  function wrapReader(reader) {
-    return async (...args) => {
-      try {
-        return await reader(...args);
-      } catch {}
-      return undefined;
-    };
-  }
-  const binaryReader = wrapReader(shadowNpmInject.readFileBinary);
-  const defaultReader = wrapReader(async lockPath => await shadowNpmInject.readFileUtf8(lockPath));
-  return {
-    [BUN$5]: wrapReader(async (lockPath, agentExecPath) => {
-      const ext = path.extname(lockPath);
-      if (ext === LOCK_EXT$1) {
-        return await defaultReader(lockPath);
-      }
-      if (ext === BINARY_LOCK_EXT) {
-        const lockBuffer = await binaryReader(lockPath);
-        if (lockBuffer) {
-          try {
-            return index_cjs.parse(lockBuffer);
-          } catch {}
-        }
-        // To print a Yarn lockfile to your console without writing it to disk
-        // use `bun bun.lockb`.
-        // https://bun.sh/guides/install/yarnlock
-        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
-      }
-      return undefined;
-    }),
-    [NPM$8]: defaultReader,
-    [PNPM$6]: defaultReader,
-    [VLT$5]: defaultReader,
-    [YARN_BERRY$5]: defaultReader,
-    [YARN_CLASSIC$5]: defaultReader
-  };
-})();
-async function detectPackageEnvironment({
-  cwd = process$1.cwd(),
-  onUnknown
-} = {}) {
-  let lockPath = await shadowNpmInject.findUp(Object.keys(LOCKS), {
-    cwd
-  });
-  let lockName = lockPath ? path.basename(lockPath) : undefined;
-  const isHiddenLockFile = lockName === '.package-lock.json';
-  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await shadowNpmInject.findUp('package.json', {
-    cwd
-  });
-  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
-  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
-    editable: true
-  }) : undefined;
-  const pkgJson = editablePkgJson?.content;
-  // Read Corepack `packageManager` field in package.json:
-  // https://nodejs.org/api/packages.html#packagemanager
-  const pkgManager = strings.isNonEmptyString(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
-  let agent;
-  let agentVersion;
-  if (pkgManager) {
-    const atSignIndex = pkgManager.lastIndexOf('@');
-    if (atSignIndex !== -1) {
-      const name = pkgManager.slice(0, atSignIndex);
-      const version = pkgManager.slice(atSignIndex + 1);
-      if (version && AGENTS.includes(name)) {
-        agent = name;
-        agentVersion = semver.coerce(version) ?? undefined;
-      }
-    }
-  }
-  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
-    agent = LOCKS[lockName];
-  }
-  if (agent === undefined) {
-    agent = NPM$8;
-    onUnknown?.(pkgManager);
-  }
-  const agentExecPath = await getAgentExecPath(agent);
-  const npmExecPath = agent === NPM$8 ? agentExecPath : await getAgentExecPath(NPM$8);
-  if (agentVersion === undefined) {
-    agentVersion = await getAgentVersion(agentExecPath, cwd);
-  }
-  if (agent === YARN_CLASSIC$5 && (agentVersion?.major ?? 0) > 1) {
-    agent = YARN_BERRY$5;
-  }
-  const targets = {
-    browser: false,
-    node: true
-  };
-  let lockSrc;
-  // Lazily access constants.maintainedNodeVersions.
-  let minimumNodeVersion = constants.maintainedNodeVersions.previous;
-  if (pkgJson) {
-    const browserField = pkgJson.browser;
-    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
-      targets.browser = true;
-    }
-    const nodeRange = pkgJson.engines?.['node'];
-    if (strings.isNonEmptyString(nodeRange)) {
-      const coerced = semver.coerce(nodeRange);
-      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-        minimumNodeVersion = coerced.version;
-      }
-    }
-    const browserslistQuery = pkgJson['browserslist'];
-    if (Array.isArray(browserslistQuery)) {
-      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
-      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
-      if (!targets.browser && browserslistTargets.length) {
-        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
-      }
-      if (browserslistNodeTargets.length) {
-        const coerced = semver.coerce(browserslistNodeTargets[0]);
-        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-          minimumNodeVersion = coerced.version;
-        }
-      }
-    }
-    // Lazily access constants.maintainedNodeVersions.
-    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
-    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
-  } else {
-    lockName = undefined;
-    lockPath = undefined;
-  }
-  return {
-    agent,
-    agentExecPath,
-    agentVersion,
-    lockName,
-    lockPath,
-    lockSrc,
-    minimumNodeVersion,
-    npmExecPath,
-    pkgJson: editablePkgJson,
-    pkgPath,
-    supported: targets.browser || targets.node,
-    targets
-  };
+function matchLsCmdViewHumanStdout(stdout, name) {
+  return stdout.includes(` ${name}@`);
 }
-const {
-  BUN: BUN$4,
-  VLT: VLT$4,
-  YARN_BERRY: YARN_BERRY$4
-} = constants;
-const COMMAND_TITLE$2 = 'Socket Optimize';
-async function detectAndValidatePackageEnvironment(cwd, options) {
-  const {
-    logger,
-    prod
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const details = await detectPackageEnvironment({
-    cwd,
-    onUnknown(pkgManager) {
-      logger?.warn(`${COMMAND_TITLE$2}: Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`);
-    }
-  });
-  if (!details.supported) {
-    logger?.fail(`${COMMAND_TITLE$2}: No supported Node or browser range detected`);
-    return;
-  }
-  if (details.agent === VLT$4) {
-    logger?.fail(`${COMMAND_TITLE$2}: ${details.agent} does not support overrides. Soon, though ⚡`);
-    return;
-  }
-  const lockName = details.lockName ?? 'lock file';
-  if (details.lockName === undefined || details.lockSrc === undefined) {
-    logger?.fail(`${COMMAND_TITLE$2}: No ${lockName} found`);
-    return;
-  }
-  if (details.lockSrc.trim() === '') {
-    logger?.fail(`${COMMAND_TITLE$2}: ${lockName} is empty`);
-    return;
-  }
-  if (details.pkgPath === undefined) {
-    logger?.fail(`${COMMAND_TITLE$2}: No package.json found`);
-    return;
-  }
-  if (prod && (details.agent === BUN$4 || details.agent === YARN_BERRY$4)) {
-    logger?.fail(`${COMMAND_TITLE$2}: --prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.toString()}` : ''}`);
-    return;
-  }
-  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
-    logger?.warn(`${COMMAND_TITLE$2}: Package ${lockName} found at ${details.lockPath}`);
-  }
-  return details;
+function matchQueryCmdStdout(stdout, name) {
+  return stdout.includes(`"${name}"`);
 }
+const depsIncludesByAgent = new Map([[BUN$4, matchLsCmdViewHumanStdout], [NPM$7, matchQueryCmdStdout], [PNPM$6, matchQueryCmdStdout], [VLT$4, matchQueryCmdStdout], [YARN_BERRY$4, matchLsCmdViewHumanStdout], [YARN_CLASSIC$5, matchLsCmdViewHumanStdout]]);
 function getDependencyEntries(pkgJson) {
   const {
@@ -4603,7 +4846,7 @@ function getDependencyEntries(pkgJson) {
 const {
   BUN: BUN$3,
-  NPM: NPM$7,
+  NPM: NPM$6,
   OVERRIDES: OVERRIDES$1,
   PNPM: PNPM$5,
   RESOLUTIONS: RESOLUTIONS$1,
@@ -4624,7 +4867,7 @@ function getOverridesDataBun(pkgJson) {
 function getOverridesDataNpm(pkgJson) {
   const overrides = pkgJson?.[OVERRIDES$1] ?? {};
   return {
-    type: NPM$7,
+    type: NPM$6,
     overrides
   };
 }
@@ -4665,7 +4908,7 @@ function getOverridesDataClassic(pkgJson) {
     overrides
   };
 }
-const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$7, getOverridesDataNpm], [PNPM$5, getOverridesDataPnpm], [VLT$3, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataClassic]]);
+const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$6, getOverridesDataNpm], [PNPM$5, getOverridesDataPnpm], [VLT$3, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataClassic]]);
 const {
   PNPM: PNPM$4
@@ -4713,26 +4956,26 @@ function workspacePatternToGlobPattern(workspace) {
 const {
   BUN: BUN$2,
   LOCK_EXT,
-  NPM: NPM$6,
+  NPM: NPM$5,
   PNPM: PNPM$3,
   VLT: VLT$2,
   YARN_BERRY: YARN_BERRY$2,
   YARN_CLASSIC: YARN_CLASSIC$3
 } = constants;
-function lockIncludesNpm(lockSrc, name) {
+function includesNpm(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name":
   return lockSrc.includes(`"${name}":`);
 }
-function lockIncludesBun(lockSrc, name, lockName) {
+function includesBun(lockSrc, name, lockName) {
   // This is a bit counterintuitive. When lockName ends with a .lockb
   // we treat it as a yarn.lock. When lockName ends with a .lock we
   // treat it as a package-lock.json. The bun.lock format is not identical
   // package-lock.json, however it close enough for npmLockIncludes to work.
-  const lockScanner = lockName?.endsWith(LOCK_EXT) ? lockIncludesNpm : lockIncludesYarn;
-  return lockScanner(lockSrc, name);
+  const lockfileScanner = lockName?.endsWith(LOCK_EXT) ? includesNpm : includesYarn;
+  return lockfileScanner(lockSrc, name);
 }
-function lockIncludesPnpm(lockSrc, name) {
+function includesPnpm(lockSrc, name) {
   const escapedName = regexps.escapeRegExp(name);
   return new RegExp(
   // Detects the package name in the following cases:
@@ -4742,12 +4985,12 @@ function lockIncludesPnpm(lockSrc, name) {
   //   name@
   `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
 }
-function lockIncludesVlt(lockSrc, name) {
+function includesVlt(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name"
   return lockSrc.includes(`"${name}"`);
 }
-function lockIncludesYarn(lockSrc, name) {
+function includesYarn(lockSrc, name) {
   const escapedName = regexps.escapeRegExp(name);
   return new RegExp(
   // Detects the package name in the following cases:
@@ -4757,11 +5000,11 @@ function lockIncludesYarn(lockSrc, name) {
   //   , name@
   `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
 }
-const lockIncludesByAgent = new Map([[BUN$2, lockIncludesBun], [NPM$6, lockIncludesNpm], [PNPM$3, lockIncludesPnpm], [VLT$2, lockIncludesVlt], [YARN_BERRY$2, lockIncludesYarn], [YARN_CLASSIC$3, lockIncludesYarn]]);
+const lockfileIncludesByAgent = new Map([[BUN$2, includesBun], [NPM$5, includesNpm], [PNPM$3, includesPnpm], [VLT$2, includesVlt], [YARN_BERRY$2, includesYarn], [YARN_CLASSIC$3, includesYarn]]);
 const {
   BUN: BUN$1,
-  NPM: NPM$5,
+  NPM: NPM$4,
   PNPM: PNPM$2,
   VLT: VLT$1,
   YARN_BERRY: YARN_BERRY$1,
@@ -4797,11 +5040,11 @@ function cleanupQueryStdout(stdout) {
   }
   return JSON.stringify([...names], null, 2);
 }
-function parseableToQueryStdout(stdout) {
+function parsableToQueryStdout(stdout) {
   if (stdout === '') {
     return '';
   }
-  // Convert the parseable stdout into a json array of unique names.
+  // Convert the parsable stdout into a json array of unique names.
   // The matchAll regexp looks for a forward (posix) or backward (win32) slash
   // and matches one or more non-slashes until the newline.
   const names = new Set(stdout.matchAll(/(?<=[/\\])[^/\\]+(?=\n)/g));
@@ -4831,7 +5074,7 @@ async function lsNpm(agentExecPath, cwd) {
 }
 async function lsPnpm(agentExecPath, cwd, options) {
   const npmExecPath = options?.npmExecPath;
-  if (npmExecPath && npmExecPath !== NPM$5) {
+  if (npmExecPath && npmExecPath !== NPM$4) {
     const result = await npmQuery(npmExecPath, cwd);
     if (result) {
       return result;
@@ -4839,15 +5082,19 @@ async function lsPnpm(agentExecPath, cwd, options) {
   }
   let stdout = '';
   try {
-    stdout = (await spawn.spawn(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+    stdout = (await spawn.spawn(agentExecPath,
+    // Pnpm uses the alternative spelling of parsable.
+    // https://en.wiktionary.org/wiki/parsable
+    ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
       cwd
     })).stdout;
   } catch {}
-  return parseableToQueryStdout(stdout);
+  return parsableToQueryStdout(stdout);
 }
 async function lsVlt(agentExecPath, cwd) {
   let stdout = '';
   try {
+    // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (await spawn.spawn(agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
       cwd
     })).stdout;
@@ -4878,20 +5125,39 @@ async function lsYarnClassic(agentExecPath, cwd) {
   } catch {}
   return '';
 }
-const lsByAgent = {
-  // @ts-ignore
-  __proto__: null,
-  [BUN$1]: lsBun,
-  [NPM$5]: lsNpm,
-  [PNPM$2]: lsPnpm,
-  [VLT$1]: lsVlt,
-  [YARN_BERRY$1]: lsYarnBerry,
-  [YARN_CLASSIC$2]: lsYarnClassic
-};
+const lsByAgent = new Map([[BUN$1, lsBun], [NPM$4, lsNpm], [PNPM$2, lsPnpm], [VLT$1, lsVlt], [YARN_BERRY$1, lsYarnBerry], [YARN_CLASSIC$2, lsYarnClassic]]);
+const {
+  NPM: NPM$3
+} = constants;
+const COMMAND_TITLE$1 = 'Socket Optimize';
+async function updateLockfile(pkgEnvDetails, options) {
+  const {
+    logger,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
+  try {
+    await runAgentInstall(pkgEnvDetails, {
+      spinner
+    });
+    spinner?.stop();
+    if (pkgEnvDetails.agent === NPM$3) {
+      logger?.log(`💡 Re-run ${COMMAND_TITLE$1} whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped once npm v11.2.0 is released.`);
+    }
+  } catch (e) {
+    spinner?.stop();
+    logger?.fail(`${COMMAND_TITLE$1}: ${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`);
+    logger?.error(e);
+  }
+}
 const {
   BUN,
-  NPM: NPM$4,
+  NPM: NPM$2,
   OVERRIDES,
   PNPM: PNPM$1,
   RESOLUTIONS,
@@ -4911,7 +5177,9 @@ function getHighestEntryIndex(entries, keys) {
   return getEntryIndexes(entries, keys).at(-1) ?? -1;
 }
 function updatePkgJson(editablePkgJson, field, value) {
-  const pkgJson = editablePkgJson.content;
+  const {
+    content: pkgJson
+  } = editablePkgJson;
   const oldValue = pkgJson[field];
   if (oldValue) {
     // The field already exists so we simply update the field value.
@@ -4995,124 +5263,7 @@ function updateResolutions(editablePkgJson, overrides) {
 function pnpmUpdatePkgJson(editablePkgJson, overrides) {
   updatePkgJson(editablePkgJson, PNPM_FIELD_NAME, overrides);
 }
-const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$4, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
-const {
-  SOCKET_IPC_HANDSHAKE
-} = constants;
-function safeNpmInstall(options) {
-  const {
-    args = [],
-    ipc,
-    spinner,
-    ...spawnOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const terminatorPos = args.indexOf('--');
-  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
-  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-  const useIpc = objects.isObject(ipc);
-  const useDebug = debug.isDebug();
-  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
-  const spawnPromise = spawn.spawn(
-  // Lazily access constants.execPath.
-  constants.execPath, [
-  // Lazily access constants.nodeNoWarningsFlags.
-  ...constants.nodeNoWarningsFlags, '--require',
-  // Lazily access constants.distShadowNpmInjectPath.
-  constants.distShadowNpmInjectPath, shadowNpmPaths.getNpmBinPath(), 'install',
-  // Even though the '--silent' flag is passed npm will still run through
-  // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'
-  // flags are passed.
-  '--no-audit', '--no-fund',
-  // Add `--no-progress` and `--silent` flags to fix input being swallowed
-  // by the spinner when running the command with recent versions of npm.
-  '--no-progress',
-  // Add the '--silent' flag if a loglevel flag is not provided and the
-  // SOCKET_CLI_DEBUG environment variable is not truthy.
-  ...(isSilent ? ['--silent'] : []), ...npmArgs, ...otherArgs], {
-    spinner,
-    // Set stdio to include 'ipc'.
-    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
-    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
-    stdio: isSilent ?
-    // 'ignore'
-    useIpc ? ['ignore', 'ignore', 'ignore', 'ipc'] : 'ignore' :
-    // 'inherit'
-    useIpc ? [0, 1, 2, 'ipc'] : 'inherit',
-    ...spawnOptions,
-    env: {
-      ...process$1.env,
-      ...spawnOptions.env
-    }
-  });
-  if (useIpc) {
-    spawnPromise.process.send({
-      [SOCKET_IPC_HANDSHAKE]: ipc
-    });
-  }
-  return spawnPromise;
-}
-const {
-  NPM: NPM$3,
-  abortSignal
-} = constants;
-function runAgentInstall(agent, agentExecPath, options) {
-  // All package managers support the "install" command.
-  if (agent === NPM$3) {
-    return safeNpmInstall(options);
-  }
-  const {
-    args = [],
-    spinner,
-    ...spawnOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const isSilent = !debug.isDebug();
-  return spawn.spawn(agentExecPath, ['install', ...args], {
-    signal: abortSignal,
-    spinner,
-    stdio: isSilent ? 'ignore' : 'inherit',
-    ...spawnOptions,
-    env: {
-      ...process.env,
-      ...spawnOptions.env
-    }
-  });
-}
-const {
-  NPM: NPM$2
-} = constants;
-const COMMAND_TITLE$1 = 'Socket Optimize';
-async function updatePackageLockJson(pkgEnvDetails, options) {
-  const {
-    logger,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
-  try {
-    await runAgentInstall(pkgEnvDetails.agent, pkgEnvDetails.agentExecPath, {
-      spinner
-    });
-    spinner?.stop();
-    if (pkgEnvDetails.agent === NPM$2) {
-      logger?.log(`💡 Re-run ${COMMAND_TITLE$1} whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped once npm v11.2.0 is released.`);
-    }
-  } catch (e) {
-    spinner?.stop();
-    logger?.fail(`${COMMAND_TITLE$1}: ${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`);
-    logger?.error(e);
-  }
-}
+const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$2, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
 const {
   NPM: NPM$1,
@@ -5121,51 +5272,6 @@ const {
 } = constants;
 const COMMAND_TITLE = 'Socket Optimize';
 const manifestNpmOverrides = registry.getManifestData(NPM$1);
-async function applyOptimization(cwd, pin, prod) {
-  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
-    logger: logger.logger,
-    prod
-  });
-  if (!pkgEnvDetails) {
-    return;
-  }
-  // Lazily access constants.spinner.
-  const {
-    spinner
-  } = constants;
-  spinner.start('Socket optimizing...');
-  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
-    logger: logger.logger,
-    pin,
-    prod,
-    spinner
-  });
-  spinner.stop();
-  const addedCount = state.added.size;
-  const updatedCount = state.updated.size;
-  const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
-  if (pkgJsonChanged) {
-    if (updatedCount > 0) {
-      logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
-    }
-    if (addedCount > 0) {
-      logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
-    }
-  } else {
-    logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
-  }
-  if (pkgEnvDetails.agent === NPM$1 || pkgJsonChanged) {
-    // Always update package-lock.json until the npm overrides PR lands:
-    // https://github.com/npm/cli/pull/8089
-    await updatePackageLockJson(pkgEnvDetails, {
-      logger: logger.logger,
-      spinner
-    });
-  }
-}
-function createActionMessage(verb, overrideCount, workspaceCount) {
-  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
-}
 async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const {
     agent,
@@ -5211,14 +5317,14 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     logger?.warn(`${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
   }
-  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, {
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent.get(agent)(agentExecPath, pkgPath, {
     npmExecPath
   });
   // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
   // first two parameters. AgentLockIncludesFn accepts an optional third
   // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
   // as an AgentLockIncludesFn type.
-  const thingScanner = isLockScanned ? lockIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
+  const thingScanner = isLockScanned ? lockfileIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
   const depEntries = getDependencyEntries(pkgJson);
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
@@ -5344,6 +5450,51 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   }
   return state;
 }
+function createActionMessage(verb, overrideCount, workspaceCount) {
+  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
+}
+async function applyOptimization(cwd, pin, prod) {
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    logger: logger.logger,
+    prod
+  });
+  if (!pkgEnvDetails) {
+    return;
+  }
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start('Socket optimizing...');
+  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
+    logger: logger.logger,
+    pin,
+    prod,
+    spinner
+  });
+  spinner.stop();
+  const addedCount = state.added.size;
+  const updatedCount = state.updated.size;
+  const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
+  if (pkgJsonChanged) {
+    if (updatedCount > 0) {
+      logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
+    }
+    if (addedCount > 0) {
+      logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
+    }
+  } else {
+    logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
+  }
+  if (pkgEnvDetails.agent === NPM$1 || pkgJsonChanged) {
+    // Always update package-lock.json until the npm overrides PR lands:
+    // https://github.com/npm/cli/pull/8089
+    await updateLockfile(pkgEnvDetails, {
+      logger: logger.logger,
+      spinner
+    });
+  }
+}
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h
@@ -5724,8 +5875,8 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
       spinner.error('Report result deemed unhealthy for project');
     }
   } else if (!result.data.healthy) {
-    const severityCount = getSeverityCount(result.data.issues, includeAllIssues ? undefined : 'high');
-    const issueSummary = formatSeverityCount(severityCount);
+    const severityCount = shadowNpmInject.getSeverityCount(result.data.issues, includeAllIssues ? undefined : 'high');
+    const issueSummary = shadowNpmInject.formatSeverityCount(severityCount);
     spinner.success(`Report has these issues: ${issueSummary}`);
   } else {
     spinner.success('Report has no issues');
@@ -7026,7 +7177,7 @@ async function run$6(argv, importMeta, {
   });
   const [orgSlug = '', ...targets] = cli.input;
   const cwd = cli.flags['cwd'] && cli.flags['cwd'] !== 'process.cwd()' ? String(cli.flags['cwd']) : process$1.cwd();
-  let {
+  const {
     branch: branchName,
     repo: repoName
   } = cli.flags;
@@ -7621,11 +7772,36 @@ const cmdScan = {
   }
 };
+// Note: Widgets does not seem to actually work as code :'(
 async function getThreatFeed({
+  direction,
+  ecosystem,
+  filter,
+  outputKind,
+  page,
+  perPage
+}) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await getThreatFeedWithToken({
+    apiToken,
+    direction,
+    ecosystem,
+    filter,
+    outputKind,
+    page,
+    perPage
+  });
+}
+async function getThreatFeedWithToken({
   apiToken,
   direction,
+  ecosystem,
   filter,
-  outputJson,
+  outputKind,
   page,
   perPage
 }) {
@@ -7633,17 +7809,12 @@ async function getThreatFeed({
   const {
     spinner
   } = constants;
-  spinner.start('Looking up the threat feed');
-  const formattedQueryParams = formatQueryParams({
-    per_page: perPage,
-    page,
-    direction,
-    filter
-  }).join('&');
-  const response = await queryAPI(`threat-feed?${formattedQueryParams}`, apiToken);
+  const queryParams = new URLSearchParams([['direction', direction], ['ecosystem', ecosystem], ['filter', filter], ['page', page], ['per_page', String(perPage)]]);
+  spinner.start('Fetching Threat Feed data...');
+  const response = await queryAPI(`threat-feed?${queryParams}`, apiToken);
   const data = await response.json();
-  spinner.stop();
-  if (outputJson) {
+  spinner.stop('Threat feed data fetched');
+  if (outputKind === 'json') {
     logger.logger.log(data);
     return;
   }
@@ -7656,47 +7827,98 @@ async function getThreatFeed({
     interactive: 'true',
     label: 'Threat feed',
     width: '100%',
-    height: '100%',
+    height: '70%',
+    // Changed from 100% to 70%
     border: {
       type: 'line',
       fg: 'cyan'
     },
-    columnSpacing: 3,
-    //in chars
-    columnWidth: [9, 30, 10, 17, 13, 100] /*in chars*/
+    columnWidth: [10, 30, 20, 18, 15, 200],
+    // TODO: the truncation doesn't seem to work too well yet but when we add
+    //       `pad` alignment fails, when we extend columnSpacing alignment fails
+    columnSpacing: 1,
+    truncate: '_'
+  });
+  // Create details box at the bottom
+  const detailsBox = new BoxWidget({
+    bottom: 0,
+    height: '30%',
+    width: '100%',
+    border: {
+      type: 'line',
+      fg: 'cyan'
+    },
+    label: 'Details',
+    content: 'Use arrow keys to navigate. Press Enter to select a threat. Press q to exit.',
+    style: {
+      fg: 'white'
+    }
   });
   // allow control the table with the keyboard
   table.focus();
   screen.append(table);
+  screen.append(detailsBox);
   const formattedOutput = formatResults(data.results);
+  const descriptions = data.results.map(d => d.description);
   table.setData({
-    headers: ['Ecosystem', 'Name', 'Version', 'Threat type', 'Detected at', 'Details'],
+    headers: [' Ecosystem', ' Name', '  Version', '  Threat type', '  Detected at', ' Details'],
     data: formattedOutput
   });
+  // Update details box when selection changes
+  table.rows.on('select item', () => {
+    const selectedIndex = table.rows.selected;
+    if (selectedIndex !== undefined && selectedIndex >= 0) {
+      const selectedRow = formattedOutput[selectedIndex];
+      if (selectedRow) {
+        // Note: the spacing works around issues with the table; it refuses to pad!
+        detailsBox.setContent(`Ecosystem: ${selectedRow[0]}\n` + `Name: ${selectedRow[1]}\n` + `Version:${selectedRow[2]}\n` + `Threat type:${selectedRow[3]}\n` + `Detected at:${selectedRow[4]}\n` + `Details: ${selectedRow[5]}\n` + `Description: ${descriptions[selectedIndex]}`);
+        screen.render();
+      }
+    }
+  });
   screen.render();
   screen.key(['escape', 'q', 'C-c'], () => process$1.exit(0));
+  screen.key(['return'], () => {
+    const selectedIndex = table.rows.selected;
+    screen.destroy();
+    const selectedRow = formattedOutput[selectedIndex];
+    console.log(selectedRow);
+  });
 }
 function formatResults(data) {
   return data.map(d => {
     const ecosystem = d.purl.split('pkg:')[1].split('/')[0];
     const name = d.purl.split('/')[1].split('@')[0];
     const version = d.purl.split('@')[1];
-    const timeStart = new Date(d.createdAt).getMilliseconds();
-    const timeEnd = Date.now();
-    const diff = getHourDiff(timeStart, timeEnd);
-    const hourDiff = diff > 0 ? `${diff} hours ago` : `${getMinDiff(timeStart, timeEnd)} minutes ago`;
-    return [ecosystem, decodeURIComponent(name), version, d.threatType, hourDiff, d.locationHtmlUrl];
+    const timeDiff = msAtHome(d.createdAt);
+    // Note: the spacing works around issues with the table; it refuses to pad!
+    return [ecosystem, decodeURIComponent(name), ` ${version}`, ` ${d.threatType}`, ` ${timeDiff}`, d.locationHtmlUrl];
   });
 }
-function formatQueryParams(params) {
-  return Object.entries(params).map(entry => `${entry[0]}=${entry[1]}`);
-}
-function getHourDiff(start, end) {
-  return Math.floor((end - start) / 3600000);
-}
-function getMinDiff(start, end) {
-  return Math.floor((end - start) / 60000);
+function msAtHome(isoTimeStamp) {
+  const timeStart = Date.parse(isoTimeStamp);
+  const timeEnd = Date.now();
+  const rtf = new Intl.RelativeTimeFormat('en', {
+    numeric: 'always',
+    style: 'short'
+  });
+  const delta = timeEnd - timeStart;
+  if (delta < 60 * 60 * 1000) {
+    return rtf.format(-Math.round(delta / (60 * 1000)), 'minute');
+    // return Math.round(delta / (60 * 1000)) + ' min ago'
+  } else if (delta < 24 * 60 * 60 * 1000) {
+    return rtf.format(-(delta / (60 * 60 * 1000)).toFixed(1), 'hour');
+    // return (delta / (60 * 60 * 1000)).toFixed(1) + ' hr ago'
+  } else if (delta < 7 * 24 * 60 * 60 * 1000) {
+    return rtf.format(-(delta / (24 * 60 * 60 * 1000)).toFixed(1), 'day');
+    // return (delta / (24 * 60 * 60 * 1000)).toFixed(1) + ' day ago'
+  } else {
+    return isoTimeStamp.slice(0, 10);
+  }
 }
 const {
@@ -7704,7 +7926,7 @@ const {
 } = constants;
 const config$1 = {
   commandName: 'threat-feed',
-  description: 'Look up the threat feed',
+  description: '[beta] View the threat feed',
   hidden: false,
   flags: {
     ...commonFlags,
@@ -7727,6 +7949,12 @@ const config$1 = {
       default: 'desc',
       description: 'Order asc or desc by the createdAt attribute.'
     },
+    eco: {
+      type: 'string',
+      shortFlag: 'e',
+      default: '',
+      description: 'Only show threats for a particular ecosystem'
+    },
     filter: {
       type: 'string',
       shortFlag: 'f',
@@ -7738,9 +7966,35 @@ const config$1 = {
     Usage
       $ ${command}
+    This feature requires a Threat Feed license. Please contact
+    sales@socket.dev if you are interested in purchasing this access.
     Options
       ${getFlagListOutput(config.flags, 6)}
+    Valid filters:
+      - anom    Anomaly
+      - c       Do not filter
+      - fp      False Positives
+      - joke    Joke / Fake
+      - mal     Malware and Possible Malware [default]
+      - secret  Secrets
+      - spy     Telemetry
+      - tp      False Positives and Unreviewed
+      - typo    Typo-squat
+      - u       Unreviewed
+      - vuln    Vulnerability
+    Valid ecosystems:
+      - gem
+      - golang
+      - maven
+      - npm
+      - nuget
+      - pypi
     Examples
       $ ${command}
       $ ${command} --perPage=5 --page=2 --direction=asc --filter=joke
@@ -7764,17 +8018,13 @@ async function run$1(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$1);
     return;
   }
-  const apiToken = shadowNpmInject.getDefaultToken();
-  if (!apiToken) {
-    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
   await getThreatFeed({
-    apiToken,
     direction: String(cli.flags['direction'] || 'desc'),
+    ecosystem: String(cli.flags['eco'] || ''),
     filter: String(cli.flags['filter'] || 'mal'),
-    outputJson: Boolean(cli.flags['json']),
-    page: String(cli.flags['filter'] || '1'),
-    perPage: Number(cli.flags['per_page'] || 0)
+    outputKind: cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print',
+    page: String(cli.flags['page'] || '1'),
+    perPage: Number(cli.flags['perPage']) || 30
   });
 }
@@ -8051,5 +8301,5 @@ void (async () => {
     await shadowNpmInject.captureException(e);
   }
 })();
-//# debugId=da32be80-6a12-4a4c-b9c4-0cfdd490ce52
+//# debugId=b5131c8e-e05e-4ce0-8d35-03afa5b09043
 //# sourceMappingURL=cli.js.map