@socketsecurity/cli-with-sentry 0.14.57 → 0.14.59

package/dist/module-sync/cli.js

@@ -28,6 +28,7 @@ var shadowNpmInject = require('./shadow-npm-inject.js');
 var constants = require('./constants.js');
 var meow = _socketInterop(require('meow'));
 var objects = require('@socketsecurity/registry/lib/objects');
+var path$1 = require('@socketsecurity/registry/lib/path');
 var regexps = require('@socketsecurity/registry/lib/regexps');
 var commonTags = _socketInterop(require('common-tags'));
 var fs$1 = require('node:fs/promises');
@@ -42,27 +43,30 @@ var util = require('node:util');
 var registry = require('@socketsecurity/registry');
 var npm = require('@socketsecurity/registry/lib/npm');
 var packages = require('@socketsecurity/registry/lib/packages');
-var registryConstants = require('@socketsecurity/registry/lib/constants');
-var isInteractive = require('@socketregistry/is-interactive/index.cjs');
-var terminalLink = _socketInterop(require('terminal-link'));
+var lockfileFile = _socketInterop(require('@pnpm/lockfile-file'));
+var lockfile_detectDepTypes = _socketInterop(require('@pnpm/lockfile.detect-dep-types'));
+var debug = require('@socketsecurity/registry/lib/debug');
 var spawn = require('@socketsecurity/registry/lib/spawn');
-var npa = _socketInterop(require('npm-package-arg'));
-var semver = _socketInterop(require('semver'));
-var tinyglobby = _socketInterop(require('tinyglobby'));
-var promises = require('@socketsecurity/registry/lib/promises');
+var shadowNpmPaths = require('./shadow-npm-paths.js');
 var browserslist = _socketInterop(require('browserslist'));
+var semver = _socketInterop(require('semver'));
 var which = _socketInterop(require('which'));
 var index_cjs = require('@socketregistry/hyrious__bun.lockb/index.cjs');
 var sorts = require('@socketsecurity/registry/lib/sorts');
 var strings = require('@socketsecurity/registry/lib/strings');
+var registryConstants = require('@socketsecurity/registry/lib/constants');
+var isInteractive = require('@socketregistry/is-interactive/index.cjs');
+var terminalLink = _socketInterop(require('terminal-link'));
+var npa = _socketInterop(require('npm-package-arg'));
+var tinyglobby = _socketInterop(require('tinyglobby'));
+var promises = require('@socketsecurity/registry/lib/promises');
 var yaml = _socketInterop(require('yaml'));
-var debug = require('@socketsecurity/registry/lib/debug');
-var shadowNpmPaths = require('./shadow-npm-paths.js');
 var betterAjvErrors = _socketInterop(require('@apideck/better-ajv-errors'));
 var config$A = require('@socketsecurity/config');
 var assert = require('node:assert');
 var readline = require('node:readline/promises');
 var open = _socketInterop(require('open'));
+var BoxWidget = _socketInterop(require('blessed/lib/widgets/box'));
 var TableWidget = _socketInterop(require('blessed-contrib/lib/widget/table'));
 var readline$1 = require('node:readline');
 
@@ -324,7 +328,7 @@ class Core {
   }) {
     const introducedBy = [];
     if (pkg.direct) {
-      let manifests = pkg.manifestFiles.map(({
+      const manifests = pkg.manifestFiles.map(({
         file
       }) => file).join(';');
       introducedBy.push(['direct', manifests]);
@@ -335,7 +339,7 @@ class Core {
           continue;
         }
         const topPurl = `${topPackage.type}/${topPackage.name}@${topPackage.version}`;
-        let manifests = topPackage.manifestFiles.map(({
+        const manifests = topPackage.manifestFiles.map(({
           file
         }) => file).join(';');
         introducedBy.push([topPurl, manifests]);
@@ -767,7 +771,7 @@ function processSecurityComment({
   const result = [];
   let start = false;
   let ignoreAll = false;
-  let ignoredPackages = [];
+  const ignoredPackages = [];
   for (const ignoreComment of ignoreComments) {
     const parsed = parseIgnoreCommand(ignoreComment.body?.split('\n').at(0) ?? '');
     if (parsed.ignoreAll) {
@@ -791,7 +795,7 @@ function processSecurityComment({
       const [_, _title, packageLink, _introducedBy, _manifest, _ci] = line.split('|');
 
       // Parsing package link [npm/pkg](url)
-      let [_ecosystem, pkg] = packageLink.slice(1, packageLink.indexOf(']')).split('/', 2);
+      const [_ecosystem, pkg] = packageLink.slice(1, packageLink.indexOf(']')).split('/', 2);
       const [pkgName, pkgVersion] = pkg.split('@');
 
       // Checking if this package should be ignored
@@ -1114,8 +1118,8 @@ function createSources(alert) {
       manifests.push(addStr);
     }
   }
-  let manifestList = manifests.join('');
-  let sourceList = sources.join('');
+  const manifestList = manifests.join('');
+  const sourceList = sources.join('');
   const manifestStr = `<ul>${manifestList}</ul>`;
   const sourcesStr = `<ul>${sourceList}</ul>`;
   return [manifestStr, sourcesStr];
@@ -1260,8 +1264,8 @@ async function runAction(githubEventBefore, githubEventAfter) {
     const securityComment = securityCommentTemplate(diff);
     let newSecurityComment = true;
     let newOverviewComment = true;
-    let updateOldSecurityComment = comments.security !== undefined;
-    let updateOldOverviewComment = comments.overview !== undefined;
+    const updateOldSecurityComment = comments.security !== undefined;
+    const updateOldOverviewComment = comments.overview !== undefined;
     if (diff.newAlerts.length === 0) {
       if (!updateOldSecurityComment) {
         newSecurityComment = false;
@@ -1403,8 +1407,7 @@ const validationFlags = {
 
 const {
   DRY_RUN_LABEL: DRY_RUN_LABEL$1,
-  REDACTED,
-  SOCKET_CLI_SHOW_BANNER
+  REDACTED
 } = constants;
 async function meowWithSubcommands(subcommands, options) {
   const {
@@ -1438,11 +1441,7 @@ async function meowWithSubcommands(subcommands, options) {
   };
   // ...else we provide basic instructions and help.
 
-  // Temp disable until we clear the --json and --markdown usage
-  // Lazily access constants.ENV[SOCKET_CLI_SHOW_BANNER].
-  if (constants.ENV[SOCKET_CLI_SHOW_BANNER]) {
-    logger.logger.log(getAsciiHeader(name));
-  }
+  emitBanner(name);
   const cli = meow(`
     Usage
       $ ${name} <command>
@@ -1496,11 +1495,7 @@ function meowOrExit({
   parentName
 }) {
   const command = `${parentName} ${config.commandName}`;
-  // Temp disable until we clear the --json and --markdown usage.
-  // Lazily access constants.ENV[SOCKET_CLI_SHOW_BANNER].
-  if (constants.ENV[SOCKET_CLI_SHOW_BANNER]) {
-    logger.logger.log(getAsciiHeader(command));
-  }
+  emitBanner(command);
 
   // This exits if .printHelp() is called either by meow itself or by us.
   const cli = meow({
@@ -1517,13 +1512,24 @@ function meowOrExit({
   }
   return cli;
 }
+function emitBanner(name) {
+  // Print a banner at the top of each command.
+  // This helps with brand recognition and marketing.
+  // It also helps with debugging since it contains version and command details.
+  // Note: print over stderr to preserve stdout for flags like --json and
+  //       --markdown. If we don't do this, you can't use --json in particular
+  //       and pipe the result to other tools. By emiting the banner over stderr
+  //       you can do something like `socket scan view xyz | jq | process`.
+  //       The spinner also emits over stderr for example.
+  logger.logger.error(getAsciiHeader(name));
+}
 function getAsciiHeader(command) {
   const cliVersion = // The '@rollup/plugin-replace' will replace "process.env['SOCKET_CLI_VERSION_HASH']".
-  "0.14.57:6783de7:236c7308:pub";
+  "0.14.59:e40b009:5200cfd8:pub";
   const nodeVersion = process.version;
   const apiToken = shadowNpmInject.getSetting('apiToken');
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no';
-  const relCwd = process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}`, 'i'), '~/');
+  const relCwd = path$1.normalizePath(process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}(?:${path.sep}|$)`, 'i'), '~/'));
   const body = `
    _____         _       _        /---------------
   |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver ${cliVersion}
@@ -1722,7 +1728,7 @@ async function outputAnalyticsWithToken({
   // A message should already have been printed if we have no data here
   if (!data) return;
   if (outputKind === 'json') {
-    let serialized = renderJson(data);
+    const serialized = renderJson(data);
     if (!serialized) return;
     if (filePath && filePath !== '-') {
       try {
@@ -2194,6 +2200,9 @@ const config$x = {
     Usage
       $ ${command} <org slug>
 
+    This feature requires an Enterprise Plan. To learn more about getting access
+    to this feature and many more, please visit https://socket.dev/pricing
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -2249,22 +2258,22 @@ async function run$x(argv, importMeta, {
 }
 
 const {
-  NPM: NPM$e,
+  NPM: NPM$f,
   NPX: NPX$3,
-  PNPM: PNPM$8
+  PNPM: PNPM$a
 } = constants;
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$e, PNPM$8, 'ts', 'tsx', 'typescript']);
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$f, PNPM$a, 'ts', 'tsx', 'typescript']);
 async function runCycloneDX(yargv) {
   let cleanupPackageLock = false;
   if (yargv.type !== 'yarn' && nodejsPlatformTypes.has(yargv.type) && fs.existsSync('./yarn.lock')) {
     if (fs.existsSync('./package-lock.json')) {
-      yargv.type = NPM$e;
+      yargv.type = NPM$f;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
         await shadowBin(NPX$3, ['synp@1.9.14', '--', '--source-file', './yarn.lock'], 2);
-        yargv.type = NPM$e;
+        yargv.type = NPM$f;
         cleanupPackageLock = true;
       } catch {}
     }
@@ -2784,99 +2793,105 @@ const cmdDiffScan = {
   }
 };
 
-// import { detect } from '../../utils/package-environment-detector'
-
 const {
-  NPM: NPM$d
+  NPM: NPM$e
 } = constants;
 function isTopLevel(tree, node) {
   return tree.children.get(node.name) === node;
 }
-async function runFix() {
-  // Lazily access constants.spinner.
+async function npmFix(_pkgEnvDetails, cwd, options) {
   const {
     spinner
-  } = constants;
-  spinner.start();
-  const cwd = process.cwd();
-  const editablePkgJson = await packages.readPackageJson(cwd, {
-    editable: true
-  });
-  // const agentDetails = await detect()
-
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start();
   const arb = new shadowNpmInject.SafeArborist({
     path: cwd,
     ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
   });
   await arb.reify();
-  const alerts = await shadowNpmInject.getPackagesAlerts(arb, {
+  const alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, {
     consolidate: true,
-    includeExisting: true,
-    includeUnfixable: false
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
+    }
   });
-  const infoByPkg = shadowNpmInject.getCveInfoByPackage(alerts);
+  const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap);
+  if (!infoByPkg) {
+    spinner?.stop();
+    return;
+  }
   await arb.buildIdealTree();
-  if (infoByPkg) {
-    for (const {
-      0: name,
-      1: infos
-    } of infoByPkg) {
-      let revertToIdealTree = arb.idealTree;
-      arb.idealTree = null;
-      // eslint-disable-next-line no-await-in-loop
-      await arb.buildIdealTree();
-      const tree = arb.idealTree;
-      const hasUpgrade = !!registry.getManifestData(NPM$d, name);
-      if (hasUpgrade) {
-        spinner.info(`Skipping ${name}. Socket Optimize package exists.`);
-        continue;
-      }
-      const nodes = shadowNpmInject.findPackageNodes(tree, name);
-      const packument = nodes.length && infos.length ?
-      // eslint-disable-next-line no-await-in-loop
-      await packages.fetchPackagePackument(name) : null;
-      if (packument) {
-        for (let i = 0, {
-            length: nodesLength
-          } = nodes; i < nodesLength; i += 1) {
-          const node = nodes[i];
-          for (let j = 0, {
-              length: infosLength
-            } = infos; j < infosLength; j += 1) {
-            const {
-              firstPatchedVersionIdentifier,
-              vulnerableVersionRange
-            } = infos[j];
-            const {
-              version: oldVersion
-            } = node;
-            if (shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)) {
-              try {
-                // eslint-disable-next-line no-await-in-loop
-                await npm.runScript('test', [], {
-                  spinner,
-                  stdio: 'ignore'
-                });
-                spinner.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
-                if (isTopLevel(tree, node)) {
-                  for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
-                    const oldVersion = editablePkgJson.content[depField]?.[name];
-                    if (oldVersion) {
-                      const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? '';
-                      editablePkgJson.content[depField][name] = `${decorator}${node.version}`;
-                    }
-                  }
+  const editablePkgJson = await packages.readPackageJson(cwd, {
+    editable: true
+  });
+  for (const {
+    0: name,
+    1: infos
+  } of infoByPkg) {
+    const revertToIdealTree = arb.idealTree;
+    arb.idealTree = null;
+    // eslint-disable-next-line no-await-in-loop
+    await arb.buildIdealTree();
+    const tree = arb.idealTree;
+    const hasUpgrade = !!registry.getManifestData(NPM$e, name);
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`);
+      continue;
+    }
+    const nodes = shadowNpmInject.findPackageNodes(tree, name);
+    const packument = nodes.length && infos.length ?
+    // eslint-disable-next-line no-await-in-loop
+    await packages.fetchPackagePackument(name) : null;
+    if (!packument) {
+      continue;
+    }
+    for (let i = 0, {
+        length: nodesLength
+      } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i];
+      for (let j = 0, {
+          length: infosLength
+        } = infos; j < infosLength; j += 1) {
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = infos[j];
+        const {
+          version: oldVersion
+        } = node;
+        if (shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            await npm.runScript('test', [], {
+              spinner,
+              stdio: 'ignore'
+            });
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
+            if (isTopLevel(tree, node)) {
+              for (const depField of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
+                const {
+                  content: pkgJson
+                } = editablePkgJson;
+                const oldVersion = pkgJson[depField]?.[name];
+                if (oldVersion) {
+                  const decorator = /^[~^]/.exec(oldVersion)?.[0] ?? '';
+                  pkgJson[depField][name] = `${decorator}${node.version}`;
                 }
-                // eslint-disable-next-line no-await-in-loop
-                await editablePkgJson.save();
-              } catch {
-                spinner.error(`Reverting ${name} to ${oldVersion}`);
-                arb.idealTree = revertToIdealTree;
               }
-            } else {
-              spinner.error(`Could not patch ${name} ${oldVersion}`);
             }
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save();
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`);
+            arb.idealTree = revertToIdealTree;
           }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`);
         }
       }
     }
@@ -2886,161 +2901,687 @@ async function runFix() {
   });
   arb2.idealTree = arb.idealTree;
   await arb2.reify();
-  spinner.stop();
+  spinner?.stop();
 }
 
-const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
-} = constants;
-const config$t = {
-  commandName: 'fix',
-  description: 'Fix "fixable" Socket alerts',
-  hidden: true,
-  flags: {
-    ...commonFlags
-  },
-  help: (command, config) => `
-    Usage
-      $ ${command}
-
-    Options
-      ${getFlagListOutput(config.flags, 6)}
-  `
-};
-const cmdFix = {
-  description: config$t.description,
-  hidden: config$t.hidden,
-  run: run$t
-};
-async function run$t(argv, importMeta, {
-  parentName
-}) {
-  const cli = meowOrExit({
-    argv,
-    config: config$t,
-    importMeta,
-    parentName
-  });
-  if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
-    return;
+async function getAlertsMapFromPnpmLockfile(lockfile, options) {
+  const {
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const depTypes = lockfile_detectDepTypes.detectDepTypes(lockfile);
+  const pkgIds = Object.keys(depTypes);
+  let {
+    length: remaining
+  } = pkgIds;
+  const alertsByPkgId = new Map();
+  if (!remaining) {
+    return alertsByPkgId;
+  }
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner?.start(getText());
+  const toAlertsMapOptions = {
+    overrides: lockfile.overrides,
+    ...options
+  };
+  for await (const artifact of shadowNpmInject.batchScan(pkgIds)) {
+    await shadowNpmInject.addArtifactToAlertsMap(artifact, alertsByPkgId, toAlertsMapOptions);
+    remaining -= 1;
+    if (spinner && remaining > 0) {
+      spinner.start();
+      spinner.setText(getText());
+    }
   }
-  await runFix();
+  spinner?.stop();
+  return alertsByPkgId;
 }
 
-function objectSome(obj) {
-  for (const key in obj) {
-    if (obj[key]) {
-      return true;
+function cmdFlagsToString(args) {
+  const result = [];
+  for (let i = 0, {
+      length
+    } = args; i < length; i += 1) {
+    if (args[i].startsWith('--')) {
+      // Check if the next item exists and is NOT another flag.
+      if (i + 1 < length && !args[i + 1].startsWith('--')) {
+        result.push(`${args[i]}=${args[i + 1]}`);
+        i += 1;
+      } else {
+        result.push(args[i]);
+      }
     }
   }
-  return false;
+  return result.join(' ');
 }
-function pick(input, keys) {
-  const result = {};
-  for (const key of keys) {
-    result[key] = input[key];
-  }
-  return result;
+function cmdPrefixMessage(cmdName, text) {
+  const cmdPrefix = cmdName ? `${cmdName}: ` : '';
+  return `${cmdPrefix}${text}`;
 }
 
-function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean);
+const {
+  SOCKET_CLI_SENTRY_BUILD,
+  SOCKET_IPC_HANDSHAKE
+} = constants;
+function safeNpmInstall(options) {
   const {
-    length
-  } = values;
-  if (!length) {
-    return '';
-  }
-  if (length === 1) {
-    return values[0];
+    agentExecPath = shadowNpmPaths.getNpmBinPath(),
+    args = [],
+    ipc,
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const useIpc = objects.isObject(ipc);
+  const useDebug = debug.isDebug();
+  const terminatorPos = args.indexOf('--');
+  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
+  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : [];
+  const spawnPromise = spawn.spawn(
+  // Lazily access constants.execPath.
+  constants.execPath, [
+  // Lazily access constants.nodeHardenFlags.
+  ...constants.nodeHardenFlags,
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags,
+  // Lazily access constants.ENV[SOCKET_CLI_SENTRY_BUILD].
+  ...(constants.ENV[SOCKET_CLI_SENTRY_BUILD] ? ['--require',
+  // Lazily access constants.distInstrumentWithSentryPath.
+  constants.distInstrumentWithSentryPath] : []), '--require',
+  // Lazily access constants.distShadowNpmInjectPath.
+  constants.distShadowNpmInjectPath, agentExecPath, 'install',
+  // Avoid code paths for 'audit' and 'fund'.
+  '--no-audit', '--no-fund',
+  // Add `--no-progress` flag to fix input being swallowed by the spinner
+  // when running the command with recent versions of npm.
+  '--no-progress',
+  // Add '--loglevel=error' if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...logLevelArgs, ...npmArgs, ...otherArgs], {
+    spinner,
+    // Set stdio to include 'ipc'.
+    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
+    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
+    stdio: useIpc ? [0, 1, 2, 'ipc'] : 'inherit',
+    ...spawnOptions,
+    env: {
+      ...process$1.env,
+      ...spawnOptions.env
+    }
+  });
+  if (useIpc) {
+    spawnPromise.process.send({
+      [SOCKET_IPC_HANDSHAKE]: ipc
+    });
   }
-  const finalValue = values.pop();
-  return `${values.join(', ')}${separator}${finalValue}`;
+  return spawnPromise;
 }
 
-// Ordered from most severe to least.
-const SEVERITIES_BY_ORDER = ['critical', 'high', 'middle', 'low'];
-function getDesiredSeverities(lowestToInclude) {
-  const result = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    result.push(severity);
-    if (severity === lowestToInclude) {
-      break;
-    }
+const {
+  NPM: NPM$d
+} = constants;
+function runAgentInstall(pkgEnvDetails, options) {
+  const {
+    agent,
+    agentExecPath
+  } = pkgEnvDetails;
+  // All package managers support the "install" command.
+  if (agent === NPM$d) {
+    return safeNpmInstall({
+      agentExecPath,
+      ...options
+    });
   }
-  return result;
+  const {
+    args = [],
+    spinner,
+    ...spawnOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  return spawn.spawn(agentExecPath, ['install', ...args], {
+    spinner,
+    stdio: debug.isDebug() ? 'inherit' : 'ignore',
+    ...spawnOptions,
+    env: {
+      ...process.env,
+      NODE_OPTIONS: cmdFlagsToString([
+      // Lazily access constants.nodeHardenFlags.
+      ...constants.nodeHardenFlags,
+      // Lazily access constants.nodeNoWarningsFlags.
+      ...constants.nodeNoWarningsFlags]),
+      ...spawnOptions.env
+    }
+  });
 }
-function formatSeverityCount(severityCount) {
-  const summary = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`);
+
+const {
+  NPM: NPM$c,
+  OVERRIDES: OVERRIDES$2,
+  PNPM: PNPM$9
+} = constants;
+async function pnpmFix(pkgEnvDetails, cwd, options) {
+  const {
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start();
+  const lockfile = await lockfileFile.readWantedLockfile(cwd, {
+    ignoreIncompatible: false
+  });
+  if (!lockfile) {
+    spinner?.stop();
+    return;
+  }
+  const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {
+    consolidate: true,
+    include: {
+      existing: true,
+      unfixable: false,
+      upgrade: false
     }
+  });
+  const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap);
+  if (!infoByPkg) {
+    spinner?.stop();
+    return;
   }
-  return stringJoinWithSeparateFinalSeparator(summary);
-}
-function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick({
-    low: 0,
-    middle: 0,
-    high: 0,
-    critical: 0
-  }, getDesiredSeverities(lowestToInclude));
-  for (const issue of issues) {
-    const {
-      value
-    } = issue;
-    if (!value) {
+  const arb = new shadowNpmInject.SafeArborist({
+    path: cwd,
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  });
+  await arb.loadActual();
+  const editablePkgJson = await packages.readPackageJson(cwd, {
+    editable: true
+  });
+  const {
+    content: pkgJson
+  } = editablePkgJson;
+  for (const {
+    0: name,
+    1: infos
+  } of infoByPkg) {
+    const tree = arb.actualTree;
+    const hasUpgrade = !!registry.getManifestData(NPM$c, name);
+    if (hasUpgrade) {
+      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`);
       continue;
     }
-    if (severityCount[value.severity] !== undefined) {
-      severityCount[value.severity] += 1;
+    const nodes = shadowNpmInject.findPackageNodes(tree, name);
+    const packument = nodes.length && infos.length ?
+    // eslint-disable-next-line no-await-in-loop
+    await packages.fetchPackagePackument(name) : null;
+    if (!packument) {
+      continue;
     }
-  }
-  return severityCount;
-}
+    for (let i = 0, {
+        length: nodesLength
+      } = nodes; i < nodesLength; i += 1) {
+      const node = nodes[i];
+      for (let j = 0, {
+          length: infosLength
+        } = infos; j < infosLength; j += 1) {
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = infos[j];
+        const {
+          version: oldVersion
+        } = node;
+        const availableVersions = Object.keys(packument.versions);
+        // Find the highest non-vulnerable version within the same major range
+        const targetVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
+        const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+        if (targetPackument) {
+          const oldPnpm = pkgJson[PNPM$9];
+          const oldOverrides = oldPnpm?.[OVERRIDES$2];
+          try {
+            editablePkgJson.update({
+              [PNPM$9]: {
+                ...oldPnpm,
+                [OVERRIDES$2]: {
+                  [`${node.name}@${vulnerableVersionRange}`]: `^${targetVersion}`,
+                  ...oldOverrides
+                }
+              }
+            });
+            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`);
 
-async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
-  const socketSdk = await shadowNpmInject.setupSdk(shadowNpmInject.getPublicToken());
-  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package');
-  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score');
-  if (result.success === false) {
-    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result);
-  }
-  if (scoreResult.success === false) {
-    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult);
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save();
+            // eslint-disable-next-line no-await-in-loop
+            await runAgentInstall(pkgEnvDetails, {
+              spinner
+            });
+          } catch {
+            spinner?.error(`Reverting ${name} to ${oldVersion}`);
+          }
+        } else {
+          spinner?.error(`Could not patch ${name} ${oldVersion}`);
+        }
+      }
+    }
   }
-  const severityCount = getSeverityCount(result.data, includeAllIssues ? undefined : 'high');
-  return {
-    data: result.data,
-    severityCount,
-    score: scoreResult.data
-  };
+  spinner?.stop();
 }
 
 const {
-  NPM: NPM$c
-} = registryConstants;
-function formatPackageInfo({
-  data,
-  score,
-  severityCount
-}, {
-  name,
-  outputKind,
-  pkgName,
-  pkgVersion
-}) {
-  if (outputKind === 'json') {
+  BINARY_LOCK_EXT,
+  BUN: BUN$5,
+  LOCK_EXT: LOCK_EXT$1,
+  NPM: NPM$b,
+  NPM_BUGGY_OVERRIDES_PATCHED_VERSION: NPM_BUGGY_OVERRIDES_PATCHED_VERSION$1,
+  PNPM: PNPM$8,
+  VLT: VLT$5,
+  YARN,
+  YARN_BERRY: YARN_BERRY$5,
+  YARN_CLASSIC: YARN_CLASSIC$6
+} = constants;
+const AGENTS = [BUN$5, NPM$b, PNPM$8, YARN_BERRY$5, YARN_CLASSIC$6, VLT$5];
+const binByAgent = {
+  __proto__: null,
+  [BUN$5]: BUN$5,
+  [NPM$b]: NPM$b,
+  [PNPM$8]: PNPM$8,
+  [YARN_BERRY$5]: YARN,
+  [YARN_CLASSIC$6]: YARN,
+  [VLT$5]: VLT$5
+};
+async function getAgentExecPath(agent) {
+  const binName = binByAgent[agent];
+  return (await which(binName, {
+    nothrow: true
+  })) ?? binName;
+}
+async function getAgentVersion(agentExecPath, cwd) {
+  let result;
+  try {
+    result = semver.coerce(
+    // All package managers support the "--version" flag.
+    (await spawn.spawn(agentExecPath, ['--version'], {
+      cwd
+    })).stdout) ?? undefined;
+  } catch {}
+  return result;
+}
+
+// The order of LOCKS properties IS significant as it affects iteration order.
+const LOCKS = {
+  [`bun${LOCK_EXT$1}`]: BUN$5,
+  [`bun${BINARY_LOCK_EXT}`]: BUN$5,
+  // If both package-lock.json and npm-shrinkwrap.json are present in the root
+  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
+  // will be ignored.
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
+  'npm-shrinkwrap.json': NPM$b,
+  'package-lock.json': NPM$b,
+  'pnpm-lock.yaml': PNPM$8,
+  'pnpm-lock.yml': PNPM$8,
+  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$6,
+  'vlt-lock.json': VLT$5,
+  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
+  //
+  // Unlike the other LOCKS keys this key contains a directory AND filename so
+  // it has to be handled differently.
+  'node_modules/.package-lock.json': NPM$b
+};
+const readLockFileByAgent = (() => {
+  function wrapReader(reader) {
+    return async (...args) => {
+      try {
+        return await reader(...args);
+      } catch {}
+      return undefined;
+    };
+  }
+  const binaryReader = wrapReader(shadowNpmInject.readFileBinary);
+  const defaultReader = wrapReader(async lockPath => await shadowNpmInject.readFileUtf8(lockPath));
+  return {
+    [BUN$5]: wrapReader(async (lockPath, agentExecPath) => {
+      const ext = path.extname(lockPath);
+      if (ext === LOCK_EXT$1) {
+        return await defaultReader(lockPath);
+      }
+      if (ext === BINARY_LOCK_EXT) {
+        const lockBuffer = await binaryReader(lockPath);
+        if (lockBuffer) {
+          try {
+            return index_cjs.parse(lockBuffer);
+          } catch {}
+        }
+        // To print a Yarn lockfile to your console without writing it to disk
+        // use `bun bun.lockb`.
+        // https://bun.sh/guides/install/yarnlock
+        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
+      }
+      return undefined;
+    }),
+    [NPM$b]: defaultReader,
+    [PNPM$8]: defaultReader,
+    [VLT$5]: defaultReader,
+    [YARN_BERRY$5]: defaultReader,
+    [YARN_CLASSIC$6]: defaultReader
+  };
+})();
+async function detectPackageEnvironment({
+  cwd = process$1.cwd(),
+  onUnknown
+} = {}) {
+  let lockPath = await shadowNpmInject.findUp(Object.keys(LOCKS), {
+    cwd
+  });
+  let lockName = lockPath ? path.basename(lockPath) : undefined;
+  const isHiddenLockFile = lockName === '.package-lock.json';
+  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await shadowNpmInject.findUp('package.json', {
+    cwd
+  });
+  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
+  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
+    editable: true
+  }) : undefined;
+  const pkgJson = editablePkgJson?.content;
+  // Read Corepack `packageManager` field in package.json:
+  // https://nodejs.org/api/packages.html#packagemanager
+  const pkgManager = strings.isNonEmptyString(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
+  let agent;
+  let agentVersion;
+  if (pkgManager) {
+    const atSignIndex = pkgManager.lastIndexOf('@');
+    if (atSignIndex !== -1) {
+      const name = pkgManager.slice(0, atSignIndex);
+      const version = pkgManager.slice(atSignIndex + 1);
+      if (version && AGENTS.includes(name)) {
+        agent = name;
+        agentVersion = semver.coerce(version) ?? undefined;
+      }
+    }
+  }
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
+    agent = LOCKS[lockName];
+  }
+  if (agent === undefined) {
+    agent = NPM$b;
+    onUnknown?.(pkgManager);
+  }
+  const agentExecPath = await getAgentExecPath(agent);
+  const npmExecPath = agent === NPM$b ? agentExecPath : await getAgentExecPath(NPM$b);
+  if (agentVersion === undefined) {
+    agentVersion = await getAgentVersion(agentExecPath, cwd);
+  }
+  if (agent === YARN_CLASSIC$6 && (agentVersion?.major ?? 0) > 1) {
+    agent = YARN_BERRY$5;
+  }
+  const targets = {
+    browser: false,
+    node: true
+  };
+  let lockSrc;
+  // Lazily access constants.maintainedNodeVersions.
+  let minimumNodeVersion = constants.maintainedNodeVersions.last;
+  if (pkgJson) {
+    const browserField = pkgJson.browser;
+    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
+      targets.browser = true;
+    }
+    const nodeRange = pkgJson.engines?.['node'];
+    if (strings.isNonEmptyString(nodeRange)) {
+      const coerced = semver.coerce(nodeRange);
+      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+        minimumNodeVersion = coerced.version;
+      }
+    }
+    const browserslistQuery = pkgJson['browserslist'];
+    if (Array.isArray(browserslistQuery)) {
+      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
+      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
+      if (!targets.browser && browserslistTargets.length) {
+        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
+      }
+      if (browserslistNodeTargets.length) {
+        const coerced = semver.coerce(browserslistNodeTargets[0]);
+        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
+          minimumNodeVersion = coerced.version;
+        }
+      }
+    }
+    // Lazily access constants.maintainedNodeVersions.
+    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
+    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
+  } else {
+    lockName = undefined;
+    lockPath = undefined;
+  }
+  const pkgSupported = targets.browser || targets.node;
+  const npmBuggyOverrides = agent === NPM$b && !!agentVersion && semver.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION$1);
+  return {
+    agent,
+    agentExecPath,
+    agentVersion,
+    lockName,
+    lockPath,
+    lockSrc,
+    minimumNodeVersion,
+    npmExecPath,
+    pkgJson: editablePkgJson,
+    pkgPath,
+    pkgSupported,
+    features: {
+      npmBuggyOverrides
+    },
+    targets
+  };
+}
+async function detectAndValidatePackageEnvironment(cwd, options) {
+  const {
+    cmdName = '',
+    logger,
+    prod
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const details = await detectPackageEnvironment({
+    cwd,
+    onUnknown(pkgManager) {
+      logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`));
+    }
+  });
+  if (!details.pkgSupported) {
+    logger?.fail(cmdPrefixMessage(cmdName, 'No supported Node or browser range detected'));
+    return;
+  }
+  if (details.agent === VLT$5) {
+    logger?.fail(cmdPrefixMessage(cmdName, `${details.agent} does not support overrides. Soon, though ⚡`));
+    return;
+  }
+  const lockName = details.lockName ?? 'lock file';
+  if (details.lockName === undefined || details.lockSrc === undefined) {
+    logger?.fail(cmdPrefixMessage(cmdName, `No ${lockName} found`));
+    return;
+  }
+  if (details.lockSrc.trim() === '') {
+    logger?.fail(cmdPrefixMessage(cmdName, `${lockName} is empty`));
+    return;
+  }
+  if (details.pkgPath === undefined) {
+    logger?.fail(cmdPrefixMessage(cmdName, 'No package.json found'));
+    return;
+  }
+  if (prod && (details.agent === BUN$5 || details.agent === YARN_BERRY$5)) {
+    logger?.fail(cmdPrefixMessage(cmdName, `--prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.version}` : ''}`));
+    return;
+  }
+  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
+    logger?.warn(cmdPrefixMessage(cmdName, `Package ${lockName} found at ${details.lockPath}`));
+  }
+  return details;
+}
+
+const {
+  NPM: NPM$a,
+  PNPM: PNPM$7
+} = constants;
+const CMD_NAME$1 = 'socket fix';
+async function runFix() {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start();
+  const cwd = process.cwd();
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    cmdName: CMD_NAME$1,
+    logger: logger.logger
+  });
+  if (!pkgEnvDetails) {
+    spinner.stop();
+    return;
+  }
+  switch (pkgEnvDetails.agent) {
+    case NPM$a:
+      {
+        await npmFix(pkgEnvDetails, cwd);
+        break;
+      }
+    case PNPM$7:
+      {
+        await pnpmFix(pkgEnvDetails, cwd);
+        break;
+      }
+  }
+  spinner.successAndStop('Socket.dev fix successful');
+}
+
+const {
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
+} = constants;
+const config$t = {
+  commandName: 'fix',
+  description: 'Fix "fixable" Socket alerts',
+  hidden: true,
+  flags: {
+    ...commonFlags
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command}
+
+    Options
+      ${getFlagListOutput(config.flags, 6)}
+  `
+};
+const cmdFix = {
+  description: config$t.description,
+  hidden: config$t.hidden,
+  run: run$t
+};
+async function run$t(argv, importMeta, {
+  parentName
+}) {
+  const cli = meowOrExit({
+    argv,
+    config: config$t,
+    importMeta,
+    parentName
+  });
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
+    return;
+  }
+  await runFix();
+}
+
+async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
+  const socketSdk = await shadowNpmInject.setupSdk(shadowNpmInject.getPublicToken());
+  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package');
+  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score');
+  if (result.success === false) {
+    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result);
+  }
+  if (scoreResult.success === false) {
+    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult);
+  }
+  const severityCount = shadowNpmInject.getSeverityCount(result.data, includeAllIssues ? undefined : 'high');
+  return {
+    data: result.data,
+    severityCount,
+    score: scoreResult.data
+  };
+}
+
+const {
+  NPM: NPM$9
+} = registryConstants;
+function formatScore(score) {
+  if (score > 80) {
+    return colors.green(`${score}`);
+  } else if (score < 80 && score > 60) {
+    return colors.yellow(`${score}`);
+  }
+  return colors.red(`${score}`);
+}
+function logPackageIssuesDetails(packageData, outputMarkdown) {
+  const issueDetails = packageData.filter(d => d.value?.severity === shadowNpmInject.SEVERITY.critical || d.value?.severity === shadowNpmInject.SEVERITY.high);
+  const uniqueIssueDetails = issueDetails.reduce((acc, issue) => {
+    const {
+      type
+    } = issue;
+    if (type) {
+      const details = acc.get(type);
+      if (details) {
+        details.count += 1;
+      } else {
+        acc.set(type, {
+          label: issue.value?.label ?? '',
+          count: 1
+        });
+      }
+    }
+    return acc;
+  }, new Map());
+  const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
+  for (const [type, details] of uniqueIssueDetails.entries()) {
+    const issueWithLink = format.hyperlink(details.label, shadowNpmInject.getSocketDevAlertUrl(type), {
+      fallbackToUrl: true
+    });
+    if (details.count === 1) {
+      logger.logger.log(`- ${issueWithLink}`);
+    } else {
+      logger.logger.log(`- ${issueWithLink}: ${details.count}`);
+    }
+  }
+}
+function logPackageInfo({
+  data,
+  score,
+  severityCount
+}, {
+  name,
+  outputKind,
+  pkgName,
+  pkgVersion
+}) {
+  if (outputKind === 'json') {
     logger.logger.log(JSON.stringify(data, undefined, 2));
     return;
   }
   if (outputKind === 'markdown') {
-    logger.logger.log(`\n# Package report for ${pkgName}\n`);
-    logger.logger.log('Package report card:\n');
+    logger.logger.log(commonTags.stripIndents`
+      # Package report for ${pkgName}
+
+      Package report card:
+    `);
   } else {
-    logger.logger.log(`\nPackage report card for ${pkgName}:\n`);
+    logger.logger.log(`Package report card for ${pkgName}:`);
   }
   const scoreResult = {
     'Supply Chain Risk': Math.floor(score.supplyChainRisk.score * 100),
@@ -3049,72 +3590,35 @@ function formatPackageInfo({
     Vulnerabilities: Math.floor(score.vulnerability.score * 100),
     License: Math.floor(score.license.score * 100)
   };
+  logger.logger.log('\n');
   Object.entries(scoreResult).map(score => logger.logger.log(`- ${score[0]}: ${formatScore(score[1])}`));
   logger.logger.log('\n');
-  if (objectSome(severityCount)) {
+  if (objects.hasKeys(severityCount)) {
     if (outputKind === 'markdown') {
       logger.logger.log('# Issues\n');
     }
-    logger.logger.log(`Package has these issues: ${formatSeverityCount(severityCount)}\n`);
-    formatPackageIssuesDetails(data, outputKind === 'markdown');
+    logger.logger.log(`Package has these issues: ${shadowNpmInject.formatSeverityCount(severityCount)}\n`);
+    logPackageIssuesDetails(data, outputKind === 'markdown');
   } else {
     logger.logger.log('Package has no issues');
   }
   const format = new shadowNpmInject.ColorOrMarkdown(outputKind === 'markdown');
-  const url = shadowNpmInject.getSocketDevPackageOverviewUrl(NPM$c, pkgName, pkgVersion);
-  logger.logger.log('\n');
-  if (pkgVersion === 'latest') {
-    logger.logger.log(`Detailed info on socket.dev: ${format.hyperlink(`${pkgName}`, url, {
-      fallbackToUrl: true
-    })}`);
-  } else {
-    logger.logger.log(`Detailed info on socket.dev: ${format.hyperlink(`${pkgName} v${pkgVersion}`, url, {
-      fallbackToUrl: true
-    })}`);
-  }
-  if (outputKind !== 'markdown') {
-    logger.logger.log(colors.dim(`\nOr rerun ${colors.italic(name)} using the ${colors.italic('--json')} flag to get full JSON output`));
-  } else {
-    logger.logger.log('');
-  }
-}
-function formatPackageIssuesDetails(packageData, outputMarkdown) {
-  const issueDetails = packageData.filter(d => d.value?.severity === 'high' || d.value?.severity === 'critical');
-  const uniqueIssues = issueDetails.reduce((acc, issue) => {
-    const {
-      type
-    } = issue;
-    if (type) {
-      if (acc[type] === undefined) {
-        acc[type] = {
-          label: issue.value?.label,
-          count: 1
-        };
-      } else {
-        acc[type].count += 1;
-      }
-    }
-    return acc;
-  }, {});
-  const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
-  for (const issue of Object.keys(uniqueIssues)) {
-    const issueWithLink = format.hyperlink(`${uniqueIssues[issue]?.label}`, shadowNpmInject.getSocketDevAlertUrl(issue), {
+  const url = shadowNpmInject.getSocketDevPackageOverviewUrl(NPM$9, pkgName, pkgVersion);
+  logger.logger.log('\n');
+  if (pkgVersion === 'latest') {
+    logger.logger.log(`Detailed info on socket.dev: ${format.hyperlink(`${pkgName}`, url, {
       fallbackToUrl: true
-    });
-    if (uniqueIssues[issue]?.count === 1) {
-      logger.logger.log(`- ${issueWithLink}`);
-    } else {
-      logger.logger.log(`- ${issueWithLink}: ${uniqueIssues[issue]?.count}`);
-    }
+    })}`);
+  } else {
+    logger.logger.log(`Detailed info on socket.dev: ${format.hyperlink(`${pkgName} v${pkgVersion}`, url, {
+      fallbackToUrl: true
+    })}`);
   }
-}
-function formatScore(score) {
-  if (score > 80) {
-    return colors.green(`${score}`);
-  } else if (score < 80 && score > 60) {
-    return colors.yellow(`${score}`);
+  if (outputKind !== 'markdown') {
+    logger.logger.log(colors.dim(`\nOr rerun ${colors.italic(name)} using the ${colors.italic('--json')} flag to get full JSON output`));
+  } else {
+    logger.logger.log('');
   }
-  return colors.red(`${score}`);
 }
 
 async function getPackageInfo({
@@ -3133,13 +3637,13 @@ async function getPackageInfo({
   const packageData = await fetchPackageInfo(pkgName, pkgVersion, includeAllIssues);
   spinner.successAndStop('Data fetched');
   if (packageData) {
-    formatPackageInfo(packageData, {
+    logPackageInfo(packageData, {
       name: commandName,
       outputKind,
       pkgName,
       pkgVersion
     });
-    if (strict && objectSome(packageData.severityCount)) {
+    if (strict && objects.hasKeys(packageData.severityCount)) {
       // Let NodeJS exit gracefully but with exit(1)
       process$1.exitCode = 1;
     }
@@ -3341,8 +3845,8 @@ async function run$r(argv, importMeta, {
     importMeta,
     parentName
   });
-  let apiBaseUrl = cli.flags['apiBaseUrl'];
-  let apiProxy = cli.flags['apiProxy'];
+  const apiBaseUrl = cli.flags['apiBaseUrl'];
+  const apiProxy = cli.flags['apiProxy'];
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAIL_TEXT$q);
     return;
@@ -3811,6 +4315,9 @@ const config$o = {
 
     Support is beta. Please report issues or give us feedback on what's missing.
 
+    This is only for SBT. If your Scala setup uses gradle, please see the help
+    sections for \`socket manifest gradle\` or \`socket cdxgen\`.
+
     Examples
 
       $ ${command} ./build.sbt
@@ -4184,21 +4691,21 @@ async function run$l(argv, importMeta, {
 }
 
 const {
-  NPM: NPM$b
+  NPM: NPM$8
 } = constants;
 async function wrapNpm(argv) {
   // Lazily access constants.distShadowNpmBinPath.
   const shadowBin = require(constants.distShadowNpmBinPath);
-  await shadowBin(NPM$b, argv);
+  await shadowBin(NPM$8, argv);
 }
 
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k,
-  NPM: NPM$a
+  NPM: NPM$7
 } = constants;
 const config$k = {
   commandName: 'npm',
-  description: `${NPM$a} wrapper functionality`,
+  description: `${NPM$7} wrapper functionality`,
   hidden: false,
   flags: {},
   help: (command, _config) => `
@@ -4312,273 +4819,20 @@ async function run$i(argv, importMeta, {
 }
 
 const {
-  BUN: BUN$6,
-  NPM: NPM$9,
-  PNPM: PNPM$7,
-  VLT: VLT$6,
-  YARN_BERRY: YARN_BERRY$6,
-  YARN_CLASSIC: YARN_CLASSIC$6
-} = constants;
-function matchHumanStdout(stdout, name) {
-  return stdout.includes(` ${name}@`);
-}
-function matchQueryStdout(stdout, name) {
-  return stdout.includes(`"${name}"`);
-}
-const depsIncludesByAgent = new Map([[BUN$6, matchHumanStdout], [NPM$9, matchQueryStdout], [PNPM$7, matchQueryStdout], [VLT$6, matchQueryStdout], [YARN_BERRY$6, matchHumanStdout], [YARN_CLASSIC$6, matchHumanStdout]]);
-
-const {
-  BINARY_LOCK_EXT,
-  BUN: BUN$5,
-  LOCK_EXT: LOCK_EXT$1,
-  NPM: NPM$8,
+  BUN: BUN$4,
+  NPM: NPM$6,
   PNPM: PNPM$6,
-  VLT: VLT$5,
-  YARN,
-  YARN_BERRY: YARN_BERRY$5,
+  VLT: VLT$4,
+  YARN_BERRY: YARN_BERRY$4,
   YARN_CLASSIC: YARN_CLASSIC$5
 } = constants;
-const AGENTS = [BUN$5, NPM$8, PNPM$6, YARN_BERRY$5, YARN_CLASSIC$5, VLT$5];
-const binByAgent = {
-  __proto__: null,
-  [BUN$5]: BUN$5,
-  [NPM$8]: NPM$8,
-  [PNPM$6]: PNPM$6,
-  [YARN_BERRY$5]: YARN,
-  [YARN_CLASSIC$5]: YARN,
-  [VLT$5]: VLT$5
-};
-async function getAgentExecPath(agent) {
-  const binName = binByAgent[agent];
-  return (await which(binName, {
-    nothrow: true
-  })) ?? binName;
-}
-async function getAgentVersion(agentExecPath, cwd) {
-  let result;
-  try {
-    result = semver.coerce(
-    // All package managers support the "--version" flag.
-    (await spawn.spawn(agentExecPath, ['--version'], {
-      cwd
-    })).stdout) ?? undefined;
-  } catch {}
-  return result;
-}
-
-// The order of LOCKS properties IS significant as it affects iteration order.
-const LOCKS = {
-  [`bun${LOCK_EXT$1}`]: BUN$5,
-  [`bun${BINARY_LOCK_EXT}`]: BUN$5,
-  // If both package-lock.json and npm-shrinkwrap.json are present in the root
-  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
-  // will be ignored.
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
-  'npm-shrinkwrap.json': NPM$8,
-  'package-lock.json': NPM$8,
-  'pnpm-lock.yaml': PNPM$6,
-  'pnpm-lock.yml': PNPM$6,
-  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$5,
-  'vlt-lock.json': VLT$5,
-  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
-  //
-  // Unlike the other LOCKS keys this key contains a directory AND filename so
-  // it has to be handled differently.
-  'node_modules/.package-lock.json': NPM$8
-};
-const readLockFileByAgent = (() => {
-  function wrapReader(reader) {
-    return async (...args) => {
-      try {
-        return await reader(...args);
-      } catch {}
-      return undefined;
-    };
-  }
-  const binaryReader = wrapReader(shadowNpmInject.readFileBinary);
-  const defaultReader = wrapReader(async lockPath => await shadowNpmInject.readFileUtf8(lockPath));
-  return {
-    [BUN$5]: wrapReader(async (lockPath, agentExecPath) => {
-      const ext = path.extname(lockPath);
-      if (ext === LOCK_EXT$1) {
-        return await defaultReader(lockPath);
-      }
-      if (ext === BINARY_LOCK_EXT) {
-        const lockBuffer = await binaryReader(lockPath);
-        if (lockBuffer) {
-          try {
-            return index_cjs.parse(lockBuffer);
-          } catch {}
-        }
-        // To print a Yarn lockfile to your console without writing it to disk
-        // use `bun bun.lockb`.
-        // https://bun.sh/guides/install/yarnlock
-        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
-      }
-      return undefined;
-    }),
-    [NPM$8]: defaultReader,
-    [PNPM$6]: defaultReader,
-    [VLT$5]: defaultReader,
-    [YARN_BERRY$5]: defaultReader,
-    [YARN_CLASSIC$5]: defaultReader
-  };
-})();
-async function detectPackageEnvironment({
-  cwd = process$1.cwd(),
-  onUnknown
-} = {}) {
-  let lockPath = await shadowNpmInject.findUp(Object.keys(LOCKS), {
-    cwd
-  });
-  let lockName = lockPath ? path.basename(lockPath) : undefined;
-  const isHiddenLockFile = lockName === '.package-lock.json';
-  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await shadowNpmInject.findUp('package.json', {
-    cwd
-  });
-  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
-  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
-    editable: true
-  }) : undefined;
-  const pkgJson = editablePkgJson?.content;
-  // Read Corepack `packageManager` field in package.json:
-  // https://nodejs.org/api/packages.html#packagemanager
-  const pkgManager = strings.isNonEmptyString(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
-  let agent;
-  let agentVersion;
-  if (pkgManager) {
-    const atSignIndex = pkgManager.lastIndexOf('@');
-    if (atSignIndex !== -1) {
-      const name = pkgManager.slice(0, atSignIndex);
-      const version = pkgManager.slice(atSignIndex + 1);
-      if (version && AGENTS.includes(name)) {
-        agent = name;
-        agentVersion = semver.coerce(version) ?? undefined;
-      }
-    }
-  }
-  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
-    agent = LOCKS[lockName];
-  }
-  if (agent === undefined) {
-    agent = NPM$8;
-    onUnknown?.(pkgManager);
-  }
-  const agentExecPath = await getAgentExecPath(agent);
-  const npmExecPath = agent === NPM$8 ? agentExecPath : await getAgentExecPath(NPM$8);
-  if (agentVersion === undefined) {
-    agentVersion = await getAgentVersion(agentExecPath, cwd);
-  }
-  if (agent === YARN_CLASSIC$5 && (agentVersion?.major ?? 0) > 1) {
-    agent = YARN_BERRY$5;
-  }
-  const targets = {
-    browser: false,
-    node: true
-  };
-  let lockSrc;
-  // Lazily access constants.maintainedNodeVersions.
-  let minimumNodeVersion = constants.maintainedNodeVersions.previous;
-  if (pkgJson) {
-    const browserField = pkgJson.browser;
-    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
-      targets.browser = true;
-    }
-    const nodeRange = pkgJson.engines?.['node'];
-    if (strings.isNonEmptyString(nodeRange)) {
-      const coerced = semver.coerce(nodeRange);
-      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-        minimumNodeVersion = coerced.version;
-      }
-    }
-    const browserslistQuery = pkgJson['browserslist'];
-    if (Array.isArray(browserslistQuery)) {
-      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
-      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
-      if (!targets.browser && browserslistTargets.length) {
-        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
-      }
-      if (browserslistNodeTargets.length) {
-        const coerced = semver.coerce(browserslistNodeTargets[0]);
-        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-          minimumNodeVersion = coerced.version;
-        }
-      }
-    }
-    // Lazily access constants.maintainedNodeVersions.
-    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
-    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
-  } else {
-    lockName = undefined;
-    lockPath = undefined;
-  }
-  return {
-    agent,
-    agentExecPath,
-    agentVersion,
-    lockName,
-    lockPath,
-    lockSrc,
-    minimumNodeVersion,
-    npmExecPath,
-    pkgJson: editablePkgJson,
-    pkgPath,
-    supported: targets.browser || targets.node,
-    targets
-  };
+function matchLsCmdViewHumanStdout(stdout, name) {
+  return stdout.includes(` ${name}@`);
 }
-
-const {
-  BUN: BUN$4,
-  VLT: VLT$4,
-  YARN_BERRY: YARN_BERRY$4
-} = constants;
-const COMMAND_TITLE$2 = 'Socket Optimize';
-async function detectAndValidatePackageEnvironment(cwd, options) {
-  const {
-    logger,
-    prod
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const details = await detectPackageEnvironment({
-    cwd,
-    onUnknown(pkgManager) {
-      logger?.warn(`${COMMAND_TITLE$2}: Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`);
-    }
-  });
-  if (!details.supported) {
-    logger?.fail(`${COMMAND_TITLE$2}: No supported Node or browser range detected`);
-    return;
-  }
-  if (details.agent === VLT$4) {
-    logger?.fail(`${COMMAND_TITLE$2}: ${details.agent} does not support overrides. Soon, though ⚡`);
-    return;
-  }
-  const lockName = details.lockName ?? 'lock file';
-  if (details.lockName === undefined || details.lockSrc === undefined) {
-    logger?.fail(`${COMMAND_TITLE$2}: No ${lockName} found`);
-    return;
-  }
-  if (details.lockSrc.trim() === '') {
-    logger?.fail(`${COMMAND_TITLE$2}: ${lockName} is empty`);
-    return;
-  }
-  if (details.pkgPath === undefined) {
-    logger?.fail(`${COMMAND_TITLE$2}: No package.json found`);
-    return;
-  }
-  if (prod && (details.agent === BUN$4 || details.agent === YARN_BERRY$4)) {
-    logger?.fail(`${COMMAND_TITLE$2}: --prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.toString()}` : ''}`);
-    return;
-  }
-  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
-    logger?.warn(`${COMMAND_TITLE$2}: Package ${lockName} found at ${details.lockPath}`);
-  }
-  return details;
+function matchQueryCmdStdout(stdout, name) {
+  return stdout.includes(`"${name}"`);
 }
+const depsIncludesByAgent = new Map([[BUN$4, matchLsCmdViewHumanStdout], [NPM$6, matchQueryCmdStdout], [PNPM$6, matchQueryCmdStdout], [VLT$4, matchQueryCmdStdout], [YARN_BERRY$4, matchLsCmdViewHumanStdout], [YARN_CLASSIC$5, matchLsCmdViewHumanStdout]]);
 
 function getDependencyEntries(pkgJson) {
   const {
@@ -4606,7 +4860,7 @@ function getDependencyEntries(pkgJson) {
 
 const {
   BUN: BUN$3,
-  NPM: NPM$7,
+  NPM: NPM$5,
   OVERRIDES: OVERRIDES$1,
   PNPM: PNPM$5,
   RESOLUTIONS: RESOLUTIONS$1,
@@ -4627,7 +4881,7 @@ function getOverridesDataBun(pkgJson) {
 function getOverridesDataNpm(pkgJson) {
   const overrides = pkgJson?.[OVERRIDES$1] ?? {};
   return {
-    type: NPM$7,
+    type: NPM$5,
     overrides
   };
 }
@@ -4668,7 +4922,7 @@ function getOverridesDataClassic(pkgJson) {
     overrides
   };
 }
-const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$7, getOverridesDataNpm], [PNPM$5, getOverridesDataPnpm], [VLT$3, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataClassic]]);
+const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$5, getOverridesDataNpm], [PNPM$5, getOverridesDataPnpm], [VLT$3, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataClassic]]);
 
 const {
   PNPM: PNPM$4
@@ -4716,26 +4970,26 @@ function workspacePatternToGlobPattern(workspace) {
 const {
   BUN: BUN$2,
   LOCK_EXT,
-  NPM: NPM$6,
+  NPM: NPM$4,
   PNPM: PNPM$3,
   VLT: VLT$2,
   YARN_BERRY: YARN_BERRY$2,
   YARN_CLASSIC: YARN_CLASSIC$3
 } = constants;
-function lockIncludesNpm(lockSrc, name) {
+function includesNpm(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name":
   return lockSrc.includes(`"${name}":`);
 }
-function lockIncludesBun(lockSrc, name, lockName) {
+function includesBun(lockSrc, name, lockName) {
   // This is a bit counterintuitive. When lockName ends with a .lockb
   // we treat it as a yarn.lock. When lockName ends with a .lock we
   // treat it as a package-lock.json. The bun.lock format is not identical
   // package-lock.json, however it close enough for npmLockIncludes to work.
-  const lockScanner = lockName?.endsWith(LOCK_EXT) ? lockIncludesNpm : lockIncludesYarn;
-  return lockScanner(lockSrc, name);
+  const lockfileScanner = lockName?.endsWith(LOCK_EXT) ? includesNpm : includesYarn;
+  return lockfileScanner(lockSrc, name);
 }
-function lockIncludesPnpm(lockSrc, name) {
+function includesPnpm(lockSrc, name) {
   const escapedName = regexps.escapeRegExp(name);
   return new RegExp(
   // Detects the package name in the following cases:
@@ -4745,12 +4999,12 @@ function lockIncludesPnpm(lockSrc, name) {
   //   name@
   `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
 }
-function lockIncludesVlt(lockSrc, name) {
+function includesVlt(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name"
   return lockSrc.includes(`"${name}"`);
 }
-function lockIncludesYarn(lockSrc, name) {
+function includesYarn(lockSrc, name) {
   const escapedName = regexps.escapeRegExp(name);
   return new RegExp(
   // Detects the package name in the following cases:
@@ -4760,11 +5014,11 @@ function lockIncludesYarn(lockSrc, name) {
   //   , name@
   `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
 }
-const lockIncludesByAgent = new Map([[BUN$2, lockIncludesBun], [NPM$6, lockIncludesNpm], [PNPM$3, lockIncludesPnpm], [VLT$2, lockIncludesVlt], [YARN_BERRY$2, lockIncludesYarn], [YARN_CLASSIC$3, lockIncludesYarn]]);
+const lockfileIncludesByAgent = new Map([[BUN$2, includesBun], [NPM$4, includesNpm], [PNPM$3, includesPnpm], [VLT$2, includesVlt], [YARN_BERRY$2, includesYarn], [YARN_CLASSIC$3, includesYarn]]);
 
 const {
   BUN: BUN$1,
-  NPM: NPM$5,
+  NPM: NPM$3,
   PNPM: PNPM$2,
   VLT: VLT$1,
   YARN_BERRY: YARN_BERRY$1,
@@ -4800,11 +5054,11 @@ function cleanupQueryStdout(stdout) {
   }
   return JSON.stringify([...names], null, 2);
 }
-function parseableToQueryStdout(stdout) {
+function parsableToQueryStdout(stdout) {
   if (stdout === '') {
     return '';
   }
-  // Convert the parseable stdout into a json array of unique names.
+  // Convert the parsable stdout into a json array of unique names.
   // The matchAll regexp looks for a forward (posix) or backward (win32) slash
   // and matches one or more non-slashes until the newline.
   const names = new Set(stdout.matchAll(/(?<=[/\\])[^/\\]+(?=\n)/g));
@@ -4834,7 +5088,7 @@ async function lsNpm(agentExecPath, cwd) {
 }
 async function lsPnpm(agentExecPath, cwd, options) {
   const npmExecPath = options?.npmExecPath;
-  if (npmExecPath && npmExecPath !== NPM$5) {
+  if (npmExecPath && npmExecPath !== NPM$3) {
     const result = await npmQuery(npmExecPath, cwd);
     if (result) {
       return result;
@@ -4842,15 +5096,19 @@ async function lsPnpm(agentExecPath, cwd, options) {
   }
   let stdout = '';
   try {
-    stdout = (await spawn.spawn(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+    stdout = (await spawn.spawn(agentExecPath,
+    // Pnpm uses the alternative spelling of parsable.
+    // https://en.wiktionary.org/wiki/parsable
+    ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
       cwd
     })).stdout;
   } catch {}
-  return parseableToQueryStdout(stdout);
+  return parsableToQueryStdout(stdout);
 }
 async function lsVlt(agentExecPath, cwd) {
   let stdout = '';
   try {
+    // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (await spawn.spawn(agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
       cwd
     })).stdout;
@@ -4881,20 +5139,39 @@ async function lsYarnClassic(agentExecPath, cwd) {
   } catch {}
   return '';
 }
-const lsByAgent = {
-  // @ts-ignore
-  __proto__: null,
-  [BUN$1]: lsBun,
-  [NPM$5]: lsNpm,
-  [PNPM$2]: lsPnpm,
-  [VLT$1]: lsVlt,
-  [YARN_BERRY$1]: lsYarnBerry,
-  [YARN_CLASSIC$2]: lsYarnClassic
-};
+const lsByAgent = new Map([[BUN$1, lsBun], [NPM$3, lsNpm], [PNPM$2, lsPnpm], [VLT$1, lsVlt], [YARN_BERRY$1, lsYarnBerry], [YARN_CLASSIC$2, lsYarnClassic]]);
+
+const {
+  NPM_BUGGY_OVERRIDES_PATCHED_VERSION
+} = constants;
+async function updateLockfile(pkgEnvDetails, options) {
+  const {
+    cmdName = '',
+    logger,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
+  try {
+    await runAgentInstall(pkgEnvDetails, {
+      spinner
+    });
+    spinner?.stop();
+    if (pkgEnvDetails.features.npmBuggyOverrides) {
+      logger?.log(`💡 Re-run ${cmdName ? `${cmdName} ` : ''}whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped for ${pkgEnvDetails.agent} >=${NPM_BUGGY_OVERRIDES_PATCHED_VERSION}.`);
+    }
+  } catch (e) {
+    spinner?.stop();
+    logger?.fail(cmdPrefixMessage(cmdName, `${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`));
+    logger?.error(e);
+  }
+}
 
 const {
   BUN,
-  NPM: NPM$4,
+  NPM: NPM$2,
   OVERRIDES,
   PNPM: PNPM$1,
   RESOLUTIONS,
@@ -4914,7 +5191,9 @@ function getHighestEntryIndex(entries, keys) {
   return getEntryIndexes(entries, keys).at(-1) ?? -1;
 }
 function updatePkgJson(editablePkgJson, field, value) {
-  const pkgJson = editablePkgJson.content;
+  const {
+    content: pkgJson
+  } = editablePkgJson;
   const oldValue = pkgJson[field];
   if (oldValue) {
     // The field already exists so we simply update the field value.
@@ -4998,177 +5277,15 @@ function updateResolutions(editablePkgJson, overrides) {
 function pnpmUpdatePkgJson(editablePkgJson, overrides) {
   updatePkgJson(editablePkgJson, PNPM_FIELD_NAME, overrides);
 }
-const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$4, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
-
-const {
-  SOCKET_IPC_HANDSHAKE
-} = constants;
-function safeNpmInstall(options) {
-  const {
-    args = [],
-    ipc,
-    spinner,
-    ...spawnOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const terminatorPos = args.indexOf('--');
-  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
-  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-  const useIpc = objects.isObject(ipc);
-  const useDebug = debug.isDebug();
-  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
-  const spawnPromise = spawn.spawn(
-  // Lazily access constants.execPath.
-  constants.execPath, [
-  // Lazily access constants.nodeNoWarningsFlags.
-  ...constants.nodeNoWarningsFlags, '--require',
-  // Lazily access constants.distShadowNpmInjectPath.
-  constants.distShadowNpmInjectPath, shadowNpmPaths.getNpmBinPath(), 'install',
-  // Even though the '--silent' flag is passed npm will still run through
-  // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'
-  // flags are passed.
-  '--no-audit', '--no-fund',
-  // Add `--no-progress` and `--silent` flags to fix input being swallowed
-  // by the spinner when running the command with recent versions of npm.
-  '--no-progress',
-  // Add the '--silent' flag if a loglevel flag is not provided and the
-  // SOCKET_CLI_DEBUG environment variable is not truthy.
-  ...(isSilent ? ['--silent'] : []), ...npmArgs, ...otherArgs], {
-    spinner,
-    // Set stdio to include 'ipc'.
-    // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
-    // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
-    stdio: isSilent ?
-    // 'ignore'
-    useIpc ? ['ignore', 'ignore', 'ignore', 'ipc'] : 'ignore' :
-    // 'inherit'
-    useIpc ? [0, 1, 2, 'ipc'] : 'inherit',
-    ...spawnOptions,
-    env: {
-      ...process$1.env,
-      ...spawnOptions.env
-    }
-  });
-  if (useIpc) {
-    spawnPromise.process.send({
-      [SOCKET_IPC_HANDSHAKE]: ipc
-    });
-  }
-  return spawnPromise;
-}
-
-const {
-  NPM: NPM$3,
-  abortSignal
-} = constants;
-function runAgentInstall(agent, agentExecPath, options) {
-  // All package managers support the "install" command.
-  if (agent === NPM$3) {
-    return safeNpmInstall(options);
-  }
-  const {
-    args = [],
-    spinner,
-    ...spawnOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const isSilent = !debug.isDebug();
-  return spawn.spawn(agentExecPath, ['install', ...args], {
-    signal: abortSignal,
-    spinner,
-    stdio: isSilent ? 'ignore' : 'inherit',
-    ...spawnOptions,
-    env: {
-      ...process.env,
-      ...spawnOptions.env
-    }
-  });
-}
-
-const {
-  NPM: NPM$2
-} = constants;
-const COMMAND_TITLE$1 = 'Socket Optimize';
-async function updatePackageLockJson(pkgEnvDetails, options) {
-  const {
-    logger,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
-  try {
-    await runAgentInstall(pkgEnvDetails.agent, pkgEnvDetails.agentExecPath, {
-      spinner
-    });
-    spinner?.stop();
-    if (pkgEnvDetails.agent === NPM$2) {
-      logger?.log(`💡 Re-run ${COMMAND_TITLE$1} whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped once npm v11.2.0 is released.`);
-    }
-  } catch (e) {
-    spinner?.stop();
-    logger?.fail(`${COMMAND_TITLE$1}: ${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`);
-    logger?.error(e);
-  }
-}
+const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$2, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
 
 const {
   NPM: NPM$1,
   PNPM,
   YARN_CLASSIC
 } = constants;
-const COMMAND_TITLE = 'Socket Optimize';
+const CMD_NAME = 'socket optimize';
 const manifestNpmOverrides = registry.getManifestData(NPM$1);
-async function applyOptimization(cwd, pin, prod) {
-  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
-    logger: logger.logger,
-    prod
-  });
-  if (!pkgEnvDetails) {
-    return;
-  }
-  // Lazily access constants.spinner.
-  const {
-    spinner
-  } = constants;
-  spinner.start('Socket optimizing...');
-  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
-    logger: logger.logger,
-    pin,
-    prod,
-    spinner
-  });
-  spinner.stop();
-  const addedCount = state.added.size;
-  const updatedCount = state.updated.size;
-  const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
-  if (pkgJsonChanged) {
-    if (updatedCount > 0) {
-      logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
-    }
-    if (addedCount > 0) {
-      logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
-    }
-  } else {
-    logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
-  }
-  if (pkgEnvDetails.agent === NPM$1 || pkgJsonChanged) {
-    // Always update package-lock.json until the npm overrides PR lands:
-    // https://github.com/npm/cli/pull/8089
-    await updatePackageLockJson(pkgEnvDetails, {
-      logger: logger.logger,
-      spinner
-    });
-  }
-}
-function createActionMessage(verb, overrideCount, workspaceCount) {
-  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
-}
 async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const {
     agent,
@@ -5212,16 +5329,16 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const isWorkspace = !!workspaceGlobs;
   if (isWorkspace && agent === PNPM && npmExecPath === NPM$1 && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
-    logger?.warn(`${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
+    logger?.warn(cmdPrefixMessage(CMD_NAME, 'pnpm workspace support requires `npm ls`, falling back to `pnpm list`'));
   }
-  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, {
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent.get(agent)(agentExecPath, pkgPath, {
     npmExecPath
   });
   // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
   // first two parameters. AgentLockIncludesFn accepts an optional third
   // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
   // as an AgentLockIncludesFn type.
-  const thingScanner = isLockScanned ? lockIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
+  const thingScanner = isLockScanned ? lockfileIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
   const depEntries = getDependencyEntries(pkgJson);
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
@@ -5347,6 +5464,51 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   }
   return state;
 }
+function createActionMessage(verb, overrideCount, workspaceCount) {
+  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
+}
+async function applyOptimization(cwd, pin, prod) {
+  const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
+    cmdName: CMD_NAME,
+    logger: logger.logger,
+    prod
+  });
+  if (!pkgEnvDetails) {
+    return;
+  }
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start('Socket optimizing...');
+  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
+    logger: logger.logger,
+    pin,
+    prod,
+    spinner
+  });
+  spinner.stop();
+  const addedCount = state.added.size;
+  const updatedCount = state.updated.size;
+  const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
+  if (pkgJsonChanged) {
+    if (updatedCount > 0) {
+      logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
+    }
+    if (addedCount > 0) {
+      logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
+    }
+  } else {
+    logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
+  }
+  if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
+    await updateLockfile(pkgEnvDetails, {
+      cmdName: CMD_NAME,
+      logger: logger.logger,
+      spinner
+    });
+  }
+}
 
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h
@@ -5727,8 +5889,8 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
       spinner.error('Report result deemed unhealthy for project');
     }
   } else if (!result.data.healthy) {
-    const severityCount = getSeverityCount(result.data.issues, includeAllIssues ? undefined : 'high');
-    const issueSummary = formatSeverityCount(severityCount);
+    const severityCount = shadowNpmInject.getSeverityCount(result.data.issues, includeAllIssues ? undefined : 'high');
+    const issueSummary = shadowNpmInject.formatSeverityCount(severityCount);
     spinner.success(`Report has these issues: ${issueSummary}`);
   } else {
     spinner.success('Report has no issues');
@@ -7029,7 +7191,7 @@ async function run$6(argv, importMeta, {
   });
   const [orgSlug = '', ...targets] = cli.input;
   const cwd = cli.flags['cwd'] && cli.flags['cwd'] !== 'process.cwd()' ? String(cli.flags['cwd']) : process$1.cwd();
-  let {
+  const {
     branch: branchName,
     repo: repoName
   } = cli.flags;
@@ -7624,11 +7786,36 @@ const cmdScan = {
   }
 };
 
+// Note: Widgets does not seem to actually work as code :'(
+
 async function getThreatFeed({
+  direction,
+  ecosystem,
+  filter,
+  outputKind,
+  page,
+  perPage
+}) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await getThreatFeedWithToken({
+    apiToken,
+    direction,
+    ecosystem,
+    filter,
+    outputKind,
+    page,
+    perPage
+  });
+}
+async function getThreatFeedWithToken({
   apiToken,
   direction,
+  ecosystem,
   filter,
-  outputJson,
+  outputKind,
   page,
   perPage
 }) {
@@ -7636,17 +7823,12 @@ async function getThreatFeed({
   const {
     spinner
   } = constants;
-  spinner.start('Looking up the threat feed');
-  const formattedQueryParams = formatQueryParams({
-    per_page: perPage,
-    page,
-    direction,
-    filter
-  }).join('&');
-  const response = await queryAPI(`threat-feed?${formattedQueryParams}`, apiToken);
+  const queryParams = new URLSearchParams([['direction', direction], ['ecosystem', ecosystem], ['filter', filter], ['page', page], ['per_page', String(perPage)]]);
+  spinner.start('Fetching Threat Feed data...');
+  const response = await queryAPI(`threat-feed?${queryParams}`, apiToken);
   const data = await response.json();
-  spinner.stop();
-  if (outputJson) {
+  spinner.stop('Threat feed data fetched');
+  if (outputKind === 'json') {
     logger.logger.log(data);
     return;
   }
@@ -7659,47 +7841,98 @@ async function getThreatFeed({
     interactive: 'true',
     label: 'Threat feed',
     width: '100%',
-    height: '100%',
+    height: '70%',
+    // Changed from 100% to 70%
     border: {
       type: 'line',
       fg: 'cyan'
     },
-    columnSpacing: 3,
-    //in chars
-    columnWidth: [9, 30, 10, 17, 13, 100] /*in chars*/
+    columnWidth: [10, 30, 20, 18, 15, 200],
+    // TODO: the truncation doesn't seem to work too well yet but when we add
+    //       `pad` alignment fails, when we extend columnSpacing alignment fails
+    columnSpacing: 1,
+    truncate: '_'
+  });
+
+  // Create details box at the bottom
+  const detailsBox = new BoxWidget({
+    bottom: 0,
+    height: '30%',
+    width: '100%',
+    border: {
+      type: 'line',
+      fg: 'cyan'
+    },
+    label: 'Details',
+    content: 'Use arrow keys to navigate. Press Enter to select a threat. Press q to exit.',
+    style: {
+      fg: 'white'
+    }
   });
 
   // allow control the table with the keyboard
   table.focus();
   screen.append(table);
+  screen.append(detailsBox);
   const formattedOutput = formatResults(data.results);
+  const descriptions = data.results.map(d => d.description);
   table.setData({
-    headers: ['Ecosystem', 'Name', 'Version', 'Threat type', 'Detected at', 'Details'],
+    headers: [' Ecosystem', ' Name', '  Version', '  Threat type', '  Detected at', ' Details'],
     data: formattedOutput
   });
+
+  // Update details box when selection changes
+  table.rows.on('select item', () => {
+    const selectedIndex = table.rows.selected;
+    if (selectedIndex !== undefined && selectedIndex >= 0) {
+      const selectedRow = formattedOutput[selectedIndex];
+      if (selectedRow) {
+        // Note: the spacing works around issues with the table; it refuses to pad!
+        detailsBox.setContent(`Ecosystem: ${selectedRow[0]}\n` + `Name: ${selectedRow[1]}\n` + `Version:${selectedRow[2]}\n` + `Threat type:${selectedRow[3]}\n` + `Detected at:${selectedRow[4]}\n` + `Details: ${selectedRow[5]}\n` + `Description: ${descriptions[selectedIndex]}`);
+        screen.render();
+      }
+    }
+  });
   screen.render();
   screen.key(['escape', 'q', 'C-c'], () => process$1.exit(0));
+  screen.key(['return'], () => {
+    const selectedIndex = table.rows.selected;
+    screen.destroy();
+    const selectedRow = formattedOutput[selectedIndex];
+    console.log(selectedRow);
+  });
 }
 function formatResults(data) {
   return data.map(d => {
     const ecosystem = d.purl.split('pkg:')[1].split('/')[0];
     const name = d.purl.split('/')[1].split('@')[0];
     const version = d.purl.split('@')[1];
-    const timeStart = new Date(d.createdAt).getMilliseconds();
-    const timeEnd = Date.now();
-    const diff = getHourDiff(timeStart, timeEnd);
-    const hourDiff = diff > 0 ? `${diff} hours ago` : `${getMinDiff(timeStart, timeEnd)} minutes ago`;
-    return [ecosystem, decodeURIComponent(name), version, d.threatType, hourDiff, d.locationHtmlUrl];
+    const timeDiff = msAtHome(d.createdAt);
+
+    // Note: the spacing works around issues with the table; it refuses to pad!
+    return [ecosystem, decodeURIComponent(name), ` ${version}`, ` ${d.threatType}`, ` ${timeDiff}`, d.locationHtmlUrl];
   });
 }
-function formatQueryParams(params) {
-  return Object.entries(params).map(entry => `${entry[0]}=${entry[1]}`);
-}
-function getHourDiff(start, end) {
-  return Math.floor((end - start) / 3600000);
-}
-function getMinDiff(start, end) {
-  return Math.floor((end - start) / 60000);
+function msAtHome(isoTimeStamp) {
+  const timeStart = Date.parse(isoTimeStamp);
+  const timeEnd = Date.now();
+  const rtf = new Intl.RelativeTimeFormat('en', {
+    numeric: 'always',
+    style: 'short'
+  });
+  const delta = timeEnd - timeStart;
+  if (delta < 60 * 60 * 1000) {
+    return rtf.format(-Math.round(delta / (60 * 1000)), 'minute');
+    // return Math.round(delta / (60 * 1000)) + ' min ago'
+  } else if (delta < 24 * 60 * 60 * 1000) {
+    return rtf.format(-(delta / (60 * 60 * 1000)).toFixed(1), 'hour');
+    // return (delta / (60 * 60 * 1000)).toFixed(1) + ' hr ago'
+  } else if (delta < 7 * 24 * 60 * 60 * 1000) {
+    return rtf.format(-(delta / (24 * 60 * 60 * 1000)).toFixed(1), 'day');
+    // return (delta / (24 * 60 * 60 * 1000)).toFixed(1) + ' day ago'
+  } else {
+    return isoTimeStamp.slice(0, 10);
+  }
 }
 
 const {
@@ -7707,7 +7940,7 @@ const {
 } = constants;
 const config$1 = {
   commandName: 'threat-feed',
-  description: 'Look up the threat feed',
+  description: '[beta] View the threat feed',
   hidden: false,
   flags: {
     ...commonFlags,
@@ -7730,6 +7963,12 @@ const config$1 = {
       default: 'desc',
       description: 'Order asc or desc by the createdAt attribute.'
     },
+    eco: {
+      type: 'string',
+      shortFlag: 'e',
+      default: '',
+      description: 'Only show threats for a particular ecosystem'
+    },
     filter: {
       type: 'string',
       shortFlag: 'f',
@@ -7741,9 +7980,35 @@ const config$1 = {
     Usage
       $ ${command}
 
+    This feature requires a Threat Feed license. Please contact
+    sales@socket.dev if you are interested in purchasing this access.
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
+    Valid filters:
+
+      - anom    Anomaly
+      - c       Do not filter
+      - fp      False Positives
+      - joke    Joke / Fake
+      - mal     Malware and Possible Malware [default]
+      - secret  Secrets
+      - spy     Telemetry
+      - tp      False Positives and Unreviewed
+      - typo    Typo-squat
+      - u       Unreviewed
+      - vuln    Vulnerability
+
+    Valid ecosystems:
+
+      - gem
+      - golang
+      - maven
+      - npm
+      - nuget
+      - pypi
+
     Examples
       $ ${command}
       $ ${command} --perPage=5 --page=2 --direction=asc --filter=joke
@@ -7767,17 +8032,13 @@ async function run$1(argv, importMeta, {
     logger.logger.log(DRY_RUN_BAIL_TEXT$1);
     return;
   }
-  const apiToken = shadowNpmInject.getDefaultToken();
-  if (!apiToken) {
-    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
-  }
   await getThreatFeed({
-    apiToken,
     direction: String(cli.flags['direction'] || 'desc'),
+    ecosystem: String(cli.flags['eco'] || ''),
     filter: String(cli.flags['filter'] || 'mal'),
-    outputJson: Boolean(cli.flags['json']),
-    page: String(cli.flags['filter'] || '1'),
-    perPage: Number(cli.flags['per_page'] || 0)
+    outputKind: cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print',
+    page: String(cli.flags['page'] || '1'),
+    perPage: Number(cli.flags['perPage']) || 30
   });
 }
 
@@ -7979,14 +8240,14 @@ async function run(argv, importMeta, {
 }
 
 const {
-  SOCKET,
+  SOCKET_CLI_BIN_NAME,
   rootPkgJsonPath
 } = constants;
 
 // TODO: Add autocompletion using https://socket.dev/npm/package/omelette
 void (async () => {
   await updateNotifier({
-    name: SOCKET,
+    name: SOCKET_CLI_BIN_NAME,
     version: require(rootPkgJsonPath).version,
     ttl: 86_400_000 /* 24 hours in milliseconds */
   });
@@ -8023,7 +8284,7 @@ void (async () => {
         }
       },
       argv: process$1.argv.slice(2),
-      name: SOCKET,
+      name: SOCKET_CLI_BIN_NAME,
       importMeta: {
         url: `${node_url.pathToFileURL(__filename)}`
       }
@@ -8047,12 +8308,12 @@ void (async () => {
     } else {
       errorTitle = 'Unexpected error with no details';
     }
-    logger.logger.fail(`${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
+    logger.logger.fail(`${colors.bgRed(colors.white(`${errorTitle}:`))} ${errorMessage}`);
     if (errorBody) {
       logger.logger.error(`\n${errorBody}`);
     }
     await shadowNpmInject.captureException(e);
   }
 })();
-//# debugId=6f2331ca-147d-40b1-aa4e-e5b6a5c2eba0
+//# debugId=c1c67343-d5ad-409c-8f8e-9236e0fb545a
 //# sourceMappingURL=cli.js.map