@socketsecurity/cli-with-sentry 0.14.57 → 0.14.59

package/dist/module-sync/shadow-npm-inject.js

@@ -9,18 +9,18 @@ function _socketInterop(e) {
   return c ? e.default : e
 }
 
-var process = require('node:process');
-var path = require('node:path');
+var process$1 = require('node:process');
+var logger = require('@socketsecurity/registry/lib/logger');
+var prompts = require('@socketsecurity/registry/lib/prompts');
+var constants = require('./constants.js');
 var semver = _socketInterop(require('semver'));
 var packageurlJs = require('@socketregistry/packageurl-js');
 var registry = require('@socketsecurity/registry');
 var arrays = require('@socketsecurity/registry/lib/arrays');
+var debug = require('@socketsecurity/registry/lib/debug');
 var objects = require('@socketsecurity/registry/lib/objects');
-var packages = require('@socketsecurity/registry/lib/packages');
-var prompts = require('@socketsecurity/registry/lib/prompts');
-var sorts = require('@socketsecurity/registry/lib/sorts');
-var spinner = require('@socketsecurity/registry/lib/spinner');
-var constants = require('./constants.js');
+var shadowNpmPaths = require('./shadow-npm-paths.js');
+var npa = _socketInterop(require('npm-package-arg'));
 var events = require('node:events');
 var https = require('node:https');
 var readline = require('node:readline');
@@ -30,16 +30,15 @@ var registryConstants = require('@socketsecurity/registry/lib/constants');
 var strings = require('@socketsecurity/registry/lib/strings');
 var sdk = require('@socketsecurity/sdk');
 var promises = require('node:timers/promises');
-var debug = require('@socketsecurity/registry/lib/debug');
 var fs = require('node:fs');
 var os = require('node:os');
+var path = require('node:path');
 var config = require('@socketsecurity/config');
-var logger = require('@socketsecurity/registry/lib/logger');
+var packages = require('@socketsecurity/registry/lib/packages');
+var sorts = require('@socketsecurity/registry/lib/sorts');
 var terminalLink = _socketInterop(require('terminal-link'));
 var colors = _socketInterop(require('yoctocolors-cjs'));
 var indentString = require('@socketregistry/indent-string/index.cjs');
-var shadowNpmPaths = require('./shadow-npm-paths.js');
-var npa = _socketInterop(require('npm-package-arg'));
 
 const {
   kInternalsSymbol: kInternalsSymbol$1,
@@ -76,7 +75,7 @@ function isErrnoException(value) {
 }
 
 async function findUp(name, {
-  cwd = process.cwd()
+  cwd = process$1.cwd()
 }) {
   let dir = path.resolve(cwd);
   const {
@@ -110,9 +109,9 @@ async function readFileUtf8(filepath, options) {
     encoding: 'utf8'
   });
 }
-function safeReadFile(...args) {
+async function safeReadFile(...args) {
   try {
-    return fs.promises.readFile(...args);
+    return await fs.promises.readFile(...args);
   } catch {}
   return undefined;
 }
@@ -155,7 +154,7 @@ function getSettingsPath() {
     const {
       WIN32
     } = constants;
-    let dataHome = WIN32 ? process.env[LOCALAPPDATA] : process.env['XDG_DATA_HOME'];
+    let dataHome = WIN32 ? process$1.env[LOCALAPPDATA] : process$1.env['XDG_DATA_HOME'];
     if (!dataHome) {
       if (WIN32) {
         if (!_warnedSettingPathWin32Missing) {
@@ -163,7 +162,7 @@ function getSettingsPath() {
           logger.logger.warn(`Missing %${LOCALAPPDATA}%`);
         }
       } else {
-        dataHome = path.join(os.homedir(), ...(process.platform === 'darwin' ? ['Library', 'Application Support'] : ['.local', 'share']));
+        dataHome = path.join(os.homedir(), ...(process$1.platform === 'darwin' ? ['Library', 'Application Support'] : ['.local', 'share']));
       }
     }
     _settingsPath = dataHome ? path.join(dataHome, 'socket/settings') : undefined;
@@ -179,7 +178,7 @@ function normalizeSettingsKey(key) {
 }
 function findSocketYmlSync() {
   let prevDir = null;
-  let dir = process.cwd();
+  let dir = process$1.cwd();
   while (dir !== prevDir) {
     let ymlPath = path.join(dir, 'socket.yml');
     let yml = safeReadFileSync(ymlPath, 'utf8');
@@ -211,7 +210,7 @@ function updateSetting(key, value) {
   settings[normalizeSettingsKey(key)] = value;
   if (!pendingSave) {
     pendingSave = true;
-    process.nextTick(() => {
+    process$1.nextTick(() => {
       pendingSave = false;
       const settingsPath = getSettingsPath();
       if (settingsPath) {
@@ -227,13 +226,13 @@ const {
 
 // The API server that should be used for operations.
 function getDefaultApiBaseUrl() {
-  const baseUrl = process.env['SOCKET_SECURITY_API_BASE_URL'] || getSetting('apiBaseUrl');
+  const baseUrl = process$1.env['SOCKET_SECURITY_API_BASE_URL'] || getSetting('apiBaseUrl');
   return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined;
 }
 
 // The API server that should be used for operations.
 function getDefaultHttpProxy() {
-  const apiProxy = process.env['SOCKET_SECURITY_API_PROXY'] || getSetting('apiProxy');
+  const apiProxy = process$1.env['SOCKET_SECURITY_API_PROXY'] || getSetting('apiProxy');
   return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined;
 }
 
@@ -244,10 +243,10 @@ function getDefaultToken() {
   if (constants.ENV[SOCKET_CLI_NO_API_TOKEN]) {
     _defaultToken = undefined;
   } else {
-    const key = process.env['SOCKET_SECURITY_API_TOKEN'] ||
+    const key = process$1.env['SOCKET_SECURITY_API_TOKEN'] ||
     // Keep 'SOCKET_SECURITY_API_KEY' as an alias of 'SOCKET_SECURITY_API_TOKEN'.
     // TODO: Remove 'SOCKET_SECURITY_API_KEY' alias.
-    process.env['SOCKET_SECURITY_API_KEY'] || getSetting('apiToken') || _defaultToken;
+    process$1.env['SOCKET_SECURITY_API_KEY'] || getSetting('apiToken') || _defaultToken;
     _defaultToken = strings.isNonEmptyString(key) ? key : undefined;
   }
   return _defaultToken;
@@ -280,1177 +279,1443 @@ async function setupSdk(apiToken = getDefaultToken(), apiBaseUrl = getDefaultApi
   });
 }
 
+let DiffAction = /*#__PURE__*/function (DiffAction) {
+  DiffAction["add"] = "ADD";
+  DiffAction["change"] = "CHANGE";
+  DiffAction["remove"] = "REMOVE";
+  return DiffAction;
+}({});
+
+const depValid = require(shadowNpmPaths.getArboristDepValidPath());
+
 const {
-  LOOP_SENTINEL: LOOP_SENTINEL$1,
-  NPM_REGISTRY_URL: NPM_REGISTRY_URL$1
+  UNDEFINED_TOKEN
 } = constants;
-function getUrlOrigin(input) {
-  try {
-    return URL.parse(input)?.origin ?? '';
-  } catch {}
-  return '';
+function tryRequire(req, ...ids) {
+  for (const data of ids) {
+    let id;
+    let transformer;
+    if (Array.isArray(data)) {
+      id = data[0];
+      transformer = data[1];
+    } else {
+      id = data;
+      transformer = mod => mod;
+    }
+    try {
+      // Check that the transformed value isn't `undefined` because older
+      // versions of packages like 'proc-log' may not export a `log` method.
+      const exported = transformer(req(id));
+      if (exported !== undefined) {
+        return exported;
+      }
+    } catch {}
+  }
+  return undefined;
 }
-function getPackagesToQueryFromDiff(diff_, options) {
-  const {
-    includeUnchanged = false,
-    includeUnknownOrigin = false
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const details = [];
-  // `diff_` is `null` when `npm install --package-lock-only` is passed.
-  if (!diff_) {
-    return details;
+let _log = UNDEFINED_TOKEN;
+function getLogger() {
+  if (_log === UNDEFINED_TOKEN) {
+    _log = tryRequire(shadowNpmPaths.getNpmRequire(), ['proc-log/lib/index.js',
+    // The proc-log DefinitelyTyped definition is incorrect. The type definition
+    // is really that of its export log.
+    mod => mod.log], 'npmlog/lib/log.js');
   }
-  const queue = [...diff_.children];
-  let pos = 0;
-  let {
-    length: queueLength
-  } = queue;
-  while (pos < queueLength) {
-    if (pos === LOOP_SENTINEL$1) {
-      throw new Error('Detected infinite loop while walking Arborist diff');
+  return _log;
+}
+
+const OverrideSet = require(shadowNpmPaths.getArboristOverrideSetClassPath());
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/8089
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
+class SafeOverrideSet extends OverrideSet {
+  // Patch adding doOverrideSetsConflict is based on
+  // https://github.com/npm/cli/pull/8089.
+  static doOverrideSetsConflict(first, second) {
+    // If override sets contain one another then we can try to use the more
+    // specific one. If neither one is more specific, then we consider them to
+    // be in conflict.
+    return this.findSpecificOverrideSet(first, second) === undefined;
+  }
+
+  // Patch adding findSpecificOverrideSet is based on
+  // https://github.com/npm/cli/pull/8089.
+  static findSpecificOverrideSet(first, second) {
+    for (let overrideSet = second; overrideSet; overrideSet = overrideSet.parent) {
+      if (overrideSet.isEqual(first)) {
+        return second;
+      }
     }
-    const diff = queue[pos++];
-    const {
-      action
-    } = diff;
-    if (action) {
-      // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
-      // action is 'REMOVE'
-      // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
-      // action is 'ADD'.
-      const {
-        actual: oldNode,
-        ideal: pkgNode
-      } = diff;
-      let existing;
-      let keep = false;
-      if (action === 'CHANGE') {
-        if (pkgNode?.package.version !== oldNode?.package.version) {
-          keep = true;
-          if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
-            existing = oldNode;
-          }
+    for (let overrideSet = first; overrideSet; overrideSet = overrideSet.parent) {
+      if (overrideSet.isEqual(second)) {
+        return first;
+      }
+    }
+    // The override sets are incomparable. Neither one contains the other.
+    const log = getLogger();
+    log?.silly('Conflicting override sets', first, second);
+    return undefined;
+  }
+
+  // Patch adding childrenAreEqual is based on
+  // https://github.com/npm/cli/pull/8089.
+  childrenAreEqual(otherOverrideSet) {
+    if (this.children.size !== otherOverrideSet.children.size) {
+      return false;
+    }
+    for (const {
+      0: key,
+      1: childOverrideSet
+    } of this.children) {
+      const otherChildOverrideSet = otherOverrideSet.children.get(key);
+      if (!otherChildOverrideSet) {
+        return false;
+      }
+      if (childOverrideSet.value !== otherChildOverrideSet.value) {
+        return false;
+      }
+      if (!childOverrideSet.childrenAreEqual(otherChildOverrideSet)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  getEdgeRule(edge) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== edge.name) {
+        continue;
+      }
+      // If keySpec is * we found our override.
+      if (rule.keySpec === '*') {
+        return rule;
+      }
+      // Patch replacing
+      // let spec = npa(`${edge.name}@${edge.spec}`)
+      // is based on https://github.com/npm/cli/pull/8089.
+      //
+      // We need to use the rawSpec here, because the spec has the overrides
+      // applied to it already. The rawSpec can be undefined, so we need to use
+      // the fallback value of spec if it is.
+      let spec = npa(`${edge.name}@${edge.rawSpec || edge.spec}`);
+      if (spec.type === 'alias') {
+        spec = spec.subSpec;
+      }
+      if (spec.type === 'git') {
+        if (spec.gitRange && semver.intersects(spec.gitRange, rule.keySpec)) {
+          return rule;
         }
-      } else {
-        keep = action !== 'REMOVE';
+        continue;
       }
-      if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        if (includeUnknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL$1) {
-          details.push({
-            node: pkgNode,
-            existing
-          });
+      if (spec.type === 'range' || spec.type === 'version') {
+        if (semver.intersects(spec.fetchSpec, rule.keySpec)) {
+          return rule;
         }
+        continue;
       }
+      // If we got this far, the spec type is one of tag, directory or file
+      // which means we have no real way to make version comparisons, so we
+      // just accept the override.
+      return rule;
     }
-    for (const child of diff.children) {
-      queue[queueLength++] = child;
-    }
+    return this;
   }
-  if (includeUnchanged) {
-    const {
-      unchanged
-    } = diff_;
-    for (let i = 0, {
-        length
-      } = unchanged; i < length; i += 1) {
-      const pkgNode = unchanged[i];
-      if (includeUnknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL$1) {
-        details.push({
-          node: pkgNode,
-          existing: pkgNode
-        });
-      }
+
+  // Patch adding isEqual is based on
+  // https://github.com/npm/cli/pull/8089.
+  isEqual(otherOverrideSet) {
+    if (this === otherOverrideSet) {
+      return true;
+    }
+    if (!otherOverrideSet) {
+      return false;
+    }
+    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
+      return false;
+    }
+    if (!this.childrenAreEqual(otherOverrideSet)) {
+      return false;
+    }
+    if (!this.parent) {
+      return !otherOverrideSet.parent;
     }
+    return this.parent.isEqual(otherOverrideSet.parent);
   }
-  return details;
 }
 
-const {
-  ALERT_TYPE_CRITICAL_CVE,
-  ALERT_TYPE_CVE,
-  ALERT_TYPE_MEDIUM_CVE,
-  ALERT_TYPE_MILD_CVE,
-  ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE,
-  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER: CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1,
-  CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE,
-  abortSignal: abortSignal$1
-} = constants;
-async function* createBatchGenerator(chunk) {
-  // Adds the first 'abort' listener to abortSignal.
-  const req = https
-  // Lazily access constants.BATCH_PURL_ENDPOINT.
-  .request(constants.BATCH_PURL_ENDPOINT, {
-    method: 'POST',
-    headers: {
-      Authorization: `Basic ${btoa(`${getPublicToken()}:`)}`
+const Node = require(shadowNpmPaths.getArboristNodeClassPath());
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/8089
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
+class SafeNode extends Node {
+  // Return true if it's safe to remove this node, because anything that is
+  // depending on it would be fine with the thing that they would resolve to if
+  // it was removed, or nothing is depending on it in the first place.
+  canDedupe(preferDedupe = false) {
+    // Not allowed to mess with shrinkwraps or bundles.
+    if (this.inDepBundle || this.inShrinkwrap) {
+      return false;
     }
-    // TODO: Fix to not abort process on network abort.
-    // signal: abortSignal
-  }).end(JSON.stringify({
-    components: chunk.map(id => ({
-      purl: `pkg:npm/${id}`
-    }))
-  }));
-  // Adds the second 'abort' listener to abortSignal.
-  const {
-    0: res
-  } = await events.once(req, 'response', {
-    signal: abortSignal$1
-  });
-  const ok = res.statusCode >= 200 && res.statusCode <= 299;
-  if (!ok) {
-    throw new Error(`Socket API Error: ${res.statusCode}`);
-  }
-  const rli = readline.createInterface({
-    input: res,
-    crlfDelay: Infinity,
-    signal: abortSignal$1
-  });
-  for await (const line of rli) {
-    yield JSON.parse(line);
-  }
-}
-async function* batchScan(pkgIds, concurrencyLimit = 50) {
-  // The createBatchGenerator method will add 2 'abort' event listeners to
-  // abortSignal so we multiply the concurrencyLimit by 2.
-  const neededMaxListeners = concurrencyLimit * 2;
-  // Increase abortSignal max listeners count to avoid Node's MaxListenersExceededWarning.
-  const oldAbortSignalMaxListeners = events.getMaxListeners(abortSignal$1);
-  let abortSignalMaxListeners = oldAbortSignalMaxListeners;
-  if (oldAbortSignalMaxListeners < neededMaxListeners) {
-    abortSignalMaxListeners = oldAbortSignalMaxListeners + neededMaxListeners;
-    events.setMaxListeners(abortSignalMaxListeners, abortSignal$1);
-  }
-  const {
-    length: pkgIdsCount
-  } = pkgIds;
-  const running = [];
-  let index = 0;
-  const enqueueGen = () => {
-    if (index >= pkgIdsCount) {
-      // No more work to do.
-      return;
+    // It's a top level pkg, or a dep of one.
+    if (!this.resolveParent?.resolveParent) {
+      return false;
     }
-    const chunk = pkgIds.slice(index, index + 25);
-    index += 25;
-    const generator = createBatchGenerator(chunk);
-    continueGen(generator);
-  };
-  const continueGen = generator => {
-    let resolveFn;
-    running.push({
-      generator,
-      promise: new Promise(resolve => resolveFn = resolve)
-    });
-    void generator.next().then(res => resolveFn({
-      generator,
-      iteratorResult: res
-    }));
-  };
-  // Start initial batch of generators.
-  while (running.length < concurrencyLimit && index < pkgIdsCount) {
-    enqueueGen();
-  }
-  while (running.length > 0) {
-    // eslint-disable-next-line no-await-in-loop
-    const {
-      generator,
-      iteratorResult
-    } = await Promise.race(running.map(entry => entry.promise));
-    // Remove generator.
-    running.splice(running.findIndex(entry => entry.generator === generator), 1);
-    if (iteratorResult.done) {
-      // Start a new generator if available.
-      enqueueGen();
-    } else {
-      yield iteratorResult.value;
-      // Keep fetching values from this generator.
-      continueGen(generator);
+    // No one wants it, remove it.
+    if (this.edgesIn.size === 0) {
+      return true;
     }
-  }
-  // Reset abortSignal max listeners count.
-  if (abortSignalMaxListeners > oldAbortSignalMaxListeners) {
-    events.setMaxListeners(oldAbortSignalMaxListeners, abortSignal$1);
-  }
-}
-function isArtifactAlertCveFixable(alert) {
-  const {
-    type
-  } = alert;
-  return (type === ALERT_TYPE_CVE || type === ALERT_TYPE_MEDIUM_CVE || type === ALERT_TYPE_MILD_CVE || type === ALERT_TYPE_CRITICAL_CVE) && !!alert.props?.[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1] && !!alert.props?.[CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE];
-}
-function isArtifactAlertUpgradeFixable(alert) {
-  return alert.type === ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE;
-}
-
-const {
-  abortSignal
-} = constants;
-const ERROR_UX = {
-  block: true,
-  display: true
-};
-const IGNORE_UX = {
-  block: false,
-  display: false
-};
-const WARN_UX = {
-  block: false,
-  display: true
-};
-
-// Iterates over all entries with ordered issue rule for deferral.  Iterates over
-// all issue rules and finds the first defined value that does not defer otherwise
-// uses the defaultValue. Takes the value and converts into a UX workflow.
-function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
-  if (defaultValue === true || defaultValue === null || defaultValue === undefined) {
-    defaultValue = {
-      action: 'error'
-    };
-  } else if (defaultValue === false) {
-    defaultValue = {
-      action: 'ignore'
-    };
-  }
-  let block = false;
-  let display = false;
-  let needDefault = true;
-  iterate_entries: for (const rules of orderedRulesCollection) {
-    for (const rule of rules) {
-      if (ruleValueDoesNotDefer(rule)) {
-        needDefault = false;
-        const narrowingFilter = uxForDefinedNonDeferValue(rule);
-        block = block || narrowingFilter.block;
-        display = display || narrowingFilter.display;
-        continue iterate_entries;
-      }
+    const other = this.resolveParent.resolveParent.resolve(this.name);
+    // Nothing else, need this one.
+    if (!other) {
+      return false;
     }
-    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
-    block = block || narrowingFilter.block;
-    display = display || narrowingFilter.display;
-  }
-  if (needDefault) {
-    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
-    block = block || narrowingFilter.block;
-    display = display || narrowingFilter.display;
-  }
-  return {
-    block,
-    display
-  };
-}
-
-// Negative form because it is narrowing the type.
-function ruleValueDoesNotDefer(rule) {
-  if (rule === undefined) {
-    return false;
-  }
-  if (objects.isObject(rule)) {
-    const {
-      action
-    } = rule;
-    if (action === undefined || action === 'defer') {
+    // If it's the same thing, then always fine to remove.
+    if (other.matches(this)) {
+      return true;
+    }
+    // If the other thing can't replace this, then skip it.
+    if (!other.canReplace(this)) {
       return false;
     }
+    // Patch replacing
+    // if (preferDedupe || semver.gte(other.version, this.version)) {
+    //   return true
+    // }
+    // is based on https://github.com/npm/cli/pull/8089.
+    //
+    // If we prefer dedupe, or if the version is equal, take the other.
+    if (preferDedupe || semver.eq(other.version, this.version)) {
+      return true;
+    }
+    // If our current version isn't the result of an override, then prefer to
+    // take the greater version.
+    if (!this.overridden && semver.gt(other.version, this.version)) {
+      return true;
+    }
+    return false;
   }
-  return true;
-}
 
-// Handles booleans for backwards compatibility.
-function uxForDefinedNonDeferValue(ruleValue) {
-  if (typeof ruleValue === 'boolean') {
-    return ruleValue ? ERROR_UX : IGNORE_UX;
-  }
-  const {
-    action
-  } = ruleValue;
-  if (action === 'warn') {
-    return WARN_UX;
-  } else if (action === 'ignore') {
-    return IGNORE_UX;
-  }
-  return ERROR_UX;
-}
-function createAlertUXLookup(settings) {
-  const cachedUX = new Map();
-  return context => {
-    const {
-      type
-    } = context.alert;
-    let ux = cachedUX.get(type);
-    if (ux) {
-      return ux;
+  // Is it safe to replace one node with another?  check the edges to
+  // make sure no one will get upset.  Note that the node might end up
+  // having its own unmet dependencies, if the new node has new deps.
+  // Note that there are cases where Arborist will opt to insert a node
+  // into the tree even though this function returns false!  This is
+  // necessary when a root dependency is added or updated, or when a
+  // root dependency brings peer deps along with it.  In that case, we
+  // will go ahead and create the invalid state, and then try to resolve
+  // it with more tree construction, because it's a user request.
+  canReplaceWith(node, ignorePeers) {
+    if (this.name !== node.name || this.packageName !== node.packageName) {
+      return false;
     }
-    const orderedRulesCollection = [];
-    for (const settingsEntry of settings.entries) {
-      const orderedRules = [];
-      let target = settingsEntry.start;
-      while (target !== null) {
-        const resolvedTarget = settingsEntry.settings[target];
-        if (!resolvedTarget) {
-          break;
+    // Patch replacing
+    // if (node.overrides !== this.overrides) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/8089.
+    //
+    // If this node has no dependencies, then it's irrelevant to check the
+    // override rules of the replacement node.
+    if (this.edgesOut.size) {
+      // XXX need to check for two root nodes?
+      if (node.overrides) {
+        if (!node.overrides.isEqual(this.overrides)) {
+          return false;
         }
-        const issueRuleValue = resolvedTarget.issueRules?.[type];
-        if (typeof issueRuleValue !== 'undefined') {
-          orderedRules.push(issueRuleValue);
+      } else {
+        if (this.overrides) {
+          return false;
         }
-        target = resolvedTarget.deferTo ?? null;
       }
-      orderedRulesCollection.push(orderedRules);
     }
-    const defaultValue = settings.defaults.issueRules[type];
-    let resolvedDefaultValue = {
-      action: 'error'
-    };
-    if (defaultValue === false) {
-      resolvedDefaultValue = {
-        action: 'ignore'
-      };
-    } else if (defaultValue && defaultValue !== true) {
-      resolvedDefaultValue = {
-        action: defaultValue.action ?? 'error'
-      };
+    // To satisfy the patch we ensure `node.overrides === this.overrides`
+    // so that the condition we want to replace,
+    // if (this.overrides !== node.overrides) {
+    // , is not hit.`
+    const oldOverrideSet = this.overrides;
+    let result = true;
+    if (oldOverrideSet !== node.overrides) {
+      this.overrides = node.overrides;
     }
-    ux = resolveAlertRuleUX(orderedRulesCollection, resolvedDefaultValue);
-    cachedUX.set(type, ux);
-    return ux;
-  };
-}
-let _uxLookup;
-async function uxLookup(settings) {
-  while (_uxLookup === undefined) {
-    // eslint-disable-next-line no-await-in-loop
-    await promises.setTimeout(1, {
-      signal: abortSignal
-    });
-  }
-  return _uxLookup(settings);
-}
-
-// Start initializing the AlertUxLookupResult immediately.
-void (async () => {
-  const {
-    orgs,
-    settings
-  } = await (async () => {
     try {
-      const sockSdk = await setupSdk(getPublicToken());
-      const orgResult = await sockSdk.getOrganizations();
-      if (!orgResult.success) {
-        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
-      }
-      const orgs = [];
-      for (const org of Object.values(orgResult.data.organizations)) {
-        if (org) {
-          orgs.push(org);
-        }
-      }
-      const result = await sockSdk.postSettings(orgs.map(org => ({
-        organization: org.id
-      })));
-      if (!result.success) {
-        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
-      }
-      return {
-        orgs,
-        settings: result.data
-      };
+      result = super.canReplaceWith(node, ignorePeers);
+      this.overrides = oldOverrideSet;
     } catch (e) {
-      const cause = objects.isObject(e) && 'cause' in e ? e['cause'] : undefined;
-      if (isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
-        throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
-          cause: e
-        });
-      }
+      this.overrides = oldOverrideSet;
       throw e;
     }
-  })();
-
-  // Remove any organizations not being enforced.
-  const enforcedOrgs = getSetting('enforcedOrgs') ?? [];
-  for (const {
-    0: i,
-    1: org
-  } of orgs.entries()) {
-    if (!enforcedOrgs.includes(org.id)) {
-      settings.entries.splice(i, 1);
-    }
-  }
-  const socketYml = findSocketYmlSync();
-  if (socketYml) {
-    settings.entries.push({
-      start: socketYml.path,
-      settings: {
-        [socketYml.path]: {
-          deferTo: null,
-          // TODO: TypeScript complains about the type not matching. We should
-          // figure out why are providing
-          // issueRules: { [issueName: string]: boolean }
-          // but expecting
-          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
-          issueRules: socketYml.parsed.issueRules
-        }
-      }
-    });
+    return result;
   }
-  _uxLookup = createAlertUXLookup(settings);
-})();
 
-class ColorOrMarkdown {
-  constructor(useMarkdown) {
-    this.useMarkdown = !!useMarkdown;
-  }
-  bold(text) {
-    return this.useMarkdown ? `**${text}**` : colors.bold(`${text}`);
-  }
-  header(text, level = 1) {
-    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : colors.underline(`\n${level === 1 ? colors.bold(text) : text}\n`);
-  }
-  hyperlink(text, url, {
-    fallback = true,
-    fallbackToUrl
-  } = {}) {
-    if (url) {
-      return this.useMarkdown ? `[${text}](${url})` : terminalLink(text, url, {
-        fallback: fallbackToUrl ? (_text, url) => url : fallback
-      });
+  // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/8089.
+  deleteEdgeIn(edge) {
+    this.edgesIn.delete(edge);
+    const {
+      overrides
+    } = edge;
+    if (overrides) {
+      this.updateOverridesEdgeInRemoved(overrides);
     }
-    return text;
-  }
-  indent(...args) {
-    return indentString(...args);
-  }
-  italic(text) {
-    return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`);
-  }
-  json(value) {
-    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
   }
-  list(items) {
-    const indentedContent = items.map(item => this.indent(item).trimStart());
-    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
+  addEdgeIn(edge) {
+    // Patch replacing
+    // if (edge.overrides) {
+    //   this.overrides = edge.overrides
+    // }
+    // is based on https://github.com/npm/cli/pull/8089.
+    //
+    // We need to handle the case where the new edge in has an overrides field
+    // which is different from the current value.
+    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
+      this.updateOverridesEdgeInAdded(edge.overrides);
+    }
+    this.edgesIn.add(edge);
+    // Try to get metadata from the yarn.lock file.
+    this.root.meta?.addEdge(edge);
   }
-}
-
-function getSocketDevAlertUrl(alertType) {
-  return `https://socket.dev/alerts/${alertType}`;
-}
-function getSocketDevPackageOverviewUrl(eco, name, version) {
-  return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`;
-}
 
-const depValid = require(shadowNpmPaths.getArboristDepValidPath());
-
-const {
-  UNDEFINED_TOKEN
-} = constants;
-function tryRequire(req, ...ids) {
-  for (const data of ids) {
-    let id;
-    let transformer;
-    if (Array.isArray(data)) {
-      id = data[0];
-      transformer = data[1];
-    } else {
-      id = data;
-      transformer = mod => mod;
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get overridden() {
+    // Patch replacing
+    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // is based on https://github.com/npm/cli/pull/8089.
+    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
+      return false;
     }
-    try {
-      // Check that the transformed value isn't `undefined` because older
-      // versions of packages like 'proc-log' may not export a `log` method.
-      const exported = transformer(req(id));
-      if (exported !== undefined) {
-        return exported;
+    // The overrides rule is for a package with this name, but some override
+    // rules only apply to specific versions. To make sure this package was
+    // actually overridden, we check whether any edge going in had the rule
+    // applied to it, in which case its overrides set is different than its
+    // source node.
+    for (const edge of this.edgesIn) {
+      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
+        if (!edge.overrides.isEqual(edge.from?.overrides)) {
+          return true;
+        }
       }
-    } catch {}
+    }
+    return false;
   }
-  return undefined;
-}
-let _log = UNDEFINED_TOKEN;
-function getLogger() {
-  if (_log === UNDEFINED_TOKEN) {
-    _log = tryRequire(shadowNpmPaths.getNpmRequire(), ['proc-log/lib/index.js',
-    // The proc-log DefinitelyTyped definition is incorrect. The type definition
-    // is really that of its export log.
-    mod => mod.log], 'npmlog/lib/log.js');
+  set parent(newParent) {
+    // Patch removing
+    // if (parent.overrides) {
+    //   this.overrides = parent.overrides.getNodeRule(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/8089.
+    //
+    // The "parent" setter is a really large and complex function. To satisfy
+    // the patch we hold on to the old overrides value and set `this.overrides`
+    // to `undefined` so that the condition we want to remove is not hit.
+    const {
+      overrides
+    } = this;
+    if (overrides) {
+      this.overrides = undefined;
+    }
+    try {
+      super.parent = newParent;
+      this.overrides = overrides;
+    } catch (e) {
+      this.overrides = overrides;
+      throw e;
+    }
   }
-  return _log;
-}
-
-const OverrideSet = require(shadowNpmPaths.getArboristOverrideSetClassPath());
 
-// Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
-class SafeOverrideSet extends OverrideSet {
-  // Patch adding doOverrideSetsConflict is based on
+  // Patch adding recalculateOutEdgesOverrides is based on
   // https://github.com/npm/cli/pull/8089.
-  static doOverrideSetsConflict(first, second) {
-    // If override sets contain one another then we can try to use the more
-    // specific one. If neither one is more specific, then we consider them to
-    // be in conflict.
-    return this.findSpecificOverrideSet(first, second) === undefined;
+  recalculateOutEdgesOverrides() {
+    // For each edge out propagate the new overrides through.
+    for (const edge of this.edgesOut.values()) {
+      edge.reload(true);
+      if (edge.to) {
+        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+      }
+    }
   }
 
-  // Patch adding findSpecificOverrideSet is based on
-  // https://github.com/npm/cli/pull/8089.
-  static findSpecificOverrideSet(first, second) {
-    for (let overrideSet = second; overrideSet; overrideSet = overrideSet.parent) {
-      if (overrideSet.isEqual(first)) {
-        return second;
-      }
+  // @ts-ignore: Incorrectly typed to accept null.
+  set root(newRoot) {
+    // Patch removing
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    //   this.overrides = this.parent.overrides.getNodeRule(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/8089.
+    //
+    // The "root" setter is a really large and complex function. To satisfy the
+    // patch we add a dummy value to `this.overrides` so that the condition we
+    // want to remove is not hit.
+    if (!this.overrides) {
+      this.overrides = new SafeOverrideSet({
+        overrides: ''
+      });
     }
-    for (let overrideSet = first; overrideSet; overrideSet = overrideSet.parent) {
-      if (overrideSet.isEqual(second)) {
-        return first;
-      }
+    try {
+      super.root = newRoot;
+      this.overrides = undefined;
+    } catch (e) {
+      this.overrides = undefined;
+      throw e;
     }
-    // The override sets are incomparable. Neither one contains the other.
-    const log = getLogger();
-    log?.silly('Conflicting override sets', first, second);
-    return undefined;
   }
 
-  // Patch adding childrenAreEqual is based on
-  // https://github.com/npm/cli/pull/8089.
-  childrenAreEqual(otherOverrideSet) {
-    if (this.children.size !== otherOverrideSet.children.size) {
+  // Patch adding updateOverridesEdgeInAdded is based on
+  // https://github.com/npm/cli/pull/7025.
+  //
+  // This logic isn't perfect either. When we have two edges in that have
+  // different override sets, then we have to decide which set is correct. This
+  // function assumes the more specific override set is applicable, so if we have
+  // dependencies A->B->C and A->C and an override set that specifies what happens
+  // for C under A->B, this will work even if the new A->C edge comes along and
+  // tries to change the override set. The strictly correct logic is not to allow
+  // two edges with different overrides to point to the same node, because even
+  // if this node can satisfy both, one of its dependencies might need to be
+  // different depending on the edge leading to it. However, this might cause a
+  // lot of duplication, because the conflict in the dependencies might never
+  // actually happen.
+  updateOverridesEdgeInAdded(otherOverrideSet) {
+    if (!otherOverrideSet) {
+      // Assuming there are any overrides at all, the overrides field is never
+      // undefined for any node at the end state of the tree. So if the new edge's
+      // overrides is undefined it will be updated later. So we can wait with
+      // updating the node's overrides field.
       return false;
     }
-    for (const {
-      0: key,
-      1: childOverrideSet
-    } of this.children) {
-      const otherChildOverrideSet = otherOverrideSet.children.get(key);
-      if (!otherChildOverrideSet) {
-        return false;
-      }
-      if (childOverrideSet.value !== otherChildOverrideSet.value) {
+    if (!this.overrides) {
+      this.overrides = otherOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    if (this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(this.overrides, otherOverrideSet);
+    if (newOverrideSet) {
+      if (this.overrides.isEqual(newOverrideSet)) {
         return false;
       }
-      if (!childOverrideSet.childrenAreEqual(otherChildOverrideSet)) {
-        return false;
+      this.overrides = newOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    // This is an error condition. We can only get here if the new override set
+    // is in conflict with the existing.
+    const log = getLogger();
+    log?.silly('Conflicting override sets', this.name);
+    return false;
+  }
+
+  // Patch adding updateOverridesEdgeInRemoved is based on
+  // https://github.com/npm/cli/pull/7025.
+  updateOverridesEdgeInRemoved(otherOverrideSet) {
+    // If this edge's overrides isn't equal to this node's overrides,
+    // then removing it won't change newOverrideSet later.
+    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    let newOverrideSet;
+    for (const edge of this.edgesIn) {
+      const {
+        overrides: edgeOverrides
+      } = edge;
+      if (newOverrideSet && edgeOverrides) {
+        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(edgeOverrides, newOverrideSet);
+      } else {
+        newOverrideSet = edgeOverrides;
       }
     }
+    if (this.overrides.isEqual(newOverrideSet)) {
+      return false;
+    }
+    this.overrides = newOverrideSet;
+    if (newOverrideSet) {
+      // Optimization: If there's any override set at all, then no non-extraneous
+      // node has an empty override set. So if we temporarily have no override set
+      // (for example, we removed all the edges in), there's no use updating all
+      // the edges out right now. Let's just wait until we have an actual override
+      // set later.
+      this.recalculateOutEdgesOverrides();
+    }
     return true;
   }
-  getEdgeRule(edge) {
-    for (const rule of this.ruleset.values()) {
-      if (rule.name !== edge.name) {
-        continue;
-      }
-      // If keySpec is * we found our override.
-      if (rule.keySpec === '*') {
-        return rule;
-      }
-      // Patch replacing
-      // let spec = npa(`${edge.name}@${edge.spec}`)
-      // is based on https://github.com/npm/cli/pull/8089.
-      //
-      // We need to use the rawSpec here, because the spec has the overrides
-      // applied to it already. The rawSpec can be undefined, so we need to use
-      // the fallback value of spec if it is.
-      let spec = npa(`${edge.name}@${edge.rawSpec || edge.spec}`);
-      if (spec.type === 'alias') {
-        spec = spec.subSpec;
-      }
-      if (spec.type === 'git') {
-        if (spec.gitRange && semver.intersects(spec.gitRange, rule.keySpec)) {
-          return rule;
+}
+
+const Edge = require(shadowNpmPaths.getArboristEdgeClassPath());
+
+// The Edge class makes heavy use of private properties which subclasses do NOT
+// have access to. So we have to recreate any functionality that relies on those
+// private properties and use our own "safe" prefixed non-conflicting private
+// properties. Implementation code not related to patch https://github.com/npm/cli/pull/8089
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.
+//
+// The npm application
+// Copyright (c) npm, Inc. and Contributors
+// Licensed on the terms of The Artistic License 2.0
+//
+// An edge in the dependency graph.
+// Represents a dependency relationship of some kind.
+class SafeEdge extends Edge {
+  #safeError;
+  #safeExplanation;
+  #safeFrom;
+  #safeTo;
+  constructor(options) {
+    const {
+      from
+    } = options;
+    // Defer to supper to validate options and assign non-private values.
+    super(options);
+    if (from.constructor !== SafeNode) {
+      Reflect.setPrototypeOf(from, SafeNode.prototype);
+    }
+    this.#safeError = null;
+    this.#safeExplanation = null;
+    this.#safeFrom = from;
+    this.#safeTo = null;
+    this.reload(true);
+  }
+  get bundled() {
+    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+  }
+  get error() {
+    if (!this.#safeError) {
+      if (!this.#safeTo) {
+        if (this.optional) {
+          this.#safeError = null;
+        } else {
+          this.#safeError = 'MISSING';
         }
-        continue;
+      } else if (this.peer && this.#safeFrom === this.#safeTo.parent &&
+      // Patch adding "?." use based on
+      // https://github.com/npm/cli/pull/8089.
+      !this.#safeFrom?.isTop) {
+        this.#safeError = 'PEER LOCAL';
+      } else if (!this.satisfiedBy(this.#safeTo)) {
+        this.#safeError = 'INVALID';
       }
-      if (spec.type === 'range' || spec.type === 'version') {
-        if (semver.intersects(spec.fetchSpec, rule.keySpec)) {
-          return rule;
-        }
-        continue;
+      // Patch adding "else if" condition is based on
+      // https://github.com/npm/cli/pull/8089.
+      else if (this.overrides && this.#safeTo.edgesOut.size && SafeOverrideSet.doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
+        // Any inconsistency between the edge's override set and the target's
+        // override set is potentially problematic. But we only say the edge is
+        // in error if the override sets are plainly conflicting. Note that if
+        // the target doesn't have any dependencies of their own, then this
+        // inconsistency is irrelevant.
+        this.#safeError = 'INVALID';
+      } else {
+        this.#safeError = 'OK';
       }
-      // If we got this far, the spec type is one of tag, directory or file
-      // which means we have no real way to make version comparisons, so we
-      // just accept the override.
-      return rule;
-    }
-    return this;
-  }
-
-  // Patch adding isEqual is based on
-  // https://github.com/npm/cli/pull/8089.
-  isEqual(otherOverrideSet) {
-    if (this === otherOverrideSet) {
-      return true;
-    }
-    if (!otherOverrideSet) {
-      return false;
-    }
-    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
-      return false;
-    }
-    if (!this.childrenAreEqual(otherOverrideSet)) {
-      return false;
     }
-    if (!this.parent) {
-      return !otherOverrideSet.parent;
+    if (this.#safeError === 'OK') {
+      return null;
     }
-    return this.parent.isEqual(otherOverrideSet.parent);
+    return this.#safeError;
   }
-}
 
-const Node = require(shadowNpmPaths.getArboristNodeClassPath());
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get from() {
+    return this.#safeFrom;
+  }
 
-// Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
-class SafeNode extends Node {
-  // Return true if it's safe to remove this node, because anything that is
-  // depending on it would be fine with the thing that they would resolve to if
-  // it was removed, or nothing is depending on it in the first place.
-  canDedupe(preferDedupe = false) {
-    // Not allowed to mess with shrinkwraps or bundles.
-    if (this.inDepBundle || this.inShrinkwrap) {
-      return false;
-    }
-    // It's a top level pkg, or a dep of one.
-    if (!this.resolveParent?.resolveParent) {
-      return false;
-    }
-    // No one wants it, remove it.
-    if (this.edgesIn.size === 0) {
-      return true;
-    }
-    const other = this.resolveParent.resolveParent.resolve(this.name);
-    // Nothing else, need this one.
-    if (!other) {
-      return false;
-    }
-    // If it's the same thing, then always fine to remove.
-    if (other.matches(this)) {
-      return true;
-    }
-    // If the other thing can't replace this, then skip it.
-    if (!other.canReplace(this)) {
-      return false;
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get spec() {
+    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
+      if (this.overrides.value.startsWith('$')) {
+        const ref = this.overrides.value.slice(1);
+        // We may be a virtual root, if we are we want to resolve reference
+        // overrides from the real root, not the virtual one.
+        //
+        // Patch adding "?." use based on
+        // https://github.com/npm/cli/pull/8089.
+        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom?.sourceReference.root.package : this.#safeFrom?.root?.package;
+        if (pkg?.devDependencies?.[ref]) {
+          return pkg.devDependencies[ref];
+        }
+        if (pkg?.optionalDependencies?.[ref]) {
+          return pkg.optionalDependencies[ref];
+        }
+        if (pkg?.dependencies?.[ref]) {
+          return pkg.dependencies[ref];
+        }
+        if (pkg?.peerDependencies?.[ref]) {
+          return pkg.peerDependencies[ref];
+        }
+        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
+      }
+      return this.overrides.value;
     }
+    return this.rawSpec;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get to() {
+    return this.#safeTo;
+  }
+  detach() {
+    this.#safeExplanation = null;
     // Patch replacing
-    // if (preferDedupe || semver.gte(other.version, this.version)) {
-    //   return true
+    // if (this.#to) {
+    //   this.#to.edgesIn.delete(this)
     // }
+    // this.#from.edgesOut.delete(this.#name)
     // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // If we prefer dedupe, or if the version is equal, take the other.
-    if (preferDedupe || semver.eq(other.version, this.version)) {
-      return true;
-    }
-    // If our current version isn't the result of an override, then prefer to
-    // take the greater version.
-    if (!this.overridden && semver.gt(other.version, this.version)) {
-      return true;
-    }
-    return false;
+    this.#safeTo?.deleteEdgeIn(this);
+    this.#safeFrom?.edgesOut.delete(this.name);
+    this.#safeTo = null;
+    this.#safeError = 'DETACHED';
+    this.#safeFrom = null;
   }
 
-  // Is it safe to replace one node with another?  check the edges to
-  // make sure no one will get upset.  Note that the node might end up
-  // having its own unmet dependencies, if the new node has new deps.
-  // Note that there are cases where Arborist will opt to insert a node
-  // into the tree even though this function returns false!  This is
-  // necessary when a root dependency is added or updated, or when a
-  // root dependency brings peer deps along with it.  In that case, we
-  // will go ahead and create the invalid state, and then try to resolve
-  // it with more tree construction, because it's a user request.
-  canReplaceWith(node, ignorePeers) {
-    if (this.name !== node.name || this.packageName !== node.packageName) {
-      return false;
+  // Return the edge data, and an explanation of how that edge came to be here.
+  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
+  explain() {
+    if (!this.#safeExplanation) {
+      const explanation = {
+        type: this.type,
+        name: this.name,
+        spec: this.spec,
+        bundled: false,
+        overridden: false,
+        error: undefined,
+        from: undefined,
+        rawSpec: undefined
+      };
+      if (this.rawSpec !== this.spec) {
+        explanation.rawSpec = this.rawSpec;
+        explanation.overridden = true;
+      }
+      if (this.bundled) {
+        explanation.bundled = this.bundled;
+      }
+      if (this.error) {
+        explanation.error = this.error;
+      }
+      if (this.#safeFrom) {
+        explanation.from = this.#safeFrom.explain();
+      }
+      this.#safeExplanation = explanation;
     }
+    return this.#safeExplanation;
+  }
+  reload(hard = false) {
+    this.#safeExplanation = null;
     // Patch replacing
-    // if (node.overrides !== this.overrides) {
-    //   return false
-    // }
+    // if (this.#from.overrides) {
     // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // If this node has no dependencies, then it's irrelevant to check the
-    // override rules of the replacement node.
-    if (this.edgesOut.size) {
-      // XXX need to check for two root nodes?
-      if (node.overrides) {
-        if (!node.overrides.isEqual(this.overrides)) {
-          return false;
-        }
-      } else {
-        if (this.overrides) {
-          return false;
-        }
+    let needToUpdateOverrideSet = false;
+    let newOverrideSet;
+    let oldOverrideSet;
+    if (this.#safeFrom?.overrides) {
+      newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
+      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
+        // If there's a new different override set we need to propagate it to
+        // the nodes. If we're deleting the override set then there's no point
+        // propagating it right now since it will be filled with another value
+        // later.
+        needToUpdateOverrideSet = true;
+        oldOverrideSet = this.overrides;
+        this.overrides = newOverrideSet;
       }
+    } else {
+      this.overrides = undefined;
     }
-    // To satisfy the patch we ensure `node.overrides === this.overrides`
-    // so that the condition we want to replace,
-    // if (this.overrides !== node.overrides) {
-    // , is not hit.`
-    const oldOverrideSet = this.overrides;
-    let result = true;
-    if (oldOverrideSet !== node.overrides) {
-      this.overrides = node.overrides;
-    }
-    try {
-      result = super.canReplaceWith(node, ignorePeers);
-      this.overrides = oldOverrideSet;
-    } catch (e) {
-      this.overrides = oldOverrideSet;
-      throw e;
-    }
-    return result;
-  }
-
-  // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/8089.
-  deleteEdgeIn(edge) {
-    this.edgesIn.delete(edge);
-    const {
-      overrides
-    } = edge;
-    if (overrides) {
-      this.updateOverridesEdgeInRemoved(overrides);
+    // Patch adding "?." use based on
+    // https://github.com/npm/cli/pull/8089.
+    const newTo = this.#safeFrom?.resolve(this.name);
+    if (newTo !== this.#safeTo) {
+      // Patch replacing
+      // this.#to.edgesIn.delete(this)
+      // is based on https://github.com/npm/cli/pull/8089.
+      this.#safeTo?.deleteEdgeIn(this);
+      this.#safeTo = newTo ?? null;
+      this.#safeError = null;
+      this.#safeTo?.addEdgeIn(this);
+    } else if (hard) {
+      this.#safeError = null;
+    }
+    // Patch adding "else if" condition based on
+    // https://github.com/npm/cli/pull/8089.
+    else if (needToUpdateOverrideSet && this.#safeTo) {
+      // Propagate the new override set to the target node.
+      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
+      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
     }
   }
-  addEdgeIn(edge) {
+  satisfiedBy(node) {
     // Patch replacing
-    // if (edge.overrides) {
-    //   this.overrides = edge.overrides
+    // if (node.name !== this.#name) {
+    //   return false
     // }
     // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // We need to handle the case where the new edge in has an overrides field
-    // which is different from the current value.
-    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
-      this.updateOverridesEdgeInAdded(edge.overrides);
+    if (node.name !== this.name || !this.#safeFrom) {
+      return false;
+    }
+    // NOTE: this condition means we explicitly do not support overriding
+    // bundled or shrinkwrapped dependencies
+    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+      return depValid(node, this.rawSpec, this.accept, this.#safeFrom);
     }
-    this.edgesIn.add(edge);
-    // Try to get metadata from the yarn.lock file.
-    this.root.meta?.addEdge(edge);
-  }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get overridden() {
     // Patch replacing
-    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // return depValid(node, this.spec, this.#accept, this.#from)
     // is based on https://github.com/npm/cli/pull/8089.
-    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
+    //
+    // If there's no override we just use the spec.
+    if (!this.overrides?.keySpec) {
+      return depValid(node, this.spec, this.accept, this.#safeFrom);
+    }
+    // There's some override. If the target node satisfies the overriding spec
+    // then it's okay.
+    if (depValid(node, this.spec, this.accept, this.#safeFrom)) {
+      return true;
+    }
+    // If it doesn't, then it should at least satisfy the original spec.
+    if (!depValid(node, this.rawSpec, this.accept, this.#safeFrom)) {
       return false;
     }
-    // The overrides rule is for a package with this name, but some override
-    // rules only apply to specific versions. To make sure this package was
-    // actually overridden, we check whether any edge going in had the rule
-    // applied to it, in which case its overrides set is different than its
-    // source node.
-    for (const edge of this.edgesIn) {
-      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
-        if (!edge.overrides.isEqual(edge.from?.overrides)) {
-          return true;
-        }
+    // It satisfies the original spec, not the overriding spec. We need to make
+    // sure it doesn't use the overridden spec.
+    // For example:
+    //   we might have an ^8.0.0 rawSpec, and an override that makes
+    //   keySpec=8.23.0 and the override value spec=9.0.0.
+    //   If the node is 9.0.0, then it's okay because it's consistent with spec.
+    //   If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
+    //   If the node is 8.23.0, then it's not okay because even though it's consistent
+    //   with the rawSpec, it's also consistent with the keySpec.
+    //   So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
+    return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom);
+  }
+}
+
+const {
+  ALERT_TYPE_CRITICAL_CVE,
+  ALERT_TYPE_CVE,
+  ALERT_TYPE_MEDIUM_CVE,
+  ALERT_TYPE_MILD_CVE,
+  ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE,
+  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER: CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1,
+  CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE,
+  abortSignal: abortSignal$1
+} = constants;
+async function* createBatchGenerator(chunk) {
+  // Adds the first 'abort' listener to abortSignal.
+  const req = https
+  // Lazily access constants.BATCH_PURL_ENDPOINT.
+  .request(constants.BATCH_PURL_ENDPOINT, {
+    method: 'POST',
+    headers: {
+      Authorization: `Basic ${btoa(`${getPublicToken()}:`)}`
+    }
+    // TODO: Fix to not abort process on network abort.
+    // signal: abortSignal
+  }).end(JSON.stringify({
+    components: chunk.map(id => ({
+      purl: `pkg:npm/${id}`
+    }))
+  }));
+  // Adds the second 'abort' listener to abortSignal.
+  const {
+    0: res
+  } = await events.once(req, 'response', {
+    signal: abortSignal$1
+  });
+  const ok = res.statusCode >= 200 && res.statusCode <= 299;
+  if (!ok) {
+    throw new Error(`Socket API Error: ${res.statusCode}`);
+  }
+  const rli = readline.createInterface({
+    input: res,
+    crlfDelay: Infinity,
+    signal: abortSignal$1
+  });
+  for await (const line of rli) {
+    yield JSON.parse(line);
+  }
+}
+async function* batchScan(pkgIds, concurrencyLimit = 50) {
+  // The createBatchGenerator method will add 2 'abort' event listeners to
+  // abortSignal so we multiply the concurrencyLimit by 2.
+  const neededMaxListeners = concurrencyLimit * 2;
+  // Increase abortSignal max listeners count to avoid Node's MaxListenersExceededWarning.
+  const oldAbortSignalMaxListeners = events.getMaxListeners(abortSignal$1);
+  let abortSignalMaxListeners = oldAbortSignalMaxListeners;
+  if (oldAbortSignalMaxListeners < neededMaxListeners) {
+    abortSignalMaxListeners = oldAbortSignalMaxListeners + neededMaxListeners;
+    events.setMaxListeners(abortSignalMaxListeners, abortSignal$1);
+  }
+  const {
+    length: pkgIdsCount
+  } = pkgIds;
+  const running = [];
+  let index = 0;
+  const enqueueGen = () => {
+    if (index >= pkgIdsCount) {
+      // No more work to do.
+      return;
+    }
+    const chunk = pkgIds.slice(index, index + 25);
+    index += 25;
+    const generator = createBatchGenerator(chunk);
+    continueGen(generator);
+  };
+  const continueGen = generator => {
+    let resolveFn;
+    running.push({
+      generator,
+      promise: new Promise(resolve => resolveFn = resolve)
+    });
+    void generator.next().then(res => resolveFn({
+      generator,
+      iteratorResult: res
+    }));
+  };
+  // Start initial batch of generators.
+  while (running.length < concurrencyLimit && index < pkgIdsCount) {
+    enqueueGen();
+  }
+  while (running.length > 0) {
+    // eslint-disable-next-line no-await-in-loop
+    const {
+      generator,
+      iteratorResult
+    } = await Promise.race(running.map(entry => entry.promise));
+    // Remove generator.
+    running.splice(running.findIndex(entry => entry.generator === generator), 1);
+    if (iteratorResult.done) {
+      // Start a new generator if available.
+      enqueueGen();
+    } else {
+      yield iteratorResult.value;
+      // Keep fetching values from this generator.
+      continueGen(generator);
+    }
+  }
+  // Reset abortSignal max listeners count.
+  if (abortSignalMaxListeners > oldAbortSignalMaxListeners) {
+    events.setMaxListeners(oldAbortSignalMaxListeners, abortSignal$1);
+  }
+}
+function isArtifactAlertCve(alert) {
+  const {
+    type
+  } = alert;
+  return type === ALERT_TYPE_CVE || type === ALERT_TYPE_MEDIUM_CVE || type === ALERT_TYPE_MILD_CVE || type === ALERT_TYPE_CRITICAL_CVE;
+}
+function isArtifactAlertCveFixable(alert) {
+  if (!isArtifactAlertCve(alert)) {
+    return false;
+  }
+  const {
+    props
+  } = alert;
+  return !!props?.[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER$1] && !!props?.[CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE];
+}
+function isArtifactAlertUpgrade(alert) {
+  return alert.type === ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE;
+}
+
+const {
+  abortSignal
+} = constants;
+const ERROR_UX = {
+  block: true,
+  display: true
+};
+const IGNORE_UX = {
+  block: false,
+  display: false
+};
+const WARN_UX = {
+  block: false,
+  display: true
+};
+
+// Iterates over all entries with ordered issue rule for deferral.  Iterates over
+// all issue rules and finds the first defined value that does not defer otherwise
+// uses the defaultValue. Takes the value and converts into a UX workflow.
+function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
+  if (defaultValue === true || defaultValue === null || defaultValue === undefined) {
+    defaultValue = {
+      action: 'error'
+    };
+  } else if (defaultValue === false) {
+    defaultValue = {
+      action: 'ignore'
+    };
+  }
+  let block = false;
+  let display = false;
+  let needDefault = true;
+  iterate_entries: for (const rules of orderedRulesCollection) {
+    for (const rule of rules) {
+      if (ruleValueDoesNotDefer(rule)) {
+        needDefault = false;
+        const narrowingFilter = uxForDefinedNonDeferValue(rule);
+        block = block || narrowingFilter.block;
+        display = display || narrowingFilter.display;
+        continue iterate_entries;
       }
     }
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
+    block = block || narrowingFilter.block;
+    display = display || narrowingFilter.display;
+  }
+  if (needDefault) {
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
+    block = block || narrowingFilter.block;
+    display = display || narrowingFilter.display;
+  }
+  return {
+    block,
+    display
+  };
+}
+
+// Negative form because it is narrowing the type.
+function ruleValueDoesNotDefer(rule) {
+  if (rule === undefined) {
     return false;
   }
-  set parent(newParent) {
-    // Patch removing
-    // if (parent.overrides) {
-    //   this.overrides = parent.overrides.getNodeRule(this)
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // The "parent" setter is a really large and complex function. To satisfy
-    // the patch we hold on to the old overrides value and set `this.overrides`
-    // to `undefined` so that the condition we want to remove is not hit.
+  if (objects.isObject(rule)) {
     const {
-      overrides
-    } = this;
-    if (overrides) {
-      this.overrides = undefined;
-    }
-    try {
-      super.parent = newParent;
-      this.overrides = overrides;
-    } catch (e) {
-      this.overrides = overrides;
-      throw e;
+      action
+    } = rule;
+    if (action === undefined || action === 'defer') {
+      return false;
     }
   }
+  return true;
+}
 
-  // Patch adding recalculateOutEdgesOverrides is based on
-  // https://github.com/npm/cli/pull/8089.
-  recalculateOutEdgesOverrides() {
-    // For each edge out propagate the new overrides through.
-    for (const edge of this.edgesOut.values()) {
-      edge.reload(true);
-      if (edge.to) {
-        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+// Handles booleans for backwards compatibility.
+function uxForDefinedNonDeferValue(ruleValue) {
+  if (typeof ruleValue === 'boolean') {
+    return ruleValue ? ERROR_UX : IGNORE_UX;
+  }
+  const {
+    action
+  } = ruleValue;
+  if (action === 'warn') {
+    return WARN_UX;
+  } else if (action === 'ignore') {
+    return IGNORE_UX;
+  }
+  return ERROR_UX;
+}
+function createAlertUXLookup(settings) {
+  const cachedUX = new Map();
+  return context => {
+    const {
+      type
+    } = context.alert;
+    let ux = cachedUX.get(type);
+    if (ux) {
+      return ux;
+    }
+    const orderedRulesCollection = [];
+    for (const settingsEntry of settings.entries) {
+      const orderedRules = [];
+      let target = settingsEntry.start;
+      while (target !== null) {
+        const resolvedTarget = settingsEntry.settings[target];
+        if (!resolvedTarget) {
+          break;
+        }
+        const issueRuleValue = resolvedTarget.issueRules?.[type];
+        if (typeof issueRuleValue !== 'undefined') {
+          orderedRules.push(issueRuleValue);
+        }
+        target = resolvedTarget.deferTo ?? null;
       }
+      orderedRulesCollection.push(orderedRules);
+    }
+    const defaultValue = settings.defaults.issueRules[type];
+    let resolvedDefaultValue = {
+      action: 'error'
+    };
+    if (defaultValue === false) {
+      resolvedDefaultValue = {
+        action: 'ignore'
+      };
+    } else if (defaultValue && defaultValue !== true) {
+      resolvedDefaultValue = {
+        action: defaultValue.action ?? 'error'
+      };
     }
+    ux = resolveAlertRuleUX(orderedRulesCollection, resolvedDefaultValue);
+    cachedUX.set(type, ux);
+    return ux;
+  };
+}
+let _uxLookup;
+async function uxLookup(settings) {
+  while (_uxLookup === undefined) {
+    // eslint-disable-next-line no-await-in-loop
+    await promises.setTimeout(1, {
+      signal: abortSignal
+    });
   }
+  return _uxLookup(settings);
+}
 
-  // @ts-ignore: Incorrectly typed to accept null.
-  set root(newRoot) {
-    // Patch removing
-    // if (!this.overrides && this.parent && this.parent.overrides) {
-    //   this.overrides = this.parent.overrides.getNodeRule(this)
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // The "root" setter is a really large and complex function. To satisfy the
-    // patch we add a dummy value to `this.overrides` so that the condition we
-    // want to remove is not hit.
-    if (!this.overrides) {
-      this.overrides = new SafeOverrideSet({
-        overrides: ''
-      });
-    }
+// Start initializing the AlertUxLookupResult immediately.
+void (async () => {
+  const {
+    orgs,
+    settings
+  } = await (async () => {
     try {
-      super.root = newRoot;
-      this.overrides = undefined;
+      const sockSdk = await setupSdk(getPublicToken());
+      const orgResult = await sockSdk.getOrganizations();
+      if (!orgResult.success) {
+        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
+      }
+      const orgs = [];
+      for (const org of Object.values(orgResult.data.organizations)) {
+        if (org) {
+          orgs.push(org);
+        }
+      }
+      const result = await sockSdk.postSettings(orgs.map(org => ({
+        organization: org.id
+      })));
+      if (!result.success) {
+        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
+      }
+      return {
+        orgs,
+        settings: result.data
+      };
     } catch (e) {
-      this.overrides = undefined;
+      const cause = objects.isObject(e) && 'cause' in e ? e['cause'] : undefined;
+      if (isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
+        throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
+          cause: e
+        });
+      }
       throw e;
     }
-  }
+  })();
 
-  // Patch adding updateOverridesEdgeInAdded is based on
-  // https://github.com/npm/cli/pull/7025.
-  //
-  // This logic isn't perfect either. When we have two edges in that have
-  // different override sets, then we have to decide which set is correct. This
-  // function assumes the more specific override set is applicable, so if we have
-  // dependencies A->B->C and A->C and an override set that specifies what happens
-  // for C under A->B, this will work even if the new A->C edge comes along and
-  // tries to change the override set. The strictly correct logic is not to allow
-  // two edges with different overrides to point to the same node, because even
-  // if this node can satisfy both, one of its dependencies might need to be
-  // different depending on the edge leading to it. However, this might cause a
-  // lot of duplication, because the conflict in the dependencies might never
-  // actually happen.
-  updateOverridesEdgeInAdded(otherOverrideSet) {
-    if (!otherOverrideSet) {
-      // Assuming there are any overrides at all, the overrides field is never
-      // undefined for any node at the end state of the tree. So if the new edge's
-      // overrides is undefined it will be updated later. So we can wait with
-      // updating the node's overrides field.
-      return false;
-    }
-    if (!this.overrides) {
-      this.overrides = otherOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
-    }
-    if (this.overrides.isEqual(otherOverrideSet)) {
-      return false;
-    }
-    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(this.overrides, otherOverrideSet);
-    if (newOverrideSet) {
-      if (this.overrides.isEqual(newOverrideSet)) {
-        return false;
-      }
-      this.overrides = newOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
+  // Remove any organizations not being enforced.
+  const enforcedOrgs = getSetting('enforcedOrgs') ?? [];
+  for (const {
+    0: i,
+    1: org
+  } of orgs.entries()) {
+    if (!enforcedOrgs.includes(org.id)) {
+      settings.entries.splice(i, 1);
     }
-    // This is an error condition. We can only get here if the new override set
-    // is in conflict with the existing.
-    const log = getLogger();
-    log?.silly('Conflicting override sets', this.name);
-    return false;
   }
-
-  // Patch adding updateOverridesEdgeInRemoved is based on
-  // https://github.com/npm/cli/pull/7025.
-  updateOverridesEdgeInRemoved(otherOverrideSet) {
-    // If this edge's overrides isn't equal to this node's overrides,
-    // then removing it won't change newOverrideSet later.
-    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
-      return false;
-    }
-    let newOverrideSet;
-    for (const edge of this.edgesIn) {
-      const {
-        overrides: edgeOverrides
-      } = edge;
-      if (newOverrideSet && edgeOverrides) {
-        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(edgeOverrides, newOverrideSet);
-      } else {
-        newOverrideSet = edgeOverrides;
-      }
-    }
-    if (this.overrides.isEqual(newOverrideSet)) {
-      return false;
-    }
-    this.overrides = newOverrideSet;
-    if (newOverrideSet) {
-      // Optimization: If there's any override set at all, then no non-extraneous
-      // node has an empty override set. So if we temporarily have no override set
-      // (for example, we removed all the edges in), there's no use updating all
-      // the edges out right now. Let's just wait until we have an actual override
-      // set later.
-      this.recalculateOutEdgesOverrides();
-    }
-    return true;
+  const socketYml = findSocketYmlSync();
+  if (socketYml) {
+    settings.entries.push({
+      start: socketYml.path,
+      settings: {
+        [socketYml.path]: {
+          deferTo: null,
+          // TODO: TypeScript complains about the type not matching. We should
+          // figure out why are providing
+          // issueRules: { [issueName: string]: boolean }
+          // but expecting
+          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
+          issueRules: socketYml.parsed.issueRules
+        }
+      }
+    });
+  }
+  _uxLookup = createAlertUXLookup(settings);
+})();
+
+function pick(input, keys) {
+  const result = {};
+  for (const key of keys) {
+    result[key] = input[key];
   }
+  return result;
 }
 
-const Edge = require(shadowNpmPaths.getArboristEdgeClassPath());
+function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
+  const values = list.filter(Boolean);
+  const {
+    length
+  } = values;
+  if (!length) {
+    return '';
+  }
+  if (length === 1) {
+    return values[0];
+  }
+  const finalValue = values.pop();
+  return `${values.join(', ')}${separator}${finalValue}`;
+}
 
-// The Edge class makes heavy use of private properties which subclasses do NOT
-// have access to. So we have to recreate any functionality that relies on those
-// private properties and use our own "safe" prefixed non-conflicting private
-// properties. Implementation code not related to patch https://github.com/npm/cli/pull/8089
-// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.
-//
-// The npm application
-// Copyright (c) npm, Inc. and Contributors
-// Licensed on the terms of The Artistic License 2.0
-//
-// An edge in the dependency graph.
-// Represents a dependency relationship of some kind.
-class SafeEdge extends Edge {
-  #safeError;
-  #safeExplanation;
-  #safeFrom;
-  #safeTo;
-  constructor(options) {
-    const {
-      from
-    } = options;
-    // Defer to supper to validate options and assign non-private values.
-    super(options);
-    if (from.constructor !== SafeNode) {
-      Reflect.setPrototypeOf(from, SafeNode.prototype);
+let SEVERITY = /*#__PURE__*/function (SEVERITY) {
+  SEVERITY["critical"] = "critical";
+  SEVERITY["high"] = "high";
+  SEVERITY["middle"] = "middle";
+  SEVERITY["low"] = "low";
+  return SEVERITY;
+}({});
+
+// Ordered from most severe to least.
+const SEVERITIES_BY_ORDER = ['critical', 'high', 'middle', 'low'];
+function getDesiredSeverities(lowestToInclude) {
+  const result = [];
+  for (const severity of SEVERITIES_BY_ORDER) {
+    result.push(severity);
+    if (severity === lowestToInclude) {
+      break;
     }
-    this.#safeError = null;
-    this.#safeExplanation = null;
-    this.#safeFrom = from;
-    this.#safeTo = null;
-    this.reload(true);
   }
-  get bundled() {
-    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+  return result;
+}
+function formatSeverityCount(severityCount) {
+  const summary = [];
+  for (const severity of SEVERITIES_BY_ORDER) {
+    if (severityCount[severity]) {
+      summary.push(`${severityCount[severity]} ${severity}`);
+    }
   }
-  get error() {
-    if (!this.#safeError) {
-      if (!this.#safeTo) {
-        if (this.optional) {
-          this.#safeError = null;
-        } else {
-          this.#safeError = 'MISSING';
-        }
-      } else if (this.peer && this.#safeFrom === this.#safeTo.parent &&
-      // Patch adding "?." use based on
-      // https://github.com/npm/cli/pull/8089.
-      !this.#safeFrom?.isTop) {
-        this.#safeError = 'PEER LOCAL';
-      } else if (!this.satisfiedBy(this.#safeTo)) {
-        this.#safeError = 'INVALID';
-      }
-      // Patch adding "else if" condition is based on
-      // https://github.com/npm/cli/pull/8089.
-      else if (this.overrides && this.#safeTo.edgesOut.size && SafeOverrideSet.doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
-        // Any inconsistency between the edge's override set and the target's
-        // override set is potentially problematic. But we only say the edge is
-        // in error if the override sets are plainly conflicting. Note that if
-        // the target doesn't have any dependencies of their own, then this
-        // inconsistency is irrelevant.
-        this.#safeError = 'INVALID';
-      } else {
-        this.#safeError = 'OK';
-      }
+  return stringJoinWithSeparateFinalSeparator(summary);
+}
+function getSeverityCount(issues, lowestToInclude) {
+  const severityCount = pick({
+    low: 0,
+    middle: 0,
+    high: 0,
+    critical: 0
+  }, getDesiredSeverities(lowestToInclude));
+  for (const issue of issues) {
+    const {
+      value
+    } = issue;
+    if (!value) {
+      continue;
     }
-    if (this.#safeError === 'OK') {
-      return null;
+    if (severityCount[value.severity] !== undefined) {
+      severityCount[value.severity] += 1;
     }
-    return this.#safeError;
   }
+  return severityCount;
+}
 
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get from() {
-    return this.#safeFrom;
+class ColorOrMarkdown {
+  constructor(useMarkdown) {
+    this.useMarkdown = !!useMarkdown;
   }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get spec() {
-    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
-      if (this.overrides.value.startsWith('$')) {
-        const ref = this.overrides.value.slice(1);
-        // We may be a virtual root, if we are we want to resolve reference
-        // overrides from the real root, not the virtual one.
-        //
-        // Patch adding "?." use based on
-        // https://github.com/npm/cli/pull/8089.
-        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom?.sourceReference.root.package : this.#safeFrom?.root?.package;
-        if (pkg?.devDependencies?.[ref]) {
-          return pkg.devDependencies[ref];
-        }
-        if (pkg?.optionalDependencies?.[ref]) {
-          return pkg.optionalDependencies[ref];
-        }
-        if (pkg?.dependencies?.[ref]) {
-          return pkg.dependencies[ref];
-        }
-        if (pkg?.peerDependencies?.[ref]) {
-          return pkg.peerDependencies[ref];
-        }
-        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
-      }
-      return this.overrides.value;
+  bold(text) {
+    return this.useMarkdown ? `**${text}**` : colors.bold(`${text}`);
+  }
+  header(text, level = 1) {
+    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : colors.underline(`\n${level === 1 ? colors.bold(text) : text}\n`);
+  }
+  hyperlink(text, url, {
+    fallback = true,
+    fallbackToUrl
+  } = {}) {
+    if (url) {
+      return this.useMarkdown ? `[${text}](${url})` : terminalLink(text, url, {
+        fallback: fallbackToUrl ? (_text, url) => url : fallback
+      });
     }
-    return this.rawSpec;
+    return text;
   }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get to() {
-    return this.#safeTo;
+  indent(...args) {
+    return indentString(...args);
   }
-  detach() {
-    this.#safeExplanation = null;
-    // Patch replacing
-    // if (this.#to) {
-    //   this.#to.edgesIn.delete(this)
-    // }
-    // this.#from.edgesOut.delete(this.#name)
-    // is based on https://github.com/npm/cli/pull/8089.
-    this.#safeTo?.deleteEdgeIn(this);
-    this.#safeFrom?.edgesOut.delete(this.name);
-    this.#safeTo = null;
-    this.#safeError = 'DETACHED';
-    this.#safeFrom = null;
+  italic(text) {
+    return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`);
+  }
+  json(value) {
+    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
+  }
+  list(items) {
+    const indentedContent = items.map(item => this.indent(item).trimStart());
+    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
   }
+}
 
-  // Return the edge data, and an explanation of how that edge came to be here.
-  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
-  explain() {
-    if (!this.#safeExplanation) {
-      const explanation = {
-        type: this.type,
-        name: this.name,
-        spec: this.spec,
-        bundled: false,
-        overridden: false,
-        error: undefined,
-        from: undefined,
-        rawSpec: undefined
-      };
-      if (this.rawSpec !== this.spec) {
-        explanation.rawSpec = this.rawSpec;
-        explanation.overridden = true;
-      }
-      if (this.bundled) {
-        explanation.bundled = this.bundled;
-      }
-      if (this.error) {
-        explanation.error = this.error;
-      }
-      if (this.#safeFrom) {
-        explanation.from = this.#safeFrom.explain();
-      }
-      this.#safeExplanation = explanation;
-    }
-    return this.#safeExplanation;
+function getSocketDevAlertUrl(alertType) {
+  return `https://socket.dev/alerts/${alertType}`;
+}
+function getSocketDevPackageOverviewUrl(eco, name, version) {
+  return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`;
+}
+
+let _translations;
+function getTranslations() {
+  if (_translations === undefined) {
+    _translations = require(
+    // Lazily access constants.rootPath.
+    path.join(constants.rootPath, 'translations.json'));
   }
-  reload(hard = false) {
-    this.#safeExplanation = null;
-    // Patch replacing
-    // if (this.#from.overrides) {
-    // is based on https://github.com/npm/cli/pull/8089.
-    let needToUpdateOverrideSet = false;
-    let newOverrideSet;
-    let oldOverrideSet;
-    if (this.#safeFrom?.overrides) {
-      newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
-      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
-        // If there's a new different override set we need to propagate it to
-        // the nodes. If we're deleting the override set then there's no point
-        // propagating it right now since it will be filled with another value
-        // later.
-        needToUpdateOverrideSet = true;
-        oldOverrideSet = this.overrides;
-        this.overrides = newOverrideSet;
-      }
-    } else {
-      this.overrides = undefined;
-    }
-    // Patch adding "?." use based on
-    // https://github.com/npm/cli/pull/8089.
-    const newTo = this.#safeFrom?.resolve(this.name);
-    if (newTo !== this.#safeTo) {
-      // Patch replacing
-      // this.#to.edgesIn.delete(this)
-      // is based on https://github.com/npm/cli/pull/8089.
-      this.#safeTo?.deleteEdgeIn(this);
-      this.#safeTo = newTo ?? null;
-      this.#safeError = null;
-      this.#safeTo?.addEdgeIn(this);
-    } else if (hard) {
-      this.#safeError = null;
-    }
-    // Patch adding "else if" condition based on
-    // https://github.com/npm/cli/pull/8089.
-    else if (needToUpdateOverrideSet && this.#safeTo) {
-      // Propagate the new override set to the target node.
-      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
-      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
+  return _translations;
+}
+
+const {
+  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
+  NPM: NPM$1
+} = constants;
+const format = new ColorOrMarkdown(false);
+async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
+  // Make TypeScript happy.
+  if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
+    return;
+  }
+  const {
+    consolidate = false,
+    include: _include,
+    overrides
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const include = {
+    __proto__: null,
+    critical: true,
+    cve: true,
+    unfixable: true,
+    upgrade: false,
+    ..._include
+  };
+  const name = packages.resolvePackageName(artifact);
+  const {
+    version
+  } = artifact;
+  const pkgId = `${name}@${version}`;
+  const major = semver.major(version);
+  let sockPkgAlerts = [];
+  for (const alert of artifact.alerts) {
+    // eslint-disable-next-line no-await-in-loop
+    const ux = await uxLookup({
+      package: {
+        name,
+        version
+      },
+      alert: {
+        type: alert.type
+      }
+    });
+    const critical = alert.severity === SEVERITY.critical;
+    const cve = isArtifactAlertCve(alert);
+    const fixableCve = isArtifactAlertCveFixable(alert);
+    const fixableUpgrade = isArtifactAlertUpgrade(alert);
+    const fixable = fixableCve || fixableUpgrade;
+    const upgrade = fixableUpgrade && !objects.hasOwn(overrides, name);
+    if (include.cve && cve || include.unfixable && !fixable || include.critical && critical || include.upgrade && upgrade) {
+      sockPkgAlerts.push({
+        name,
+        version,
+        key: alert.key,
+        type: alert.type,
+        block: ux.block,
+        critical,
+        display: ux.display,
+        fixable,
+        raw: alert,
+        upgrade
+      });
     }
   }
-  satisfiedBy(node) {
-    // Patch replacing
-    // if (node.name !== this.#name) {
-    //   return false
-    // }
-    // is based on https://github.com/npm/cli/pull/8089.
-    if (node.name !== this.name || !this.#safeFrom) {
-      return false;
-    }
-    // NOTE: this condition means we explicitly do not support overriding
-    // bundled or shrinkwrapped dependencies
-    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
-      return depValid(node, this.rawSpec, this.accept, this.#safeFrom);
-    }
-    // Patch replacing
-    // return depValid(node, this.spec, this.#accept, this.#from)
-    // is based on https://github.com/npm/cli/pull/8089.
-    //
-    // If there's no override we just use the spec.
-    if (!this.overrides?.keySpec) {
-      return depValid(node, this.spec, this.accept, this.#safeFrom);
+  if (!sockPkgAlerts.length) {
+    return;
+  }
+  if (consolidate) {
+    const highestForCve = new Map();
+    const highestForUpgrade = new Map();
+    const unfixableAlerts = [];
+    for (const sockPkgAlert of sockPkgAlerts) {
+      if (isArtifactAlertCveFixable(sockPkgAlert.raw)) {
+        const patchedVersion = sockPkgAlert.raw.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
+        const patchedMajor = semver.major(patchedVersion);
+        const oldHighest = highestForCve.get(patchedMajor);
+        const highest = oldHighest?.version ?? '0.0.0';
+        if (semver.gt(patchedVersion, highest)) {
+          highestForCve.set(patchedMajor, {
+            alert: sockPkgAlert,
+            version: patchedVersion
+          });
+        }
+      } else if (isArtifactAlertUpgrade(sockPkgAlert.raw)) {
+        const oldHighest = highestForUpgrade.get(major);
+        const highest = oldHighest?.version ?? '0.0.0';
+        if (semver.gt(version, highest)) {
+          highestForUpgrade.set(major, {
+            alert: sockPkgAlert,
+            version
+          });
+        }
+      } else {
+        unfixableAlerts.push(sockPkgAlert);
+      }
     }
-    // There's some override. If the target node satisfies the overriding spec
-    // then it's okay.
-    if (depValid(node, this.spec, this.accept, this.#safeFrom)) {
-      return true;
+    sockPkgAlerts = [...unfixableAlerts, ...[...highestForCve.values()].map(d => d.alert), ...[...highestForUpgrade.values()].map(d => d.alert)];
+  }
+  if (!sockPkgAlerts.length) {
+    return;
+  }
+  sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
+  alertsByPkgId.set(pkgId, sockPkgAlerts);
+}
+function getCveInfoByAlertsMap(alertsMap, options) {
+  const exclude = {
+    upgrade: true,
+    ...{
+      __proto__: null,
+      ...options
+    }.exclude
+  };
+  let infoByPkg = null;
+  for (const [pkgId, alerts] of alertsMap) {
+    const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`);
+    const name = packages.resolvePackageName(purlObj);
+    for (const alert of alerts) {
+      if (!isArtifactAlertCveFixable(alert.raw) || exclude.upgrade && registry.getManifestData(NPM$1, name)) {
+        continue;
+      }
+      if (!infoByPkg) {
+        infoByPkg = new Map();
+      }
+      let infos = infoByPkg.get(name);
+      if (!infos) {
+        infos = [];
+        infoByPkg.set(name, infos);
+      }
+      const {
+        firstPatchedVersionIdentifier,
+        vulnerableVersionRange
+      } = alert.raw.props;
+      infos.push({
+        firstPatchedVersionIdentifier,
+        vulnerableVersionRange: new semver.Range(vulnerableVersionRange).format()
+      });
     }
-    // If it doesn't, then it should at least satisfy the original spec.
-    if (!depValid(node, this.rawSpec, this.accept, this.#safeFrom)) {
-      return false;
+  }
+  return infoByPkg;
+}
+function logAlertsMap(alertsMap, options) {
+  const {
+    output = process.stderr
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const translations = getTranslations();
+  for (const [pkgId, alerts] of alertsMap) {
+    const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`);
+    const lines = new Set();
+    for (const alert of alerts) {
+      const {
+        type
+      } = alert;
+      const attributes = [...(alert.fixable ? ['fixable'] : []), ...(alert.block ? [] : ['non-blocking'])];
+      const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : '';
+      // Based data from { pageProps: { alertTypes } } of:
+      // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
+      const info = translations.alerts[type];
+      const title = info?.title ?? type;
+      const maybeDesc = info?.description ? ` - ${info.description}` : '';
+      // TODO: emoji seems to mis-align terminals sometimes
+      lines.add(`  ${title}${maybeAttributes}${maybeDesc}`);
+    }
+    output.write(`(socket) ${format.hyperlink(pkgId, getSocketDevPackageOverviewUrl(NPM$1, packages.resolvePackageName(purlObj), purlObj.version))} contains risks:\n`);
+    for (const line of lines) {
+      output.write(`${line}\n`);
     }
-    // It satisfies the original spec, not the overriding spec. We need to make
-    // sure it doesn't use the overridden spec.
-    // For example:
-    //   we might have an ^8.0.0 rawSpec, and an override that makes
-    //   keySpec=8.23.0 and the override value spec=9.0.0.
-    //   If the node is 9.0.0, then it's okay because it's consistent with spec.
-    //   If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
-    //   If the node is 8.23.0, then it's not okay because even though it's consistent
-    //   with the rawSpec, it's also consistent with the keySpec.
-    //   So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
-    return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom);
   }
 }
 
 const {
-  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
   LOOP_SENTINEL,
   NPM,
-  NPM_REGISTRY_URL,
-  OVERRIDES,
-  PNPM,
-  RESOLUTIONS
+  NPM_REGISTRY_URL
 } = constants;
-const formatter = new ColorOrMarkdown(false);
+function getDetailsFromDiff(diff_, options) {
+  const details = [];
+  // `diff_` is `null` when `npm install --package-lock-only` is passed.
+  if (!diff_) {
+    return details;
+  }
+  const include = {
+    __proto__: null,
+    unchanged: false,
+    unknownOrigin: false,
+    ...{
+      __proto__: null,
+      ...options
+    }.include
+  };
+  const queue = [...diff_.children];
+  let pos = 0;
+  let {
+    length: queueLength
+  } = queue;
+  while (pos < queueLength) {
+    if (pos === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop while walking Arborist diff');
+    }
+    const diff = queue[pos++];
+    const {
+      action
+    } = diff;
+    if (action) {
+      // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
+      // action is 'REMOVE'
+      // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
+      // action is 'ADD'.
+      const {
+        actual: oldNode,
+        ideal: pkgNode
+      } = diff;
+      let existing;
+      let keep = false;
+      if (action === DiffAction.change) {
+        if (pkgNode?.package.version !== oldNode?.package.version) {
+          keep = true;
+          if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
+            existing = oldNode;
+          }
+        } else {
+          debug.debugLog('SKIPPING META CHANGE ON', diff);
+        }
+      } else {
+        keep = action !== DiffAction.remove;
+      }
+      if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
+        if (include.unknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL) {
+          details.push({
+            node: pkgNode,
+            existing
+          });
+        }
+      }
+    }
+    for (const child of diff.children) {
+      queue[queueLength++] = child;
+    }
+  }
+  if (include.unchanged) {
+    const {
+      unchanged
+    } = diff_;
+    for (let i = 0, {
+        length
+      } = unchanged; i < length; i += 1) {
+      const pkgNode = unchanged[i];
+      if (include.unknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL) {
+        details.push({
+          node: pkgNode,
+          existing: pkgNode
+        });
+      }
+    }
+  }
+  return details;
+}
+function getUrlOrigin(input) {
+  try {
+    return URL.parse(input)?.origin ?? '';
+  } catch {}
+  return '';
+}
 function findBestPatchVersion(node, availableVersions, vulnerableVersionRange, _firstPatchedVersionIdentifier) {
   const manifestData = registry.getManifestData(NPM, node.name);
   let eligibleVersions;
@@ -1460,8 +1725,8 @@ function findBestPatchVersion(node, availableVersions, vulnerableVersionRange, _
   } else {
     const major = semver.major(node.version);
     eligibleVersions = availableVersions.filter(v =>
-    // Filter for versions that are within the current major version
-    // and are not in the vulnerable range
+    // Filter for versions that are within the current major version and
+    // are NOT in the vulnerable range.
     semver.major(v) === major && (!vulnerableVersionRange || !semver.satisfies(v, vulnerableVersionRange)));
   }
   return semver.maxSatisfying(eligibleVersions, '*');
@@ -1492,17 +1757,55 @@ function findPackageNodes(tree, packageName) {
   }
   return matches;
 }
-let _translations;
-function getTranslations() {
-  if (_translations === undefined) {
-    _translations = require(
-    // Lazily access constants.rootPath.
-    path.join(constants.rootPath, 'translations.json'));
+async function getAlertsMapFromArborist(arb, options) {
+  const {
+    include: _include,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const include = {
+    __proto__: null,
+    existing: false,
+    ..._include
+  };
+  const needInfoOn = getDetailsFromDiff(arb.diff, {
+    include: {
+      unchanged: include.existing
+    }
+  });
+  const pkgIds = arrays.arrayUnique(needInfoOn.map(d => d.node.pkgid));
+  let {
+    length: remaining
+  } = pkgIds;
+  const alertsByPkgId = new Map();
+  if (!remaining) {
+    return alertsByPkgId;
   }
-  return _translations;
-}
-function hasOverride(pkgJson, name) {
-  return !!(pkgJson?.[OVERRIDES]?.[name] || pkgJson?.[RESOLUTIONS]?.[name] || pkgJson?.[PNPM]?.[OVERRIDES]?.[name]);
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner?.start(getText());
+  let overrides;
+  const overridesMap = (arb.actualTree ?? arb.idealTree ?? (await arb.loadActual()))?.overrides?.children;
+  if (overridesMap) {
+    overrides = Object.fromEntries([...overridesMap.entries()].map(([key, overrideSet]) => {
+      return [key, overrideSet.value];
+    }));
+  }
+  const toAlertsMapOptions = {
+    overrides,
+    ...options
+  };
+  for await (const artifact of batchScan(pkgIds)) {
+    await addArtifactToAlertsMap(artifact, alertsByPkgId, toAlertsMapOptions);
+    remaining -= 1;
+    if (spinner && remaining > 0) {
+      spinner.start();
+      spinner.setText(getText());
+    }
+  }
+  spinner?.stop();
+  return alertsByPkgId;
 }
 function updateNode(node, packument, vulnerableVersionRange, firstPatchedVersionIdentifier) {
   const availableVersions = Object.keys(packument.versions);
@@ -1563,208 +1866,6 @@ function updateNode(node, packument, vulnerableVersionRange, firstPatchedVersion
   }
   return true;
 }
-async function getPackagesAlerts(arb, options) {
-  const {
-    consolidate = false,
-    includeExisting = false,
-    includeUnfixable = true,
-    includeUpgrades = false,
-    output
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const needInfoOn = getPackagesToQueryFromDiff(arb.diff, {
-    includeUnchanged: includeExisting
-  });
-  const purls = arrays.arrayUnique(needInfoOn.map(d => d.node.pkgid));
-  let {
-    length: remaining
-  } = purls;
-  const results = [];
-  if (!remaining) {
-    return results;
-  }
-  const pkgJson = (arb.actualTree ?? arb.idealTree).package;
-  const spinner$1 = output ? new spinner.Spinner({
-    stream: output
-  }) : undefined;
-  const getText = () => `Looking up data for ${remaining} packages`;
-  const decrementRemaining = () => {
-    remaining -= 1;
-    if (spinner$1 && remaining > 0) {
-      spinner$1.start();
-      spinner$1.setText(getText());
-    }
-  };
-  spinner$1?.start(getText());
-  for await (const artifact of batchScan(purls)) {
-    if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-      decrementRemaining();
-      continue;
-    }
-    const name = packages.resolvePackageName(artifact);
-    const {
-      version
-    } = artifact;
-    let displayWarning = false;
-    let sockPkgAlerts = [];
-    for (const alert of artifact.alerts) {
-      // eslint-disable-next-line no-await-in-loop
-      const ux = await uxLookup({
-        package: {
-          name,
-          version
-        },
-        alert: {
-          type: alert.type
-        }
-      });
-      if (ux.display) {
-        displayWarning = !!output;
-      }
-      const fixableCve = isArtifactAlertCveFixable(alert);
-      const fixableUpgrade = isArtifactAlertUpgradeFixable(alert);
-      if (includeUnfixable || fixableCve || includeUpgrades && fixableUpgrade && !hasOverride(pkgJson, name)) {
-        sockPkgAlerts.push({
-          name,
-          version,
-          key: alert.key,
-          type: alert.type,
-          block: ux.block,
-          raw: alert,
-          fixable: fixableCve || fixableUpgrade
-        });
-      }
-    }
-    if (!includeExisting && sockPkgAlerts.length) {
-      // Before we ask about problematic issues, check to see if they
-      // already existed in the old version if they did, be quiet.
-      const allExisting = needInfoOn.filter(d => d.existing?.pkgid.startsWith(`${name}@`));
-      for (const {
-        existing
-      } of allExisting) {
-        const oldAlerts =
-        // eslint-disable-next-line no-await-in-loop
-        (await batchScan([existing.pkgid]).next()).value?.alerts;
-        if (oldAlerts?.length) {
-          // SocketArtifactAlert and SocketPackageAlert both have the 'key' property.
-          sockPkgAlerts = sockPkgAlerts.filter(({
-            key
-          }) => !oldAlerts.find(a => a.key === key));
-        }
-      }
-    }
-    if (consolidate && sockPkgAlerts.length) {
-      const highestForCve = new Map();
-      const highestForUpgrade = new Map();
-      const unfixableAlerts = [];
-      for (const sockPkgAlert of sockPkgAlerts) {
-        if (isArtifactAlertCveFixable(sockPkgAlert.raw)) {
-          const version = sockPkgAlert.raw.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
-          const major = semver.major(version);
-          const highest = highestForCve.get(major)?.raw[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER] ?? '0.0.0';
-          if (semver.gt(version, highest)) {
-            highestForCve.set(major, sockPkgAlert);
-          }
-        } else if (isArtifactAlertUpgradeFixable(sockPkgAlert.raw)) {
-          const {
-            version
-          } = sockPkgAlert;
-          const major = semver.major(version);
-          const highest = highestForUpgrade.get(major)?.version ?? '0.0.0';
-          if (semver.gt(version, highest)) {
-            highestForUpgrade.set(major, sockPkgAlert);
-          }
-        } else {
-          unfixableAlerts.push(sockPkgAlert);
-        }
-      }
-      sockPkgAlerts = [...unfixableAlerts, ...highestForCve.values(), ...highestForUpgrade.values()];
-    }
-    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
-    spinner$1?.stop();
-    if (displayWarning && sockPkgAlerts.length) {
-      const lines = new Set();
-      const translations = getTranslations();
-      for (const sockPkgAlert of sockPkgAlerts) {
-        const attributes = [...(sockPkgAlert.fixable ? ['fixable'] : []), ...(sockPkgAlert.block ? [] : ['non-blocking'])];
-        const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : '';
-        // Based data from { pageProps: { alertTypes } } of:
-        // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
-        const info = translations.alerts[sockPkgAlert.type];
-        const title = info?.title ?? sockPkgAlert.type;
-        const maybeDesc = info?.description ? ` - ${info.description}` : '';
-        // TODO: emoji seems to mis-align terminals sometimes
-        lines.add(`  ${title}${maybeAttributes}${maybeDesc}\n`);
-      }
-      output?.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, getSocketDevPackageOverviewUrl(NPM, name, version))} contains risks:\n`);
-      for (const line of lines) {
-        output?.write(line);
-      }
-    }
-    results.push(...sockPkgAlerts);
-    decrementRemaining();
-  }
-  spinner$1?.stop();
-  return results;
-}
-function getCveInfoByPackage(alerts, options) {
-  const {
-    excludeUpgrades
-  } = {
-    __proto__: null,
-    ...options
-  };
-  let infoByPkg = null;
-  for (const alert of alerts) {
-    if (!isArtifactAlertCveFixable(alert.raw) || excludeUpgrades && registry.getManifestData(NPM, alert.name)) {
-      continue;
-    }
-    if (!infoByPkg) {
-      infoByPkg = new Map();
-    }
-    const {
-      name
-    } = alert;
-    let infos = infoByPkg.get(name);
-    if (!infos) {
-      infos = [];
-      infoByPkg.set(name, infos);
-    }
-    const {
-      firstPatchedVersionIdentifier,
-      vulnerableVersionRange
-    } = alert.raw.props;
-    infos.push({
-      firstPatchedVersionIdentifier,
-      vulnerableVersionRange
-    });
-  }
-  return infoByPkg;
-}
-const kCtorArgs = Symbol('ctorArgs');
-const kRiskyReify = Symbol('riskyReify');
-async function reify(arb, args, level = 1) {
-  const {
-    stderr: output,
-    stdin: input
-  } = process;
-  const alerts = await getPackagesAlerts(arb, {
-    output,
-    includeUnfixable: level < 2
-  });
-  if (alerts.length && !(await prompts.confirm({
-    message: 'Accept risks of installing these packages?',
-    default: false
-  }, {
-    input,
-    output
-  }))) {
-    throw new Error('Socket npm exiting due to risks');
-  }
-  return await arb[kRiskyReify](...args);
-}
 
 const {
   SOCKET_CLI_SAFE_WRAPPER,
@@ -1773,7 +1874,6 @@ const {
     getIPC
   }
 } = constants;
-const Arborist = require(shadowNpmPaths.getArboristClassPath());
 const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   __proto__: null,
   audit: false,
@@ -1785,13 +1885,16 @@ const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   saveBundle: false,
   silent: true
 };
+const kCtorArgs = Symbol('ctorArgs');
+const kRiskyReify = Symbol('riskyReify');
+const Arborist = require(shadowNpmPaths.getArboristClassPath());
 
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
 class SafeArborist extends Arborist {
   constructor(...ctorArgs) {
     super({
-      path: (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process.cwd(),
+      path: (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process$1.cwd(),
       ...(ctorArgs.length ? ctorArgs[0] : undefined),
       ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
     }, ...ctorArgs.slice(1));
@@ -1817,23 +1920,41 @@ class SafeArborist extends Arborist {
       __proto__: null,
       ...(args.length ? args[0] : undefined)
     };
-    if (options.dryRun) {
-      return await this[kRiskyReify](...args);
-    }
-    const level = await getIPC(SOCKET_CLI_SAFE_WRAPPER);
+    const level = options.dryRun ? 0 : await getIPC(SOCKET_CLI_SAFE_WRAPPER);
     if (!level) {
       return await this[kRiskyReify](...args);
     }
-    const safeArgs = [{
+    // Lazily access constants.spinner.
+    const {
+      spinner
+    } = constants;
+    await super.reify({
       ...options,
+      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
       progress: false
-    }, ...args.slice(1)];
-    Object.assign(options, SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES);
-    const old = args[0];
-    args[0] = options;
-    await super.reify(...safeArgs);
-    args[0] = old;
-    return await reify(this, args, level);
+    },
+    // @ts-ignore: TS gets grumpy about rest parameters.
+    ...args.slice(1));
+    const alertsMap = await getAlertsMapFromArborist(this, {
+      spinner,
+      include: {
+        unfixable: level < 2
+      }
+    });
+    if (alertsMap.size) {
+      logAlertsMap(alertsMap, {
+        output: process$1.stderr
+      });
+      if (!(await prompts.confirm({
+        message: 'Accept risks of installing these packages?',
+        default: false
+      }))) {
+        throw new Error('Socket npm exiting due to risks');
+      }
+    } else {
+      logger.logger.success('Socket npm found no risks!');
+    }
+    return await this[kRiskyReify](...args);
   }
 }
 
@@ -1862,15 +1983,21 @@ exports.AuthError = AuthError;
 exports.ColorOrMarkdown = ColorOrMarkdown;
 exports.InputError = InputError;
 exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES;
+exports.SEVERITY = SEVERITY;
 exports.SafeArborist = SafeArborist;
+exports.addArtifactToAlertsMap = addArtifactToAlertsMap;
+exports.batchScan = batchScan;
 exports.captureException = captureException;
+exports.findBestPatchVersion = findBestPatchVersion;
 exports.findPackageNodes = findPackageNodes;
 exports.findUp = findUp;
-exports.getCveInfoByPackage = getCveInfoByPackage;
+exports.formatSeverityCount = formatSeverityCount;
+exports.getAlertsMapFromArborist = getAlertsMapFromArborist;
+exports.getCveInfoByAlertsMap = getCveInfoByAlertsMap;
 exports.getDefaultToken = getDefaultToken;
-exports.getPackagesAlerts = getPackagesAlerts;
 exports.getPublicToken = getPublicToken;
 exports.getSetting = getSetting;
+exports.getSeverityCount = getSeverityCount;
 exports.getSocketDevAlertUrl = getSocketDevAlertUrl;
 exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl;
 exports.readFileBinary = readFileBinary;
@@ -1879,5 +2006,5 @@ exports.safeReadFile = safeReadFile;
 exports.setupSdk = setupSdk;
 exports.updateNode = updateNode;
 exports.updateSetting = updateSetting;
-//# debugId=a2461f74-6908-4fea-b499-5d8392a553ba
+//# debugId=1b6e4e80-401e-49a9-9b56-3f777bfba08f
 //# sourceMappingURL=shadow-npm-inject.js.map