@socketsecurity/cli-with-sentry 0.14.66 → 0.14.68

package/dist/module-sync/shadow-npm-inject.js

@@ -1,176 +1,174 @@
-'use strict';
+'use strict'
 
 function _socketInterop(e) {
   let c = 0
   for (const k in e ?? {}) {
     c = c === 0 && k === 'default' ? 1 : 0
-    if (!c && k !== '__esModule') break
+    if (!c && k !== '__esModule') {
+      break
+    }
   }
   return c ? e.default : e
 }
 
-var shadowNpmPaths = require('./shadow-npm-paths.js');
-var process$1 = require('node:process');
-var logger = require('@socketsecurity/registry/lib/logger');
-var prompts = require('@socketsecurity/registry/lib/prompts');
-var constants = require('./constants.js');
-var semver = _socketInterop(require('semver'));
-var packageurlJs = require('@socketregistry/packageurl-js');
-var registry = require('@socketsecurity/registry');
-var arrays = require('@socketsecurity/registry/lib/arrays');
-var debug = require('@socketsecurity/registry/lib/debug');
-var objects = require('@socketsecurity/registry/lib/objects');
-var npa = _socketInterop(require('npm-package-arg'));
-var hpagent = _socketInterop(require('hpagent'));
-var isInteractive = require('@socketregistry/is-interactive/index.cjs');
-var registryConstants = require('@socketsecurity/registry/lib/constants');
-var strings = require('@socketsecurity/registry/lib/strings');
-var sdk = require('@socketsecurity/sdk');
-var promises = require('node:timers/promises');
-var fs = require('node:fs');
-var os = require('node:os');
-var path = require('node:path');
-var config = require('@socketsecurity/config');
-var packages = require('@socketsecurity/registry/lib/packages');
-var sorts = require('@socketsecurity/registry/lib/sorts');
-var terminalLink = _socketInterop(require('terminal-link'));
-var colors = _socketInterop(require('yoctocolors-cjs'));
-var indentString = require('@socketregistry/indent-string/index.cjs');
-
-const {
-  kInternalsSymbol: kInternalsSymbol$1,
-  [kInternalsSymbol$1]: {
-    getSentry
-  }
-} = constants;
-class AuthError extends Error {}
-class InputError extends Error {
-  constructor(message, body) {
-    super(message);
-    this.body = body;
-  }
-}
-async function captureException(exception, hint) {
-  const result = captureExceptionSync(exception, hint);
-  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
-  await promises.setTimeout(1000);
-  return result;
-}
-function captureExceptionSync(exception, hint) {
-  const Sentry = getSentry();
-  if (!Sentry) {
-    return '';
-  }
-  debug.debugLog('captureException: Sending exception to Sentry.');
-  return Sentry.captureException(exception, hint);
-}
-function isErrnoException(value) {
-  if (!(value instanceof Error)) {
-    return false;
-  }
-  return value.code !== undefined;
-}
+const shadowNpmPaths = require('./shadow-npm-paths.js')
+const process$1 = require('node:process')
+const commonTags = _socketInterop(require('common-tags'))
+const logger = require('@socketsecurity/registry/lib/logger')
+const constants = require('./constants.js')
+const semver = _socketInterop(require('semver'))
+const packageurlJs = require('@socketregistry/packageurl-js')
+const registry = require('@socketsecurity/registry')
+const arrays = require('@socketsecurity/registry/lib/arrays')
+const debug = require('@socketsecurity/registry/lib/debug')
+const objects = require('@socketsecurity/registry/lib/objects')
+const npa = _socketInterop(require('npm-package-arg'))
+const hpagent = _socketInterop(require('hpagent'))
+const isInteractive = require('@socketregistry/is-interactive/index.cjs')
+const registryConstants = require('@socketsecurity/registry/lib/constants')
+const prompts = require('@socketsecurity/registry/lib/prompts')
+const strings = require('@socketsecurity/registry/lib/strings')
+const sdk = require('@socketsecurity/sdk')
+const fs = require('node:fs')
+const os = require('node:os')
+const path = require('node:path')
+const config = require('@socketsecurity/config')
+const promises = require('node:timers/promises')
+const colors = _socketInterop(require('yoctocolors-cjs'))
+const packages = require('@socketsecurity/registry/lib/packages')
+const sorts = require('@socketsecurity/registry/lib/sorts')
+const terminalLink = _socketInterop(require('terminal-link'))
+const indentString = require('@socketregistry/indent-string/index.cjs')
 
-const {
-  abortSignal
-} = constants;
-async function findUp(name, {
-  cwd = process$1.cwd(),
-  signal = abortSignal
-}) {
-  let dir = path.resolve(cwd);
-  const {
-    root
-  } = path.parse(dir);
-  const names = [name].flat();
+const { abortSignal } = constants
+async function findUp(name, { cwd = process$1.cwd(), signal = abortSignal }) {
+  let dir = path.resolve(cwd)
+  const { root } = path.parse(dir)
+  const names = [name].flat()
   while (dir && dir !== root) {
     for (const name of names) {
       if (signal?.aborted) {
-        return undefined;
+        return undefined
       }
-      const filePath = path.join(dir, name);
+      const filePath = path.join(dir, name)
       try {
         // eslint-disable-next-line no-await-in-loop
-        const stats = await fs.promises.stat(filePath);
+        const stats = await fs.promises.stat(filePath)
         if (stats.isFile()) {
-          return filePath;
+          return filePath
         }
       } catch {}
     }
-    dir = path.dirname(dir);
+    dir = path.dirname(dir)
   }
-  return undefined;
+  return undefined
 }
 async function readFileBinary(filepath, options) {
   return await fs.promises.readFile(filepath, {
     signal: abortSignal,
     ...options,
     encoding: 'binary'
-  });
+  })
 }
 async function readFileUtf8(filepath, options) {
   return await fs.promises.readFile(filepath, {
     signal: abortSignal,
     ...options,
     encoding: 'utf8'
-  });
+  })
 }
 async function safeReadFile(filepath, options) {
   try {
     return await fs.promises.readFile(filepath, {
       encoding: 'utf8',
       signal: abortSignal,
-      ...(typeof options === 'string' ? {
-        encoding: options
-      } : options)
-    });
+      ...(typeof options === 'string'
+        ? {
+            encoding: options
+          }
+        : options)
+    })
   } catch {}
-  return undefined;
+  return undefined
 }
 function safeReadFileSync(filepath, options) {
   try {
     return fs.readFileSync(filepath, {
       encoding: 'utf8',
-      ...(typeof options === 'string' ? {
-        encoding: options
-      } : options)
-    });
+      ...(typeof options === 'string'
+        ? {
+            encoding: options
+          }
+        : options)
+    })
   } catch {}
-  return undefined;
+  return undefined
 }
 
-// Default app data folder env var on Win
-const LOCALAPPDATA = 'LOCALAPPDATA';
-// Default app data folder env var on Mac/Linux
-const XDG_DATA_HOME = 'XDG_DATA_HOME';
-const SOCKET_APP_DIR = 'socket/settings';
-const supportedApiKeys = new Set(['apiBaseUrl', 'apiKey', 'apiProxy', 'enforcedOrgs']);
-let settings;
-let settingsPath;
-let warnedSettingPathWin32Missing = false;
-let pendingSave = false;
-function getSettings() {
-  if (settings === undefined) {
-    settings = {};
-    const settingsPath = getSettingsPath();
-    if (settingsPath) {
-      const raw = safeReadFileSync(settingsPath);
+const { LOCALAPPDATA, SOCKET_APP_DIR, XDG_DATA_HOME } = constants
+const supportedConfigKeys = new Map([
+  ['apiBaseUrl', 'Base URL of the API endpoint'],
+  ['apiProxy', 'A proxy through which to access the API'],
+  ['apiToken', 'The API token required to access most API endpoints'],
+  [
+    'defaultOrg',
+    'The default org slug to use when appropriate; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.'
+  ],
+  [
+    'enforcedOrgs',
+    'Orgs in this list have their security policies enforced on this machine'
+  ]
+])
+const sensitiveConfigKeys = new Set(['apiToken'])
+let _cachedConfig
+// When using --config or SOCKET_CLI_CONFIG_OVERRIDE, do not persist the config.
+let _readOnlyConfig = false
+function overrideCachedConfig(config) {
+  _cachedConfig = {
+    ...config
+  }
+  _readOnlyConfig = true
+  // Normalize apiKey to apiToken.
+  if (_cachedConfig['apiKey']) {
+    _cachedConfig['apiToken'] = _cachedConfig['apiKey']
+    delete _cachedConfig['apiKey']
+  }
+}
+function getConfigValues() {
+  if (_cachedConfig === undefined) {
+    _cachedConfig = {}
+    // Order: env var > --config flag > file
+    const configPath = getConfigPath()
+    if (configPath) {
+      const raw = safeReadFileSync(configPath)
       if (raw) {
         try {
-          Object.assign(settings, JSON.parse(Buffer.from(raw, 'base64').toString()));
+          Object.assign(
+            _cachedConfig,
+            JSON.parse(Buffer.from(raw, 'base64').toString())
+          )
         } catch {
-          logger.logger.warn(`Failed to parse settings at ${settingsPath}`);
+          logger.logger.warn(`Failed to parse config at ${configPath}`)
+        }
+        // Normalize apiKey to apiToken and persist it.
+        // This is a one time migration per user.
+        if (_cachedConfig['apiKey']) {
+          const token = _cachedConfig['apiKey']
+          delete _cachedConfig['apiKey']
+          updateConfigValue('apiToken', token)
         }
       } else {
-        fs.mkdirSync(path.dirname(settingsPath), {
+        fs.mkdirSync(path.dirname(configPath), {
           recursive: true
-        });
+        })
       }
     }
   }
-  return settings;
+  return _cachedConfig
 }
-function getSettingsPath() {
+let _configPath
+let _warnedConfigPathWin32Missing = false
+function getConfigPath() {
   // Get the OS app data folder:
   // - Win: %LOCALAPPDATA% or fail?
   // - Mac: %XDG_DATA_HOME% or fallback to "~/Library/Application Support/"
@@ -183,182 +181,248 @@ function getSettingsPath() {
   // - Mac: %XDG_DATA_HOME%/socket/settings or "~/Library/Application Support/socket/settings"
   // - Linux: %XDG_DATA_HOME%/socket/settings or "~/.local/share/socket/settings"
 
-  if (settingsPath === undefined) {
+  if (_configPath === undefined) {
     // Lazily access constants.WIN32.
-    const {
-      WIN32
-    } = constants;
-    let dataHome = WIN32 ? process$1.env[LOCALAPPDATA] : process$1.env[XDG_DATA_HOME];
+    const { WIN32 } = constants
+    let dataHome = WIN32
+      ? // Lazily access constants.ENV[LOCALAPPDATA]
+        constants.ENV[LOCALAPPDATA]
+      : // Lazily access constants.ENV[XDG_DATA_HOME]
+        constants.ENV[XDG_DATA_HOME]
     if (!dataHome) {
       if (WIN32) {
-        if (!warnedSettingPathWin32Missing) {
-          warnedSettingPathWin32Missing = true;
-          logger.logger.warn(`Missing %${LOCALAPPDATA}%`);
+        if (!_warnedConfigPathWin32Missing) {
+          _warnedConfigPathWin32Missing = true
+          logger.logger.warn(`Missing %${LOCALAPPDATA}%`)
         }
       } else {
-        dataHome = path.join(os.homedir(), ...(process$1.platform === 'darwin' ? ['Library', 'Application Support'] : ['.local', 'share']));
+        dataHome = path.join(
+          os.homedir(),
+          ...(process$1.platform === 'darwin'
+            ? ['Library', 'Application Support']
+            : ['.local', 'share'])
+        )
       }
     }
-    settingsPath = dataHome ? path.join(dataHome, SOCKET_APP_DIR) : undefined;
+    _configPath = dataHome ? path.join(dataHome, SOCKET_APP_DIR) : undefined
   }
-  return settingsPath;
+  return _configPath
 }
-function normalizeSettingsKey(key) {
-  const normalizedKey = key === 'apiToken' ? 'apiKey' : key;
-  if (!supportedApiKeys.has(normalizedKey)) {
-    throw new Error(`Invalid settings key: ${normalizedKey}`);
-  }
-  return normalizedKey;
+function normalizeConfigKey(key) {
+  // Note: apiKey was the old name of the token. When we load a config with
+  //       property apiKey, we'll copy that to apiToken and delete the old property.
+  const normalizedKey = key === 'apiKey' ? 'apiToken' : key
+  if (!supportedConfigKeys.has(normalizedKey)) {
+    throw new Error(`Invalid config key: ${normalizedKey}`)
+  }
+  return normalizedKey
 }
-function findSocketYmlSync() {
-  let prevDir = null;
-  let dir = process$1.cwd();
+function findSocketYmlSync(dir = process$1.cwd()) {
+  let prevDir = null
   while (dir !== prevDir) {
-    let ymlPath = path.join(dir, 'socket.yml');
-    let yml = safeReadFileSync(ymlPath);
+    let ymlPath = path.join(dir, 'socket.yml')
+    let yml = safeReadFileSync(ymlPath)
     if (yml === undefined) {
-      ymlPath = path.join(dir, 'socket.yaml');
-      yml = safeReadFileSync(ymlPath);
+      ymlPath = path.join(dir, 'socket.yaml')
+      yml = safeReadFileSync(ymlPath)
     }
     if (typeof yml === 'string') {
       try {
         return {
           path: ymlPath,
           parsed: config.parseSocketConfig(yml)
-        };
+        }
       } catch {
-        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+        throw new Error(`Found file but was unable to parse ${ymlPath}`)
       }
     }
-    prevDir = dir;
-    dir = path.join(dir, '..');
+    prevDir = dir
+    dir = path.join(dir, '..')
   }
-  return null;
+  return null
 }
-function getSetting(key) {
-  return getSettings()[normalizeSettingsKey(key)];
+function getConfigValue(key) {
+  const localConfig = getConfigValues()
+  return localConfig[normalizeConfigKey(key)]
 }
-function updateSetting(key, value) {
-  const settings = getSettings();
-  settings[normalizeSettingsKey(key)] = value;
-  if (!pendingSave) {
-    pendingSave = true;
+let _pendingSave = false
+function updateConfigValue(key, value) {
+  const localConfig = getConfigValues()
+  localConfig[normalizeConfigKey(key)] = value
+  if (_readOnlyConfig) {
+    logger.logger.warn(
+      'Not persisting config change; current config overridden through env var or flag'
+    )
+  } else if (!_pendingSave) {
+    _pendingSave = true
     process$1.nextTick(() => {
-      pendingSave = false;
-      const settingsPath = getSettingsPath();
-      if (settingsPath) {
-        fs.writeFileSync(settingsPath, Buffer.from(JSON.stringify(settings)).toString('base64'));
+      _pendingSave = false
+      const configPath = getConfigPath()
+      if (configPath) {
+        fs.writeFileSync(
+          configPath,
+          Buffer.from(JSON.stringify(localConfig)).toString('base64')
+        )
       }
-    });
+    })
+  }
+}
+
+const {
+  kInternalsSymbol: kInternalsSymbol$1,
+  [kInternalsSymbol$1]: { getSentry }
+} = constants
+class AuthError extends Error {}
+class InputError extends Error {
+  constructor(message, body) {
+    super(message)
+    this.body = body
+  }
+}
+async function captureException(exception, hint) {
+  const result = captureExceptionSync(exception, hint)
+  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
+  await promises.setTimeout(1000)
+  return result
+}
+function captureExceptionSync(exception, hint) {
+  const Sentry = getSentry()
+  if (!Sentry) {
+    return ''
   }
+  debug.debugLog('captureException: Sending exception to Sentry.')
+  return Sentry.captureException(exception, hint)
 }
 
 const {
-  SOCKET_CLI_NO_API_TOKEN
-} = constants;
+  SOCKET_CLI_NO_API_TOKEN,
+  SOCKET_SECURITY_API_BASE_URL,
+  SOCKET_SECURITY_API_PROXY,
+  SOCKET_SECURITY_API_TOKEN
+} = constants
 
 // The API server that should be used for operations.
 function getDefaultApiBaseUrl() {
-  const baseUrl = process$1.env['SOCKET_SECURITY_API_BASE_URL'] || getSetting('apiBaseUrl');
-  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined;
+  const baseUrl =
+    // Lazily access constants.ENV[SOCKET_SECURITY_API_BASE_URL].
+    constants.ENV[SOCKET_SECURITY_API_BASE_URL] || getConfigValue('apiBaseUrl')
+  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined
 }
 
 // The API server that should be used for operations.
 function getDefaultHttpProxy() {
-  const apiProxy = process$1.env['SOCKET_SECURITY_API_PROXY'] || getSetting('apiProxy');
-  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined;
+  const apiProxy =
+    // Lazily access constants.ENV[SOCKET_SECURITY_API_PROXY].
+    constants.ENV[SOCKET_SECURITY_API_PROXY] || getConfigValue('apiProxy')
+  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined
 }
 
 // This API key should be stored globally for the duration of the CLI execution.
-let _defaultToken;
+let _defaultToken
 function getDefaultToken() {
   // Lazily access constants.ENV[SOCKET_CLI_NO_API_TOKEN].
   if (constants.ENV[SOCKET_CLI_NO_API_TOKEN]) {
-    _defaultToken = undefined;
+    _defaultToken = undefined
   } else {
-    const key = process$1.env['SOCKET_SECURITY_API_TOKEN'] ||
-    // Keep 'SOCKET_SECURITY_API_KEY' as an alias of 'SOCKET_SECURITY_API_TOKEN'.
-    // TODO: Remove 'SOCKET_SECURITY_API_KEY' alias.
-    process$1.env['SOCKET_SECURITY_API_KEY'] || getSetting('apiToken') || _defaultToken;
-    _defaultToken = strings.isNonEmptyString(key) ? key : undefined;
-  }
-  return _defaultToken;
+    const key =
+      // Lazily access constants.ENV[SOCKET_SECURITY_API_TOKEN].
+      constants.ENV[SOCKET_SECURITY_API_TOKEN] ||
+      getConfigValue('apiToken') ||
+      _defaultToken
+    _defaultToken = strings.isNonEmptyString(key) ? key : undefined
+  }
+  return _defaultToken
 }
 function getPublicToken() {
-  return (process$1.env['SOCKET_SECURITY_API_TOKEN'] || getDefaultToken()) ?? registryConstants.SOCKET_PUBLIC_API_TOKEN;
+  return (
+    // Lazily access constants.ENV[SOCKET_SECURITY_API_TOKEN].
+    (constants.ENV[SOCKET_SECURITY_API_TOKEN] || getDefaultToken()) ??
+    registryConstants.SOCKET_PUBLIC_API_TOKEN
+  )
 }
-async function setupSdk(apiToken = getDefaultToken(), apiBaseUrl = getDefaultApiBaseUrl(), proxy = getDefaultHttpProxy()) {
+async function setupSdk(
+  apiToken = getDefaultToken(),
+  apiBaseUrl = getDefaultApiBaseUrl(),
+  proxy = getDefaultHttpProxy()
+) {
   if (typeof apiToken !== 'string' && isInteractive()) {
     apiToken = await prompts.password({
-      message: 'Enter your Socket.dev API key (not saved, use socket login to persist)'
-    });
-    _defaultToken = apiToken;
+      message:
+        'Enter your Socket.dev API key (not saved, use socket login to persist)'
+    })
+    _defaultToken = apiToken
   }
   if (!apiToken) {
-    throw new AuthError('You need to provide an API key');
+    throw new AuthError('You need to provide an API key')
   }
   return new sdk.SocketSdk(apiToken, {
-    agent: proxy ? new hpagent.HttpsProxyAgent({
-      proxy
-    }) : undefined,
+    agent: proxy
+      ? new hpagent.HttpsProxyAgent({
+          proxy
+        })
+      : undefined,
     baseUrl: apiBaseUrl,
     userAgent: sdk.createUserAgentFromPkgJson({
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
-      name: "@socketsecurity/cli",
+      name: '@socketsecurity/cli',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-      version: "0.14.66",
+      version: '0.14.68',
       // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_HOMEPAGE']".
-      homepage: "https://github.com/SocketDev/socket-cli"
+      homepage: 'https://github.com/SocketDev/socket-cli'
     })
-  });
+  })
 }
 
-let DiffAction = /*#__PURE__*/function (DiffAction) {
-  DiffAction["add"] = "ADD";
-  DiffAction["change"] = "CHANGE";
-  DiffAction["remove"] = "REMOVE";
-  return DiffAction;
-}({});
+const DiffAction = /*#__PURE__*/ (function (DiffAction) {
+  DiffAction['add'] = 'ADD'
+  DiffAction['change'] = 'CHANGE'
+  DiffAction['remove'] = 'REMOVE'
+  return DiffAction
+})({})
 
-const depValid = require(shadowNpmPaths.getArboristDepValidPath());
+const depValid = require(shadowNpmPaths.getArboristDepValidPath())
 
-const {
-  UNDEFINED_TOKEN
-} = constants;
+const { UNDEFINED_TOKEN } = constants
 function tryRequire(req, ...ids) {
   for (const data of ids) {
-    let id;
-    let transformer;
+    let id
+    let transformer
     if (Array.isArray(data)) {
-      id = data[0];
-      transformer = data[1];
+      id = data[0]
+      transformer = data[1]
     } else {
-      id = data;
-      transformer = mod => mod;
+      id = data
+      transformer = mod => mod
     }
     try {
       // Check that the transformed value isn't `undefined` because older
       // versions of packages like 'proc-log' may not export a `log` method.
-      const exported = transformer(req(id));
+      const exported = transformer(req(id))
       if (exported !== undefined) {
-        return exported;
+        return exported
       }
     } catch {}
   }
-  return undefined;
+  return undefined
 }
-let _log = UNDEFINED_TOKEN;
+let _log = UNDEFINED_TOKEN
 function getLogger() {
   if (_log === UNDEFINED_TOKEN) {
-    _log = tryRequire(shadowNpmPaths.getNpmRequire(), ['proc-log/lib/index.js',
-    // The proc-log DefinitelyTyped definition is incorrect. The type definition
-    // is really that of its export log.
-    mod => mod.log], 'npmlog/lib/log.js');
-  }
-  return _log;
+    _log = tryRequire(
+      shadowNpmPaths.getNpmRequire(),
+      [
+        'proc-log/lib/index.js',
+        // The proc-log DefinitelyTyped definition is incorrect. The type definition
+        // is really that of its export log.
+        mod => mod.log
+      ],
+      'npmlog/lib/log.js'
+    )
+  }
+  return _log
 }
 
-const OverrideSet = require(shadowNpmPaths.getArboristOverrideSetClassPath());
+const OverrideSet = require(shadowNpmPaths.getArboristOverrideSetClassPath())
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/8089
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
@@ -369,59 +433,64 @@ class SafeOverrideSet extends OverrideSet {
     // If override sets contain one another then we can try to use the more
     // specific one. If neither one is more specific, then we consider them to
     // be in conflict.
-    return this.findSpecificOverrideSet(first, second) === undefined;
+    return this.findSpecificOverrideSet(first, second) === undefined
   }
 
   // Patch adding findSpecificOverrideSet is based on
   // https://github.com/npm/cli/pull/8089.
   static findSpecificOverrideSet(first, second) {
-    for (let overrideSet = second; overrideSet; overrideSet = overrideSet.parent) {
+    for (
+      let overrideSet = second;
+      overrideSet;
+      overrideSet = overrideSet.parent
+    ) {
       if (overrideSet.isEqual(first)) {
-        return second;
+        return second
       }
     }
-    for (let overrideSet = first; overrideSet; overrideSet = overrideSet.parent) {
+    for (
+      let overrideSet = first;
+      overrideSet;
+      overrideSet = overrideSet.parent
+    ) {
       if (overrideSet.isEqual(second)) {
-        return first;
+        return first
       }
     }
     // The override sets are incomparable. Neither one contains the other.
-    const log = getLogger();
-    log?.silly('Conflicting override sets', first, second);
-    return undefined;
+    const log = getLogger()
+    log?.silly('Conflicting override sets', first, second)
+    return undefined
   }
 
   // Patch adding childrenAreEqual is based on
   // https://github.com/npm/cli/pull/8089.
   childrenAreEqual(otherOverrideSet) {
     if (this.children.size !== otherOverrideSet.children.size) {
-      return false;
+      return false
     }
-    for (const {
-      0: key,
-      1: childOverrideSet
-    } of this.children) {
-      const otherChildOverrideSet = otherOverrideSet.children.get(key);
+    for (const { 0: key, 1: childOverrideSet } of this.children) {
+      const otherChildOverrideSet = otherOverrideSet.children.get(key)
       if (!otherChildOverrideSet) {
-        return false;
+        return false
       }
       if (childOverrideSet.value !== otherChildOverrideSet.value) {
-        return false;
+        return false
       }
       if (!childOverrideSet.childrenAreEqual(otherChildOverrideSet)) {
-        return false;
+        return false
       }
     }
-    return true;
+    return true
   }
   getEdgeRule(edge) {
     for (const rule of this.ruleset.values()) {
       if (rule.name !== edge.name) {
-        continue;
+        continue
       }
       // If keySpec is * we found our override.
       if (rule.keySpec === '*') {
-        return rule;
+        return rule
       }
       // Patch replacing
       // let spec = npa(`${edge.name}@${edge.spec}`)
@@ -430,53 +499,56 @@ class SafeOverrideSet extends OverrideSet {
       // We need to use the rawSpec here, because the spec has the overrides
       // applied to it already. The rawSpec can be undefined, so we need to use
       // the fallback value of spec if it is.
-      let spec = npa(`${edge.name}@${edge.rawSpec || edge.spec}`);
+      let spec = npa(`${edge.name}@${edge.rawSpec || edge.spec}`)
       if (spec.type === 'alias') {
-        spec = spec.subSpec;
+        spec = spec.subSpec
       }
       if (spec.type === 'git') {
         if (spec.gitRange && semver.intersects(spec.gitRange, rule.keySpec)) {
-          return rule;
+          return rule
         }
-        continue;
+        continue
       }
       if (spec.type === 'range' || spec.type === 'version') {
         if (semver.intersects(spec.fetchSpec, rule.keySpec)) {
-          return rule;
+          return rule
         }
-        continue;
+        continue
       }
       // If we got this far, the spec type is one of tag, directory or file
       // which means we have no real way to make version comparisons, so we
       // just accept the override.
-      return rule;
+      return rule
     }
-    return this;
+    return this
   }
 
   // Patch adding isEqual is based on
   // https://github.com/npm/cli/pull/8089.
   isEqual(otherOverrideSet) {
     if (this === otherOverrideSet) {
-      return true;
+      return true
     }
     if (!otherOverrideSet) {
-      return false;
+      return false
     }
-    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
-      return false;
+    if (
+      this.key !== otherOverrideSet.key ||
+      this.value !== otherOverrideSet.value
+    ) {
+      return false
     }
     if (!this.childrenAreEqual(otherOverrideSet)) {
-      return false;
+      return false
     }
     if (!this.parent) {
-      return !otherOverrideSet.parent;
+      return !otherOverrideSet.parent
     }
-    return this.parent.isEqual(otherOverrideSet.parent);
+    return this.parent.isEqual(otherOverrideSet.parent)
   }
 }
 
-const Node = require(shadowNpmPaths.getArboristNodeClassPath());
+const Node = require(shadowNpmPaths.getArboristNodeClassPath())
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/8089
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
@@ -487,28 +559,28 @@ class SafeNode extends Node {
   canDedupe(preferDedupe = false) {
     // Not allowed to mess with shrinkwraps or bundles.
     if (this.inDepBundle || this.inShrinkwrap) {
-      return false;
+      return false
     }
     // It's a top level pkg, or a dep of one.
     if (!this.resolveParent?.resolveParent) {
-      return false;
+      return false
     }
     // No one wants it, remove it.
     if (this.edgesIn.size === 0) {
-      return true;
+      return true
     }
-    const other = this.resolveParent.resolveParent.resolve(this.name);
+    const other = this.resolveParent.resolveParent.resolve(this.name)
     // Nothing else, need this one.
     if (!other) {
-      return false;
+      return false
     }
     // If it's the same thing, then always fine to remove.
     if (other.matches(this)) {
-      return true;
+      return true
     }
     // If the other thing can't replace this, then skip it.
     if (!other.canReplace(this)) {
-      return false;
+      return false
     }
     // Patch replacing
     // if (preferDedupe || semver.gte(other.version, this.version)) {
@@ -518,14 +590,14 @@ class SafeNode extends Node {
     //
     // If we prefer dedupe, or if the version is equal, take the other.
     if (preferDedupe || semver.eq(other.version, this.version)) {
-      return true;
+      return true
     }
     // If our current version isn't the result of an override, then prefer to
     // take the greater version.
     if (!this.overridden && semver.gt(other.version, this.version)) {
-      return true;
+      return true
     }
-    return false;
+    return false
   }
 
   // Is it safe to replace one node with another?  check the edges to
@@ -539,7 +611,7 @@ class SafeNode extends Node {
   // it with more tree construction, because it's a user request.
   canReplaceWith(node, ignorePeers) {
     if (this.name !== node.name || this.packageName !== node.packageName) {
-      return false;
+      return false
     }
     // Patch replacing
     // if (node.overrides !== this.overrides) {
@@ -553,11 +625,11 @@ class SafeNode extends Node {
       // XXX need to check for two root nodes?
       if (node.overrides) {
         if (!node.overrides.isEqual(this.overrides)) {
-          return false;
+          return false
         }
       } else {
         if (this.overrides) {
-          return false;
+          return false
         }
       }
     }
@@ -565,29 +637,27 @@ class SafeNode extends Node {
     // so that the condition we want to replace,
     // if (this.overrides !== node.overrides) {
     // , is not hit.`
-    const oldOverrideSet = this.overrides;
-    let result = true;
+    const oldOverrideSet = this.overrides
+    let result = true
     if (oldOverrideSet !== node.overrides) {
-      this.overrides = node.overrides;
+      this.overrides = node.overrides
     }
     try {
-      result = super.canReplaceWith(node, ignorePeers);
-      this.overrides = oldOverrideSet;
+      result = super.canReplaceWith(node, ignorePeers)
+      this.overrides = oldOverrideSet
     } catch (e) {
-      this.overrides = oldOverrideSet;
-      throw e;
+      this.overrides = oldOverrideSet
+      throw e
     }
-    return result;
+    return result
   }
 
   // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/8089.
   deleteEdgeIn(edge) {
-    this.edgesIn.delete(edge);
-    const {
-      overrides
-    } = edge;
+    this.edgesIn.delete(edge)
+    const { overrides } = edge
     if (overrides) {
-      this.updateOverridesEdgeInRemoved(overrides);
+      this.updateOverridesEdgeInRemoved(overrides)
     }
   }
   addEdgeIn(edge) {
@@ -600,11 +670,11 @@ class SafeNode extends Node {
     // We need to handle the case where the new edge in has an overrides field
     // which is different from the current value.
     if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
-      this.updateOverridesEdgeInAdded(edge.overrides);
+      this.updateOverridesEdgeInAdded(edge.overrides)
     }
-    this.edgesIn.add(edge);
+    this.edgesIn.add(edge)
     // Try to get metadata from the yarn.lock file.
-    this.root.meta?.addEdge(edge);
+    this.root.meta?.addEdge(edge)
   }
 
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
@@ -612,8 +682,12 @@ class SafeNode extends Node {
     // Patch replacing
     // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
     // is based on https://github.com/npm/cli/pull/8089.
-    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
-      return false;
+    if (
+      !this.overrides ||
+      !this.overrides.value ||
+      this.overrides.name !== this.name
+    ) {
+      return false
     }
     // The overrides rule is for a package with this name, but some override
     // rules only apply to specific versions. To make sure this package was
@@ -621,13 +695,17 @@ class SafeNode extends Node {
     // applied to it, in which case its overrides set is different than its
     // source node.
     for (const edge of this.edgesIn) {
-      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
+      if (
+        edge.overrides &&
+        edge.overrides.name === this.name &&
+        edge.overrides.value === this.version
+      ) {
         if (!edge.overrides.isEqual(edge.from?.overrides)) {
-          return true;
+          return true
         }
       }
     }
-    return false;
+    return false
   }
   set parent(newParent) {
     // Patch removing
@@ -639,18 +717,16 @@ class SafeNode extends Node {
     // The "parent" setter is a really large and complex function. To satisfy
     // the patch we hold on to the old overrides value and set `this.overrides`
     // to `undefined` so that the condition we want to remove is not hit.
-    const {
-      overrides
-    } = this;
+    const { overrides } = this
     if (overrides) {
-      this.overrides = undefined;
+      this.overrides = undefined
     }
     try {
-      super.parent = newParent;
-      this.overrides = overrides;
+      super.parent = newParent
+      this.overrides = overrides
     } catch (e) {
-      this.overrides = overrides;
-      throw e;
+      this.overrides = overrides
+      throw e
     }
   }
 
@@ -659,9 +735,9 @@ class SafeNode extends Node {
   recalculateOutEdgesOverrides() {
     // For each edge out propagate the new overrides through.
     for (const edge of this.edgesOut.values()) {
-      edge.reload(true);
+      edge.reload(true)
       if (edge.to) {
-        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+        edge.to.updateOverridesEdgeInAdded(edge.overrides)
       }
     }
   }
@@ -680,14 +756,14 @@ class SafeNode extends Node {
     if (!this.overrides) {
       this.overrides = new SafeOverrideSet({
         overrides: ''
-      });
+      })
     }
     try {
-      super.root = newRoot;
-      this.overrides = undefined;
+      super.root = newRoot
+      this.overrides = undefined
     } catch (e) {
-      this.overrides = undefined;
-      throw e;
+      this.overrides = undefined
+      throw e
     }
   }
 
@@ -711,30 +787,33 @@ class SafeNode extends Node {
       // undefined for any node at the end state of the tree. So if the new edge's
       // overrides is undefined it will be updated later. So we can wait with
       // updating the node's overrides field.
-      return false;
+      return false
     }
     if (!this.overrides) {
-      this.overrides = otherOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
+      this.overrides = otherOverrideSet
+      this.recalculateOutEdgesOverrides()
+      return true
     }
     if (this.overrides.isEqual(otherOverrideSet)) {
-      return false;
+      return false
     }
-    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(this.overrides, otherOverrideSet);
+    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(
+      this.overrides,
+      otherOverrideSet
+    )
     if (newOverrideSet) {
       if (this.overrides.isEqual(newOverrideSet)) {
-        return false;
+        return false
       }
-      this.overrides = newOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
+      this.overrides = newOverrideSet
+      this.recalculateOutEdgesOverrides()
+      return true
     }
     // This is an error condition. We can only get here if the new override set
     // is in conflict with the existing.
-    const log = getLogger();
-    log?.silly('Conflicting override sets', this.name);
-    return false;
+    const log = getLogger()
+    log?.silly('Conflicting override sets', this.name)
+    return false
   }
 
   // Patch adding updateOverridesEdgeInRemoved is based on
@@ -743,36 +822,37 @@ class SafeNode extends Node {
     // If this edge's overrides isn't equal to this node's overrides,
     // then removing it won't change newOverrideSet later.
     if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
-      return false;
+      return false
     }
-    let newOverrideSet;
+    let newOverrideSet
     for (const edge of this.edgesIn) {
-      const {
-        overrides: edgeOverrides
-      } = edge;
+      const { overrides: edgeOverrides } = edge
       if (newOverrideSet && edgeOverrides) {
-        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(edgeOverrides, newOverrideSet);
+        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(
+          edgeOverrides,
+          newOverrideSet
+        )
       } else {
-        newOverrideSet = edgeOverrides;
+        newOverrideSet = edgeOverrides
       }
     }
     if (this.overrides.isEqual(newOverrideSet)) {
-      return false;
+      return false
     }
-    this.overrides = newOverrideSet;
+    this.overrides = newOverrideSet
     if (newOverrideSet) {
       // Optimization: If there's any override set at all, then no non-extraneous
       // node has an empty override set. So if we temporarily have no override set
       // (for example, we removed all the edges in), there's no use updating all
       // the edges out right now. Let's just wait until we have an actual override
       // set later.
-      this.recalculateOutEdgesOverrides();
+      this.recalculateOutEdgesOverrides()
     }
-    return true;
+    return true
   }
 }
 
-const Edge = require(shadowNpmPaths.getArboristEdgeClassPath());
+const Edge = require(shadowNpmPaths.getArboristEdgeClassPath())
 
 // The Edge class makes heavy use of private properties which subclasses do NOT
 // have access to. So we have to recreate any functionality that relies on those
@@ -787,115 +867,129 @@ const Edge = require(shadowNpmPaths.getArboristEdgeClassPath());
 // An edge in the dependency graph.
 // Represents a dependency relationship of some kind.
 class SafeEdge extends Edge {
-  #safeError;
-  #safeExplanation;
-  #safeFrom;
-  #safeTo;
+  #safeError
+  #safeExplanation
+  #safeFrom
+  #safeTo
   constructor(options) {
-    const {
-      from
-    } = options;
+    const { from } = options
     // Defer to supper to validate options and assign non-private values.
-    super(options);
+    super(options)
     if (from.constructor !== SafeNode) {
-      Reflect.setPrototypeOf(from, SafeNode.prototype);
+      Reflect.setPrototypeOf(from, SafeNode.prototype)
     }
-    this.#safeError = null;
-    this.#safeExplanation = null;
-    this.#safeFrom = from;
-    this.#safeTo = null;
-    this.reload(true);
+    this.#safeError = null
+    this.#safeExplanation = null
+    this.#safeFrom = from
+    this.#safeTo = null
+    this.reload(true)
   }
   get bundled() {
-    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name)
   }
   get error() {
     if (!this.#safeError) {
       if (!this.#safeTo) {
         if (this.optional) {
-          this.#safeError = null;
+          this.#safeError = null
         } else {
-          this.#safeError = 'MISSING';
+          this.#safeError = 'MISSING'
         }
-      } else if (this.peer && this.#safeFrom === this.#safeTo.parent &&
-      // Patch adding "?." use based on
-      // https://github.com/npm/cli/pull/8089.
-      !this.#safeFrom?.isTop) {
-        this.#safeError = 'PEER LOCAL';
+      } else if (
+        this.peer &&
+        this.#safeFrom === this.#safeTo.parent &&
+        // Patch adding "?." use based on
+        // https://github.com/npm/cli/pull/8089.
+        !this.#safeFrom?.isTop
+      ) {
+        this.#safeError = 'PEER LOCAL'
       } else if (!this.satisfiedBy(this.#safeTo)) {
-        this.#safeError = 'INVALID';
+        this.#safeError = 'INVALID'
       }
       // Patch adding "else if" condition is based on
       // https://github.com/npm/cli/pull/8089.
-      else if (this.overrides && this.#safeTo.edgesOut.size && SafeOverrideSet.doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
+      else if (
+        this.overrides &&
+        this.#safeTo.edgesOut.size &&
+        SafeOverrideSet.doOverrideSetsConflict(
+          this.overrides,
+          this.#safeTo.overrides
+        )
+      ) {
         // Any inconsistency between the edge's override set and the target's
         // override set is potentially problematic. But we only say the edge is
         // in error if the override sets are plainly conflicting. Note that if
         // the target doesn't have any dependencies of their own, then this
         // inconsistency is irrelevant.
-        this.#safeError = 'INVALID';
+        this.#safeError = 'INVALID'
       } else {
-        this.#safeError = 'OK';
+        this.#safeError = 'OK'
       }
     }
     if (this.#safeError === 'OK') {
-      return null;
+      return null
     }
-    return this.#safeError;
+    return this.#safeError
   }
 
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
   get from() {
-    return this.#safeFrom;
+    return this.#safeFrom
   }
 
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
   get spec() {
-    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
+    if (
+      this.overrides?.value &&
+      this.overrides.value !== '*' &&
+      this.overrides.name === this.name
+    ) {
       if (this.overrides.value.startsWith('$')) {
-        const ref = this.overrides.value.slice(1);
+        const ref = this.overrides.value.slice(1)
         // We may be a virtual root, if we are we want to resolve reference
         // overrides from the real root, not the virtual one.
         //
         // Patch adding "?." use based on
         // https://github.com/npm/cli/pull/8089.
-        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom?.sourceReference.root.package : this.#safeFrom?.root?.package;
+        const pkg = this.#safeFrom?.sourceReference
+          ? this.#safeFrom?.sourceReference.root.package
+          : this.#safeFrom?.root?.package
         if (pkg?.devDependencies?.[ref]) {
-          return pkg.devDependencies[ref];
+          return pkg.devDependencies[ref]
         }
         if (pkg?.optionalDependencies?.[ref]) {
-          return pkg.optionalDependencies[ref];
+          return pkg.optionalDependencies[ref]
         }
         if (pkg?.dependencies?.[ref]) {
-          return pkg.dependencies[ref];
+          return pkg.dependencies[ref]
         }
         if (pkg?.peerDependencies?.[ref]) {
-          return pkg.peerDependencies[ref];
+          return pkg.peerDependencies[ref]
         }
-        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
+        throw new Error(`Unable to resolve reference ${this.overrides.value}`)
       }
-      return this.overrides.value;
+      return this.overrides.value
     }
-    return this.rawSpec;
+    return this.rawSpec
   }
 
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
   get to() {
-    return this.#safeTo;
+    return this.#safeTo
   }
   detach() {
-    this.#safeExplanation = null;
+    this.#safeExplanation = null
     // Patch replacing
     // if (this.#to) {
     //   this.#to.edgesIn.delete(this)
     // }
     // this.#from.edgesOut.delete(this.#name)
     // is based on https://github.com/npm/cli/pull/8089.
-    this.#safeTo?.deleteEdgeIn(this);
-    this.#safeFrom?.edgesOut.delete(this.name);
-    this.#safeTo = null;
-    this.#safeError = 'DETACHED';
-    this.#safeFrom = null;
+    this.#safeTo?.deleteEdgeIn(this)
+    this.#safeFrom?.edgesOut.delete(this.name)
+    this.#safeTo = null
+    this.#safeError = 'DETACHED'
+    this.#safeFrom = null
   }
 
   // Return the edge data, and an explanation of how that edge came to be here.
@@ -911,66 +1005,66 @@ class SafeEdge extends Edge {
         error: undefined,
         from: undefined,
         rawSpec: undefined
-      };
+      }
       if (this.rawSpec !== this.spec) {
-        explanation.rawSpec = this.rawSpec;
-        explanation.overridden = true;
+        explanation.rawSpec = this.rawSpec
+        explanation.overridden = true
       }
       if (this.bundled) {
-        explanation.bundled = this.bundled;
+        explanation.bundled = this.bundled
       }
       if (this.error) {
-        explanation.error = this.error;
+        explanation.error = this.error
       }
       if (this.#safeFrom) {
-        explanation.from = this.#safeFrom.explain();
+        explanation.from = this.#safeFrom.explain()
       }
-      this.#safeExplanation = explanation;
+      this.#safeExplanation = explanation
     }
-    return this.#safeExplanation;
+    return this.#safeExplanation
   }
   reload(hard = false) {
-    this.#safeExplanation = null;
+    this.#safeExplanation = null
     // Patch replacing
     // if (this.#from.overrides) {
     // is based on https://github.com/npm/cli/pull/8089.
-    let needToUpdateOverrideSet = false;
-    let newOverrideSet;
-    let oldOverrideSet;
+    let needToUpdateOverrideSet = false
+    let newOverrideSet
+    let oldOverrideSet
     if (this.#safeFrom?.overrides) {
-      newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
+      newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this)
       if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
         // If there's a new different override set we need to propagate it to
         // the nodes. If we're deleting the override set then there's no point
         // propagating it right now since it will be filled with another value
         // later.
-        needToUpdateOverrideSet = true;
-        oldOverrideSet = this.overrides;
-        this.overrides = newOverrideSet;
+        needToUpdateOverrideSet = true
+        oldOverrideSet = this.overrides
+        this.overrides = newOverrideSet
       }
     } else {
-      this.overrides = undefined;
+      this.overrides = undefined
     }
     // Patch adding "?." use based on
     // https://github.com/npm/cli/pull/8089.
-    const newTo = this.#safeFrom?.resolve(this.name);
+    const newTo = this.#safeFrom?.resolve(this.name)
     if (newTo !== this.#safeTo) {
       // Patch replacing
       // this.#to.edgesIn.delete(this)
       // is based on https://github.com/npm/cli/pull/8089.
-      this.#safeTo?.deleteEdgeIn(this);
-      this.#safeTo = newTo ?? null;
-      this.#safeError = null;
-      this.#safeTo?.addEdgeIn(this);
+      this.#safeTo?.deleteEdgeIn(this)
+      this.#safeTo = newTo ?? null
+      this.#safeError = null
+      this.#safeTo?.addEdgeIn(this)
     } else if (hard) {
-      this.#safeError = null;
+      this.#safeError = null
     }
     // Patch adding "else if" condition based on
     // https://github.com/npm/cli/pull/8089.
     else if (needToUpdateOverrideSet && this.#safeTo) {
       // Propagate the new override set to the target node.
-      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
-      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
+      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet)
+      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet)
     }
   }
   satisfiedBy(node) {
@@ -980,12 +1074,12 @@ class SafeEdge extends Edge {
     // }
     // is based on https://github.com/npm/cli/pull/8089.
     if (node.name !== this.name || !this.#safeFrom) {
-      return false;
+      return false
     }
     // NOTE: this condition means we explicitly do not support overriding
     // bundled or shrinkwrapped dependencies
     if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
-      return depValid(node, this.rawSpec, this.accept, this.#safeFrom);
+      return depValid(node, this.rawSpec, this.accept, this.#safeFrom)
     }
     // Patch replacing
     // return depValid(node, this.spec, this.#accept, this.#from)
@@ -993,16 +1087,16 @@ class SafeEdge extends Edge {
     //
     // If there's no override we just use the spec.
     if (!this.overrides?.keySpec) {
-      return depValid(node, this.spec, this.accept, this.#safeFrom);
+      return depValid(node, this.spec, this.accept, this.#safeFrom)
     }
     // There's some override. If the target node satisfies the overriding spec
     // then it's okay.
     if (depValid(node, this.spec, this.accept, this.#safeFrom)) {
-      return true;
+      return true
     }
     // If it doesn't, then it should at least satisfy the original spec.
     if (!depValid(node, this.rawSpec, this.accept, this.#safeFrom)) {
-      return false;
+      return false
     }
     // It satisfies the original spec, not the overriding spec. We need to make
     // sure it doesn't use the overridden spec.
@@ -1014,7 +1108,7 @@ class SafeEdge extends Edge {
     //   If the node is 8.23.0, then it's not okay because even though it's consistent
     //   with the rawSpec, it's also consistent with the keySpec.
     //   So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
-    return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom);
+    return !depValid(node, this.overrides.keySpec, this.accept, this.#safeFrom)
   }
 }
 
@@ -1023,364 +1117,260 @@ const {
   ALERT_TYPE_CVE,
   ALERT_TYPE_MEDIUM_CVE,
   ALERT_TYPE_MILD_CVE
-} = constants;
+} = constants
 function isArtifactAlertCve(alert) {
-  const {
-    type
-  } = alert;
-  return type === ALERT_TYPE_CVE || type === ALERT_TYPE_MEDIUM_CVE || type === ALERT_TYPE_MILD_CVE || type === ALERT_TYPE_CRITICAL_CVE;
-}
-
-let ALERT_FIX_TYPE = /*#__PURE__*/function (ALERT_FIX_TYPE) {
-  ALERT_FIX_TYPE["cve"] = "cve";
-  ALERT_FIX_TYPE["upgrade"] = "upgrade";
-  return ALERT_FIX_TYPE;
-}({});
-
-const ERROR_UX = {
-  block: true,
-  display: true
-};
-const IGNORE_UX = {
-  block: false,
-  display: false
-};
-const WARN_UX = {
-  block: false,
-  display: true
-};
-
-// Iterates over all entries with ordered issue rule for deferral.  Iterates over
-// all issue rules and finds the first defined value that does not defer otherwise
-// uses the defaultValue. Takes the value and converts into a UX workflow.
-function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
-  if (defaultValue === true || defaultValue === null || defaultValue === undefined) {
-    defaultValue = {
-      action: 'error'
-    };
-  } else if (defaultValue === false) {
-    defaultValue = {
-      action: 'ignore'
-    };
-  }
-  let block = false;
-  let display = false;
-  let needDefault = true;
-  iterate_entries: for (const rules of orderedRulesCollection) {
-    for (const rule of rules) {
-      if (ruleValueDoesNotDefer(rule)) {
-        needDefault = false;
-        const narrowingFilter = uxForDefinedNonDeferValue(rule);
-        block = block || narrowingFilter.block;
-        display = display || narrowingFilter.display;
-        continue iterate_entries;
-      }
-    }
-    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
-    block = block || narrowingFilter.block;
-    display = display || narrowingFilter.display;
-  }
-  if (needDefault) {
-    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
-    block = block || narrowingFilter.block;
-    display = display || narrowingFilter.display;
-  }
-  return {
-    block,
-    display
-  };
-}
-
-// Negative form because it is narrowing the type.
-function ruleValueDoesNotDefer(rule) {
-  if (rule === undefined) {
-    return false;
-  }
-  if (objects.isObject(rule)) {
-    const {
-      action
-    } = rule;
-    if (action === undefined || action === 'defer') {
-      return false;
-    }
-  }
-  return true;
+  const { type } = alert
+  return (
+    type === ALERT_TYPE_CVE ||
+    type === ALERT_TYPE_MEDIUM_CVE ||
+    type === ALERT_TYPE_MILD_CVE ||
+    type === ALERT_TYPE_CRITICAL_CVE
+  )
 }
 
-// Handles booleans for backwards compatibility.
-function uxForDefinedNonDeferValue(ruleValue) {
-  if (typeof ruleValue === 'boolean') {
-    return ruleValue ? ERROR_UX : IGNORE_UX;
-  }
-  const {
-    action
-  } = ruleValue;
-  if (action === 'warn') {
-    return WARN_UX;
-  } else if (action === 'ignore') {
-    return IGNORE_UX;
-  }
-  return ERROR_UX;
-}
-function createAlertUXLookup(settings) {
-  const cachedUX = new Map();
-  return context => {
-    const {
-      type
-    } = context.alert;
-    let ux = cachedUX.get(type);
-    if (ux) {
-      return ux;
-    }
-    const orderedRulesCollection = [];
-    for (const settingsEntry of settings.entries) {
-      const orderedRules = [];
-      let target = settingsEntry.start;
-      while (target !== null) {
-        const resolvedTarget = settingsEntry.settings[target];
-        if (!resolvedTarget) {
-          break;
-        }
-        const issueRuleValue = resolvedTarget.issueRules?.[type];
-        if (typeof issueRuleValue !== 'undefined') {
-          orderedRules.push(issueRuleValue);
-        }
-        target = resolvedTarget.deferTo ?? null;
-      }
-      orderedRulesCollection.push(orderedRules);
-    }
-    const defaultValue = settings.defaults.issueRules[type];
-    let resolvedDefaultValue = {
-      action: 'error'
-    };
-    if (defaultValue === false) {
-      resolvedDefaultValue = {
-        action: 'ignore'
-      };
-    } else if (defaultValue && defaultValue !== true) {
-      resolvedDefaultValue = {
-        action: defaultValue.action ?? 'error'
-      };
-    }
-    ux = resolveAlertRuleUX(orderedRulesCollection, resolvedDefaultValue);
-    cachedUX.set(type, ux);
-    return ux;
-  };
-}
-let _uxLookup;
-async function uxLookup(settings) {
-  if (_uxLookup === undefined) {
-    const {
-      orgs,
-      settings
-    } = await (async () => {
-      try {
-        const sockSdk = await setupSdk(getPublicToken());
-        const orgResult = await sockSdk.getOrganizations();
-        if (!orgResult.success) {
-          if (orgResult.status === 429) {
-            throw new Error(`API token quota exceeded: ${orgResult.error}`);
-          }
-          throw new Error(`Failed to fetch Socket organization info: ${orgResult.error}`);
-        }
-        const {
-          organizations
-        } = orgResult.data;
-        const orgs = [];
-        for (const org of Object.values(organizations)) {
-          if (org) {
-            orgs.push(org);
-          }
-        }
-        const settingsResult = await sockSdk.postSettings(orgs.map(org => ({
-          organization: org.id
-        })));
-        if (!settingsResult.success) {
-          throw new Error(`Failed to fetch API key settings: ${settingsResult.error}`);
-        }
-        return {
-          orgs,
-          settings: settingsResult.data
-        };
-      } catch (e) {
-        const cause = objects.isObject(e) && 'cause' in e ? e['cause'] : undefined;
-        if (isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
-          throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
-            cause: e
-          });
-        }
-        throw e;
-      }
-    })();
-    // Remove any organizations not being enforced.
-    const enforcedOrgs = getSetting('enforcedOrgs') ?? [];
-    for (const {
-      0: i,
-      1: org
-    } of orgs.entries()) {
-      if (!enforcedOrgs.includes(org.id)) {
-        settings.entries.splice(i, 1);
-      }
-    }
-    const socketYml = findSocketYmlSync();
-    if (socketYml) {
-      settings.entries.push({
-        start: socketYml.path,
-        settings: {
-          [socketYml.path]: {
-            deferTo: null,
-            // TODO: TypeScript complains about the type not matching. We should
-            // figure out why are providing
-            // issueRules: { [issueName: string]: boolean }
-            // but expecting
-            // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
-            issueRules: socketYml.parsed.issueRules
-          }
-        }
-      });
-    }
-    _uxLookup = createAlertUXLookup(settings);
-  }
-  return _uxLookup(settings);
-}
+const ALERT_FIX_TYPE = /*#__PURE__*/ (function (ALERT_FIX_TYPE) {
+  ALERT_FIX_TYPE['cve'] = 'cve'
+  ALERT_FIX_TYPE['upgrade'] = 'upgrade'
+  return ALERT_FIX_TYPE
+})({})
 
 function pick(input, keys) {
-  const result = {};
+  const result = {}
   for (const key of keys) {
-    result[key] = input[key];
+    result[key] = input[key]
   }
-  return result;
+  return result
 }
 
 function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean);
-  const {
-    length
-  } = values;
+  const values = list.filter(Boolean)
+  const { length } = values
   if (!length) {
-    return '';
+    return ''
   }
   if (length === 1) {
-    return values[0];
+    return values[0]
   }
-  const finalValue = values.pop();
-  return `${values.join(', ')}${separator}${finalValue}`;
+  const finalValue = values.pop()
+  return `${values.join(', ')}${separator}${finalValue}`
 }
 
-let ALERT_SEVERITY = /*#__PURE__*/function (ALERT_SEVERITY) {
-  ALERT_SEVERITY["critical"] = "critical";
-  ALERT_SEVERITY["high"] = "high";
-  ALERT_SEVERITY["middle"] = "middle";
-  ALERT_SEVERITY["low"] = "low";
-  return ALERT_SEVERITY;
-}({});
+const ALERT_SEVERITY = /*#__PURE__*/ (function (ALERT_SEVERITY) {
+  ALERT_SEVERITY['critical'] = 'critical'
+  ALERT_SEVERITY['high'] = 'high'
+  ALERT_SEVERITY['middle'] = 'middle'
+  ALERT_SEVERITY['low'] = 'low'
+  return ALERT_SEVERITY
+})({})
 // Ordered from most severe to least.
-const SEVERITIES_BY_ORDER = Object.freeze(['critical', 'high', 'middle', 'low']);
+const ALERT_SEVERITIES_SORTED = Object.freeze([
+  'critical',
+  'high',
+  'middle',
+  'low'
+])
 function getDesiredSeverities(lowestToInclude) {
-  const result = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
-    result.push(severity);
+  const result = []
+  for (const severity of ALERT_SEVERITIES_SORTED) {
+    result.push(severity)
     if (severity === lowestToInclude) {
-      break;
+      break
     }
   }
-  return result;
+  return result
 }
 function formatSeverityCount(severityCount) {
-  const summary = [];
-  for (const severity of SEVERITIES_BY_ORDER) {
+  const summary = []
+  for (const severity of ALERT_SEVERITIES_SORTED) {
     if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`);
+      summary.push(`${severityCount[severity]} ${severity}`)
     }
   }
-  return stringJoinWithSeparateFinalSeparator(summary);
+  return stringJoinWithSeparateFinalSeparator(summary)
 }
 function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick({
-    low: 0,
-    middle: 0,
-    high: 0,
-    critical: 0
-  }, getDesiredSeverities(lowestToInclude));
+  const severityCount = pick(
+    {
+      low: 0,
+      middle: 0,
+      high: 0,
+      critical: 0
+    },
+    getDesiredSeverities(lowestToInclude)
+  )
   for (const issue of issues) {
-    const {
-      value
-    } = issue;
+    const { value } = issue
     if (!value) {
-      continue;
+      continue
     }
-    const {
-      severity
-    } = value;
+    const { severity } = value
     if (severityCount[severity] !== undefined) {
-      severityCount[severity] += 1;
+      severityCount[severity] += 1
     }
   }
-  return severityCount;
+  return severityCount
 }
 
 class ColorOrMarkdown {
   constructor(useMarkdown) {
-    this.useMarkdown = !!useMarkdown;
+    this.useMarkdown = !!useMarkdown
   }
   bold(text) {
-    return this.useMarkdown ? `**${text}**` : colors.bold(`${text}`);
+    return this.useMarkdown ? `**${text}**` : colors.bold(`${text}`)
   }
   header(text, level = 1) {
-    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : colors.underline(`\n${level === 1 ? colors.bold(text) : text}\n`);
+    return this.useMarkdown
+      ? `\n${''.padStart(level, '#')} ${text}\n`
+      : colors.underline(`\n${level === 1 ? colors.bold(text) : text}\n`)
   }
-  hyperlink(text, url, {
-    fallback = true,
-    fallbackToUrl
-  } = {}) {
+  hyperlink(text, url, { fallback = true, fallbackToUrl } = {}) {
     if (url) {
-      return this.useMarkdown ? `[${text}](${url})` : terminalLink(text, url, {
-        fallback: fallbackToUrl ? (_text, url) => url : fallback
-      });
+      return this.useMarkdown
+        ? `[${text}](${url})`
+        : terminalLink(text, url, {
+            fallback: fallbackToUrl ? (_text, url) => url : fallback
+          })
     }
-    return text;
+    return text
   }
   indent(...args) {
-    return indentString(...args);
+    return indentString(...args)
   }
   italic(text) {
-    return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`);
+    return this.useMarkdown ? `_${text}_` : colors.italic(`${text}`)
   }
   json(value) {
-    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
+    return this.useMarkdown
+      ? '```json\n' + JSON.stringify(value) + '\n```'
+      : JSON.stringify(value)
   }
   list(items) {
-    const indentedContent = items.map(item => this.indent(item).trimStart());
-    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
+    const indentedContent = items.map(item => this.indent(item).trimStart())
+    return this.useMarkdown
+      ? `* ${indentedContent.join('\n* ')}\n`
+      : `${indentedContent.join('\n')}\n`
   }
 }
 
 function getSocketDevAlertUrl(alertType) {
-  return `https://socket.dev/alerts/${alertType}`;
+  return `https://socket.dev/alerts/${alertType}`
 }
 function getSocketDevPackageOverviewUrl(eco, name, version) {
-  return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`;
+  return `https://socket.dev/${eco}/package/${name}${version ? `/overview/${version}` : ''}`
 }
 
-let _translations;
+let _translations
 function getTranslations() {
   if (_translations === undefined) {
     _translations = require(
-    // Lazily access constants.rootPath.
-    path.join(constants.rootPath, 'translations.json'));
+      // Lazily access constants.rootPath.
+      path.join(constants.rootPath, 'translations.json')
+    )
   }
-  return _translations;
+  return _translations
 }
 
-const {
-  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
-  NPM: NPM$2
-} = constants;
-const format = new ColorOrMarkdown(false);
+const ALERT_SEVERITY_COLOR = /*#__PURE__*/ (function (ALERT_SEVERITY_COLOR) {
+  ALERT_SEVERITY_COLOR['critical'] = 'magenta'
+  ALERT_SEVERITY_COLOR['high'] = 'red'
+  ALERT_SEVERITY_COLOR['middle'] = 'yellow'
+  ALERT_SEVERITY_COLOR['low'] = 'white'
+  return ALERT_SEVERITY_COLOR
+})({})
+const ALERT_SEVERITY_ORDER = /*#__PURE__*/ (function (ALERT_SEVERITY_ORDER) {
+  ALERT_SEVERITY_ORDER[(ALERT_SEVERITY_ORDER['critical'] = 0)] = 'critical'
+  ALERT_SEVERITY_ORDER[(ALERT_SEVERITY_ORDER['high'] = 1)] = 'high'
+  ALERT_SEVERITY_ORDER[(ALERT_SEVERITY_ORDER['middle'] = 2)] = 'middle'
+  ALERT_SEVERITY_ORDER[(ALERT_SEVERITY_ORDER['low'] = 3)] = 'low'
+  ALERT_SEVERITY_ORDER[(ALERT_SEVERITY_ORDER['none'] = 4)] = 'none'
+  return ALERT_SEVERITY_ORDER
+})({})
+const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM: NPM$2 } =
+  constants
+const MIN_ABOVE_THE_FOLD_COUNT = 3
+const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1
+const format = new ColorOrMarkdown(false)
+function alertsHaveBlocked(alerts) {
+  return alerts.find(a => a.blocked) !== undefined
+}
+function alertsHaveSeverity(alerts, severity) {
+  return alerts.find(a => a.raw.severity === severity) !== undefined
+}
+function alertSeverityComparator(a, b) {
+  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b)
+}
+function getAlertSeverityOrder(alert) {
+  const { severity } = alert.raw
+  return severity === ALERT_SEVERITY.critical
+    ? 0
+    : severity === ALERT_SEVERITY.high
+      ? 1
+      : severity === ALERT_SEVERITY.middle
+        ? 2
+        : severity === ALERT_SEVERITY.low
+          ? 3
+          : 4
+}
+function getAlertsSeverityOrder(alerts) {
+  return alertsHaveBlocked(alerts) ||
+    alertsHaveSeverity(alerts, ALERT_SEVERITY.critical)
+    ? 0
+    : alertsHaveSeverity(alerts, ALERT_SEVERITY.high)
+      ? 1
+      : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle)
+        ? 2
+        : alertsHaveSeverity(alerts, ALERT_SEVERITY.low)
+          ? 3
+          : 4
+}
+function getHiddenRiskCounts(hiddenAlerts) {
+  const riskCounts = {
+    critical: 0,
+    high: 0,
+    middle: 0,
+    low: 0
+  }
+  for (const alert of hiddenAlerts) {
+    switch (getAlertSeverityOrder(alert)) {
+      case ALERT_SEVERITY_ORDER.critical:
+        riskCounts.critical += 1
+        break
+      case ALERT_SEVERITY_ORDER.high:
+        riskCounts.high += 1
+        break
+      case ALERT_SEVERITY_ORDER.middle:
+        riskCounts.middle += 1
+        break
+      case ALERT_SEVERITY_ORDER.low:
+        riskCounts.low += 1
+        break
+    }
+  }
+  return riskCounts
+}
+function getHiddenRisksDescription(riskCounts) {
+  const descriptions = []
+  if (riskCounts.critical) {
+    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`)
+  }
+  if (riskCounts.high) {
+    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`)
+  }
+  if (riskCounts.middle) {
+    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`)
+  }
+  if (riskCounts.low) {
+    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`)
+  }
+  return `(${descriptions.join('; ')})`
+}
+function getSeverityLabel(severity) {
+  return severity === 'middle' ? 'moderate' : severity
+}
 async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   // Make TypeScript happy.
   if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-    return alertsByPkgId;
+    return alertsByPkgId
   }
   const {
     consolidate = false,
@@ -1389,176 +1379,322 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   } = {
     __proto__: null,
     ...options
-  };
+  }
   const include = {
     __proto__: null,
+    blocked: true,
     critical: true,
     cve: true,
     unfixable: true,
-    upgrade: false,
+    upgradable: false,
     ..._include
-  };
-  const name = packages.resolvePackageName(artifact);
-  const {
-    version
-  } = artifact;
-  const pkgId = `${name}@${version}`;
-  const major = semver.major(version);
-  let sockPkgAlerts = [];
+  }
+  const name = packages.resolvePackageName(artifact)
+  const { version } = artifact
+  const pkgId = `${name}@${version}`
+  const major = semver.major(version)
+  const socketYml = findSocketYmlSync()
+  const enabledState = {
+    __proto__: null,
+    ...socketYml?.parsed.issueRules
+  }
+  let sockPkgAlerts = []
   for (const alert of artifact.alerts) {
-    // eslint-disable-next-line no-await-in-loop
-    const ux = await uxLookup({
-      package: {
-        name,
-        version
-      },
-      alert: {
-        type: alert.type
-      }
-    });
-    const fixType = alert.fix?.type ?? '';
-    const critical = alert.severity === ALERT_SEVERITY.critical;
-    const cve = isArtifactAlertCve(alert);
-    const fixableCve = fixType === ALERT_FIX_TYPE.cve;
-    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade;
-    const fixable = fixableCve || fixableUpgrade;
-    const upgrade = fixableUpgrade && !objects.hasOwn(overrides, name);
-    if (include.cve && cve || include.unfixable && !fixable || include.critical && critical || include.upgrade && upgrade) {
+    const action = alert.action ?? ''
+    const enabledFlag = enabledState[alert.type]
+    if (
+      (action === 'ignore' && enabledFlag !== true) ||
+      enabledFlag === false
+    ) {
+      continue
+    }
+    const blocked = action === 'error'
+    const critical = alert.severity === ALERT_SEVERITY.critical
+    const cve = isArtifactAlertCve(alert)
+    const fixType = alert.fix?.type ?? ''
+    const fixableCve = fixType === ALERT_FIX_TYPE.cve
+    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade
+    const fixable = fixableCve || fixableUpgrade
+    const upgradable = fixableUpgrade && !objects.hasOwn(overrides, name)
+    if (
+      (include.blocked && blocked) ||
+      (include.critical && critical) ||
+      (include.cve && cve) ||
+      (include.unfixable && !fixable) ||
+      (include.upgradable && upgradable)
+    ) {
       sockPkgAlerts.push({
         name,
         version,
         key: alert.key,
         type: alert.type,
-        block: ux.block,
+        blocked,
         critical,
-        display: ux.display,
         fixable,
         raw: alert,
-        upgrade
-      });
+        upgradable
+      })
     }
   }
   if (!sockPkgAlerts.length) {
-    return alertsByPkgId;
+    return alertsByPkgId
   }
   if (consolidate) {
-    const highestForCve = new Map();
-    const highestForUpgrade = new Map();
-    const unfixableAlerts = [];
+    const highestForCve = new Map()
+    const highestForUpgrade = new Map()
+    const unfixableAlerts = []
     for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw;
-      const fixType = alert.fix?.type ?? '';
+      const alert = sockPkgAlert.raw
+      const fixType = alert.fix?.type ?? ''
       if (fixType === ALERT_FIX_TYPE.cve) {
-        const patchedVersion = alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
-        const patchedMajor = semver.major(patchedVersion);
-        const oldHighest = highestForCve.get(patchedMajor);
-        const highest = oldHighest?.version ?? '0.0.0';
+        const patchedVersion =
+          alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER]
+        const patchedMajor = semver.major(patchedVersion)
+        const oldHighest = highestForCve.get(patchedMajor)
+        const highest = oldHighest?.version ?? '0.0.0'
         if (semver.gt(patchedVersion, highest)) {
           highestForCve.set(patchedMajor, {
             alert: sockPkgAlert,
             version: patchedVersion
-          });
+          })
         }
       } else if (fixType === ALERT_FIX_TYPE.upgrade) {
-        const oldHighest = highestForUpgrade.get(major);
-        const highest = oldHighest?.version ?? '0.0.0';
+        const oldHighest = highestForUpgrade.get(major)
+        const highest = oldHighest?.version ?? '0.0.0'
         if (semver.gt(version, highest)) {
           highestForUpgrade.set(major, {
             alert: sockPkgAlert,
             version
-          });
+          })
         }
       } else {
-        unfixableAlerts.push(sockPkgAlert);
+        unfixableAlerts.push(sockPkgAlert)
       }
     }
-    sockPkgAlerts = [...unfixableAlerts, ...[...highestForCve.values()].map(d => d.alert), ...[...highestForUpgrade.values()].map(d => d.alert)];
+    sockPkgAlerts = [
+      ...unfixableAlerts,
+      ...[...highestForCve.values()].map(d => d.alert),
+      ...[...highestForUpgrade.values()].map(d => d.alert)
+    ]
   }
   if (sockPkgAlerts.length) {
-    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
-    alertsByPkgId.set(pkgId, sockPkgAlerts);
+    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type))
+    alertsByPkgId.set(pkgId, sockPkgAlerts)
   }
-  return alertsByPkgId;
+  return alertsByPkgId
 }
 function getCveInfoByAlertsMap(alertsMap, options) {
   const exclude = {
-    upgrade: true,
+    upgradable: true,
     ...{
       __proto__: null,
       ...options
     }.exclude
-  };
-  let infoByPkg = null;
+  }
+  let infoByPkg = null
   for (const [pkgId, sockPkgAlerts] of alertsMap) {
-    const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`);
-    const name = packages.resolvePackageName(purlObj);
+    const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`)
+    const name = packages.resolvePackageName(purlObj)
     for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw;
-      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || exclude.upgrade && registry.getManifestData(NPM$2, name)) {
-        continue;
+      const alert = sockPkgAlert.raw
+      if (
+        alert.fix?.type !== ALERT_FIX_TYPE.cve ||
+        (exclude.upgradable && registry.getManifestData(NPM$2, name))
+      ) {
+        continue
       }
       if (!infoByPkg) {
-        infoByPkg = new Map();
+        infoByPkg = new Map()
       }
-      let infos = infoByPkg.get(name);
+      let infos = infoByPkg.get(name)
       if (!infos) {
-        infos = [];
-        infoByPkg.set(name, infos);
+        infos = []
+        infoByPkg.set(name, infos)
       }
-      const {
-        firstPatchedVersionIdentifier,
-        vulnerableVersionRange
-      } = alert.props;
+      const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
+        alert.props
       infos.push({
         firstPatchedVersionIdentifier,
-        vulnerableVersionRange: new semver.Range(vulnerableVersionRange).format()
-      });
+        vulnerableVersionRange: new semver.Range(
+          vulnerableVersionRange
+        ).format()
+      })
     }
   }
-  return infoByPkg;
+  return infoByPkg
 }
 function logAlertsMap(alertsMap, options) {
-  const {
-    output = process.stderr
-  } = {
+  const { hideAt = 'middle', output = process.stderr } = {
     __proto__: null,
     ...options
-  };
-  const translations = getTranslations();
-  for (const [pkgId, alerts] of alertsMap) {
-    const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`);
-    const lines = new Set();
+  }
+  const translations = getTranslations()
+  const sortedEntries = [...alertsMap.entries()].sort(
+    (a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1])
+  )
+  const aboveTheFoldPkgIds = new Set()
+  const viewableAlertsByPkgId = new Map()
+  const hiddenAlertsByPkgId = new Map()
+  for (let i = 0, { length } = sortedEntries; i < length; i += 1) {
+    const { 0: pkgId, 1: alerts } = sortedEntries[i]
+    const hiddenAlerts = []
+    const viewableAlerts = alerts.filter(a => {
+      const keep =
+        a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt]
+      if (!keep) {
+        hiddenAlerts.push(a)
+      }
+      return keep
+    })
+    if (hiddenAlerts.length) {
+      hiddenAlertsByPkgId.set(pkgId, hiddenAlerts.sort(alertSeverityComparator))
+    }
+    if (!viewableAlerts.length) {
+      continue
+    }
+    viewableAlerts.sort(alertSeverityComparator)
+    viewableAlertsByPkgId.set(pkgId, viewableAlerts)
+    if (
+      viewableAlerts.find(
+        a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle
+      )
+    ) {
+      aboveTheFoldPkgIds.add(pkgId)
+    }
+  }
+
+  // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
+  for (const { 0: pkgId } of viewableAlertsByPkgId.entries()) {
+    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+      break
+    }
+    aboveTheFoldPkgIds.add(pkgId)
+  }
+  // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
+  for (const { 0: pkgId, 1: hiddenAlerts } of hiddenAlertsByPkgId.entries()) {
+    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+      break
+    }
+    aboveTheFoldPkgIds.add(pkgId)
+    const viewableAlerts = viewableAlertsByPkgId.get(pkgId) ?? []
+    if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
+      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length
+      let removedHiddenAlerts
+      if (hiddenAlerts.length - neededCount > 0) {
+        removedHiddenAlerts = hiddenAlerts.splice(
+          0,
+          MIN_ABOVE_THE_FOLD_ALERT_COUNT
+        )
+      } else {
+        removedHiddenAlerts = hiddenAlerts
+        hiddenAlertsByPkgId.delete(pkgId)
+      }
+      viewableAlertsByPkgId.set(pkgId, [
+        ...viewableAlerts,
+        ...removedHiddenAlerts
+      ])
+    }
+  }
+  const mentionedPkgIdsWithHiddenAlerts = new Set()
+  for (
+    let i = 0,
+      prevAboveTheFold = true,
+      entries = [...viewableAlertsByPkgId.entries()],
+      { length } = entries;
+    i < length;
+    i += 1
+  ) {
+    const { 0: pkgId, 1: alerts } = entries[i]
+    const lines = new Set()
     for (const alert of alerts) {
-      const {
-        type
-      } = alert;
-      const attributes = [...(alert.fixable ? ['fixable'] : []), ...(alert.block ? [] : ['non-blocking'])];
-      const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : '';
+      const { type } = alert
+      const severity = alert.raw.severity ?? ''
+      const attributes = [
+        ...(severity
+          ? [colors[ALERT_SEVERITY_COLOR[severity]](getSeverityLabel(severity))]
+          : []),
+        ...(alert.blocked ? [colors.bold(colors.red('blocked'))] : []),
+        ...(alert.fixable ? ['fixable'] : [])
+      ]
+      const maybeAttributes = attributes.length
+        ? ` ${colors.italic(`(${attributes.join('; ')})`)}`
+        : ''
       // Based data from { pageProps: { alertTypes } } of:
       // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
-      const info = translations.alerts[type];
-      const title = info?.title ?? type;
-      const maybeDesc = info?.description ? ` - ${info.description}` : '';
+      const info = translations.alerts[type]
+      const title = info?.title ?? type
+      const maybeDesc = info?.description ? ` - ${info.description}` : ''
+      const content = `${title}${maybeAttributes}${maybeDesc}`
       // TODO: emoji seems to mis-align terminals sometimes
-      lines.add(`  ${title}${maybeAttributes}${maybeDesc}`);
+      lines.add(`  ${content}`)
+    }
+    const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${pkgId}`)
+    const hyperlink = format.hyperlink(
+      pkgId,
+      getSocketDevPackageOverviewUrl(
+        NPM$2,
+        packages.resolvePackageName(purlObj),
+        purlObj.version
+      )
+    )
+    const isAboveTheFold = aboveTheFoldPkgIds.has(pkgId)
+    if (isAboveTheFold) {
+      aboveTheFoldPkgIds.add(pkgId)
+      output.write(`${i ? '\n' : ''}${hyperlink}:\n`)
+    } else {
+      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`)
     }
-    output.write(`(socket) ${format.hyperlink(pkgId, getSocketDevPackageOverviewUrl(NPM$2, packages.resolvePackageName(purlObj), purlObj.version))} contains risks:\n`);
     for (const line of lines) {
-      output.write(`${line}\n`);
+      output.write(`${line}\n`)
+    }
+    const hiddenAlerts = hiddenAlertsByPkgId.get(pkgId) ?? []
+    const { length: hiddenAlertsCount } = hiddenAlerts
+    if (hiddenAlertsCount) {
+      mentionedPkgIdsWithHiddenAlerts.add(pkgId)
+      if (hiddenAlertsCount === 1) {
+        output.write(
+          `  ${colors.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`
+        )
+      } else {
+        output.write(
+          `  ${colors.dim(`+${hiddenAlertsCount} Hidden alerts ${colors.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`
+        )
+      }
     }
+    prevAboveTheFold = isAboveTheFold
   }
+  const additionalHiddenCount =
+    hiddenAlertsByPkgId.size - mentionedPkgIdsWithHiddenAlerts.size
+  if (additionalHiddenCount) {
+    const totalRiskCounts = {
+      critical: 0,
+      high: 0,
+      middle: 0,
+      low: 0
+    }
+    for (const { 0: pkgId, 1: alerts } of hiddenAlertsByPkgId.entries()) {
+      if (mentionedPkgIdsWithHiddenAlerts.has(pkgId)) {
+        continue
+      }
+      const riskCounts = getHiddenRiskCounts(alerts)
+      totalRiskCounts.critical += riskCounts.critical
+      totalRiskCounts.high += riskCounts.high
+      totalRiskCounts.middle += riskCounts.middle
+      totalRiskCounts.low += riskCounts.low
+    }
+    output.write(
+      `${aboveTheFoldPkgIds.size ? '\n' : ''}${colors.dim(`${aboveTheFoldPkgIds.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${colors.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`
+    )
+  }
+  output.write('\n')
 }
 
-const {
-  LOOP_SENTINEL,
-  NPM: NPM$1,
-  NPM_REGISTRY_URL
-} = constants;
+const { LOOP_SENTINEL, NPM: NPM$1, NPM_REGISTRY_URL } = constants
 function getDetailsFromDiff(diff_, options) {
-  const details = [];
+  const details = []
   // `diff_` is `null` when `npm install --package-lock-only` is passed.
   if (!diff_) {
-    return details;
+    return details
   }
   const include = {
     __proto__: null,
@@ -1568,252 +1704,285 @@ function getDetailsFromDiff(diff_, options) {
       __proto__: null,
       ...options
     }.include
-  };
-  const queue = [...diff_.children];
-  let pos = 0;
-  let {
-    length: queueLength
-  } = queue;
+  }
+  const queue = [...diff_.children]
+  let pos = 0
+  let { length: queueLength } = queue
   while (pos < queueLength) {
     if (pos === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop while walking Arborist diff');
+      throw new Error('Detected infinite loop while walking Arborist diff')
     }
-    const diff = queue[pos++];
-    const {
-      action
-    } = diff;
+    const diff = queue[pos++]
+    const { action } = diff
     if (action) {
       // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
       // action is 'REMOVE'
       // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
       // action is 'ADD'.
-      const {
-        actual: oldNode,
-        ideal: pkgNode
-      } = diff;
-      let existing;
-      let keep = false;
+      const { actual: oldNode, ideal: pkgNode } = diff
+      let existing
+      let keep = false
       if (action === DiffAction.change) {
         if (pkgNode?.package.version !== oldNode?.package.version) {
-          keep = true;
-          if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
-            existing = oldNode;
+          keep = true
+          if (
+            oldNode?.package.name &&
+            oldNode.package.name === pkgNode?.package.name
+          ) {
+            existing = oldNode
           }
         } else {
-          debug.debugLog('SKIPPING META CHANGE ON', diff);
+          debug.debugLog('SKIPPING META CHANGE ON', diff)
         }
       } else {
-        keep = action !== DiffAction.remove;
+        keep = action !== DiffAction.remove
       }
       if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        if (include.unknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL) {
+        if (
+          include.unknownOrigin ||
+          getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
+        ) {
           details.push({
             node: pkgNode,
             existing
-          });
+          })
         }
       }
     }
     for (const child of diff.children) {
-      queue[queueLength++] = child;
+      queue[queueLength++] = child
     }
   }
   if (include.unchanged) {
-    const {
-      unchanged
-    } = diff_;
-    for (let i = 0, {
-        length
-      } = unchanged; i < length; i += 1) {
-      const pkgNode = unchanged[i];
-      if (include.unknownOrigin || getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL) {
+    const { unchanged } = diff_
+    for (let i = 0, { length } = unchanged; i < length; i += 1) {
+      const pkgNode = unchanged[i]
+      if (
+        include.unknownOrigin ||
+        getUrlOrigin(pkgNode.resolved) === NPM_REGISTRY_URL
+      ) {
         details.push({
           node: pkgNode,
           existing: pkgNode
-        });
+        })
       }
     }
   }
-  return details;
+  return details
 }
 function getUrlOrigin(input) {
   try {
-    return URL.parse(input)?.origin ?? '';
+    // TODO: URL.parse is available in Node 22.1.0. We can use it when we drop Node 18.
+    // https://nodejs.org/docs/latest-v22.x/api/url.html#urlparseinput-base
+    // return URL.parse(input)?.origin ?? ''
+    return new URL(input).origin ?? ''
   } catch {}
-  return '';
+  return ''
 }
-function findBestPatchVersion(node, availableVersions, vulnerableVersionRange, _firstPatchedVersionIdentifier) {
-  const manifestData = registry.getManifestData(NPM$1, node.name);
-  let eligibleVersions;
+function findBestPatchVersion(
+  node,
+  availableVersions,
+  vulnerableVersionRange,
+  _firstPatchedVersionIdentifier
+) {
+  const manifestData = registry.getManifestData(NPM$1, node.name)
+  let eligibleVersions
   if (manifestData && manifestData.name === manifestData.package) {
-    const major = semver.major(manifestData.version);
-    eligibleVersions = availableVersions.filter(v => semver.major(v) === major);
+    const major = semver.major(manifestData.version)
+    eligibleVersions = availableVersions.filter(v => semver.major(v) === major)
   } else {
-    const major = semver.major(node.version);
-    eligibleVersions = availableVersions.filter(v =>
-    // Filter for versions that are within the current major version and
-    // are NOT in the vulnerable range.
-    semver.major(v) === major && (!vulnerableVersionRange || !semver.satisfies(v, vulnerableVersionRange)));
-  }
-  return semver.maxSatisfying(eligibleVersions, '*');
+    const major = semver.major(node.version)
+    eligibleVersions = availableVersions.filter(
+      v =>
+        // Filter for versions that are within the current major version and
+        // are NOT in the vulnerable range.
+        semver.major(v) === major &&
+        (!vulnerableVersionRange ||
+          !semver.satisfies(v, vulnerableVersionRange))
+    )
+  }
+  return semver.maxSatisfying(eligibleVersions, '*')
 }
 function findPackageNodes(tree, packageName) {
-  const queue = [{
-    node: tree
-  }];
-  const matches = [];
-  let sentinel = 0;
+  const queue = [
+    {
+      node: tree
+    }
+  ]
+  const matches = []
+  let sentinel = 0
   while (queue.length) {
     if (sentinel++ === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop in findPackageNodes');
+      throw new Error('Detected infinite loop in findPackageNodes')
     }
-    const {
-      node: currentNode
-    } = queue.pop();
-    const node = currentNode.children.get(packageName);
+    const { node: currentNode } = queue.pop()
+    const node = currentNode.children.get(packageName)
     if (node) {
-      matches.push(node);
+      matches.push(node)
     }
-    const children = [...currentNode.children.values()];
+    const children = [...currentNode.children.values()]
     for (let i = children.length - 1; i >= 0; i -= 1) {
       queue.push({
         node: children[i]
-      });
+      })
     }
   }
-  return matches;
+  return matches
 }
 async function getAlertsMapFromArborist(arb, options) {
-  const {
-    include: _include,
-    spinner
-  } = {
+  const { include: _include, spinner } = {
     __proto__: null,
     ...options
-  };
+  }
   const include = {
     __proto__: null,
+    blocked: true,
+    critical: true,
+    cve: true,
     existing: false,
     unfixable: true,
+    upgradable: false,
     ..._include
-  };
+  }
   const needInfoOn = getDetailsFromDiff(arb.diff, {
     include: {
       unchanged: include.existing
     }
-  });
-  const pkgIds = arrays.arrayUnique(needInfoOn.map(d => d.node.pkgid));
-  let {
-    length: remaining
-  } = pkgIds;
-  const alertsByPkgId = new Map();
+  })
+  const pkgIds = arrays.arrayUnique(needInfoOn.map(d => d.node.pkgid))
+  let { length: remaining } = pkgIds
+  const alertsByPkgId = new Map()
   if (!remaining) {
-    return alertsByPkgId;
-  }
-  const getText = () => `Looking up data for ${remaining} packages`;
-  spinner?.start(getText());
-  let overrides;
-  const overridesMap = (arb.actualTree ?? arb.idealTree ?? (await arb.loadActual()))?.overrides?.children;
+    return alertsByPkgId
+  }
+  const getText = () => `Looking up data for ${remaining} packages`
+  spinner?.start(getText())
+  let overrides
+  const overridesMap = (
+    arb.actualTree ??
+    arb.idealTree ??
+    (await arb.loadActual())
+  )?.overrides?.children
   if (overridesMap) {
-    overrides = Object.fromEntries([...overridesMap.entries()].map(([key, overrideSet]) => {
-      return [key, overrideSet.value];
-    }));
+    overrides = Object.fromEntries(
+      [...overridesMap.entries()].map(([key, overrideSet]) => {
+        return [key, overrideSet.value]
+      })
+    )
   }
-  const socketSdk = await setupSdk(getPublicToken());
+  const sockSdk = await setupSdk(getPublicToken())
   const toAlertsMapOptions = {
-    overrides,
-    ...options
-  };
-  for await (const batchPackageFetchResult of socketSdk.batchPackageStream({
-    alerts: 'true',
-    compact: 'true',
-    fixable: include.unfixable ? 'false' : 'true'
-  }, {
-    components: pkgIds.map(id => ({
-      purl: `pkg:npm/${id}`
-    }))
-  })) {
+    ...options,
+    include,
+    overrides
+  }
+  for await (const batchPackageFetchResult of sockSdk.batchPackageStream(
+    {
+      alerts: 'true',
+      compact: 'true',
+      fixable: include.unfixable ? 'false' : 'true'
+    },
+    {
+      components: pkgIds.map(id => ({
+        purl: `pkg:npm/${id}`
+      }))
+    }
+  )) {
     if (batchPackageFetchResult.success) {
-      await addArtifactToAlertsMap(batchPackageFetchResult.data, alertsByPkgId, toAlertsMapOptions);
+      await addArtifactToAlertsMap(
+        batchPackageFetchResult.data,
+        alertsByPkgId,
+        toAlertsMapOptions
+      )
     }
-    remaining -= 1;
+    remaining -= 1
     if (spinner && remaining > 0) {
-      spinner.start();
-      spinner.setText(getText());
+      spinner.start()
+      spinner.setText(getText())
     }
   }
-  spinner?.stop();
-  return alertsByPkgId;
+  spinner?.stop()
+  return alertsByPkgId
 }
-function updateNode(node, packument, vulnerableVersionRange, firstPatchedVersionIdentifier) {
-  const availableVersions = Object.keys(packument.versions);
+function updateNode(
+  node,
+  packument,
+  vulnerableVersionRange,
+  firstPatchedVersionIdentifier
+) {
+  const availableVersions = Object.keys(packument.versions)
   // Find the highest non-vulnerable version within the same major range
-  const targetVersion = findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
-  const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+  const targetVersion = findBestPatchVersion(
+    node,
+    availableVersions,
+    vulnerableVersionRange
+  )
+  const targetPackument = targetVersion
+    ? packument.versions[targetVersion]
+    : undefined
   // Check !targetVersion to make TypeScript happy.
   if (!targetVersion || !targetPackument) {
     // No suitable patch version found.
-    return false;
+    return false
   }
   // Use Object.defineProperty to override the version.
   Object.defineProperty(node, 'version', {
     configurable: true,
     enumerable: true,
     get: () => targetVersion
-  });
-  node.package.version = targetVersion;
+  })
+  node.package.version = targetVersion
   // Update resolved and clear integrity for the new version.
-  const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${node.name}`);
-  node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${targetVersion}.tgz`;
-  const {
-    integrity
-  } = targetPackument.dist;
+  const purlObj = packageurlJs.PackageURL.fromString(`pkg:npm/${node.name}`)
+  node.resolved = `${NPM_REGISTRY_URL}/${node.name}/-/${purlObj.name}-${targetVersion}.tgz`
+  const { integrity } = targetPackument.dist
   if (integrity) {
-    node.integrity = integrity;
+    node.integrity = integrity
   } else {
-    delete node.integrity;
+    delete node.integrity
   }
   if ('deprecated' in targetPackument) {
-    node.package['deprecated'] = targetPackument.deprecated;
+    node.package['deprecated'] = targetPackument.deprecated
   } else {
-    delete node.package['deprecated'];
+    delete node.package['deprecated']
   }
   const newDeps = {
     ...targetPackument.dependencies
-  };
-  const {
-    dependencies: oldDeps
-  } = node.package;
-  node.package.dependencies = newDeps;
+  }
+  const { dependencies: oldDeps } = node.package
+  node.package.dependencies = newDeps
   if (oldDeps) {
     for (const oldDepName of Object.keys(oldDeps)) {
       if (!objects.hasOwn(newDeps, oldDepName)) {
-        node.edgesOut.get(oldDepName)?.detach();
+        node.edgesOut.get(oldDepName)?.detach()
       }
     }
   }
   for (const newDepName of Object.keys(newDeps)) {
     if (!objects.hasOwn(oldDeps, newDepName)) {
-      node.addEdgeOut(new Edge({
-        from: node,
-        name: newDepName,
-        spec: newDeps[newDepName],
-        type: 'prod'
-      }));
+      node.addEdgeOut(
+        new Edge({
+          from: node,
+          name: newDepName,
+          spec: newDeps[newDepName],
+          type: 'prod'
+        })
+      )
     }
   }
-  return true;
+  return true
 }
 
 const {
   NPM,
   NPX,
-  SOCKET_CLI_SAFE_WRAPPER,
+  SOCKET_CLI_ACCEPT_RISKS,
+  SOCKET_CLI_SAFE_BIN,
+  SOCKET_CLI_SAFE_PROGRESS,
+  SOCKET_CLI_VIEW_ALL_RISKS,
   kInternalsSymbol,
-  [kInternalsSymbol]: {
-    getIpc
-  }
-} = constants;
+  [kInternalsSymbol]: { getIpc }
+} = constants
 const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   __proto__: null,
   audit: false,
@@ -1824,34 +1993,44 @@ const SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = {
   save: false,
   saveBundle: false,
   silent: true
-};
-const kCtorArgs = Symbol('ctorArgs');
-const kRiskyReify = Symbol('riskyReify');
-const Arborist = require(shadowNpmPaths.getArboristClassPath());
+}
+const kCtorArgs = Symbol('ctorArgs')
+const kRiskyReify = Symbol('riskyReify')
+const Arborist = require(shadowNpmPaths.getArboristClassPath())
 
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
 class SafeArborist extends Arborist {
   constructor(...ctorArgs) {
-    super({
-      path: (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process$1.cwd(),
-      ...(ctorArgs.length ? ctorArgs[0] : undefined),
-      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-    }, ...ctorArgs.slice(1));
-    this[kCtorArgs] = ctorArgs;
+    super(
+      {
+        path:
+          (ctorArgs.length ? ctorArgs[0]?.path : undefined) ?? process$1.cwd(),
+        ...(ctorArgs.length ? ctorArgs[0] : undefined),
+        ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+      },
+      ...ctorArgs.slice(1)
+    )
+    this[kCtorArgs] = ctorArgs
   }
   async [kRiskyReify](...args) {
-    const ctorArgs = this[kCtorArgs];
-    const arb = new Arborist({
-      ...(ctorArgs.length ? ctorArgs[0] : undefined),
-      progress: false
-    }, ...ctorArgs.slice(1));
-    const ret = await arb.reify({
-      ...(args.length ? args[0] : undefined),
-      progress: false
-    }, ...args.slice(1));
-    Object.assign(this, arb);
-    return ret;
+    const ctorArgs = this[kCtorArgs]
+    const arb = new Arborist(
+      {
+        ...(ctorArgs.length ? ctorArgs[0] : undefined),
+        progress: false
+      },
+      ...ctorArgs.slice(1)
+    )
+    const ret = await arb.reify(
+      {
+        ...(args.length ? args[0] : undefined),
+        progress: false
+      },
+      ...args.slice(1)
+    )
+    Object.assign(this, arb)
+    return ret
   }
 
   // @ts-ignore Incorrectly typed.
@@ -1859,95 +2038,119 @@ class SafeArborist extends Arborist {
     const options = {
       __proto__: null,
       ...(args.length ? args[0] : undefined)
-    };
-    const safeWrapperName = options.dryRun ? undefined : await getIpc(SOCKET_CLI_SAFE_WRAPPER);
-    const isSafeNpm = safeWrapperName === NPM;
-    const isSafeNpx = safeWrapperName === NPX;
-    if (!safeWrapperName || isSafeNpx && options['yes']) {
-      return await this[kRiskyReify](...args);
     }
-
-    // Lazily access constants.spinner.
-    const {
-      spinner
-    } = constants;
-    await super.reify({
-      ...options,
-      ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
-      progress: false
-    },
-    // @ts-ignore: TS gets grumpy about rest parameters.
-    ...args.slice(1));
+    const ipc = await getIpc()
+    const binName = ipc[SOCKET_CLI_SAFE_BIN]
+    if (!binName) {
+      return await this[kRiskyReify](...args)
+    }
+    await super.reify(
+      {
+        ...options,
+        ...SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES,
+        progress: false
+      },
+      // @ts-ignore: TS gets grumpy about rest parameters.
+      ...args.slice(1)
+    )
+    const progress = ipc[SOCKET_CLI_SAFE_PROGRESS]
+    const spinner =
+      options['silent'] || !progress
+        ? undefined
+        : // Lazily access constants.spinner.
+          constants.spinner
+    const isSafeNpm = binName === NPM
+    const isSafeNpx = binName === NPX
     const alertsMap = await getAlertsMapFromArborist(this, {
       spinner,
-      include: {
-        existing: isSafeNpx,
-        unfixable: isSafeNpm
-      }
-    });
+      include:
+        options.dryRun ||
+        options['yes'] ||
+        // Lazily access constants.ENV[SOCKET_CLI_ACCEPT_RISKS].
+        constants.ENV[SOCKET_CLI_ACCEPT_RISKS]
+          ? {
+              blocked: true,
+              critical: false,
+              cve: false,
+              unfixable: false
+            }
+          : {
+              existing: isSafeNpx,
+              unfixable: isSafeNpm
+            }
+    })
     if (alertsMap.size) {
+      process$1.exitCode = 1
       logAlertsMap(alertsMap, {
+        // Lazily access constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS].
+        hideAt: constants.ENV[SOCKET_CLI_VIEW_ALL_RISKS] ? 'none' : 'middle',
         output: process$1.stderr
-      });
-      if (!(await prompts.confirm({
-        message: 'Accept risks of installing these packages?',
-        default: false
-      }))) {
-        throw new Error('Socket npm exiting due to risks');
+      })
+      throw new Error(commonTags.stripIndents`
+          Socket ${binName} exiting due to risks.
+          View all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.
+          Accept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.
+        `)
+    } else if (!options['silent']) {
+      logger.logger.success(`Socket ${binName} found no risks!`)
+      if (binName === NPX) {
+        logger.logger.log(`Running ${options.add[0]}`)
       }
-    } else {
-      logger.logger.success('Socket npm found no risks!');
     }
-    return await this[kRiskyReify](...args);
+    return await this[kRiskyReify](...args)
   }
 }
 
 function installSafeArborist() {
   // Override '@npmcli/arborist' module exports with patched variants based on
   // https://github.com/npm/cli/pull/8089.
-  const cache = require.cache;
+  const cache = require.cache
   cache[shadowNpmPaths.getArboristClassPath()] = {
     exports: SafeArborist
-  };
+  }
   cache[shadowNpmPaths.getArboristEdgeClassPath()] = {
     exports: SafeEdge
-  };
+  }
   cache[shadowNpmPaths.getArboristNodeClassPath()] = {
     exports: SafeNode
-  };
+  }
   cache[shadowNpmPaths.getArboristOverrideSetClassPath()] = {
     exports: SafeOverrideSet
-  };
+  }
 }
 
-installSafeArborist();
+installSafeArborist()
 
-exports.ALERT_SEVERITY = ALERT_SEVERITY;
-exports.Arborist = Arborist;
-exports.AuthError = AuthError;
-exports.ColorOrMarkdown = ColorOrMarkdown;
-exports.InputError = InputError;
-exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES = SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES;
-exports.SafeArborist = SafeArborist;
-exports.addArtifactToAlertsMap = addArtifactToAlertsMap;
-exports.captureException = captureException;
-exports.findBestPatchVersion = findBestPatchVersion;
-exports.findPackageNodes = findPackageNodes;
-exports.findUp = findUp;
-exports.formatSeverityCount = formatSeverityCount;
-exports.getAlertsMapFromArborist = getAlertsMapFromArborist;
-exports.getCveInfoByAlertsMap = getCveInfoByAlertsMap;
-exports.getDefaultToken = getDefaultToken;
-exports.getPublicToken = getPublicToken;
-exports.getSetting = getSetting;
-exports.getSeverityCount = getSeverityCount;
-exports.getSocketDevAlertUrl = getSocketDevAlertUrl;
-exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl;
-exports.readFileBinary = readFileBinary;
-exports.readFileUtf8 = readFileUtf8;
-exports.safeReadFile = safeReadFile;
-exports.setupSdk = setupSdk;
-exports.updateNode = updateNode;
-exports.updateSetting = updateSetting;
-//# debugId=86178861-a8cc-486b-ac92-f49e627e80af
+exports.ALERT_SEVERITY = ALERT_SEVERITY
+exports.Arborist = Arborist
+exports.AuthError = AuthError
+exports.ColorOrMarkdown = ColorOrMarkdown
+exports.InputError = InputError
+exports.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES =
+  SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+exports.SafeArborist = SafeArborist
+exports.addArtifactToAlertsMap = addArtifactToAlertsMap
+exports.captureException = captureException
+exports.findBestPatchVersion = findBestPatchVersion
+exports.findPackageNodes = findPackageNodes
+exports.findUp = findUp
+exports.formatSeverityCount = formatSeverityCount
+exports.getAlertsMapFromArborist = getAlertsMapFromArborist
+exports.getConfigValue = getConfigValue
+exports.getCveInfoByAlertsMap = getCveInfoByAlertsMap
+exports.getDefaultToken = getDefaultToken
+exports.getPublicToken = getPublicToken
+exports.getSeverityCount = getSeverityCount
+exports.getSocketDevAlertUrl = getSocketDevAlertUrl
+exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl
+exports.overrideCachedConfig = overrideCachedConfig
+exports.readFileBinary = readFileBinary
+exports.readFileUtf8 = readFileUtf8
+exports.safeReadFile = safeReadFile
+exports.sensitiveConfigKeys = sensitiveConfigKeys
+exports.setupSdk = setupSdk
+exports.supportedConfigKeys = supportedConfigKeys
+exports.updateConfigValue = updateConfigValue
+exports.updateNode = updateNode
+//# debugId=c4cc0383-a1f3-4096-bddd-173589820ed1
 //# sourceMappingURL=shadow-npm-inject.js.map