@socketsecurity/cli-with-sentry 0.15.11 → 0.15.12

package/dist/utils.js

@@ -1,105 +1,93 @@
-'use strict'
-
-const vendor = require('./vendor.js')
-const logger = require('../external/@socketsecurity/registry/lib/logger')
-const debug = require('../external/@socketsecurity/registry/lib/debug')
-const path = require('node:path')
-const objects = require('../external/@socketsecurity/registry/lib/objects')
-const path$1 = require('../external/@socketsecurity/registry/lib/path')
-const regexps = require('../external/@socketsecurity/registry/lib/regexps')
-const constants = require('./constants.js')
-const prompts = require('../external/@socketsecurity/registry/lib/prompts')
-const strings = require('../external/@socketsecurity/registry/lib/strings')
-const promises = require('node:timers/promises')
-const arrays = require('../external/@socketsecurity/registry/lib/arrays')
-const fs = require('node:fs')
-const registry = require('../external/@socketsecurity/registry')
-const packages = require('../external/@socketsecurity/registry/lib/packages')
-const sorts = require('../external/@socketsecurity/registry/lib/sorts')
-const Module = require('node:module')
-const spawn = require('../external/@socketsecurity/registry/lib/spawn')
-const npm = require('../external/@socketsecurity/registry/lib/npm')
-const words = require('../external/@socketsecurity/registry/lib/words')
-const fs$1 = require('../external/@socketsecurity/registry/lib/fs')
-
-const _documentCurrentScript =
-  typeof document !== 'undefined' ? document.currentScript : null
-const { NPM: NPM$6, PNPM: PNPM$2 } = constants
-const PNPM_WORKSPACE = `${PNPM$2}-workspace`
+'use strict';
+
+var vendor = require('./vendor.js');
+var logger = require('../external/@socketsecurity/registry/lib/logger');
+var debug = require('../external/@socketsecurity/registry/lib/debug');
+var path = require('node:path');
+var objects = require('../external/@socketsecurity/registry/lib/objects');
+var path$1 = require('../external/@socketsecurity/registry/lib/path');
+var regexps = require('../external/@socketsecurity/registry/lib/regexps');
+var constants = require('./constants.js');
+var prompts = require('../external/@socketsecurity/registry/lib/prompts');
+var strings = require('../external/@socketsecurity/registry/lib/strings');
+var promises = require('node:timers/promises');
+var arrays = require('../external/@socketsecurity/registry/lib/arrays');
+var fs = require('node:fs');
+var registry = require('../external/@socketsecurity/registry');
+var packages = require('../external/@socketsecurity/registry/lib/packages');
+var sorts = require('../external/@socketsecurity/registry/lib/sorts');
+var Module = require('node:module');
+var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var npm = require('../external/@socketsecurity/registry/lib/npm');
+var words = require('../external/@socketsecurity/registry/lib/words');
+var fs$1 = require('../external/@socketsecurity/registry/lib/fs');
+
+var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
+const {
+  NPM: NPM$6,
+  PNPM: PNPM$2
+} = constants;
+const PNPM_WORKSPACE = `${PNPM$2}-workspace`;
 const ignoredDirs = [
-  // Taken from ignore-by-default:
-  // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
-  '.git',
-  // Git repository files, see <https://git-scm.com/>
-  '.log',
-  // Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
-  '.nyc_output',
-  // Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
-  '.sass-cache',
-  // Cache folder for node-sass, see <https://github.com/sass/node-sass>
-  '.yarn',
-  // Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
-  'bower_components',
-  // Where Bower packages are installed, see <http://bower.io/>
-  'coverage',
-  // Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
-  'node_modules',
-  // Where Node modules are installed, see <https://nodejs.org/>
-  // Taken from globby:
-  // https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
-  'flow-typed'
-]
-const ignoredDirPatterns = ignoredDirs.map(i => `**/${i}`)
+// Taken from ignore-by-default:
+// https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
+'.git',
+// Git repository files, see <https://git-scm.com/>
+'.log',
+// Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
+'.nyc_output',
+// Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
+'.sass-cache',
+// Cache folder for node-sass, see <https://github.com/sass/node-sass>
+'.yarn',
+// Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
+'bower_components',
+// Where Bower packages are installed, see <http://bower.io/>
+'coverage',
+// Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
+'node_modules',
+// Where Node modules are installed, see <https://nodejs.org/>
+// Taken from globby:
+// https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
+'flow-typed'];
+const ignoredDirPatterns = ignoredDirs.map(i => `**/${i}`);
 async function getWorkspaceGlobs(agent, cwd = process.cwd()) {
-  let workspacePatterns
+  let workspacePatterns;
   if (agent === PNPM$2) {
-    for (const workspacePath of [
-      path.join(cwd, `${PNPM_WORKSPACE}.yaml`),
-      path.join(cwd, `${PNPM_WORKSPACE}.yml`)
-    ]) {
+    for (const workspacePath of [path.join(cwd, `${PNPM_WORKSPACE}.yaml`), path.join(cwd, `${PNPM_WORKSPACE}.yml`)]) {
       // eslint-disable-next-line no-await-in-loop
-      const yml = await safeReadFile(workspacePath)
+      const yml = await safeReadFile(workspacePath);
       if (yml) {
         try {
-          workspacePatterns = vendor.distExports$1.parse(yml)?.packages
+          workspacePatterns = vendor.distExports$1.parse(yml)?.packages;
         } catch {}
         if (workspacePatterns) {
-          break
+          break;
         }
       }
     }
   } else {
-    workspacePatterns = (
-      await packages.readPackageJson(cwd, {
-        throws: false
-      })
-    )?.['workspaces']
+    workspacePatterns = (await packages.readPackageJson(cwd, {
+      throws: false
+    }))?.['workspaces'];
   }
-  return Array.isArray(workspacePatterns)
-    ? workspacePatterns
-        .filter(strings.isNonEmptyString)
-        .map(workspacePatternToGlobPattern)
-    : []
+  return Array.isArray(workspacePatterns) ? workspacePatterns.filter(strings.isNonEmptyString).map(workspacePatternToGlobPattern) : [];
 }
 function ignoreFileLinesToGlobPatterns(lines, filepath, cwd) {
-  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/')
-  const patterns = []
-  for (let i = 0, { length } = lines; i < length; i += 1) {
-    const pattern = lines[i].trim()
+  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/');
+  const patterns = [];
+  for (let i = 0, {
+      length
+    } = lines; i < length; i += 1) {
+    const pattern = lines[i].trim();
     if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {
-      patterns.push(
-        ignorePatternToMinimatch(
-          pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/
-            ? `!${path.posix.join(base, pattern.slice(1))}`
-            : path.posix.join(base, pattern)
-        )
-      )
+      patterns.push(ignorePatternToMinimatch(pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/ ? `!${path.posix.join(base, pattern.slice(1))}` : path.posix.join(base, pattern)));
     }
   }
-  return patterns
+  return patterns;
 }
 function ignoreFileToGlobPatterns(content, filepath, cwd) {
-  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd)
+  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd);
 }
 
 // Based on `@eslint/compat` convertIgnorePatternToMinimatch.
@@ -107,25 +95,16 @@ function ignoreFileToGlobPatterns(content, filepath, cwd) {
 // Copyright Nicholas C. Zakas
 // https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28
 function ignorePatternToMinimatch(pattern) {
-  const isNegated = pattern.startsWith('!')
-  const negatedPrefix = isNegated ? '!' : ''
-  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd()
+  const isNegated = pattern.startsWith('!');
+  const negatedPrefix = isNegated ? '!' : '';
+  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd();
   // Special cases.
-  if (
-    patternToTest === '' ||
-    patternToTest === '**' ||
-    patternToTest === '/**' ||
-    patternToTest === '**'
-  ) {
-    return `${negatedPrefix}${patternToTest}`
-  }
-  const firstIndexOfSlash = patternToTest.indexOf('/')
-  const matchEverywherePrefix =
-    firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1
-      ? '**/'
-      : ''
-  const patternWithoutLeadingSlash =
-    firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest
+  if (patternToTest === '' || patternToTest === '**' || patternToTest === '/**' || patternToTest === '**') {
+    return `${negatedPrefix}${patternToTest}`;
+  }
+  const firstIndexOfSlash = patternToTest.indexOf('/');
+  const matchEverywherePrefix = firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1 ? '**/' : '';
+  const patternWithoutLeadingSlash = firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest;
   // Escape `{` and `(` because in gitignore patterns they are just
   // literal characters without any specific syntactic meaning,
   // while in minimatch patterns they can form brace expansion or extglob syntax.
@@ -133,48 +112,35 @@ function ignorePatternToMinimatch(pattern) {
   // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.
   // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.
   // Minimatch pattern `src/\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.
-  const escapedPatternWithoutLeadingSlash =
-    patternWithoutLeadingSlash.replaceAll(
-      /(?=((?:\\.|[^{(])*))\1([{(])/guy,
-      '$1\\$2'
-    )
-  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : ''
-  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`
+  const escapedPatternWithoutLeadingSlash = patternWithoutLeadingSlash.replaceAll(/(?=((?:\\.|[^{(])*))\1([{(])/guy, '$1\\$2');
+  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : '';
+  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`;
 }
 function workspacePatternToGlobPattern(workspace) {
-  const { length } = workspace
+  const {
+    length
+  } = workspace;
   if (!length) {
-    return ''
+    return '';
   }
   // If the workspace ends with "/"
   if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
-    return `${workspace}/*/package.json`
+    return `${workspace}/*/package.json`;
   }
   // If the workspace ends with "/**"
-  if (
-    workspace.charCodeAt(length - 1) === 42 /*'*'*/ &&
-    workspace.charCodeAt(length - 2) === 42 /*'*'*/ &&
-    workspace.charCodeAt(length - 3) === 47 /*'/'*/
-  ) {
-    return `${workspace}/*/**/package.json`
+  if (workspace.charCodeAt(length - 1) === 42 /*'*'*/ && workspace.charCodeAt(length - 2) === 42 /*'*'*/ && workspace.charCodeAt(length - 3) === 47 /*'/'*/) {
+    return `${workspace}/*/**/package.json`;
   }
   // Things like "packages/a" or "packages/*"
-  return `${workspace}/package.json`
+  return `${workspace}/package.json`;
 }
 async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
-  const patterns = ['golang', NPM$6, 'maven', 'pypi', 'gem', 'nuget'].reduce(
-    (r, n) => {
-      const supported = supportedFiles[n]
-      r.push(
-        ...(supported
-          ? Object.values(supported).map(p => `**/${p.pattern}`)
-          : [])
-      )
-      return r
-    },
-    []
-  )
-  return entries.filter(p => vendor.micromatchExports.some(p, patterns))
+  const patterns = ['golang', NPM$6, 'maven', 'pypi', 'gem', 'nuget'].reduce((r, n) => {
+    const supported = supportedFiles[n];
+    r.push(...(supported ? Object.values(supported).map(p => `**/${p.pattern}`) : []));
+    return r;
+  }, []);
+  return entries.filter(p => vendor.micromatchExports.some(p, patterns));
 }
 async function globWithGitIgnore(patterns, options) {
   const {
@@ -184,468 +150,421 @@ async function globWithGitIgnore(patterns, options) {
   } = {
     __proto__: null,
     ...options
-  }
-  const projectIgnorePaths = socketConfig?.projectIgnorePaths
+  };
+  const projectIgnorePaths = socketConfig?.projectIgnorePaths;
   const ignoreFiles = await vendor.distExports.glob(['**/.gitignore'], {
     absolute: true,
     cwd,
     expandDirectories: true
-  })
-  const ignores = [
-    ...ignoredDirPatterns,
-    ...(Array.isArray(projectIgnorePaths)
-      ? ignoreFileLinesToGlobPatterns(
-          projectIgnorePaths,
-          path.join(cwd, '.gitignore'),
-          cwd
-        )
-      : []),
-    ...(
-      await Promise.all(
-        ignoreFiles.map(async filepath =>
-          ignoreFileToGlobPatterns(
-            await fs.promises.readFile(filepath, 'utf8'),
-            filepath,
-            cwd
-          )
-        )
-      )
-    ).flat()
-  ]
-  const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /*'!'*/)
+  });
+  const ignores = [...ignoredDirPatterns, ...(Array.isArray(projectIgnorePaths) ? ignoreFileLinesToGlobPatterns(projectIgnorePaths, path.join(cwd, '.gitignore'), cwd) : []), ...(await Promise.all(ignoreFiles.map(async filepath => ignoreFileToGlobPatterns(await fs.promises.readFile(filepath, 'utf8'), filepath, cwd)))).flat()];
+  const hasNegatedPattern = ignores.some(p => p.charCodeAt(0) === 33 /*'!'*/);
   const globOptions = {
     absolute: true,
     cwd,
     expandDirectories: false,
     ignore: hasNegatedPattern ? [] : ignores,
     ...additionalOptions
-  }
-  const result = await vendor.distExports.glob(patterns, globOptions)
+  };
+  const result = await vendor.distExports.glob(patterns, globOptions);
   if (!hasNegatedPattern) {
-    return result
+    return result;
   }
-  const { absolute } = globOptions
+  const {
+    absolute
+  } = globOptions;
 
   // Note: the input files must be INSIDE the cwd. If you get strange looking
   // relative path errors here, most likely your path is outside the given cwd.
-  const filtered = vendor
-    .ignoreExports()
-    .add(ignores)
-    .filter(absolute ? result.map(p => path.relative(cwd, p)) : result)
-  return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered
+  const filtered = vendor.ignoreExports().add(ignores).filter(absolute ? result.map(p => path.relative(cwd, p)) : result);
+  return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered;
 }
 async function globNodeModules(cwd = process.cwd()) {
   return await vendor.distExports.glob('**/node_modules/**', {
     absolute: true,
     cwd
-  })
+  });
 }
 async function globWorkspace(agent, cwd = process.cwd()) {
-  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd)
-  return workspaceGlobs.length
-    ? await vendor.distExports.glob(workspaceGlobs, {
-        absolute: true,
-        cwd,
-        ignore: ['**/node_modules/**', '**/bower_components/**']
-      })
-    : []
+  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd);
+  return workspaceGlobs.length ? await vendor.distExports.glob(workspaceGlobs, {
+    absolute: true,
+    cwd,
+    ignore: ['**/node_modules/**', '**/bower_components/**']
+  }) : [];
 }
 function pathsToGlobPatterns(paths) {
   // TODO: Does not support `~/` paths.
-  return paths.map(p => (p === '.' || p === './' ? '**/*' : p))
+  return paths.map(p => p === '.' || p === './' ? '**/*' : p);
 }
 
-const { abortSignal } = constants
+const {
+  abortSignal
+} = constants;
 async function removeNodeModules(cwd = process.cwd()) {
-  const nodeModulesPaths = await globNodeModules(cwd)
-  await Promise.all(nodeModulesPaths.map(p => fs$1.remove(p)))
+  const nodeModulesPaths = await globNodeModules(cwd);
+  await Promise.all(nodeModulesPaths.map(p => fs$1.remove(p)));
 }
-async function findUp(name, { cwd = process.cwd(), signal = abortSignal }) {
-  let dir = path.resolve(cwd)
-  const { root } = path.parse(dir)
-  const names = [name].flat()
+async function findUp(name, {
+  cwd = process.cwd(),
+  signal = abortSignal
+}) {
+  let dir = path.resolve(cwd);
+  const {
+    root
+  } = path.parse(dir);
+  const names = [name].flat();
   while (dir && dir !== root) {
     for (const name of names) {
       if (signal?.aborted) {
-        return undefined
+        return undefined;
       }
-      const filePath = path.join(dir, name)
+      const filePath = path.join(dir, name);
       try {
         // eslint-disable-next-line no-await-in-loop
-        const stats = await fs.promises.stat(filePath)
+        const stats = await fs.promises.stat(filePath);
         if (stats.isFile()) {
-          return filePath
+          return filePath;
         }
       } catch {}
     }
-    dir = path.dirname(dir)
+    dir = path.dirname(dir);
   }
-  return undefined
+  return undefined;
 }
 async function readFileBinary(filepath, options) {
   return await fs.promises.readFile(filepath, {
     signal: abortSignal,
     ...options,
     encoding: 'binary'
-  })
+  });
 }
 async function readFileUtf8(filepath, options) {
   return await fs.promises.readFile(filepath, {
     signal: abortSignal,
     ...options,
     encoding: 'utf8'
-  })
+  });
 }
 async function safeReadFile(filepath, options) {
   try {
     return await fs.promises.readFile(filepath, {
       encoding: 'utf8',
       signal: abortSignal,
-      ...(typeof options === 'string'
-        ? {
-            encoding: options
-          }
-        : options)
-    })
+      ...(typeof options === 'string' ? {
+        encoding: options
+      } : options)
+    });
   } catch {}
-  return undefined
+  return undefined;
 }
 function safeReadFileSync(filepath, options) {
   try {
     return fs.readFileSync(filepath, {
       encoding: 'utf8',
-      ...(typeof options === 'string'
-        ? {
-            encoding: options
-          }
-        : options)
-    })
+      ...(typeof options === 'string' ? {
+        encoding: options
+      } : options)
+    });
   } catch {}
-  return undefined
-}
-
-const supportedConfigKeys = new Map([
-  ['apiBaseUrl', 'Base URL of the API endpoint'],
-  ['apiProxy', 'A proxy through which to access the API'],
-  ['apiToken', 'The API token required to access most API endpoints'],
-  [
-    'defaultOrg',
-    'The default org slug to use; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.'
-  ],
-  [
-    'enforcedOrgs',
-    'Orgs in this list have their security policies enforced on this machine'
-  ],
-  ['isTestingV1', 'For development of testing the next major bump']
-])
-const sensitiveConfigKeys = new Set(['apiToken'])
-let _cachedConfig
-// When using --config or SOCKET_CLI_CONFIG, do not persist the config.
-let _readOnlyConfig = false
-function overrideCachedConfig(jsonConfig) {
-  debug.debugLog('Overriding entire config, marking config as read-only')
-  let config
-  try {
-    config = JSON.parse(String(jsonConfig))
-    if (!config || typeof config !== 'object') {
-      // `null` is valid json, so are primitive values. They're not valid config objects :)
-      return {
-        ok: false,
-        message: 'Could not parse Config as JSON',
-        cause:
-          "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
-      }
-    }
-  } catch {
-    // Force set an empty config to prevent accidentally using system settings
-    _cachedConfig = {}
-    _readOnlyConfig = true
-    return {
-      ok: false,
-      message: 'Could not parse Config as JSON',
-      cause:
-        "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
-    }
-  }
-
-  // @ts-ignore Override an illegal object.
-  _cachedConfig = config
-  _readOnlyConfig = true
-
-  // Normalize apiKey to apiToken.
-  if (_cachedConfig['apiKey']) {
-    if (_cachedConfig['apiToken']) {
-      logger.logger.warn(
-        'Note: The config override had both apiToken and apiKey. Using the apiToken value. Remove the apiKey to get rid of this message.'
-      )
-    }
-    _cachedConfig['apiToken'] = _cachedConfig['apiKey']
-    delete _cachedConfig['apiKey']
-  }
-  return {
-    ok: true,
-    data: undefined
-  }
-}
-function overrideConfigApiToken(apiToken) {
-  debug.debugLog('Overriding API token, marking config as read-only')
-  // Set token to the local cached config and mark it read-only so it doesn't persist
-  _cachedConfig = {
-    ...vendor.configExports,
-    ...(apiToken === undefined
-      ? {}
-      : {
-          apiToken: String(apiToken)
-        })
-  }
-  _readOnlyConfig = true
+  return undefined;
 }
+
+const sensitiveConfigKeys = new Set(['apiToken']);
+const supportedConfigKeys = new Map([['apiBaseUrl', 'Base URL of the API endpoint'], ['apiProxy', 'A proxy through which to access the API'], ['apiToken', 'The API token required to access most API endpoints'], ['defaultOrg', 'The default org slug to use; usually the org your API token has access to. When set, all orgSlug arguments are implied to be this value.'], ['enforcedOrgs', 'Orgs in this list have their security policies enforced on this machine'], ['isTestingV1', 'For development of testing the next major bump']]);
 function getConfigValues() {
   if (_cachedConfig === undefined) {
     // Order: env var > --config flag > file
-    _cachedConfig = {}
-    // Lazily access constants.socketAppPath.
-    const { socketAppPath } = constants
-    if (socketAppPath) {
-      const raw = safeReadFileSync(socketAppPath)
+    _cachedConfig = {};
+    // Lazily access constants.socketAppDataPath.
+    const {
+      socketAppDataPath
+    } = constants;
+    if (socketAppDataPath) {
+      const raw = safeReadFileSync(socketAppDataPath);
       if (raw) {
         try {
-          Object.assign(
-            _cachedConfig,
-            JSON.parse(Buffer.from(raw, 'base64').toString())
-          )
+          Object.assign(_cachedConfig, JSON.parse(Buffer.from(raw, 'base64').toString()));
         } catch {
-          logger.logger.warn(`Failed to parse config at ${socketAppPath}`)
+          logger.logger.warn(`Failed to parse config at ${socketAppDataPath}`);
         }
         // Normalize apiKey to apiToken and persist it.
         // This is a one time migration per user.
         if (_cachedConfig['apiKey']) {
-          const token = _cachedConfig['apiKey']
-          delete _cachedConfig['apiKey']
-          updateConfigValue('apiToken', token)
+          const token = _cachedConfig['apiKey'];
+          delete _cachedConfig['apiKey'];
+          updateConfigValue('apiToken', token);
         }
       } else {
-        fs.mkdirSync(path.dirname(socketAppPath), {
+        fs.mkdirSync(path.dirname(socketAppDataPath), {
           recursive: true
-        })
+        });
       }
     }
   }
-  return _cachedConfig
+  return _cachedConfig;
 }
 function normalizeConfigKey(key) {
   // Note: apiKey was the old name of the token. When we load a config with
   //       property apiKey, we'll copy that to apiToken and delete the old property.
-  const normalizedKey = key === 'apiKey' ? 'apiToken' : key
+  const normalizedKey = key === 'apiKey' ? 'apiToken' : key;
   if (!supportedConfigKeys.has(normalizedKey)) {
     return {
       ok: false,
       message: `Invalid config key: ${normalizedKey}`,
       data: undefined
-    }
+    };
   }
   return {
     ok: true,
     data: key
-  }
+  };
 }
 function findSocketYmlSync(dir = process.cwd()) {
-  let prevDir = null
+  let prevDir = null;
   while (dir !== prevDir) {
-    let ymlPath = path.join(dir, 'socket.yml')
-    let yml = safeReadFileSync(ymlPath)
+    let ymlPath = path.join(dir, 'socket.yml');
+    let yml = safeReadFileSync(ymlPath);
     if (yml === undefined) {
-      ymlPath = path.join(dir, 'socket.yaml')
-      yml = safeReadFileSync(ymlPath)
+      ymlPath = path.join(dir, 'socket.yaml');
+      yml = safeReadFileSync(ymlPath);
     }
     if (typeof yml === 'string') {
       try {
         return {
           path: ymlPath,
           parsed: vendor.configExports.parseSocketConfig(yml)
-        }
+        };
       } catch {
-        throw new Error(`Found file but was unable to parse ${ymlPath}`)
+        throw new Error(`Found file but was unable to parse ${ymlPath}`);
       }
     }
-    prevDir = dir
-    dir = path.join(dir, '..')
+    prevDir = dir;
+    dir = path.join(dir, '..');
   }
-  return null
+  return null;
 }
 function getConfigValue(key) {
-  const localConfig = getConfigValues()
-  const keyResult = normalizeConfigKey(key)
+  const localConfig = getConfigValues();
+  const keyResult = normalizeConfigKey(key);
   if (!keyResult.ok) {
-    return keyResult
+    return keyResult;
   }
   return {
     ok: true,
     data: localConfig[keyResult.data]
-  }
+  };
 }
+
 // This version squashes errors, returning undefined instead.
 // Should be used when we can reasonably predict the call can't fail.
 function getConfigValueOrUndef(key) {
-  const localConfig = getConfigValues()
-  const keyResult = normalizeConfigKey(key)
+  const localConfig = getConfigValues();
+  const keyResult = normalizeConfigKey(key);
   if (!keyResult.ok) {
-    return undefined
+    return undefined;
   }
-  return localConfig[keyResult.data]
+  return localConfig[keyResult.data];
 }
 function isReadOnlyConfig() {
-  return _readOnlyConfig
+  return _readOnlyConfig;
 }
-let _pendingSave = false
+function isTestingV1() {
+  return !!getConfigValueOrUndef('isTestingV1');
+}
+let _cachedConfig;
+// When using --config or SOCKET_CLI_CONFIG, do not persist the config.
+let _readOnlyConfig = false;
+function overrideCachedConfig(jsonConfig) {
+  debug.debugLog('Overriding entire config, marking config as read-only');
+  let config;
+  try {
+    config = JSON.parse(String(jsonConfig));
+    if (!config || typeof config !== 'object') {
+      // `null` is valid json, so are primitive values. They're not valid config objects :)
+      return {
+        ok: false,
+        message: 'Could not parse Config as JSON',
+        cause: "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
+      };
+    }
+  } catch {
+    // Force set an empty config to prevent accidentally using system settings
+    _cachedConfig = {};
+    _readOnlyConfig = true;
+    return {
+      ok: false,
+      message: 'Could not parse Config as JSON',
+      cause: "Could not JSON parse the config override. Make sure it's a proper JSON object (double-quoted keys and strings, no unquoted `undefined`) and try again."
+    };
+  }
+
+  // @ts-ignore Override an illegal object.
+  _cachedConfig = config;
+  _readOnlyConfig = true;
+
+  // Normalize apiKey to apiToken.
+  if (_cachedConfig['apiKey']) {
+    if (_cachedConfig['apiToken']) {
+      logger.logger.warn('Note: The config override had both apiToken and apiKey. Using the apiToken value. Remove the apiKey to get rid of this message.');
+    }
+    _cachedConfig['apiToken'] = _cachedConfig['apiKey'];
+    delete _cachedConfig['apiKey'];
+  }
+  return {
+    ok: true,
+    data: undefined
+  };
+}
+function overrideConfigApiToken(apiToken) {
+  debug.debugLog('Overriding API token, marking config as read-only');
+  // Set token to the local cached config and mark it read-only so it doesn't persist
+  _cachedConfig = {
+    ...vendor.configExports,
+    ...(apiToken === undefined ? {} : {
+      apiToken: String(apiToken)
+    })
+  };
+  _readOnlyConfig = true;
+}
+let _pendingSave = false;
 function updateConfigValue(key, value) {
-  const localConfig = getConfigValues()
-  const keyResult = normalizeConfigKey(key)
+  const localConfig = getConfigValues();
+  const keyResult = normalizeConfigKey(key);
   if (!keyResult.ok) {
-    return keyResult
+    return keyResult;
   }
-  localConfig[keyResult.data] = value
+  localConfig[keyResult.data] = value;
   if (_readOnlyConfig) {
     return {
       ok: true,
       message: `Config key '${key}' was updated`,
       data: 'Change applied but not persisted; current config is overridden through env var or flag'
-    }
+    };
   }
   if (!_pendingSave) {
-    _pendingSave = true
+    _pendingSave = true;
     process.nextTick(() => {
-      _pendingSave = false
-      // Lazily access constants.socketAppPath.
-      const { socketAppPath } = constants
-      if (socketAppPath) {
-        fs.writeFileSync(
-          socketAppPath,
-          Buffer.from(JSON.stringify(localConfig)).toString('base64')
-        )
+      _pendingSave = false;
+      // Lazily access constants.socketAppDataPath.
+      const {
+        socketAppDataPath
+      } = constants;
+      if (socketAppDataPath) {
+        fs.writeFileSync(socketAppDataPath, Buffer.from(JSON.stringify(localConfig)).toString('base64'));
       }
-    })
+    });
   }
   return {
     ok: true,
     message: `Config key '${key}' was updated`,
     data: undefined
-  }
-}
-function isTestingV1() {
-  return !!getConfigValueOrUndef('isTestingV1')
+  };
 }
 
 const {
   kInternalsSymbol,
-  [kInternalsSymbol]: { getSentry }
-} = constants
+  [kInternalsSymbol]: {
+    getSentry
+  }
+} = constants;
 class AuthError extends Error {}
 class InputError extends Error {
   constructor(message, body) {
-    super(message)
-    this.body = body
+    super(message);
+    this.body = body;
   }
 }
 async function captureException(exception, hint) {
-  const result = captureExceptionSync(exception, hint)
+  const result = captureExceptionSync(exception, hint);
   // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
-  await promises.setTimeout(1000)
-  return result
+  await promises.setTimeout(1000);
+  return result;
 }
 function captureExceptionSync(exception, hint) {
-  const Sentry = getSentry()
+  const Sentry = getSentry();
   if (!Sentry) {
-    return ''
+    return '';
   }
-  debug.debugLog('captureException: Sending exception to Sentry')
-  return Sentry.captureException(exception, hint)
+  debug.debugLog('captureException: Sending exception to Sentry');
+  return Sentry.captureException(exception, hint);
 }
 
 function failMsgWithBadge(badge, msg) {
-  return `${vendor.yoctocolorsCjsExports.bgRed(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.white(` ${badge}${msg ? ': ' : ''}`)))}${msg ? ' ' + vendor.yoctocolorsCjsExports.bold(msg) : ''}`
+  return `${vendor.yoctocolorsCjsExports.bgRed(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.white(` ${badge}${msg ? ': ' : ''}`)))}${msg ? ' ' + vendor.yoctocolorsCjsExports.bold(msg) : ''}`;
 }
 
-const { SOCKET_PUBLIC_API_TOKEN } = constants
-const TOKEN_PREFIX = 'sktsec_'
-const { length: TOKEN_PREFIX_LENGTH } = TOKEN_PREFIX
+const {
+  SOCKET_PUBLIC_API_TOKEN
+} = constants;
+const TOKEN_PREFIX = 'sktsec_';
+const {
+  length: TOKEN_PREFIX_LENGTH
+} = TOKEN_PREFIX;
 
 // The API server that should be used for operations.
 function getDefaultApiBaseUrl$1() {
   const baseUrl =
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
-    constants.ENV.SOCKET_SECURITY_API_BASE_URL ||
-    getConfigValueOrUndef('apiBaseUrl')
-  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined
+  // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
+  constants.ENV.SOCKET_SECURITY_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl');
+  return strings.isNonEmptyString(baseUrl) ? baseUrl : undefined;
 }
 
 // The API server that should be used for operations.
 function getDefaultHttpProxy() {
   const apiProxy =
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_PROXY.
-    constants.ENV.SOCKET_SECURITY_API_PROXY || getConfigValueOrUndef('apiProxy')
-  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined
+  // Lazily access constants.ENV.SOCKET_SECURITY_API_PROXY.
+  constants.ENV.SOCKET_SECURITY_API_PROXY || getConfigValueOrUndef('apiProxy');
+  return strings.isNonEmptyString(apiProxy) ? apiProxy : undefined;
 }
 
 // This API key should be stored globally for the duration of the CLI execution.
-let _defaultToken
+let _defaultToken;
 function getDefaultToken() {
   // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.
   if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {
-    _defaultToken = undefined
+    _defaultToken = undefined;
   } else {
     const key =
-      // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-      constants.ENV.SOCKET_SECURITY_API_TOKEN ||
-      getConfigValueOrUndef('apiToken') ||
-      _defaultToken
-    _defaultToken = strings.isNonEmptyString(key) ? key : undefined
+    // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
+    constants.ENV.SOCKET_SECURITY_API_TOKEN || getConfigValueOrUndef('apiToken') || _defaultToken;
+    _defaultToken = strings.isNonEmptyString(key) ? key : undefined;
   }
-  return _defaultToken
+  return _defaultToken;
 }
 function getVisibleTokenPrefix() {
-  const apiToken = getDefaultToken()
-  return apiToken
-    ? apiToken.slice(TOKEN_PREFIX_LENGTH, TOKEN_PREFIX_LENGTH + 5)
-    : ''
+  const apiToken = getDefaultToken();
+  return apiToken ? apiToken.slice(TOKEN_PREFIX_LENGTH, TOKEN_PREFIX_LENGTH + 5) : '';
 }
 function hasDefaultToken() {
-  return !!getDefaultToken()
+  return !!getDefaultToken();
 }
 function getPublicToken() {
   return (
     // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-    (constants.ENV.SOCKET_SECURITY_API_TOKEN || getDefaultToken()) ??
-    SOCKET_PUBLIC_API_TOKEN
-  )
-}
-async function setupSdk(
-  apiToken = getDefaultToken(),
-  apiBaseUrl = getDefaultApiBaseUrl$1(),
-  proxy = getDefaultHttpProxy()
-) {
+    (constants.ENV.SOCKET_SECURITY_API_TOKEN || getDefaultToken()) ?? SOCKET_PUBLIC_API_TOKEN
+  );
+}
+async function setupSdk(apiToken = getDefaultToken(), apiBaseUrl = getDefaultApiBaseUrl$1(), proxy = getDefaultHttpProxy()) {
   if (typeof apiToken !== 'string' && vendor.isInteractiveExports()) {
     apiToken = await prompts.password({
-      message:
-        'Enter your Socket.dev API key (not saved, use socket login to persist)'
-    })
-    _defaultToken = apiToken
+      message: 'Enter your Socket.dev API key (not saved, use socket login to persist)'
+    });
+    _defaultToken = apiToken;
   }
   if (!apiToken) {
     return {
       ok: false,
       message: 'Auth Error',
       cause: 'You need to provide an API Token. Run `socket login` first.'
-    }
+    };
   }
   return {
     ok: true,
     data: new vendor.distExports$2.SocketSdk(apiToken, {
-      agent: proxy
-        ? new vendor.HttpsProxyAgent({
-            proxy
-          })
-        : undefined,
+      agent: proxy ? new vendor.HttpsProxyAgent({
+        proxy
+      }) : undefined,
       baseUrl: apiBaseUrl,
       userAgent: vendor.distExports$2.createUserAgentFromPkgJson({
         // Lazily access constants.ENV.INLINED_SOCKET_CLI_NAME.
@@ -656,53 +575,55 @@ async function setupSdk(
         homepage: constants.ENV.INLINED_SOCKET_CLI_HOMEPAGE
       })
     })
-  }
+  };
 }
 
 // TODO: this function is removed after v1.0.0
 function handleUnsuccessfulApiResponse(_name, error, cause, status) {
-  const message = `${error || 'No error message returned'}${cause ? ` (reason: ${cause})` : ''}`
+  const message = `${error || 'No error message returned'}${cause ? ` (reason: ${cause})` : ''}`;
   if (status === 401 || status === 403) {
     // Lazily access constants.spinner.
-    const { spinner } = constants
-    spinner.stop()
-    throw new AuthError(message)
+    const {
+      spinner
+    } = constants;
+    spinner.stop();
+    throw new AuthError(message);
   }
-  logger.logger.fail(failMsgWithBadge('Socket API returned an error', message))
+  logger.logger.fail(failMsgWithBadge('Socket API returned an error', message));
   // eslint-disable-next-line n/no-process-exit
-  process.exit(1)
+  process.exit(1);
 }
 async function handleApiCall(value, fetchingDesc) {
   // Lazily access constants.spinner.
-  const { spinner } = constants
-  spinner.start(`Requesting ${fetchingDesc} from API...`)
-  let result
+  const {
+    spinner
+  } = constants;
+  spinner.start(`Requesting ${fetchingDesc} from API...`);
+  let result;
   try {
-    result = await value
+    result = await value;
 
     // TODO: info, not success (looks weird when response is non-200)
-    spinner.successAndStop(
-      `Received API response (after requesting ${fetchingDesc}).`
-    )
+    spinner.successAndStop(`Received API response (after requesting ${fetchingDesc}).`);
   } catch (e) {
-    spinner.failAndStop(`An error was thrown while requesting ${fetchingDesc}`)
-    debug.debugLog(`handleApiCall(${fetchingDesc}) threw error:\n`, e)
-    const message = `${e || 'No error message returned'}`
-    const cause = `${e || 'No error message returned'}`
+    spinner.failAndStop(`An error was thrown while requesting ${fetchingDesc}`);
+    debug.debugLog(`handleApiCall(${fetchingDesc}) threw error:\n`, e);
+    const message = `${e || 'No error message returned'}`;
+    const cause = `${e || 'No error message returned'}`;
     return {
       ok: false,
       message: 'Socket API returned an error',
       cause: `${message}${cause ? ` ( Reason: ${cause} )` : ''}`
-    }
+    };
   } finally {
-    spinner.stop()
+    spinner.stop();
   }
 
   // Note: TS can't narrow down the type of result due to generics
   if (result.success === false) {
-    const err = result
-    const message = `${err.error || 'No error message returned'}`
-    debug.debugLog(`handleApiCall(${fetchingDesc}) bad response:\n`, err)
+    const err = result;
+    const message = `${err.error || 'No error message returned'}`;
+    debug.debugLog(`handleApiCall(${fetchingDesc}) bad response:\n`, err);
     return {
       ok: false,
       message: 'Socket API returned an error',
@@ -710,35 +631,35 @@ async function handleApiCall(value, fetchingDesc) {
       data: {
         code: result.status
       }
-    }
+    };
   } else {
-    const ok = result
+    const ok = result;
     return {
       ok: true,
       data: ok.data
-    }
+    };
   }
 }
 async function handleApiCallNoSpinner(value, description) {
-  let result
+  let result;
   try {
-    result = await value
+    result = await value;
   } catch (e) {
-    debug.debugLog(`handleApiCall(${description}) threw error:\n`, e)
-    const message = `${e || 'No error message returned'}`
-    const cause = `${e || 'No error message returned'}`
+    debug.debugLog(`handleApiCall(${description}) threw error:\n`, e);
+    const message = `${e || 'No error message returned'}`;
+    const cause = `${e || 'No error message returned'}`;
     return {
       ok: false,
       message: 'Socket API returned an error',
       cause: `${message}${cause ? ` ( Reason: ${cause} )` : ''}`
-    }
+    };
   }
 
   // Note: TS can't narrow down the type of result due to generics
   if (result.success === false) {
-    const err = result
-    const message = `${err.error || 'No error message returned'}`
-    debug.debugLog(`handleApiCall(${description}) bad response:\n`, err)
+    const err = result;
+    const message = `${err.error || 'No error message returned'}`;
+    debug.debugLog(`handleApiCall(${description}) bad response:\n`, err);
     return {
       ok: false,
       message: 'Socket API returned an error',
@@ -746,145 +667,140 @@ async function handleApiCallNoSpinner(value, description) {
       data: {
         code: result.status
       }
-    }
+    };
   } else {
-    const ok = result
+    const ok = result;
     return {
       ok: true,
       data: ok.data
-    }
+    };
   }
 }
 async function getErrorMessageForHttpStatusCode(code) {
   if (code === 400) {
-    return 'One of the options passed might be incorrect'
+    return 'One of the options passed might be incorrect';
   }
   if (code === 403 || code === 401) {
-    return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with'
+    return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with';
   }
   if (code === 404) {
-    return 'The requested Socket API endpoint was not found (404) or there was no result for the requested parameters. If unexpected, this could be a temporary problem caused by an incident or a bug in the CLI. If the problem persists please let us know.'
+    return 'The requested Socket API endpoint was not found (404) or there was no result for the requested parameters. If unexpected, this could be a temporary problem caused by an incident or a bug in the CLI. If the problem persists please let us know.';
   }
   if (code === 500) {
-    return 'There was an unknown server side problem with your request. This ought to be temporary. Please let us know if this problem persists.'
+    return 'There was an unknown server side problem with your request. This ought to be temporary. Please let us know if this problem persists.';
   }
-  return `Server responded with status code ${code}`
+  return `Server responded with status code ${code}`;
 }
 
 // The API server that should be used for operations.
 function getDefaultApiBaseUrl() {
   // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
-  const SOCKET_SECURITY_API_BASE_URL =
-    constants.ENV.SOCKET_SECURITY_API_BASE_URL
-  const baseUrl =
-    SOCKET_SECURITY_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl')
+  const SOCKET_SECURITY_API_BASE_URL = constants.ENV.SOCKET_SECURITY_API_BASE_URL;
+  const baseUrl = SOCKET_SECURITY_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl');
   if (strings.isNonEmptyString(baseUrl)) {
-    return baseUrl
+    return baseUrl;
   }
   // Lazily access constants.API_V0_URL.
-  const API_V0_URL = constants.API_V0_URL
-  return API_V0_URL
+  const API_V0_URL = constants.API_V0_URL;
+  return API_V0_URL;
 }
 async function queryApi(path, apiToken) {
-  const baseUrl = getDefaultApiBaseUrl() || ''
+  const baseUrl = getDefaultApiBaseUrl() || '';
   if (!baseUrl) {
-    logger.logger.warn(
-      'API endpoint is not set and default was empty. Request is likely to fail.'
-    )
+    logger.logger.warn('API endpoint is not set and default was empty. Request is likely to fail.');
   }
   return await fetch(`${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`, {
     method: 'GET',
     headers: {
       Authorization: `Basic ${btoa(`${apiToken}:`)}`
     }
-  })
+  });
 }
 async function queryApiSafeText(path, fetchSpinnerDesc) {
-  const apiToken = getDefaultToken()
+  const apiToken = getDefaultToken();
   if (!apiToken) {
     return {
       ok: false,
       message: 'Authentication Error',
-      cause:
-        'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.'
-    }
+      cause: 'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.'
+    };
   }
   if (fetchSpinnerDesc) {
     // Lazily access constants.spinner.
-    const { spinner } = constants
-    spinner.start(`Requesting ${fetchSpinnerDesc} from API...`)
+    const {
+      spinner
+    } = constants;
+    spinner.start(`Requesting ${fetchSpinnerDesc} from API...`);
   }
-  let result
+  let result;
   try {
-    result = await queryApi(path, apiToken)
+    result = await queryApi(path, apiToken);
     if (fetchSpinnerDesc) {
       // Lazily access constants.spinner.
-      const { spinner } = constants
-      spinner.successAndStop(
-        `Received API response (after requesting ${fetchSpinnerDesc}).`
-      )
+      const {
+        spinner
+      } = constants;
+      spinner.successAndStop(`Received API response (after requesting ${fetchSpinnerDesc}).`);
     }
   } catch (e) {
     if (fetchSpinnerDesc) {
       // Lazily access constants.spinner.
-      const { spinner } = constants
-      spinner.failAndStop(
-        `An error was thrown while requesting ${fetchSpinnerDesc}`
-      )
-    }
-    debug.debugLog('Error thrown trying to await queryApi():')
-    debug.debugLog(e)
-    const msg = e?.message
+      const {
+        spinner
+      } = constants;
+      spinner.failAndStop(`An error was thrown while requesting ${fetchSpinnerDesc}`);
+    }
+    debug.debugLog('Error thrown trying to await queryApi():');
+    debug.debugLog(e);
+    const msg = e?.message;
     return {
       ok: false,
       message: 'API Request failed to complete',
-      ...(msg
-        ? {
-            cause: msg
-          }
-        : {})
-    }
+      ...(msg ? {
+        cause: msg
+      } : {})
+    };
   }
   if (!result.ok) {
-    const cause = await getErrorMessageForHttpStatusCode(result.status)
+    const cause = await getErrorMessageForHttpStatusCode(result.status);
     return {
       ok: false,
       message: 'Socket API returned an error',
       cause: `${result.statusText}${cause ? ` (cause: ${cause})` : ''}`
-    }
+    };
   }
   try {
-    const data = await result.text()
+    const data = await result.text();
     return {
       ok: true,
       data
-    }
+    };
   } catch (e) {
-    debug.debugLog('Error thrown trying to await result.text():')
-    debug.debugLog(e)
+    debug.debugLog('Error thrown trying to await result.text():');
+    debug.debugLog(e);
     return {
       ok: false,
       message: 'API Request failed to complete',
       cause: 'There was an unexpected error trying to read the response text'
-    }
+    };
   }
 }
 async function queryApiSafeJson(path, fetchSpinnerDesc = '') {
-  const result = await queryApiSafeText(path, fetchSpinnerDesc)
+  const result = await queryApiSafeText(path, fetchSpinnerDesc);
   if (!result.ok) {
-    return result
+    return result;
   }
   try {
     return {
       ok: true,
       data: JSON.parse(result.data)
-    }
+    };
   } catch (e) {
     return {
       ok: false,
       message: 'Server returned invalid JSON',
       cause: `Please report this. JSON.parse threw an error over the following response: \`${(result.data?.slice?.(0, 100) || '<empty>').trim() + (result.data?.length > 100 ? '...' : '')}\``
-    }
+    };
   }
 }
 
@@ -893,129 +809,120 @@ function mdTableStringNumber(title1, title2, obj) {
   // | ----------- | ------ |
   // | Header      | 201464 |
   // | Paragraph   |     18 |
-  let mw1 = title1.length
-  let mw2 = title2.length
+  let mw1 = title1.length;
+  let mw2 = title2.length;
   for (const [key, value] of Object.entries(obj)) {
-    mw1 = Math.max(mw1, key.length)
-    mw2 = Math.max(mw2, String(value ?? '').length)
+    mw1 = Math.max(mw1, key.length);
+    mw2 = Math.max(mw2, String(value ?? '').length);
   }
-  const lines = []
-  lines.push(`| ${title1.padEnd(mw1, ' ')} | ${title2.padEnd(mw2)} |`)
-  lines.push(`| ${'-'.repeat(mw1)} | ${'-'.repeat(mw2)} |`)
+  const lines = [];
+  lines.push(`| ${title1.padEnd(mw1, ' ')} | ${title2.padEnd(mw2)} |`);
+  lines.push(`| ${'-'.repeat(mw1)} | ${'-'.repeat(mw2)} |`);
   for (const [key, value] of Object.entries(obj)) {
-    lines.push(
-      `| ${key.padEnd(mw1, ' ')} | ${String(value ?? '').padStart(mw2, ' ')} |`
-    )
-  }
-  lines.push(`| ${'-'.repeat(mw1)} | ${'-'.repeat(mw2)} |`)
-  return lines.join('\n')
-}
-function mdTable(
-  logs,
-  // This is saying "an array of strings and the strings are a valid key of elements of T"
-  // In turn, T is defined above as the audit log event type from our OpenAPI docs.
-  cols,
-  titles = cols
-) {
+    lines.push(`| ${key.padEnd(mw1, ' ')} | ${String(value ?? '').padStart(mw2, ' ')} |`);
+  }
+  lines.push(`| ${'-'.repeat(mw1)} | ${'-'.repeat(mw2)} |`);
+  return lines.join('\n');
+}
+function mdTable(logs,
+// This is saying "an array of strings and the strings are a valid key of elements of T"
+// In turn, T is defined above as the audit log event type from our OpenAPI docs.
+cols, titles = cols) {
   // Max col width required to fit all data in that column
-  const cws = cols.map(col => col.length)
+  const cws = cols.map(col => col.length);
   for (const log of logs) {
-    for (let i = 0, { length } = cols; i < length; i += 1) {
+    for (let i = 0, {
+        length
+      } = cols; i < length; i += 1) {
       // @ts-ignore
-      const val = log[cols[i] ?? ''] ?? ''
-      cws[i] = Math.max(
-        cws[i] ?? 0,
-        String(val).length,
-        (titles[i] || '').length
-      )
+      const val = log[cols[i] ?? ''] ?? '';
+      cws[i] = Math.max(cws[i] ?? 0, String(val).length, (titles[i] || '').length);
     }
   }
-  let div = '|'
+  let div = '|';
   for (const cw of cws) {
-    div += ' ' + '-'.repeat(cw) + ' |'
+    div += ' ' + '-'.repeat(cw) + ' |';
   }
-  let header = '|'
-  for (let i = 0, { length } = titles; i < length; i += 1) {
-    header += ' ' + String(titles[i]).padEnd(cws[i] ?? 0, ' ') + ' |'
+  let header = '|';
+  for (let i = 0, {
+      length
+    } = titles; i < length; i += 1) {
+    header += ' ' + String(titles[i]).padEnd(cws[i] ?? 0, ' ') + ' |';
   }
-  let body = ''
+  let body = '';
   for (const log of logs) {
-    body += '|'
-    for (let i = 0, { length } = cols; i < length; i += 1) {
+    body += '|';
+    for (let i = 0, {
+        length
+      } = cols; i < length; i += 1) {
       // @ts-ignore
-      const val = log[cols[i] ?? ''] ?? ''
-      body += ' ' + String(val).padEnd(cws[i] ?? 0, ' ') + ' |'
+      const val = log[cols[i] ?? ''] ?? '';
+      body += ' ' + String(val).padEnd(cws[i] ?? 0, ' ') + ' |';
     }
-    body += '\n'
+    body += '\n';
   }
-  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n')
+  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n');
 }
-function mdTableOfPairs(
-  arr,
-  // This is saying "an array of strings and the strings are a valid key of elements of T"
-  // In turn, T is defined above as the audit log event type from our OpenAPI docs.
-  cols
-) {
+function mdTableOfPairs(arr,
+// This is saying "an array of strings and the strings are a valid key of elements of T"
+// In turn, T is defined above as the audit log event type from our OpenAPI docs.
+cols) {
   // Max col width required to fit all data in that column
-  const cws = cols.map(col => col.length)
+  const cws = cols.map(col => col.length);
   for (const [key, val] of arr) {
-    cws[0] = Math.max(cws[0] ?? 0, String(key).length)
-    cws[1] = Math.max(cws[1] ?? 0, String(val ?? '').length)
+    cws[0] = Math.max(cws[0] ?? 0, String(key).length);
+    cws[1] = Math.max(cws[1] ?? 0, String(val ?? '').length);
   }
-  let div = '|'
+  let div = '|';
   for (const cw of cws) {
-    div += ' ' + '-'.repeat(cw) + ' |'
+    div += ' ' + '-'.repeat(cw) + ' |';
   }
-  let header = '|'
-  for (let i = 0, { length } = cols; i < length; i += 1) {
-    header += ' ' + String(cols[i]).padEnd(cws[i] ?? 0, ' ') + ' |'
+  let header = '|';
+  for (let i = 0, {
+      length
+    } = cols; i < length; i += 1) {
+    header += ' ' + String(cols[i]).padEnd(cws[i] ?? 0, ' ') + ' |';
   }
-  let body = ''
+  let body = '';
   for (const [key, val] of arr) {
-    body += '|'
-    body += ' ' + String(key).padEnd(cws[0] ?? 0, ' ') + ' |'
-    body += ' ' + String(val ?? '').padEnd(cws[1] ?? 0, ' ') + ' |'
-    body += '\n'
+    body += '|';
+    body += ' ' + String(key).padEnd(cws[0] ?? 0, ' ') + ' |';
+    body += ' ' + String(val ?? '').padEnd(cws[1] ?? 0, ' ') + ' |';
+    body += '\n';
   }
-  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n')
+  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n');
 }
 
 // Serialize the final result object before printing it
 // All commands that support the --json flag should call this before printing
 function serializeResultJson(data) {
   if (typeof data !== 'object' || !data) {
-    process.exitCode = 1
+    process.exitCode = 1;
     // We should not allow to expect the json value to be "null", or a boolean/number/string, even if they are valid "json".
-    const msg =
-      'There was a problem converting the data set to JSON. The JSON was not an object. Please try again without --json'
-    debug.debugLog('typeof data=', typeof data)
+    const msg = 'There was a problem converting the data set to JSON. The JSON was not an object. Please try again without --json';
+    debug.debugLog('typeof data=', typeof data);
     if (typeof data !== 'object' && data) {
-      debug.debugLog('data:\n', data)
+      debug.debugLog('data:\n', data);
     }
-    return (
-      JSON.stringify({
-        ok: false,
-        message: 'Unable to serialize JSON',
-        data: msg
-      }).trim() + '\n'
-    )
+    return JSON.stringify({
+      ok: false,
+      message: 'Unable to serialize JSON',
+      data: msg
+    }).trim() + '\n';
   }
   try {
-    return JSON.stringify(data, null, 2).trim() + '\n'
+    return JSON.stringify(data, null, 2).trim() + '\n';
   } catch (e) {
-    debug.debugLog('Error:\n', e)
-    process.exitCode = 1
+    debug.debugLog('Error:\n', e);
+    process.exitCode = 1;
     // This could be caused by circular references, which is an "us" problem
-    const msg =
-      'There was a problem converting the data set to JSON. Please try again without --json'
-    logger.logger.error(msg)
-    return (
-      JSON.stringify({
-        ok: false,
-        message: 'Unable to serialize JSON',
-        data: msg
-      }).trim() + '\n'
-    )
+    const msg = 'There was a problem converting the data set to JSON. Please try again without --json';
+    logger.logger.fail(msg);
+    return JSON.stringify({
+      ok: false,
+      message: 'Unable to serialize JSON',
+      data: msg
+    }).trim() + '\n';
   }
 }
 
@@ -1050,7 +957,7 @@ const commonFlags = {
     shortFlag: 's',
     description: 'Make the CLI less chatty'
   }
-}
+};
 const outputFlags = {
   json: {
     type: 'boolean',
@@ -1064,7 +971,7 @@ const outputFlags = {
     default: false,
     description: 'Output result as markdown'
   }
-}
+};
 const validationFlags = {
   all: {
     type: 'boolean',
@@ -1076,95 +983,86 @@ const validationFlags = {
     default: false,
     description: 'Exits with an error code if any matching issues are found'
   }
-}
+};
 
 function checkCommandInput(outputKind, ...checks) {
   if (checks.every(d => d.test)) {
-    return true
+    return true;
   }
-  const msg = ['Please review the input requirements and try again', '']
+  const msg = ['Please review the input requirements and try again', ''];
   for (const d of checks) {
     // If nook, then ignore when test is ok
     if (d.nook && d.test) {
-      continue
+      continue;
     }
-    const lines = d.message.split('\n')
-    const { length: lineCount } = lines
+    const lines = d.message.split('\n');
+    const {
+      length: lineCount
+    } = lines;
     if (!lineCount) {
-      continue
+      continue;
     }
     // If the message has newlines then format the first line with the input
     // expectation and the rest indented below it.
-    msg.push(
-      `  - ${lines[0]} (${d.test ? vendor.yoctocolorsCjsExports.green(d.pass) : vendor.yoctocolorsCjsExports.red(d.fail)})`
-    )
+    msg.push(`  - ${lines[0]} (${d.test ? vendor.yoctocolorsCjsExports.green(d.pass) : vendor.yoctocolorsCjsExports.red(d.fail)})`);
     if (lineCount > 1) {
-      msg.push(...lines.slice(1).map(str => `    ${str}`))
+      msg.push(...lines.slice(1).map(str => `    ${str}`));
     }
-    msg.push('')
+    msg.push('');
   }
 
   // Use exit status of 2 to indicate incorrect usage, generally invalid
   // options or missing arguments.
   // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
-  process.exitCode = 2
+  process.exitCode = 2;
   if (outputKind === 'json') {
-    logger.logger.log(
-      serializeResultJson({
-        ok: false,
-        message: 'Input error',
-        data: msg.join('\n')
-      })
-    )
+    logger.logger.log(serializeResultJson({
+      ok: false,
+      message: 'Input error',
+      data: msg.join('\n')
+    }));
   } else {
-    logger.logger.fail(failMsgWithBadge('Input error', msg.join('\n')))
+    logger.logger.fail(failMsgWithBadge('Input error', msg.join('\n')));
   }
-  return false
+  return false;
 }
 
 function getOutputKind(json, markdown) {
   if (json) {
-    return 'json'
+    return 'json';
   }
   if (markdown) {
-    return 'markdown'
+    return 'markdown';
   }
-  return 'text'
+  return 'text';
 }
 
-function getFlagListOutput(list, indent, { keyPrefix = '--', padName } = {}) {
-  return getHelpListOutput(
-    {
-      ...list
-    },
-    indent,
-    {
-      keyPrefix,
-      padName
-    }
-  )
-}
-function getHelpListOutput(
-  list,
-  indent,
-  { keyPrefix = '', padName = 18 } = {}
-) {
-  let result = ''
-  const names = Object.keys(list).sort()
+function getFlagListOutput(list, indent, {
+  keyPrefix = '--',
+  padName
+} = {}) {
+  return getHelpListOutput({
+    ...list
+  }, indent, {
+    keyPrefix,
+    padName
+  });
+}
+function getHelpListOutput(list, indent, {
+  keyPrefix = '',
+  padName = 18
+} = {}) {
+  let result = '';
+  const names = Object.keys(list).sort();
   for (const name of names) {
-    const entry = list[name]
+    const entry = list[name];
     if (entry && 'hidden' in entry && entry?.hidden) {
-      continue
+      continue;
     }
-    const description =
-      (typeof entry === 'object' ? entry.description : entry) || ''
-    result +=
-      ''.padEnd(indent) +
-      (keyPrefix + name).padEnd(padName) +
-      description +
-      '\n'
+    const description = (typeof entry === 'object' ? entry.description : entry) || '';
+    result += ''.padEnd(indent) + (keyPrefix + name).padEnd(padName) + description + '\n';
   }
-  return result.trim() || '(none)'
+  return result.trim() || '(none)';
 }
 
 async function meowWithSubcommands(subcommands, options) {
@@ -1178,30 +1076,26 @@ async function meowWithSubcommands(subcommands, options) {
   } = {
     __proto__: null,
     ...options
-  }
-  const [commandOrAliasName_, ...rawCommandArgv] = argv
-  let commandOrAliasName = commandOrAliasName_
+  };
+  const [commandOrAliasName_, ...rawCommandArgv] = argv;
+  let commandOrAliasName = commandOrAliasName_;
   if (!commandOrAliasName && defaultSub) {
-    commandOrAliasName = defaultSub
+    commandOrAliasName = defaultSub;
   }
   const flags = {
     ...commonFlags,
     ...additionalOptions.flags
-  }
+  };
 
   // No further args or first arg is a flag (shrug)
-  if (
-    name === 'socket' &&
-    (!commandOrAliasName || commandOrAliasName?.startsWith('-'))
-  ) {
+  if (name === 'socket' && (!commandOrAliasName || commandOrAliasName?.startsWith('-'))) {
     flags['dryRun'] = {
       type: 'boolean',
       default: false,
       hidden: false,
       // Only show on root
-      description:
-        'Do input validation for a command and exit 0 when input is ok. Every command should support this flag (not shown on help screens)'
-    }
+      description: 'Do input validation for a command and exit 0 when input is ok. Every command should support this flag (not shown on help screens)'
+    };
   }
 
   // This is basically a dry-run parse of cli args and flags. We use this to
@@ -1216,130 +1110,113 @@ async function meowWithSubcommands(subcommands, options) {
     // We will emit help when we're ready
     // Plus, if we allow this then meow() can just exit here.
     autoHelp: false
-  })
+  });
 
   // Hard override the config if instructed to do so.
   // The env var overrides the --flag, which overrides the persisted config
   // Also, when either of these are used, config updates won't persist.
-  let configOverrideResult
+  let configOverrideResult;
   // Lazily access constants.ENV.SOCKET_CLI_CONFIG.
   if (constants.ENV.SOCKET_CLI_CONFIG) {
     configOverrideResult = overrideCachedConfig(
-      // Lazily access constants.ENV.SOCKET_CLI_CONFIG.
-      constants.ENV.SOCKET_CLI_CONFIG
-    )
+    // Lazily access constants.ENV.SOCKET_CLI_CONFIG.
+    constants.ENV.SOCKET_CLI_CONFIG);
   } else if (cli1.flags['config']) {
-    configOverrideResult = overrideCachedConfig(
-      String(cli1.flags['config'] || '')
-    )
+    configOverrideResult = overrideCachedConfig(String(cli1.flags['config'] || ''));
   }
 
   // Lazily access constants.ENV.SOCKET_CLI_NO_API_TOKEN.
   if (constants.ENV.SOCKET_CLI_NO_API_TOKEN) {
     // This overrides the config override and even the explicit token env var.
     // The config will be marked as readOnly to prevent persisting it.
-    overrideConfigApiToken(undefined)
+    overrideConfigApiToken(undefined);
   } else {
     // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-    const tokenOverride = constants.ENV.SOCKET_SECURITY_API_TOKEN
+    const tokenOverride = constants.ENV.SOCKET_SECURITY_API_TOKEN;
     if (tokenOverride) {
       // This will set the token (even if there was a config override) and
       // set it to readOnly, making sure the temp token won't be persisted.
-      overrideConfigApiToken(tokenOverride)
+      overrideConfigApiToken(tokenOverride);
     }
   }
   if (configOverrideResult?.ok === false) {
-    emitBanner(name)
-    logger.logger.fail(configOverrideResult.message)
-    process.exitCode = 2
-    return
+    emitBanner(name);
+    logger.logger.fail(configOverrideResult.message);
+    process.exitCode = 2;
+    return;
   }
 
   // If we got at least some args, then lets find out if we can find a command.
   if (commandOrAliasName) {
-    const alias = aliases[commandOrAliasName]
+    const alias = aliases[commandOrAliasName];
     // First: Resolve argv data from alias if its an alias that's been given.
-    const [commandName, ...commandArgv] = alias
-      ? [...alias.argv, ...rawCommandArgv]
-      : [commandOrAliasName, ...rawCommandArgv]
+    const [commandName, ...commandArgv] = alias ? [...alias.argv, ...rawCommandArgv] : [commandOrAliasName, ...rawCommandArgv];
     // Second: Find a command definition using that data.
-    const commandDefinition = commandName ? subcommands[commandName] : undefined
+    const commandDefinition = commandName ? subcommands[commandName] : undefined;
     // Third: If a valid command has been found, then we run it...
     if (commandDefinition) {
       return await commandDefinition.run(commandArgv, importMeta, {
         parentName: name
-      })
+      });
     }
   }
   if (isTestingV1()) {
-    delete subcommands['diff-scan']
-    delete subcommands['info']
-    delete subcommands['report']
+    delete subcommands['diff-scan'];
+    delete subcommands['info'];
+    delete subcommands['report'];
   }
 
   // Parse it again. Config overrides should now be applied (may affect help).
-  const cli2 = vendor.meow(
-    `
+  const cli2 = vendor.meow(`
     Usage
       $ ${name} <command>
 
     Commands
-      ${getHelpListOutput(
-        {
-          ...objects.toSortedObject(
-            Object.fromEntries(
-              Object.entries(subcommands).filter(
-                ({ 1: subcommand }) => !subcommand.hidden
-              )
-            )
-          ),
-          ...objects.toSortedObject(
-            Object.fromEntries(
-              Object.entries(aliases).filter(({ 1: alias }) => {
-                const { hidden } = alias
-                const cmdName = hidden ? '' : alias.argv[0]
-                const subcommand = cmdName ? subcommands[cmdName] : undefined
-                return subcommand && !subcommand.hidden
-              })
-            )
-          )
-        },
-        6
-      )}
+      ${getHelpListOutput({
+    ...objects.toSortedObject(Object.fromEntries(Object.entries(subcommands).filter(({
+      1: subcommand
+    }) => !subcommand.hidden))),
+    ...objects.toSortedObject(Object.fromEntries(Object.entries(aliases).filter(({
+      1: alias
+    }) => {
+      const {
+        hidden
+      } = alias;
+      const cmdName = hidden ? '' : alias.argv[0];
+      const subcommand = cmdName ? subcommands[cmdName] : undefined;
+      return subcommand && !subcommand.hidden;
+    })))
+  }, 6)}
 
     Options
       ${getFlagListOutput(flags, 6)}
 
     Examples
       $ ${name} --help
-  `,
-    {
-      argv,
-      importMeta,
-      ...additionalOptions,
-      flags,
-      // Do not strictly check for flags here.
-      allowUnknownFlags: true,
-      // We will emit help when we're ready
-      // Plus, if we allow this then meow() can just exit here.
-      autoHelp: false
-    }
-  )
+  `, {
+    argv,
+    importMeta,
+    ...additionalOptions,
+    flags,
+    // Do not strictly check for flags here.
+    allowUnknownFlags: true,
+    // We will emit help when we're ready
+    // Plus, if we allow this then meow() can just exit here.
+    autoHelp: false
+  });
 
   // ...else we provide basic instructions and help.
   if (!cli2.flags['silent']) {
-    emitBanner(name)
+    emitBanner(name);
   }
   if (!cli2.flags['help'] && cli2.flags['dryRun']) {
-    process.exitCode = 0
+    process.exitCode = 0;
     // Lazily access constants.DRY_RUN_LABEL.
-    logger.logger.log(
-      `${constants.DRY_RUN_LABEL}: No-op, call a sub-command; ok`
-    )
+    logger.logger.log(`${constants.DRY_RUN_LABEL}: No-op, call a sub-command; ok`);
   } else {
     // When you explicitly request --help, the command should be successful
     // so we exit(0). If we do it because we need more input, we exit(2).
-    cli2.showHelp(cli2.flags['help'] ? 0 : 2)
+    cli2.showHelp(cli2.flags['help'] ? 0 : 2);
   }
 }
 
@@ -1354,7 +1231,7 @@ function meowOrExit({
   importMeta,
   parentName
 }) {
-  const command = `${parentName} ${config.commandName}`
+  const command = `${parentName} ${config.commandName}`;
 
   // This exits if .printHelp() is called either by meow itself or by us.
   const cli = vendor.meow({
@@ -1366,9 +1243,9 @@ function meowOrExit({
     allowUnknownFlags: true,
     // meow will exit(1) before printing the banner
     autoHelp: false // meow will exit(0) before printing the banner
-  })
+  });
   if (!cli.flags['silent']) {
-    emitBanner(command)
+    emitBanner(command);
   }
   if (!allowUnknownFlags) {
     // Run meow specifically with the flag setting. It will exit(2) if an
@@ -1381,15 +1258,15 @@ function meowOrExit({
       flags: config.flags,
       allowUnknownFlags: false,
       autoHelp: false
-    })
+    });
   }
   if (cli.flags['help']) {
-    cli.showHelp(0)
+    cli.showHelp(0);
   }
   // Now test for help state. Run meow again. If it exits now, it must be due
   // to wanting to print the help screen. But it would exit(0) and we want a
   // consistent exit(2) for that case (missing input). TODO: move away from meow
-  process.exitCode = 2
+  process.exitCode = 2;
   vendor.meow({
     argv,
     description: config.description,
@@ -1398,10 +1275,10 @@ function meowOrExit({
     flags: config.flags,
     allowUnknownFlags: Boolean(allowUnknownFlags),
     autoHelp: false
-  })
+  });
   // Ok, no help, reset to default.
-  process.exitCode = 0
-  return cli
+  process.exitCode = 0;
+  return cli;
 }
 function emitBanner(name) {
   // Print a banner at the top of each command.
@@ -1412,375 +1289,330 @@ function emitBanner(name) {
   //       and pipe the result to other tools. By emitting the banner over stderr
   //       you can do something like `socket scan view xyz | jq | process`.
   //       The spinner also emits over stderr for example.
-  logger.logger.error(getAsciiHeader(name))
+  logger.logger.error(getAsciiHeader(name));
 }
 function getAsciiHeader(command) {
   // Note: In tests we return <redacted> because otherwise snapshots will fail.
-  const { REDACTED } = constants
+  const {
+    REDACTED
+  } = constants;
   // Lazily access constants.ENV.VITEST.
-  const redacting = constants.ENV.VITEST
-  const cliVersion = redacting
-    ? REDACTED
-    : // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH.
-      constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH
-  const nodeVersion = redacting ? REDACTED : process.version
-  const defaultOrg = getConfigValueOrUndef('defaultOrg')
-  const readOnlyConfig = isReadOnlyConfig() ? '*' : '.'
-  const v1test = isTestingV1() ? ' (is testing v1)' : ''
-  const feedback = isTestingV1()
-    ? vendor.yoctocolorsCjsExports.green(
-        '   (Thank you for testing the v1 bump! Please send us any feedback you might have!)\n'
-      )
-    : ''
-  const shownToken = redacting ? REDACTED : getVisibleTokenPrefix() || 'no'
-  const relCwd = redacting
-    ? REDACTED
-    : path$1.normalizePath(
-        process
-          .cwd()
-          .replace(
-            new RegExp(
-              `^${regexps.escapeRegExp(constants.homePath)}(?:${path.sep}|$)`,
-              'i'
-            ),
-            '~/'
-          )
-      )
-  let nodeVerWarn = ''
+  const redacting = constants.ENV.VITEST;
+  const cliVersion = redacting ? REDACTED :
+  // Lazily access constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH.
+  constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH;
+  const nodeVersion = redacting ? REDACTED : process.version;
+  const defaultOrg = getConfigValueOrUndef('defaultOrg');
+  const readOnlyConfig = isReadOnlyConfig() ? '*' : '.';
+  const v1test = isTestingV1() ? ' (is testing v1)' : '';
+  const feedback = isTestingV1() ? vendor.yoctocolorsCjsExports.green('   (Thank you for testing the v1 bump! Please send us any feedback you might have!)\n') : '';
+  const shownToken = redacting ? REDACTED : getVisibleTokenPrefix() || 'no';
+  const relCwd = redacting ? REDACTED : path$1.normalizePath(process.cwd().replace(new RegExp(`^${regexps.escapeRegExp(constants.homePath)}(?:${path.sep}|$)`, 'i'), '~/'));
+  let nodeVerWarn = '';
   if ((vendor.semverExports.parse(constants.NODE_VERSION)?.major ?? 0) < 20) {
-    nodeVerWarn += vendor.yoctocolorsCjsExports.bold(
-      `   ${vendor.yoctocolorsCjsExports.red('Warning:')} NodeJS version 19 and lower will be ${vendor.yoctocolorsCjsExports.red('unsupported')} after April 30th, 2025.`
-    )
-    nodeVerWarn += '\n'
-    nodeVerWarn +=
-      '            Soon after the Socket CLI will require NodeJS version 20 or higher.'
-    nodeVerWarn += '\n'
+    nodeVerWarn += vendor.yoctocolorsCjsExports.bold(`   ${vendor.yoctocolorsCjsExports.red('Warning:')} NodeJS version 19 and lower will be ${vendor.yoctocolorsCjsExports.red('unsupported')} after April 30th, 2025.`);
+    nodeVerWarn += '\n';
+    nodeVerWarn += '            Soon after the Socket CLI will require NodeJS version 20 or higher.';
+    nodeVerWarn += '\n';
   }
   const body = `
    _____         _       _        /---------------
   |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver ${cliVersion}${v1test}
   |__   | ${readOnlyConfig} |  _| '_| -_|  _|     | Node: ${nodeVersion}, API token set: ${shownToken}${defaultOrg ? `, default org: ${redacting ? REDACTED : defaultOrg}` : ''}
-  |_____|___|___|_,_|___|_|.dev   | Command: \`${command}\`, cwd: ${relCwd}`.trimStart()
-  return `   ${body}\n${nodeVerWarn}${feedback}`
+  |_____|___|___|_,_|___|_|.dev   | Command: \`${command}\`, cwd: ${relCwd}`.trimStart();
+  return `   ${body}\n${nodeVerWarn}${feedback}`;
 }
 
 async function suggestOrgSlug() {
-  const sockSdkResult = await setupSdk()
+  const sockSdkResult = await setupSdk();
   if (!sockSdkResult.ok) {
-    return
+    return;
   }
-  const sockSdk = sockSdkResult.data
-  const result = await handleApiCall(
-    sockSdk.getOrganizations(),
-    'list of organizations'
-  )
+  const sockSdk = sockSdkResult.data;
+  const result = await handleApiCall(sockSdk.getOrganizations(), 'list of organizations');
 
   // Ignore a failed request here. It was not the primary goal of
   // running this command and reporting it only leads to end-user confusion.
   if (result.ok) {
     const proceed = await prompts.select({
-      message:
-        'Missing org name; do you want to use any of these orgs for this scan?',
-      choices: [
-        ...Object.values(result.data.organizations).map(org => {
-          const name = org.name ?? org.slug
-          return {
-            name: `Yes [${name}]`,
-            value: name,
-            description: `Use "${name}" as the organization`
-          }
-        }),
-        {
-          name: 'No',
-          value: '',
-          description:
-            'Do not use any of these organizations (will end in a no-op)'
-        }
-      ]
-    })
+      message: 'Missing org name; do you want to use any of these orgs for this scan?',
+      choices: [...Object.values(result.data.organizations).map(org => {
+        const name = org.name ?? org.slug;
+        return {
+          name: `Yes [${name}]`,
+          value: name,
+          description: `Use "${name}" as the organization`
+        };
+      }), {
+        name: 'No',
+        value: '',
+        description: 'Do not use any of these organizations (will end in a no-op)'
+      }]
+    });
     if (proceed) {
-      return proceed
+      return proceed;
     }
   } else {
-    logger.logger.fail(
-      'Failed to lookup organization list from API, unable to suggest'
-    )
+    logger.logger.fail('Failed to lookup organization list from API, unable to suggest');
   }
 }
 
 async function determineOrgSlug(orgFlag, firstArg, interactive, dryRun) {
-  const defaultOrgSlug = getConfigValueOrUndef('defaultOrg')
-  let orgSlug = String(orgFlag || defaultOrgSlug || '')
+  const defaultOrgSlug = getConfigValueOrUndef('defaultOrg');
+  let orgSlug = String(orgFlag || defaultOrgSlug || '');
   if (!orgSlug) {
     if (isTestingV1()) {
       // ask from server
-      logger.logger.error(
-        'Missing the org slug and no --org flag set. Trying to auto-discover the org now...'
-      )
-      logger.logger.error(
-        'Note: you can set the default org slug to prevent this issue. You can also override all that with the --org flag.'
-      )
+      logger.logger.warn('Missing the org slug and no --org flag set. Trying to auto-discover the org now...');
+      logger.logger.info('Note: you can set the default org slug to prevent this issue. You can also override all that with the --org flag.');
       if (dryRun) {
-        logger.logger.fail('Skipping auto-discovery of org in dry-run mode')
+        logger.logger.fail('Skipping auto-discovery of org in dry-run mode');
       } else if (!interactive) {
-        logger.logger.fail(
-          'Skipping auto-discovery of org when interactive = false'
-        )
+        logger.logger.fail('Skipping auto-discovery of org when interactive = false');
       } else {
-        orgSlug = (await suggestOrgSlug()) || ''
+        orgSlug = (await suggestOrgSlug()) || '';
       }
     } else {
-      orgSlug = firstArg || ''
+      orgSlug = firstArg || '';
     }
   }
-  return [orgSlug, defaultOrgSlug]
+  return [orgSlug, defaultOrgSlug];
 }
 
-const { NODE_MODULES: NODE_MODULES$1, NPM: NPM$5, shadowBinPath } = constants
+const {
+  NODE_MODULES: NODE_MODULES$1,
+  NPM: NPM$5,
+  shadowBinPath
+} = constants;
 function findBinPathDetailsSync(binName) {
-  const binPaths =
-    vendor.libExports$1.sync(binName, {
-      all: true,
-      nothrow: true
-    }) ?? []
-  let shadowIndex = -1
-  let theBinPath
-  for (let i = 0, { length } = binPaths; i < length; i += 1) {
-    const binPath = binPaths[i]
+  const binPaths = vendor.libExports$1.sync(binName, {
+    all: true,
+    nothrow: true
+  }) ?? [];
+  let shadowIndex = -1;
+  let theBinPath;
+  for (let i = 0, {
+      length
+    } = binPaths; i < length; i += 1) {
+    const binPath = binPaths[i];
     // Skip our bin directory if it's in the front.
     if (path.dirname(binPath) === shadowBinPath) {
-      shadowIndex = i
+      shadowIndex = i;
     } else {
-      theBinPath = npm.resolveBinPath(binPath)
-      break
+      theBinPath = npm.resolveBinPath(binPath);
+      break;
     }
   }
   return {
     name: binName,
     path: theBinPath,
     shadowed: shadowIndex !== -1
-  }
+  };
 }
 function findNpmPathSync(npmBinPath) {
   // Lazily access constants.WIN32.
-  const { WIN32 } = constants
-  let thePath = npmBinPath
+  const {
+    WIN32
+  } = constants;
+  let thePath = npmBinPath;
   while (true) {
-    const libNmNpmPath = path.join(thePath, 'lib', NODE_MODULES$1, NPM$5)
+    const libNmNpmPath = path.join(thePath, 'lib', NODE_MODULES$1, NPM$5);
     // mise puts its npm bin in a path like:
     //   /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/bin/npm.
     // HOWEVER, the location of the npm install is:
     //   /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/lib/node_modules/npm.
     if (
-      // Use existsSync here because statsSync, even with { throwIfNoEntry: false },
-      // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.
-      // See https://github.com/nodejs/node/issues/56993.
-      fs.existsSync(libNmNpmPath) &&
-      fs
-        .statSync(libNmNpmPath, {
-          throwIfNoEntry: false
-        })
-        ?.isDirectory()
-    ) {
-      thePath = path.join(libNmNpmPath, NPM$5)
-    }
-    const nmPath = path.join(thePath, NODE_MODULES$1)
+    // Use existsSync here because statsSync, even with { throwIfNoEntry: false },
+    // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.
+    // See https://github.com/nodejs/node/issues/56993.
+    fs.existsSync(libNmNpmPath) && fs.statSync(libNmNpmPath, {
+      throwIfNoEntry: false
+    })?.isDirectory()) {
+      thePath = path.join(libNmNpmPath, NPM$5);
+    }
+    const nmPath = path.join(thePath, NODE_MODULES$1);
     if (
-      // npm bin paths may look like:
-      //   /usr/local/share/npm/bin/npm
-      //   /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm
-      //   C:\Users\SomeUsername\AppData\Roaming\npm\bin\npm.cmd
-      // OR
-      //   C:\Program Files\nodejs\npm.cmd
-      //
-      // In practically all cases the npm path contains a node_modules folder:
-      //   /usr/local/share/npm/bin/npm/node_modules
-      //   C:\Program Files\nodejs\node_modules
-      fs.existsSync(nmPath) &&
-      fs
-        .statSync(nmPath, {
-          throwIfNoEntry: false
-        })
-        ?.isDirectory() &&
-      // Optimistically look for the default location.
-      (path.basename(thePath) === NPM$5 ||
-        // Chocolatey installs npm bins in the same directory as node bins.
-        (WIN32 && fs.existsSync(path.join(thePath, `${NPM$5}.cmd`))))
-    ) {
-      return thePath
-    }
-    const parent = path.dirname(thePath)
+    // npm bin paths may look like:
+    //   /usr/local/share/npm/bin/npm
+    //   /Users/SomeUsername/.nvm/versions/node/vX.X.X/bin/npm
+    //   C:\Users\SomeUsername\AppData\Roaming\npm\bin\npm.cmd
+    // OR
+    //   C:\Program Files\nodejs\npm.cmd
+    //
+    // In practically all cases the npm path contains a node_modules folder:
+    //   /usr/local/share/npm/bin/npm/node_modules
+    //   C:\Program Files\nodejs\node_modules
+    fs.existsSync(nmPath) && fs.statSync(nmPath, {
+      throwIfNoEntry: false
+    })?.isDirectory() && (
+    // Optimistically look for the default location.
+    path.basename(thePath) === NPM$5 ||
+    // Chocolatey installs npm bins in the same directory as node bins.
+    WIN32 && fs.existsSync(path.join(thePath, `${NPM$5}.cmd`)))) {
+      return thePath;
+    }
+    const parent = path.dirname(thePath);
     if (parent === thePath) {
-      return undefined
+      return undefined;
     }
-    thePath = parent
+    thePath = parent;
   }
 }
 async function getPackageFilesForScan(cwd, inputPaths, supportedFiles, config) {
-  debug.debugLog(
-    `getPackageFilesForScan: resolving ${inputPaths.length} paths:\n`,
-    inputPaths
-  )
+  debug.debugLog(`getPackageFilesForScan: resolving ${inputPaths.length} paths:\n`, inputPaths);
 
   // Lazily access constants.spinner.
-  const { spinner } = constants
-  const patterns = pathsToGlobPatterns(inputPaths)
-  spinner.start('Searching for local files to include in scan...')
+  const {
+    spinner
+  } = constants;
+  const patterns = pathsToGlobPatterns(inputPaths);
+  spinner.start('Searching for local files to include in scan...');
   const entries = await globWithGitIgnore(patterns, {
     cwd,
     socketConfig: config
-  })
+  });
   if (debug.isDebug()) {
-    spinner.stop()
-    debug.debugLog(
-      `Resolved ${inputPaths.length} paths to ${entries.length} local paths:\n`,
-      entries
-    )
-    spinner.start('Searching for files now...')
+    spinner.stop();
+    debug.debugLog(`Resolved ${inputPaths.length} paths to ${entries.length} local paths:\n`, entries);
+    spinner.start('Searching for files now...');
   } else {
-    spinner.start(
-      `Resolved ${inputPaths.length} paths to ${entries.length} local paths, searching for files now...`
-    )
-  }
-  const packageFiles = await filterGlobResultToSupportedFiles(
-    entries,
-    supportedFiles
-  )
-  spinner.successAndStop(
-    `Found ${packageFiles.length} local ${words.pluralize('file', packageFiles.length)}`
-  )
-  debug.debugLog('Absolute paths:\n', packageFiles)
-  return packageFiles
-}
-
-const { NODE_MODULES, NPM: NPM$4, NPX, SOCKET_CLI_ISSUES_URL } = constants
+    spinner.start(`Resolved ${inputPaths.length} paths to ${entries.length} local paths, searching for files now...`);
+  }
+  const packageFiles = await filterGlobResultToSupportedFiles(entries, supportedFiles);
+  spinner.successAndStop(`Found ${packageFiles.length} local ${words.pluralize('file', packageFiles.length)}`);
+  debug.debugLog('Absolute paths:\n', packageFiles);
+  return packageFiles;
+}
+
+const {
+  NODE_MODULES,
+  NPM: NPM$4,
+  NPX,
+  SOCKET_CLI_ISSUES_URL
+} = constants;
 function exitWithBinPathError(binName) {
-  logger.logger.fail(
-    `Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`
-  )
+  logger.logger.fail(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`);
   // The exit code 127 indicates that the command or binary being executed
   // could not be found.
   // eslint-disable-next-line n/no-process-exit
-  process.exit(127)
+  process.exit(127);
 }
-let _npmBinPathDetails
+let _npmBinPathDetails;
 function getNpmBinPathDetails() {
   if (_npmBinPathDetails === undefined) {
-    _npmBinPathDetails = findBinPathDetailsSync(NPM$4)
+    _npmBinPathDetails = findBinPathDetailsSync(NPM$4);
   }
-  return _npmBinPathDetails
+  return _npmBinPathDetails;
 }
-let _npxBinPathDetails
+let _npxBinPathDetails;
 function getNpxBinPathDetails() {
   if (_npxBinPathDetails === undefined) {
-    _npxBinPathDetails = findBinPathDetailsSync(NPX)
+    _npxBinPathDetails = findBinPathDetailsSync(NPX);
   }
-  return _npxBinPathDetails
+  return _npxBinPathDetails;
 }
 function isNpmBinPathShadowed() {
-  return getNpmBinPathDetails().shadowed
+  return getNpmBinPathDetails().shadowed;
 }
 function isNpxBinPathShadowed() {
-  return getNpxBinPathDetails().shadowed
+  return getNpxBinPathDetails().shadowed;
 }
-let _npmBinPath
+let _npmBinPath;
 function getNpmBinPath() {
   if (_npmBinPath === undefined) {
-    _npmBinPath = getNpmBinPathDetails().path
+    _npmBinPath = getNpmBinPathDetails().path;
     if (!_npmBinPath) {
-      exitWithBinPathError(NPM$4)
+      exitWithBinPathError(NPM$4);
     }
   }
-  return _npmBinPath
+  return _npmBinPath;
 }
-let _npmPath
+let _npmPath;
 function getNpmPath() {
   if (_npmPath === undefined) {
-    const npmBinPath = getNpmBinPath()
-    _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined
+    const npmBinPath = getNpmBinPath();
+    _npmPath = npmBinPath ? findNpmPathSync(npmBinPath) : undefined;
     if (!_npmPath) {
-      let message = 'Unable to find npm CLI install directory.'
+      let message = 'Unable to find npm CLI install directory.';
       if (npmBinPath) {
-        message += `\nSearched parent directories of ${path.dirname(npmBinPath)}.`
+        message += `\nSearched parent directories of ${path.dirname(npmBinPath)}.`;
       }
-      message += `\n\nThis is may be a bug with socket-npm related to changes to the npm CLI.\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`
-      logger.logger.fail(message)
+      message += `\n\nThis is may be a bug with socket-npm related to changes to the npm CLI.\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`;
+      logger.logger.fail(message);
       // The exit code 127 indicates that the command or binary being executed
       // could not be found.
       // eslint-disable-next-line n/no-process-exit
-      process.exit(127)
+      process.exit(127);
     }
   }
-  return _npmPath
+  return _npmPath;
 }
-let _npmRequire
+let _npmRequire;
 function getNpmRequire() {
   if (_npmRequire === undefined) {
-    const npmPath = getNpmPath()
-    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM$4)
-    _npmRequire = Module.createRequire(
-      path.join(
-        fs.existsSync(npmNmPath) ? npmNmPath : npmPath,
-        '<dummy-basename>'
-      )
-    )
-  }
-  return _npmRequire
-}
-let _npxBinPath
+    const npmPath = getNpmPath();
+    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM$4);
+    _npmRequire = Module.createRequire(path.join(fs.existsSync(npmNmPath) ? npmNmPath : npmPath, '<dummy-basename>'));
+  }
+  return _npmRequire;
+}
+let _npxBinPath;
 function getNpxBinPath() {
   if (_npxBinPath === undefined) {
-    _npxBinPath = getNpxBinPathDetails().path
+    _npxBinPath = getNpxBinPathDetails().path;
     if (!_npxBinPath) {
-      exitWithBinPathError(NPX)
+      exitWithBinPathError(NPX);
     }
   }
-  return _npxBinPath
+  return _npxBinPath;
 }
 
-const helpFlags = new Set(['--help', '-h'])
+const helpFlags = new Set(['--help', '-h']);
 function cmdFlagsToString(args) {
-  const result = []
-  for (let i = 0, { length } = args; i < length; i += 1) {
+  const result = [];
+  for (let i = 0, {
+      length
+    } = args; i < length; i += 1) {
     if (args[i].startsWith('--')) {
       // Check if the next item exists and is NOT another flag.
       if (i + 1 < length && !args[i + 1].startsWith('--')) {
-        result.push(`${args[i]}=${args[i + 1]}`)
-        i += 1
+        result.push(`${args[i]}=${args[i + 1]}`);
+        i += 1;
       } else {
-        result.push(args[i])
+        result.push(args[i]);
       }
     }
   }
-  return result.join(' ')
+  return result.join(' ');
 }
 function cmdPrefixMessage(cmdName, text) {
-  const cmdPrefix = cmdName ? `${cmdName}: ` : ''
-  return `${cmdPrefix}${text}`
+  const cmdPrefix = cmdName ? `${cmdName}: ` : '';
+  return `${cmdPrefix}${text}`;
 }
 function isHelpFlag(cmdArg) {
-  return helpFlags.has(cmdArg)
+  return helpFlags.has(cmdArg);
 }
 
-const { SOCKET_WEBSITE_URL } = constants
+const {
+  SOCKET_WEBSITE_URL
+} = constants;
 function getPkgFullNameFromPurlObj(purlObj) {
-  const { name, namespace } = purlObj
-  return namespace
-    ? `${namespace}${purlObj.type === 'maven' ? ':' : '/'}${name}`
-    : name
+  const {
+    name,
+    namespace
+  } = purlObj;
+  return namespace ? `${namespace}${purlObj.type === 'maven' ? ':' : '/'}${name}` : name;
 }
 function getSocketDevAlertUrl(alertType) {
-  return `${SOCKET_WEBSITE_URL}/alerts/${alertType}`
+  return `${SOCKET_WEBSITE_URL}/alerts/${alertType}`;
 }
 function getSocketDevPackageOverviewUrlFromPurl(purlObj) {
-  const fullName = getPkgFullNameFromPurlObj(purlObj)
-  return getSocketDevPackageOverviewUrl(purlObj.type, fullName, purlObj.version)
+  const fullName = getPkgFullNameFromPurlObj(purlObj);
+  return getSocketDevPackageOverviewUrl(purlObj.type, fullName, purlObj.version);
 }
 function getSocketDevPackageOverviewUrl(ecosystem, fullName, version) {
-  const url = `${SOCKET_WEBSITE_URL}/${ecosystem}/package/${fullName}`
-  return ecosystem === 'go'
-    ? `${url}${version ? `?section=overview&version=${version}` : ''}`
-    : `${url}${version ? `/overview/${version}` : ''}`
+  const url = `${SOCKET_WEBSITE_URL}/${ecosystem}/package/${fullName}`;
+  return ecosystem === 'go' ? `${url}${version ? `?section=overview&version=${version}` : ''}` : `${url}${version ? `/overview/${version}` : ''}`;
 }
 
 /**
@@ -1788,23 +1620,18 @@ function getSocketDevPackageOverviewUrl(ecosystem, fullName, version) {
  * The goal is to serialize it with JSON.stringify, which Map can't do.
  */
 function mapToObject(map) {
-  return Object.fromEntries(
-    Array.from(map.entries()).map(([k, v]) => [
-      k,
-      v instanceof Map ? mapToObject(v) : v
-    ])
-  )
+  return Object.fromEntries(Array.from(map.entries()).map(([k, v]) => [k, v instanceof Map ? mapToObject(v) : v]));
 }
 
 function* walkNestedMap(map, keys = []) {
   for (const [key, value] of map.entries()) {
     if (value instanceof Map) {
-      yield* walkNestedMap(value, keys.concat(key))
+      yield* walkNestedMap(value, keys.concat(key));
     } else {
       yield {
         keys: keys.concat(key),
         value: value
-      }
+      };
     }
   }
 }
@@ -1814,48 +1641,47 @@ const {
   ALERT_TYPE_CVE,
   ALERT_TYPE_MEDIUM_CVE,
   ALERT_TYPE_MILD_CVE
-} = constants
+} = constants;
 function isArtifactAlertCve(alert) {
-  const { type } = alert
-  return (
-    type === ALERT_TYPE_CVE ||
-    type === ALERT_TYPE_MEDIUM_CVE ||
-    type === ALERT_TYPE_MILD_CVE ||
-    type === ALERT_TYPE_CRITICAL_CVE
-  )
+  const {
+    type
+  } = alert;
+  return type === ALERT_TYPE_CVE || type === ALERT_TYPE_MEDIUM_CVE || type === ALERT_TYPE_MILD_CVE || type === ALERT_TYPE_CRITICAL_CVE;
 }
 
 function createEnum(obj) {
   return Object.freeze({
     __proto__: null,
     ...obj
-  })
+  });
 }
 function pick(input, keys) {
-  const result = {}
+  const result = {};
   for (const key of keys) {
-    result[key] = input[key]
+    result[key] = input[key];
   }
-  return result
+  return result;
 }
 
 const ALERT_FIX_TYPE = createEnum({
   cve: 'cve',
   remove: 'remove',
   upgrade: 'upgrade'
-})
+});
 
 function stringJoinWithSeparateFinalSeparator(list, separator = ' and ') {
-  const values = list.filter(Boolean)
-  const { length } = values
+  const values = list.filter(Boolean);
+  const {
+    length
+  } = values;
   if (!length) {
-    return ''
+    return '';
   }
   if (length === 1) {
-    return values[0]
+    return values[0];
   }
-  const finalValue = values.pop()
-  return `${values.join(', ')}${separator}${finalValue}`
+  const finalValue = values.pop();
+  return `${values.join(', ')}${separator}${finalValue}`;
 }
 
 const ALERT_SEVERITY = createEnum({
@@ -1863,129 +1689,147 @@ const ALERT_SEVERITY = createEnum({
   high: 'high',
   middle: 'middle',
   low: 'low'
-})
+});
 // Ordered from most severe to least.
-const ALERT_SEVERITIES_SORTED = Object.freeze([
-  'critical',
-  'high',
-  'middle',
-  'low'
-])
+const ALERT_SEVERITIES_SORTED = Object.freeze(['critical', 'high', 'middle', 'low']);
 function getDesiredSeverities(lowestToInclude) {
-  const result = []
+  const result = [];
   for (const severity of ALERT_SEVERITIES_SORTED) {
-    result.push(severity)
+    result.push(severity);
     if (severity === lowestToInclude) {
-      break
+      break;
     }
   }
-  return result
+  return result;
 }
 function formatSeverityCount(severityCount) {
-  const summary = []
+  const summary = [];
   for (const severity of ALERT_SEVERITIES_SORTED) {
     if (severityCount[severity]) {
-      summary.push(`${severityCount[severity]} ${severity}`)
+      summary.push(`${severityCount[severity]} ${severity}`);
     }
   }
-  return stringJoinWithSeparateFinalSeparator(summary)
+  return stringJoinWithSeparateFinalSeparator(summary);
 }
 function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = pick(
-    {
-      low: 0,
-      middle: 0,
-      high: 0,
-      critical: 0
-    },
-    getDesiredSeverities(lowestToInclude)
-  )
+  const severityCount = pick({
+    low: 0,
+    middle: 0,
+    high: 0,
+    critical: 0
+  }, getDesiredSeverities(lowestToInclude));
   for (const issue of issues) {
-    const { value } = issue
+    const {
+      value
+    } = issue;
     if (!value) {
-      continue
+      continue;
     }
-    const { severity } = value
+    const {
+      severity
+    } = value;
     if (severityCount[severity] !== undefined) {
-      severityCount[severity] += 1
+      severityCount[severity] += 1;
     }
   }
-  return severityCount
+  return severityCount;
 }
 
 class ColorOrMarkdown {
   constructor(useMarkdown) {
-    this.useMarkdown = !!useMarkdown
+    this.useMarkdown = !!useMarkdown;
   }
   bold(text) {
-    return this.useMarkdown
-      ? `**${text}**`
-      : vendor.yoctocolorsCjsExports.bold(`${text}`)
+    return this.useMarkdown ? `**${text}**` : vendor.yoctocolorsCjsExports.bold(`${text}`);
   }
   header(text, level = 1) {
-    return this.useMarkdown
-      ? `\n${''.padStart(level, '#')} ${text}\n`
-      : vendor.yoctocolorsCjsExports.underline(
-          `\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`
-        )
+    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : vendor.yoctocolorsCjsExports.underline(`\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`);
   }
-  hyperlink(text, url, { fallback = true, fallbackToUrl } = {}) {
+  hyperlink(text, url, {
+    fallback = true,
+    fallbackToUrl
+  } = {}) {
     if (url) {
-      return this.useMarkdown
-        ? `[${text}](${url})`
-        : vendor.terminalLinkExports(text, url, {
-            fallback: fallbackToUrl ? (_text, url) => url : fallback
-          })
+      return this.useMarkdown ? `[${text}](${url})` : vendor.terminalLinkExports(text, url, {
+        fallback: fallbackToUrl ? (_text, url) => url : fallback
+      });
     }
-    return text
+    return text;
   }
   indent(...args) {
-    return vendor.indentStringExports(...args)
+    return vendor.indentStringExports(...args);
   }
   italic(text) {
-    return this.useMarkdown
-      ? `_${text}_`
-      : vendor.yoctocolorsCjsExports.italic(`${text}`)
+    return this.useMarkdown ? `_${text}_` : vendor.yoctocolorsCjsExports.italic(`${text}`);
   }
   json(value) {
-    return this.useMarkdown
-      ? '```json\n' + JSON.stringify(value) + '\n```'
-      : JSON.stringify(value)
+    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
   }
   list(items) {
-    const indentedContent = items.map(item => this.indent(item).trimStart())
-    return this.useMarkdown
-      ? `* ${indentedContent.join('\n* ')}\n`
-      : `${indentedContent.join('\n')}\n`
+    const indentedContent = items.map(item => this.indent(item).trimStart());
+    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
   }
 }
 
-const require$1 = Module.createRequire(
-  require('u' + 'rl').pathToFileURL(__filename).href
-)
-let _translations
+const require$1 =Module.createRequire(require('u' + 'rl').pathToFileURL(__filename).href)
+let _translations;
 function getTranslations() {
   if (_translations === undefined) {
     _translations = require$1(
-      // Lazily access constants.rootPath.
-      path.join(constants.rootPath, 'translations.json')
-    )
+    // Lazily access constants.rootPath.
+    path.join(constants.rootPath, 'translations.json'));
   }
-  return _translations
+  return _translations;
 }
 
-function idToPurl(id) {
-  return `pkg:npm/${id}`
+async function extractPurlsFromPnpmLockfile(lockfile) {
+  const packages = lockfile?.packages ?? {};
+  const seen = new Set();
+  const visit = pkgPath => {
+    if (seen.has(pkgPath)) {
+      return;
+    }
+    const pkg = packages[pkgPath];
+    if (!pkg) {
+      return;
+    }
+    seen.add(pkgPath);
+    const deps = {
+      __proto__: null,
+      ...pkg.dependencies,
+      ...pkg.optionalDependencies,
+      ...pkg.devDependencies
+    };
+    for (const depName in deps) {
+      const ref = deps[depName];
+      const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`;
+      visit(subKey);
+    }
+  };
+  for (const pkgPath of Object.keys(packages)) {
+    visit(pkgPath);
+  }
+  return [...seen].map(p => idToPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))));
+}
+function isPnpmDepPath(maybeDepPath) {
+  return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47; /*'/'*/
+}
+function parsePnpmLockfileVersion(version) {
+  return vendor.semverExports.coerce(version);
+}
+async function readPnpmLockfile(lockfilePath) {
+  return fs.existsSync(lockfilePath) ? vendor.jsYaml.load(strings.stripBom(await readFileUtf8(lockfilePath))) : null;
 }
-function isDepPath(maybeDepPath) {
-  return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47 /*'/'*/
+function stripLeadingPnpmDepPathSlash(depPath) {
+  return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath;
 }
-function stripLeadingSlash(depPath) {
-  return isDepPath(depPath) ? depPath.slice(1) : depPath
+function stripPnpmPeerSuffix(depPath) {
+  const index = depPath.indexOf('(');
+  return index === -1 ? depPath : depPath.slice(0, index);
 }
-function stripPeerSuffix(depPath) {
-  const index = depPath.indexOf('(')
-  return index === -1 ? depPath : depPath.slice(0, index)
+
+function idToPurl(id) {
+  return `pkg:npm/${id}`;
 }
 
 const ALERT_SEVERITY_COLOR = createEnum({
@@ -1993,51 +1837,38 @@ const ALERT_SEVERITY_COLOR = createEnum({
   high: 'red',
   middle: 'yellow',
   low: 'white'
-})
+});
 const ALERT_SEVERITY_ORDER = createEnum({
   critical: 0,
   high: 1,
   middle: 2,
   low: 3,
   none: 4
-})
-const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM: NPM$3 } =
-  constants
-const MIN_ABOVE_THE_FOLD_COUNT = 3
-const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1
-const format = new ColorOrMarkdown(false)
+});
+const {
+  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
+  NPM: NPM$3
+} = constants;
+const MIN_ABOVE_THE_FOLD_COUNT = 3;
+const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1;
+const format = new ColorOrMarkdown(false);
 function alertsHaveBlocked(alerts) {
-  return alerts.find(a => a.blocked) !== undefined
+  return alerts.find(a => a.blocked) !== undefined;
 }
 function alertsHaveSeverity(alerts, severity) {
-  return alerts.find(a => a.raw.severity === severity) !== undefined
+  return alerts.find(a => a.raw.severity === severity) !== undefined;
 }
 function alertSeverityComparator(a, b) {
-  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b)
+  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b);
 }
 function getAlertSeverityOrder(alert) {
-  const { severity } = alert.raw
-  return severity === ALERT_SEVERITY.critical
-    ? 0
-    : severity === ALERT_SEVERITY.high
-      ? 1
-      : severity === ALERT_SEVERITY.middle
-        ? 2
-        : severity === ALERT_SEVERITY.low
-          ? 3
-          : 4
+  const {
+    severity
+  } = alert.raw;
+  return severity === ALERT_SEVERITY.critical ? 0 : severity === ALERT_SEVERITY.high ? 1 : severity === ALERT_SEVERITY.middle ? 2 : severity === ALERT_SEVERITY.low ? 3 : 4;
 }
 function getAlertsSeverityOrder(alerts) {
-  return alertsHaveBlocked(alerts) ||
-    alertsHaveSeverity(alerts, ALERT_SEVERITY.critical)
-    ? 0
-    : alertsHaveSeverity(alerts, ALERT_SEVERITY.high)
-      ? 1
-      : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle)
-        ? 2
-        : alertsHaveSeverity(alerts, ALERT_SEVERITY.low)
-          ? 3
-          : 4
+  return alertsHaveBlocked(alerts) || alertsHaveSeverity(alerts, ALERT_SEVERITY.critical) ? 0 : alertsHaveSeverity(alerts, ALERT_SEVERITY.high) ? 1 : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle) ? 2 : alertsHaveSeverity(alerts, ALERT_SEVERITY.low) ? 3 : 4;
 }
 function getHiddenRiskCounts(hiddenAlerts) {
   const riskCounts = {
@@ -2045,48 +1876,48 @@ function getHiddenRiskCounts(hiddenAlerts) {
     high: 0,
     middle: 0,
     low: 0
-  }
+  };
   for (const alert of hiddenAlerts) {
     switch (getAlertSeverityOrder(alert)) {
       case ALERT_SEVERITY_ORDER.critical:
-        riskCounts.critical += 1
-        break
+        riskCounts.critical += 1;
+        break;
       case ALERT_SEVERITY_ORDER.high:
-        riskCounts.high += 1
-        break
+        riskCounts.high += 1;
+        break;
       case ALERT_SEVERITY_ORDER.middle:
-        riskCounts.middle += 1
-        break
+        riskCounts.middle += 1;
+        break;
       case ALERT_SEVERITY_ORDER.low:
-        riskCounts.low += 1
-        break
+        riskCounts.low += 1;
+        break;
     }
   }
-  return riskCounts
+  return riskCounts;
 }
 function getHiddenRisksDescription(riskCounts) {
-  const descriptions = []
+  const descriptions = [];
   if (riskCounts.critical) {
-    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`)
+    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`);
   }
   if (riskCounts.high) {
-    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`)
+    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`);
   }
   if (riskCounts.middle) {
-    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`)
+    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`);
   }
   if (riskCounts.low) {
-    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`)
+    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`);
   }
-  return `(${descriptions.join('; ')})`
+  return `(${descriptions.join('; ')})`;
 }
 function getSeverityLabel(severity) {
-  return severity === 'middle' ? 'moderate' : severity
+  return severity === 'middle' ? 'moderate' : severity;
 }
 async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   // Make TypeScript happy.
   if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-    return alertsByPkgId
+    return alertsByPkgId;
   }
   const {
     consolidate = false,
@@ -2095,7 +1926,7 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   } = {
     __proto__: null,
     ...options
-  }
+  };
   const include = {
     __proto__: null,
     blocked: true,
@@ -2104,41 +1935,34 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
     unfixable: true,
     upgradable: false,
     ..._include
-  }
-  const name = packages.resolvePackageName(artifact)
-  const { version } = artifact
-  const pkgId = `${name}@${version}`
-  const major = vendor.semverExports.major(version)
-  const socketYml = findSocketYmlSync()
+  };
+  const name = packages.resolvePackageName(artifact);
+  const {
+    version
+  } = artifact;
+  const pkgId = `${name}@${version}`;
+  const major = vendor.semverExports.major(version);
+  const socketYml = findSocketYmlSync();
   const enabledState = {
     __proto__: null,
     ...socketYml?.parsed.issueRules
-  }
-  let sockPkgAlerts = []
+  };
+  let sockPkgAlerts = [];
   for (const alert of artifact.alerts) {
-    const action = alert.action ?? ''
-    const enabledFlag = enabledState[alert.type]
-    if (
-      (action === 'ignore' && enabledFlag !== true) ||
-      enabledFlag === false
-    ) {
-      continue
-    }
-    const blocked = action === 'error'
-    const critical = alert.severity === ALERT_SEVERITY.critical
-    const cve = isArtifactAlertCve(alert)
-    const fixType = alert.fix?.type ?? ''
-    const fixableCve = fixType === ALERT_FIX_TYPE.cve
-    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade
-    const fixable = fixableCve || fixableUpgrade
-    const upgradable = fixableUpgrade && !objects.hasOwn(overrides, name)
-    if (
-      (include.blocked && blocked) ||
-      (include.critical && critical) ||
-      (include.cve && cve) ||
-      (include.unfixable && !fixable) ||
-      (include.upgradable && upgradable)
-    ) {
+    const action = alert.action ?? '';
+    const enabledFlag = enabledState[alert.type];
+    if (action === 'ignore' && enabledFlag !== true || enabledFlag === false) {
+      continue;
+    }
+    const blocked = action === 'error';
+    const critical = alert.severity === ALERT_SEVERITY.critical;
+    const cve = isArtifactAlertCve(alert);
+    const fixType = alert.fix?.type ?? '';
+    const fixableCve = fixType === ALERT_FIX_TYPE.cve;
+    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade;
+    const fixable = fixableCve || fixableUpgrade;
+    const upgradable = fixableUpgrade && !objects.hasOwn(overrides, name);
+    if (include.blocked && blocked || include.critical && critical || include.cve && cve || include.unfixable && !fixable || include.upgradable && upgradable) {
       sockPkgAlerts.push({
         name,
         version,
@@ -2149,376 +1973,315 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
         fixable,
         raw: alert,
         upgradable
-      })
+      });
     }
   }
   if (!sockPkgAlerts.length) {
-    return alertsByPkgId
+    return alertsByPkgId;
   }
   if (consolidate) {
-    const highestForCve = new Map()
-    const highestForUpgrade = new Map()
-    const unfixableAlerts = []
+    const highestForCve = new Map();
+    const highestForUpgrade = new Map();
+    const unfixableAlerts = [];
     for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw
-      const fixType = alert.fix?.type ?? ''
+      const alert = sockPkgAlert.raw;
+      const fixType = alert.fix?.type ?? '';
       if (fixType === ALERT_FIX_TYPE.cve) {
-        const patchedVersion =
-          alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER]
-        const patchedMajor = vendor.semverExports.major(patchedVersion)
-        const oldHighest = highestForCve.get(patchedMajor)
-        const highest = oldHighest?.version ?? '0.0.0'
+        const patchedVersion = alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
+        const patchedMajor = vendor.semverExports.major(patchedVersion);
+        const oldHighest = highestForCve.get(patchedMajor);
+        const highest = oldHighest?.version ?? '0.0.0';
         if (vendor.semverExports.gt(patchedVersion, highest)) {
           highestForCve.set(patchedMajor, {
             alert: sockPkgAlert,
             version: patchedVersion
-          })
+          });
         }
       } else if (fixType === ALERT_FIX_TYPE.upgrade) {
-        const oldHighest = highestForUpgrade.get(major)
-        const highest = oldHighest?.version ?? '0.0.0'
+        const oldHighest = highestForUpgrade.get(major);
+        const highest = oldHighest?.version ?? '0.0.0';
         if (vendor.semverExports.gt(version, highest)) {
           highestForUpgrade.set(major, {
             alert: sockPkgAlert,
             version
-          })
+          });
         }
       } else {
-        unfixableAlerts.push(sockPkgAlert)
+        unfixableAlerts.push(sockPkgAlert);
       }
     }
-    sockPkgAlerts = [
-      ...unfixableAlerts,
-      ...[...highestForCve.values()].map(d => d.alert),
-      ...[...highestForUpgrade.values()].map(d => d.alert)
-    ]
+    sockPkgAlerts = [...unfixableAlerts, ...[...highestForCve.values()].map(d => d.alert), ...[...highestForUpgrade.values()].map(d => d.alert)];
   }
   if (sockPkgAlerts.length) {
-    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type))
-    alertsByPkgId.set(pkgId, sockPkgAlerts)
+    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
+    alertsByPkgId.set(pkgId, sockPkgAlerts);
   }
-  return alertsByPkgId
+  return alertsByPkgId;
 }
 function getCveInfoFromAlertsMap(alertsMap, options) {
-  const { exclude: _exclude, limit = Infinity } = {
+  const {
+    exclude: _exclude,
+    limit = Infinity
+  } = {
     __proto__: null,
     ...options
-  }
+  };
   const exclude = {
     __proto__: null,
     upgradable: true,
     ..._exclude
-  }
-  let count = 0
-  let infoByPkgName = null
+  };
+  let count = 0;
+  let infoByPkgName = null;
   alertsMapLoop: for (const [pkgId, sockPkgAlerts] of alertsMap) {
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-      idToPurl(pkgId)
-    )
-    const name = packages.resolvePackageName(purlObj)
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(idToPurl(pkgId));
+    const name = packages.resolvePackageName(purlObj);
     for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw
-      if (
-        alert.fix?.type !== ALERT_FIX_TYPE.cve ||
-        (exclude.upgradable && registry.getManifestData(NPM$3, name))
-      ) {
-        continue
+      const alert = sockPkgAlert.raw;
+      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || exclude.upgradable && registry.getManifestData(NPM$3, name)) {
+        continue;
       }
       if (!infoByPkgName) {
-        infoByPkgName = new Map()
+        infoByPkgName = new Map();
       }
-      let infos = infoByPkgName.get(name)
+      let infos = infoByPkgName.get(name);
       if (!infos) {
-        infos = new Map()
-        infoByPkgName.set(name, infos)
+        infos = new Map();
+        infoByPkgName.set(name, infos);
       }
-      const { key } = alert
+      const {
+        key
+      } = alert;
       if (!infos.has(key)) {
-        const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
-          alert.props
+        const {
+          firstPatchedVersionIdentifier,
+          vulnerableVersionRange
+        } = alert.props;
         try {
           infos.set(key, {
             firstPatchedVersionIdentifier,
             vulnerableVersionRange: new vendor.semverExports.Range(
-              // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
-              // semver.Range will parse it without erroring.
-              vulnerableVersionRange.replace(/, +/g, ' ')
-            ).format()
-          })
+            // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
+            // semver.Range will parse it without erroring.
+            vulnerableVersionRange.replace(/, +/g, ' ')).format()
+          });
           if (++count >= limit) {
-            break alertsMapLoop
+            break alertsMapLoop;
           }
         } catch (e) {
           debug.debugLog('getCveInfoFromAlertsMap', {
             firstPatchedVersionIdentifier,
             vulnerableVersionRange
-          })
-          debug.debugLog(e)
+          });
+          debug.debugLog(e);
         }
       }
     }
   }
-  return infoByPkgName
+  return infoByPkgName;
 }
 function logAlertsMap(alertsMap, options) {
-  const { hideAt = 'middle', output = process.stderr } = {
+  const {
+    hideAt = 'middle',
+    output = process.stderr
+  } = {
     __proto__: null,
     ...options
-  }
-  const translations = getTranslations()
-  const sortedEntries = [...alertsMap.entries()].sort(
-    (a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1])
-  )
-  const aboveTheFoldPkgIds = new Set()
-  const viewableAlertsByPkgId = new Map()
-  const hiddenAlertsByPkgId = new Map()
-  for (let i = 0, { length } = sortedEntries; i < length; i += 1) {
-    const { 0: pkgId, 1: alerts } = sortedEntries[i]
-    const hiddenAlerts = []
+  };
+  const translations = getTranslations();
+  const sortedEntries = [...alertsMap.entries()].sort((a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1]));
+  const aboveTheFoldPkgIds = new Set();
+  const viewableAlertsByPkgId = new Map();
+  const hiddenAlertsByPkgId = new Map();
+  for (let i = 0, {
+      length
+    } = sortedEntries; i < length; i += 1) {
+    const {
+      0: pkgId,
+      1: alerts
+    } = sortedEntries[i];
+    const hiddenAlerts = [];
     const viewableAlerts = alerts.filter(a => {
-      const keep =
-        a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt]
+      const keep = a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt];
       if (!keep) {
-        hiddenAlerts.push(a)
+        hiddenAlerts.push(a);
       }
-      return keep
-    })
+      return keep;
+    });
     if (hiddenAlerts.length) {
-      hiddenAlertsByPkgId.set(pkgId, hiddenAlerts.sort(alertSeverityComparator))
+      hiddenAlertsByPkgId.set(pkgId, hiddenAlerts.sort(alertSeverityComparator));
     }
     if (!viewableAlerts.length) {
-      continue
+      continue;
     }
-    viewableAlerts.sort(alertSeverityComparator)
-    viewableAlertsByPkgId.set(pkgId, viewableAlerts)
-    if (
-      viewableAlerts.find(
-        a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle
-      )
-    ) {
-      aboveTheFoldPkgIds.add(pkgId)
+    viewableAlerts.sort(alertSeverityComparator);
+    viewableAlertsByPkgId.set(pkgId, viewableAlerts);
+    if (viewableAlerts.find(a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle)) {
+      aboveTheFoldPkgIds.add(pkgId);
     }
   }
 
   // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
-  for (const { 0: pkgId } of viewableAlertsByPkgId.entries()) {
+  for (const {
+    0: pkgId
+  } of viewableAlertsByPkgId.entries()) {
     if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
-      break
+      break;
     }
-    aboveTheFoldPkgIds.add(pkgId)
+    aboveTheFoldPkgIds.add(pkgId);
   }
   // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
-  for (const { 0: pkgId, 1: hiddenAlerts } of hiddenAlertsByPkgId.entries()) {
+  for (const {
+    0: pkgId,
+    1: hiddenAlerts
+  } of hiddenAlertsByPkgId.entries()) {
     if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
-      break
+      break;
     }
-    aboveTheFoldPkgIds.add(pkgId)
-    const viewableAlerts = viewableAlertsByPkgId.get(pkgId) ?? []
+    aboveTheFoldPkgIds.add(pkgId);
+    const viewableAlerts = viewableAlertsByPkgId.get(pkgId) ?? [];
     if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
-      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length
-      let removedHiddenAlerts
+      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length;
+      let removedHiddenAlerts;
       if (hiddenAlerts.length - neededCount > 0) {
-        removedHiddenAlerts = hiddenAlerts.splice(
-          0,
-          MIN_ABOVE_THE_FOLD_ALERT_COUNT
-        )
+        removedHiddenAlerts = hiddenAlerts.splice(0, MIN_ABOVE_THE_FOLD_ALERT_COUNT);
       } else {
-        removedHiddenAlerts = hiddenAlerts
-        hiddenAlertsByPkgId.delete(pkgId)
+        removedHiddenAlerts = hiddenAlerts;
+        hiddenAlertsByPkgId.delete(pkgId);
       }
-      viewableAlertsByPkgId.set(pkgId, [
-        ...viewableAlerts,
-        ...removedHiddenAlerts
-      ])
-    }
-  }
-  const mentionedPkgIdsWithHiddenAlerts = new Set()
-  for (
-    let i = 0,
-      prevAboveTheFold = true,
-      entries = [...viewableAlertsByPkgId.entries()],
-      { length } = entries;
-    i < length;
-    i += 1
-  ) {
-    const { 0: pkgId, 1: alerts } = entries[i]
-    const lines = new Set()
+      viewableAlertsByPkgId.set(pkgId, [...viewableAlerts, ...removedHiddenAlerts]);
+    }
+  }
+  const mentionedPkgIdsWithHiddenAlerts = new Set();
+  for (let i = 0, prevAboveTheFold = true, entries = [...viewableAlertsByPkgId.entries()], {
+      length
+    } = entries; i < length; i += 1) {
+    const {
+      0: pkgId,
+      1: alerts
+    } = entries[i];
+    const lines = new Set();
     for (const alert of alerts) {
-      const { type } = alert
-      const severity = alert.raw.severity ?? ''
-      const attributes = [
-        ...(severity
-          ? [
-              vendor.yoctocolorsCjsExports[ALERT_SEVERITY_COLOR[severity]](
-                getSeverityLabel(severity)
-              )
-            ]
-          : []),
-        ...(alert.blocked
-          ? [
-              vendor.yoctocolorsCjsExports.bold(
-                vendor.yoctocolorsCjsExports.red('blocked')
-              )
-            ]
-          : []),
-        ...(alert.fixable ? ['fixable'] : [])
-      ]
-      const maybeAttributes = attributes.length
-        ? ` ${vendor.yoctocolorsCjsExports.italic(`(${attributes.join('; ')})`)}`
-        : ''
+      const {
+        type
+      } = alert;
+      const severity = alert.raw.severity ?? '';
+      const attributes = [...(severity ? [vendor.yoctocolorsCjsExports[ALERT_SEVERITY_COLOR[severity]](getSeverityLabel(severity))] : []), ...(alert.blocked ? [vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.red('blocked'))] : []), ...(alert.fixable ? ['fixable'] : [])];
+      const maybeAttributes = attributes.length ? ` ${vendor.yoctocolorsCjsExports.italic(`(${attributes.join('; ')})`)}` : '';
       // Based data from { pageProps: { alertTypes } } of:
       // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
-      const info = translations.alerts[type]
-      const title = info?.title ?? type
-      const maybeDesc = info?.description ? ` - ${info.description}` : ''
-      const content = `${title}${maybeAttributes}${maybeDesc}`
+      const info = translations.alerts[type];
+      const title = info?.title ?? type;
+      const maybeDesc = info?.description ? ` - ${info.description}` : '';
+      const content = `${title}${maybeAttributes}${maybeDesc}`;
       // TODO: emoji seems to mis-align terminals sometimes
-      lines.add(`  ${content}`)
-    }
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(
-      idToPurl(pkgId)
-    )
-    const hyperlink = format.hyperlink(
-      pkgId,
-      getSocketDevPackageOverviewUrl(
-        NPM$3,
-        packages.resolvePackageName(purlObj),
-        purlObj.version
-      )
-    )
-    const isAboveTheFold = aboveTheFoldPkgIds.has(pkgId)
+      lines.add(`  ${content}`);
+    }
+    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(idToPurl(pkgId));
+    const hyperlink = format.hyperlink(pkgId, getSocketDevPackageOverviewUrl(NPM$3, packages.resolvePackageName(purlObj), purlObj.version));
+    const isAboveTheFold = aboveTheFoldPkgIds.has(pkgId);
     if (isAboveTheFold) {
-      aboveTheFoldPkgIds.add(pkgId)
-      output.write(`${i ? '\n' : ''}${hyperlink}:\n`)
+      aboveTheFoldPkgIds.add(pkgId);
+      output.write(`${i ? '\n' : ''}${hyperlink}:\n`);
     } else {
-      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`)
+      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`);
     }
     for (const line of lines) {
-      output.write(`${line}\n`)
+      output.write(`${line}\n`);
     }
-    const hiddenAlerts = hiddenAlertsByPkgId.get(pkgId) ?? []
-    const { length: hiddenAlertsCount } = hiddenAlerts
+    const hiddenAlerts = hiddenAlertsByPkgId.get(pkgId) ?? [];
+    const {
+      length: hiddenAlertsCount
+    } = hiddenAlerts;
     if (hiddenAlertsCount) {
-      mentionedPkgIdsWithHiddenAlerts.add(pkgId)
+      mentionedPkgIdsWithHiddenAlerts.add(pkgId);
       if (hiddenAlertsCount === 1) {
-        output.write(
-          `  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`
-        )
+        output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`);
       } else {
-        output.write(
-          `  ${vendor.yoctocolorsCjsExports.dim(`+${hiddenAlertsCount} Hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`
-        )
+        output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+${hiddenAlertsCount} Hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`);
       }
     }
-    prevAboveTheFold = isAboveTheFold
+    prevAboveTheFold = isAboveTheFold;
   }
-  const additionalHiddenCount =
-    hiddenAlertsByPkgId.size - mentionedPkgIdsWithHiddenAlerts.size
+  const additionalHiddenCount = hiddenAlertsByPkgId.size - mentionedPkgIdsWithHiddenAlerts.size;
   if (additionalHiddenCount) {
     const totalRiskCounts = {
       critical: 0,
       high: 0,
       middle: 0,
       low: 0
-    }
-    for (const { 0: pkgId, 1: alerts } of hiddenAlertsByPkgId.entries()) {
+    };
+    for (const {
+      0: pkgId,
+      1: alerts
+    } of hiddenAlertsByPkgId.entries()) {
       if (mentionedPkgIdsWithHiddenAlerts.has(pkgId)) {
-        continue
+        continue;
       }
-      const riskCounts = getHiddenRiskCounts(alerts)
-      totalRiskCounts.critical += riskCounts.critical
-      totalRiskCounts.high += riskCounts.high
-      totalRiskCounts.middle += riskCounts.middle
-      totalRiskCounts.low += riskCounts.low
+      const riskCounts = getHiddenRiskCounts(alerts);
+      totalRiskCounts.critical += riskCounts.critical;
+      totalRiskCounts.high += riskCounts.high;
+      totalRiskCounts.middle += riskCounts.middle;
+      totalRiskCounts.low += riskCounts.low;
     }
-    output.write(
-      `${aboveTheFoldPkgIds.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPkgIds.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`
-    )
+    output.write(`${aboveTheFoldPkgIds.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPkgIds.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`);
   }
-  output.write('\n')
+  output.write('\n');
 }
 
-const RangeStyles = ['caret', 'gt', 'lt', 'pin', 'preserve', 'tilde']
+const RangeStyles = ['caret', 'gt', 'lt', 'pin', 'preserve', 'tilde'];
 function applyRange(refRange, version, style = 'preserve') {
   switch (style) {
     case 'caret':
-      return `^${version}`
+      return `^${version}`;
     case 'gt':
-      return `>${version}`
+      return `>${version}`;
     case 'gte':
-      return `>=${version}`
+      return `>=${version}`;
     case 'lt':
-      return `<${version}`
+      return `<${version}`;
     case 'lte':
-      return `<=${version}`
-    case 'preserve': {
-      const range = new vendor.semverExports.Range(refRange)
-      const { raw } = range
-      const comparators = [...range.set].flat()
-      const { length } = comparators
-      if (length === 1) {
-        const char = /^[<>]=?/.exec(raw)?.[0]
-        if (char) {
-          return `${char}${version}`
-        }
-      } else if (length === 2) {
-        const char = /^[~^]/.exec(raw)?.[0]
-        if (char) {
-          return `${char}${version}`
+      return `<=${version}`;
+    case 'preserve':
+      {
+        const range = new vendor.semverExports.Range(refRange);
+        const {
+          raw
+        } = range;
+        const comparators = [...range.set].flat();
+        const {
+          length
+        } = comparators;
+        if (length === 1) {
+          const char = /^[<>]=?/.exec(raw)?.[0];
+          if (char) {
+            return `${char}${version}`;
+          }
+        } else if (length === 2) {
+          const char = /^[~^]/.exec(raw)?.[0];
+          if (char) {
+            return `${char}${version}`;
+          }
         }
+        return version;
       }
-      return version
-    }
     case 'tilde':
-      return `~${version}`
+      return `~${version}`;
     case 'pin':
     default:
-      return version
+      return version;
   }
 }
 function getMajor(version) {
-  const coerced = vendor.semverExports.coerce(version)
+  const coerced = vendor.semverExports.coerce(version);
   if (coerced) {
     try {
-      return vendor.semverExports.major(coerced)
+      return vendor.semverExports.major(coerced);
     } catch (e) {
-      debug.debugLog(`Error parsing '${version}':\n`, e)
-    }
-  }
-  return null
-}
-
-async function extractPurlsFromPnpmLockfile(lockfile) {
-  const packages = lockfile?.packages ?? {}
-  const seen = new Set()
-  const visit = pkgPath => {
-    if (seen.has(pkgPath)) {
-      return
-    }
-    const pkg = packages[pkgPath]
-    if (!pkg) {
-      return
+      debug.debugLog(`Error parsing '${version}':\n`, e);
     }
-    seen.add(pkgPath)
-    const deps = {
-      __proto__: null,
-      ...pkg.dependencies,
-      ...pkg.optionalDependencies,
-      ...pkg.devDependencies
-    }
-    for (const depName in deps) {
-      const ref = deps[depName]
-      const subKey = isDepPath(ref) ? ref : `/${depName}@${ref}`
-      visit(subKey)
-    }
-  }
-  for (const pkgPath of Object.keys(packages)) {
-    visit(pkgPath)
   }
-  return [...seen].map(p => idToPurl(stripPeerSuffix(stripLeadingSlash(p))))
-}
-function parsePnpmLockfileVersion(version) {
-  return vendor.semverExports.coerce(version)
+  return null;
 }
 
 async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
@@ -2528,12 +2291,12 @@ async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
     limit: Infinity,
     nothrow: false,
     ...options_
-  }
-  const purls = await extractPurlsFromPnpmLockfile(lockfile)
+  };
+  const purls = await extractPurlsFromPnpmLockfile(lockfile);
   return await getAlertsMapFromPurls(purls, {
     overrides: lockfile.overrides,
     ...options
-  })
+  });
 }
 async function getAlertsMapFromPurls(purls, options_) {
   const options = {
@@ -2541,7 +2304,7 @@ async function getAlertsMapFromPurls(purls, options_) {
     consolidate: false,
     nothrow: false,
     ...options_
-  }
+  };
   const include = {
     __proto__: null,
     actions: undefined,
@@ -2552,69 +2315,60 @@ async function getAlertsMapFromPurls(purls, options_) {
     unfixable: true,
     upgradable: false,
     ...options.include
-  }
-  const { spinner } = options
-  const uniqPurls = arrays.arrayUnique(purls)
-  let { length: remaining } = uniqPurls
-  const alertsByPkgId = new Map()
+  };
+  const {
+    spinner
+  } = options;
+  const uniqPurls = arrays.arrayUnique(purls);
+  let {
+    length: remaining
+  } = uniqPurls;
+  const alertsByPkgId = new Map();
   if (!remaining) {
-    return alertsByPkgId
+    return alertsByPkgId;
   }
-  const getText = () => `Looking up data for ${remaining} packages`
-  spinner?.start(getText())
-  const sockSdkResult = await setupSdk(getPublicToken())
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner?.start(getText());
+  const sockSdkResult = await setupSdk(getPublicToken());
   if (!sockSdkResult.ok) {
-    throw new Error('Auth error: Try to run `socket login` first')
+    throw new Error('Auth error: Try to run `socket login` first');
   }
-  const sockSdk = sockSdkResult.data
+  const sockSdk = sockSdkResult.data;
   const toAlertsMapOptions = {
     overrides: options.overrides,
     consolidate: options.consolidate,
     include,
     spinner
-  }
-  for await (const batchResult of sockSdk.batchPackageStream(
-    {
-      alerts: 'true',
-      compact: 'true',
-      ...(include.actions
-        ? {
-            actions: include.actions.join(',')
-          }
-        : {}),
-      ...(include.unfixable
-        ? {}
-        : {
-            fixable: 'true'
-          })
-    },
-    {
-      components: uniqPurls.map(purl => ({
-        purl
-      }))
-    }
-  )) {
+  };
+  for await (const batchResult of sockSdk.batchPackageStream({
+    alerts: 'true',
+    compact: 'true',
+    ...(include.actions ? {
+      actions: include.actions.join(',')
+    } : {}),
+    ...(include.unfixable ? {} : {
+      fixable: 'true'
+    })
+  }, {
+    components: uniqPurls.map(purl => ({
+      purl
+    }))
+  })) {
     if (batchResult.success) {
-      await addArtifactToAlertsMap(
-        batchResult.data,
-        alertsByPkgId,
-        toAlertsMapOptions
-      )
+      await addArtifactToAlertsMap(batchResult.data, alertsByPkgId, toAlertsMapOptions);
     } else if (!options.nothrow) {
-      const statusCode = batchResult.status ?? 'unknown'
-      const statusMessage = batchResult.error ?? 'No status message'
-      throw new Error(
-        `Socket API server error (${statusCode}): ${statusMessage}`
-      )
+      const statusCode = batchResult.status ?? 'unknown';
+      const statusMessage = batchResult.error ?? 'No status message';
+      throw new Error(`Socket API server error (${statusCode}): ${statusMessage}`);
     }
-    remaining -= 1
+    remaining -= 1;
     if (spinner && remaining > 0) {
-      spinner.start()
-      spinner.setText(getText())
+      spinner.start();
+      spinner.setText(getText());
     }
   }
-  spinner?.stop()
-  return alertsByPkgId
+  spinner?.stop();
+  return alertsByPkgId;
 }
 
 const {
@@ -2622,7 +2376,7 @@ const {
   SOCKET_CLI_SAFE_BIN,
   SOCKET_CLI_SAFE_PROGRESS,
   SOCKET_IPC_HANDSHAKE
-} = constants
+} = constants;
 function safeNpmInstall(options) {
   const {
     agentExecPath = getNpmBinPath(),
@@ -2633,77 +2387,60 @@ function safeNpmInstall(options) {
   } = {
     __proto__: null,
     ...options
-  }
+  };
   // Lazily access constants.ENV.NODE_COMPILE_CACHE
-  const { NODE_COMPILE_CACHE } = constants.ENV
-  let stdio = spawnOptions.stdio
-  const useIpc = objects.isObject(ipc)
+  const {
+    NODE_COMPILE_CACHE
+  } = constants.ENV;
+  let stdio = spawnOptions.stdio;
+  const useIpc = objects.isObject(ipc);
   // Include 'ipc' in the spawnOptions.stdio when an options.ipc object is provided.
   // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
   // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
   if (typeof stdio === 'string') {
-    stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio]
+    stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio];
   } else if (useIpc && Array.isArray(stdio) && !stdio.includes('ipc')) {
-    stdio = stdio.concat('ipc')
-  }
-  const useDebug = debug.isDebug()
-  const terminatorPos = args.indexOf('--')
-  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)
-  const progressArg =
-    rawBinArgs.findLast(npm.isProgressFlag) !== '--no-progress'
-  const binArgs = rawBinArgs.filter(
-    a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a)
-  )
-  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)
-  const isSilent = !useDebug && !binArgs.some(npm.isLoglevelFlag)
-  const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : []
+    stdio = stdio.concat('ipc');
+  }
+  const useDebug = debug.isDebug();
+  const terminatorPos = args.indexOf('--');
+  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const progressArg = rawBinArgs.findLast(npm.isProgressFlag) !== '--no-progress';
+  const binArgs = rawBinArgs.filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const isSilent = !useDebug && !binArgs.some(npm.isLoglevelFlag);
+  const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : [];
   const spawnPromise = spawn.spawn(
-    // Lazily access constants.execPath.
-    constants.execPath,
-    [
-      // Lazily access constants.nodeHardenFlags.
-      ...constants.nodeHardenFlags,
-      // Lazily access constants.nodeNoWarningsFlags.
-      ...constants.nodeNoWarningsFlags,
-      // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.
-      ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD
-        ? [
-            '--require',
-            // Lazily access constants.distInstrumentWithSentryPath.
-            constants.distInstrumentWithSentryPath
-          ]
-        : []),
-      '--require',
-      // Lazily access constants.distShadowInjectPath.
-      constants.distShadowInjectPath,
-      npm.realExecPathSync(agentExecPath),
-      'install',
-      // Avoid code paths for 'audit' and 'fund'.
-      '--no-audit',
-      '--no-fund',
-      // Add '--no-progress' to fix input being swallowed by the npm spinner.
-      '--no-progress',
-      // Add '--loglevel=silent' if a loglevel flag is not provided and the
-      // SOCKET_CLI_DEBUG environment variable is not truthy.
-      ...logLevelArgs,
-      ...binArgs,
-      ...otherArgs
-    ],
-    {
-      spinner,
-      ...spawnOptions,
-      stdio,
-      env: {
-        ...process.env,
-        ...(NODE_COMPILE_CACHE
-          ? {
-              NODE_COMPILE_CACHE
-            }
-          : undefined),
-        ...spawnOptions.env
-      }
+  // Lazily access constants.execPath.
+  constants.execPath, [
+  // Lazily access constants.nodeHardenFlags.
+  ...constants.nodeHardenFlags,
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags,
+  // Lazily access constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD.
+  ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require',
+  // Lazily access constants.distInstrumentWithSentryPath.
+  constants.distInstrumentWithSentryPath] : []), '--require',
+  // Lazily access constants.distShadowInjectPath.
+  constants.distShadowInjectPath, npm.realExecPathSync(agentExecPath), 'install',
+  // Avoid code paths for 'audit' and 'fund'.
+  '--no-audit', '--no-fund',
+  // Add '--no-progress' to fix input being swallowed by the npm spinner.
+  '--no-progress',
+  // Add '--loglevel=silent' if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...logLevelArgs, ...binArgs, ...otherArgs], {
+    spinner,
+    ...spawnOptions,
+    stdio,
+    env: {
+      ...process.env,
+      ...(NODE_COMPILE_CACHE ? {
+        NODE_COMPILE_CACHE
+      } : undefined),
+      ...spawnOptions.env
     }
-  )
+  });
   if (useIpc) {
     spawnPromise.process.send({
       [SOCKET_IPC_HANDSHAKE]: {
@@ -2711,20 +2448,26 @@ function safeNpmInstall(options) {
         [SOCKET_CLI_SAFE_PROGRESS]: progressArg,
         ...ipc
       }
-    })
+    });
   }
-  return spawnPromise
+  return spawnPromise;
 }
 
-const { NPM: NPM$1, PNPM: PNPM$1 } = constants
+const {
+  NPM: NPM$1,
+  PNPM: PNPM$1
+} = constants;
 function runAgentInstall(pkgEnvDetails, options) {
-  const { agent, agentExecPath } = pkgEnvDetails
+  const {
+    agent,
+    agentExecPath
+  } = pkgEnvDetails;
   // All package managers support the "install" command.
   if (agent === NPM$1) {
     return safeNpmInstall({
       agentExecPath,
       ...options
-    })
+    });
   }
   const {
     args = [],
@@ -2733,9 +2476,8 @@ function runAgentInstall(pkgEnvDetails, options) {
   } = {
     __proto__: null,
     ...options
-  }
-  const skipNodeHardenFlags =
-    agent === PNPM$1 && pkgEnvDetails.agentVersion.major < 11
+  };
+  const skipNodeHardenFlags = agent === PNPM$1 && pkgEnvDetails.agentVersion.major < 11;
   return spawn.spawn(agentExecPath, ['install', ...args], {
     // Lazily access constants.WIN32.
     shell: constants.WIN32,
@@ -2744,17 +2486,14 @@ function runAgentInstall(pkgEnvDetails, options) {
     ...spawnOptions,
     env: {
       ...process.env,
-      NODE_OPTIONS: cmdFlagsToString([
-        ...(skipNodeHardenFlags
-          ? []
-          : // Lazily access constants.nodeHardenFlags.
-            constants.nodeHardenFlags),
-        // Lazily access constants.nodeNoWarningsFlags.
-        ...constants.nodeNoWarningsFlags
-      ]),
+      NODE_OPTIONS: cmdFlagsToString([...(skipNodeHardenFlags ? [] :
+      // Lazily access constants.nodeHardenFlags.
+      constants.nodeHardenFlags),
+      // Lazily access constants.nodeNoWarningsFlags.
+      ...constants.nodeNoWarningsFlags]),
       ...spawnOptions.env
     }
-  })
+  });
 }
 
 const {
@@ -2770,49 +2509,37 @@ const {
   YARN,
   YARN_BERRY,
   YARN_CLASSIC
-} = constants
-const AGENTS = new Set([BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT])
-const binByAgent = new Map([
-  [BUN, BUN],
-  [NPM, NPM],
-  [PNPM, PNPM],
-  [YARN_BERRY, YARN],
-  [YARN_CLASSIC, YARN],
-  [VLT, VLT]
-])
+} = constants;
+const AGENTS = [BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT];
+const binByAgent = new Map([[BUN, BUN], [NPM, NPM], [PNPM, PNPM], [YARN_BERRY, YARN], [YARN_CLASSIC, YARN], [VLT, VLT]]);
 async function getAgentExecPath(agent) {
-  const binName = binByAgent.get(agent)
+  const binName = binByAgent.get(agent);
   if (binName === NPM) {
     // Lazily access constants.npmExecPath.
-    return constants.npmExecPath
+    return constants.npmExecPath;
   }
-  return (
-    (await vendor.libExports$1(binName, {
-      nothrow: true
-    })) ?? binName
-  )
+  return (await vendor.libExports$1(binName, {
+    nothrow: true
+  })) ?? binName;
 }
 async function getAgentVersion(agentExecPath, cwd) {
-  let result
+  let result;
   try {
     result =
-      // Coerce version output into a valid semver version by passing it through
-      // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
-      // and tildes (~).
-      vendor.semverExports.coerce(
-        // All package managers support the "--version" flag.
-        (
-          await spawn.spawn(agentExecPath, ['--version'], {
-            cwd,
-            // Lazily access constants.WIN32.
-            shell: constants.WIN32
-          })
-        ).stdout
-      ) ?? undefined
+    // Coerce version output into a valid semver version by passing it through
+    // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
+    // and tildes (~).
+    vendor.semverExports.coerce(
+    // All package managers support the "--version" flag.
+    (await spawn.spawn(agentExecPath, ['--version'], {
+      cwd,
+      // Lazily access constants.WIN32.
+      shell: constants.WIN32
+    })).stdout) ?? undefined;
   } catch (e) {
-    debug.debugLog('getAgentVersion error:\n', e)
+    debug.debugLog('getAgentVersion error:\n', e);
   }
-  return result
+  return result;
 }
 
 // The order of LOCKS properties IS significant as it affects iteration order.
@@ -2835,195 +2562,147 @@ const LOCKS = {
   // Unlike the other LOCKS keys this key contains a directory AND filename so
   // it has to be handled differently.
   'node_modules/.package-lock.json': NPM
-}
+};
 const readLockFileByAgent = (() => {
   function wrapReader(reader) {
     return async (...args) => {
       try {
-        return await reader(...args)
+        return await reader(...args);
       } catch {}
-      return undefined
-    }
-  }
-  const binaryReader = wrapReader(readFileBinary)
-  const defaultReader = wrapReader(
-    async lockPath => await readFileUtf8(lockPath)
-  )
-  return new Map([
-    [
-      BUN,
-      wrapReader(async (lockPath, agentExecPath, cwd = process.cwd()) => {
-        const ext = path.extname(lockPath)
-        if (ext === LOCK_EXT) {
-          return await defaultReader(lockPath)
-        }
-        if (ext === BINARY_LOCK_EXT) {
-          const lockBuffer = await binaryReader(lockPath)
-          if (lockBuffer) {
-            try {
-              return vendor.hyrious__bun_lockbExports.parse(lockBuffer)
-            } catch {}
-          }
-          // To print a Yarn lockfile to your console without writing it to disk
-          // use `bun bun.lockb`.
-          // https://bun.sh/guides/install/yarnlock
-          return (
-            await spawn.spawn(agentExecPath, [lockPath], {
-              cwd,
-              // Lazily access constants.WIN32.
-              shell: constants.WIN32
-            })
-          ).stdout.trim()
-        }
-        return undefined
-      })
-    ],
-    [NPM, defaultReader],
-    [PNPM, defaultReader],
-    [VLT, defaultReader],
-    [YARN_BERRY, defaultReader],
-    [YARN_CLASSIC, defaultReader]
-  ])
-})()
+      return undefined;
+    };
+  }
+  const binaryReader = wrapReader(readFileBinary);
+  const defaultReader = wrapReader(async lockPath => await readFileUtf8(lockPath));
+  return new Map([[BUN, wrapReader(async (lockPath, agentExecPath, cwd = process.cwd()) => {
+    const ext = path.extname(lockPath);
+    if (ext === LOCK_EXT) {
+      return await defaultReader(lockPath);
+    }
+    if (ext === BINARY_LOCK_EXT) {
+      const lockBuffer = await binaryReader(lockPath);
+      if (lockBuffer) {
+        try {
+          return vendor.hyrious__bun_lockbExports.parse(lockBuffer);
+        } catch {}
+      }
+      // To print a Yarn lockfile to your console without writing it to disk
+      // use `bun bun.lockb`.
+      // https://bun.sh/guides/install/yarnlock
+      return (await spawn.spawn(agentExecPath, [lockPath], {
+        cwd,
+        // Lazily access constants.WIN32.
+        shell: constants.WIN32
+      })).stdout.trim();
+    }
+    return undefined;
+  })], [NPM, defaultReader], [PNPM, defaultReader], [VLT, defaultReader], [YARN_BERRY, defaultReader], [YARN_CLASSIC, defaultReader]]);
+})();
 async function detectPackageEnvironment({
   cwd = process.cwd(),
   onUnknown
 } = {}) {
   let lockPath = await findUp(Object.keys(LOCKS), {
     cwd
-  })
-  let lockName = lockPath ? path.basename(lockPath) : undefined
-  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON
-  const pkgJsonPath = lockPath
-    ? path.resolve(
-        lockPath,
-        `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`
-      )
-    : await findUp(PACKAGE_JSON, {
-        cwd
-      })
-  const pkgPath =
-    pkgJsonPath && fs.existsSync(pkgJsonPath)
-      ? path.dirname(pkgJsonPath)
-      : undefined
-  const editablePkgJson = pkgPath
-    ? await packages.readPackageJson(pkgPath, {
-        editable: true
-      })
-    : undefined
+  });
+  let lockName = lockPath ? path.basename(lockPath) : undefined;
+  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON;
+  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`) : await findUp(PACKAGE_JSON, {
+    cwd
+  });
+  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
+  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
+    editable: true
+  }) : undefined;
   // Read Corepack `packageManager` field in package.json:
   // https://nodejs.org/api/packages.html#packagemanager
-  const pkgManager = strings.isNonEmptyString(
-    editablePkgJson?.content?.packageManager
-  )
-    ? editablePkgJson.content.packageManager
-    : undefined
-  let agent
+  const pkgManager = strings.isNonEmptyString(editablePkgJson?.content?.packageManager) ? editablePkgJson.content.packageManager : undefined;
+  let agent;
   if (pkgManager) {
     // A valid "packageManager" field value is "<package manager name>@<version>".
     // https://nodejs.org/api/packages.html#packagemanager
-    const atSignIndex = pkgManager.lastIndexOf('@')
+    const atSignIndex = pkgManager.lastIndexOf('@');
     if (atSignIndex !== -1) {
-      const name = pkgManager.slice(0, atSignIndex)
-      const version = pkgManager.slice(atSignIndex + 1)
-      if (version && AGENTS.has(name)) {
-        agent = name
+      const name = pkgManager.slice(0, atSignIndex);
+      const version = pkgManager.slice(atSignIndex + 1);
+      if (version && AGENTS.includes(name)) {
+        agent = name;
       }
     }
   }
-  if (
-    agent === undefined &&
-    !isHiddenLockFile &&
-    typeof pkgJsonPath === 'string' &&
-    typeof lockName === 'string'
-  ) {
-    agent = LOCKS[lockName]
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
+    agent = LOCKS[lockName];
   }
   if (agent === undefined) {
-    agent = NPM
-    onUnknown?.(pkgManager)
+    agent = NPM;
+    onUnknown?.(pkgManager);
   }
-  const agentExecPath = await getAgentExecPath(agent)
-  const agentVersion = await getAgentVersion(agentExecPath, cwd)
+  const agentExecPath = await getAgentExecPath(agent);
+  const agentVersion = await getAgentVersion(agentExecPath, cwd);
   if (agent === YARN_CLASSIC && (agentVersion?.major ?? 0) > 1) {
-    agent = YARN_BERRY
+    agent = YARN_BERRY;
   }
   // Lazily access constants.maintainedNodeVersions.
-  const { maintainedNodeVersions } = constants
+  const {
+    maintainedNodeVersions
+  } = constants;
   // Lazily access constants.minimumVersionByAgent.
-  const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent)
-  const minSupportedNodeVersion = maintainedNodeVersions.last
-  const nodeVersion = vendor.semverExports.coerce(process.version)
-  let lockSrc
-  let pkgAgentRange
-  let pkgNodeRange
-  let pkgMinAgentVersion = minSupportedAgentVersion
-  let pkgMinNodeVersion = minSupportedNodeVersion
+  const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent);
+  const minSupportedNodeVersion = maintainedNodeVersions.last;
+  const nodeVersion = vendor.semverExports.coerce(process.version);
+  let lockSrc;
+  let pkgAgentRange;
+  let pkgNodeRange;
+  let pkgMinAgentVersion = minSupportedAgentVersion;
+  let pkgMinNodeVersion = minSupportedNodeVersion;
   if (editablePkgJson?.content) {
-    const { engines } = editablePkgJson.content
-    const engineAgentRange = engines?.[agent]
-    const engineNodeRange = engines?.['node']
+    const {
+      engines
+    } = editablePkgJson.content;
+    const engineAgentRange = engines?.[agent];
+    const engineNodeRange = engines?.['node'];
     if (strings.isNonEmptyString(engineAgentRange)) {
-      pkgAgentRange = engineAgentRange
+      pkgAgentRange = engineAgentRange;
       // Roughly check agent range as semver.coerce will strip leading
       // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
-      const coerced = vendor.semverExports.coerce(pkgAgentRange)
+      const coerced = vendor.semverExports.coerce(pkgAgentRange);
       if (coerced && vendor.semverExports.lt(coerced, pkgMinAgentVersion)) {
-        pkgMinAgentVersion = coerced.version
+        pkgMinAgentVersion = coerced.version;
       }
     }
     if (strings.isNonEmptyString(engineNodeRange)) {
-      pkgNodeRange = engineNodeRange
+      pkgNodeRange = engineNodeRange;
       // Roughly check Node range as semver.coerce will strip leading
       // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
-      const coerced = vendor.semverExports.coerce(pkgNodeRange)
+      const coerced = vendor.semverExports.coerce(pkgNodeRange);
       if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
-        pkgMinNodeVersion = coerced.version
+        pkgMinNodeVersion = coerced.version;
       }
     }
-    const browserslistQuery = editablePkgJson.content['browserslist']
+    const browserslistQuery = editablePkgJson.content['browserslist'];
     if (Array.isArray(browserslistQuery)) {
       // List Node targets in ascending version order.
-      const browserslistNodeTargets = vendor
-        .browserslistExports(browserslistQuery)
-        .filter(v => /^node /i.test(v))
-        .map(v => v.slice(5 /*'node '.length*/))
-        .sort(sorts.naturalCompare)
+      const browserslistNodeTargets = vendor.browserslistExports(browserslistQuery).filter(v => /^node /i.test(v)).map(v => v.slice(5 /*'node '.length*/)).sort(sorts.naturalCompare);
       if (browserslistNodeTargets.length) {
         // browserslistNodeTargets[0] is the lowest Node target version.
-        const coerced = vendor.semverExports.coerce(browserslistNodeTargets[0])
+        const coerced = vendor.semverExports.coerce(browserslistNodeTargets[0]);
         if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
-          pkgMinNodeVersion = coerced.version
+          pkgMinNodeVersion = coerced.version;
         }
       }
     }
-    lockSrc =
-      typeof lockPath === 'string'
-        ? await readLockFileByAgent.get(agent)(lockPath, agentExecPath, cwd)
-        : undefined
+    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent.get(agent)(lockPath, agentExecPath, cwd) : undefined;
   } else {
-    lockName = undefined
-    lockPath = undefined
+    lockName = undefined;
+    lockPath = undefined;
   }
   // Does the system agent version meet our minimum supported agent version?
-  const agentSupported =
-    !!agentVersion &&
-    vendor.semverExports.satisfies(
-      agentVersion,
-      `>=${minSupportedAgentVersion}`
-    )
+  const agentSupported = !!agentVersion && vendor.semverExports.satisfies(agentVersion, `>=${minSupportedAgentVersion}`);
 
   // Does the system Node version meet our minimum supported Node version?
-  const nodeSupported = vendor.semverExports.satisfies(
-    nodeVersion,
-    `>=${minSupportedNodeVersion}`
-  )
-  const npmExecPath =
-    agent === NPM ? agentExecPath : await getAgentExecPath(NPM)
-  const npmBuggyOverrides =
-    agent === NPM &&
-    !!agentVersion &&
-    vendor.semverExports.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION)
+  const nodeSupported = vendor.semverExports.satisfies(nodeVersion, `>=${minSupportedNodeVersion}`);
+  const npmExecPath = agent === NPM ? agentExecPath : await getAgentExecPath(NPM);
+  const npmBuggyOverrides = agent === NPM && !!agentVersion && vendor.semverExports.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION);
   return {
     agent,
     agentExecPath,
@@ -3046,16 +2725,11 @@ async function detectPackageEnvironment({
     },
     pkgSupports: {
       // Does our minimum supported agent version meet the package's requirements?
-      agent: vendor.semverExports.satisfies(
-        minSupportedAgentVersion,
-        `>=${pkgMinAgentVersion}`
-      ),
+      agent: vendor.semverExports.satisfies(minSupportedAgentVersion, `>=${pkgMinAgentVersion}`),
       // Does our supported Node versions meet the package's requirements?
-      node: maintainedNodeVersions.some(v =>
-        vendor.semverExports.satisfies(v, `>=${pkgMinNodeVersion}`)
-      )
+      node: maintainedNodeVersions.some(v => vendor.semverExports.satisfies(v, `>=${pkgMinNodeVersion}`))
     }
-  }
+  };
 }
 async function detectAndValidatePackageEnvironment(cwd, options) {
   const {
@@ -3065,177 +2739,201 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
   } = {
     __proto__: null,
     ...options
-  }
+  };
   const details = await detectPackageEnvironment({
     cwd,
     onUnknown(pkgManager) {
-      logger?.warn(
-        cmdPrefixMessage(
-          cmdName,
-          `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`
-        )
-      )
-    }
-  })
-  const { agent, nodeVersion, pkgRequirements } = details
-  const agentVersion = details.agentVersion ?? 'unknown'
+      logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`));
+    }
+  });
+  const {
+    agent,
+    nodeVersion,
+    pkgRequirements
+  } = details;
+  const agentVersion = details.agentVersion ?? 'unknown';
   if (!details.agentSupported) {
-    const minVersion = constants.minimumVersionByAgent.get(agent)
-    logger?.fail(
-      cmdPrefixMessage(
-        cmdName,
-        `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`
-      )
-    )
-    return
+    const minVersion = constants.minimumVersionByAgent.get(agent);
+    logger?.fail(cmdPrefixMessage(cmdName, `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`));
+    return;
   }
   if (!details.nodeSupported) {
-    const minVersion = constants.maintainedNodeVersions.last
-    logger?.fail(
-      cmdPrefixMessage(
-        cmdName,
-        `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`
-      )
-    )
-    return
+    const minVersion = constants.maintainedNodeVersions.last;
+    logger?.fail(cmdPrefixMessage(cmdName, `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`));
+    return;
   }
   if (!details.pkgSupports.agent) {
-    logger?.fail(
-      cmdPrefixMessage(
-        cmdName,
-        `Package engine "${agent}" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`
-      )
-    )
-    return
+    logger?.fail(cmdPrefixMessage(cmdName, `Package engine "${agent}" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`));
+    return;
   }
   if (!details.pkgSupports.node) {
-    logger?.fail(
-      cmdPrefixMessage(
-        cmdName,
-        `Package engine "node" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`
-      )
-    )
-    return
+    logger?.fail(cmdPrefixMessage(cmdName, `Package engine "node" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`));
+    return;
   }
   if (agent === VLT) {
-    logger?.fail(
-      cmdPrefixMessage(
-        cmdName,
-        `${agent} does not support overrides. Soon, though ⚡`
-      )
-    )
-    return
-  }
-  const lockName = details.lockName ?? 'lock file'
+    logger?.fail(cmdPrefixMessage(cmdName, `${agent} does not support overrides. Soon, though ⚡`));
+    return;
+  }
+  const lockName = details.lockName ?? 'lock file';
   if (details.lockName === undefined || details.lockSrc === undefined) {
-    logger?.fail(cmdPrefixMessage(cmdName, `No ${lockName} found`))
-    return
+    logger?.fail(cmdPrefixMessage(cmdName, `No ${lockName} found`));
+    return;
   }
   if (details.lockSrc.trim() === '') {
-    logger?.fail(cmdPrefixMessage(cmdName, `${lockName} is empty`))
-    return
+    logger?.fail(cmdPrefixMessage(cmdName, `${lockName} is empty`));
+    return;
   }
   if (details.pkgPath === undefined) {
-    logger?.fail(cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`))
-    return
+    logger?.fail(cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`));
+    return;
   }
   if (prod && (agent === BUN || agent === YARN_BERRY)) {
-    logger?.fail(
-      cmdPrefixMessage(
-        cmdName,
-        `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`
-      )
-    )
-    return
-  }
-  if (
-    details.lockPath &&
-    path.relative(cwd, details.lockPath).startsWith('.')
-  ) {
+    logger?.fail(cmdPrefixMessage(cmdName, `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`));
+    return;
+  }
+  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
     // Note: In tests we return <redacted> because otherwise snapshots will fail.
-    const { REDACTED } = constants
+    const {
+      REDACTED
+    } = constants;
     // Lazily access constants.ENV.VITEST.
-    const redacting = constants.ENV.VITEST
-    logger?.warn(
-      cmdPrefixMessage(
-        cmdName,
-        `Package ${lockName} found at ${redacting ? REDACTED : details.lockPath}`
-      )
-    )
-  }
-  return details
-}
-
-exports.ALERT_SEVERITY = ALERT_SEVERITY
-exports.AuthError = AuthError
-exports.ColorOrMarkdown = ColorOrMarkdown
-exports.InputError = InputError
-exports.RangeStyles = RangeStyles
-exports.applyRange = applyRange
-exports.captureException = captureException
-exports.checkCommandInput = checkCommandInput
-exports.cmdFlagsToString = cmdFlagsToString
-exports.cmdPrefixMessage = cmdPrefixMessage
-exports.commonFlags = commonFlags
-exports.createEnum = createEnum
-exports.detectAndValidatePackageEnvironment =
-  detectAndValidatePackageEnvironment
-exports.determineOrgSlug = determineOrgSlug
-exports.failMsgWithBadge = failMsgWithBadge
-exports.formatSeverityCount = formatSeverityCount
-exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile
-exports.getAlertsMapFromPurls = getAlertsMapFromPurls
-exports.getConfigValue = getConfigValue
-exports.getConfigValueOrUndef = getConfigValueOrUndef
-exports.getCveInfoFromAlertsMap = getCveInfoFromAlertsMap
-exports.getFlagListOutput = getFlagListOutput
-exports.getMajor = getMajor
-exports.getNpmBinPath = getNpmBinPath
-exports.getNpmRequire = getNpmRequire
-exports.getNpxBinPath = getNpxBinPath
-exports.getOutputKind = getOutputKind
-exports.getPackageFilesForScan = getPackageFilesForScan
-exports.getPkgFullNameFromPurlObj = getPkgFullNameFromPurlObj
-exports.getPublicToken = getPublicToken
-exports.getSeverityCount = getSeverityCount
-exports.getSocketDevAlertUrl = getSocketDevAlertUrl
-exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl
-exports.getSocketDevPackageOverviewUrlFromPurl =
-  getSocketDevPackageOverviewUrlFromPurl
-exports.getVisibleTokenPrefix = getVisibleTokenPrefix
-exports.globWorkspace = globWorkspace
-exports.handleApiCall = handleApiCall
-exports.handleApiCallNoSpinner = handleApiCallNoSpinner
-exports.handleUnsuccessfulApiResponse = handleUnsuccessfulApiResponse
-exports.hasDefaultToken = hasDefaultToken
-exports.idToPurl = idToPurl
-exports.isHelpFlag = isHelpFlag
-exports.isNpmBinPathShadowed = isNpmBinPathShadowed
-exports.isNpxBinPathShadowed = isNpxBinPathShadowed
-exports.isReadOnlyConfig = isReadOnlyConfig
-exports.isTestingV1 = isTestingV1
-exports.logAlertsMap = logAlertsMap
-exports.mapToObject = mapToObject
-exports.mdTable = mdTable
-exports.mdTableOfPairs = mdTableOfPairs
-exports.mdTableStringNumber = mdTableStringNumber
-exports.meowOrExit = meowOrExit
-exports.meowWithSubcommands = meowWithSubcommands
-exports.outputFlags = outputFlags
-exports.parsePnpmLockfileVersion = parsePnpmLockfileVersion
-exports.queryApiSafeJson = queryApiSafeJson
-exports.queryApiSafeText = queryApiSafeText
-exports.readFileUtf8 = readFileUtf8
-exports.removeNodeModules = removeNodeModules
-exports.runAgentInstall = runAgentInstall
-exports.safeReadFile = safeReadFile
-exports.sensitiveConfigKeys = sensitiveConfigKeys
-exports.serializeResultJson = serializeResultJson
-exports.setupSdk = setupSdk
-exports.suggestOrgSlug = suggestOrgSlug
-exports.supportedConfigKeys = supportedConfigKeys
-exports.updateConfigValue = updateConfigValue
-exports.validationFlags = validationFlags
-exports.walkNestedMap = walkNestedMap
-//# debugId=e7aa1c94-3495-4b0b-9d64-bbe476ebf80c
+    const redacting = constants.ENV.VITEST;
+    logger?.warn(cmdPrefixMessage(cmdName, `Package ${lockName} found at ${redacting ? REDACTED : details.lockPath}`));
+  }
+  return details;
+}
+
+const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion';
+function getCompletionSourcingCommand() {
+  // Note: this is exported to distPath in .config/rollup.dist.config.mjs
+  const completionScriptExportPath = path.join(
+  // Lazily access constants.distPath.
+  constants.distPath, 'socket-completion.bash');
+  if (!fs.existsSync(completionScriptExportPath)) {
+    return {
+      ok: false,
+      message: 'Tab Completion script not found',
+      cause: `Expected to find completion script at \`${completionScriptExportPath}\` but it was not there`
+    };
+  }
+  return {
+    ok: true,
+    data: `source ${completionScriptExportPath}`
+  };
+}
+function getBashrcDetails(targetCommandName) {
+  const sourcingCommand = getCompletionSourcingCommand();
+  if (!sourcingCommand.ok) {
+    return sourcingCommand;
+  }
+
+  // Lazily access constants.socketAppDataPath.
+  const {
+    socketAppDataPath
+  } = constants;
+  if (!socketAppDataPath) {
+    return {
+      ok: false,
+      message: 'Could not determine config directory',
+      cause: 'Failed to get config path'
+    };
+  }
+
+  // _socket_completion is the function defined in our completion bash script
+  const completionCommand = `${COMPLETION_CMD_PREFIX} ${targetCommandName}`;
+
+  // Location of completion script in config after installing
+  const completionScriptPath = path.join(path.dirname(socketAppDataPath), 'completion', 'socket-completion.bash');
+  const bashrcContent = `# Socket CLI completion for "${targetCommandName}"
+if [ -f "${completionScriptPath}" ]; then
+    # Load the tab completion script
+    source "${completionScriptPath}"
+    # Tell bash to use this function for tab completion of this function
+    ${completionCommand}
+fi
+`;
+  return {
+    ok: true,
+    data: {
+      sourcingCommand: sourcingCommand.data,
+      completionCommand,
+      toAddToBashrc: bashrcContent,
+      targetName: targetCommandName,
+      targetPath: completionScriptPath
+    }
+  };
+}
+
+exports.ALERT_SEVERITY = ALERT_SEVERITY;
+exports.AuthError = AuthError;
+exports.COMPLETION_CMD_PREFIX = COMPLETION_CMD_PREFIX;
+exports.ColorOrMarkdown = ColorOrMarkdown;
+exports.InputError = InputError;
+exports.RangeStyles = RangeStyles;
+exports.applyRange = applyRange;
+exports.captureException = captureException;
+exports.checkCommandInput = checkCommandInput;
+exports.cmdFlagsToString = cmdFlagsToString;
+exports.cmdPrefixMessage = cmdPrefixMessage;
+exports.commonFlags = commonFlags;
+exports.createEnum = createEnum;
+exports.detectAndValidatePackageEnvironment = detectAndValidatePackageEnvironment;
+exports.determineOrgSlug = determineOrgSlug;
+exports.failMsgWithBadge = failMsgWithBadge;
+exports.formatSeverityCount = formatSeverityCount;
+exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile;
+exports.getAlertsMapFromPurls = getAlertsMapFromPurls;
+exports.getBashrcDetails = getBashrcDetails;
+exports.getConfigValue = getConfigValue;
+exports.getConfigValueOrUndef = getConfigValueOrUndef;
+exports.getCveInfoFromAlertsMap = getCveInfoFromAlertsMap;
+exports.getFlagListOutput = getFlagListOutput;
+exports.getMajor = getMajor;
+exports.getNpmBinPath = getNpmBinPath;
+exports.getNpmRequire = getNpmRequire;
+exports.getNpxBinPath = getNpxBinPath;
+exports.getOutputKind = getOutputKind;
+exports.getPackageFilesForScan = getPackageFilesForScan;
+exports.getPkgFullNameFromPurlObj = getPkgFullNameFromPurlObj;
+exports.getPublicToken = getPublicToken;
+exports.getSeverityCount = getSeverityCount;
+exports.getSocketDevAlertUrl = getSocketDevAlertUrl;
+exports.getSocketDevPackageOverviewUrl = getSocketDevPackageOverviewUrl;
+exports.getSocketDevPackageOverviewUrlFromPurl = getSocketDevPackageOverviewUrlFromPurl;
+exports.getVisibleTokenPrefix = getVisibleTokenPrefix;
+exports.globWorkspace = globWorkspace;
+exports.handleApiCall = handleApiCall;
+exports.handleApiCallNoSpinner = handleApiCallNoSpinner;
+exports.handleUnsuccessfulApiResponse = handleUnsuccessfulApiResponse;
+exports.hasDefaultToken = hasDefaultToken;
+exports.idToPurl = idToPurl;
+exports.isHelpFlag = isHelpFlag;
+exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
+exports.isNpxBinPathShadowed = isNpxBinPathShadowed;
+exports.isReadOnlyConfig = isReadOnlyConfig;
+exports.isTestingV1 = isTestingV1;
+exports.logAlertsMap = logAlertsMap;
+exports.mapToObject = mapToObject;
+exports.mdTable = mdTable;
+exports.mdTableOfPairs = mdTableOfPairs;
+exports.mdTableStringNumber = mdTableStringNumber;
+exports.meowOrExit = meowOrExit;
+exports.meowWithSubcommands = meowWithSubcommands;
+exports.outputFlags = outputFlags;
+exports.parsePnpmLockfileVersion = parsePnpmLockfileVersion;
+exports.queryApiSafeJson = queryApiSafeJson;
+exports.queryApiSafeText = queryApiSafeText;
+exports.readPnpmLockfile = readPnpmLockfile;
+exports.removeNodeModules = removeNodeModules;
+exports.runAgentInstall = runAgentInstall;
+exports.safeReadFile = safeReadFile;
+exports.sensitiveConfigKeys = sensitiveConfigKeys;
+exports.serializeResultJson = serializeResultJson;
+exports.setupSdk = setupSdk;
+exports.suggestOrgSlug = suggestOrgSlug;
+exports.supportedConfigKeys = supportedConfigKeys;
+exports.updateConfigValue = updateConfigValue;
+exports.validationFlags = validationFlags;
+exports.walkNestedMap = walkNestedMap;
+//# debugId=8743d856-59d2-4e34-8527-7a1be1f6157f
 //# sourceMappingURL=utils.js.map