@socketsecurity/cli-with-sentry 0.15.19 → 0.15.21

package/dist/cli.js

@@ -28,6 +28,8 @@ var shadowInject = require('./shadow-inject.js');
 var objects = require('../external/@socketsecurity/registry/lib/objects');
 var registryConstants = require('../external/@socketsecurity/registry/lib/constants');
 var require$$7 = require('../external/@socketsecurity/registry/lib/promises');
+var os = require('node:os');
+var promises = require('node:stream/promises');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 async function fetchOrgAnalyticsData(time) {
@@ -300,9 +302,9 @@ async function handleAnalytics({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$K
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$L
 } = constants;
-const config$P = {
+const config$Q = {
   commandName: 'analytics',
   description: `Look up analytics data`,
   hidden: false,
@@ -364,16 +366,16 @@ const config$P = {
   .replace(/\n(?: *\n)+/g, '\n\n')
 };
 const cmdAnalytics = {
-  description: config$P.description,
-  hidden: config$P.hidden,
-  run: run$P
+  description: config$Q.description,
+  hidden: config$Q.hidden,
+  run: run$Q
 };
-async function run$P(argv, importMeta, {
+async function run$Q(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$P,
+    config: config$Q,
     importMeta,
     parentName
   });
@@ -477,7 +479,7 @@ async function run$P(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$K);
+    logger.logger.log(DRY_RUN_BAILING_NOW$L);
     return;
   }
   return await handleAnalytics({
@@ -658,10 +660,10 @@ async function handleAuditLog({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$J,
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$K,
   SOCKET_WEBSITE_URL: SOCKET_WEBSITE_URL$3
 } = constants;
-const config$O = {
+const config$P = {
   commandName: 'audit-log',
   description: 'Look up the audit log for an organization',
   hidden: false,
@@ -715,16 +717,16 @@ const config$O = {
   `
 };
 const cmdAuditLog = {
-  description: config$O.description,
-  hidden: config$O.hidden,
-  run: run$O
+  description: config$P.description,
+  hidden: config$P.hidden,
+  run: run$P
 };
-async function run$O(argv, importMeta, {
+async function run$P(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$O,
+    config: config$P,
     importMeta,
     parentName
   });
@@ -765,7 +767,7 @@ async function run$O(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$J);
+    logger.logger.log(DRY_RUN_BAILING_NOW$K);
     return;
   }
   await handleAuditLog({
@@ -855,7 +857,7 @@ async function runCdxgen(yargvWithYes) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$I
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$J
 } = constants;
 
 // TODO: Convert yargs to meow.
@@ -1057,7 +1059,7 @@ const yargsConfig = {
   'usages-slices-file' // hidden
   ]
 };
-const config$N = {
+const config$O = {
   commandName: 'cdxgen',
   description: 'Create an SBOM with CycloneDX generator (cdxgen)',
   hidden: false,
@@ -1067,18 +1069,18 @@ const config$N = {
   help: () => ''
 };
 const cmdManifestCdxgen = {
-  description: config$N.description,
-  hidden: config$N.hidden,
-  run: run$N
+  description: config$O.description,
+  hidden: config$O.hidden,
+  run: run$O
 };
-async function run$N(argv, importMeta, {
+async function run$O(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     allowUnknownFlags: true,
     // Don't let meow take over --help.
     argv: argv.filter(a => !utils.isHelpFlag(a)),
-    config: config$N,
+    config: config$O,
     importMeta,
     parentName
   });
@@ -1100,7 +1102,7 @@ async function run$N(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$I);
+    logger.logger.log(DRY_RUN_BAILING_NOW$J);
     return;
   }
 
@@ -1129,15 +1131,15 @@ async function handleCdxgen(argv, importMeta, {
   });
 }
 
-const config$M = {
+const config$N = {
   description: 'Create an SBOM with CycloneDX generator (cdxgen)',
   hidden: true};
 const cmdCdxgen = {
-  description: config$M.description,
-  hidden: config$M.hidden,
-  run: run$M
+  description: config$N.description,
+  hidden: config$N.hidden,
+  run: run$N
 };
-async function run$M(argv, importMeta, {
+async function run$N(argv, importMeta, {
   parentName
 }) {
   logger.logger.warn('Warning: The `socket cdxgen` command moved to `socket manifest cdxgen` and will be removed as a toplevel command in the next major bump.');
@@ -2318,9 +2320,9 @@ async function handleCI(autoManifest) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$H
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$I
 } = constants;
-const config$L = {
+const config$M = {
   commandName: 'ci',
   description: 'Create a new scan and report whether it passes your security policy',
   hidden: true,
@@ -2338,7 +2340,7 @@ const config$L = {
       $ ${parentName}
 
     Options
-      ${utils.getFlagListOutput(config$L.flags, 6)}
+      ${utils.getFlagListOutput(config$M.flags, 6)}
 
     This command is intended to use in CI runs to allow automated systems to
     accept or reject a current build. When the scan does not pass your security
@@ -2353,21 +2355,21 @@ const config$L = {
   `
 };
 const cmdCI = {
-  description: config$L.description,
-  hidden: config$L.hidden,
-  run: run$L
+  description: config$M.description,
+  hidden: config$M.hidden,
+  run: run$M
 };
-async function run$L(argv, importMeta, {
+async function run$M(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$L,
+    config: config$M,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$H);
+    logger.logger.log(DRY_RUN_BAILING_NOW$I);
     return;
   }
   await handleCI(Boolean(cli.flags['autoManifest']));
@@ -2611,9 +2613,9 @@ async function handleConfigAuto({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$G
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$H
 } = constants;
-const config$K = {
+const config$L = {
   commandName: 'auto',
   description: 'Automatically discover and set the correct value config item',
   hidden: false,
@@ -2642,16 +2644,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigAuto = {
-  description: config$K.description,
-  hidden: config$K.hidden,
-  run: run$K
+  description: config$L.description,
+  hidden: config$L.hidden,
+  run: run$L
 };
-async function run$K(argv, importMeta, {
+async function run$L(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$K,
+    config: config$L,
     importMeta,
     parentName
   });
@@ -2677,7 +2679,7 @@ async function run$K(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$G);
+    logger.logger.log(DRY_RUN_BAILING_NOW$H);
     return;
   }
   await handleConfigAuto({
@@ -2725,9 +2727,9 @@ async function handleConfigGet({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$F
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$G
 } = constants;
-const config$J = {
+const config$K = {
   commandName: 'get',
   description: 'Get the value of a local CLI config item',
   hidden: false,
@@ -2751,16 +2753,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigGet = {
-  description: config$J.description,
-  hidden: config$J.hidden,
-  run: run$J
+  description: config$K.description,
+  hidden: config$K.hidden,
+  run: run$K
 };
-async function run$J(argv, importMeta, {
+async function run$K(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$J,
+    config: config$K,
     importMeta,
     parentName
   });
@@ -2786,7 +2788,7 @@ async function run$J(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$F);
+    logger.logger.log(DRY_RUN_BAILING_NOW$G);
     return;
   }
   await handleConfigGet({
@@ -2863,9 +2865,9 @@ async function outputConfigList({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$E
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$F
 } = constants;
-const config$I = {
+const config$J = {
   commandName: 'list',
   description: 'Show all local CLI config items and their values',
   hidden: false,
@@ -2894,16 +2896,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigList = {
-  description: config$I.description,
-  hidden: config$I.hidden,
-  run: run$I
+  description: config$J.description,
+  hidden: config$J.hidden,
+  run: run$J
 };
-async function run$I(argv, importMeta, {
+async function run$J(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$I,
+    config: config$J,
     importMeta,
     parentName
   });
@@ -2924,7 +2926,7 @@ async function run$I(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$E);
+    logger.logger.log(DRY_RUN_BAILING_NOW$F);
     return;
   }
   await outputConfigList({
@@ -2973,9 +2975,9 @@ async function handleConfigSet({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$D
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$E
 } = constants;
-const config$H = {
+const config$I = {
   commandName: 'set',
   description: 'Update the value of a local CLI config item',
   hidden: false,
@@ -3004,16 +3006,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigSet = {
-  description: config$H.description,
-  hidden: config$H.hidden,
-  run: run$H
+  description: config$I.description,
+  hidden: config$I.hidden,
+  run: run$I
 };
-async function run$H(argv, importMeta, {
+async function run$I(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$H,
+    config: config$I,
     importMeta,
     parentName
   });
@@ -3046,7 +3048,7 @@ async function run$H(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$D);
+    logger.logger.log(DRY_RUN_BAILING_NOW$E);
     return;
   }
   await handleConfigSet({
@@ -3095,9 +3097,9 @@ async function handleConfigUnset({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$C
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$D
 } = constants;
-const config$G = {
+const config$H = {
   commandName: 'unset',
   description: 'Clear the value of a local CLI config item',
   hidden: false,
@@ -3121,16 +3123,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigUnset = {
-  description: config$G.description,
-  hidden: config$G.hidden,
-  run: run$G
+  description: config$H.description,
+  hidden: config$H.hidden,
+  run: run$H
 };
-async function run$G(argv, importMeta, {
+async function run$H(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$G,
+    config: config$H,
     importMeta,
     parentName
   });
@@ -3156,7 +3158,7 @@ async function run$G(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$C);
+    logger.logger.log(DRY_RUN_BAILING_NOW$D);
     return;
   }
   await handleConfigUnset({
@@ -3265,9 +3267,9 @@ async function handleDependencies({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$B
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$C
 } = constants;
-const config$F = {
+const config$G = {
   commandName: 'dependencies',
   description: 'Search for any dependency that is being used in your organization',
   hidden: false,
@@ -3303,16 +3305,16 @@ const config$F = {
   `
 };
 const cmdScanCreate$1 = {
-  description: config$F.description,
-  hidden: config$F.hidden,
-  run: run$F
+  description: config$G.description,
+  hidden: config$G.hidden,
+  run: run$G
 };
-async function run$F(argv, importMeta, {
+async function run$G(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$F,
+    config: config$G,
     importMeta,
     parentName
   });
@@ -3341,7 +3343,7 @@ async function run$F(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$B);
+    logger.logger.log(DRY_RUN_BAILING_NOW$C);
     return;
   }
   await handleDependencies({
@@ -3438,9 +3440,9 @@ async function handleDiffScan$1({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$A
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$B
 } = constants;
-const config$E = {
+const config$F = {
   commandName: 'get',
   description: 'Get a diff scan for an organization',
   hidden: false,
@@ -3499,16 +3501,16 @@ const config$E = {
   `
 };
 const cmdDiffScanGet = {
-  description: config$E.description,
-  hidden: config$E.hidden,
-  run: run$E
+  description: config$F.description,
+  hidden: config$F.hidden,
+  run: run$F
 };
-async function run$E(argv, importMeta, {
+async function run$F(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$E,
+    config: config$F,
     importMeta,
     parentName
   });
@@ -3553,7 +3555,7 @@ async function run$E(argv, importMeta, {
   }
   logger.logger.fail('Warning: this command is deprecated in favor of `socket scan diff` and will be removed in the next major bump.');
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$A);
+    logger.logger.log(DRY_RUN_BAILING_NOW$B);
     return;
   }
   await handleDiffScan$1({
@@ -3715,8 +3717,8 @@ let _octokit;
 function getOctokit() {
   if (_octokit === undefined) {
     _octokit = new vendor.Octokit({
-      // Lazily access constants.ENV properties.
-      auth: constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN
+      // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+      auth: constants.ENV.SOCKET_CLI_GITHUB_TOKEN
     });
   }
   return _octokit;
@@ -3726,8 +3728,8 @@ function getOctokitGraphql() {
   if (!_octokitGraphql) {
     _octokitGraphql = vendor.graphql2.defaults({
       headers: {
-        // Lazily access constants.ENV properties.
-        authorization: `token ${constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN}`
+        // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+        authorization: `token ${constants.ENV.SOCKET_CLI_GITHUB_TOKEN}`
       }
     });
   }
@@ -3735,6 +3737,7 @@ function getOctokitGraphql() {
 }
 async function cacheFetch(key, fetcher, ttlMs) {
   // Optionally disable cache.
+  // Lazily access constants.ENV.DISABLE_GITHUB_CACHE.
   if (constants.ENV.DISABLE_GITHUB_CACHE) {
     return await fetcher();
   }
@@ -4098,13 +4101,16 @@ async function install$1(arb, options) {
     __proto__: null,
     ...options
   };
-  const newArb = new shadowInject.Arborist({
-    path: cwd
-  });
-  newArb.idealTree = await arb.buildIdealTree();
-  const actualTree = await newArb.reify();
-  arb.actualTree = actualTree;
-  return actualTree;
+  try {
+    const newArb = new shadowInject.Arborist({
+      path: cwd
+    });
+    newArb.idealTree = await arb.buildIdealTree();
+    const actualTree = await newArb.reify();
+    arb.actualTree = actualTree;
+    return actualTree;
+  } catch {}
+  return null;
 }
 async function npmFix(pkgEnvDetails, {
   autoMerge,
@@ -4152,18 +4158,23 @@ async function npmFix(pkgEnvDetails, {
   });
   if (!infoByPkgName) {
     spinner?.stop();
-    logger.logger.info('No fixable vulnerabilities found.');
+    logger.logger.info('No fixable vulns found.');
     return;
   }
 
   // Lazily access constants.ENV properties.
-  const token = constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN;
+  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
   const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && token);
   const baseBranch = isCi ? getBaseGitBranch() : '';
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
+  const handleInstallFail = () => {
+    logger.logger.error(`Unexpected condition: ${pkgEnvDetails.agent} install failed.\n`);
+    logger.logger.dedent();
+    spinner?.dedent();
+  };
   spinner?.stop();
   let count = 0;
   const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
@@ -4175,7 +4186,7 @@ async function npmFix(pkgEnvDetails, {
       0: name,
       1: infos
     } = sortedInfoEntries[i];
-    logger.logger.log(`Processing vulnerable package: ${name}`);
+    logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(NPM$a, name)) {
@@ -4240,7 +4251,7 @@ async function npmFix(pkgEnvDetails, {
           const newVersion = shadowInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
           const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
           if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`No update applied. ${oldId} needs >=${firstPatchedVersionIdentifier}.`);
+            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
           const newVersionRange = utils.applyRange(oldVersion, newVersion, rangeStyle);
@@ -4288,18 +4299,23 @@ async function npmFix(pkgEnvDetails, {
           let errored = false;
           try {
             // eslint-disable-next-line no-await-in-loop
-            actualTree = await install$1(arb, {
+            const maybeActualTree = await install$1(arb, {
               cwd
             });
-            if (test) {
-              spinner?.info(`Testing ${newId} in ${workspaceName}.`);
-              // eslint-disable-next-line no-await-in-loop
-              await npm.runScript(testScript, [], {
-                spinner,
-                stdio: 'ignore'
-              });
+            if (maybeActualTree) {
+              actualTree = maybeActualTree;
+              if (test) {
+                spinner?.info(`Testing ${newId} in ${workspaceName}.`);
+                // eslint-disable-next-line no-await-in-loop
+                await npm.runScript(testScript, [], {
+                  spinner,
+                  stdio: 'ignore'
+                });
+              }
+              spinner?.success(`Fixed ${name} in ${workspaceName}.`);
+            } else {
+              errored = true;
             }
-            spinner?.success(`Fixed ${name} in ${workspaceName}.`);
           } catch (e) {
             errored = true;
             error = e;
@@ -4340,9 +4356,15 @@ async function npmFix(pkgEnvDetails, {
                 // eslint-disable-next-line no-await-in-loop
                 await gitResetAndClean(baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
-                actualTree = await install$1(arb, {
+                const maybeActualTree = await install$1(arb, {
                   cwd
                 });
+                if (!maybeActualTree) {
+                  // Exit early if install fails.
+                  handleInstallFail();
+                  return;
+                }
+                actualTree = maybeActualTree;
                 continue infosLoop;
               }
 
@@ -4386,12 +4408,19 @@ async function npmFix(pkgEnvDetails, {
             }
           }
           if (isCi) {
+            spinner?.start();
             // eslint-disable-next-line no-await-in-loop
             await gitResetAndClean(baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
-            actualTree = await install$1(arb, {
+            const maybeActualTree = await install$1(arb, {
               cwd
             });
+            spinner?.stop();
+            if (maybeActualTree) {
+              actualTree = maybeActualTree;
+            } else {
+              errored = true;
+            }
           }
           if (errored) {
             if (!isCi) {
@@ -4402,10 +4431,16 @@ async function npmFix(pkgEnvDetails, {
                 ignoreWhitespace: true
               })]);
               // eslint-disable-next-line no-await-in-loop
-              actualTree = await install$1(arb, {
+              const maybeActualTree = await install$1(arb, {
                 cwd
               });
               spinner?.stop();
+              if (!maybeActualTree) {
+                // Exit early if install fails.
+                handleInstallFail();
+                return;
+              }
+              actualTree = maybeActualTree;
             }
             logger.logger.fail(`Update failed for ${oldId} in ${workspaceName}.`, error);
           }
@@ -4457,18 +4492,21 @@ async function install(pkgEnvDetails, options) {
     __proto__: null,
     ...options
   };
-  await utils.runAgentInstall(pkgEnvDetails, {
-    args: [...(args ?? []),
-    // Enable pnpm updates to pnpm-lock.yaml in CI environments.
-    // https://pnpm.io/cli/install#--frozen-lockfile
-    '--no-frozen-lockfile',
-    // Enable a non-interactive pnpm install
-    // https://github.com/pnpm/pnpm/issues/6778
-    '--config.confirmModulesPurge=false'],
-    spinner,
-    stdio: debug.isDebug() ? 'inherit' : 'ignore'
-  });
-  return await getActualTree(cwd);
+  try {
+    await utils.runAgentInstall(pkgEnvDetails, {
+      args: [...(args ?? []),
+      // Enable pnpm updates to pnpm-lock.yaml in CI environments.
+      // https://pnpm.io/cli/install#--frozen-lockfile
+      '--no-frozen-lockfile',
+      // Enable a non-interactive pnpm install
+      // https://github.com/pnpm/pnpm/issues/6778
+      '--config.confirmModulesPurge=false'],
+      spinner,
+      stdio: debug.isDebug() ? 'inherit' : 'ignore'
+    });
+    return await getActualTree(cwd);
+  } catch {}
+  return null;
 }
 async function pnpmFix(pkgEnvDetails, {
   autoMerge,
@@ -4498,21 +4536,27 @@ async function pnpmFix(pkgEnvDetails, {
 
   // If pnpm-lock.yaml does NOT exist then install with pnpm to create it.
   if (!lockfile) {
-    actualTree = await install(pkgEnvDetails, {
+    const maybeActualTree = await install(pkgEnvDetails, {
       cwd,
       spinner
     });
-    lockfile = await utils.readPnpmLockfile(lockfilePath);
+    if (maybeActualTree) {
+      actualTree = maybeActualTree;
+      lockfile = await utils.readPnpmLockfile(lockfilePath);
+    }
   }
   // Update pnpm-lock.yaml if its version is older than what the installed pnpm
   // produces.
   if (lockfile && pkgEnvDetails.agentVersion.major >= 10 && utils.parsePnpmLockfileVersion(lockfile.lockfileVersion).major <= 6) {
-    actualTree = await install(pkgEnvDetails, {
+    const maybeActualTree = await install(pkgEnvDetails, {
       args: ['--lockfile-only'],
       cwd,
       spinner
     });
-    lockfile = await utils.readPnpmLockfile(lockfilePath);
+    if (maybeActualTree) {
+      actualTree = maybeActualTree;
+      lockfile = await utils.readPnpmLockfile(lockfilePath);
+    }
   }
 
   // Exit early if pnpm-lock.yaml is not found.
@@ -4538,18 +4582,23 @@ async function pnpmFix(pkgEnvDetails, {
   });
   if (!infoByPkgName) {
     spinner?.stop();
-    logger.logger.info('No fixable vulnerabilities found.');
+    logger.logger.info('No fixable vulns found.');
     return;
   }
 
   // Lazily access constants.ENV properties.
-  const token = constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN;
+  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
   const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && token);
   const baseBranch = isCi ? getBaseGitBranch() : '';
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
+  const handleInstallFail = () => {
+    logger.logger.error(`Unexpected condition: ${pkgEnvDetails.agent} install failed.\n`);
+    logger.logger.dedent();
+    spinner?.dedent();
+  };
   spinner?.stop();
   let count = 0;
   const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
@@ -4561,7 +4610,7 @@ async function pnpmFix(pkgEnvDetails, {
       0: name,
       1: infos
     } = sortedInfoEntries[i];
-    logger.logger.log(`Processing vulnerable package: ${name}`);
+    logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(NPM$9, name)) {
@@ -4590,7 +4639,7 @@ async function pnpmFix(pkgEnvDetails, {
 
       // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
       if (!actualTree) {
-        actualTree = fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
+        const maybeActualTree = fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
         // eslint-disable-next-line no-await-in-loop
         await getActualTree(cwd) :
         // eslint-disable-next-line no-await-in-loop
@@ -4598,6 +4647,14 @@ async function pnpmFix(pkgEnvDetails, {
           cwd,
           spinner
         });
+        if (maybeActualTree) {
+          actualTree = maybeActualTree;
+        }
+      }
+      if (!actualTree) {
+        // Exit early if install fails.
+        handleInstallFail();
+        return;
       }
       const oldVersions = arrays.arrayUnique(shadowInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
@@ -4641,7 +4698,7 @@ async function pnpmFix(pkgEnvDetails, {
           const newVersion = shadowInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
           const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
           if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`No update applied. ${oldId} needs >=${firstPatchedVersionIdentifier}.`);
+            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
           const overrideKey = `${name}@${vulnerableVersionRange}`;
@@ -4708,19 +4765,24 @@ async function pnpmFix(pkgEnvDetails, {
           let errored = false;
           try {
             // eslint-disable-next-line no-await-in-loop
-            actualTree = await install(pkgEnvDetails, {
+            const maybeActualTree = await install(pkgEnvDetails, {
               cwd,
               spinner
             });
-            if (test) {
-              spinner?.info(`Testing ${newId} in ${workspaceName}.`);
-              // eslint-disable-next-line no-await-in-loop
-              await npm.runScript(testScript, [], {
-                spinner,
-                stdio: 'ignore'
-              });
+            if (maybeActualTree) {
+              actualTree = maybeActualTree;
+              if (test) {
+                spinner?.info(`Testing ${newId} in ${workspaceName}.`);
+                // eslint-disable-next-line no-await-in-loop
+                await npm.runScript(testScript, [], {
+                  spinner,
+                  stdio: 'ignore'
+                });
+              }
+              spinner?.success(`Fixed ${name} in ${workspaceName}.`);
+            } else {
+              errored = true;
             }
-            spinner?.success(`Fixed ${name} in ${workspaceName}.`);
           } catch (e) {
             error = e;
             errored = true;
@@ -4761,10 +4823,16 @@ async function pnpmFix(pkgEnvDetails, {
                 // eslint-disable-next-line no-await-in-loop
                 await gitResetAndClean(baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
-                actualTree = await install(pkgEnvDetails, {
+                const maybeActualTree = await install(pkgEnvDetails, {
                   cwd,
                   spinner
                 });
+                if (!maybeActualTree) {
+                  // Exit early if install fails.
+                  handleInstallFail();
+                  return;
+                }
+                actualTree = maybeActualTree;
                 continue infosLoop;
               }
 
@@ -4808,13 +4876,20 @@ async function pnpmFix(pkgEnvDetails, {
             }
           }
           if (isCi) {
+            spinner?.start();
             // eslint-disable-next-line no-await-in-loop
             await gitResetAndClean(baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
-            actualTree = await install(pkgEnvDetails, {
+            const maybeActualTree = await install(pkgEnvDetails, {
               cwd,
               spinner
             });
+            spinner?.stop();
+            if (maybeActualTree) {
+              actualTree = maybeActualTree;
+            } else {
+              errored = true;
+            }
           }
           if (errored) {
             if (!isCi) {
@@ -4825,13 +4900,19 @@ async function pnpmFix(pkgEnvDetails, {
                 ignoreWhitespace: true
               })]);
               // eslint-disable-next-line no-await-in-loop
-              actualTree = await install(pkgEnvDetails, {
+              const maybeActualTree = await install(pkgEnvDetails, {
                 cwd,
                 spinner
               });
               spinner?.stop();
+              if (!maybeActualTree) {
+                // Exit early if install fails.
+                handleInstallFail();
+                return;
+              }
+              actualTree = maybeActualTree;
             }
-            logger.logger.fail(`Update failed for ${oldId} in ${workspaceName}.`, error);
+            logger.logger.fail(`Update failed for ${oldId} in ${workspaceName}.`, ...(error ? [error] : []));
           }
           if (++count >= limit) {
             logger.logger.dedent();
@@ -4880,7 +4961,7 @@ async function runFix(options_) {
   }
 }
 
-const config$D = {
+const config$E = {
   commandName: 'fix',
   description: 'Update dependencies with "fixable" Socket alerts',
   hidden: false,
@@ -4944,16 +5025,16 @@ const config$D = {
   `
 };
 const cmdFix = {
-  description: config$D.description,
-  hidden: config$D.hidden,
-  run: run$D
+  description: config$E.description,
+  hidden: config$E.hidden,
+  run: run$E
 };
-async function run$D(argv, importMeta, {
+async function run$E(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$D,
+    config: config$E,
     importMeta,
     parentName
   });
@@ -5133,9 +5214,9 @@ async function handlePackageInfo({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$z
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$A
 } = constants;
-const config$C = {
+const config$D = {
   commandName: 'info',
   description: 'Look up info regarding a package',
   hidden: true,
@@ -5160,16 +5241,16 @@ const config$C = {
   `
 };
 const cmdInfo = {
-  description: config$C.description,
-  hidden: config$C.hidden,
-  run: run$C
+  description: config$D.description,
+  hidden: config$D.hidden,
+  run: run$D
 };
-async function run$C(argv, importMeta, {
+async function run$D(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$C,
+    config: config$D,
     importMeta,
     parentName
   });
@@ -5206,11 +5287,11 @@ async function run$C(argv, importMeta, {
   const pkgName = versionSeparator < 1 ? rawPkgName : rawPkgName.slice(0, versionSeparator);
   const pkgVersion = versionSeparator < 1 ? 'latest' : rawPkgName.slice(versionSeparator + 1);
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$z);
+    logger.logger.log(DRY_RUN_BAILING_NOW$A);
     return;
   }
   await handlePackageInfo({
-    commandName: `${parentName} ${config$C.commandName}`,
+    commandName: `${parentName} ${config$D.commandName}`,
     includeAllIssues: Boolean(all),
     outputKind,
     pkgName,
@@ -5338,9 +5419,9 @@ async function handleInstallCompletion(targetName) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$y
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$z
 } = constants;
-const config$B = {
+const config$C = {
   commandName: 'completion',
   description: 'Install bash completion for Socket CLI',
   hidden: true,
@@ -5378,22 +5459,22 @@ const config$B = {
   `
 };
 const cmdInstallCompletion = {
-  description: config$B.description,
-  hidden: config$B.hidden,
-  run: run$B
+  description: config$C.description,
+  hidden: config$C.hidden,
+  run: run$C
 };
-async function run$B(argv, importMeta, {
+async function run$C(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$B,
+    config: config$C,
     importMeta,
     parentName
   });
   const targetName = cli.input[0] || 'socket';
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$y);
+    logger.logger.log(DRY_RUN_BAILING_NOW$z);
     return;
   }
   await handleInstallCompletion(String(targetName));
@@ -5511,9 +5592,9 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$x
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$y
 } = constants;
-const config$A = {
+const config$B = {
   commandName: 'login',
   description: 'Socket API login',
   hidden: false,
@@ -5546,23 +5627,23 @@ const config$A = {
   `
 };
 const cmdLogin = {
-  description: config$A.description,
-  hidden: config$A.hidden,
-  run: run$A
+  description: config$B.description,
+  hidden: config$B.hidden,
+  run: run$B
 };
-async function run$A(argv, importMeta, {
+async function run$B(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$A,
+    config: config$B,
     importMeta,
     parentName
   });
   const apiBaseUrl = cli.flags['apiBaseUrl'];
   const apiProxy = cli.flags['apiProxy'];
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$x);
+    logger.logger.log(DRY_RUN_BAILING_NOW$y);
     return;
   }
   if (!vendor.isInteractiveExports()) {
@@ -5592,9 +5673,9 @@ function attemptLogout() {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$w
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$x
 } = constants;
-const config$z = {
+const config$A = {
   commandName: 'logout',
   description: 'Socket API logout',
   hidden: false,
@@ -5609,30 +5690,30 @@ const config$z = {
   `
 };
 const cmdLogout = {
-  description: config$z.description,
-  hidden: config$z.hidden,
-  run: run$z
+  description: config$A.description,
+  hidden: config$A.hidden,
+  run: run$A
 };
-async function run$z(argv, importMeta, {
+async function run$A(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$z,
+    config: config$A,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$w);
+    logger.logger.log(DRY_RUN_BAILING_NOW$x);
     return;
   }
   attemptLogout();
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$v
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$w
 } = constants;
-const config$y = {
+const config$z = {
   commandName: 'auto',
   description: 'Auto-detect build and attempt to generate manifest file',
   hidden: false,
@@ -5661,16 +5742,16 @@ const config$y = {
   `
 };
 const cmdManifestAuto = {
-  description: config$y.description,
-  hidden: config$y.hidden,
-  run: run$y
+  description: config$z.description,
+  hidden: config$z.hidden,
+  run: run$z
 };
-async function run$y(argv, importMeta, {
+async function run$z(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$y,
+    config: config$z,
     importMeta,
     parentName
   });
@@ -5684,7 +5765,7 @@ async function run$y(argv, importMeta, {
   const cwd = String(cwdFlag || process.cwd());
   const verbose = !!verboseFlag;
   if (verbose) {
-    logger.logger.group('- ', parentName, config$y.commandName, ':');
+    logger.logger.group('- ', parentName, config$z.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -5694,7 +5775,7 @@ async function run$y(argv, importMeta, {
   const detected = await detectManifestActions(String(cwd));
   debug.debugLog(detected);
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$v);
+    logger.logger.log(DRY_RUN_BAILING_NOW$w);
     return;
   }
   if (!detected.count) {
@@ -5711,9 +5792,9 @@ async function run$y(argv, importMeta, {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$u
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$v
 } = constants;
-const config$x = {
+const config$y = {
   commandName: 'conda',
   description: '[beta] Convert a Conda environment.yml file to a python requirements.txt',
   hidden: false,
@@ -5756,16 +5837,16 @@ const config$x = {
   `
 };
 const cmdManifestConda = {
-  description: config$x.description,
-  hidden: config$x.hidden,
-  run: run$x
+  description: config$y.description,
+  hidden: config$y.hidden,
+  run: run$y
 };
-async function run$x(argv, importMeta, {
+async function run$y(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$x,
+    config: config$y,
     importMeta,
     parentName
   });
@@ -5780,7 +5861,7 @@ async function run$x(argv, importMeta, {
 
   const [target = ''] = cli.input;
   if (verbose) {
-    logger.logger.group('- ', parentName, config$x.commandName, ':');
+    logger.logger.group('- ', parentName, config$y.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- target:', target);
@@ -5810,16 +5891,16 @@ async function run$x(argv, importMeta, {
   }
   logger.logger.warn('Warning: This will approximate your Conda dependencies using PyPI. We do not yet officially support Conda. Use at your own risk.');
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$u);
+    logger.logger.log(DRY_RUN_BAILING_NOW$v);
     return;
   }
   await handleManifestConda(target, String(out || ''), json ? 'json' : markdown ? 'markdown' : 'text', String(cwd), Boolean(verbose));
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$t
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$u
 } = constants;
-const config$w = {
+const config$x = {
   commandName: 'gradle',
   description: '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Gradle/Java/Kotlin/etc project',
   hidden: false,
@@ -5882,16 +5963,16 @@ const config$w = {
   `
 };
 const cmdManifestGradle = {
-  description: config$w.description,
-  hidden: config$w.hidden,
-  run: run$w
+  description: config$x.description,
+  hidden: config$x.hidden,
+  run: run$x
 };
-async function run$w(argv, importMeta, {
+async function run$x(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$w,
+    config: config$x,
     importMeta,
     parentName
   });
@@ -5903,7 +5984,7 @@ async function run$w(argv, importMeta, {
   const outputKind = utils.getOutputKind(json, markdown); // TODO: impl json/md further
 
   if (verbose) {
-    logger.logger.group('- ', parentName, config$w.commandName, ':');
+    logger.logger.group('- ', parentName, config$x.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -5945,14 +6026,14 @@ async function run$w(argv, importMeta, {
     gradleOpts = cli.flags['gradleOpts'].split(' ').map(s => s.trim()).filter(Boolean);
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$t);
+    logger.logger.log(DRY_RUN_BAILING_NOW$u);
     return;
   }
   await convertGradleToMaven(target, String(bin), String(cwd), verbose, gradleOpts);
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$s
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$t
 } = constants;
 
 // TODO: we may want to dedupe some pieces for all gradle languages. I think it
@@ -5960,7 +6041,7 @@ const {
 //       sense for the help panels to note the requested language, rather than
 //       `socket manifest kotlin` to print help screens with `gradle` as the
 //       command. Room for improvement.
-const config$v = {
+const config$w = {
   commandName: 'kotlin',
   description: '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Kotlin project',
   hidden: false,
@@ -6023,16 +6104,16 @@ const config$v = {
   `
 };
 const cmdManifestKotlin = {
-  description: config$v.description,
-  hidden: config$v.hidden,
-  run: run$v
+  description: config$w.description,
+  hidden: config$w.hidden,
+  run: run$w
 };
-async function run$v(argv, importMeta, {
+async function run$w(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$v,
+    config: config$w,
     importMeta,
     parentName
   });
@@ -6044,7 +6125,7 @@ async function run$v(argv, importMeta, {
   const outputKind = utils.getOutputKind(json, markdown); // TODO: impl json/md further
 
   if (verbose) {
-    logger.logger.group('- ', parentName, config$v.commandName, ':');
+    logger.logger.group('- ', parentName, config$w.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -6086,16 +6167,16 @@ async function run$v(argv, importMeta, {
     gradleOpts = cli.flags['gradleOpts'].split(' ').map(s => s.trim()).filter(Boolean);
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$s);
+    logger.logger.log(DRY_RUN_BAILING_NOW$t);
     return;
   }
   await convertGradleToMaven(target, String(bin), String(cwd), verbose, gradleOpts);
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$r
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$s
 } = constants;
-const config$u = {
+const config$v = {
   commandName: 'scala',
   description: "[beta] Generate a manifest file (`pom.xml`) from Scala's `build.sbt` file",
   hidden: false,
@@ -6168,16 +6249,16 @@ const config$u = {
   `
 };
 const cmdManifestScala = {
-  description: config$u.description,
-  hidden: config$u.hidden,
-  run: run$u
+  description: config$v.description,
+  hidden: config$v.hidden,
+  run: run$v
 };
-async function run$u(argv, importMeta, {
+async function run$v(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$u,
+    config: config$v,
     importMeta,
     parentName
   });
@@ -6189,7 +6270,7 @@ async function run$u(argv, importMeta, {
   const outputKind = utils.getOutputKind(json, markdown); // TODO: impl json/md further
 
   if (verbose) {
-    logger.logger.group('- ', parentName, config$u.commandName, ':');
+    logger.logger.group('- ', parentName, config$v.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -6239,13 +6320,13 @@ async function run$u(argv, importMeta, {
     sbtOpts = cli.flags['sbtOpts'].split(' ').map(s => s.trim()).filter(Boolean);
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$r);
+    logger.logger.log(DRY_RUN_BAILING_NOW$s);
     return;
   }
   await convertSbtToMaven(target, bin, out, verbose, sbtOpts);
 }
 
-const config$t = {
+const config$u = {
   commandName: 'manifest',
   description: 'Generate a dependency manifest for given file or dir',
   hidden: false,
@@ -6253,11 +6334,11 @@ const config$t = {
     ...utils.commonFlags
   }};
 const cmdManifest = {
-  description: config$t.description,
-  hidden: config$t.hidden,
-  run: run$t
+  description: config$u.description,
+  hidden: config$u.hidden,
+  run: run$u
 };
-async function run$t(argv, importMeta, {
+async function run$u(argv, importMeta, {
   parentName
 }) {
   await utils.meowWithSubcommands({
@@ -6271,23 +6352,23 @@ async function run$t(argv, importMeta, {
     argv,
     aliases: {
       yolo: {
-        description: config$t.description,
+        description: config$u.description,
         hidden: true,
         argv: ['auto']
       }
     },
-    description: config$t.description,
+    description: config$u.description,
     importMeta,
-    flags: config$t.flags,
-    name: `${parentName} ${config$t.commandName}`
+    flags: config$u.flags,
+    name: `${parentName} ${config$u.commandName}`
   });
 }
 
 const require$3 =Module.createRequire(require$$0.pathToFileURL(__filename).href)
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$q
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$r
 } = constants;
-const config$s = {
+const config$t = {
   commandName: 'npm',
   description: `npm wrapper functionality`,
   hidden: false,
@@ -6300,22 +6381,22 @@ const config$s = {
   `
 };
 const cmdNpm = {
-  description: config$s.description,
-  hidden: config$s.hidden,
-  run: run$s
+  description: config$t.description,
+  hidden: config$t.hidden,
+  run: run$t
 };
-async function run$s(argv, importMeta, {
+async function run$t(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$s,
+    config: config$t,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$q);
+    logger.logger.log(DRY_RUN_BAILING_NOW$r);
     return;
   }
 
@@ -6326,9 +6407,9 @@ async function run$s(argv, importMeta, {
 
 const require$2 =Module.createRequire(require$$0.pathToFileURL(__filename).href)
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$p
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$q
 } = constants;
-const config$r = {
+const config$s = {
   commandName: 'npx',
   description: `npx wrapper functionality`,
   hidden: false,
@@ -6341,22 +6422,22 @@ const config$r = {
   `
 };
 const cmdNpx = {
-  description: config$r.description,
-  hidden: config$r.hidden,
-  run: run$r
+  description: config$s.description,
+  hidden: config$s.hidden,
+  run: run$s
 };
-async function run$r(argv, importMeta, {
+async function run$s(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$r,
+    config: config$s,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$p);
+    logger.logger.log(DRY_RUN_BAILING_NOW$q);
     return;
   }
 
@@ -6366,9 +6447,9 @@ async function run$r(argv, importMeta, {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$o
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$p
 } = constants;
-const config$q = {
+const config$r = {
   commandName: 'oops',
   description: 'Trigger an intentional error (for development)',
   hidden: true,
@@ -6384,16 +6465,16 @@ const config$q = {
   `
 };
 const cmdOops = {
-  description: config$q.description,
-  hidden: config$q.hidden,
-  run: run$q
+  description: config$r.description,
+  hidden: config$r.hidden,
+  run: run$r
 };
-async function run$q(argv, importMeta, {
+async function run$r(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$q,
+    config: config$r,
     importMeta,
     parentName
   });
@@ -6402,7 +6483,7 @@ async function run$q(argv, importMeta, {
     markdown
   } = cli.flags;
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$o);
+    logger.logger.log(DRY_RUN_BAILING_NOW$p);
     return;
   }
   if (json) {
@@ -7096,9 +7177,9 @@ async function applyOptimization(cwd, pin, prod) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$n
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$o
 } = constants;
-const config$p = {
+const config$q = {
   commandName: 'optimize',
   description: 'Optimize dependencies with @socketregistry overrides',
   hidden: false,
@@ -7128,16 +7209,16 @@ const config$p = {
   `
 };
 const cmdOptimize = {
-  description: config$p.description,
-  hidden: config$p.hidden,
-  run: run$p
+  description: config$q.description,
+  hidden: config$q.hidden,
+  run: run$q
 };
-async function run$p(argv, importMeta, {
+async function run$q(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$p,
+    config: config$q,
     importMeta,
     parentName
   });
@@ -7146,7 +7227,7 @@ async function run$p(argv, importMeta, {
 
   const cwd = process.cwd();
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$n);
+    logger.logger.log(DRY_RUN_BAILING_NOW$o);
     return;
   }
   await applyOptimization(cwd, Boolean(cli.flags['pin']), Boolean(cli.flags['prod']));
@@ -7217,9 +7298,9 @@ async function handleOrganizationList(outputKind = 'text') {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$m
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$n
 } = constants;
-const config$o = {
+const config$p = {
   commandName: 'list',
   description: 'List organizations associated with the API key used',
   hidden: false,
@@ -7236,20 +7317,20 @@ const config$o = {
       - Permissions: none (does need a token)
 
     Options
-      ${utils.getFlagListOutput(config$o.flags, 6)}
+      ${utils.getFlagListOutput(config$p.flags, 6)}
   `
 };
 const cmdOrganizationList = {
-  description: config$o.description,
-  hidden: config$o.hidden,
-  run: run$o
+  description: config$p.description,
+  hidden: config$p.hidden,
+  run: run$p
 };
-async function run$o(argv, importMeta, {
+async function run$p(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$o,
+    config: config$p,
     importMeta,
     parentName
   });
@@ -7276,7 +7357,7 @@ async function run$o(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$m);
+    logger.logger.log(DRY_RUN_BAILING_NOW$n);
     return;
   }
   await handleOrganizationList(outputKind);
@@ -7322,11 +7403,11 @@ async function handleLicensePolicy(orgSlug, outputKind) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$l
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$m
 } = constants;
 
 // TODO: secret toplevel alias `socket license policy`?
-const config$n = {
+const config$o = {
   commandName: 'license',
   description: 'Retrieve the license policy of an organization',
   hidden: true,
@@ -7352,7 +7433,7 @@ const config$n = {
       - Permissions: license-policy:read
 
     Options
-      ${utils.getFlagListOutput(config$n.flags, 6)}
+      ${utils.getFlagListOutput(config$o.flags, 6)}
 
     Your API token will need the \`license-policy:read\` permission otherwise
     the request will fail with an authentication error.
@@ -7363,16 +7444,16 @@ const config$n = {
   `
 };
 const cmdOrganizationPolicyLicense = {
-  description: config$n.description,
-  hidden: config$n.hidden,
-  run: run$n
+  description: config$o.description,
+  hidden: config$o.hidden,
+  run: run$o
 };
-async function run$n(argv, importMeta, {
+async function run$o(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$n,
+    config: config$o,
     importMeta,
     parentName
   });
@@ -7409,7 +7490,7 @@ async function run$n(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$l);
+    logger.logger.log(DRY_RUN_BAILING_NOW$m);
     return;
   }
   await handleLicensePolicy(orgSlug, outputKind);
@@ -7456,11 +7537,11 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$k
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$l
 } = constants;
 
 // TODO: secret toplevel alias `socket security policy`?
-const config$m = {
+const config$n = {
   commandName: 'security',
   description: 'Retrieve the security policy of an organization',
   hidden: true,
@@ -7486,7 +7567,7 @@ const config$m = {
       - Permissions: security-policy:read
 
     Options
-      ${utils.getFlagListOutput(config$m.flags, 6)}
+      ${utils.getFlagListOutput(config$n.flags, 6)}
 
     Your API token will need the \`security-policy:read\` permission otherwise
     the request will fail with an authentication error.
@@ -7497,16 +7578,16 @@ const config$m = {
   `
 };
 const cmdOrganizationPolicyPolicy = {
-  description: config$m.description,
-  hidden: config$m.hidden,
-  run: run$m
+  description: config$n.description,
+  hidden: config$n.hidden,
+  run: run$n
 };
-async function run$m(argv, importMeta, {
+async function run$n(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$m,
+    config: config$n,
     importMeta,
     parentName
   });
@@ -7543,7 +7624,7 @@ async function run$m(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$k);
+    logger.logger.log(DRY_RUN_BAILING_NOW$l);
     return;
   }
   await handleSecurityPolicy(orgSlug, outputKind);
@@ -7612,9 +7693,9 @@ async function handleQuota(outputKind = 'text') {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$j
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$k
 } = constants;
-const config$l = {
+const config$m = {
   commandName: 'quota',
   description: 'List organizations associated with the API key used',
   hidden: true,
@@ -7627,20 +7708,20 @@ const config$l = {
       $ ${command}
 
     Options
-      ${utils.getFlagListOutput(config$l.flags, 6)}
+      ${utils.getFlagListOutput(config$m.flags, 6)}
   `
 };
 const cmdOrganizationQuota = {
-  description: config$l.description,
-  hidden: config$l.hidden,
-  run: run$l
+  description: config$m.description,
+  hidden: config$m.hidden,
+  run: run$m
 };
-async function run$l(argv, importMeta, {
+async function run$m(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$l,
+    config: config$m,
     importMeta,
     parentName
   });
@@ -7665,7 +7746,7 @@ async function run$l(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$j);
+    logger.logger.log(DRY_RUN_BAILING_NOW$k);
     return;
   }
   await handleQuota(outputKind);
@@ -7913,9 +7994,9 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$i
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$j
 } = constants;
-const config$k = {
+const config$l = {
   commandName: 'score',
   description: '[beta] Look up score for one package which reflects all of its transitive dependencies as well',
   hidden: false,
@@ -7957,16 +8038,16 @@ const config$k = {
   `
 };
 const cmdPackageScore = {
-  description: config$k.description,
-  hidden: config$k.hidden,
-  run: run$k
+  description: config$l.description,
+  hidden: config$l.hidden,
+  run: run$l
 };
-async function run$k(argv, importMeta, {
+async function run$l(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$k,
+    config: config$l,
     importMeta,
     parentName
   });
@@ -8008,7 +8089,7 @@ async function run$k(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$i);
+    logger.logger.log(DRY_RUN_BAILING_NOW$j);
     return;
   }
   await handlePurlDeepScore(purls[0] || '', outputKind);
@@ -8145,9 +8226,9 @@ async function handlePurlsShallowScore({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$h
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$i
 } = constants;
-const config$j = {
+const config$k = {
   commandName: 'shallow',
   description: '[beta] Look up info regarding one or more packages but not their transitives',
   hidden: false,
@@ -8189,23 +8270,23 @@ const config$j = {
   `
 };
 const cmdPackageShallow = {
-  description: config$j.description,
-  hidden: config$j.hidden,
+  description: config$k.description,
+  hidden: config$k.hidden,
   alias: {
     shallowScore: {
-      description: config$j.description,
+      description: config$k.description,
       hidden: true,
       argv: []
     }
   },
-  run: run$j
+  run: run$k
 };
-async function run$j(argv, importMeta, {
+async function run$k(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$j,
+    config: config$k,
     importMeta,
     parentName
   });
@@ -8240,7 +8321,7 @@ async function run$j(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$h);
+    logger.logger.log(DRY_RUN_BAILING_NOW$i);
     return;
   }
   await handlePurlsShallowScore({
@@ -8294,10 +8375,10 @@ async function runRawNpm(argv) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$g,
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$h,
   NPM
 } = constants;
-const config$i = {
+const config$j = {
   commandName: 'raw-npm',
   description: `Temporarily disable the Socket ${NPM} wrapper`,
   hidden: false,
@@ -8311,22 +8392,22 @@ const config$i = {
   `
 };
 const cmdRawNpm = {
-  description: config$i.description,
-  hidden: config$i.hidden,
-  run: run$i
+  description: config$j.description,
+  hidden: config$j.hidden,
+  run: run$j
 };
-async function run$i(argv, importMeta, {
+async function run$j(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$i,
+    config: config$j,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$g);
+    logger.logger.log(DRY_RUN_BAILING_NOW$h);
     return;
   }
   await runRawNpm(argv);
@@ -8351,10 +8432,10 @@ async function runRawNpx(argv) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$f,
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$g,
   NPX
 } = constants;
-const config$h = {
+const config$i = {
   commandName: 'raw-npx',
   description: `Temporarily disable the Socket ${NPX} wrapper`,
   hidden: false,
@@ -8368,28 +8449,28 @@ const config$h = {
   `
 };
 const cmdRawNpx = {
-  description: config$h.description,
-  hidden: config$h.hidden,
-  run: run$h
+  description: config$i.description,
+  hidden: config$i.hidden,
+  run: run$i
 };
-async function run$h(argv, importMeta, {
+async function run$i(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$h,
+    config: config$i,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$f);
+    logger.logger.log(DRY_RUN_BAILING_NOW$g);
     return;
   }
   await runRawNpx(argv);
 }
 
-const config$g = {
+const config$h = {
   commandName: 'create',
   description: '[Deprecated] Create a project report',
   hidden: false,
@@ -8403,16 +8484,16 @@ const config$g = {
   `
 };
 const cmdReportCreate = {
-  description: config$g.description,
-  hidden: config$g.hidden,
-  run: run$g
+  description: config$h.description,
+  hidden: config$h.hidden,
+  run: run$h
 };
-async function run$g(argv, importMeta, {
+async function run$h(argv, importMeta, {
   parentName
 }) {
   utils.meowOrExit({
     argv,
-    config: config$g,
+    config: config$h,
     importMeta,
     parentName
   });
@@ -8420,7 +8501,7 @@ async function run$g(argv, importMeta, {
   process.exitCode = 1;
 }
 
-const config$f = {
+const config$g = {
   commandName: 'view',
   description: '[Deprecated] View a project report',
   hidden: false,
@@ -8434,16 +8515,16 @@ const config$f = {
   `
 };
 const cmdReportView = {
-  description: config$f.description,
-  hidden: config$f.hidden,
-  run: run$f
+  description: config$g.description,
+  hidden: config$g.hidden,
+  run: run$g
 };
-async function run$f(argv, importMeta, {
+async function run$g(argv, importMeta, {
   parentName
 }) {
   utils.meowOrExit({
     argv,
-    config: config$f,
+    config: config$g,
     importMeta,
     parentName
   });
@@ -8531,9 +8612,9 @@ async function handleCreateRepo({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$e
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$f
 } = constants;
-const config$e = {
+const config$f = {
   commandName: 'create',
   description: 'Create a repository in an organization',
   hidden: false,
@@ -8596,16 +8677,16 @@ const config$e = {
   `
 };
 const cmdReposCreate = {
-  description: config$e.description,
-  hidden: config$e.hidden,
-  run: run$e
+  description: config$f.description,
+  hidden: config$f.hidden,
+  run: run$f
 };
-async function run$e(argv, importMeta, {
+async function run$f(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$e,
+    config: config$f,
     importMeta,
     parentName
   });
@@ -8650,7 +8731,7 @@ async function run$e(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$e);
+    logger.logger.log(DRY_RUN_BAILING_NOW$f);
     return;
   }
   await handleCreateRepo({
@@ -8693,9 +8774,9 @@ async function handleDeleteRepo(orgSlug, repoName, outputKind) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$d
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$e
 } = constants;
-const config$d = {
+const config$e = {
   commandName: 'del',
   description: 'Delete a repository in an organization',
   hidden: false,
@@ -8728,16 +8809,16 @@ const config$d = {
   `
 };
 const cmdReposDel = {
-  description: config$d.description,
-  hidden: config$d.hidden,
-  run: run$d
+  description: config$e.description,
+  hidden: config$e.hidden,
+  run: run$e
 };
-async function run$d(argv, importMeta, {
+async function run$e(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$d,
+    config: config$e,
     importMeta,
     parentName
   });
@@ -8774,7 +8855,7 @@ async function run$d(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$d);
+    logger.logger.log(DRY_RUN_BAILING_NOW$e);
     return;
   }
   await handleDeleteRepo(orgSlug, repoName, outputKind);
@@ -8810,6 +8891,8 @@ async function fetchListAllRepos({
       page: String(nextPage)
     }), 'list of repositories');
     if (!result.ok) {
+      debug.debugLog('[DEBUG] fetchListAllRepos: At least one fetch failed, bailing...');
+      debug.debugLog(result);
       return result;
     }
     result.data.results.forEach(row => rows.push(row));
@@ -8935,9 +9018,9 @@ async function handleListRepos({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$c
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$d
 } = constants;
-const config$c = {
+const config$d = {
   commandName: 'list',
   description: 'List repositories in an organization',
   hidden: false,
@@ -8998,16 +9081,16 @@ const config$c = {
   `
 };
 const cmdReposList = {
-  description: config$c.description,
-  hidden: config$c.hidden,
-  run: run$c
+  description: config$d.description,
+  hidden: config$d.hidden,
+  run: run$d
 };
-async function run$c(argv, importMeta, {
+async function run$d(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$c,
+    config: config$d,
     importMeta,
     parentName
   });
@@ -9052,7 +9135,7 @@ async function run$c(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$c);
+    logger.logger.log(DRY_RUN_BAILING_NOW$d);
     return;
   }
   await handleListRepos({
@@ -9124,9 +9207,9 @@ async function handleUpdateRepo({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$b
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$c
 } = constants;
-const config$b = {
+const config$c = {
   commandName: 'update',
   description: 'Update a repository in an organization',
   hidden: false,
@@ -9189,16 +9272,16 @@ const config$b = {
   `
 };
 const cmdReposUpdate = {
-  description: config$b.description,
-  hidden: config$b.hidden,
-  run: run$b
+  description: config$c.description,
+  hidden: config$c.hidden,
+  run: run$c
 };
-async function run$b(argv, importMeta, {
+async function run$c(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$b,
+    config: config$c,
     importMeta,
     parentName
   });
@@ -9243,7 +9326,7 @@ async function run$b(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$b);
+    logger.logger.log(DRY_RUN_BAILING_NOW$c);
     return;
   }
   await handleUpdateRepo({
@@ -9311,9 +9394,9 @@ async function handleViewRepo(orgSlug, repoName, outputKind) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$a
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$b
 } = constants;
-const config$a = {
+const config$b = {
   commandName: 'view',
   description: 'View repositories in an organization',
   hidden: false,
@@ -9351,16 +9434,16 @@ const config$a = {
   `
 };
 const cmdReposView = {
-  description: config$a.description,
-  hidden: config$a.hidden,
-  run: run$a
+  description: config$b.description,
+  hidden: config$b.hidden,
+  run: run$b
 };
-async function run$a(argv, importMeta, {
+async function run$b(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$a,
+    config: config$b,
     importMeta,
     parentName
   });
@@ -9410,7 +9493,7 @@ async function run$a(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$a);
+    logger.logger.log(DRY_RUN_BAILING_NOW$b);
     return;
   }
   await handleViewRepo(orgSlug, String(repoName), outputKind);
@@ -9458,9 +9541,9 @@ async function suggestTarget() {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$9
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$a
 } = constants;
-const config$9 = {
+const config$a = {
   commandName: 'create',
   description: 'Create a scan',
   hidden: false,
@@ -9593,16 +9676,16 @@ const config$9 = {
   `
 };
 const cmdScanCreate = {
-  description: config$9.description,
-  hidden: config$9.hidden,
-  run: run$9
+  description: config$a.description,
+  hidden: config$a.hidden,
+  run: run$a
 };
-async function run$9(argv, importMeta, {
+async function run$a(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$9,
+    config: config$a,
     importMeta,
     parentName
   });
@@ -9714,7 +9797,7 @@ async function run$9(argv, importMeta, {
 
   // Note exiting earlier to skirt a hidden auth requirement
   if (dryRun) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$9);
+    logger.logger.log(DRY_RUN_BAILING_NOW$a);
     return;
   }
   await handleCreateNewScan({
@@ -9768,9 +9851,9 @@ async function handleDeleteScan(orgSlug, scanId, outputKind) {
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$8
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$9
 } = constants;
-const config$8 = {
+const config$9 = {
   commandName: 'del',
   description: 'Delete a scan',
   hidden: false,
@@ -9803,16 +9886,16 @@ const config$8 = {
   `
 };
 const cmdScanDel = {
-  description: config$8.description,
-  hidden: config$8.hidden,
-  run: run$8
+  description: config$9.description,
+  hidden: config$9.hidden,
+  run: run$9
 };
-async function run$8(argv, importMeta, {
+async function run$9(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$8,
+    config: config$9,
     importMeta,
     parentName
   });
@@ -9849,7 +9932,7 @@ async function run$8(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$8);
+    logger.logger.log(DRY_RUN_BAILING_NOW$9);
     return;
   }
   await handleDeleteScan(orgSlug, scanId, outputKind);
@@ -10043,14 +10126,14 @@ async function handleDiffScan({
 }
 
 const {
-  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$7,
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$8,
   SOCKET_WEBSITE_URL: SOCKET_WEBSITE_URL$1
 } = constants;
 const SOCKET_SBOM_URL_PREFIX = `${SOCKET_WEBSITE_URL$1}/dashboard/org/SocketDev/sbom/`;
 const {
   length: SOCKET_SBOM_URL_PREFIX_LENGTH
 } = SOCKET_SBOM_URL_PREFIX;
-const config$7 = {
+const config$8 = {
   commandName: 'diff',
   description: 'See what changed between two Scans',
   hidden: false,
@@ -10102,16 +10185,16 @@ const config$7 = {
   `
 };
 const cmdScanDiff = {
-  description: config$7.description,
-  hidden: config$7.hidden,
-  run: run$7
+  description: config$8.description,
+  hidden: config$8.hidden,
+  run: run$8
 };
-async function run$7(argv, importMeta, {
+async function run$8(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$7,
+    config: config$8,
     importMeta,
     parentName
   });
@@ -10163,7 +10246,7 @@ async function run$7(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAILING_NOW$7);
+    logger.logger.log(DRY_RUN_BAILING_NOW$8);
     return;
   }
   await handleDiffScan({
@@ -10176,33 +10259,816 @@ async function run$7(argv, importMeta, {
   });
 }
 
-async function fetchListScans({
-  branch,
-  direction,
-  from_time,
+// Supported manifest file name patterns
+// Keep in mind that we have to request these files through the GitHub API; that cost is much heavier than local disk searches
+// TODO: get this list from API instead? Is that too much? Has to fetch through gh api...
+const SUPPORTED_FILE_PATTERNS = [/.*[-.]spdx\.json/, /bom\.json/, /.*[-.]cyclonedx\.json/, /.*[-.]cyclonedx\.xml/, /package\.json/, /package-lock\.json/, /npm-shrinkwrap\.json/, /yarn\.lock/, /pnpm-lock\.yaml/, /pnpm-lock\.yml/, /pnpm-workspace\.yaml/, /pnpm-workspace\.yml/, /pipfile/, /pyproject\.toml/, /poetry\.lock/, /requirements[\\/].*\.txt/, /requirements-.*\.txt/, /requirements_.*\.txt/, /requirements\.frozen/, /setup\.py/, /pipfile\.lock/, /go\.mod/, /go\.sum/, /pom\.xml/, /.*\..*proj/, /.*\.props/, /.*\.targets/, /.*\.nuspec/, /nuget\.config/, /packages\.config/, /packages\.lock\.json/];
+async function createScanFromGithub({
+  all,
+  githubApiUrl,
+  githubToken,
+  interactive,
+  orgGithub,
   orgSlug,
-  page,
-  per_page,
-  repo,
-  sort
+  outputKind,
+  repos
 }) {
-  const sockSdkResult = await utils.setupSdk();
-  if (!sockSdkResult.ok) {
-    return sockSdkResult;
+  let targetRepos = repos.trim().split(',').map(repo => repo.trim()).filter(Boolean);
+  if (all || targetRepos.length === 0) {
+    // Fetch from Socket API
+    const result = await fetchListAllRepos({
+      direction: 'asc',
+      orgSlug,
+      sort: 'name'
+    });
+    if (!result.ok) {
+      return result;
+    }
+    targetRepos = result.data.results.map(obj => obj.slug || '');
   }
-  const sockSdk = sockSdkResult.data;
-  return await utils.handleApiCall(sockSdk.getOrgFullScanList(orgSlug, {
-    ...(branch ? {
-      branch
-    } : {}),
-    ...(repo ? {
-      repo
-    } : {}),
-    sort,
-    direction,
-    per_page: String(per_page),
-    page: String(page),
-    from: from_time
+  targetRepos = targetRepos.map(slug => slug.trim()).filter(Boolean);
+  logger.logger.info(`Have ${targetRepos.length} repo names to Scan!`);
+  logger.logger.log('');
+  if (!targetRepos.filter(Boolean).length) {
+    return {
+      ok: false,
+      message: 'No repo found',
+      cause: 'You did not set the --repos value and/or the server responded with zero repos when asked for some. Unable to proceed.'
+    };
+  }
+
+  // Non-interactive or explicitly requested; just do it.
+  if (interactive && targetRepos.length > 1 && !all && !repos) {
+    const which = await selectFocus(targetRepos);
+    if (!which.ok) {
+      return which;
+    }
+    targetRepos = which.data;
+  }
+
+  // 10 is an arbitrary number. Maybe confirm whenever count>1 ?
+  // Do not ask to confirm when the list was given explicit.
+  if (interactive && (all || !repos) && targetRepos.length > 10) {
+    const sure = await makeSure(targetRepos.length);
+    if (!sure.ok) {
+      return sure;
+    }
+  }
+  for (const repoSlug of targetRepos) {
+    // eslint-disable-next-line no-await-in-loop
+    await scanRepo(repoSlug, {
+      githubApiUrl,
+      githubToken,
+      orgSlug,
+      orgGithub,
+      outputKind,
+      repos
+    });
+  }
+  logger.logger.success('Scanned', targetRepos.length, 'repos, or tried to, anyways!');
+  return {
+    ok: true,
+    data: undefined
+  };
+}
+async function scanRepo(repoSlug, {
+  githubApiUrl,
+  githubToken,
+  orgGithub,
+  orgSlug,
+  outputKind,
+  repos
+}) {
+  logger.logger.info(`Requesting repo details from GitHub API for: \`${orgGithub}/${repoSlug}\`...`);
+  logger.logger.group();
+  const result = await scanOneRepo(repoSlug, {
+    githubApiUrl,
+    githubToken,
+    orgSlug,
+    orgGithub,
+    outputKind});
+  logger.logger.groupEnd();
+  logger.logger.log('');
+  return result;
+}
+async function scanOneRepo(repoSlug, {
+  githubApiUrl,
+  githubToken,
+  orgGithub,
+  orgSlug,
+  outputKind
+}) {
+  const repoResult = await getRepoDetails({
+    orgGithub,
+    repoSlug,
+    githubApiUrl,
+    githubToken
+  });
+  if (!repoResult.ok) {
+    return repoResult;
+  }
+  const {
+    defaultBranch,
+    repoApiUrl
+  } = repoResult.data;
+  logger.logger.info(`Default branch: \`${defaultBranch}\``);
+  const treeResult = await getRepoBranchTree({
+    orgGithub,
+    repoSlug,
+    repoApiUrl,
+    defaultBranch,
+    githubToken
+  });
+  if (!treeResult.ok) {
+    return treeResult;
+  }
+  const files = treeResult.data;
+  if (!files.length) {
+    logger.logger.warn('No files were reported for the default branch. Moving on to next repo.');
+    return {
+      ok: true,
+      data: undefined
+    };
+  }
+  const tmpDir = fs$1.mkdtempSync(path.join(os.tmpdir(), repoSlug));
+  debug.debugLog(`[DEBUG] Temp dir for downloaded manifest (serves as scan root): ${tmpDir}`);
+  const downloadResult = await testAndDownloadManifestFiles({
+    files,
+    tmpDir,
+    repoSlug,
+    defaultBranch,
+    orgGithub,
+    repoApiUrl,
+    githubToken
+  });
+  if (!downloadResult.ok) {
+    return downloadResult;
+  }
+  const commitResult = await getLastCommitDetails({
+    orgGithub,
+    repoSlug,
+    defaultBranch,
+    repoApiUrl,
+    githubToken
+  });
+  if (!commitResult.ok) {
+    return commitResult;
+  }
+  const {
+    lastCommitMessage,
+    lastCommitSha,
+    lastCommitter
+  } = commitResult.data;
+
+  // Make request for full scan
+  // I think we can just kick off the socket scan create command now...
+
+  await handleCreateNewScan({
+    autoManifest: false,
+    branchName: defaultBranch,
+    commitHash: lastCommitSha,
+    commitMessage: lastCommitMessage || '',
+    committers: lastCommitter || '',
+    cwd: tmpDir,
+    defaultBranch: true,
+    interactive: false,
+    orgSlug,
+    outputKind,
+    pendingHead: true,
+    pullRequest: 0,
+    readOnly: false,
+    repoName: repoSlug,
+    report: false,
+    targets: ['.'],
+    tmp: false
+  });
+  return {
+    ok: true,
+    data: undefined
+  };
+}
+async function testAndDownloadManifestFiles({
+  defaultBranch,
+  files,
+  githubToken,
+  orgGithub,
+  repoApiUrl,
+  repoSlug,
+  tmpDir
+}) {
+  logger.logger.info(`File tree for ${defaultBranch} contains ${files.length} entries. Searching for supported manifest files...`);
+  logger.logger.group();
+  let fileCount = 0;
+  let firstFailureResult;
+  for (const file of files) {
+    // eslint-disable-next-line no-await-in-loop
+    const result = await testAndDownloadManifestFile({
+      file,
+      tmpDir,
+      defaultBranch,
+      repoApiUrl,
+      githubToken
+    });
+    if (result.ok) {
+      if (result.data.isManifest) {
+        fileCount += 1;
+      }
+    } else if (!firstFailureResult) {
+      firstFailureResult = result;
+    }
+  }
+  logger.logger.info('Found and downloaded', fileCount, 'manifest files');
+  logger.logger.groupEnd();
+  if (!fileCount) {
+    if (firstFailureResult) {
+      logger.logger.fail('While no supported manifest files were downloaded, at least one error encountered trying to do so. Showing the first error.');
+      return firstFailureResult;
+    }
+    return {
+      ok: false,
+      message: 'No manifest files found',
+      cause: `No supported manifest files were found in the latest commit on the branch ${defaultBranch} for repo ${orgGithub}/${repoSlug}. Skipping full scan.`
+    };
+  }
+  return {
+    ok: true,
+    data: undefined
+  };
+}
+async function testAndDownloadManifestFile({
+  defaultBranch,
+  file,
+  githubToken,
+  repoApiUrl,
+  tmpDir
+}) {
+  debug.debugLog(`[DEBUG] Testing file:`, file);
+  if (!SUPPORTED_FILE_PATTERNS.some(regex => regex.test(file))) {
+    // Not an error.
+    return {
+      ok: true,
+      data: {
+        isManifest: false
+      }
+    };
+  }
+  logger.logger.success(`Found a manifest file: \`${file}\`, will download it to temp dir...`);
+  logger.logger.group();
+  const result = await downloadManifestFile({
+    file,
+    tmpDir,
+    defaultBranch,
+    repoApiUrl,
+    githubToken
+  });
+  logger.logger.groupEnd();
+  if (!result.ok) {
+    return result;
+  }
+  return {
+    ok: true,
+    data: {
+      isManifest: true
+    }
+  };
+}
+async function downloadManifestFile({
+  defaultBranch,
+  file,
+  githubToken,
+  repoApiUrl,
+  tmpDir
+}) {
+  logger.logger.info('Requesting download url from GitHub...');
+  const fileUrl = `${repoApiUrl}/contents/${file}?ref=${defaultBranch}`;
+  debug.debugLog('[DEBUG] File url:', fileUrl);
+  const downloadUrlResponse = await fetch(fileUrl, {
+    method: 'GET',
+    headers: {
+      Authorization: `Bearer ${githubToken}`
+    }
+  });
+  logger.logger.success(`Request completed.`);
+  const downloadUrlText = await downloadUrlResponse.text();
+  debug.debugLog('[DEBUG] raw download url response:');
+  debug.debugLog(downloadUrlText);
+  let downloadUrl;
+  try {
+    downloadUrl = JSON.parse(downloadUrlText).download_url;
+  } catch {
+    logger.logger.fail(`GitHub response contained invalid JSON for download url for file`);
+    logger.logger.error(downloadUrlText);
+    return {
+      ok: false,
+      message: 'Invalid JSON response',
+      cause: `Server responded with invalid JSON for download url ${downloadUrl}`
+    };
+  }
+  logger.logger.info(`Downloading manifest file...`);
+  const localPath = path.join(tmpDir, file);
+  debug.debugLog('[DEBUG] Downloading from', downloadUrl, 'to', localPath);
+  // Now stream the file to that file...
+
+  const result = await streamDownloadWithFetch(localPath, downloadUrl);
+  if (!result.ok) {
+    // Do we proceed? Bail? Hrm...
+    logger.logger.fail(`Failed to download manifest file, skipping to next file. File: ${file}`);
+    return result;
+  }
+  logger.logger.success(`Downloaded manifest file.`);
+  return {
+    ok: true,
+    data: undefined
+  };
+}
+
+// Courtesy of gemini:
+async function streamDownloadWithFetch(localPath, downloadUrl) {
+  let response; // Declare response here to access it in catch if needed
+
+  try {
+    response = await fetch(downloadUrl);
+    if (!response.ok) {
+      const errorMsg = `Download failed: ${response.status} ${response.statusText} for ${downloadUrl}`;
+      return {
+        ok: false,
+        message: 'Download Failed',
+        cause: errorMsg
+      };
+    }
+    if (!response.body) {
+      return {
+        ok: false,
+        message: 'Download Failed',
+        cause: 'Response body is null or undefined.'
+      };
+    }
+    const fileStream = fs$1.createWriteStream(localPath);
+
+    // Using stream.pipeline for better error handling and cleanup
+
+    await promises.pipeline(response.body, fileStream);
+    // 'pipeline' will automatically handle closing streams and propagating errors.
+    // It resolves when the piping is fully complete and fileStream is closed.
+    return {
+      ok: true,
+      data: localPath
+    };
+  } catch (error) {
+    logger.logger.fail('An error occurred trying to download the file...');
+    // If an error occurs and fileStream was created, attempt to clean up.
+    if (fs$1.existsSync(localPath)) {
+      // Check if fileStream was even opened before trying to delete
+      // This check might be too simplistic depending on when error occurs
+      fs$1.unlink(localPath, unlinkErr => {
+        if (unlinkErr) {
+          logger.logger.fail(`Error deleting partial file ${localPath}: ${unlinkErr.message}`);
+        }
+      });
+    }
+    // Construct a more informative error message
+    let detailedError = `Error during download of ${downloadUrl}: ${error.message}`;
+    if (error.cause) {
+      // Include cause if available (e.g., from network errors)
+      detailedError += `\nCause: ${error.cause}`;
+    }
+    if (response && !response.ok) {
+      // If error was due to bad HTTP status
+      detailedError += ` (HTTP Status: ${response.status} ${response.statusText})`;
+    }
+    return {
+      ok: false,
+      message: 'Download Failed',
+      cause: detailedError
+    };
+  }
+}
+async function getLastCommitDetails({
+  defaultBranch,
+  githubToken,
+  orgGithub,
+  repoApiUrl,
+  repoSlug
+}) {
+  logger.logger.info(`Requesting last commit for default branch ${defaultBranch} for ${orgGithub}/${repoSlug}...`);
+  const commitApiUrl = `${repoApiUrl}/commits?sha=${defaultBranch}&per_page=1`;
+  debug.debugLog('Commit url:', commitApiUrl);
+  const commitResponse = await fetch(commitApiUrl, {
+    headers: {
+      Authorization: `Bearer ${githubToken}`
+    }
+  });
+  const commitText = await commitResponse.text();
+  debug.debugLog('[DEBUG] Raw Commit Response:', commitText);
+  let lastCommit;
+  try {
+    lastCommit = JSON.parse(commitText)?.[0];
+  } catch {
+    logger.logger.fail(`GitHub response contained invalid JSON for last commit`);
+    logger.logger.error(commitText);
+    return {
+      ok: false,
+      message: 'Invalid JSON response',
+      cause: `Server responded with invalid JSON for last commit of repo ${repoSlug}`
+    };
+  }
+  const lastCommitSha = lastCommit.sha;
+  const lastCommitter = Array.from(new Set([lastCommit.commit.author.name, lastCommit.commit.committer.name]))[0];
+  const lastCommitMessage = lastCommit.message;
+  if (!lastCommitSha) {
+    return {
+      ok: false,
+      message: 'Missing commit SHA',
+      cause: 'Unable to get last commit for repo'
+    };
+  }
+  if (!lastCommitter) {
+    return {
+      ok: false,
+      message: 'Missing committer',
+      cause: 'Last commit does not have information about who made the commit'
+    };
+  }
+  return {
+    ok: true,
+    data: {
+      lastCommitSha,
+      lastCommitter,
+      lastCommitMessage
+    }
+  };
+}
+async function selectFocus(repos) {
+  const proceed = await prompts.select({
+    message: 'Please select the repo to process:',
+    choices: repos.map(slug => ({
+      name: slug,
+      value: slug,
+      description: `Create scan for the ${slug} repo through GitHub`
+    })).concat({
+      name: '(Exit)',
+      value: '',
+      description: 'Cancel this action and exit'
+    })
+  });
+  if (!proceed) {
+    return {
+      ok: false,
+      message: 'Canceled by user',
+      cause: 'User chose to cancel the action'
+    };
+  }
+  return {
+    ok: true,
+    data: [proceed]
+  };
+}
+async function makeSure(count) {
+  if (!(await prompts.confirm({
+    message: `Are you sure you want to run this for ${count} repos?`,
+    default: false
+  }))) {
+    return {
+      ok: false,
+      message: 'User canceled',
+      cause: 'Action canceled by user'
+    };
+  }
+  return {
+    ok: true,
+    data: undefined
+  };
+}
+async function getRepoDetails({
+  githubApiUrl,
+  githubToken,
+  orgGithub,
+  repoSlug
+}) {
+  const repoApiUrl = `${githubApiUrl}/repos/${orgGithub}/${repoSlug}`;
+  debug.debugLog('Repo url:', repoApiUrl);
+  const repoDetailsResponse = await fetch(repoApiUrl, {
+    method: 'GET',
+    headers: {
+      Authorization: `Bearer ${githubToken}`
+    }
+  });
+  logger.logger.success(`Request completed.`);
+  const repoDetailsText = await repoDetailsResponse.text();
+  debug.debugLog('[DEBUG] Raw Repo Response:', repoDetailsText);
+  let repoDetails;
+  try {
+    repoDetails = JSON.parse(repoDetailsText);
+  } catch {
+    logger.logger.fail(`GitHub response contained invalid JSON for repo ${repoSlug}`);
+    logger.logger.error(repoDetailsText);
+    return {
+      ok: false,
+      message: 'Invalid JSON response',
+      cause: `Server responded with invalid JSON for repo ${repoSlug}`
+    };
+  }
+  const defaultBranch = repoDetails.default_branch;
+  if (!defaultBranch) {
+    return {
+      ok: false,
+      message: 'Default Branch Not Found',
+      cause: `Repo ${repoSlug} does not have a default branch set or it was not reported`
+    };
+  }
+  return {
+    ok: true,
+    data: {
+      defaultBranch,
+      repoDetails,
+      repoApiUrl
+    }
+  };
+}
+async function getRepoBranchTree({
+  defaultBranch,
+  githubToken,
+  orgGithub,
+  repoApiUrl,
+  repoSlug
+}) {
+  logger.logger.info(`Requesting default branch file tree; branch \`${defaultBranch}\`, repo \`${orgGithub}/${repoSlug}\`...`);
+  const treeApiUrl = `${repoApiUrl}/git/trees/${defaultBranch}?recursive=1`;
+  debug.debugLog('Tree url:', treeApiUrl);
+  const treeResponse = await fetch(treeApiUrl, {
+    method: 'GET',
+    headers: {
+      Authorization: `Bearer ${githubToken}`
+    }
+  });
+  const treeText = await treeResponse.text();
+  debug.debugLog('[DEBUG] Raw Tree Response:', treeText);
+  let treeDetails;
+  try {
+    treeDetails = JSON.parse(treeText);
+  } catch {
+    logger.logger.fail(`GitHub response contained invalid JSON for default branch of repo ${repoSlug}`);
+    logger.logger.error(treeText);
+    return {
+      ok: false,
+      message: 'Invalid JSON response',
+      cause: `Server responded with invalid JSON for repo ${repoSlug}`
+    };
+  }
+  if (treeDetails.message) {
+    if (treeDetails.message === 'Git Repository is empty.') {
+      logger.logger.warn(`GitHub reports the default branch of repo ${repoSlug} to be empty. Moving on to next repo.`);
+      return {
+        ok: true,
+        data: []
+      };
+    }
+    logger.logger.fail('Negative response from GitHub:', treeDetails.message);
+    return {
+      ok: false,
+      message: 'Unexpected error response',
+      cause: `GitHub responded with an unexpected error while asking for details on the default branch: ${treeDetails.message}`
+    };
+  }
+  if (!treeDetails.tree || !Array.isArray(treeDetails.tree)) {
+    debug.debugLog('treeDetails.tree:', treeDetails.tree);
+    return {
+      ok: false,
+      message: `Tree response for default branch ${defaultBranch} for ${orgGithub}/${repoSlug} was not a list`
+    };
+  }
+  const files = treeDetails.tree.filter(obj => obj.type === 'blob').map(obj => obj.path);
+  return {
+    ok: true,
+    data: files
+  };
+}
+
+async function handleCreateGithubScan({
+  all,
+  githubApiUrl,
+  githubToken,
+  interactive,
+  orgGithub,
+  orgSlug,
+  outputKind,
+  repos
+}) {
+  const result = await createScanFromGithub({
+    all: Boolean(all),
+    githubApiUrl,
+    githubToken,
+    interactive: Boolean(interactive),
+    orgSlug,
+    orgGithub,
+    outputKind,
+    repos: String(repos || '')
+  });
+  if (outputKind === 'json') {
+    logger.logger.log(utils.serializeResultJson(result));
+    return;
+  }
+  if (!result.ok) {
+    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
+    return;
+  }
+  logger.logger.success('Ok! Finished!');
+}
+
+const {
+  DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$7
+} = constants;
+const config$7 = {
+  commandName: 'github',
+  description: 'Create a scan for given GitHub repo',
+  hidden: true,
+  // wip
+  flags: {
+    ...utils.commonFlags,
+    ...utils.outputFlags,
+    all: {
+      type: 'boolean',
+      description: 'Apply for all known repos reported by the Socket API. Supersedes `repos`.'
+    },
+    githubToken: {
+      type: 'string',
+      description: '(required) GitHub token for authentication (or set GITHUB_TOKEN as an environment variable)'
+    },
+    githubApiUrl: {
+      type: 'string',
+      default: 'https://api.github.com',
+      description: 'Base URL of the GitHub API (default: https://api.github.com)'
+    },
+    interactive: {
+      type: 'boolean',
+      default: true,
+      description: 'Allow for interactive elements, asking for input. Use --no-interactive to prevent any input questions, defaulting them to cancel/no.'
+    },
+    org: {
+      type: 'string',
+      description: 'Force override the organization slug, overrides the default org from config'
+    },
+    orgGithub: {
+      type: 'string',
+      description: 'Alternate GitHub Org if the name is different than the Socket Org'
+    },
+    repos: {
+      type: 'string',
+      description: 'List of repos to target in a comma-separated format (e.g., repo1,repo2). If not specified, the script will pull the list from Socket and ask you to pick one. Use --all to use them all.'
+    }
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command}
+
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:create
+
+    This is similar to the \`socket scan create\` command except it pulls the files
+    from GitHub. See the help for that command for more details.
+
+    A GitHub Personal Access Token (PAT) will at least need read access to the repo
+    ("contents", read-only) for this command to work.
+
+    Note: This command cannot run the \`socket manifest auto\` things because that
+    requires local access to the repo while this command runs entirely through the
+    GitHub for file access.
+
+    Options
+      ${utils.getFlagListOutput(config.flags, 6)}
+
+    Examples
+      $ ${command}
+  `
+};
+const cmdScanGithub = {
+  description: config$7.description,
+  hidden: config$7.hidden,
+  run: run$7
+};
+async function run$7(argv, importMeta, {
+  parentName
+}) {
+  const cli = utils.meowOrExit({
+    argv,
+    config: config$7,
+    importMeta,
+    parentName
+  });
+  const {
+    all = false,
+    dryRun = false,
+    githubApiUrl = 'https://api.github.com',
+    // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+    githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN,
+    interactive = true,
+    json,
+    markdown,
+    org: orgFlag,
+    orgGithub: orgGithubFlag,
+    repos
+  } = cli.flags;
+  const outputKind = utils.getOutputKind(json, markdown);
+  let [orgSlug, defaultOrgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), cli.input[0] || '', interactive, dryRun);
+  if (!defaultOrgSlug) {
+    // Tmp. just for TS. will drop this later.
+    defaultOrgSlug = '';
+  }
+
+  // Default to Socket org slug. Often that's fine. Vanity and all that.
+  const orgGithub = orgGithubFlag || orgSlug;
+
+  // We're going to need an api token to suggest data because those suggestions
+  // must come from data we already know. Don't error on missing api token yet.
+  // If the api-token is not set, ignore it for the sake of suggestions.
+  const hasSocketApiToken = utils.hasDefaultToken();
+  // We will also be needing that GitHub token.
+  const hasGithubApiToken = !!githubToken;
+
+  // If the current cwd is unknown and is used as a repo slug anyways, we will
+  // first need to register the slug before we can use it.
+  // Only do suggestions with an apiToken and when not in dryRun mode
+  if (hasSocketApiToken && !dryRun && interactive) {
+    if (!orgSlug) {
+      const suggestion = await utils.suggestOrgSlug();
+      if (suggestion) {
+        orgSlug = suggestion;
+      }
+    }
+  }
+  const wasValidInput = utils.checkCommandInput(outputKind, {
+    nook: !utils.isTestingV1() && !!defaultOrgSlug,
+    test: !!orgSlug && orgSlug !== '.',
+    message: utils.isTestingV1() ? 'Org name by default setting, --org, or auto-discovered' : 'Org name must be the first argument',
+    pass: 'ok',
+    fail: orgSlug === '.' ? 'dot is an invalid org, most likely you forgot the org name here?' : 'missing'
+  }, {
+    nook: true,
+    test: !json || !markdown,
+    message: 'The json and markdown flags cannot be both set, pick one',
+    pass: 'ok',
+    fail: 'omit one'
+  }, {
+    nook: true,
+    test: hasSocketApiToken,
+    message: 'This command requires an API token for access',
+    pass: 'ok',
+    fail: 'missing (try `socket login`)'
+  }, {
+    test: hasGithubApiToken,
+    message: 'This command requires a GitHub API token for access',
+    pass: 'ok',
+    fail: 'missing'
+  });
+  if (!wasValidInput) {
+    return;
+  }
+
+  // Note exiting earlier to skirt a hidden auth requirement
+  if (dryRun) {
+    logger.logger.log(DRY_RUN_BAILING_NOW$7);
+    return;
+  }
+  await handleCreateGithubScan({
+    all: Boolean(all),
+    githubApiUrl,
+    githubToken,
+    interactive: Boolean(interactive),
+    orgSlug,
+    orgGithub,
+    outputKind,
+    repos: String(repos || '')
+  });
+}
+
+async function fetchListScans({
+  branch,
+  direction,
+  from_time,
+  orgSlug,
+  page,
+  per_page,
+  repo,
+  sort
+}) {
+  const sockSdkResult = await utils.setupSdk();
+  if (!sockSdkResult.ok) {
+    return sockSdkResult;
+  }
+  const sockSdk = sockSdkResult.data;
+  return await utils.handleApiCall(sockSdk.getOrgFullScanList(orgSlug, {
+    ...(branch ? {
+      branch
+    } : {}),
+    ...(repo ? {
+      repo
+    } : {}),
+    sort,
+    direction,
+    per_page: String(per_page),
+    page: String(page),
+    from: from_time
   }), 'list of scans');
 }
 
@@ -10941,9 +11807,10 @@ const cmdScan = {
   }) {
     await utils.meowWithSubcommands({
       create: cmdScanCreate,
-      list: cmdScanList,
       del: cmdScanDel,
       diff: cmdScanDiff,
+      github: cmdScanGithub,
+      list: cmdScanList,
       metadata: cmdScanMetadata,
       report: cmdScanReport,
       view: cmdScanView
@@ -11739,5 +12606,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=5ee308bf-7f52-47e1-b4b2-79a10b530aa3
+//# debugId=5d9c5e36-6148-4af1-bcc3-bcaaa5b18e1
 //# sourceMappingURL=cli.js.map