@socketsecurity/cli-with-sentry 0.15.33 → 0.15.35

package/dist/cli.js

@@ -630,7 +630,7 @@ ${table}
     process.exitCode = 1;
     logger.logger.fail('There was a problem converting the logs to Markdown, please try the `--json` flag');
     if (debug.isDebug()) {
-      debug.debugFn('Unexpected error:\n', e);
+      debug.debugFn('catch: unexpected\n', e);
     }
     return '';
   }
@@ -1151,7 +1151,7 @@ async function run$O(argv, importMeta, {
 async function getDefaultOrgSlug() {
   const defaultOrgResult = utils.getConfigValueOrUndef('defaultOrg');
   if (defaultOrgResult) {
-    debug.debugFn('Using default org:', defaultOrgResult);
+    debug.debugFn('use: default org', defaultOrgResult);
     return {
       ok: true,
       data: defaultOrgResult
@@ -1183,7 +1183,7 @@ async function getDefaultOrgSlug() {
       data: `Was unable to determine the default organization for the current API token. Unable to continue.`
     };
   }
-  debug.debugFn('Resolved org to:', slug);
+  debug.debugFn('resolve: org', slug);
   return {
     ok: true,
     message: 'Retrieved default org from server',
@@ -1287,7 +1287,7 @@ async function fetchReportData(orgSlug, scanId, includeLicensePolicy) {
         return JSON.parse(line);
       } catch {
         ok = false;
-        debug.debugFn('NDJSON failed to parse the following line:\n', line);
+        debug.debugFn('fail: parse NDJSON\n', line);
         return;
       }
     });
@@ -3667,44 +3667,70 @@ function getBaseGitBranch() {
   // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
   'main';
 }
-function getSocketBranchName(purl, newVersion, workspaceName) {
-  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl);
-  const maybeWorkspaceName = workspaceName ? `${formatBranchName(workspaceName)}-` : '';
-  const maybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}-` : '';
-  const fullName = `${maybeWorkspaceName}${maybeNamespace}${formatBranchName(purlObj.name)}`;
-  return `socket/${fullName}-${formatBranchName(newVersion)}`;
-}
-function getSocketPrTitlePattern(options) {
+function getSocketBranchName(purl, newVersion, workspace) {
+  const purlObj = utils.getPurlObject(purl);
+  const fmtType = formatBranchName(purlObj.type);
+  const fmtWorkspace = workspace ? `${formatBranchName(workspace)}` : 'root';
+  const fmtMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
+  const fmtFullName = `${fmtMaybeNamespace}${formatBranchName(purlObj.name)}`;
+  const fmtVersion = formatBranchName(purlObj.version);
+  const fmtNewVersion = formatBranchName(newVersion);
+  return `socket/${fmtType}_${fmtWorkspace}_${fmtFullName}_${fmtVersion}_${fmtNewVersion}`;
+}
+function getSocketBranchPattern(options) {
   const {
+    newVersion,
     purl,
     workspace
   } = {
     __proto__: null,
     ...options
   };
-  const purlObj = purl ? vendor.packageurlJsExports.PackageURL.fromString(purl) : null;
-  const escapedPkgFullName = purlObj ? regexps.escapeRegExp(utils.getPkgFullNameFromPurlObj(purlObj)) : '\\S+';
-  const escapedPkgVersion = purlObj ? regexps.escapeRegExp(purlObj.version) : '\\S+';
-  const escapedWorkspaceDetails = workspace ? ` in ${regexps.escapeRegExp(workspace)}` : '';
-  return new RegExp(`Bump ${escapedPkgFullName} from ${escapedPkgVersion} to \\S+${escapedWorkspaceDetails}`);
-}
-function getSocketPullRequestTitle(purl, toVersion, workspace) {
-  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl);
-  const pkgFullName = utils.getPkgFullNameFromPurlObj(purlObj);
-  const workspaceDetails = workspace ? ` in ${workspace}` : '';
-  return `Bump ${pkgFullName} from ${purlObj.version} to ${toVersion}${workspaceDetails}`;
-}
-function getSocketPullRequestBody(purl, newVersion, workspaceName) {
-  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl);
-  const pkgFullName = utils.getPkgFullNameFromPurlObj(purlObj);
-  const workspaceDetails = workspaceName ? ` in ${workspaceName}` : '';
-  return `Bump [${pkgFullName}](${utils.getSocketDevPackageOverviewUrlFromPurl(purlObj)}) from ${purlObj.version} to ${newVersion}${workspaceDetails}.`;
-}
-function getSocketCommitMessage(purl, newVersion, workspaceName) {
-  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl);
-  const pkgFullName = utils.getPkgFullNameFromPurlObj(purlObj);
-  const workspaceDetails = workspaceName ? ` in ${workspaceName}` : '';
-  return `socket: Bump ${pkgFullName} from ${purlObj.version} to ${newVersion}${workspaceDetails}`;
+  const purlObj = purl ? utils.getPurlObject(purl) : null;
+  const escType = purlObj ? regexps.escapeRegExp(purlObj.type) : '[^_]+';
+  const escWorkspace = workspace ? `${regexps.escapeRegExp(formatBranchName(workspace))}` : 'root';
+  const escMaybeNamespace = purlObj?.namespace ? `${regexps.escapeRegExp(formatBranchName(purlObj.namespace))}--` : '';
+  const escFullName = purlObj ? `${escMaybeNamespace}${regexps.escapeRegExp(formatBranchName(purlObj.name))}` : '[^_]+';
+  const escVersion = purlObj ? regexps.escapeRegExp(formatBranchName(purlObj.version)) : '[^_]+';
+  const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
+  return new RegExp(`^socket/(${escType})_(${escWorkspace})_(${escFullName})_(${escVersion})_(${escNewVersion})$`);
+}
+function createSocketBranchParser(options) {
+  const pattern = getSocketBranchPattern(options);
+  return function parse(branch) {
+    const match = pattern.exec(branch);
+    if (!match) {
+      return null;
+    }
+    const {
+      0: type,
+      1: workspace,
+      2: fullName,
+      3: version,
+      4: newVersion
+    } = match;
+    return {
+      newVersion,
+      purl: utils.getPurlObject(`pkg:${type}/${fullName}@${version}`),
+      workspace
+    };
+  };
+}
+function getSocketPullRequestTitle(purl, newVersion, workspace) {
+  const purlObj = utils.getPurlObject(purl);
+  const fullName = utils.getPkgFullNameFromPurlObj(purlObj);
+  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
+}
+function getSocketPullRequestBody(purl, newVersion, workspace) {
+  const purlObj = utils.getPurlObject(purl);
+  const fullName = utils.getPkgFullNameFromPurlObj(purlObj);
+  const pkgOverviewUrl = utils.getSocketDevPackageOverviewUrlFromPurl(purlObj);
+  return `Bump [${fullName}](${pkgOverviewUrl}) from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}.`;
+}
+function getSocketCommitMessage(purl, newVersion, workspace) {
+  const purlObj = utils.getPurlObject(purl);
+  const fullName = utils.getPkgFullNameFromPurlObj(purlObj);
+  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
 }
 async function gitCleanFdx(cwd = process.cwd()) {
   const stdioIgnoreOptions = {
@@ -3737,7 +3763,7 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
     await spawn.spawn('git', ['push', '--force', '--set-upstream', 'origin', branch], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn('Unexpected error:\n', e);
+    debug.debugFn('catch: unexpected\n', e);
   }
   try {
     // Will throw with exit code 1 if branch does not exist.
@@ -3767,7 +3793,7 @@ async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
       try {
         await spawn.spawn('git', ['config', prop, value], stdioIgnoreOptions);
       } catch (e) {
-        debug.debugFn('Unexpected error:\n', e);
+        debug.debugFn('catch: unexpected\n', e);
       }
     }
   }));
@@ -3807,7 +3833,7 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
       data: rawFiles.map(relPath => path$1.normalizePath(relPath))
     };
   } catch (e) {
-    debug.debugFn('Unexpected error trying to run git diff --name-only');
+    debug.debugFn('catch: git diff --name-only failed\n', e);
     return {
       ok: false,
       message: 'Git Error',
@@ -3819,9 +3845,15 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
 let _octokit;
 function getOctokit() {
   if (_octokit === undefined) {
+    // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+    const {
+      SOCKET_CLI_GITHUB_TOKEN
+    } = constants.ENV;
+    if (!SOCKET_CLI_GITHUB_TOKEN) {
+      debug.debugFn('miss: SOCKET_CLI_GITHUB_TOKEN env var');
+    }
     _octokit = new vendor.Octokit({
-      // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
-      auth: constants.ENV.SOCKET_CLI_GITHUB_TOKEN
+      auth: SOCKET_CLI_GITHUB_TOKEN
     });
   }
   return _octokit;
@@ -3829,10 +3861,16 @@ function getOctokit() {
 let _octokitGraphql;
 function getOctokitGraphql() {
   if (!_octokitGraphql) {
+    // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+    const {
+      SOCKET_CLI_GITHUB_TOKEN
+    } = constants.ENV;
+    if (!SOCKET_CLI_GITHUB_TOKEN) {
+      debug.debugFn('miss: SOCKET_CLI_GITHUB_TOKEN env var');
+    }
     _octokitGraphql = vendor.graphql2.defaults({
       headers: {
-        // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
-        authorization: `token ${constants.ENV.SOCKET_CLI_GITHUB_TOKEN}`
+        authorization: `token ${SOCKET_CLI_GITHUB_TOKEN}`
       }
     });
   }
@@ -3878,25 +3916,30 @@ async function writeCache(key, data) {
   }
   await fs$2.writeJson(cacheJsonPath, data);
 }
-async function cleanupOpenPrs(owner, repo, newVersion, options) {
+async function cleanupOpenPrs(owner, repo, options) {
   const contextualMatches = await getOpenSocketPrsWithContext(owner, repo, options);
   if (!contextualMatches.length) {
     return [];
   }
   const cachesToSave = new Map();
+  const {
+    newVersion
+  } = {
+    __proto__: null,
+    ...options
+  };
   const octokit = getOctokit();
   const settledMatches = await Promise.allSettled(contextualMatches.map(async ({
     context,
     match
   }) => {
     const {
+      newVersion: prToVersion,
       number: prNum
     } = match;
     const prRef = `PR #${prNum}`;
-    const prToVersionText = /(?<= to )\S+/.exec(match.title)?.[0];
-    const prToVersion = vendor.semverExports.coerce(prToVersionText);
     // Close older PRs.
-    if (prToVersion && vendor.semverExports.lt(prToVersion, newVersion)) {
+    if (prToVersion && newVersion && vendor.semverExports.lt(prToVersion, newVersion)) {
       try {
         await octokit.pulls.update({
           owner,
@@ -3904,14 +3947,14 @@ async function cleanupOpenPrs(owner, repo, newVersion, options) {
           pull_number: prNum,
           state: 'closed'
         });
-        debug.debugFn(`Closed ${prRef} for older version ${prToVersion}.`);
+        debug.debugFn(`close: ${prRef} for ${prToVersion}`);
         // Remove entry from parent object.
         context.parent.splice(context.index, 1);
         // Mark cache to be saved.
         cachesToSave.set(context.cacheKey, context.data);
         return null;
       } catch (e) {
-        debug.debugFn(`Failed to close ${prRef}: ${e?.message || 'Unknown error'}`);
+        debug.debugFn(`fail: close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
       }
     }
     // Update stale PRs.
@@ -3924,7 +3967,7 @@ async function cleanupOpenPrs(owner, repo, newVersion, options) {
           base: match.headRefName,
           head: match.baseRefName
         });
-        debug.debugFn(`Updated stale ${prRef}.`);
+        debug.debugFn('update: stale', prRef);
         // Update entry entry.
         if (context.apiType === 'graphql') {
           context.entry.mergeStateStatus = 'CLEAN';
@@ -3935,7 +3978,7 @@ async function cleanupOpenPrs(owner, repo, newVersion, options) {
         cachesToSave.set(context.cacheKey, context.data);
       } catch (e) {
         const message = e?.message || 'Unknown error';
-        debug.debugFn(`Failed to update ${prRef}: ${message}`);
+        debug.debugFn(`fail: update ${prRef} - ${message}`);
       }
     }
     return match;
@@ -3990,9 +4033,15 @@ async function enablePrAutoMerge({
     enabled: false
   };
 }
-function getGitHubEnvRepoInfo() {
+function getGithubEnvRepoInfo() {
   // Lazily access constants.ENV.GITHUB_REPOSITORY.
-  const ownerSlashRepo = constants.ENV.GITHUB_REPOSITORY;
+  const {
+    GITHUB_REPOSITORY
+  } = constants.ENV;
+  if (!GITHUB_REPOSITORY) {
+    debug.debugFn('miss: GITHUB_REPOSITORY env var');
+  }
+  const ownerSlashRepo = GITHUB_REPOSITORY;
   const slashIndex = ownerSlashRepo.indexOf('/');
   if (slashIndex === -1) {
     return null;
@@ -4002,6 +4051,9 @@ function getGitHubEnvRepoInfo() {
     repo: ownerSlashRepo.slice(slashIndex + 1)
   };
 }
+async function getOpenSocketPrs(owner, repo, options) {
+  return (await getOpenSocketPrsWithContext(owner, repo, options)).map(d => d.match);
+}
 async function getOpenSocketPrsWithContext(owner, repo, options_) {
   const options = {
     __proto__: null,
@@ -4013,7 +4065,7 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
   const checkAuthor = strings.isNonEmptyString(author);
   const octokit = getOctokit();
   const octokitGraphql = getOctokitGraphql();
-  const titlePattern = getSocketPrTitlePattern(options);
+  const prBranchParser = createSocketBranchParser(options);
   const contextualMatches = [];
   try {
     // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
@@ -4047,7 +4099,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
       const node = nodes[i];
       const login = node.author?.login;
       const matchesAuthor = checkAuthor ? login === author : true;
-      if (matchesAuthor && titlePattern.test(node.title)) {
+      const matchesBranch = prBranchParser(node.headRefName);
+      if (matchesAuthor && matchesBranch) {
         contextualMatches.push({
           context: {
             apiType: 'graphql',
@@ -4059,6 +4112,7 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
           },
           match: {
             ...node,
+            ...matchesBranch,
             author: login ?? '<unknown>'
           }
         });
@@ -4089,7 +4143,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
     const pr = allOpenPrs[i];
     const login = pr.user?.login;
     const matchesAuthor = checkAuthor ? login === author : true;
-    if (matchesAuthor && titlePattern.test(pr.title)) {
+    const matchesBranch = prBranchParser(pr.head.ref);
+    if (matchesAuthor && matchesBranch) {
       contextualMatches.push({
         context: {
           apiType: 'rest',
@@ -4100,6 +4155,7 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
           parent: allOpenPrs
         },
         match: {
+          ...matchesBranch,
           author: login ?? '<unknown>',
           baseRefName: pr.base.ref,
           headRefName: pr.head.ref,
@@ -4124,18 +4180,19 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
   };
   // Lazily access constants.ENV.GITHUB_ACTIONS.
   if (!constants.ENV.GITHUB_ACTIONS) {
-    debug.debugFn('Missing GITHUB_ACTIONS environment variable.');
+    debug.debugFn('miss: GITHUB_ACTIONS env var');
     return null;
   }
+  const purlObj = utils.getPurlObject(purl);
   const octokit = getOctokit();
   try {
     return await octokit.pulls.create({
       owner,
       repo,
-      title: getSocketPullRequestTitle(purl, newVersion, workspace),
+      title: getSocketPullRequestTitle(purlObj, newVersion, workspace),
       head: branch,
       base: baseBranch,
-      body: getSocketPullRequestBody(purl, newVersion, workspace)
+      body: getSocketPullRequestBody(purlObj, newVersion, workspace)
     });
   } catch (e) {
     let message = `Failed to open pull request`;
@@ -4164,7 +4221,7 @@ async function prExistForBranch(owner, repo, branch) {
   } catch {}
   return false;
 }
-async function setGitRemoteGitHubRepoUrl(owner, repo, token, cwd = process.cwd()) {
+async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
   const stdioIgnoreOptions = {
     cwd,
     stdio: 'ignore'
@@ -4173,7 +4230,7 @@ async function setGitRemoteGitHubRepoUrl(owner, repo, token, cwd = process.cwd()
   try {
     await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
   } catch (e) {
-    debug.debugFn('Unexpected error:\n', e);
+    debug.debugFn('catch: unexpected\n', e);
   }
 }
 
@@ -4228,10 +4285,26 @@ async function npmFix(pkgEnvDetails, {
   const {
     spinner
   } = constants;
-  spinner?.start();
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
+
+  // Lazily access constants.ENV properties.
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
+  const repoInfo = isCi ? getGithubEnvRepoInfo() : null;
+  spinner?.start();
+  const openPrs =
+  // Check repoInfo to make TypeScript happy.
+  isCi && repoInfo ? await getOpenSocketPrs(repoInfo.owner, repoInfo.repo, {
+    author: gitUser
+  }) : [];
+  if (openPrs.length) {
+    debug.debugFn(`found: ${openPrs.length} open PRs`);
+  }
+  let count = isCi ? openPrs.length : 0;
   const arb = new shadowInject.Arborist({
     path: rootPath,
     ...shadowInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
@@ -4242,14 +4315,13 @@ async function npmFix(pkgEnvDetails, {
   let alertsMap;
   try {
     alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-      limit
+      limit: limit + openPrs.length
     })) : await shadowInject.getAlertsMapFromArborist(arb, getAlertsMapOptions({
-      limit
+      limit: limit + openPrs.length
     }));
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('API Error thrown:');
-    debug.debugFn(e);
+    debug.debugFn('catch: PURL API\n', e);
     return {
       ok: false,
       message: 'API Error',
@@ -4257,7 +4329,7 @@ async function npmFix(pkgEnvDetails, {
     };
   }
   const infoByPkgName = utils.getCveInfoFromAlertsMap(alertsMap, {
-    limit
+    limit: limit + openPrs.length
   });
   if (!infoByPkgName) {
     spinner?.stop();
@@ -4269,17 +4341,14 @@ async function npmFix(pkgEnvDetails, {
       }
     };
   }
-
-  // Lazily access constants.ENV properties.
-  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && token);
   const baseBranch = isCi ? getBaseGitBranch() : '';
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
+  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   const handleInstallFail = () => {
-    debug.debugFn(`Unexpected condition: ${pkgEnvDetails.agent} install failed.\n`);
+    debug.debugFn(`fail: ${pkgEnvDetails.agent} install\n`);
     logger.logger.dedent();
     spinner?.dedent();
     return {
@@ -4289,21 +4358,24 @@ async function npmFix(pkgEnvDetails, {
     };
   };
   spinner?.stop();
-  let count = 0;
-  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   infoEntriesLoop: for (let i = 0, {
       length
     } = sortedInfoEntries; i < length; i += 1) {
     const isLastInfoEntry = i === length - 1;
+    const infoEntry = sortedInfoEntries[i];
     const {
-      0: name,
-      1: infos
-    } = sortedInfoEntries[i];
+      0: name
+    } = infoEntry;
+    const openPrsForPkg = openPrs.filter(pr => name === packages.resolvePackageName(pr.purl));
+    const infos = [...infoEntry[1].values()].filter(info => !openPrsForPkg.find(pr => pr.newVersion === info.firstPatchedVersionIdentifier));
+    if (!infos.length) {
+      continue infoEntriesLoop;
+    }
     logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(NPM$a, name)) {
-      debug.debugFn(`Socket Optimize package exists for ${name}.`);
+      debug.debugFn(`found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -4327,7 +4399,7 @@ async function npmFix(pkgEnvDetails, {
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
       const oldVersions = arrays.arrayUnique(shadowInject.findPackageNodes(actualTree, name).map(n => n.target?.version ?? n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn(`${name} not found, skipping.\n`);
+        debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
         logger.logger.dedent();
         spinner?.dedent();
@@ -4343,7 +4415,7 @@ async function npmFix(pkgEnvDetails, {
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
-        debug.debugFn(`Checking workspace ${workspace}.`);
+        debug.debugFn(`check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -4352,7 +4424,7 @@ async function npmFix(pkgEnvDetails, {
         const oldPurl = utils.idToPurl(oldId);
         const node = shadowInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn(`${oldId} not found, skipping.`);
+          debug.debugFn(`skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -4360,7 +4432,7 @@ async function npmFix(pkgEnvDetails, {
           vulnerableVersionRange
         } of infos.values()) {
           if (vendor.semverExports.gte(oldVersion, firstPatchedVersionIdentifier)) {
-            debug.debugFn(`${oldId} is >= ${firstPatchedVersionIdentifier}, skipping.`);
+            debug.debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
           const newVersion = shadowInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
@@ -4396,7 +4468,7 @@ async function npmFix(pkgEnvDetails, {
           if (!(await editablePkgJson.save({
             ignoreWhitespace: true
           }))) {
-            debug.debugFn(`${workspace}/package.json not changed, skipping.`);
+            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
             // Reset things just in case.
             if (isCi) {
               // eslint-disable-next-line no-await-in-loop
@@ -4436,7 +4508,9 @@ async function npmFix(pkgEnvDetails, {
             error = e;
           }
           spinner?.stop();
-          if (!errored && isCi) {
+
+          // Check repoInfo to make TypeScript happy.
+          if (!errored && isCi && repoInfo) {
             try {
               // eslint-disable-next-line no-await-in-loop
               const result = await gitUnstagedModifiedFiles(cwd);
@@ -4454,23 +4528,24 @@ async function npmFix(pkgEnvDetails, {
                 logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
                 continue infosLoop;
               }
-              const repoInfo = getGitHubEnvRepoInfo();
               const branch = getSocketBranchName(oldPurl, newVersion, workspace);
               let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
               await prExistForBranch(repoInfo.owner, repoInfo.repo, branch)) {
                 skipPr = true;
-                debug.debugFn(`Branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: branch "${branch}" exists`);
               }
               // eslint-disable-next-line no-await-in-loop
               else if (await gitRemoteBranchExists(branch, cwd)) {
                 skipPr = true;
-                debug.debugFn(`Remote branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: remote branch "${branch}" exists`);
               } else if (
               // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
-                cwd
+                cwd,
+                email: gitEmail,
+                user: gitUser
               }))) {
                 skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
@@ -4491,7 +4566,8 @@ async function npmFix(pkgEnvDetails, {
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGitHubRepoUrl(repoInfo.owner, repoInfo.repo, token, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, newVersion, {
+              await Promise.allSettled([setGitRemoteGithubRepoUrl(repoInfo.owner, repoInfo.repo, githubToken, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, {
+                newVersion,
                 purl: oldPurl,
                 workspace
               })]);
@@ -4652,7 +4728,23 @@ async function pnpmFix(pkgEnvDetails, {
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
+
+  // Lazily access constants.ENV properties.
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
+  const repoInfo = isCi ? getGithubEnvRepoInfo() : null;
   spinner?.start();
+  const openPrs =
+  // Check repoInfo to make TypeScript happy.
+  isCi && repoInfo ? await getOpenSocketPrs(repoInfo.owner, repoInfo.repo, {
+    author: gitUser
+  }) : [];
+  if (openPrs.length) {
+    debug.debugFn(`found: ${openPrs.length} open PRs`);
+  }
+  let count = isCi ? openPrs.length : 0;
   let actualTree;
   const lockfilePath = path.join(rootPath, 'pnpm-lock.yaml');
   let lockfileContent = await utils.readPnpmLockfile(lockfilePath);
@@ -4701,14 +4793,13 @@ async function pnpmFix(pkgEnvDetails, {
   let alertsMap;
   try {
     alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-      limit
+      limit: limit + openPrs.length
     })) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getAlertsMapOptions({
-      limit
+      limit: limit + openPrs.length
     }));
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('Unexpected Socket batch PURL API error:');
-    debug.debugFn(e);
+    debug.debugFn('catch: PURL API\n', e);
     return {
       ok: false,
       message: 'API Error',
@@ -4716,7 +4807,7 @@ async function pnpmFix(pkgEnvDetails, {
     };
   }
   const infoByPkgName = utils.getCveInfoFromAlertsMap(alertsMap, {
-    limit
+    limit: limit + openPrs.length
   });
   if (!infoByPkgName) {
     spinner?.stop();
@@ -4728,15 +4819,12 @@ async function pnpmFix(pkgEnvDetails, {
       }
     };
   }
-
-  // Lazily access constants.ENV properties.
-  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && token);
   const baseBranch = isCi ? getBaseGitBranch() : '';
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
+  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   const handleInstallFail = () => {
     logger.logger.dedent();
     spinner?.dedent();
@@ -4747,21 +4835,24 @@ async function pnpmFix(pkgEnvDetails, {
     };
   };
   spinner?.stop();
-  let count = 0;
-  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   infoEntriesLoop: for (let i = 0, {
       length
     } = sortedInfoEntries; i < length; i += 1) {
     const isLastInfoEntry = i === length - 1;
+    const infoEntry = sortedInfoEntries[i];
     const {
-      0: name,
-      1: infos
-    } = sortedInfoEntries[i];
+      0: name
+    } = infoEntry;
+    const openPrsForPkg = openPrs.filter(pr => name === packages.resolvePackageName(pr.purl));
+    const infos = [...infoEntry[1].values()].filter(info => !openPrsForPkg.find(pr => pr.newVersion === info.firstPatchedVersionIdentifier));
+    if (!infos.length) {
+      continue infoEntriesLoop;
+    }
     logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(NPM$9, name)) {
-      debug.debugFn(`Socket Optimize package exists for ${name}.`);
+      debug.debugFn(`found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -4786,6 +4877,10 @@ async function pnpmFix(pkgEnvDetails, {
 
       // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
       if (!actualTree) {
+        if (!isCi) {
+          // eslint-disable-next-line no-await-in-loop
+          await utils.removeNodeModules(cwd);
+        }
         const maybeActualTree = isCi && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
         // eslint-disable-next-line no-await-in-loop
         await getActualTree(cwd) :
@@ -4808,7 +4903,7 @@ async function pnpmFix(pkgEnvDetails, {
       }
       const oldVersions = arrays.arrayUnique(shadowInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn(`${name} not found, skipping.\n`);
+        debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
         logger.logger.dedent();
         spinner?.dedent();
@@ -4827,7 +4922,7 @@ async function pnpmFix(pkgEnvDetails, {
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
-        debug.debugFn(`Checking workspace ${workspace}.`);
+        debug.debugFn(`check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -4836,7 +4931,7 @@ async function pnpmFix(pkgEnvDetails, {
         const oldPurl = utils.idToPurl(oldId);
         const node = shadowInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn(`${oldId} not found, skipping.`);
+          debug.debugFn(`skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -4844,7 +4939,7 @@ async function pnpmFix(pkgEnvDetails, {
           vulnerableVersionRange
         } of infos.values()) {
           if (vendor.semverExports.gte(oldVersion, firstPatchedVersionIdentifier)) {
-            debug.debugFn(`${oldId} is >= ${firstPatchedVersionIdentifier}, skipping.`);
+            debug.debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
           const newVersion = shadowInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
@@ -4902,7 +4997,7 @@ async function pnpmFix(pkgEnvDetails, {
           if (!(await editablePkgJson.save({
             ignoreWhitespace: true
           }))) {
-            debug.debugFn(`${workspace}/package.json unchanged, skipping.`);
+            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
             // Reset things just in case.
             if (isCi) {
               // eslint-disable-next-line no-await-in-loop
@@ -4961,7 +5056,9 @@ async function pnpmFix(pkgEnvDetails, {
             errored = true;
           }
           spinner?.stop();
-          if (!errored && isCi) {
+
+          // Check repoInfo to make TypeScript happy.
+          if (!errored && isCi && repoInfo) {
             try {
               // eslint-disable-next-line no-await-in-loop
               const result = await gitUnstagedModifiedFiles(cwd);
@@ -4977,23 +5074,24 @@ async function pnpmFix(pkgEnvDetails, {
                 logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
                 continue infosLoop;
               }
-              const repoInfo = getGitHubEnvRepoInfo();
               const branch = getSocketBranchName(oldPurl, newVersion, workspace);
               let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
               await prExistForBranch(repoInfo.owner, repoInfo.repo, branch)) {
                 skipPr = true;
-                debug.debugFn(`Branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: branch "${branch}" exists`);
               }
               // eslint-disable-next-line no-await-in-loop
               else if (await gitRemoteBranchExists(branch, cwd)) {
                 skipPr = true;
-                debug.debugFn(`Remote branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: remote branch "${branch}" exists`);
               } else if (
               // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
-                cwd
+                cwd,
+                email: gitEmail,
+                user: gitUser
               }))) {
                 skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
@@ -5019,7 +5117,8 @@ async function pnpmFix(pkgEnvDetails, {
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGitHubRepoUrl(repoInfo.owner, repoInfo.repo, token, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, newVersion, {
+              await Promise.allSettled([setGitRemoteGithubRepoUrl(repoInfo.owner, repoInfo.repo, githubToken, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, {
+                newVersion,
                 purl: oldPurl,
                 workspace
               })]);
@@ -5130,12 +5229,14 @@ async function pnpmFix(pkgEnvDetails, {
     spinner?.dedent();
   }
   spinner?.stop();
+
+  // Or, did we change anything?
   return {
     ok: true,
     data: {
       fixed: true
     }
-  }; // or, did we change anything?
+  };
 }
 
 const {
@@ -5634,9 +5735,9 @@ async function setupTabCompletion(targetName) {
 
   // Target dir is something like ~/.local/share/socket/settings/completion (linux)
   const targetDir = path.dirname(targetPath);
-  debug.debugFn('Target Path:', targetPath, ', Target Dir:', targetDir);
+  debug.debugFn('target: path + dir', targetPath, targetDir);
   if (!fs$1.existsSync(targetDir)) {
-    debug.debugFn('Dir does not exist, creating it now...');
+    debug.debugFn('create: target dir');
     fs$1.mkdirSync(targetDir, {
       recursive: true
     });
@@ -8016,7 +8117,7 @@ async function updateLockfile(pkgEnvDetails, options) {
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn(e);
+    debug.debugFn('fail: update\n', e);
     return {
       ok: false,
       message: 'Update failed',
@@ -9859,7 +9960,7 @@ async function fetchListAllRepos({
       page: String(nextPage)
     }), 'list of repositories');
     if (!result.ok) {
-      debug.debugFn('At least one fetch failed, bailing...', result);
+      debug.debugFn('fail: fetch repo\n', result);
       return result;
     }
     result.data.results.forEach(row => rows.push(row));
@@ -11297,7 +11398,7 @@ async function createScanFromGithub({
       scansCreated += 1;
     }
   }
-  logger.logger.success(targetRepos.length, 'Github repos detected');
+  logger.logger.success(targetRepos.length, 'GitHub repos detected');
   logger.logger.success(scansCreated, 'with supported Manifest files');
   return {
     ok: true,
@@ -11346,11 +11447,11 @@ async function scanOneRepo(repoSlug, {
   } = repoResult.data;
   logger.logger.info(`Default branch: \`${defaultBranch}\``);
   const treeResult = await getRepoBranchTree({
+    defaultBranch,
+    githubToken,
     orgGithub,
     repoSlug,
-    repoApiUrl,
-    defaultBranch,
-    githubToken
+    repoApiUrl
   });
   if (!treeResult.ok) {
     return treeResult;
@@ -11366,7 +11467,7 @@ async function scanOneRepo(repoSlug, {
     };
   }
   const tmpDir = fs$1.mkdtempSync(path.join(os.tmpdir(), repoSlug));
-  debug.debugFn('Temp dir for downloaded manifest (serves as scan root):', tmpDir);
+  debug.debugFn('init: temp dir for scan root', tmpDir);
   const downloadResult = await testAndDownloadManifestFiles({
     files,
     tmpDir,
@@ -11479,7 +11580,7 @@ async function testAndDownloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('Testing file:', file);
+  debug.debugFn('test: file', file);
   if (!SUPPORTED_FILE_PATTERNS.some(regex => regex.test(file))) {
     // Not an error.
     return {
@@ -11489,7 +11590,7 @@ async function testAndDownloadManifestFile({
       }
     };
   }
-  debug.debugLog(`[DEBUG] Found a manifest file: \`${file}\`, will download it to temp dir...`);
+  debug.debugFn('found: manifest file', file);
   const result = await downloadManifestFile({
     file,
     tmpDir,
@@ -11497,15 +11598,12 @@ async function testAndDownloadManifestFile({
     repoApiUrl,
     githubToken
   });
-  if (!result.ok) {
-    return result;
-  }
-  return {
+  return result.ok ? {
     ok: true,
     data: {
       isManifest: true
     }
-  };
+  } : result;
 }
 async function downloadManifestFile({
   defaultBranch,
@@ -11514,44 +11612,40 @@ async function downloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugLog(`[DEBUG] Requesting download url from GitHub...`);
+  debug.debugFn('request: download url from GitHub');
   const fileUrl = `${repoApiUrl}/contents/${file}?ref=${defaultBranch}`;
-  debug.debugFn('File url:', fileUrl);
+  debug.debugFn('url: file', fileUrl);
   const downloadUrlResponse = await fetch(fileUrl, {
     method: 'GET',
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
-  debug.debugLog(`[DEBUG] Request completed.`);
+  debug.debugFn('complete: request');
   const downloadUrlText = await downloadUrlResponse.text();
-  debug.debugFn('Raw download url response:', downloadUrlText);
+  debug.debugFn('response: raw download url', downloadUrlText);
   let downloadUrl;
   try {
     downloadUrl = JSON.parse(downloadUrlText).download_url;
   } catch {
     logger.logger.fail(`GitHub response contained invalid JSON for download url for: ${file}`);
-    debug.debugLog(`[DEBUG] The not-json-content:`);
-    debug.debugLog(downloadUrlText);
     return {
       ok: false,
       message: 'Invalid JSON response',
       cause: `Server responded with invalid JSON for download url ${downloadUrl}`
     };
   }
-  debug.debugLog(`[DEBUG] Downloading manifest file...`);
   const localPath = path.join(tmpDir, file);
-  debug.debugFn('Downloading from', downloadUrl, 'to', localPath);
+  debug.debugFn('download: manifest file started', downloadUrl, '->', localPath);
 
   // Now stream the file to that file...
-
   const result = await streamDownloadWithFetch(localPath, downloadUrl);
   if (!result.ok) {
     // Do we proceed? Bail? Hrm...
     logger.logger.fail(`Failed to download manifest file, skipping to next file. File: ${file}`);
     return result;
   }
-  debug.debugLog(`[DEBUG] Downloaded manifest file.`);
+  debug.debugFn('download: manifest file completed');
   return {
     ok: true,
     data: undefined
@@ -11628,14 +11722,14 @@ async function getLastCommitDetails({
 }) {
   logger.logger.info(`Requesting last commit for default branch ${defaultBranch} for ${orgGithub}/${repoSlug}...`);
   const commitApiUrl = `${repoApiUrl}/commits?sha=${defaultBranch}&per_page=1`;
-  debug.debugFn('Commit url:', commitApiUrl);
+  debug.debugFn('url: commit', commitApiUrl);
   const commitResponse = await fetch(commitApiUrl, {
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
   const commitText = await commitResponse.text();
-  debug.debugFn('Raw commit response:', commitText);
+  debug.debugFn('response: commit', commitText);
   let lastCommit;
   try {
     lastCommit = JSON.parse(commitText)?.[0];
@@ -11722,7 +11816,7 @@ async function getRepoDetails({
   repoSlug
 }) {
   const repoApiUrl = `${githubApiUrl}/repos/${orgGithub}/${repoSlug}`;
-  debug.debugFn('Repo URL:', repoApiUrl);
+  debug.debugFn('url: repo', repoApiUrl);
   const repoDetailsResponse = await fetch(repoApiUrl, {
     method: 'GET',
     headers: {
@@ -11731,7 +11825,7 @@ async function getRepoDetails({
   });
   logger.logger.success(`Request completed.`);
   const repoDetailsText = await repoDetailsResponse.text();
-  debug.debugFn('Raw repo response:', repoDetailsText);
+  debug.debugFn('response: repo', repoDetailsText);
   let repoDetails;
   try {
     repoDetails = JSON.parse(repoDetailsText);
@@ -11770,7 +11864,7 @@ async function getRepoBranchTree({
 }) {
   logger.logger.info(`Requesting default branch file tree; branch \`${defaultBranch}\`, repo \`${orgGithub}/${repoSlug}\`...`);
   const treeApiUrl = `${repoApiUrl}/git/trees/${defaultBranch}?recursive=1`;
-  debug.debugFn('Tree URL:', treeApiUrl);
+  debug.debugFn('url: tree', treeApiUrl);
   const treeResponse = await fetch(treeApiUrl, {
     method: 'GET',
     headers: {
@@ -11778,7 +11872,7 @@ async function getRepoBranchTree({
     }
   });
   const treeText = await treeResponse.text();
-  debug.debugFn('Raw tree response:', treeText);
+  debug.debugFn('response: tree', treeText);
   let treeDetails;
   try {
     treeDetails = JSON.parse(treeText);
@@ -12555,7 +12649,7 @@ async function fetchScan(orgSlug, scanId) {
       return JSON.parse(line);
     } catch {
       ok = false;
-      debug.debugFn('NDJSON failed to parse the following line:', line);
+      debug.debugFn('fail: parse NDJSON\n', line);
       return null;
     }
   });
@@ -13340,7 +13434,7 @@ Do you want to install "safe npm" (this will create an alias to the socket-npm c
       }
     }
   } catch (e) {
-    debug.debugFn('Failed to setup tab completion:\n', e);
+    debug.debugFn('fail: setup tab completion\n', e);
     // Ignore. Skip tab completion setup.
   }
   if (!updatedTabCompletion) {
@@ -13582,5 +13676,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=2fd0bc0c-3a6c-42d6-8ccd-1745d5682e7e
+//# debugId=563527a7-7f37-46a5-b38a-7455caa4e1aa
 //# sourceMappingURL=cli.js.map