@socketsecurity/cli-with-sentry 0.15.42 → 0.15.44

package/dist/utils.js

@@ -21,10 +21,11 @@ var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var npm = require('../external/@socketsecurity/registry/lib/npm');
 var words = require('../external/@socketsecurity/registry/lib/words');
 var fs$1 = require('../external/@socketsecurity/registry/lib/fs');
+var require$$7 = require('../external/@socketsecurity/registry/lib/promises');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 const {
-  NPM: NPM$6,
+  NPM: NPM$5,
   PNPM: PNPM$2
 } = constants;
 const PNPM_WORKSPACE = `${PNPM$2}-workspace`;
@@ -135,7 +136,7 @@ function workspacePatternToGlobPattern(workspace) {
   return `${workspace}/package.json`;
 }
 async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
-  const patterns = ['golang', NPM$6, 'maven', 'pypi', 'gem', 'nuget'].reduce((r, n) => {
+  const patterns = ['golang', NPM$5, 'maven', 'pypi', 'gem', 'nuget'].reduce((r, n) => {
     const supported = supportedFiles[n];
     r.push(...(supported ? Object.values(supported).map(p => `**/${p.pattern}`) : []));
     return r;
@@ -180,9 +181,11 @@ async function globWithGitIgnore(patterns, options) {
   return absolute ? filtered.map(p => path.resolve(cwd, p)) : filtered;
 }
 async function globNodeModules(cwd = process.cwd()) {
-  return await vendor.distExports.glob('**/node_modules/**', {
+  return await vendor.distExports.glob('**/node_modules', {
     absolute: true,
-    cwd
+    cwd,
+    expandDirectories: false,
+    onlyDirectories: true
   });
 }
 async function globWorkspace(agent, cwd = process.cwd()) {
@@ -203,7 +206,12 @@ const {
 } = constants;
 async function removeNodeModules(cwd = process.cwd()) {
   const nodeModulesPaths = await globNodeModules(cwd);
-  await Promise.all(nodeModulesPaths.map(p => fs$1.remove(p)));
+  await require$$7.pEach(nodeModulesPaths, 3, p => fs$1.remove(p, {
+    force: true,
+    recursive: true
+  }), {
+    retries: 3
+  });
 }
 async function findUp(name, {
   cwd = process.cwd(),
@@ -1093,13 +1101,43 @@ async function meowWithSubcommands(subcommands, options) {
   };
 
   // No further args or first arg is a flag (shrug)
-  if (name === 'socket' && (!commandOrAliasName || commandOrAliasName?.startsWith('-'))) {
+  const isRootCommand = name === 'socket' && (!commandOrAliasName || commandOrAliasName?.startsWith('-'));
+  if (isRootCommand) {
+    flags['help'] = {
+      type: 'boolean',
+      hidden: false,
+      // Only show on root
+      description: 'Give you detailed help information about any sub-command'
+    };
+    flags['config'] = {
+      type: 'string',
+      hidden: false,
+      // Only show on root
+      description: 'Allows you to temp overrides the internal CLI config'
+    };
     flags['dryRun'] = {
       type: 'boolean',
-      default: false,
       hidden: false,
       // Only show on root
-      description: 'Do input validation for a command and exit 0 when input is ok. Every command should support this flag (not shown on help screens)'
+      description: 'Do input validation for a sub-command and then exit'
+    };
+    flags['json'] = {
+      type: 'boolean',
+      hidden: false,
+      // Only show on root
+      description: 'Ensure stdout only receives proper JSON (Most non-interactive commands support this)'
+    };
+    flags['markdown'] = {
+      type: 'boolean',
+      hidden: false,
+      // Only show on root
+      description: 'Ensure stdout only receives a markdown report (Many commands that support --json also support this)'
+    };
+    flags['version'] = {
+      type: 'boolean',
+      hidden: false,
+      // Only show on root
+      description: 'Show version of CLI'
     };
   }
 
@@ -1172,35 +1210,97 @@ async function meowWithSubcommands(subcommands, options) {
     delete subcommands['info'];
     delete subcommands['report'];
   }
+  function formatCommandsForHelp(isRootCommand) {
+    if (!isRootCommand || !isTestingV1()) {
+      return getHelpListOutput({
+        ...objects.toSortedObject(Object.fromEntries(Object.entries(subcommands).filter(({
+          1: subcommand
+        }) => !subcommand.hidden))),
+        ...objects.toSortedObject(Object.fromEntries(Object.entries(aliases).filter(({
+          1: alias
+        }) => {
+          const {
+            hidden
+          } = alias;
+          const cmdName = hidden ? '' : alias.argv[0];
+          const subcommand = cmdName ? subcommands[cmdName] : undefined;
+          return subcommand && !subcommand.hidden;
+        })))
+      }, 6);
+    }
+
+    // "Bucket" some commands for easier usage
+
+    const commands = new Set(['analytics', 'audit-log', 'config', 'dependencies', 'fix', 'install', 'login', 'logout', 'manifest', 'npm', 'npx', 'optimize', 'organization', 'package', 'raw-npm', 'raw-npx', 'repos', 'scan', 'threat-feed', 'uninstall', 'wrapper']);
+    Object.entries(subcommands).filter(([_name, subcommand]) => !subcommand.hidden).map(([name]) => name).forEach(name => {
+      if (commands.has(name)) {
+        commands.delete(name);
+      } else {
+        logger.logger.fail('Received a visible command that was not added to the list here;', name);
+      }
+    });
+    if (commands.size) {
+      logger.logger.fail('Found commands in the list that were not marked as public or were not defined at all:', Array.from(commands).sort());
+    }
+    const out = [];
+    out.push('All commands have their own --help page');
+    out.push('    ');
+    out.push('    Main commands');
+    out.push('    ');
+    out.push('      socket login             Setup the CLI with an API Token and defaults');
+    out.push('      socket scan create       Create a new Scan and report');
+    out.push('      socket package score     Request the (shallow) security score of a particular package');
+    out.push('      socket ci                Shorthand for CI; socket scan create --report --no-interactive');
+    out.push('    ');
+    out.push('    Socket API');
+    out.push('    ');
+    out.push('      analytics                Look up analytics data');
+    out.push('      audit-log                Look up the audit log for an organization');
+    out.push('      organization             Manage organization account details');
+    out.push('      package                  Look up published package details');
+    out.push('      repository               Manage registered repositories');
+    out.push('      scan                     Manage Socket scans');
+    out.push('      threat-feed              [beta] View the threat feed');
+    out.push('    ');
+    out.push('    Local tools');
+    out.push('    ');
+    out.push('      fix                      Update dependencies with "fixable" Socket alerts');
+    out.push('      manifest                 Generate a dependency manifest for certain languages');
+    out.push('      npm                      npm wrapper functionality');
+    out.push('      npx                      npx wrapper functionality');
+    out.push('      optimize                 Optimize dependencies with @socketregistry overrides');
+    out.push('      raw-npm                  Temporarily disable the Socket npm wrapper');
+    out.push('      raw-npx                  Temporarily disable the Socket npx wrapper');
+    out.push('    ');
+    out.push('    CLI configuration');
+    out.push('    ');
+    out.push('      config                   Manage the CLI configuration directly');
+    out.push('      install                  Manually install CLI tab completion on your system');
+    out.push('      login                    Socket API login and CLI setup');
+    out.push('      logout                   Socket API logout');
+    out.push('      uninstall                Remove the CLI tab completion from your system');
+    out.push('      wrapper                  Enable or disable the Socket npm/npx wrapper');
+    return out.join('\n');
+  }
 
   // Parse it again. Config overrides should now be applied (may affect help).
+  // Note: this is displayed as help screen if the command does not override it
+  //       (which is the case for most sub-commands with sub-commands)
   const cli2 = vendor.meow(`
     Usage
       $ ${name} <command>
 
-    Commands
-      ${getHelpListOutput({
-    ...objects.toSortedObject(Object.fromEntries(Object.entries(subcommands).filter(({
-      1: subcommand
-    }) => !subcommand.hidden))),
-    ...objects.toSortedObject(Object.fromEntries(Object.entries(aliases).filter(({
-      1: alias
-    }) => {
-      const {
-        hidden
-      } = alias;
-      const cmdName = hidden ? '' : alias.argv[0];
-      const subcommand = cmdName ? subcommands[cmdName] : undefined;
-      return subcommand && !subcommand.hidden;
-    })))
-  }, 6)}
+${isRootCommand && isTestingV1() ? '' : '    Commands'}
+      ${formatCommandsForHelp(isRootCommand)}
 
-    Options
-      ${getFlagListOutput(flags, 6)}
+${isRootCommand && isTestingV1() ? '    Options' : '    Options'}${isRootCommand ? '       (Note: all CLI commands have these flags even when not displayed in their help)\n' : ''}
+      ${getFlagListOutput(flags, 6, isTestingV1() ? {
+    padName: 25
+  } : undefined)}
 
     Examples
       $ ${name} --help
-  `, {
+${isRootCommand ? `      $ ${name} scan create` : ''}${isRootCommand ? `\n      $ ${name} package score npm left-pad` : ''}`, {
     argv,
     importMeta,
     ...additionalOptions,
@@ -1397,7 +1497,7 @@ async function determineOrgSlug(orgFlag, firstArg, interactive, dryRun) {
 
 const {
   NODE_MODULES: NODE_MODULES$1,
-  NPM: NPM$5,
+  NPM: NPM$4,
   shadowBinPath
 } = constants;
 function findBinPathDetailsSync(binName) {
@@ -1432,7 +1532,7 @@ function findNpmPathSync(npmBinPath) {
   } = constants;
   let thePath = npmBinPath;
   while (true) {
-    const libNmNpmPath = path.join(thePath, 'lib', NODE_MODULES$1, NPM$5);
+    const libNmNpmPath = path.join(thePath, 'lib', NODE_MODULES$1, NPM$4);
     // mise puts its npm bin in a path like:
     //   /Users/SomeUsername/.local/share/mise/installs/node/vX.X.X/bin/npm.
     // HOWEVER, the location of the npm install is:
@@ -1444,7 +1544,7 @@ function findNpmPathSync(npmBinPath) {
     fs.existsSync(libNmNpmPath) && fs.statSync(libNmNpmPath, {
       throwIfNoEntry: false
     })?.isDirectory()) {
-      thePath = path.join(libNmNpmPath, NPM$5);
+      thePath = path.join(libNmNpmPath, NPM$4);
     }
     const nmPath = path.join(thePath, NODE_MODULES$1);
     if (
@@ -1462,9 +1562,9 @@ function findNpmPathSync(npmBinPath) {
       throwIfNoEntry: false
     })?.isDirectory() && (
     // Optimistically look for the default location.
-    path.basename(thePath) === NPM$5 ||
+    path.basename(thePath) === NPM$4 ||
     // Chocolatey installs npm bins in the same directory as node bins.
-    WIN32 && fs.existsSync(path.join(thePath, `${NPM$5}.cmd`)))) {
+    WIN32 && fs.existsSync(path.join(thePath, `${NPM$4}.cmd`)))) {
       return thePath;
     }
     const parent = path.dirname(thePath);
@@ -1502,7 +1602,7 @@ async function getPackageFilesForScan(cwd, inputPaths, supportedFiles, config) {
 
 const {
   NODE_MODULES,
-  NPM: NPM$4,
+  NPM: NPM$3,
   NPX,
   SOCKET_CLI_ISSUES_URL
 } = constants;
@@ -1516,7 +1616,7 @@ function exitWithBinPathError(binName) {
 let _npmBinPathDetails;
 function getNpmBinPathDetails() {
   if (_npmBinPathDetails === undefined) {
-    _npmBinPathDetails = findBinPathDetailsSync(NPM$4);
+    _npmBinPathDetails = findBinPathDetailsSync(NPM$3);
   }
   return _npmBinPathDetails;
 }
@@ -1538,7 +1638,7 @@ function getNpmBinPath() {
   if (_npmBinPath === undefined) {
     _npmBinPath = getNpmBinPathDetails().path;
     if (!_npmBinPath) {
-      exitWithBinPathError(NPM$4);
+      exitWithBinPathError(NPM$3);
     }
   }
   return _npmBinPath;
@@ -1567,7 +1667,7 @@ let _npmRequire;
 function getNpmRequire() {
   if (_npmRequire === undefined) {
     const npmPath = getNpmPath();
-    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM$4);
+    const npmNmPath = path.join(npmPath, NODE_MODULES, NPM$3);
     _npmRequire = Module.createRequire(path.join(fs.existsSync(npmNmPath) ? npmNmPath : npmPath, '<dummy-basename>'));
   }
   return _npmRequire;
@@ -1609,10 +1709,15 @@ function isHelpFlag(cmdArg) {
   return helpFlags.has(cmdArg);
 }
 
+function getPurlObject(purl) {
+  return typeof purl === 'string' ? vendor.packageurlJsExports.PackageURL.fromString(purl) : purl;
+}
+
 const {
   SOCKET_WEBSITE_URL
 } = constants;
-function getPkgFullNameFromPurlObj(purlObj) {
+function getPkgFullNameFromPurl(purl) {
+  const purlObj = getPurlObject(purl);
   const {
     name,
     namespace
@@ -1622,13 +1727,14 @@ function getPkgFullNameFromPurlObj(purlObj) {
 function getSocketDevAlertUrl(alertType) {
   return `${SOCKET_WEBSITE_URL}/alerts/${alertType}`;
 }
-function getSocketDevPackageOverviewUrlFromPurl(purlObj) {
-  const fullName = getPkgFullNameFromPurlObj(purlObj);
+function getSocketDevPackageOverviewUrlFromPurl(purl) {
+  const purlObj = getPurlObject(purl);
+  const fullName = getPkgFullNameFromPurl(purlObj);
   return getSocketDevPackageOverviewUrl(purlObj.type, fullName, purlObj.version);
 }
 function getSocketDevPackageOverviewUrl(ecosystem, fullName, version) {
   const url = `${SOCKET_WEBSITE_URL}/${ecosystem}/package/${fullName}`;
-  return ecosystem === 'go' ? `${url}${version ? `?section=overview&version=${version}` : ''}` : `${url}${version ? `/overview/${version}` : ''}`;
+  return ecosystem === 'golang' ? `${url}${version ? `?section=overview&version=${version}` : ''}` : `${url}${version ? `/overview/${version}` : ''}`;
 }
 
 /**
@@ -1757,10 +1863,6 @@ async function writeSocketJson(cwd, socketJson) {
   };
 }
 
-function getPurlObject(purl) {
-  return typeof purl === 'string' ? vendor.packageurlJsExports.PackageURL.fromString(purl) : purl;
-}
-
 const {
   ALERT_TYPE_CRITICAL_CVE,
   ALERT_TYPE_CVE,
@@ -1964,72 +2066,6 @@ function getTranslations() {
   return _translations;
 }
 
-function extractOverridesFromPnpmLockfileContent(lockfileContent) {
-  return typeof lockfileContent === 'string' ? /^overrides:(\r?\n {2}.+)+(?:\r?\n)*/m.exec(lockfileContent)?.[0] ?? '' : '';
-}
-async function extractPurlsFromPnpmLockfile(lockfile) {
-  const packages = lockfile?.packages ?? {};
-  const seen = new Set();
-  const visit = pkgPath => {
-    if (seen.has(pkgPath)) {
-      return;
-    }
-    const pkg = packages[pkgPath];
-    if (!pkg) {
-      return;
-    }
-    seen.add(pkgPath);
-    const deps = {
-      __proto__: null,
-      ...pkg.dependencies,
-      ...pkg.optionalDependencies,
-      ...pkg.devDependencies
-    };
-    for (const depName in deps) {
-      const ref = deps[depName];
-      const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`;
-      visit(subKey);
-    }
-  };
-  for (const pkgPath of Object.keys(packages)) {
-    visit(pkgPath);
-  }
-  return [...seen].map(p => idToPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))));
-}
-function isPnpmDepPath(maybeDepPath) {
-  return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47; /*'/'*/
-}
-function parsePnpmLockfile(lockfileContent) {
-  let result;
-  if (typeof lockfileContent === 'string') {
-    try {
-      result = vendor.jsYaml.load(strings.stripBom(lockfileContent));
-    } catch {}
-  }
-  return objects.isObjectObject(result) ? result : null;
-}
-function parsePnpmLockfileVersion(version) {
-  try {
-    return vendor.semverExports.coerce(version);
-  } catch {}
-  return null;
-}
-async function readPnpmLockfile(lockfilePath) {
-  return fs.existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : null;
-}
-function stripLeadingPnpmDepPathSlash(depPath) {
-  return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath;
-}
-function stripPnpmPeerSuffix(depPath) {
-  const parenIndex = depPath.indexOf('(');
-  const index = parenIndex === -1 ? depPath.indexOf('_') : parenIndex;
-  return index === -1 ? depPath : depPath.slice(0, index);
-}
-
-function idToPurl(id) {
-  return `pkg:npm/${id}`;
-}
-
 const ALERT_SEVERITY_COLOR = createEnum({
   critical: 'magenta',
   high: 'red',
@@ -2043,9 +2079,6 @@ const ALERT_SEVERITY_ORDER = createEnum({
   low: 3,
   none: 4
 });
-const {
-  NPM: NPM$3
-} = constants;
 const MIN_ABOVE_THE_FOLD_COUNT = 3;
 const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1;
 const format = new ColorOrMarkdown(false);
@@ -2090,10 +2123,10 @@ function getHiddenRisksDescription(riskCounts) {
   }
   return `(${descriptions.join('; ')})`;
 }
-async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
+async function addArtifactToAlertsMap(artifact, alertsByPurl, options) {
   // Make TypeScript happy.
   if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-    return alertsByPkgId;
+    return alertsByPurl;
   }
   const {
     consolidate = false,
@@ -2116,6 +2149,7 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   };
   const name = packages.resolvePackageName(artifact);
   const {
+    type: ecosystem,
     version
   } = artifact;
   const enabledState = {
@@ -2145,6 +2179,7 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
         type: alert.type,
         blocked,
         critical,
+        ecosystem,
         fixable,
         raw: alert,
         upgradable
@@ -2152,9 +2187,9 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
     }
   }
   if (!sockPkgAlerts.length) {
-    return alertsByPkgId;
+    return alertsByPurl;
   }
-  const pkgId = `${name}@${version}`;
+  const purl = `pkg:${ecosystem}/${name}@${version}`;
   const major = getMajor(version);
   if (consolidate) {
     const highestForCve = new Map();
@@ -2203,9 +2238,9 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
     sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
   }
   if (sockPkgAlerts.length) {
-    alertsByPkgId.set(pkgId, sockPkgAlerts);
+    alertsByPurl.set(purl, sockPkgAlerts);
   }
-  return alertsByPkgId;
+  return alertsByPurl;
 }
 function alertsHaveBlocked(alerts) {
   return alerts.find(a => a.blocked) !== undefined;
@@ -2239,22 +2274,26 @@ function getCveInfoFromAlertsMap(alertsMap, options_) {
     ...options.exclude
   };
   let count = 0;
-  let infoByPkgName = null;
-  alertsMapLoop: for (const [pkgId, sockPkgAlerts] of alertsMap) {
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(idToPurl(pkgId));
+  let infoByPartialPurl = null;
+  alertsMapLoop: for (const {
+    0: purl,
+    1: sockPkgAlerts
+  } of alertsMap) {
+    const purlObj = getPurlObject(purl);
+    const partialPurl = new vendor.packageurlJsExports$1.PackageURL(purlObj.type, purlObj.namespace, purlObj.name).toString();
     const name = packages.resolvePackageName(purlObj);
     sockPkgAlertsLoop: for (const sockPkgAlert of sockPkgAlerts) {
       const alert = sockPkgAlert.raw;
-      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || options.exclude.upgradable && registry.getManifestData(NPM$3, name)) {
+      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || options.exclude.upgradable && registry.getManifestData(sockPkgAlert.ecosystem, name)) {
         continue sockPkgAlertsLoop;
       }
-      if (!infoByPkgName) {
-        infoByPkgName = new Map();
+      if (!infoByPartialPurl) {
+        infoByPartialPurl = new Map();
       }
-      let infos = infoByPkgName.get(name);
+      let infos = infoByPartialPurl.get(partialPurl);
       if (!infos) {
         infos = new Map();
-        infoByPkgName.set(name, infos);
+        infoByPartialPurl.set(partialPurl, infos);
       }
       const {
         key
@@ -2273,7 +2312,7 @@ function getCveInfoFromAlertsMap(alertsMap, options_) {
               vulnerableVersionRange: new vendor.semverExports.Range(
               // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
               // semver.Range will parse it without erroring.
-              vulnerableVersionRange.replace(/, +/g, ' ')).format()
+              vulnerableVersionRange.replace(/, +/g, ' ').replace(/; +/g, ' || ')).format()
             });
             if (++count >= options.limit) {
               break alertsMapLoop;
@@ -2286,12 +2325,12 @@ function getCveInfoFromAlertsMap(alertsMap, options_) {
         debug.debugFn('fail: invalid SocketPackageAlert\n', alert);
         if (error) {
           // Explicitly use debugLog here.
-          debug.debugLog(error);
+          debug.debugLog(error.message ?? error);
         }
       }
     }
   }
-  return infoByPkgName;
+  return infoByPartialPurl;
 }
 function getSeverityLabel(severity) {
   return severity === 'middle' ? 'moderate' : severity;
@@ -2306,14 +2345,14 @@ function logAlertsMap(alertsMap, options) {
   };
   const translations = getTranslations();
   const sortedEntries = [...alertsMap.entries()].sort((a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1]));
-  const aboveTheFoldPkgIds = new Set();
-  const viewableAlertsByPkgId = new Map();
-  const hiddenAlertsByPkgId = new Map();
+  const aboveTheFoldPurls = new Set();
+  const viewableAlertsByPurl = new Map();
+  const hiddenAlertsByPurl = new Map();
   for (let i = 0, {
       length
     } = sortedEntries; i < length; i += 1) {
     const {
-      0: pkgId,
+      0: purl,
       1: alerts
     } = sortedEntries[i];
     const hiddenAlerts = [];
@@ -2325,37 +2364,37 @@ function logAlertsMap(alertsMap, options) {
       return keep;
     });
     if (hiddenAlerts.length) {
-      hiddenAlertsByPkgId.set(pkgId, hiddenAlerts.sort(alertSeverityComparator));
+      hiddenAlertsByPurl.set(purl, hiddenAlerts.sort(alertSeverityComparator));
     }
     if (!viewableAlerts.length) {
       continue;
     }
     viewableAlerts.sort(alertSeverityComparator);
-    viewableAlertsByPkgId.set(pkgId, viewableAlerts);
+    viewableAlertsByPurl.set(purl, viewableAlerts);
     if (viewableAlerts.find(a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle)) {
-      aboveTheFoldPkgIds.add(pkgId);
+      aboveTheFoldPurls.add(purl);
     }
   }
 
   // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
   for (const {
-    0: pkgId
-  } of viewableAlertsByPkgId.entries()) {
-    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+    0: purl
+  } of viewableAlertsByPurl.entries()) {
+    if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {
       break;
     }
-    aboveTheFoldPkgIds.add(pkgId);
+    aboveTheFoldPurls.add(purl);
   }
   // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
   for (const {
-    0: pkgId,
+    0: purl,
     1: hiddenAlerts
-  } of hiddenAlertsByPkgId.entries()) {
-    if (aboveTheFoldPkgIds.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+  } of hiddenAlertsByPurl.entries()) {
+    if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {
       break;
     }
-    aboveTheFoldPkgIds.add(pkgId);
-    const viewableAlerts = viewableAlertsByPkgId.get(pkgId) ?? [];
+    aboveTheFoldPurls.add(purl);
+    const viewableAlerts = viewableAlertsByPurl.get(purl) ?? [];
     if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
       const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length;
       let removedHiddenAlerts;
@@ -2363,17 +2402,17 @@ function logAlertsMap(alertsMap, options) {
         removedHiddenAlerts = hiddenAlerts.splice(0, MIN_ABOVE_THE_FOLD_ALERT_COUNT);
       } else {
         removedHiddenAlerts = hiddenAlerts;
-        hiddenAlertsByPkgId.delete(pkgId);
+        hiddenAlertsByPurl.delete(purl);
       }
-      viewableAlertsByPkgId.set(pkgId, [...viewableAlerts, ...removedHiddenAlerts]);
+      viewableAlertsByPurl.set(purl, [...viewableAlerts, ...removedHiddenAlerts]);
     }
   }
-  const mentionedPkgIdsWithHiddenAlerts = new Set();
-  for (let i = 0, prevAboveTheFold = true, entries = [...viewableAlertsByPkgId.entries()], {
+  const mentionedPurlsWithHiddenAlerts = new Set();
+  for (let i = 0, prevAboveTheFold = true, entries = [...viewableAlertsByPurl.entries()], {
       length
     } = entries; i < length; i += 1) {
     const {
-      0: pkgId,
+      0: purl,
       1: alerts
     } = entries[i];
     const lines = new Set();
@@ -2393,11 +2432,12 @@ function logAlertsMap(alertsMap, options) {
       // TODO: emoji seems to mis-align terminals sometimes
       lines.add(`  ${content}`);
     }
-    const purlObj = vendor.packageurlJsExports.PackageURL.fromString(idToPurl(pkgId));
-    const hyperlink = format.hyperlink(pkgId, getSocketDevPackageOverviewUrl(NPM$3, packages.resolvePackageName(purlObj), purlObj.version));
-    const isAboveTheFold = aboveTheFoldPkgIds.has(pkgId);
+    const purlObj = getPurlObject(purl);
+    const pkgName = packages.resolvePackageName(purlObj);
+    const hyperlink = format.hyperlink(pkgName, getSocketDevPackageOverviewUrl(purlObj.type, pkgName, purlObj.version));
+    const isAboveTheFold = aboveTheFoldPurls.has(purl);
     if (isAboveTheFold) {
-      aboveTheFoldPkgIds.add(pkgId);
+      aboveTheFoldPurls.add(purl);
       output.write(`${i ? '\n' : ''}${hyperlink}:\n`);
     } else {
       output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`);
@@ -2405,12 +2445,12 @@ function logAlertsMap(alertsMap, options) {
     for (const line of lines) {
       output.write(`${line}\n`);
     }
-    const hiddenAlerts = hiddenAlertsByPkgId.get(pkgId) ?? [];
+    const hiddenAlerts = hiddenAlertsByPurl.get(purl) ?? [];
     const {
       length: hiddenAlertsCount
     } = hiddenAlerts;
     if (hiddenAlertsCount) {
-      mentionedPkgIdsWithHiddenAlerts.add(pkgId);
+      mentionedPurlsWithHiddenAlerts.add(purl);
       if (hiddenAlertsCount === 1) {
         output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`);
       } else {
@@ -2419,7 +2459,7 @@ function logAlertsMap(alertsMap, options) {
     }
     prevAboveTheFold = isAboveTheFold;
   }
-  const additionalHiddenCount = hiddenAlertsByPkgId.size - mentionedPkgIdsWithHiddenAlerts.size;
+  const additionalHiddenCount = hiddenAlertsByPurl.size - mentionedPurlsWithHiddenAlerts.size;
   if (additionalHiddenCount) {
     const totalRiskCounts = {
       critical: 0,
@@ -2428,10 +2468,10 @@ function logAlertsMap(alertsMap, options) {
       low: 0
     };
     for (const {
-      0: pkgId,
+      0: purl,
       1: alerts
-    } of hiddenAlertsByPkgId.entries()) {
-      if (mentionedPkgIdsWithHiddenAlerts.has(pkgId)) {
+    } of hiddenAlertsByPurl.entries()) {
+      if (mentionedPurlsWithHiddenAlerts.has(purl)) {
         continue;
       }
       const riskCounts = getHiddenRiskCounts(alerts);
@@ -2440,11 +2480,80 @@ function logAlertsMap(alertsMap, options) {
       totalRiskCounts.middle += riskCounts.middle;
       totalRiskCounts.low += riskCounts.low;
     }
-    output.write(`${aboveTheFoldPkgIds.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPkgIds.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`);
+    output.write(`${aboveTheFoldPurls.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPurls.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`);
   }
   output.write('\n');
 }
 
+function idToNpmPurl(id) {
+  return `pkg:npm/${id}`;
+}
+function idToPurl(id, type) {
+  return `pkg:${type}/${id}`;
+}
+
+function extractOverridesFromPnpmLockfileContent(lockfileContent) {
+  return typeof lockfileContent === 'string' ? /^overrides:(\r?\n {2}.+)+(?:\r?\n)*/m.exec(lockfileContent)?.[0] ?? '' : '';
+}
+async function extractPurlsFromPnpmLockfile(lockfile) {
+  const packages = lockfile?.packages ?? {};
+  const seen = new Set();
+  const visit = pkgPath => {
+    if (seen.has(pkgPath)) {
+      return;
+    }
+    const pkg = packages[pkgPath];
+    if (!pkg) {
+      return;
+    }
+    seen.add(pkgPath);
+    const deps = {
+      __proto__: null,
+      ...pkg.dependencies,
+      ...pkg.optionalDependencies,
+      ...pkg.devDependencies
+    };
+    for (const depName in deps) {
+      const ref = deps[depName];
+      const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`;
+      visit(subKey);
+    }
+  };
+  for (const pkgPath of Object.keys(packages)) {
+    visit(pkgPath);
+  }
+  return [...seen].map(p => idToNpmPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))));
+}
+function isPnpmDepPath(maybeDepPath) {
+  return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47; /*'/'*/
+}
+function parsePnpmLockfile(lockfileContent) {
+  let result;
+  if (typeof lockfileContent === 'string') {
+    try {
+      result = vendor.jsYaml.load(strings.stripBom(lockfileContent));
+    } catch {}
+  }
+  return objects.isObjectObject(result) ? result : null;
+}
+function parsePnpmLockfileVersion(version) {
+  try {
+    return vendor.semverExports.coerce(version);
+  } catch {}
+  return null;
+}
+async function readPnpmLockfile(lockfilePath) {
+  return fs.existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : null;
+}
+function stripLeadingPnpmDepPathSlash(depPath) {
+  return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath;
+}
+function stripPnpmPeerSuffix(depPath) {
+  const parenIndex = depPath.indexOf('(');
+  const index = parenIndex === -1 ? depPath.indexOf('_') : parenIndex;
+  return index === -1 ? depPath : depPath.slice(0, index);
+}
+
 async function getAlertsMapFromPnpmLockfile(lockfile, options) {
   const purls = await extractPurlsFromPnpmLockfile(lockfile);
   return await getAlertsMapFromPurls(purls, {
@@ -2480,9 +2589,9 @@ async function getAlertsMapFromPurls(purls, options_) {
   let {
     length: remaining
   } = uniqPurls;
-  const alertsByPkgId = new Map();
+  const alertsByPurl = new Map();
   if (!remaining) {
-    return alertsByPkgId;
+    return alertsByPurl;
   }
   const getText = () => `Looking up data for ${remaining} packages`;
   spinner?.start(getText());
@@ -2512,7 +2621,7 @@ async function getAlertsMapFromPurls(purls, options_) {
     }))
   })) {
     if (batchResult.success) {
-      await addArtifactToAlertsMap(batchResult.data, alertsByPkgId, alertsMapOptions);
+      await addArtifactToAlertsMap(batchResult.data, alertsByPurl, alertsMapOptions);
     } else if (!options.nothrow) {
       const statusCode = batchResult.status ?? 'unknown';
       const statusMessage = batchResult.error ?? 'No status message';
@@ -2525,7 +2634,7 @@ async function getAlertsMapFromPurls(purls, options_) {
     }
   }
   spinner?.stop();
-  return alertsByPkgId;
+  return alertsByPurl;
 }
 
 function npa(...args) {
@@ -3083,7 +3192,7 @@ exports.getNpmRequire = getNpmRequire;
 exports.getNpxBinPath = getNpxBinPath;
 exports.getOutputKind = getOutputKind;
 exports.getPackageFilesForScan = getPackageFilesForScan;
-exports.getPkgFullNameFromPurlObj = getPkgFullNameFromPurlObj;
+exports.getPkgFullNameFromPurl = getPkgFullNameFromPurl;
 exports.getPublicToken = getPublicToken;
 exports.getPurlObject = getPurlObject;
 exports.getSeverityCount = getSeverityCount;
@@ -3096,6 +3205,7 @@ exports.handleApiCall = handleApiCall;
 exports.handleApiCallNoSpinner = handleApiCallNoSpinner;
 exports.handleUnsuccessfulApiResponse = handleUnsuccessfulApiResponse;
 exports.hasDefaultToken = hasDefaultToken;
+exports.idToNpmPurl = idToNpmPurl;
 exports.idToPurl = idToPurl;
 exports.isHelpFlag = isHelpFlag;
 exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
@@ -3130,5 +3240,5 @@ exports.updateConfigValue = updateConfigValue;
 exports.validationFlags = validationFlags;
 exports.walkNestedMap = walkNestedMap;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=26e03419-502d-4c19-9c00-b8622567d403
+//# debugId=c940586c-7f80-4e5e-ab46-bf967fcb3730
 //# sourceMappingURL=utils.js.map