@socketsecurity/cli-with-sentry 1.0.0 → 1.0.2

package/dist/cli.js

@@ -18,14 +18,14 @@ var registry = require('../external/@socketsecurity/registry');
 var npm = require('../external/@socketsecurity/registry/lib/npm');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var sorts = require('../external/@socketsecurity/registry/lib/sorts');
+var strings = require('../external/@socketsecurity/registry/lib/strings');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
-var strings = require('../external/@socketsecurity/registry/lib/strings');
 var shadowNpmInject = require('./shadow-npm-inject.js');
+var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
+var objects = require('../external/@socketsecurity/registry/lib/objects');
 var words = require('../external/@socketsecurity/registry/lib/words');
 var shadowNpmBin = require('./shadow-npm-bin.js');
-var objects = require('../external/@socketsecurity/registry/lib/objects');
 var require$$7 = require('../external/@socketsecurity/registry/lib/promises');
 var require$$1 = require('node:util');
 var os = require('node:os');
@@ -2966,22 +2966,6 @@ const cmdConfig = {
   }
 };
 
-async function outputFixResult(result, outputKind) {
-  if (!result.ok) {
-    process.exitCode = result.code ?? 1;
-  }
-  if (outputKind === 'json') {
-    logger.logger.log(utils.serializeResultJson(result));
-    return;
-  }
-  if (!result.ok) {
-    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
-    return;
-  }
-  logger.logger.log('');
-  logger.logger.success('Finished!');
-}
-
 function formatBranchName(name) {
   return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
 }
@@ -3264,6 +3248,18 @@ function getActiveBranchesForPackage(ciEnv, partialPurl, openPrs) {
   return activeBranches;
 }
 
+async function getActualTree(cwd = process.cwd()) {
+  // @npmcli/arborist DOES have partial support for pnpm structured node_modules
+  // folders. However, support is iffy resulting in unhappy path errors and hangs.
+  // So, to avoid the unhappy path, we restrict our usage to --dry-run loading
+  // of the node_modules folder.
+  const arb = new shadowNpmInject.Arborist({
+    path: cwd,
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  });
+  return await arb.loadActual();
+}
+
 let _octokit;
 function getOctokit() {
   if (_octokit === undefined) {
@@ -3634,133 +3630,110 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   }
 }
 
-async function getEnvRepoInfo(cwd) {
-  // Lazily access constants.ENV.GITHUB_REPOSITORY.
-  const {
-    GITHUB_REPOSITORY
-  } = constants.ENV;
-  if (!GITHUB_REPOSITORY) {
-    debug.debugFn('miss: GITHUB_REPOSITORY env var');
-  }
-  const ownerSlashRepo = GITHUB_REPOSITORY;
-  const slashIndex = ownerSlashRepo.indexOf('/');
-  if (slashIndex !== -1) {
-    return {
-      owner: ownerSlashRepo.slice(0, slashIndex),
-      repo: ownerSlashRepo.slice(slashIndex + 1)
-    };
-  }
-  return await gitRepoInfo(cwd);
+const {
+  BUN: BUN$4,
+  NPM: NPM$8,
+  OVERRIDES: OVERRIDES$2,
+  PNPM: PNPM$8,
+  RESOLUTIONS: RESOLUTIONS$1,
+  VLT: VLT$5,
+  YARN_BERRY: YARN_BERRY$4,
+  YARN_CLASSIC: YARN_CLASSIC$4
+} = constants;
+function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_BERRY$4,
+    overrides
+  };
 }
-async function getCiEnv() {
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
-  if (!isCi) {
-    return null;
-  }
-  const baseBranch = await getBaseGitBranch();
-  if (!baseBranch) {
-    return null;
-  }
-  const repoInfo = await getEnvRepoInfo();
-  if (!repoInfo) {
-    return null;
-  }
+
+// npm overrides documentation:
+// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
+function getOverridesDataNpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[OVERRIDES$2] ?? {};
   return {
-    gitEmail,
-    gitUser,
-    githubToken,
-    repoInfo,
-    baseBranch,
-    branchParser: createSocketBranchParser()
+    type: NPM$8,
+    overrides
   };
 }
-async function getOpenPrsForEnvironment(env) {
-  return env ? await getOpenSocketPrs(env.repoInfo.owner, env.repoInfo.repo, {
-    author: env.gitUser
-  }) : [];
+
+// pnpm overrides documentation:
+// https://pnpm.io/package_json#pnpmoverrides
+function getOverridesDataPnpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[PNPM$8]?.[OVERRIDES$2] ?? {};
+  return {
+    type: PNPM$8,
+    overrides
+  };
+}
+function getOverridesDataVlt(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[OVERRIDES$2] ?? {};
+  return {
+    type: VLT$5,
+    overrides
+  };
 }
 
-const CMD_NAME$1 = 'socket fix';
-function getAlertsMapOptions(options = {}) {
+// Yarn resolutions documentation:
+// https://yarnpkg.com/configuration/manifest#resolutions
+function getOverridesDataYarn(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
   return {
-    __proto__: null,
-    consolidate: true,
-    nothrow: true,
-    ...options,
-    include: {
-      __proto__: null,
-      existing: true,
-      unfixable: false,
-      upgradable: false,
-      ...options?.include
-    }
+    type: YARN_BERRY$4,
+    overrides
   };
 }
 
-async function install$1(arb, options) {
-  const {
-    cwd = process.cwd()
-  } = {
-    __proto__: null,
-    ...options
+// Yarn resolutions documentation:
+// https://classic.yarnpkg.com/en/docs/selective-version-resolutions
+function getOverridesDataYarnClassic(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_CLASSIC$4,
+    overrides
   };
-  try {
-    const newArb = new shadowNpmInject.Arborist({
-      path: cwd
-    });
-    newArb.idealTree = await arb.buildIdealTree();
-    const actualTree = await newArb.reify();
-    arb.actualTree = actualTree;
-    return actualTree;
-  } catch {}
-  return null;
 }
-async function npmFix(pkgEnvDetails, {
-  autoMerge,
-  cwd,
-  limit,
-  purls,
-  rangeStyle,
-  test,
-  testScript
-}) {
-  // Lazily access constants.spinner.
+function getOverridesData(pkgEnvDetails, pkgJson) {
+  switch (pkgEnvDetails.agent) {
+    case BUN$4:
+      return getOverridesDataBun(pkgEnvDetails, pkgJson);
+    case PNPM$8:
+      return getOverridesDataPnpm(pkgEnvDetails, pkgJson);
+    case VLT$5:
+      return getOverridesDataVlt(pkgEnvDetails, pkgJson);
+    case YARN_BERRY$4:
+      return getOverridesDataYarn(pkgEnvDetails, pkgJson);
+    case YARN_CLASSIC$4:
+      return getOverridesDataYarnClassic(pkgEnvDetails, pkgJson);
+    case NPM$8:
+    default:
+      return getOverridesDataNpm(pkgEnvDetails, pkgJson);
+  }
+}
+
+const noopHandler = () => {};
+async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
+  beforeInstall = noopHandler,
+  // eslint-disable-next-line sort-destructure-keys/sort-destructure-keys
+  afterInstall = noopHandler,
+  revertInstall = noopHandler
+}, ciEnv, openPrs, options) {
+  const {
+    autoMerge,
+    cwd,
+    limit,
+    rangeStyle,
+    test,
+    testScript
+  } = options;
   const {
     spinner
   } = constants;
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
-  spinner?.start();
-  const ciEnv = await getCiEnv();
-  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let count = 0;
-  const arb = new shadowNpmInject.Arborist({
-    path: rootPath,
-    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-  });
-  // Calling arb.reify() creates the arb.diff object, nulls-out arb.idealTree,
-  // and populates arb.actualTree.
-  let actualTree = await arb.reify();
-  let alertsMap;
-  try {
-    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-      limit: Math.max(limit, openPrs.length)
-    })) : await shadowNpmInject.getAlertsMapFromArborist(arb, getAlertsMapOptions({
-      limit: Math.max(limit, openPrs.length)
-    }));
-  } catch (e) {
-    spinner?.stop();
-    debug.debugFn('catch: PURL API\n', e);
-    return {
-      ok: false,
-      message: 'API Error',
-      cause: e?.message || 'Unknown Socket batch PURL API error.'
-    };
-  }
   const infoByPartialPurl = utils.getCveInfoFromAlertsMap(alertsMap, {
     limit: Math.max(limit, openPrs.length)
   });
@@ -3774,6 +3747,9 @@ async function npmFix(pkgEnvDetails, {
       }
     };
   }
+  if (debug.isDebug()) {
+    debug.debugFn('found: cves for', Array.from(infoByPartialPurl.keys()));
+  }
 
   // Lazily access constants.packumentCache.
   const {
@@ -3793,8 +3769,8 @@ async function npmFix(pkgEnvDetails, {
     cleanupInfoEntriesLoop();
     return {
       ok: false,
-      message: 'Installation failure',
-      cause: `Unexpected condition: ${pkgEnvDetails.agent} install failed.`
+      message: 'Install failed',
+      cause: `Unexpected condition: ${pkgEnvDetails.agent} install failed`
     };
   };
   spinner?.stop();
@@ -3836,7 +3812,33 @@ async function npmFix(pkgEnvDetails, {
       const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
       const branchWorkspace = ciEnv ? getSocketBranchWorkspaceComponent(workspace) : '';
-      const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.target?.version ?? n.version).filter(Boolean));
+
+      // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
+      if (!actualTree) {
+        if (!ciEnv) {
+          // eslint-disable-next-line no-await-in-loop
+          await utils.removeNodeModules(cwd);
+        }
+        const maybeActualTree = ciEnv && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
+        // eslint-disable-next-line no-await-in-loop
+        await getActualTree(cwd) :
+        // eslint-disable-next-line no-await-in-loop
+        await installer(pkgEnvDetails, {
+          cwd,
+          spinner
+        });
+        const maybeLockSrc = maybeActualTree ?
+        // eslint-disable-next-line no-await-in-loop
+        await utils.readLockfile(pkgEnvDetails.lockPath) : null;
+        if (maybeActualTree && maybeLockSrc) {
+          actualTree = maybeActualTree;
+        }
+      }
+      if (!actualTree) {
+        // Exit early if install fails.
+        return handleInstallFail();
+      }
+      const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
         debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
@@ -3850,7 +3852,7 @@ async function npmFix(pkgEnvDetails, {
       const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
         editable: true
       });
-      const fixedVersions = new Set();
+      const seenVersions = new Set();
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
@@ -3869,14 +3871,14 @@ async function npmFix(pkgEnvDetails, {
         infosLoop: for (const {
           firstPatchedVersionIdentifier,
           vulnerableVersionRange
-        } of infos.values()) {
+        } of infos) {
           const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
           const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
           if (!(newVersion && newVersionPackument)) {
             warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
-          if (fixedVersions.has(newVersion)) {
+          if (seenVersions.has(newVersion)) {
             continue infosLoop;
           }
           if (vendor.semverExports.gte(oldVersion, newVersion)) {
@@ -3891,29 +3893,20 @@ async function npmFix(pkgEnvDetails, {
             }
             continue infosLoop;
           }
-          const newVersionRange = utils.applyRange(oldVersion, newVersion, rangeStyle);
-          const newId = `${name}@${newVersionRange}`;
-          const revertData = {
-            ...(editablePkgJson.content.dependencies && {
-              dependencies: {
-                ...editablePkgJson.content.dependencies
-              }
-            }),
-            ...(editablePkgJson.content.optionalDependencies && {
-              optionalDependencies: {
-                ...editablePkgJson.content.optionalDependencies
-              }
-            }),
-            ...(editablePkgJson.content.peerDependencies && {
-              peerDependencies: {
-                ...editablePkgJson.content.peerDependencies
-              }
-            })
-          };
-          shadowNpmInject.updateNode(node, newVersion, newVersionPackument);
-          shadowNpmInject.updatePackageJsonFromNode(editablePkgJson,
+          const {
+            overrides: oldOverrides
+          } = getOverridesData(pkgEnvDetails, editablePkgJson.content);
+          let refRange = oldOverrides?.[`${name}@${vulnerableVersionRange}`];
+          if (!strings.isNonEmptyString(refRange)) {
+            refRange = oldOverrides?.[name];
+          }
+          if (!strings.isNonEmptyString(refRange)) {
+            refRange = oldVersion;
+          }
+
           // eslint-disable-next-line no-await-in-loop
-          await arb.buildIdealTree(), node, newVersion, rangeStyle);
+          await beforeInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, options);
+          shadowNpmInject.updatePackageJsonFromNode(editablePkgJson, actualTree, node, newVersion, rangeStyle);
           // eslint-disable-next-line no-await-in-loop
           if (!(await editablePkgJson.save({
             ignoreWhitespace: true
@@ -3930,17 +3923,24 @@ async function npmFix(pkgEnvDetails, {
             hasAnnouncedWorkspace = true;
             workspaceLogCallCount = logger.logger.logCallCount;
           }
+          const newId = `${name}@${utils.applyRange(refRange, newVersion, rangeStyle)}`;
           spinner?.start();
           spinner?.info(`Installing ${newId} in ${workspace}.`);
           let error;
           let errored = false;
           try {
             // eslint-disable-next-line no-await-in-loop
-            const maybeActualTree = await install$1(arb, {
-              cwd
+            const maybeActualTree = await installer(pkgEnvDetails, {
+              cwd,
+              spinner
             });
-            if (maybeActualTree) {
+            const maybeLockSrc = maybeActualTree ?
+            // eslint-disable-next-line no-await-in-loop
+            await utils.readLockfile(pkgEnvDetails.lockPath) : null;
+            if (maybeActualTree && maybeLockSrc) {
               actualTree = maybeActualTree;
+              // eslint-disable-next-line no-await-in-loop
+              await afterInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, options);
               if (test) {
                 spinner?.info(`Testing ${newId} in ${workspace}.`);
                 // eslint-disable-next-line no-await-in-loop
@@ -3950,13 +3950,13 @@ async function npmFix(pkgEnvDetails, {
                 });
               }
               spinner?.success(`Fixed ${name} in ${workspace}.`);
-              fixedVersions.add(newVersion);
+              seenVersions.add(newVersion);
             } else {
               errored = true;
             }
           } catch (e) {
-            errored = true;
             error = e;
+            errored = true;
           }
           spinner?.stop();
 
@@ -3966,14 +3966,12 @@ async function npmFix(pkgEnvDetails, {
               // eslint-disable-next-line no-await-in-loop
               const result = await gitUnstagedModifiedFiles(cwd);
               if (!result.ok) {
-                // Do we fail if this fails? If this git command
-                // fails then probably other git commands do too?
                 logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue infosLoop;
+                continue;
               }
-              const moddedFilepaths = result.data.filter(p => {
-                const basename = path.basename(p);
-                return basename === 'package.json' || basename === 'package-lock.json';
+              const moddedFilepaths = result.data.filter(filepath => {
+                const basename = path.basename(filepath);
+                return basename === 'package.json' || basename === pkgEnvDetails.lockName;
               });
               if (!moddedFilepaths.length) {
                 logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
@@ -4005,15 +4003,19 @@ async function npmFix(pkgEnvDetails, {
                 // eslint-disable-next-line no-await-in-loop
                 await gitResetAndClean(ciEnv.baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
-                const maybeActualTree = await install$1(arb, {
-                  cwd
+                const maybeActualTree = await installer(pkgEnvDetails, {
+                  cwd,
+                  spinner
                 });
-                if (!maybeActualTree) {
-                  // Exit early if install fails.
-                  return handleInstallFail();
+                const maybeLockSrc = maybeActualTree ?
+                // eslint-disable-next-line no-await-in-loop
+                await utils.readLockfile(pkgEnvDetails.lockPath) : null;
+                if (maybeActualTree && maybeLockSrc) {
+                  actualTree = maybeActualTree;
+                  continue infosLoop;
                 }
-                actualTree = maybeActualTree;
-                continue infosLoop;
+                // Exit early if install fails.
+                return handleInstallFail();
               }
 
               // eslint-disable-next-line no-await-in-loop
@@ -4062,8 +4064,9 @@ async function npmFix(pkgEnvDetails, {
             // eslint-disable-next-line no-await-in-loop
             await gitResetAndClean(ciEnv.baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
-            const maybeActualTree = await install$1(arb, {
-              cwd
+            const maybeActualTree = await installer(pkgEnvDetails, {
+              cwd,
+              spinner
             });
             spinner?.stop();
             if (maybeActualTree) {
@@ -4075,24 +4078,33 @@ async function npmFix(pkgEnvDetails, {
           if (errored) {
             if (!ciEnv) {
               spinner?.start();
-              editablePkgJson.update(revertData);
+              // eslint-disable-next-line no-await-in-loop
+              await revertInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, options);
               // eslint-disable-next-line no-await-in-loop
               await Promise.all([utils.removeNodeModules(cwd), editablePkgJson.save({
                 ignoreWhitespace: true
               })]);
               // eslint-disable-next-line no-await-in-loop
-              const maybeActualTree = await install$1(arb, {
-                cwd
+              const maybeActualTree = await installer(pkgEnvDetails, {
+                cwd,
+                spinner
               });
               spinner?.stop();
-              if (!maybeActualTree) {
+              if (maybeActualTree) {
+                actualTree = maybeActualTree;
+              } else {
                 // Exit early if install fails.
                 return handleInstallFail();
               }
-              actualTree = maybeActualTree;
             }
-            logger.logger.fail(`Update failed for ${oldId} in ${workspace}.`, error);
+            return {
+              ok: false,
+              message: 'Update failed',
+              cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
+            };
           }
+          debug.debugFn('name:', name);
+          debug.debugFn('increment: count', count + 1);
           if (++count >= limit) {
             cleanupInfoEntriesLoop();
             break infoEntriesLoop;
@@ -4112,29 +4124,187 @@ async function npmFix(pkgEnvDetails, {
     cleanupInfoEntriesLoop();
   }
   spinner?.stop();
+
+  // Or, did we change anything?
   return {
     ok: true,
     data: {
       fixed: true
     }
-  }; // true? did we actually change anything?
+  };
 }
 
-const {
-  OVERRIDES: OVERRIDES$2,
-  PNPM: PNPM$8
-} = constants;
-async function getActualTree(cwd = process.cwd()) {
-  // @npmcli/arborist DOES have partial support for pnpm structured node_modules
-  // folders. However, support is iffy resulting in unhappy path errors and hangs.
-  // So, to avoid the unhappy path, we restrict our usage to --dry-run loading
-  // of the node_modules folder.
-  const arb = new shadowNpmInject.Arborist({
-    path: cwd,
-    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-  });
-  return await arb.loadActual();
+async function getEnvRepoInfo(cwd) {
+  // Lazily access constants.ENV.GITHUB_REPOSITORY.
+  const {
+    GITHUB_REPOSITORY
+  } = constants.ENV;
+  if (!GITHUB_REPOSITORY) {
+    debug.debugFn('miss: GITHUB_REPOSITORY env var');
+  }
+  const ownerSlashRepo = GITHUB_REPOSITORY;
+  const slashIndex = ownerSlashRepo.indexOf('/');
+  if (slashIndex !== -1) {
+    return {
+      owner: ownerSlashRepo.slice(0, slashIndex),
+      repo: ownerSlashRepo.slice(slashIndex + 1)
+    };
+  }
+  return await gitRepoInfo(cwd);
+}
+async function getCiEnv() {
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  if (!isCi) {
+    return null;
+  }
+  const baseBranch = await getBaseGitBranch();
+  if (!baseBranch) {
+    return null;
+  }
+  const repoInfo = await getEnvRepoInfo();
+  if (!repoInfo) {
+    return null;
+  }
+  return {
+    gitEmail,
+    gitUser,
+    githubToken,
+    repoInfo,
+    baseBranch,
+    branchParser: createSocketBranchParser()
+  };
+}
+async function getOpenPrsForEnvironment(env) {
+  return env ? await getOpenSocketPrs(env.repoInfo.owner, env.repoInfo.repo, {
+    author: env.gitUser
+  }) : [];
+}
+
+const CMD_NAME$1 = 'socket fix';
+function getAlertsMapOptions(options = {}) {
+  return {
+    __proto__: null,
+    consolidate: true,
+    nothrow: true,
+    ...options,
+    include: {
+      __proto__: null,
+      existing: true,
+      unfixable: false,
+      upgradable: false,
+      ...options?.include
+    }
+  };
+}
+
+async function install$1(pkgEnvDetails, options) {
+  const {
+    args,
+    cwd,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  try {
+    await utils.runAgentInstall(pkgEnvDetails, {
+      args,
+      spinner,
+      stdio: debug.isDebug() ? 'inherit' : 'ignore'
+    });
+    return await getActualTree(cwd);
+  } catch {}
+  return null;
+}
+async function npmFix(pkgEnvDetails, options) {
+  const {
+    limit,
+    purls,
+    spinner
+  } = options;
+  spinner?.start();
+  const ciEnv = await getCiEnv();
+  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
+  let actualTree;
+  let alertsMap;
+  try {
+    if (purls.length) {
+      alertsMap = await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
+        limit: Math.max(limit, openPrs.length)
+      }));
+    } else {
+      const arb = new shadowNpmInject.Arborist({
+        path: pkgEnvDetails.pkgPath,
+        ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+      });
+      actualTree = await arb.reify();
+      // Calling arb.reify() creates the arb.diff object, nulls-out arb.idealTree,
+      // and populates arb.actualTree.
+      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getAlertsMapOptions({
+        limit: Math.max(limit, openPrs.length)
+      }));
+    }
+  } catch (e) {
+    spinner?.stop();
+    debug.debugFn('catch: PURL API\n', e);
+    return {
+      ok: false,
+      message: 'API Error',
+      cause: e?.message || 'Unknown Socket batch PURL API error.'
+    };
+  }
+  let revertData;
+  return await agentFix(pkgEnvDetails, actualTree, alertsMap, install$1, {
+    async beforeInstall(editablePkgJson) {
+      revertData = {
+        ...(editablePkgJson.content.dependencies && {
+          dependencies: {
+            ...editablePkgJson.content.dependencies
+          }
+        }),
+        ...(editablePkgJson.content.optionalDependencies && {
+          optionalDependencies: {
+            ...editablePkgJson.content.optionalDependencies
+          }
+        }),
+        ...(editablePkgJson.content.peerDependencies && {
+          peerDependencies: {
+            ...editablePkgJson.content.peerDependencies
+          }
+        })
+      };
+    },
+    async revertInstall(editablePkgJson) {
+      if (revertData) {
+        editablePkgJson.update(revertData);
+      }
+    }
+  }, ciEnv, openPrs, options);
+}
+
+async function outputFixResult(result, outputKind) {
+  if (!result.ok) {
+    process.exitCode = result.code ?? 1;
+  }
+  if (outputKind === 'json') {
+    logger.logger.log(utils.serializeResultJson(result));
+    return;
+  }
+  if (!result.ok) {
+    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
+    return;
+  }
+  logger.logger.log('');
+  logger.logger.success('Finished!');
 }
+
+const {
+  OVERRIDES: OVERRIDES$1,
+  PNPM: PNPM$7
+} = constants;
 async function install(pkgEnvDetails, options) {
   const {
     args,
@@ -4160,64 +4330,40 @@ async function install(pkgEnvDetails, options) {
   } catch {}
   return null;
 }
-async function pnpmFix(pkgEnvDetails, {
-  autoMerge,
-  cwd,
-  limit,
-  purls,
-  rangeStyle,
-  test,
-  testScript
-}) {
-  // Lazily access constants.spinner.
+async function pnpmFix(pkgEnvDetails, options) {
   const {
+    cwd,
+    limit,
+    purls,
     spinner
-  } = constants;
-  const {
-    pkgPath: rootPath
-  } = pkgEnvDetails;
+  } = options;
   spinner?.start();
-  const ciEnv = await getCiEnv();
-  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
-  let count = 0;
   let actualTree;
-  const lockfilePath = path.join(rootPath, 'pnpm-lock.yaml');
-  let lockfileContent = await utils.readPnpmLockfile(lockfilePath);
-
-  // If pnpm-lock.yaml does NOT exist then install with pnpm to create it.
-  if (!lockfileContent) {
-    const maybeActualTree = await install(pkgEnvDetails, {
-      cwd,
-      spinner
-    });
-    const maybeLockfileContent = maybeActualTree ? await utils.readPnpmLockfile(lockfilePath) : null;
-    if (maybeActualTree) {
-      actualTree = maybeActualTree;
-      lockfileContent = maybeLockfileContent;
-    }
-  }
-  let lockfile = utils.parsePnpmLockfile(lockfileContent);
+  let {
+    lockSrc
+  } = pkgEnvDetails;
+  let lockfile = utils.parsePnpmLockfile(lockSrc);
   // Update pnpm-lock.yaml if its version is older than what the installed pnpm
   // produces.
-  if (lockfileContent && pkgEnvDetails.agentVersion.major >= 10 && (utils.parsePnpmLockfileVersion(lockfile?.lockfileVersion)?.major ?? 0) <= 6) {
+  if (pkgEnvDetails.agentVersion.major >= 10 && (utils.parsePnpmLockfileVersion(lockfile?.lockfileVersion)?.major ?? 0) <= 6) {
     const maybeActualTree = await install(pkgEnvDetails, {
       args: ['--lockfile-only'],
       cwd,
       spinner
     });
-    const maybeLockfileContent = maybeActualTree ? await utils.readPnpmLockfile(lockfilePath) : null;
-    if (maybeActualTree && maybeLockfileContent) {
+    const maybeLockSrc = maybeActualTree ? await utils.readLockfile(pkgEnvDetails.lockPath) : null;
+    if (maybeActualTree && maybeLockSrc) {
       actualTree = maybeActualTree;
-      lockfileContent = maybeLockfileContent;
-      lockfile = utils.parsePnpmLockfile(lockfileContent);
+      lockSrc = maybeLockSrc;
+      lockfile = utils.parsePnpmLockfile(lockSrc);
     } else {
       lockfile = null;
     }
   }
 
   // Exit early if pnpm-lock.yaml is not found or usable.
-  // Check !lockfileContent to make TypeScript happy.
-  if (!lockfile || !lockfileContent) {
+  // Check !lockSrc to make TypeScript happy.
+  if (!lockfile || !lockSrc) {
     spinner?.stop();
     return {
       ok: false,
@@ -4225,6 +4371,8 @@ async function pnpmFix(pkgEnvDetails, {
       cause: 'Required pnpm-lock.yaml not found or usable'
     };
   }
+  const ciEnv = await getCiEnv();
+  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let alertsMap;
   try {
     alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
@@ -4234,550 +4382,186 @@ async function pnpmFix(pkgEnvDetails, {
     }));
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('catch: PURL API\n', e);
-    return {
-      ok: false,
-      message: 'API Error',
-      cause: e?.message || 'Unknown Socket batch PURL API error.'
-    };
-  }
-  const infoByPartialPurl = utils.getCveInfoFromAlertsMap(alertsMap, {
-    limit: Math.max(limit, openPrs.length)
-  });
-  if (!infoByPartialPurl) {
-    spinner?.stop();
-    logger.logger.info('No fixable vulns found.');
-    return {
-      ok: true,
-      data: {
-        fixed: false
-      }
-    };
-  }
-  if (debug.isDebug()) {
-    debug.debugFn('found: cves for', Array.from(infoByPartialPurl.keys()));
-  }
-
-  // Lazily access constants.packumentCache.
-  const {
-    packumentCache
-  } = constants;
-  const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
-  const pkgJsonPaths = [...workspacePkgJsonPaths,
-  // Process the workspace root last since it will add an override to package.json.
-  pkgEnvDetails.editablePkgJson.filename];
-  const sortedInfoEntries = Array.from(infoByPartialPurl.entries()).sort((a, b) => sorts.naturalCompare(a[0], b[0]));
-  const cleanupInfoEntriesLoop = () => {
-    logger.logger.dedent();
-    spinner?.dedent();
-    packumentCache.clear();
-  };
-  const handleInstallFail = () => {
-    cleanupInfoEntriesLoop();
-    return {
-      ok: false,
-      message: 'Install failed',
-      cause: `Unexpected condition: ${pkgEnvDetails.agent} install failed`
-    };
-  };
-  spinner?.stop();
-  infoEntriesLoop: for (let i = 0, {
-      length
-    } = sortedInfoEntries; i < length; i += 1) {
-    const isLastInfoEntry = i === length - 1;
-    const infoEntry = sortedInfoEntries[i];
-    const partialPurlObj = utils.getPurlObject(infoEntry[0]);
-    const name = packages.resolvePackageName(partialPurlObj);
-    const infos = Array.from(infoEntry[1].values());
-    if (!infos.length) {
-      continue infoEntriesLoop;
-    }
-    logger.logger.log(`Processing vulns for ${name}:`);
-    logger.logger.indent();
-    spinner?.indent();
-    if (registry.getManifestData(partialPurlObj.type, name)) {
-      debug.debugFn(`found: Socket Optimize variant for ${name}`);
-    }
-    // eslint-disable-next-line no-await-in-loop
-    const packument = await packages.fetchPackagePackument(name);
-    if (!packument) {
-      logger.logger.warn(`Unexpected condition: No packument found for ${name}.\n`);
-      cleanupInfoEntriesLoop();
-      continue infoEntriesLoop;
-    }
-    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
-    const availableVersions = Object.keys(packument.versions);
-    const warningsForAfter = new Set();
-
-    // eslint-disable-next-line no-unused-labels
-    for (let j = 0, {
-        length: length_j
-      } = pkgJsonPaths; j < length_j; j += 1) {
-      const isLastPkgJsonPath = j === length_j - 1;
-      const pkgJsonPath = pkgJsonPaths[j];
-      const pkgPath = path.dirname(pkgJsonPath);
-      const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
-      const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      const branchWorkspace = ciEnv ? getSocketBranchWorkspaceComponent(workspace) : '';
-
-      // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
-      if (!actualTree) {
-        if (!ciEnv) {
-          // eslint-disable-next-line no-await-in-loop
-          await utils.removeNodeModules(cwd);
-        }
-        const maybeActualTree = ciEnv && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
-        // eslint-disable-next-line no-await-in-loop
-        await getActualTree(cwd) :
-        // eslint-disable-next-line no-await-in-loop
-        await install(pkgEnvDetails, {
-          cwd,
-          spinner
-        });
-        const maybeLockfileContent = maybeActualTree ?
-        // eslint-disable-next-line no-await-in-loop
-        await utils.readPnpmLockfile(lockfilePath) : null;
-        if (maybeActualTree && maybeLockfileContent) {
-          actualTree = maybeActualTree;
-          lockfileContent = maybeLockfileContent;
-        }
-      }
-      if (!actualTree) {
-        // Exit early if install fails.
-        return handleInstallFail();
-      }
-      const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
-      if (!oldVersions.length) {
-        debug.debugFn(`skip: ${name} not found\n`);
-        // Skip to next package.
-        cleanupInfoEntriesLoop();
-        continue infoEntriesLoop;
-      }
-
-      // Always re-read the editable package.json to avoid stale mutations
-      // across iterations.
-      // eslint-disable-next-line no-await-in-loop
-      const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
-        editable: true
-      });
-      const fixedVersions = new Set();
-
-      // Get current overrides for revert logic.
-      const oldPnpmSection = editablePkgJson.content[PNPM$8];
-      const oldOverrides = oldPnpmSection?.[OVERRIDES$2];
-      let hasAnnouncedWorkspace = false;
-      let workspaceLogCallCount = logger.logger.logCallCount;
-      if (debug.isDebug()) {
-        debug.debugFn(`check: workspace ${workspace}`);
-        hasAnnouncedWorkspace = true;
-        workspaceLogCallCount = logger.logger.logCallCount;
-      }
-      oldVersionsLoop: for (const oldVersion of oldVersions) {
-        const oldId = `${name}@${oldVersion}`;
-        const oldPurl = utils.idToPurl(oldId, partialPurlObj.type);
-        const node = shadowNpmInject.findPackageNode(actualTree, name, oldVersion);
-        if (!node) {
-          debug.debugFn(`skip: ${oldId} not found`);
-          continue oldVersionsLoop;
-        }
-        infosLoop: for (const {
-          firstPatchedVersionIdentifier,
-          vulnerableVersionRange
-        } of infos) {
-          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
-          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
-          if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
-            continue infosLoop;
-          }
-          if (fixedVersions.has(newVersion)) {
-            continue infosLoop;
-          }
-          if (vendor.semverExports.gte(oldVersion, newVersion)) {
-            debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
-            continue infosLoop;
-          }
-          if (activeBranches.find(b => b.workspace === branchWorkspace && b.newVersion === newVersion)) {
-            debug.debugFn(`skip: open PR found for ${name}@${newVersion}`);
-            if (++count >= limit) {
-              cleanupInfoEntriesLoop();
-              break infoEntriesLoop;
-            }
-            continue infosLoop;
-          }
-          const overrideKey = `${name}@${vulnerableVersionRange}`;
-          const newVersionRange = utils.applyRange(oldOverrides?.[overrideKey] ?? oldVersion, newVersion, rangeStyle);
-          const newId = `${name}@${newVersionRange}`;
-          const updateOverrides = isWorkspaceRoot ? {
-            [PNPM$8]: {
-              ...oldPnpmSection,
-              [OVERRIDES$2]: {
-                ...oldOverrides,
-                [overrideKey]: newVersionRange
-              }
-            }
-          } : undefined;
-          const revertOverrides = isWorkspaceRoot ? {
-            [PNPM$8]: oldPnpmSection ? {
-              ...oldPnpmSection,
-              [OVERRIDES$2]: oldOverrides && Object.keys(oldOverrides).length > 1 ? {
-                ...oldOverrides,
-                [overrideKey]: undefined
-              } : undefined
-            } : undefined
-          } : {};
-          const revertData = {
-            ...revertOverrides,
-            ...(editablePkgJson.content.dependencies && {
-              dependencies: {
-                ...editablePkgJson.content.dependencies
-              }
-            }),
-            ...(editablePkgJson.content.optionalDependencies && {
-              optionalDependencies: {
-                ...editablePkgJson.content.optionalDependencies
-              }
-            }),
-            ...(editablePkgJson.content.peerDependencies && {
-              peerDependencies: {
-                ...editablePkgJson.content.peerDependencies
-              }
-            })
-          };
-          if (updateOverrides) {
-            // Update overrides in the root package.json so that when `pnpm install`
-            // generates pnpm-lock.yaml it updates transitive dependencies too.
-            editablePkgJson.update(updateOverrides);
-          }
-          shadowNpmInject.updatePackageJsonFromNode(editablePkgJson, actualTree, node, newVersion, rangeStyle);
-          // eslint-disable-next-line no-await-in-loop
-          if (!(await editablePkgJson.save({
-            ignoreWhitespace: true
-          }))) {
-            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
-            // Reset things just in case.
-            if (ciEnv) {
-              // eslint-disable-next-line no-await-in-loop
-              await gitResetAndClean(ciEnv.baseBranch, cwd);
-            }
-            continue infosLoop;
-          }
-          if (!hasAnnouncedWorkspace) {
-            hasAnnouncedWorkspace = true;
-            workspaceLogCallCount = logger.logger.logCallCount;
-          }
-          spinner?.start();
-          spinner?.info(`Installing ${newId} in ${workspace}.`);
-          let error;
-          let errored = false;
-          try {
-            const revertOverridesContent = utils.extractOverridesFromPnpmLockfileContent(lockfileContent);
-            // eslint-disable-next-line no-await-in-loop
-            const maybeActualTree = await install(pkgEnvDetails, {
-              cwd,
-              spinner
-            });
-            const maybeLockfileContent = maybeActualTree ?
-            // eslint-disable-next-line no-await-in-loop
-            await utils.readPnpmLockfile(lockfilePath) : null;
-            if (maybeActualTree && maybeLockfileContent) {
-              actualTree = maybeActualTree;
-              lockfileContent = maybeLockfileContent;
-              // Revert overrides metadata in package.json now that pnpm-lock.yaml
-              // has been updated.
-              editablePkgJson.update(revertOverrides);
-              // eslint-disable-next-line no-await-in-loop
-              await editablePkgJson.save({
-                ignoreWhitespace: true
-              });
-              const updatedOverridesContent = utils.extractOverridesFromPnpmLockfileContent(lockfileContent);
-              if (updatedOverridesContent) {
-                lockfileContent = lockfileContent.replace(updatedOverridesContent, revertOverridesContent);
-                // eslint-disable-next-line no-await-in-loop
-                await fs$1.promises.writeFile(lockfilePath, lockfileContent, 'utf8');
-              }
-              if (test) {
-                spinner?.info(`Testing ${newId} in ${workspace}.`);
-                // eslint-disable-next-line no-await-in-loop
-                await npm.runScript(testScript, [], {
-                  spinner,
-                  stdio: 'ignore'
-                });
-              }
-              spinner?.success(`Fixed ${name} in ${workspace}.`);
-              fixedVersions.add(newVersion);
-            } else {
-              errored = true;
-            }
-          } catch (e) {
-            error = e;
-            errored = true;
-          }
-          spinner?.stop();
-
-          // Check repoInfo to make TypeScript happy.
-          if (!errored && ciEnv?.repoInfo) {
-            try {
-              // eslint-disable-next-line no-await-in-loop
-              const result = await gitUnstagedModifiedFiles(cwd);
-              if (!result.ok) {
-                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue;
-              }
-              const moddedFilepaths = result.data.filter(p => {
-                const basename = path.basename(p);
-                return basename === 'package.json' || basename === 'pnpm-lock.yaml';
-              });
-              if (!moddedFilepaths.length) {
-                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue infosLoop;
-              }
-              const branch = getSocketBranchName(oldPurl, newVersion, workspace);
-              let skipPr = false;
-              if (
-              // eslint-disable-next-line no-await-in-loop
-              await prExistForBranch(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch)) {
-                skipPr = true;
-                debug.debugFn(`skip: branch "${branch}" exists`);
-              }
-              // eslint-disable-next-line no-await-in-loop
-              else if (await gitRemoteBranchExists(branch, cwd)) {
-                skipPr = true;
-                debug.debugFn(`skip: remote branch "${branch}" exists`);
-              } else if (
-              // eslint-disable-next-line no-await-in-loop
-              !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
-                cwd,
-                email: ciEnv.gitEmail,
-                user: ciEnv.gitUser
-              }))) {
-                skipPr = true;
-                logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
-              }
-              if (skipPr) {
-                // eslint-disable-next-line no-await-in-loop
-                await gitResetAndClean(ciEnv.baseBranch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                const maybeActualTree = await install(pkgEnvDetails, {
-                  cwd,
-                  spinner
-                });
-                const maybeLockfileContent = maybeActualTree ?
-                // eslint-disable-next-line no-await-in-loop
-                await utils.readPnpmLockfile(lockfilePath) : null;
-                if (maybeActualTree && maybeLockfileContent) {
-                  actualTree = maybeActualTree;
-                  lockfileContent = maybeLockfileContent;
-                  continue infosLoop;
-                }
-                // Exit early if install fails.
-                return handleInstallFail();
-              }
-
-              // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, ciEnv.githubToken, cwd), cleanupOpenPrs(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, {
-                newVersion,
-                purl: oldPurl,
-                workspace
-              })]);
-              // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch: ciEnv.baseBranch,
-                cwd,
-                workspace
-              });
-              if (prResponse) {
-                const {
-                  data
-                } = prResponse;
-                const prRef = `PR #${data.number}`;
-                logger.logger.success(`Opened ${prRef}.`);
-                if (autoMerge) {
-                  logger.logger.indent();
-                  spinner?.indent();
-                  // eslint-disable-next-line no-await-in-loop
-                  const {
-                    details,
-                    enabled
-                  } = await enablePrAutoMerge(data);
-                  if (enabled) {
-                    logger.logger.info(`Auto-merge enabled for ${prRef}.`);
-                  } else {
-                    const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
-                    logger.logger.error(message);
-                  }
-                  logger.logger.dedent();
-                  spinner?.dedent();
-                }
-              }
-            } catch (e) {
-              error = e;
-              errored = true;
-            }
-          }
-          if (ciEnv) {
-            spinner?.start();
-            // eslint-disable-next-line no-await-in-loop
-            await gitResetAndClean(ciEnv.baseBranch, cwd);
-            // eslint-disable-next-line no-await-in-loop
-            const maybeActualTree = await install(pkgEnvDetails, {
-              cwd,
-              spinner
-            });
-            const maybeLockfileContent = maybeActualTree ?
-            // eslint-disable-next-line no-await-in-loop
-            await utils.readPnpmLockfile(lockfilePath) : null;
-            spinner?.stop();
-            if (maybeActualTree) {
-              actualTree = maybeActualTree;
-              lockfileContent = maybeLockfileContent;
-            } else {
-              errored = true;
-            }
-          }
-          if (errored) {
-            if (!ciEnv) {
-              spinner?.start();
-              editablePkgJson.update(revertData);
-              // eslint-disable-next-line no-await-in-loop
-              await Promise.all([utils.removeNodeModules(cwd), editablePkgJson.save({
-                ignoreWhitespace: true
-              })]);
-              // eslint-disable-next-line no-await-in-loop
-              const maybeActualTree = await install(pkgEnvDetails, {
-                cwd,
-                spinner
-              });
-              const maybeLockfileContent = maybeActualTree ?
-              // eslint-disable-next-line no-await-in-loop
-              await utils.readPnpmLockfile(lockfilePath) : null;
-              spinner?.stop();
-              if (maybeActualTree) {
-                actualTree = maybeActualTree;
-                lockfileContent = maybeLockfileContent;
-              } else {
-                // Exit early if install fails.
-                return handleInstallFail();
-              }
+    debug.debugFn('catch: PURL API\n', e);
+    return {
+      ok: false,
+      message: 'API Error',
+      cause: e?.message || 'Unknown Socket batch PURL API error.'
+    };
+  }
+  let revertData;
+  let revertOverrides;
+  let revertOverridesSrc;
+  return await agentFix(pkgEnvDetails, actualTree, alertsMap, install, {
+    async beforeInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, options) {
+      const isWorkspaceRoot = editablePkgJson.path === pkgEnvDetails.editablePkgJson.filename;
+      // Get current overrides for revert logic.
+      const {
+        overrides: oldOverrides
+      } = getOverridesDataPnpm(pkgEnvDetails, editablePkgJson.content);
+      const oldPnpmSection = editablePkgJson.content[PNPM$7];
+      const overrideKey = `${name}@${vulnerableVersionRange}`;
+      revertOverrides = undefined;
+      revertOverridesSrc = utils.extractOverridesFromPnpmLockSrc(lockSrc);
+      if (isWorkspaceRoot) {
+        revertOverrides = {
+          [PNPM$7]: oldPnpmSection ? {
+            ...oldPnpmSection,
+            [OVERRIDES$1]: objects.hasKeys(oldOverrides) ? {
+              ...oldOverrides,
+              [overrideKey]: undefined
+            } : undefined
+          } : undefined
+        };
+        // Update overrides in the root package.json so that when `pnpm install`
+        // generates pnpm-lock.yaml it updates transitive dependencies too.
+        editablePkgJson.update({
+          [PNPM$7]: {
+            ...oldPnpmSection,
+            [OVERRIDES$1]: {
+              ...oldOverrides,
+              [overrideKey]: utils.applyRange(oldOverrides?.[overrideKey] ?? oldVersion, newVersion, options.rangeStyle)
             }
-            return {
-              ok: false,
-              message: 'Update failed',
-              cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
-            };
           }
-          debug.debugFn('name:', name);
-          debug.debugFn('increment: count', count + 1);
-          if (++count >= limit) {
-            cleanupInfoEntriesLoop();
-            break infoEntriesLoop;
+        });
+      }
+      revertData = {
+        ...revertOverrides,
+        ...(editablePkgJson.content.dependencies && {
+          dependencies: {
+            ...editablePkgJson.content.dependencies
           }
-        }
+        }),
+        ...(editablePkgJson.content.optionalDependencies && {
+          optionalDependencies: {
+            ...editablePkgJson.content.optionalDependencies
+          }
+        }),
+        ...(editablePkgJson.content.peerDependencies && {
+          peerDependencies: {
+            ...editablePkgJson.content.peerDependencies
+          }
+        })
+      };
+    },
+    async afterInstall(editablePkgJson) {
+      if (revertOverrides) {
+        // Revert overrides metadata in package.json now that pnpm-lock.yaml
+        // has been updated.
+        editablePkgJson.update(revertOverrides);
       }
-      if (!isLastPkgJsonPath && logger.logger.logCallCount > workspaceLogCallCount) {
-        logger.logger.logNewline();
+      await editablePkgJson.save({
+        ignoreWhitespace: true
+      });
+      const updatedOverridesContent = utils.extractOverridesFromPnpmLockSrc(lockSrc);
+      if (updatedOverridesContent && revertOverridesSrc) {
+        lockSrc = lockSrc.replace(updatedOverridesContent, revertOverridesSrc);
+        await fs$1.promises.writeFile(pkgEnvDetails.lockPath, lockSrc, 'utf8');
+      }
+    },
+    async revertInstall(editablePkgJson) {
+      if (revertData) {
+        editablePkgJson.update(revertData);
       }
     }
-    for (const warningText of warningsForAfter) {
-      logger.logger.warn(warningText);
-    }
-    if (!isLastInfoEntry) {
-      logger.logger.logNewline();
-    }
-    cleanupInfoEntriesLoop();
-  }
-  spinner?.stop();
-
-  // Or, did we change anything?
-  return {
-    ok: true,
-    data: {
-      fixed: true
-    }
-  };
+  }, ciEnv, openPrs, options);
 }
 
 const {
-  NPM: NPM$8,
-  PNPM: PNPM$7
+  NPM: NPM$7,
+  PNPM: PNPM$6
 } = constants;
-async function runFix({
+async function handleFix({
   autoMerge,
   cwd,
+  ghsas,
   limit,
+  outputKind,
   purls,
   rangeStyle,
   test,
   testScript
 }) {
-  const result = await utils.detectAndValidatePackageEnvironment(cwd, {
+  let {
+    length: ghsasCount
+  } = ghsas;
+  if (ghsasCount) {
+    // Lazily access constants.spinner.
+    const {
+      spinner
+    } = constants;
+    spinner.start();
+    if (ghsasCount === 1 && ghsas[0] === 'auto') {
+      const autoCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd], {
+        cwd,
+        spinner
+      });
+      if (autoCResult.ok) {
+        ghsas = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found: )[^\n]+/.exec(autoCResult.data)?.[0]);
+        ghsasCount = ghsas.length;
+      } else {
+        ghsas = [];
+        ghsasCount = 0;
+      }
+    }
+    spinner.stop();
+    if (ghsasCount) {
+      spinner.start();
+      await outputFixResult(await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--apply-fixes-to', ...ghsas], {
+        cwd,
+        spinner
+      }), outputKind);
+      spinner.stop();
+      return;
+    }
+  }
+  const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
     cmdName: CMD_NAME$1,
     logger: logger.logger
   });
-  if (!result.ok) {
-    return result;
+  if (!pkgEnvCResult.ok) {
+    await outputFixResult(pkgEnvCResult, outputKind);
+    return;
   }
-  const pkgEnvDetails = result.data;
+  const {
+    data: pkgEnvDetails
+  } = pkgEnvCResult;
   if (!pkgEnvDetails) {
-    return {
+    await outputFixResult({
       ok: false,
       message: 'No package found',
       cause: `No valid package environment was found in given cwd (${cwd})`
-    };
+    }, outputKind);
+    return;
   }
-  logger.logger.info(`Fixing packages for ${pkgEnvDetails.agent}.\n`);
+  logger.logger.info(`Fixing packages for ${pkgEnvDetails.agent} v${pkgEnvDetails.agentVersion}.\n`);
   const {
     agent
   } = pkgEnvDetails;
-  if (agent === NPM$8) {
-    return await npmFix(pkgEnvDetails, {
-      autoMerge,
-      cwd,
-      limit,
-      purls,
-      rangeStyle,
-      test,
-      testScript
-    });
-  } else if (agent === PNPM$7) {
-    return await pnpmFix(pkgEnvDetails, {
-      autoMerge,
-      cwd,
-      limit,
-      purls,
-      rangeStyle,
-      test,
-      testScript
-    });
-  } else {
-    return {
+  if (agent !== NPM$7 && agent !== PNPM$6) {
+    await outputFixResult({
       ok: false,
       message: 'Not supported',
       cause: `${agent} is not supported by this command at the moment.`
-    };
+    }, outputKind);
+    return;
   }
-}
 
-async function handleFix({
-  autoMerge,
-  cwd,
-  limit,
-  outputKind,
-  purls,
-  rangeStyle,
-  test,
-  testScript
-}) {
-  const result = await runFix({
+  // Lazily access spinner.
+  const {
+    spinner
+  } = constants;
+  const fixer = agent === NPM$7 ? npmFix : pnpmFix;
+  await outputFixResult(await fixer(pkgEnvDetails, {
     autoMerge,
     cwd,
     limit,
     purls,
     rangeStyle,
+    spinner,
     test,
     testScript
-  });
-  await outputFixResult(result, outputKind);
+  }), outputKind);
 }
 
 const {
@@ -4799,6 +4583,12 @@ const config$H = {
       default: false,
       description: `Shorthand for --autoMerge --test`
     },
+    ghsa: {
+      type: 'string',
+      default: [],
+      description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+      isMultiple: true
+    },
     limit: {
       type: 'number',
       default: Infinity,
@@ -4807,7 +4597,7 @@ const config$H = {
     purl: {
       type: 'string',
       default: [],
-      description: `Provide a list of ${vendor.terminalLinkExports('package URLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} (PURLs) to fix, as either a comma separated value or as multiple flags,\n                        instead of querying the Socket API`,
+      description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as multiple flags,\n                        instead of querying the Socket API`,
       isMultiple: true,
       shortFlag: 'p'
     },
@@ -4869,25 +4659,16 @@ async function run$H(argv, importMeta, {
     json,
     markdown
   } = cli.flags;
-  let {
-    autoMerge,
-    rangeStyle,
-    test
-  } = cli.flags;
   const outputKind = utils.getOutputKind(json, markdown);
-  let [cwd = '.'] = cli.input;
-  // Note: path.resolve vs .join:
-  // If given path is absolute then cwd should not affect it.
-  cwd = path.resolve(process.cwd(), cwd);
-  if (autopilot) {
-    autoMerge = true;
-    test = true;
+  let rangeStyle = cli.flags['rangeStyle'];
+  if (!rangeStyle) {
+    rangeStyle = 'preserve';
   }
   const wasValidInput = utils.checkCommandInput(outputKind, {
-    test: utils.RangeStyles.includes(cli.flags['rangeStyle']),
+    test: utils.RangeStyles.includes(rangeStyle),
     message: `Expecting range style of ${arrays.joinOr(utils.RangeStyles)}`,
     pass: 'ok',
-    fail: 'missing'
+    fail: 'invalid'
   });
   if (!wasValidInput) {
     return;
@@ -4896,20 +4677,30 @@ async function run$H(argv, importMeta, {
     logger.logger.log(DRY_RUN_NOT_SAVING);
     return;
   }
-  let purls = Array.isArray(cli.flags['purl']) ? cli.flags['purl'] : [];
-  purls = purls.flatMap(p => p.split(/, */));
-  if (!['caret', 'gt', 'gte', 'lt', 'lte', 'pin', 'preserve', 'tilde'].includes(rangeStyle)) {
-    rangeStyle = 'preserve';
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
+  let autoMerge = Boolean(cli.flags['autoMerge']);
+  let test = Boolean(cli.flags['test']);
+  if (autopilot) {
+    autoMerge = true;
+    test = true;
   }
+  const ghsas = utils.cmdFlagValueToArray(cli.flags['ghsa']);
+  const limit = (cli.flags['limit'] ? parseInt(String(cli.flags['limit'] || ''), 10) : Infinity) || Infinity;
+  const purls = utils.cmdFlagValueToArray(cli.flags['purl']);
+  const testScript = String(cli.flags['testScript'] || 'test');
   await handleFix({
-    autoMerge: Boolean(autoMerge),
+    autoMerge,
     cwd,
-    limit: (cli.flags['limit'] ? parseInt(String(cli.flags['limit'] || ''), 10) : Infinity) || Infinity,
+    ghsas,
+    limit,
     outputKind,
     purls,
-    rangeStyle: rangeStyle,
-    test: Boolean(test),
-    testScript: String(cli.flags['testScript'] || 'test')
+    rangeStyle,
+    test,
+    testScript
   });
 }
 
@@ -5425,14 +5216,14 @@ async function run$D(argv, importMeta, {
 }
 
 const {
-  NPM: NPM$7,
+  NPM: NPM$6,
   NPX: NPX$1,
   PACKAGE_LOCK_JSON,
-  PNPM: PNPM$6,
+  PNPM: PNPM$5,
   YARN,
   YARN_LOCK
 } = constants;
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$7, PNPM$6, 'ts', 'tsx', 'typescript']);
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$6, PNPM$5, 'ts', 'tsx', 'typescript']);
 function argvToArray(argv) {
   if (argv['help']) {
     return ['--help'];
@@ -5474,7 +5265,7 @@ async function runCdxgen(yargvWithYes) {
   const yesArgs = yes ? ['--yes'] : [];
   if (yargv.type !== YARN && nodejsPlatformTypes.has(yargv.type) && fs$1.existsSync(`./${YARN_LOCK}`)) {
     if (fs$1.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
-      yargv.type = NPM$7;
+      yargv.type = NPM$6;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
@@ -5482,7 +5273,7 @@ async function runCdxgen(yargvWithYes) {
         await shadowNpmBin(NPX$1, [...yesArgs,
         // Lazily access constants.ENV.INLINED_SYNP_VERSION.
         `synp@${constants.ENV.INLINED_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`]);
-        yargv.type = NPM$7;
+        yargv.type = NPM$6;
         cleanupPackageLock = true;
       } catch {}
     }
@@ -5548,7 +5339,7 @@ const arrayToLower = arg => arg.map(toLower);
 //                                sable.                                                          [boolean] [default: true]
 //       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
 //       --spec-version           CycloneDX Specification version to use. Defaults to 1.6
-//                                                                         [number] [choices: 1.4, 1.5, 1.6] [default: 1.6]
+//                                                                         [number] [choices: 1.4, 1.5, 1.6, 1.7] [default: 1.6]
 //       --filter                 Filter components containing this word in purl or component.properties.value. Multiple va
 //                                lues allowed.                                                                     [array]
 //       --only                   Include components only containing this word in purl. Useful to generate BOM with first p
@@ -7190,12 +6981,12 @@ async function run$s(argv, importMeta, {
 }
 
 const {
-  BUN: BUN$4,
-  NPM: NPM$6,
-  PNPM: PNPM$5,
-  VLT: VLT$5,
-  YARN_BERRY: YARN_BERRY$4,
-  YARN_CLASSIC: YARN_CLASSIC$5
+  BUN: BUN$3,
+  NPM: NPM$5,
+  PNPM: PNPM$4,
+  VLT: VLT$4,
+  YARN_BERRY: YARN_BERRY$3,
+  YARN_CLASSIC: YARN_CLASSIC$3
 } = constants;
 function matchLsCmdViewHumanStdout(stdout, name) {
   return stdout.includes(` ${name}@`);
@@ -7203,7 +6994,7 @@ function matchLsCmdViewHumanStdout(stdout, name) {
 function matchQueryCmdStdout(stdout, name) {
   return stdout.includes(`"${name}"`);
 }
-const depsIncludesByAgent = new Map([[BUN$4, matchLsCmdViewHumanStdout], [NPM$6, matchQueryCmdStdout], [PNPM$5, matchQueryCmdStdout], [VLT$5, matchQueryCmdStdout], [YARN_BERRY$4, matchLsCmdViewHumanStdout], [YARN_CLASSIC$5, matchLsCmdViewHumanStdout]]);
+const depsIncludesByAgent = new Map([[BUN$3, matchLsCmdViewHumanStdout], [NPM$5, matchQueryCmdStdout], [PNPM$4, matchQueryCmdStdout], [VLT$4, matchQueryCmdStdout], [YARN_BERRY$3, matchLsCmdViewHumanStdout], [YARN_CLASSIC$3, matchLsCmdViewHumanStdout]]);
 
 function getDependencyEntries(pkgEnvDetails) {
   const {
@@ -7229,72 +7020,6 @@ function getDependencyEntries(pkgEnvDetails) {
   }) => o);
 }
 
-const {
-  BUN: BUN$3,
-  NPM: NPM$5,
-  OVERRIDES: OVERRIDES$1,
-  PNPM: PNPM$4,
-  RESOLUTIONS: RESOLUTIONS$1,
-  VLT: VLT$4,
-  YARN_BERRY: YARN_BERRY$3,
-  YARN_CLASSIC: YARN_CLASSIC$4
-} = constants;
-function getOverridesDataBun(pkgEnvDetails) {
-  const overrides = pkgEnvDetails.editablePkgJson.content?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_BERRY$3,
-    overrides
-  };
-}
-
-// npm overrides documentation:
-// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-function getOverridesDataNpm(pkgEnvDetails) {
-  const overrides = pkgEnvDetails.editablePkgJson.content?.[OVERRIDES$1] ?? {};
-  return {
-    type: NPM$5,
-    overrides
-  };
-}
-
-// pnpm overrides documentation:
-// https://pnpm.io/package_json#pnpmoverrides
-function getOverridesDataPnpm(pkgEnvDetails) {
-  const overrides = pkgEnvDetails.editablePkgJson.content?.[PNPM$4]?.[OVERRIDES$1] ?? {};
-  return {
-    type: PNPM$4,
-    overrides
-  };
-}
-function getOverridesDataVlt(pkgEnvDetails) {
-  const overrides = pkgEnvDetails.editablePkgJson.content?.[OVERRIDES$1] ?? {};
-  return {
-    type: VLT$4,
-    overrides
-  };
-}
-
-// Yarn resolutions documentation:
-// https://yarnpkg.com/configuration/manifest#resolutions
-function getOverridesDataYarn(pkgEnvDetails) {
-  const overrides = pkgEnvDetails.editablePkgJson.content?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_BERRY$3,
-    overrides
-  };
-}
-
-// Yarn resolutions documentation:
-// https://classic.yarnpkg.com/en/docs/selective-version-resolutions
-function getOverridesDataYarnClassic(pkgEnvDetails) {
-  const overrides = pkgEnvDetails.editablePkgJson.content?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_CLASSIC$4,
-    overrides
-  };
-}
-const overridesDataByAgent = new Map([[BUN$3, getOverridesDataBun], [NPM$5, getOverridesDataNpm], [PNPM$4, getOverridesDataPnpm], [VLT$4, getOverridesDataVlt], [YARN_BERRY$3, getOverridesDataYarn], [YARN_CLASSIC$4, getOverridesDataYarnClassic]]);
-
 const {
   BUN: BUN$2,
   LOCK_EXT,
@@ -7302,7 +7027,7 @@ const {
   PNPM: PNPM$3,
   VLT: VLT$3,
   YARN_BERRY: YARN_BERRY$2,
-  YARN_CLASSIC: YARN_CLASSIC$3
+  YARN_CLASSIC: YARN_CLASSIC$2
 } = constants;
 function includesNpm(lockSrc, name) {
   // Detects the package name in the following cases:
@@ -7344,7 +7069,7 @@ function includesYarn(lockSrc, name) {
   //   , name@
   `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
 }
-const lockfileIncludesByAgent = new Map([[BUN$2, includesBun], [NPM$4, includesNpm], [PNPM$3, includesPnpm], [VLT$3, includesVlt], [YARN_BERRY$2, includesYarn], [YARN_CLASSIC$3, includesYarn]]);
+const lockfileIncludesByAgent = new Map([[BUN$2, includesBun], [NPM$4, includesNpm], [PNPM$3, includesPnpm], [VLT$3, includesVlt], [YARN_BERRY$2, includesYarn], [YARN_CLASSIC$2, includesYarn]]);
 
 const {
   BUN: BUN$1,
@@ -7352,7 +7077,7 @@ const {
   PNPM: PNPM$2,
   VLT: VLT$2,
   YARN_BERRY: YARN_BERRY$1,
-  YARN_CLASSIC: YARN_CLASSIC$2
+  YARN_CLASSIC: YARN_CLASSIC$1
 } = constants;
 function cleanupQueryStdout(stdout) {
   if (stdout === '') {
@@ -7481,7 +7206,7 @@ async function lsYarnClassic(pkgEnvDetails, cwd) {
   } catch {}
   return '';
 }
-const lsByAgent = new Map([[BUN$1, lsBun], [NPM$3, lsNpm], [PNPM$2, lsPnpm], [VLT$2, lsVlt], [YARN_BERRY$1, lsYarnBerry], [YARN_CLASSIC$2, lsYarnClassic]]);
+const lsByAgent = new Map([[BUN$1, lsBun], [NPM$3, lsNpm], [PNPM$2, lsPnpm], [VLT$2, lsVlt], [YARN_BERRY$1, lsYarnBerry], [YARN_CLASSIC$1, lsYarnClassic]]);
 
 const CMD_NAME = 'socket optimize';
 
@@ -7493,7 +7218,7 @@ const {
   RESOLUTIONS,
   VLT: VLT$1,
   YARN_BERRY,
-  YARN_CLASSIC: YARN_CLASSIC$1
+  YARN_CLASSIC
 } = constants;
 const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'peerDependenciesMeta', 'optionalDependencies', 'bundleDependencies'];
 function getEntryIndexes(entries, keys) {
@@ -7595,12 +7320,11 @@ function updateResolutionsField(pkgEnvDetails, overrides) {
 function updatePnpmField(pkgEnvDetails, overrides) {
   updatePkgJsonField(pkgEnvDetails.editablePkgJson, PNPM$1, overrides);
 }
-const updateManifestByAgent = new Map([[BUN, updateResolutionsField], [NPM$2, updateOverridesField], [PNPM$1, updatePnpmField], [VLT$1, updateOverridesField], [YARN_BERRY, updateResolutionsField], [YARN_CLASSIC$1, updateResolutionsField]]);
+const updateManifestByAgent = new Map([[BUN, updateResolutionsField], [NPM$2, updateOverridesField], [PNPM$1, updatePnpmField], [VLT$1, updateOverridesField], [YARN_BERRY, updateResolutionsField], [YARN_CLASSIC, updateResolutionsField]]);
 
 const {
   NPM: NPM$1,
-  PNPM,
-  YARN_CLASSIC
+  PNPM
 } = constants;
 const manifestNpmOverrides = registry.getManifestData(NPM$1);
 async function addOverrides(pkgEnvDetails, pkgPath, options) {
@@ -7640,9 +7364,9 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   }
   const overridesDataObjects = [];
   if (isWorkspace || pkgEnvDetails.editablePkgJson.content['private']) {
-    overridesDataObjects.push(overridesDataByAgent.get(agent)(pkgEnvDetails));
+    overridesDataObjects.push(getOverridesData(pkgEnvDetails));
   } else {
-    overridesDataObjects.push(overridesDataByAgent.get(NPM$1)(pkgEnvDetails), overridesDataByAgent.get(YARN_CLASSIC)(pkgEnvDetails));
+    overridesDataObjects.push(getOverridesDataNpm(pkgEnvDetails), getOverridesDataYarnClassic(pkgEnvDetails));
   }
   spinner?.setText(`Adding overrides to ${workspace}...`);
   const depAliasMap = new Map();
@@ -9979,7 +9703,7 @@ async function outputListRepos(result, outputKind, page, nextPage, sort, perPage
   logger.logger.log(vendor.srcExports(options, result.data.results));
   if (nextPage) {
     logger.logger.info(`This is page ${page}. Server indicated there are more results available on page ${nextPage}...`);
-    logger.logger.info(`(Hint: you can use \`socket repos list --page ${nextPage}\`)`);
+    logger.logger.info(`(Hint: you can use \`socket repository list --page ${nextPage}\`)`);
   } else if (perPage === Infinity) {
     logger.logger.info(`This should be the entire list available on the server.`);
   } else {
@@ -10768,6 +10492,14 @@ async function run$c(argv, importMeta, {
   if (hasApiToken && !dryRun && interactive) {
     if (!orgSlug) {
       const suggestion = await utils.suggestOrgSlug();
+      if (suggestion === undefined) {
+        await outputCreateNewScan({
+          ok: false,
+          message: 'Canceled by user',
+          cause: 'Org selector was canceled by user'
+        }, outputKind, false);
+        return;
+      }
       if (suggestion) {
         orgSlug = suggestion;
       }
@@ -11895,6 +11627,19 @@ async function getRepoBranchTree({
   };
 }
 
+async function outputScanGithub(result, outputKind) {
+  if (outputKind === 'json') {
+    logger.logger.log(utils.serializeResultJson(result));
+    return;
+  }
+  if (!result.ok) {
+    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
+    return;
+  }
+  logger.logger.log('');
+  logger.logger.success('Finished!');
+}
+
 async function handleCreateGithubScan({
   all,
   githubApiUrl,
@@ -11915,16 +11660,7 @@ async function handleCreateGithubScan({
     outputKind,
     repos: String(repos || '')
   });
-  if (outputKind === 'json') {
-    logger.logger.log(utils.serializeResultJson(result));
-    return;
-  }
-  if (!result.ok) {
-    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
-    return;
-  }
-  logger.logger.log('');
-  logger.logger.success('Finished!');
+  await outputScanGithub(result, outputKind);
 }
 
 const {
@@ -12079,6 +11815,14 @@ async function run$9(argv, importMeta, {
   if (hasSocketApiToken && !dryRun && interactive) {
     if (!orgSlug) {
       const suggestion = await utils.suggestOrgSlug();
+      if (suggestion === undefined) {
+        await outputScanGithub({
+          ok: false,
+          message: 'Canceled by user',
+          cause: 'Org selector was canceled by user'
+        }, outputKind);
+        return;
+      }
       if (suggestion) {
         orgSlug = suggestion;
       }
@@ -12540,30 +12284,17 @@ const {
   DOT_SOCKET_DOT_FACTS_JSON
 } = constants;
 async function scanReachability(argv, cwd) {
-  try {
-    const result = await spawn.spawn(constants.execPath, [
-    // Lazily access constants.nodeNoWarningsFlags.
-    ...constants.nodeNoWarningsFlags,
-    // Lazily access constants.coanaBinPath.
-    constants.coanaBinPath, 'run', cwd, '--output-dir', cwd, '--socket-mode', DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...argv], {
-      cwd,
-      env: {
-        ...process.env,
-        SOCKET_CLI_API_TOKEN: utils.getDefaultToken()
-      }
-    });
-    return {
-      ok: true,
-      data: result.stdout.trim()
-    };
-  } catch (e) {
-    const message = e?.stdout ?? e?.message;
-    return {
-      ok: false,
-      data: e,
-      message
-    };
-  }
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start();
+  const result = await utils.spawnCoana(['run', cwd, '--output-dir', cwd, '--socket-mode', DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...argv], {
+    cwd,
+    spinner
+  });
+  spinner.stop();
+  return result;
 }
 
 async function handleScanReach(argv, cwd, outputKind) {
@@ -14393,5 +14124,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=13304ad0-96c0-432a-b125-801db7775ab7
+//# debugId=214e9941-f13a-4601-a726-83de349925db
 //# sourceMappingURL=cli.js.map