npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.0.110 → 1.1.0 - Mend

@socketsecurity/cli-with-sentry 1.0.110 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/dist/cli.js +150 -1298
package/dist/cli.js.map +1 -1
package/dist/constants.js +6 -5
package/dist/constants.js.map +1 -1
package/dist/shadow-npm-bin.js +10 -4
package/dist/shadow-npm-bin.js.map +1 -1
package/dist/shadow-npm-inject.js +21 -240
package/dist/shadow-npm-inject.js.map +1 -1
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
package/dist/types/commands/fix/coana-fix.d.mts +1 -1
package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
package/dist/types/commands/fix/handle-fix.d.mts +1 -1
package/dist/types/commands/fix/handle-fix.d.mts.map +1 -1
package/dist/types/commands/fix/types.d.mts +18 -0
package/dist/types/commands/fix/types.d.mts.map +1 -0
package/dist/types/constants.d.mts.map +1 -1
package/dist/types/shadow/npm/arborist/lib/arborist/index.d.mts.map +1 -1
package/dist/types/shadow/npm/arborist-helpers.d.mts +1 -1
package/dist/types/shadow/npm/arborist-helpers.d.mts.map +1 -1
package/dist/types/shadow/npm/bin.d.mts.map +1 -1
package/dist/types/utils/alerts-map.d.mts.map +1 -1
package/dist/types/utils/fs.d.mts +3 -1
package/dist/types/utils/fs.d.mts.map +1 -1
package/dist/utils.js +990 -1222
package/dist/utils.js.map +1 -1
package/dist/vendor.js +111951 -119286
package/package.json +6 -6
package/dist/types/commands/fix/agent-fix.d.mts +0 -42
package/dist/types/commands/fix/agent-fix.d.mts.map +0 -1
package/dist/types/commands/fix/get-actual-tree.d.mts +0 -3
package/dist/types/commands/fix/get-actual-tree.d.mts.map +0 -1
package/dist/types/commands/fix/npm-fix.d.mts +0 -7
package/dist/types/commands/fix/npm-fix.d.mts.map +0 -1
package/dist/types/commands/fix/pnpm-fix.d.mts +0 -7
package/dist/types/commands/fix/pnpm-fix.d.mts.map +0 -1
package/dist/types/commands/fix/shared.d.mts +0 -10
package/dist/types/commands/fix/shared.d.mts.map +0 -1

package/dist/cli.js CHANGED Viewed

@@ -19,14 +19,11 @@ var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var registry = require('../external/@socketsecurity/registry');
-var npm = require('../external/@socketsecurity/registry/lib/npm');
-var packages = require('../external/@socketsecurity/registry/lib/packages');
-var sorts = require('../external/@socketsecurity/registry/lib/sorts');
-var shadowNpmInject = require('./shadow-npm-inject.js');
-var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var shadowNpmBin = require('./shadow-npm-bin.js');
+var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
+var registry = require('../external/@socketsecurity/registry');
+var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$11 = require('../external/@socketsecurity/registry/lib/promises');
 var require$$1 = require('node:util');
 var os = require('node:os');
@@ -318,7 +315,7 @@ async function handleAnalytics({
   });
 }
-const CMD_NAME$x = 'analytics';
+const CMD_NAME$w = 'analytics';
 const description$D = 'Look up analytics data';
 const hidden$v = false;
 const cmdAnalytics = {
@@ -330,7 +327,7 @@ async function run$Q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$x,
+    commandName: CMD_NAME$w,
     description: description$D,
     hidden: hidden$v,
     flags: {
@@ -348,7 +345,7 @@ async function run$Q(argv, importMeta, {
       $ ${command} [options] [ "org" | "repo" <reponame>] [TIME]
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
     The scope is either org or repo level, defaults to org.
@@ -742,7 +739,7 @@ async function handleAuditLog({
   });
 }
-const CMD_NAME$w = 'audit-log';
+const CMD_NAME$v = 'audit-log';
 const description$C = 'Look up the audit log for an organization';
 const hidden$u = false;
 const cmdAuditLog = {
@@ -754,7 +751,7 @@ async function run$P(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$w,
+    commandName: CMD_NAME$v,
     description: description$C,
     hidden: hidden$u,
     flags: {
@@ -784,7 +781,7 @@ async function run$P(argv, importMeta, {
       $ ${command} [options] [FILTER]
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$v}`)}
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit ${constants.SOCKET_WEBSITE_URL}/pricing
@@ -2599,7 +2596,7 @@ async function handleConfigAuto({
   await outputConfigAuto(key, result, outputKind);
 }
-const CMD_NAME$v = 'auto';
+const CMD_NAME$u = 'auto';
 const description$B = 'Automatically discover and set the correct value config item';
 const hidden$t = false;
 const cmdConfigAuto = {
@@ -2611,7 +2608,7 @@ async function run$N(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$v,
+    commandName: CMD_NAME$u,
     description: description$B,
     hidden: hidden$t,
     flags: {
@@ -2949,7 +2946,7 @@ async function handleConfigSet({
   await outputConfigSet(result, outputKind);
 }
-const CMD_NAME$u = 'set';
+const CMD_NAME$t = 'set';
 const description$A = 'Update the value of a local CLI config item';
 const hidden$s = false;
 const cmdConfigSet = {
@@ -2961,7 +2958,7 @@ async function run$K(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$u,
+    commandName: CMD_NAME$t,
     description: description$A,
     hidden: hidden$s,
     flags: {
@@ -3073,7 +3070,7 @@ async function handleConfigUnset({
   await outputConfigUnset(updateResult, outputKind);
 }
-const CMD_NAME$t = 'unset';
+const CMD_NAME$s = 'unset';
 const description$z = 'Clear the value of a local CLI config item';
 const hidden$r = false;
 const cmdConfigUnset = {
@@ -3085,7 +3082,7 @@ async function run$J(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$t,
+    commandName: CMD_NAME$s,
     description: description$z,
     hidden: hidden$r,
     flags: {
@@ -3194,25 +3191,7 @@ function createSocketBranchParser(options) {
     };
   };
 }
-const genericSocketBranchParser = createSocketBranchParser();
-function getSocketBranchFullNameComponent(pkgName) {
-  const purlObj = utils.getPurlObject(typeof pkgName === 'string' && !pkgName.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/${pkgName}`) : pkgName);
-  const branchMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
-  return `${branchMaybeNamespace}${formatBranchName(purlObj.name)}`;
-}
-function getSocketBranchName(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const branchType = getSocketBranchPurlTypeComponent(purlObj);
-  const branchWorkspace = getSocketBranchWorkspaceComponent(workspace);
-  const branchFullName = getSocketBranchFullNameComponent(purlObj);
-  const branchVersion = getSocketBranchPackageVersionComponent(purlObj.version);
-  const branchNewVersion = formatBranchName(newVersion);
-  return `socket/${branchType}/${branchWorkspace}/${branchFullName}_${branchVersion}_${branchNewVersion}`;
-}
-function getSocketBranchPackageVersionComponent(version) {
-  const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
-  return formatBranchName(purlObj.version);
-}
+createSocketBranchParser();
 function getSocketBranchPattern(options) {
   const {
     newVersion,
@@ -3231,29 +3210,6 @@ function getSocketBranchPattern(options) {
   const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
   return new RegExp(`^socket/(${escType})/(${escWorkspace})/(${escFullName})_(${escVersion})_(${escNewVersion})$`);
 }
-function getSocketBranchPurlTypeComponent(purl) {
-  const purlObj = utils.getPurlObject(purl);
-  return formatBranchName(purlObj.type);
-}
-function getSocketBranchWorkspaceComponent(workspace) {
-  return workspace ? formatBranchName(workspace) : 'root';
-}
-function getSocketCommitMessage(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
-}
-function getSocketPullRequestBody(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  const pkgOverviewUrl = utils.getSocketDevPackageOverviewUrlFromPurl(purlObj);
-  return `Bump [${fullName}](${pkgOverviewUrl}) from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}.`;
-}
-function getSocketPullRequestTitle(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
-}
 let _octokit;
 function getOctokit() {
@@ -3375,85 +3331,6 @@ async function fetchGhsaDetails(ids) {
   }
   return results;
 }
-async function cleanupPrs(owner, repo, options) {
-  const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
-  if (!contextualMatches.length) {
-    return [];
-  }
-  const cachesToSave = new Map();
-  const {
-    newVersion
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const branchParser = createSocketBranchParser(options);
-  const octokit = getOctokit();
-  const settledMatches = await Promise.allSettled(contextualMatches.map(async ({
-    context,
-    match
-  }) => {
-    const {
-      number: prNum
-    } = match;
-    const prRef = `PR #${prNum}`;
-    const parsedBranch = branchParser(match.headRefName);
-    const prToVersion = parsedBranch?.newVersion;
-    // Close older PRs.
-    if (prToVersion && newVersion && vendor.semverExports.lt(prToVersion, newVersion)) {
-      try {
-        await octokit.pulls.update({
-          owner,
-          repo,
-          pull_number: prNum,
-          state: 'closed'
-        });
-        require$$9.debugFn('notice', `pr: closing ${prRef} for ${prToVersion}`);
-        // Remove entry from parent object.
-        context.parent.splice(context.index, 1);
-        // Mark cache to be saved.
-        cachesToSave.set(context.cacheKey, context.data);
-        return null;
-      } catch (e) {
-        require$$9.debugFn('error', `pr: failed to close ${prRef} for ${prToVersion}\n`, e?.message || 'Unknown error');
-      }
-    }
-    // Update stale PRs.
-    // https://docs.github.com/en/graphql/reference/enums#mergestatestatus
-    if (match.mergeStateStatus === 'BEHIND') {
-      try {
-        await octokit.repos.merge({
-          owner,
-          repo,
-          base: match.headRefName,
-          head: match.baseRefName
-        });
-        require$$9.debugFn('notice', `pr: updating stale ${prRef}`);
-        // Update entry entry.
-        if (context.apiType === 'graphql') {
-          context.entry.mergeStateStatus = 'CLEAN';
-        } else if (context.apiType === 'rest') {
-          context.entry.mergeable_state = 'clean';
-        }
-        // Mark cache to be saved.
-        cachesToSave.set(context.cacheKey, context.data);
-      } catch (e) {
-        const message = e?.message || 'Unknown error';
-        require$$9.debugFn('error', `pr: failed to update ${prRef} - ${message}`);
-      }
-    }
-    return match;
-  }));
-  if (cachesToSave.size) {
-    await Promise.allSettled(Array.from(cachesToSave).map(({
-      0: key,
-      1: data
-    }) => writeCache(key, data)));
-  }
-  const fulfilledMatches = settledMatches.filter(r => r.status === 'fulfilled' && r.value);
-  return fulfilledMatches.map(r => r.value.match);
-}
 async function enablePrAutoMerge({
   node_id: prId
 }) {
@@ -3620,40 +3497,6 @@ async function getSocketPrsWithContext(owner, repo, options) {
   }
   return contextualMatches;
 }
-async function openPr(owner, repo, branch, purl, newVersion, options) {
-  const {
-    baseBranch = 'main',
-    workspace
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const purlObj = utils.getPurlObject(purl);
-  const octokit = getOctokit();
-  try {
-    const octokitPullsCreateParams = {
-      owner,
-      repo,
-      title: getSocketPullRequestTitle(purlObj, newVersion, workspace),
-      head: branch,
-      base: baseBranch,
-      body: getSocketPullRequestBody(purlObj, newVersion, workspace)
-    };
-    require$$9.debugDir('inspect', {
-      octokitPullsCreateParams
-    });
-    return await octokit.pulls.create(octokitPullsCreateParams);
-  } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
-    }
-    require$$9.debugFn('error', message);
-  }
-  return null;
-}
 async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
   const {
     baseBranch = 'main',
@@ -3833,7 +3676,7 @@ async function coanaFix(fixConfig) {
       data: uploadCResult.data
     };
   }
-  const isAll = ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
+  const isAll = !ghsas.length || ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
     const ids = isAll ? ['all'] : ghsas.slice(0, limit);
@@ -3863,8 +3706,7 @@ async function coanaFix(fixConfig) {
   if (isAll) {
     const foundCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
-      spinner,
-      stdio: 'inherit'
+      spinner
     });
     if (foundCResult.ok) {
       const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
@@ -3904,7 +3746,7 @@ async function coanaFix(fixConfig) {
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', id, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', id, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
@@ -4026,1121 +3868,46 @@ async function coanaFix(fixConfig) {
   };
 }
-function getPrsForPurl(fixEnv, partialPurl) {
-  if (!fixEnv) {
-    return [];
-  }
-  const prs = [];
-  const partialPurlObj = utils.getPurlObject(partialPurl);
-  const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
-  const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-  for (const pr of fixEnv.prs) {
-    const parsedBranch = genericSocketBranchParser(pr.headRefName);
-    if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-      prs.push(pr);
-    }
-  }
-  if (require$$9.isDebug('notice,silly')) {
-    const fullName = packages.resolvePackageName(partialPurlObj);
-    if (prs.length) {
-      require$$9.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
-      require$$9.debugDir('silly', {
-        prs
-      });
-    } else if (fixEnv.prs.length) {
-      require$$9.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
-    }
+async function outputFixResult(result, outputKind) {
+  if (!result.ok) {
+    process.exitCode = result.code ?? 1;
   }
-  return prs;
-}
-async function getActualTree(cwd = process.cwd()) {
-  try {
-    // @npmcli/arborist DOES have partial support for pnpm structured node_modules
-    // folders. However, support is iffy resulting in unhappy paths of errors and hangs.
-    // So, to avoid unhappy paths, we restrict our usage to --dry-run loading of the
-    // node_modules folder.
-    const arb = new shadowNpmInject.Arborist({
-      path: cwd,
-      ...shadowNpmInject.SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-    });
-    return {
-      actualTree: await arb.loadActual()
-    };
-  } catch (e) {
-    return {
-      error: e
-    };
+  if (outputKind === 'json') {
+    logger.logger.log(utils.serializeResultJson(result));
+    return;
   }
-}
-const {
-  BUN: BUN$4,
-  NPM: NPM$4,
-  OVERRIDES: OVERRIDES$1,
-  PNPM: PNPM$4,
-  RESOLUTIONS: RESOLUTIONS$1,
-  VLT: VLT$5,
-  YARN_BERRY: YARN_BERRY$4,
-  YARN_CLASSIC: YARN_CLASSIC$4
-} = constants;
-function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_BERRY$4,
-    overrides
-  };
-}
-// npm overrides documentation:
-// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-function getOverridesDataNpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
-  return {
-    type: NPM$4,
-    overrides
-  };
-}
-// pnpm overrides documentation:
-// https://pnpm.io/package_json#pnpmoverrides
-function getOverridesDataPnpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[PNPM$4]?.[OVERRIDES$1] ?? {};
-  return {
-    type: PNPM$4,
-    overrides
-  };
-}
-function getOverridesDataVlt(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
-  return {
-    type: VLT$5,
-    overrides
-  };
-}
-// Yarn resolutions documentation:
-// https://yarnpkg.com/configuration/manifest#resolutions
-function getOverridesDataYarn(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_BERRY$4,
-    overrides
-  };
-}
-// Yarn resolutions documentation:
-// https://classic.yarnpkg.com/en/docs/selective-version-resolutions
-function getOverridesDataYarnClassic(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_CLASSIC$4,
-    overrides
-  };
-}
-function getOverridesData(pkgEnvDetails, pkgJson) {
-  switch (pkgEnvDetails.agent) {
-    case BUN$4:
-      return getOverridesDataBun(pkgEnvDetails, pkgJson);
-    case PNPM$4:
-      return getOverridesDataPnpm(pkgEnvDetails, pkgJson);
-    case VLT$5:
-      return getOverridesDataVlt(pkgEnvDetails, pkgJson);
-    case YARN_BERRY$4:
-      return getOverridesDataYarn(pkgEnvDetails, pkgJson);
-    case YARN_CLASSIC$4:
-      return getOverridesDataYarnClassic(pkgEnvDetails, pkgJson);
-    case NPM$4:
-    default:
-      return getOverridesDataNpm(pkgEnvDetails, pkgJson);
+  if (!result.ok) {
+    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
+    return;
   }
+  logger.logger.log('');
+  logger.logger.success('Finished!');
 }
-const noopHandler = () => {};
-async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
-  afterInstall = noopHandler,
-  afterUpdate = noopHandler,
-  beforeInstall = noopHandler,
-  revertInstall = noopHandler
-}, fixConfig) {
-  const {
-    pkgPath: rootPath
-  } = pkgEnvDetails;
-  const fixEnv = await getFixEnv();
-  require$$9.debugDir('inspect', {
-    fixEnv
-  });
-  const {
+async function handleFix({
+  autoMerge,
+  cwd,
+  ghsas,
+  limit,
+  minSatisfying,
+  orgSlug,
+  outputKind,
+  prCheck,
+  purls,
+  rangeStyle,
+  spinner,
+  test,
+  testScript,
+  unknownFlags
+}) {
+  await outputFixResult(await coanaFix({
     autoMerge,
     cwd,
+    ghsas,
     limit,
-    minSatisfying,
-    prCheck,
+    orgSlug,
     rangeStyle,
     spinner,
-    test,
-    testScript
-  } = fixConfig;
-  let count = 0;
-  const infoByPartialPurl = utils.getCveInfoFromAlertsMap(alertsMap, {
-    filter: {
-      upgradable: false
-    }
-  });
-  if (!infoByPartialPurl) {
-    spinner?.stop();
-    logger.logger.info('No fixable vulns found.');
-    if (alertsMap.size) {
-      require$$9.debugDir('inspect', {
-        alertsMap
-      });
-    } else {
-      require$$9.debugFn('inspect', '{ alertsMap: Map(0) {} }');
-    }
-    return {
-      ok: true,
-      data: {
-        fixed: false
-      }
-    };
-  }
-  if (require$$9.isDebug('notice,inspect')) {
-    spinner?.stop();
-    const partialPurls = Array.from(infoByPartialPurl.keys());
-    const {
-      length: purlsCount
-    } = partialPurls;
-    require$$9.debugFn('notice', `found: ${purlsCount} ${words.pluralize('PURL', purlsCount)} with CVEs`);
-    require$$9.debugDir('inspect', {
-      partialPurls
-    });
-    spinner?.start();
-  }
-  const {
-    packumentCache
-  } = constants;
-  const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
-  const pkgJsonPaths = [...workspacePkgJsonPaths,
-  // Process the workspace root last since it will add an override to package.json.
-  pkgEnvDetails.editablePkgJson.filename];
-  const sortedInfoEntries = Array.from(infoByPartialPurl.entries()).sort((a, b) => sorts.naturalCompare(a[0], b[0]));
-  const cleanupInfoEntriesLoop = () => {
-    logger.logger.dedent();
-    spinner?.dedent();
-    packumentCache.clear();
-  };
-  const getModifiedFiles = async (cwd = process.cwd()) => {
-    const unstagedCResult = await utils.gitUnstagedModifiedFiles(cwd);
-    return unstagedCResult.ok ? unstagedCResult.data.filter(filepath => {
-      const basename = path.basename(filepath);
-      return basename === 'package.json' || basename === pkgEnvDetails.lockName;
-    }) : [];
-  };
-  const handleInstallFail = error => {
-    cleanupInfoEntriesLoop();
-    spinner?.stop();
-    return {
-      ok: false,
-      message: 'Install failed',
-      cause: `${pkgEnvDetails.agent} install failed${error ? `; ${error}` : ''}`
-    };
-  };
-  const hasModifiedFiles = async (cwd = process.cwd()) => {
-    return (await getModifiedFiles(cwd)).length > 0;
-  };
-  spinner?.stop();
-  infoEntriesLoop: for (let i = 0, {
-      length
-    } = sortedInfoEntries; i < length; i += 1) {
-    const isLastInfoEntry = i === length - 1;
-    const infoEntry = sortedInfoEntries[i];
-    const partialPurlObj = utils.getPurlObject(infoEntry[0]);
-    const name = packages.resolvePackageName(partialPurlObj);
-    const infos = Array.from(infoEntry[1].values());
-    if (!infos.length) {
-      require$$9.debugFn('notice', `miss: CVEs expected, but not found, for ${name}`);
-      continue infoEntriesLoop;
-    }
-    logger.logger.log(`Processing '${name}'`);
-    logger.logger.indent();
-    spinner?.indent();
-    if (registry.getManifestData(partialPurlObj.type, name)) {
-      require$$9.debugFn('notice', `found: Socket Optimize variant for ${name}`);
-    }
-    // eslint-disable-next-line no-await-in-loop
-    const packument = await packages.fetchPackagePackument(name);
-    if (!packument) {
-      logger.logger.warn(`Unexpected condition: No packument found for ${name}.\n`);
-      cleanupInfoEntriesLoop();
-      // Skip to next package.
-      continue infoEntriesLoop;
-    }
-    require$$9.debugDir('inspect', {
-      infos
-    });
-    const availableVersions = Object.keys(packument.versions);
-    const prs = getPrsForPurl(fixEnv, infoEntry[0]);
-    const warningsForAfter = new Set();
-    let changed = false;
-    // eslint-disable-next-line no-unused-labels
-    for (let j = 0, {
-        length: length_j
-      } = pkgJsonPaths; j < length_j; j += 1) {
-      const isLastPkgJsonPath = j === length_j - 1;
-      const pkgJsonPath = pkgJsonPaths[j];
-      const pkgPath = path.dirname(pkgJsonPath);
-      const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
-      const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
-      if (!actualTree) {
-        if (!fixEnv.isCi) {
-          // eslint-disable-next-line no-await-in-loop
-          await utils.removeNodeModules(cwd);
-        }
-        if (fixEnv.isCi && fs$1.existsSync(path.join(rootPath, 'node_modules'))) {
-          // eslint-disable-next-line no-await-in-loop
-          const treeResult = await getActualTree(cwd);
-          const maybeActualTree = treeResult.actualTree;
-          if (!maybeActualTree) {
-            // Exit early if install fails.
-            return handleInstallFail(treeResult.error);
-          }
-          actualTree = maybeActualTree;
-        } else {
-          // eslint-disable-next-line no-await-in-loop
-          const installResult = await installer(pkgEnvDetails, {
-            cwd,
-            spinner
-          });
-          const maybeActualTree = installResult.actualTree;
-          if (!maybeActualTree) {
-            // Exit early if install fails.
-            return handleInstallFail(installResult.error);
-          }
-          actualTree = maybeActualTree;
-        }
-        if (!fs$1.existsSync(pkgEnvDetails.lockPath)) {
-          // Exit early if lockfile is missing.
-          return handleInstallFail(new Error(`Missing lockfile at ${pkgEnvDetails.lockPath}`));
-        }
-      }
-      const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
-      if (!oldVersions.length) {
-        require$$9.debugFn('notice', `skip: ${name} not found`);
-        cleanupInfoEntriesLoop();
-        // Skip to next package.
-        continue infoEntriesLoop;
-      }
-      // Always re-read the editable package.json to avoid stale mutations
-      // across iterations.
-      // eslint-disable-next-line no-await-in-loop
-      const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
-        editable: true
-      });
-      const seenBranches = new Set();
-      const seenVersions = new Set();
-      let hasAnnouncedWorkspace = false;
-      let workspaceLogCallCount = logger.logger.logCallCount;
-      if (require$$9.isDebug('notice')) {
-        require$$9.debugFn('notice', `check: workspace ${workspace}`);
-        hasAnnouncedWorkspace = true;
-        workspaceLogCallCount = logger.logger.logCallCount;
-      }
-      oldVersionsLoop: for (const oldVersion of oldVersions) {
-        const oldId = `${name}@${oldVersion}`;
-        const oldPurl = utils.idToPurl(oldId, partialPurlObj.type);
-        const node = shadowNpmInject.findPackageNode(actualTree, name, oldVersion);
-        if (!node) {
-          require$$9.debugFn('notice', `skip: ${oldId} not found`);
-          continue oldVersionsLoop;
-        }
-        infosLoop: for (const {
-          firstPatchedVersionIdentifier,
-          vulnerableVersionRange
-        } of infos) {
-          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, {
-            minSatisfying,
-            vulnerableVersionRange
-          });
-          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
-          if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
-            continue infosLoop;
-          }
-          if (seenVersions.has(newVersion)) {
-            continue infosLoop;
-          }
-          if (vendor.semverExports.gte(oldVersion, newVersion)) {
-            require$$9.debugFn('silly', `skip: ${oldId} is >= ${newVersion}`);
-            continue infosLoop;
-          }
-          const branch = getSocketBranchName(oldPurl, newVersion, workspace);
-          if (seenBranches.has(branch)) {
-            continue infosLoop;
-          }
-          const pr = prCheck ? prs.find(p => p.headRefName === branch) : undefined;
-          if (pr) {
-            require$$9.debugFn('notice', `skip: PR #${pr.number} for ${name}@${newVersion} exists`);
-            seenBranches.add(branch);
-            continue infosLoop;
-          }
-          if (fixEnv.isCi && (
-          // eslint-disable-next-line no-await-in-loop
-          await utils.gitRemoteBranchExists(branch, cwd))) {
-            require$$9.debugFn('notice', `skip: remote branch "${branch}" for ${name}@${newVersion} exists`);
-            seenBranches.add(branch);
-            continue infosLoop;
-          }
-          const {
-            overrides: oldOverrides
-          } = getOverridesData(pkgEnvDetails, editablePkgJson.content);
-          let refRange = oldOverrides?.[`${name}@${vulnerableVersionRange}`];
-          if (!strings.isNonEmptyString(refRange)) {
-            refRange = oldOverrides?.[name];
-          }
-          if (!strings.isNonEmptyString(refRange)) {
-            refRange = oldVersion;
-          }
-          // eslint-disable-next-line no-await-in-loop
-          await beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-          shadowNpmInject.updatePackageJsonFromNode(editablePkgJson, actualTree, node, newVersion, rangeStyle);
-          // eslint-disable-next-line no-await-in-loop
-          await editablePkgJson.save({
-            ignoreWhitespace: true
-          });
-          // eslint-disable-next-line no-await-in-loop
-          await afterUpdate(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-          // eslint-disable-next-line no-await-in-loop
-          if (!(await hasModifiedFiles(cwd))) {
-            require$$9.debugFn('notice', `skip: no changes for ${name}@${newVersion}`);
-            seenVersions.add(newVersion);
-            // Reset things just in case.
-            if (fixEnv.isCi) {
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-            }
-            continue infosLoop;
-          }
-          spinner?.start();
-          if (!hasAnnouncedWorkspace) {
-            hasAnnouncedWorkspace = true;
-            workspaceLogCallCount = logger.logger.logCallCount;
-          }
-          const newId = `${name}@${utils.applyRange(refRange, newVersion, rangeStyle)}`;
-          spinner?.info(`Installing ${newId} in ${workspace}.`);
-          let error;
-          let errored = false;
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            const installResult = await installer(pkgEnvDetails, {
-              cwd,
-              spinner
-            });
-            const maybeActualTree = installResult.actualTree;
-            if (!maybeActualTree) {
-              errored = true;
-              error = installResult.error;
-            } else if (!fs$1.existsSync(pkgEnvDetails.lockPath)) {
-              errored = true;
-              error = new Error(`Missing lockfile at ${pkgEnvDetails.lockPath}`);
-            } else {
-              actualTree = maybeActualTree;
-              // eslint-disable-next-line no-await-in-loop
-              await afterInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-              if (test) {
-                spinner?.info(`Testing ${newId} in ${workspace}.`);
-                // eslint-disable-next-line no-await-in-loop
-                await npm.runNpmScript(testScript, [], {
-                  spinner,
-                  stdio: 'ignore'
-                });
-              }
-              spinner?.success(`Fixed ${name} in ${workspace}.`);
-              seenVersions.add(newVersion);
-            }
-          } catch (e) {
-            error = e;
-            errored = true;
-          }
-          spinner?.stop();
-          // Check repoInfo to make TypeScript happy.
-          if (!errored && fixEnv.isCi && fixEnv.repoInfo) {
-            require$$9.debugFn('notice', 'pr: creating');
-            try {
-              const pushed =
-              // eslint-disable-next-line no-await-in-loop
-              (await utils.gitCreateBranch(branch, cwd)) && (
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitCheckoutBranch(branch, cwd)) && (
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitCommit(getSocketCommitMessage(oldPurl, newVersion, workspace),
-              // eslint-disable-next-line no-await-in-loop
-              await getModifiedFiles(cwd), {
-                cwd,
-                email: fixEnv.gitEmail,
-                user: fixEnv.gitUser
-              })) && (
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitPushBranch(branch, cwd));
-              if (!pushed) {
-                logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
-                // eslint-disable-next-line no-await-in-loop
-                await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                await utils.gitDeleteBranch(branch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                const installResult = await installer(pkgEnvDetails, {
-                  cwd,
-                  spinner
-                });
-                const maybeActualTree = installResult.actualTree;
-                if (!maybeActualTree) {
-                  // Exit early if install fails.
-                  return handleInstallFail(installResult.error);
-                }
-                if (!fs$1.existsSync(pkgEnvDetails.lockPath)) {
-                  // Exit early if lockfile is missing.
-                  return handleInstallFail(new Error(`Missing lockfile at ${pkgEnvDetails.lockPath}`));
-                }
-                actualTree = maybeActualTree;
-                continue infosLoop;
-              }
-              seenBranches.add(branch);
-              // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd), cleanupPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
-                newVersion,
-                purl: oldPurl,
-                workspace
-              })]);
-              // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch: fixEnv.baseBranch,
-                cwd,
-                workspace
-              });
-              if (prResponse) {
-                const {
-                  data
-                } = prResponse;
-                const prRef = `PR #${data.number}`;
-                logger.logger.success(`Opened ${prRef}.`);
-                if (autoMerge) {
-                  logger.logger.indent();
-                  spinner?.indent();
-                  // eslint-disable-next-line no-await-in-loop
-                  const {
-                    details,
-                    enabled
-                  } = await enablePrAutoMerge(data);
-                  if (enabled) {
-                    logger.logger.info(`Auto-merge enabled for ${prRef}.`);
-                  } else {
-                    const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
-                    logger.logger.error(message);
-                  }
-                  logger.logger.dedent();
-                  spinner?.dedent();
-                }
-              }
-            } catch (e) {
-              error = e;
-              errored = true;
-            }
-          } else if (fixEnv.isCi) {
-            require$$9.debugFn('notice', 'skip: PR creation');
-          }
-          if (fixEnv.isCi) {
-            spinner?.start();
-            // eslint-disable-next-line no-await-in-loop
-            await utils.gitResetAndClean(branch, cwd);
-            // eslint-disable-next-line no-await-in-loop
-            await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-            // eslint-disable-next-line no-await-in-loop
-            const installResult = await installer(pkgEnvDetails, {
-              cwd,
-              spinner
-            });
-            spinner?.stop();
-            const maybeActualTree = installResult.actualTree;
-            if (maybeActualTree) {
-              actualTree = maybeActualTree;
-            } else {
-              errored = true;
-              error = installResult.error;
-            }
-          }
-          if (errored) {
-            if (!fixEnv.isCi) {
-              spinner?.start();
-              // eslint-disable-next-line no-await-in-loop
-              await revertInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-              // eslint-disable-next-line no-await-in-loop
-              await Promise.all([utils.removeNodeModules(cwd), editablePkgJson.save({
-                ignoreWhitespace: true
-              })]);
-              // eslint-disable-next-line no-await-in-loop
-              const installResult = await installer(pkgEnvDetails, {
-                cwd,
-                spinner
-              });
-              spinner?.stop();
-              const maybeActualTree = installResult.actualTree;
-              if (!maybeActualTree) {
-                // Exit early if install fails.
-                return handleInstallFail(installResult.error);
-              }
-              actualTree = maybeActualTree;
-            }
-            return {
-              ok: false,
-              message: 'Update failed',
-              cause: `Update failed for ${oldId} in ${workspace}${error ? `; ${error}` : ''}`
-            };
-          } else {
-            changed = true;
-          }
-          require$$9.debugFn('notice', 'increment: count', count + 1);
-          if (++count >= limit) {
-            cleanupInfoEntriesLoop();
-            // Exit main loop.
-            break infoEntriesLoop;
-          }
-        }
-      }
-      if (!isLastPkgJsonPath && logger.logger.logCallCount > workspaceLogCallCount) {
-        logger.logger.logNewline();
-      }
-    }
-    for (const warningText of warningsForAfter) {
-      logger.logger.warn(warningText);
-    }
-    if (!changed && !warningsForAfter.size) {
-      logger.logger.info('No vulnerable versions found.');
-    }
-    if (!isLastInfoEntry) {
-      logger.logger.logNewline();
-    }
-    cleanupInfoEntriesLoop();
-  }
-  spinner?.stop();
-  // Or, did we change anything?
-  return {
-    ok: true,
-    data: {
-      fixed: true
-    }
-  };
-}
-const CMD_NAME$s = 'socket fix';
-function getFixAlertsMapOptions(options = {}) {
-  return {
-    __proto__: null,
-    consolidate: true,
-    nothrow: true,
-    onlyFixable: true,
-    ...options,
-    filter: utils.toFilterConfig({
-      existing: true,
-      ...require$$10.getOwn(options, 'filter')
-    })
-  };
-}
-async function install$1(pkgEnvDetails, options) {
-  const {
-    args: extraArgs,
-    cwd,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const useDebug = require$$9.isDebug('stdio');
-  const args = [
-  // If "true", npm does not run scripts specified in package.json files.
-  // Note that commands explicitly intended to run a particular script, such
-  // as `npm start`, `npm stop`, `npm restart`, `npm test`, and `npm run` will
-  // still run their intended script if `ignore-scripts` is set, but they will
-  // not run any pre- or post-scripts.
-  // https://docs.npmjs.com/cli/v11/commands/npm-install#ignore-scripts
-  '--ignore-scripts',
-  // When "true" submit audit reports alongside the current npm command to the
-  // default registry and all registries configured for scopes. See the
-  // documentation for `npm audit` for details on what is submitted.
-  // https://docs.npmjs.com/cli/v11/commands/npm-install#audit
-  '--no-audit',
-  // When "true" displays the message at the end of each `npm install` acknowledging
-  // the number of dependencies looking for funding. See `npm fund` for details.
-  // https://docs.npmjs.com/cli/v11/commands/npm-install#fund
-  '--no-fund',
-  // When set to "true", npm will display a progress bar during time intensive
-  // operations, if `process.stderr` is a TTY. Set to "false" to suppress the
-  // progress bar.
-  // https://docs.npmjs.com/cli/v8/using-npm/config#progress
-  '--no-progress',
-  // What level of logs to report. All logs are written to a debug log, with
-  // the path to that file printed if the execution of a command fails. The
-  // default is "notice".
-  // https://docs.npmjs.com/cli/v8/using-npm/config#loglevel
-  ...(useDebug ? [] : ['--silent']), ...(extraArgs ?? [])];
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.stop();
-  const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await utils.runAgentInstall(pkgEnvDetails, {
-      args,
-      spinner,
-      stdio: useDebug ? 'inherit' : 'ignore'
-    });
-  } catch (error) {
-    const result = {
-      error
-    };
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', result);
-    return result;
-  }
-  const treeResult = await getActualTree(cwd);
-  if (treeResult.actualTree) {
-    if (wasSpinning) {
-      spinner.start();
-    }
-    return treeResult;
-  }
-  require$$9.debugFn('error', 'caught: await arb.loadActual() error');
-  require$$9.debugDir('inspect', treeResult);
-  if (wasSpinning) {
-    spinner.start();
-  }
-  return treeResult;
-}
-async function npmFix(pkgEnvDetails, fixConfig) {
-  const {
-    purls,
-    spinner
-  } = fixConfig;
-  spinner?.start();
-  const flatConfig = await utils.getNpmConfig({
-    npmVersion: pkgEnvDetails.agentVersion
-  });
-  let actualTree;
-  let alertsMap;
-  try {
-    if (purls.length) {
-      alertsMap = await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions());
-    } else {
-      let arb;
-      try {
-        arb = new shadowNpmInject.Arborist({
-          path: pkgEnvDetails.pkgPath,
-          ...flatConfig,
-          ...shadowNpmInject.SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-        });
-        // Calling arb.reify() creates the arb.diff object, nulls-out arb.idealTree,
-        // and populates arb.actualTree.
-        actualTree = await arb.reify();
-      } catch (e) {
-        spinner?.stop();
-        require$$9.debugFn('error', 'caught: await arb.reify() error');
-        require$$9.debugDir('inspect', {
-          error: e
-        });
-        return {
-          ok: false,
-          message: 'npm error',
-          cause: e?.message || 'Unknown npm error.'
-        };
-      }
-      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getFixAlertsMapOptions());
-    }
-  } catch (e) {
-    spinner?.stop();
-    require$$9.debugFn('error', 'caught: Socket batch PURL API error');
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-    return {
-      ok: false,
-      message: 'Socket API error',
-      cause: e?.message || 'Unknown Socket batch PURL API error.'
-    };
-  }
-  let revertData;
-  return await agentFix(pkgEnvDetails, actualTree, alertsMap, install$1, {
-    async beforeInstall(editablePkgJson) {
-      revertData = {
-        // Track existing dependencies in the root package.json to revert to later.
-        ...(editablePkgJson.content.dependencies && {
-          dependencies: {
-            ...editablePkgJson.content.dependencies
-          }
-        }),
-        ...(editablePkgJson.content.optionalDependencies && {
-          optionalDependencies: {
-            ...editablePkgJson.content.optionalDependencies
-          }
-        }),
-        ...(editablePkgJson.content.peerDependencies && {
-          peerDependencies: {
-            ...editablePkgJson.content.peerDependencies
-          }
-        })
-      };
-    },
-    async afterUpdate(editablePkgJson, packument, oldVersion, newVersion) {
-      // Exit early if not the root workspace.
-      if (editablePkgJson.filename !== pkgEnvDetails.editablePkgJson.filename) {
-        return;
-      }
-      // Update package-lock.json using @npmcli/arborist.
-      const arb = new shadowNpmInject.Arborist({
-        path: pkgEnvDetails.pkgPath,
-        ...flatConfig,
-        ...shadowNpmInject.SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-      });
-      // Build the ideal tree of nodes that are used to generated the saved
-      // package-lock.json
-      const idealTree = await arb.buildIdealTree();
-      const node = shadowNpmInject.findPackageNode(idealTree, packument.name, oldVersion);
-      if (node) {
-        // Update the ideal tree node.
-        shadowNpmInject.updateNode(node, newVersion, packument.versions[newVersion]);
-        // Save package-lock.json lockfile.
-        await arb.reify();
-      }
-    },
-    async revertInstall(editablePkgJson) {
-      if (revertData) {
-        // Revert package.json.
-        editablePkgJson.update(revertData);
-        await editablePkgJson.save({
-          ignoreWhitespace: true
-        });
-      }
-    }
-  }, fixConfig);
-}
-async function outputFixResult(result, outputKind) {
-  if (!result.ok) {
-    process.exitCode = result.code ?? 1;
-  }
-  if (outputKind === 'json') {
-    logger.logger.log(utils.serializeResultJson(result));
-    return;
-  }
-  if (!result.ok) {
-    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
-    return;
-  }
-  logger.logger.log('');
-  logger.logger.success('Finished!');
-}
-async function install(pkgEnvDetails, options) {
-  const {
-    args: extraArgs,
-    cwd,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const args = [
-  // Do not execute any scripts defined in the project package.json and its dependencies.
-  // https://pnpm.io/9.x/cli/install#--ignore-scripts
-  '--ignore-scripts',
-  // Enable pnpm updates to pnpm-lock.yaml in CI environments.
-  // https://pnpm.io/cli/install#--frozen-lockfile
-  '--no-frozen-lockfile',
-  // Enable a non-interactive pnpm install
-  // https://github.com/pnpm/pnpm/issues/6778
-  '--config.confirmModulesPurge=false', ...(extraArgs ?? [])];
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.stop();
-  const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await utils.runAgentInstall(pkgEnvDetails, {
-      args,
-      spinner,
-      stdio: require$$9.isDebug('stdio') ? 'inherit' : 'ignore'
-    });
-  } catch (error) {
-    const result = {
-      error
-    };
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', result);
-    return result;
-  }
-  const treeResult = await getActualTree(cwd);
-  if (treeResult.actualTree) {
-    if (wasSpinning) {
-      spinner.start();
-    }
-    return treeResult;
-  }
-  require$$9.debugFn('error', 'caught: await arb.loadActual() error');
-  require$$9.debugDir('inspect', treeResult);
-  if (wasSpinning) {
-    spinner.start();
-  }
-  return treeResult;
-}
-async function pnpmFix(pkgEnvDetails, fixConfig) {
-  const {
-    cwd,
-    purls,
-    spinner
-  } = fixConfig;
-  spinner?.start();
-  let actualTree;
-  let lockSrc = pkgEnvDetails.lockSrc;
-  let lockfile = utils.parsePnpmLockfile(lockSrc);
-  // Update pnpm-lock.yaml if its version is older than what the installed pnpm
-  // produces.
-  if (pkgEnvDetails.agentVersion.major >= 10 && (utils.parsePnpmLockfileVersion(lockfile?.lockfileVersion)?.major ?? 0) <= 6) {
-    const installResult = await install(pkgEnvDetails, {
-      args: ['--lockfile-only'],
-      cwd,
-      spinner
-    });
-    const maybeActualTree = installResult.actualTree;
-    if (maybeActualTree) {
-      lockSrc = (await utils.readLockfile(pkgEnvDetails.lockPath)) ?? '';
-    } else {
-      lockSrc = '';
-    }
-    if (lockSrc) {
-      actualTree = maybeActualTree;
-      lockfile = utils.parsePnpmLockfile(lockSrc);
-    } else {
-      lockfile = null;
-    }
-  }
-  // Exit early if pnpm-lock.yaml is not found or usable.
-  // Check !lockSrc to make TypeScript happy.
-  if (!lockfile || !lockSrc) {
-    spinner?.stop();
-    return {
-      ok: false,
-      message: 'Missing lockfile',
-      cause: 'Required pnpm-lock.yaml not found or usable'
-    };
-  }
-  let alertsMap;
-  try {
-    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions()) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getFixAlertsMapOptions());
-  } catch (e) {
-    spinner?.stop();
-    require$$9.debugFn('error', 'caught: Socket batch PURL API error');
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-    return {
-      ok: false,
-      message: 'Socket API error',
-      cause: e?.message || 'Unknown Socket batch PURL API error.'
-    };
-  }
-  let revertData;
-  let revertOverrides;
-  let revertOverridesSrc = '';
-  return await agentFix(pkgEnvDetails, actualTree, alertsMap, install, {
-    async beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, options) {
-      lockSrc = (await utils.readLockfile(pkgEnvDetails.lockPath)) ?? '';
-      // Update overrides for the root workspace.
-      if (editablePkgJson.filename === pkgEnvDetails.editablePkgJson.filename) {
-        const {
-          overrides: oldOverrides
-        } = getOverridesDataPnpm(pkgEnvDetails, editablePkgJson.content);
-        const oldPnpmSection = editablePkgJson.content['pnpm'];
-        const overrideKey = `${packument.name}@${vulnerableVersionRange}`;
-        revertOverridesSrc = utils.extractOverridesFromPnpmLockSrc(lockSrc);
-        // Track existing overrides in the root package.json to revert to later.
-        revertOverrides = {
-          pnpm: oldPnpmSection ? {
-            ...oldPnpmSection,
-            overrides: require$$10.hasKeys(oldOverrides) ? {
-              ...oldOverrides,
-              [overrideKey]: undefined
-            } :
-            // Properties with undefined values are deleted when saved as JSON.
-            undefined
-          } :
-          // Properties with undefined values are deleted when saved as JSON.
-          undefined
-        };
-        // Update overrides in the root package.json so that when `pnpm install`
-        // generates pnpm-lock.yaml it updates transitive dependencies too.
-        editablePkgJson.update({
-          pnpm: {
-            ...oldPnpmSection,
-            overrides: {
-              ...oldOverrides,
-              [overrideKey]: utils.applyRange(oldOverrides?.[overrideKey] ?? oldVersion, newVersion, options.rangeStyle)
-            }
-          }
-        });
-      } else {
-        revertOverrides = undefined;
-        revertOverridesSrc = '';
-      }
-      revertData = {
-        // If "pnpm" or "pnpm.overrides" fields are undefined they will be
-        // deleted when saved.
-        ...revertOverrides,
-        // Track existing dependencies in the root package.json to revert to later.
-        ...(editablePkgJson.content.dependencies && {
-          dependencies: {
-            ...editablePkgJson.content.dependencies
-          }
-        }),
-        ...(editablePkgJson.content.optionalDependencies && {
-          optionalDependencies: {
-            ...editablePkgJson.content.optionalDependencies
-          }
-        }),
-        ...(editablePkgJson.content.peerDependencies && {
-          peerDependencies: {
-            ...editablePkgJson.content.peerDependencies
-          }
-        })
-      };
-    },
-    async afterInstall(editablePkgJson) {
-      if (revertOverrides) {
-        // Revert overrides metadata in package.json now that pnpm-lock.yaml
-        // has been updated.
-        editablePkgJson.update(revertOverrides);
-        await editablePkgJson.save({
-          ignoreWhitespace: true
-        });
-      }
-      lockSrc = (await utils.readLockfile(pkgEnvDetails.lockPath)) ?? '';
-      // Remove "overrides" block from pnpm-lock.yaml lockfile when processing
-      // the root workspace.
-      if (editablePkgJson.filename === pkgEnvDetails.editablePkgJson.filename) {
-        const updatedOverridesContent = utils.extractOverridesFromPnpmLockSrc(lockSrc);
-        if (updatedOverridesContent) {
-          // Remove "overrides" block from pnpm-lock.yaml lockfile.
-          lockSrc = lockSrc.replace(updatedOverridesContent, revertOverridesSrc);
-          // Save pnpm-lock.yaml lockfile.
-          await fs$1.promises.writeFile(pkgEnvDetails.lockPath, lockSrc, 'utf8');
-        }
-      }
-    },
-    async revertInstall(editablePkgJson) {
-      if (revertData) {
-        // Revert package.json.
-        editablePkgJson.update(revertData);
-        await editablePkgJson.save({
-          ignoreWhitespace: true
-        });
-        // Revert pnpm-lock.yaml lockfile to be on the safe side.
-        await fs$1.promises.writeFile(pkgEnvDetails.lockPath, lockSrc, 'utf8');
-      }
-    }
-  }, fixConfig);
-}
-async function handleFix({
-  autoMerge,
-  cwd,
-  ghsas,
-  limit,
-  minSatisfying,
-  orgSlug,
-  outputKind,
-  prCheck,
-  purls,
-  rangeStyle,
-  spinner,
-  test,
-  testScript,
-  unknownFlags
-}) {
-  if (ghsas.length) {
-    await outputFixResult(await coanaFix({
-      autoMerge,
-      cwd,
-      ghsas,
-      limit,
-      orgSlug,
-      rangeStyle,
-      spinner,
-      unknownFlags
-    }), outputKind);
-    return;
-  }
-  const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$s,
-    logger: logger.logger
-  });
-  if (!pkgEnvCResult.ok) {
-    await outputFixResult(pkgEnvCResult, outputKind);
-    return;
-  }
-  const {
-    data: pkgEnvDetails
-  } = pkgEnvCResult;
-  if (!pkgEnvDetails) {
-    await outputFixResult({
-      ok: false,
-      message: 'No package found.',
-      cause: `No valid package environment found for project path: ${cwd}`
-    }, outputKind);
-    return;
-  }
-  require$$9.debugDir('inspect', {
-    pkgEnvDetails
-  });
-  const {
-    agent,
-    agentVersion
-  } = pkgEnvDetails;
-  const isNpm = agent === 'npm';
-  const isPnpm = agent === 'pnpm';
-  if (!isNpm && !isPnpm) {
-    await outputFixResult({
-      ok: false,
-      message: 'Not supported.',
-      cause: `${agent} v${agentVersion} is not supported by this command.`
-    }, outputKind);
-    return;
-  }
-  logger.logger.info(`Fixing packages for ${agent} v${agentVersion}.\n`);
-  const fixer = isNpm ? npmFix : pnpmFix;
-  await outputFixResult(await fixer(pkgEnvDetails, {
-    autoMerge,
-    cwd,
-    ghsas,
-    limit,
-    minSatisfying,
-    orgSlug,
-    prCheck,
-    purls,
-    rangeStyle,
-    spinner,
-    test,
-    testScript,
     unknownFlags
   }), outputKind);
 }
@@ -5172,7 +3939,8 @@ async function run$I(argv, importMeta, {
       autopilot: {
         type: 'boolean',
         default: false,
-        description: `Shorthand for --auto-merge --test`
+        description: `Shorthand for --auto-merge --test`,
+        hidden: true
       },
       ghsa: {
         type: 'string',
@@ -5195,7 +3963,8 @@ async function run$I(argv, importMeta, {
       minSatisfying: {
         type: 'boolean',
         default: false,
-        description: 'Constrain dependency updates to the minimum satisfying version'
+        description: 'Constrain dependency updates to the minimum satisfying version',
+        hidden: true
       },
       prCheck: {
         type: 'boolean',
@@ -5208,7 +3977,8 @@ async function run$I(argv, importMeta, {
         default: [],
         description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\nmultiple flags, instead of querying the Socket API`,
         isMultiple: true,
-        shortFlag: 'p'
+        shortFlag: 'p',
+        hidden: true
       },
       rangeStyle: {
         type: 'string',
@@ -7669,12 +6439,12 @@ async function run$t(argv, importMeta, {
 }
 const {
-  BUN: BUN$3,
-  NPM: NPM$3,
-  PNPM: PNPM$3,
-  VLT: VLT$4,
-  YARN_BERRY: YARN_BERRY$3,
-  YARN_CLASSIC: YARN_CLASSIC$3
+  BUN: BUN$4,
+  NPM: NPM$4,
+  PNPM: PNPM$4,
+  VLT: VLT$5,
+  YARN_BERRY: YARN_BERRY$4,
+  YARN_CLASSIC: YARN_CLASSIC$4
 } = constants;
 function matchLsCmdViewHumanStdout(stdout, name) {
   return stdout.includes(` ${name}@`);
@@ -7684,13 +6454,13 @@ function matchQueryCmdStdout(stdout, name) {
 }
 function lsStdoutIncludes(pkgEnvDetails, stdout, name) {
   switch (pkgEnvDetails.agent) {
-    case BUN$3:
-    case YARN_BERRY$3:
-    case YARN_CLASSIC$3:
+    case BUN$4:
+    case YARN_BERRY$4:
+    case YARN_CLASSIC$4:
       return matchLsCmdViewHumanStdout(stdout, name);
-    case PNPM$3:
-    case VLT$4:
-    case NPM$3:
+    case PNPM$4:
+    case VLT$5:
+    case NPM$4:
     default:
       return matchQueryCmdStdout(stdout, name);
   }
@@ -7720,6 +6490,88 @@ function getDependencyEntries(pkgEnvDetails) {
   }) => o);
 }
+const {
+  BUN: BUN$3,
+  NPM: NPM$3,
+  OVERRIDES: OVERRIDES$1,
+  PNPM: PNPM$3,
+  RESOLUTIONS: RESOLUTIONS$1,
+  VLT: VLT$4,
+  YARN_BERRY: YARN_BERRY$3,
+  YARN_CLASSIC: YARN_CLASSIC$3
+} = constants;
+function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_BERRY$3,
+    overrides
+  };
+}
+// npm overrides documentation:
+// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
+function getOverridesDataNpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
+  return {
+    type: NPM$3,
+    overrides
+  };
+}
+// pnpm overrides documentation:
+// https://pnpm.io/package_json#pnpmoverrides
+function getOverridesDataPnpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[PNPM$3]?.[OVERRIDES$1] ?? {};
+  return {
+    type: PNPM$3,
+    overrides
+  };
+}
+function getOverridesDataVlt(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
+  return {
+    type: VLT$4,
+    overrides
+  };
+}
+// Yarn resolutions documentation:
+// https://yarnpkg.com/configuration/manifest#resolutions
+function getOverridesDataYarn(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_BERRY$3,
+    overrides
+  };
+}
+// Yarn resolutions documentation:
+// https://classic.yarnpkg.com/en/docs/selective-version-resolutions
+function getOverridesDataYarnClassic(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_CLASSIC$3,
+    overrides
+  };
+}
+function getOverridesData(pkgEnvDetails, pkgJson) {
+  switch (pkgEnvDetails.agent) {
+    case BUN$3:
+      return getOverridesDataBun(pkgEnvDetails, pkgJson);
+    case PNPM$3:
+      return getOverridesDataPnpm(pkgEnvDetails, pkgJson);
+    case VLT$4:
+      return getOverridesDataVlt(pkgEnvDetails, pkgJson);
+    case YARN_BERRY$3:
+      return getOverridesDataYarn(pkgEnvDetails, pkgJson);
+    case YARN_CLASSIC$3:
+      return getOverridesDataYarnClassic(pkgEnvDetails, pkgJson);
+    case NPM$3:
+    default:
+      return getOverridesDataNpm(pkgEnvDetails, pkgJson);
+  }
+}
 const {
   BUN: BUN$2,
   LOCK_EXT,
@@ -15351,5 +14203,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=90019b4f-8311-420b-bbc8-2645bd67f319
+//# debugId=2d71faa1-844b-480a-a713-c572fd14e2f4
 //# sourceMappingURL=cli.js.map