npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.0.111 → 1.1.0 - Mend

@socketsecurity/cli-with-sentry 1.0.111 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/dist/cli.js +148 -1295
package/dist/cli.js.map +1 -1
package/dist/constants.js +6 -5
package/dist/constants.js.map +1 -1
package/dist/shadow-npm-bin.js +10 -4
package/dist/shadow-npm-bin.js.map +1 -1
package/dist/shadow-npm-inject.js +21 -240
package/dist/shadow-npm-inject.js.map +1 -1
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
package/dist/types/commands/fix/coana-fix.d.mts +1 -1
package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
package/dist/types/commands/fix/handle-fix.d.mts +1 -1
package/dist/types/commands/fix/handle-fix.d.mts.map +1 -1
package/dist/types/commands/fix/types.d.mts +18 -0
package/dist/types/commands/fix/types.d.mts.map +1 -0
package/dist/types/constants.d.mts.map +1 -1
package/dist/types/shadow/npm/arborist/lib/arborist/index.d.mts.map +1 -1
package/dist/types/shadow/npm/arborist-helpers.d.mts +1 -1
package/dist/types/shadow/npm/arborist-helpers.d.mts.map +1 -1
package/dist/types/shadow/npm/bin.d.mts.map +1 -1
package/dist/types/utils/alerts-map.d.mts.map +1 -1
package/dist/types/utils/fs.d.mts +3 -1
package/dist/types/utils/fs.d.mts.map +1 -1
package/dist/utils.js +990 -1222
package/dist/utils.js.map +1 -1
package/dist/vendor.js +111951 -119286
package/package.json +6 -6
package/dist/types/commands/fix/agent-fix.d.mts +0 -42
package/dist/types/commands/fix/agent-fix.d.mts.map +0 -1
package/dist/types/commands/fix/get-actual-tree.d.mts +0 -3
package/dist/types/commands/fix/get-actual-tree.d.mts.map +0 -1
package/dist/types/commands/fix/npm-fix.d.mts +0 -7
package/dist/types/commands/fix/npm-fix.d.mts.map +0 -1
package/dist/types/commands/fix/pnpm-fix.d.mts +0 -7
package/dist/types/commands/fix/pnpm-fix.d.mts.map +0 -1
package/dist/types/commands/fix/shared.d.mts +0 -10
package/dist/types/commands/fix/shared.d.mts.map +0 -1

package/dist/utils.js CHANGED Viewed

@@ -19,12 +19,11 @@ var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs = require('../external/@socketsecurity/registry/lib/fs');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var fs$1 = require('node:fs');
-var registry = require('../external/@socketsecurity/registry');
-var packages = require('../external/@socketsecurity/registry/lib/packages');
+var promises = require('node:timers/promises');
 var npm = require('../external/@socketsecurity/registry/lib/npm');
+var packages = require('../external/@socketsecurity/registry/lib/packages');
 var streams = require('../external/@socketsecurity/registry/lib/streams');
 var globs = require('../external/@socketsecurity/registry/lib/globs');
-var promises = require('node:timers/promises');
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 const sensitiveConfigKeyLookup = new Set(['apiToken']);
@@ -2266,13 +2265,6 @@ async function globWithGitIgnore(patterns, options) {
   }
   return filtered;
 }
-async function globStreamNodeModules(cwd = process.cwd()) {
-  return vendor.outExports.globStream('**/node_modules', {
-    absolute: true,
-    cwd,
-    onlyDirectories: true
-  });
-}
 async function globWorkspace(agent, cwd = process.cwd()) {
   const workspaceGlobs = await getWorkspaceGlobs(agent, cwd);
   return workspaceGlobs.length ? await vendor.outExports.glob(workspaceGlobs, {
@@ -2496,6 +2488,52 @@ function isHelpFlag(cmdArg) {
   return helpFlags.has(cmdArg);
 }
+async function findUp(name, options) {
+  const opts = {
+    __proto__: null,
+    ...options
+  };
+  const {
+    cwd = process.cwd(),
+    signal = constants.abortSignal
+  } = opts;
+  let {
+    onlyDirectories = false,
+    onlyFiles = true
+  } = opts;
+  if (onlyDirectories) {
+    onlyFiles = false;
+  }
+  if (onlyFiles) {
+    onlyDirectories = false;
+  }
+  let dir = path.resolve(cwd);
+  const {
+    root
+  } = path.parse(dir);
+  const names = [name].flat();
+  while (dir && dir !== root) {
+    for (const name of names) {
+      if (signal?.aborted) {
+        return undefined;
+      }
+      const thePath = path.join(dir, name);
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        const stats = await fs$1.promises.stat(thePath);
+        if (!onlyDirectories && (stats.isFile() || stats.isSymbolicLink())) {
+          return thePath;
+        }
+        if (!onlyFiles && stats.isDirectory()) {
+          return thePath;
+        }
+      } catch {}
+    }
+    dir = path.dirname(dir);
+  }
+  return undefined;
+}
 function extractTier1ReachabilityScanId(socketFactsFile) {
   const json = fs.readJsonSync(socketFactsFile, {
     throws: false
@@ -2678,1332 +2716,1072 @@ async function writeSocketJson(cwd, sockJson) {
   };
 }
-function isArtifactAlertCve(alert) {
-  const {
-    type
-  } = alert;
-  return type === constants.ALERT_TYPE_CVE || type === constants.ALERT_TYPE_MEDIUM_CVE || type === constants.ALERT_TYPE_MILD_CVE || type === constants.ALERT_TYPE_CRITICAL_CVE;
-}
-function createEnum(obj) {
-  return Object.freeze({
-    __proto__: null,
-    ...obj
-  });
+const RangeStyles = ['caret', 'gt', 'gte', 'lt', 'lte', 'pin', 'preserve', 'tilde'];
+function getMajor(version) {
+  try {
+    const coerced = vendor.semverExports.coerce(version);
+    return coerced ? vendor.semverExports.major(coerced) : null;
+  } catch {}
+  return null;
 }
-const ALERT_FIX_TYPE = createEnum({
-  cve: 'cve',
-  remove: 'remove',
-  upgrade: 'upgrade'
-});
-const ALERT_SEVERITY = createEnum({
-  critical: 'critical',
-  high: 'high',
-  middle: 'middle',
-  low: 'low'
-});
-class ColorOrMarkdown {
-  constructor(useMarkdown) {
-    this.useMarkdown = !!useMarkdown;
-  }
-  bold(text) {
-    return this.useMarkdown ? `**${text}**` : vendor.yoctocolorsCjsExports.bold(`${text}`);
-  }
-  header(text, level = 1) {
-    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : vendor.yoctocolorsCjsExports.underline(`\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`);
-  }
-  hyperlink(text, url, {
-    fallback = true,
-    fallbackToUrl
-  } = {}) {
-    if (url) {
-      return this.useMarkdown ? `[${text}](${url})` : vendor.terminalLinkExports(text, url, {
-        fallback: fallbackToUrl ? (_text, url) => url : fallback
-      });
-    }
-    return text;
-  }
-  indent(...args) {
-    return vendor.indentStringExports(...args);
-  }
-  italic(text) {
-    return this.useMarkdown ? `_${text}_` : vendor.yoctocolorsCjsExports.italic(`${text}`);
+const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion';
+function getCompletionSourcingCommand() {
+  // Note: this is exported to distPath in .config/rollup.dist.config.mjs
+  const completionScriptExportPath = path.join(constants.distPath, 'socket-completion.bash');
+  if (!fs$1.existsSync(completionScriptExportPath)) {
+    return {
+      ok: false,
+      message: 'Tab Completion script not found',
+      cause: `Expected to find completion script at \`${completionScriptExportPath}\` but it was not there`
+    };
   }
-  json(value) {
-    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
+  return {
+    ok: true,
+    data: `source ${completionScriptExportPath}`
+  };
+}
+function getBashrcDetails(targetCommandName) {
+  const sourcingCommand = getCompletionSourcingCommand();
+  if (!sourcingCommand.ok) {
+    return sourcingCommand;
   }
-  list(items) {
-    const indentedContent = items.map(item => this.indent(item).trimStart());
-    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
+  const {
+    socketAppDataPath
+  } = constants;
+  if (!socketAppDataPath) {
+    return {
+      ok: false,
+      message: 'Could not determine config directory',
+      cause: 'Failed to get config path'
+    };
   }
-}
-function toFilterConfig(obj) {
-  const normalized = {
-    __proto__: null
-  };
-  const keys = require$$10.isObject(obj) ? Object.keys(obj) : [];
-  for (const key of keys) {
-    const value = obj[key];
-    if (typeof value === 'boolean' || Array.isArray(value)) {
-      normalized[key] = value;
+  // _socket_completion is the function defined in our completion bash script
+  const completionCommand = `${COMPLETION_CMD_PREFIX} ${targetCommandName}`;
+  // Location of completion script in config after installing
+  const completionScriptPath = path.join(path.dirname(socketAppDataPath), 'completion', 'socket-completion.bash');
+  const bashrcContent = `# Socket CLI completion for "${targetCommandName}"
+if [ -f "${completionScriptPath}" ]; then
+    # Load the tab completion script
+    source "${completionScriptPath}"
+    # Tell bash to use this function for tab completion of this function
+    ${completionCommand}
+fi
+`;
+  return {
+    ok: true,
+    data: {
+      sourcingCommand: sourcingCommand.data,
+      completionCommand,
+      toAddToBashrc: bashrcContent,
+      targetName: targetCommandName,
+      targetPath: completionScriptPath
     }
-  }
-  return normalized;
+  };
 }
-const RangeStyles = ['caret', 'gt', 'gte', 'lt', 'lte', 'pin', 'preserve', 'tilde'];
-function applyRange(refRange, version, style = 'preserve') {
-  switch (style) {
-    case 'caret':
-      return `^${version}`;
-    case 'gt':
-      return `>${version}`;
-    case 'gte':
-      return `>=${version}`;
-    case 'lt':
-      return `<${version}`;
-    case 'lte':
-      return `<=${version}`;
-    case 'preserve':
-      {
-        const range = new vendor.semverExports.Range(refRange);
-        const {
-          raw
-        } = range;
-        const comparators = range.set.flat();
-        const {
-          length
-        } = comparators;
-        if (length === 1) {
-          const char = /^[<>]=?/.exec(raw)?.[0];
-          if (char) {
-            return `${char}${version}`;
-          }
-        } else if (length === 2) {
-          const char = /^[~^]/.exec(raw)?.[0];
-          if (char) {
-            return `${char}${version}`;
-          }
-        }
-        return version;
-      }
-    case 'tilde':
-      return `~${version}`;
-    case 'pin':
-    default:
-      return version;
+const {
+  kInternalsSymbol,
+  [kInternalsSymbol]: {
+    getSentry
+  }
+} = constants;
+class AuthError extends Error {}
+class InputError extends Error {
+  constructor(message, body) {
+    super(message);
+    this.body = body;
   }
 }
-function getMajor(version) {
-  try {
-    const coerced = vendor.semverExports.coerce(version);
-    return coerced ? vendor.semverExports.major(coerced) : null;
-  } catch {}
-  return null;
+async function captureException(exception, hint) {
+  const result = captureExceptionSync(exception, hint);
+  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
+  await promises.setTimeout(1000);
+  return result;
+}
+function captureExceptionSync(exception, hint) {
+  const Sentry = getSentry();
+  if (!Sentry) {
+    return '';
+  }
+  require$$9.debugFn('notice', 'send: exception to Sentry');
+  return Sentry.captureException(exception, hint);
 }
-function getMinVersion(range) {
+function npa(...args) {
   try {
-    return vendor.semverExports.minVersion(range);
+    return Reflect.apply(vendor.npaExports, undefined, args);
   } catch {}
   return null;
 }
-const require$1 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-let _translations;
-function getTranslations() {
-  if (_translations === undefined) {
-    _translations = /*@__PURE__*/require$1(path.join(constants.rootPath, 'translations.json'));
-  }
-  return _translations;
-}
-const ALERT_SEVERITY_COLOR = createEnum({
-  critical: 'magenta',
-  high: 'red',
-  middle: 'yellow',
-  low: 'white'
-});
-const ALERT_SEVERITY_ORDER = createEnum({
-  critical: 0,
-  high: 1,
-  middle: 2,
-  low: 3,
-  none: 4
-});
-const MIN_ABOVE_THE_FOLD_COUNT = 3;
-const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1;
-const format = new ColorOrMarkdown(false);
-function getHiddenRiskCounts(hiddenAlerts) {
-  const riskCounts = {
-    critical: 0,
-    high: 0,
-    middle: 0,
-    low: 0
+function shadowNpmInstall(options) {
+  const {
+    agentExecPath = getNpmBinPath(),
+    args = [],
+    ipc,
+    spinner,
+    ...spawnOpts
+  } = {
+    __proto__: null,
+    ...options
   };
-  for (const alert of hiddenAlerts) {
-    switch (getAlertSeverityOrder(alert)) {
-      case ALERT_SEVERITY_ORDER.critical:
-        riskCounts.critical += 1;
-        break;
-      case ALERT_SEVERITY_ORDER.high:
-        riskCounts.high += 1;
-        break;
-      case ALERT_SEVERITY_ORDER.middle:
-        riskCounts.middle += 1;
-        break;
-      case ALERT_SEVERITY_ORDER.low:
-        riskCounts.low += 1;
-        break;
+  const useDebug = require$$9.isDebug('stdio');
+  const terminatorPos = args.indexOf('--');
+  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
+  const binArgs = rawBinArgs.filter(a => !npm.isNpmAuditFlag(a) && !npm.isNpmFundFlag(a) && !npm.isNpmProgressFlag(a));
+  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
+  const progressArg = rawBinArgs.findLast(npm.isNpmProgressFlag) !== '--no-progress';
+  const isSilent = !useDebug && !binArgs.some(npm.isNpmLoglevelFlag);
+  const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : [];
+  const useIpc = require$$10.isObject(ipc);
+  // Include 'ipc' in the spawnOpts.stdio when an options.ipc object is provided.
+  // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
+  // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
+  let stdio = require$$10.getOwn(spawnOpts, 'stdio');
+  if (typeof stdio === 'string') {
+    stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio];
+  } else if (Array.isArray(stdio)) {
+    if (useIpc && !stdio.includes('ipc')) {
+      stdio = stdio.concat('ipc');
     }
+  } else {
+    stdio = useIpc ? ['pipe', 'pipe', 'pipe', 'ipc'] : 'pipe';
   }
-  return riskCounts;
-}
-function getHiddenRisksDescription(riskCounts) {
-  const descriptions = [];
-  if (riskCounts.critical) {
-    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`);
-  }
-  if (riskCounts.high) {
-    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`);
-  }
-  if (riskCounts.middle) {
-    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`);
-  }
-  if (riskCounts.low) {
-    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`);
+  const spawnPromise = spawn.spawn(constants.execPath, [...constants.nodeNoWarningsFlags, ...constants.nodeDebugFlags, ...constants.nodeHardenFlags, ...constants.nodeMemoryFlags, ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.instrumentWithSentryPath] : []), '--require', constants.shadowNpmInjectPath, npm.resolveBinPathSync(agentExecPath), 'install',
+  // Avoid code paths for 'audit' and 'fund'.
+  '--no-audit', '--no-fund',
+  // Add '--no-progress' to fix input being swallowed by the npm spinner.
+  '--no-progress',
+  // Add '--loglevel=silent' if a loglevel flag is not provided and the
+  // SOCKET_CLI_DEBUG environment variable is not truthy.
+  ...logLevelArgs, ...binArgs, ...otherArgs], {
+    ...spawnOpts,
+    env: {
+      ...process.env,
+      ...constants.processEnv,
+      ...require$$10.getOwn(spawnOpts, 'env')
+    },
+    spinner,
+    stdio
+  });
+  if (useIpc) {
+    spawnPromise.process.send({
+      [constants.SOCKET_IPC_HANDSHAKE]: {
+        [constants.SOCKET_CLI_SHADOW_BIN]: 'npm',
+        [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,
+        ...ipc
+      }
+    });
   }
-  return `(${descriptions.join('; ')})`;
+  return spawnPromise;
 }
-async function addArtifactToAlertsMap(artifact, alertsByPurl, options) {
-  // Make TypeScript happy.
-  if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-    return alertsByPurl;
-  }
+function runAgentInstall(pkgEnvDetails, options) {
   const {
-    type: ecosystem,
-    version
-  } = artifact;
+    agent,
+    agentExecPath
+  } = pkgEnvDetails;
+  const isNpm = agent === 'npm';
+  const isPnpm = agent === 'pnpm';
+  // All package managers support the "install" command.
+  if (isNpm) {
+    return shadowNpmInstall({
+      agentExecPath,
+      ...options
+    });
+  }
   const {
-    consolidate = false,
-    overrides,
-    socketYml
+    args = [],
+    spinner,
+    ...spawnOpts
   } = {
     __proto__: null,
     ...options
   };
-  const name = packages.resolvePackageName(artifact);
-  const filterConfig = toFilterConfig({
-    blocked: true,
-    critical: true,
-    cve: true,
-    ...require$$10.getOwn(options, 'filter')
+  const skipNodeHardenFlags = isPnpm && pkgEnvDetails.agentVersion.major < 11;
+  return spawn.spawn(agentExecPath, ['install', ...args], {
+    shell: constants.WIN32,
+    spinner,
+    stdio: 'inherit',
+    ...spawnOpts,
+    env: {
+      ...process.env,
+      ...constants.processEnv,
+      NODE_OPTIONS: cmdFlagsToString([...(skipNodeHardenFlags ? [] : constants.nodeHardenFlags), ...constants.nodeNoWarningsFlags]),
+      ...require$$10.getOwn(spawnOpts, 'env')
+    }
   });
-  const enabledState = {
-    __proto__: null,
-    ...socketYml?.issueRules
-  };
-  let sockPkgAlerts = [];
-  for (const alert of artifact.alerts) {
-    const action = alert.action ?? '';
-    const enabledFlag = enabledState[alert.type];
-    if (action === 'ignore' && enabledFlag !== true || enabledFlag === false) {
-      continue;
+}
+const {
+  BINARY_LOCK_EXT,
+  BUN,
+  HIDDEN_PACKAGE_LOCK_JSON,
+  LOCK_EXT,
+  NPM,
+  NPM_BUGGY_OVERRIDES_PATCHED_VERSION,
+  PACKAGE_JSON,
+  PNPM,
+  VLT,
+  YARN,
+  YARN_BERRY,
+  YARN_CLASSIC
+} = constants;
+const AGENTS = [BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT];
+const binByAgent = new Map([[BUN, BUN], [NPM, NPM], [PNPM, PNPM], [YARN_BERRY, YARN], [YARN_CLASSIC, YARN], [VLT, VLT]]);
+const readLockFileByAgent = (() => {
+  function wrapReader(reader) {
+    return async (...args) => {
+      try {
+        return await reader(...args);
+      } catch {}
+      return undefined;
+    };
+  }
+  const binaryReader = wrapReader(fs.readFileBinary);
+  const defaultReader = wrapReader(async lockPath => await fs.readFileUtf8(lockPath));
+  return new Map([[BUN, wrapReader(async (lockPath, agentExecPath, cwd = process.cwd()) => {
+    const ext = path.extname(lockPath);
+    if (ext === LOCK_EXT) {
+      return await defaultReader(lockPath);
     }
-    const blocked = action === 'error';
-    const critical = alert.severity === ALERT_SEVERITY.critical;
-    const cve = isArtifactAlertCve(alert);
-    const fixType = alert.fix?.type ?? '';
-    const fixableCve = fixType === ALERT_FIX_TYPE.cve;
-    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade;
-    const fixable = fixableCve || fixableUpgrade;
-    const upgradable = fixableUpgrade && !require$$10.hasOwn(overrides, name);
-    if (filterConfig.blocked && blocked || filterConfig.critical && critical || filterConfig.cve && cve || filterConfig.fixable && fixable || filterConfig.upgradable && upgradable) {
-      sockPkgAlerts.push({
-        name,
-        version,
-        key: alert.key,
-        type: alert.type,
-        blocked,
-        critical,
-        ecosystem,
-        fixable,
-        raw: alert,
-        upgradable
-      });
+    if (ext === BINARY_LOCK_EXT) {
+      const lockBuffer = await binaryReader(lockPath);
+      if (lockBuffer) {
+        try {
+          return vendor.hyrious__bun_lockbExports.parse(lockBuffer);
+        } catch {}
+      }
+      // To print a Yarn lockfile to your console without writing it to disk
+      // use `bun bun.lockb`.
+      // https://bun.sh/guides/install/yarnlock
+      return (await spawn.spawn(agentExecPath, [lockPath], {
+        cwd,
+        shell: constants.WIN32
+      })).stdout;
     }
+    return undefined;
+  })], [NPM, defaultReader], [PNPM, defaultReader], [VLT, defaultReader], [YARN_BERRY, defaultReader], [YARN_CLASSIC, defaultReader]]);
+})();
+// The order of LOCKS properties IS significant as it affects iteration order.
+const LOCKS = {
+  [`bun${LOCK_EXT}`]: BUN,
+  [`bun${BINARY_LOCK_EXT}`]: BUN,
+  // If both package-lock.json and npm-shrinkwrap.json are present in the root
+  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
+  // will be ignored.
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
+  'npm-shrinkwrap.json': NPM,
+  'package-lock.json': NPM,
+  'pnpm-lock.yaml': PNPM,
+  'pnpm-lock.yml': PNPM,
+  [`yarn${LOCK_EXT}`]: YARN_CLASSIC,
+  'vlt-lock.json': VLT,
+  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
+  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
+  //
+  // Unlike the other LOCKS keys this key contains a directory AND filename so
+  // it has to be handled differently.
+  'node_modules/.package-lock.json': NPM
+};
+async function getAgentExecPath(agent) {
+  const binName = binByAgent.get(agent);
+  if (binName === NPM) {
+    return constants.npmExecPath;
   }
-  if (!sockPkgAlerts.length) {
-    return alertsByPurl;
+  return (await vendor.libExports$1(binName, {
+    nothrow: true
+  })) ?? binName;
+}
+async function getAgentVersion(agent, agentExecPath, cwd) {
+  let result;
+  const quotedCmd = `\`${agent} --version\``;
+  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
+  try {
+    result =
+    // Coerce version output into a valid semver version by passing it through
+    // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
+    // and tildes (~).
+    vendor.semverExports.coerce(
+    // All package managers support the "--version" flag.
+    (await spawn.spawn(agentExecPath, ['--version'], {
+      cwd,
+      shell: constants.WIN32
+    })).stdout) ?? undefined;
+  } catch (e) {
+    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
+    require$$9.debugDir('inspect', {
+      error: e
+    });
   }
-  const purl = `pkg:${ecosystem}/${name}@${version}`;
-  const major = getMajor(version);
-  if (consolidate) {
-    const highestForCve = new Map();
-    const highestForUpgrade = new Map();
-    const unfixableAlerts = [];
-    for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw;
-      const fixType = alert.fix?.type ?? '';
-      if (fixType === ALERT_FIX_TYPE.cve) {
-        // An alert with alert.fix.type of 'cve' should have a
-        // alert.props.firstPatchedVersionIdentifier property value.
-        // We're just being cautious.
-        const firstPatchedVersionIdentifier = alert.props?.firstPatchedVersionIdentifier;
-        const patchedMajor = firstPatchedVersionIdentifier ? getMajor(firstPatchedVersionIdentifier) : null;
-        if (typeof patchedMajor === 'number') {
-          // Consolidate to the highest "first patched version" by each major
-          // version number.
-          const highest = highestForCve.get(patchedMajor)?.version ?? '0.0.0';
-          if (vendor.semverExports.gt(firstPatchedVersionIdentifier, highest)) {
-            highestForCve.set(patchedMajor, {
-              alert: sockPkgAlert,
-              version: firstPatchedVersionIdentifier
-            });
-          }
-        } else {
-          unfixableAlerts.push(sockPkgAlert);
-        }
-      } else if (fixType === ALERT_FIX_TYPE.upgrade) {
-        // For Socket Optimize upgrades we assume the highest version available
-        // is compatible. This may change in the future.
-        const highest = highestForUpgrade.get(major)?.version ?? '0.0.0';
-        if (vendor.semverExports.gt(version, highest)) {
-          highestForUpgrade.set(major, {
-            alert: sockPkgAlert,
-            version
-          });
-        }
-      } else {
-        unfixableAlerts.push(sockPkgAlert);
+  return result;
+}
+async function detectPackageEnvironment({
+  cwd = process.cwd(),
+  onUnknown
+} = {}) {
+  let lockPath = await findUp(Object.keys(LOCKS), {
+    cwd
+  });
+  let lockName = lockPath ? path.basename(lockPath) : undefined;
+  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON;
+  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`) : await findUp(PACKAGE_JSON, {
+    cwd
+  });
+  const pkgPath = pkgJsonPath && fs$1.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
+  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
+    editable: true
+  }) : undefined;
+  // Read Corepack `packageManager` field in package.json:
+  // https://nodejs.org/api/packages.html#packagemanager
+  const pkgManager = strings.isNonEmptyString(editablePkgJson?.content?.packageManager) ? editablePkgJson.content.packageManager : undefined;
+  let agent;
+  if (pkgManager) {
+    // A valid "packageManager" field value is "<package manager name>@<version>".
+    // https://nodejs.org/api/packages.html#packagemanager
+    const atSignIndex = pkgManager.lastIndexOf('@');
+    if (atSignIndex !== -1) {
+      const name = pkgManager.slice(0, atSignIndex);
+      const version = pkgManager.slice(atSignIndex + 1);
+      if (version && AGENTS.includes(name)) {
+        agent = name;
       }
     }
-    sockPkgAlerts = [
-    // Sort CVE alerts by severity: critical, high, middle, then low.
-    ...Array.from(highestForCve.values()).map(d => d.alert).sort(alertSeverityComparator), ...Array.from(highestForUpgrade.values()).map(d => d.alert), ...unfixableAlerts];
-  } else {
-    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
   }
-  if (sockPkgAlerts.length) {
-    alertsByPurl.set(purl, sockPkgAlerts);
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
+    agent = LOCKS[lockName];
+  }
+  if (agent === undefined) {
+    agent = NPM;
+    onUnknown?.(pkgManager);
+  }
+  const agentExecPath = await getAgentExecPath(agent);
+  const agentVersion = await getAgentVersion(agent, agentExecPath, cwd);
+  if (agent === YARN_CLASSIC && (agentVersion?.major ?? 0) > 1) {
+    agent = YARN_BERRY;
   }
-  return alertsByPurl;
-}
-function alertsHaveBlocked(alerts) {
-  return alerts.find(a => a.blocked) !== undefined;
-}
-function alertsHaveSeverity(alerts, severity) {
-  return alerts.find(a => a.raw.severity === severity) !== undefined;
-}
-function alertSeverityComparator(a, b) {
-  // Put the most severe first.
-  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b);
-}
-function getAlertSeverityOrder(alert) {
-  // The more severe, the lower the sort number.
   const {
-    severity
-  } = alert.raw;
-  return severity === ALERT_SEVERITY.critical ? 0 : severity === ALERT_SEVERITY.high ? 1 : severity === ALERT_SEVERITY.middle ? 2 : severity === ALERT_SEVERITY.low ? 3 : 4;
-}
-function getAlertsSeverityOrder(alerts) {
-  return alertsHaveBlocked(alerts) || alertsHaveSeverity(alerts, ALERT_SEVERITY.critical) ? 0 : alertsHaveSeverity(alerts, ALERT_SEVERITY.high) ? 1 : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle) ? 2 : alertsHaveSeverity(alerts, ALERT_SEVERITY.low) ? 3 : 4;
-}
-function getCveInfoFromAlertsMap(alertsMap, options) {
-  const filterConfig = toFilterConfig(require$$10.getOwn(options, 'filter'));
-  let infoByPartialPurl = null;
-  // eslint-disable-next-line no-unused-labels
-  for (const {
-    0: purl,
-    1: sockPkgAlerts
-  } of alertsMap) {
-    const purlObj = getPurlObject(purl);
-    const partialPurl = new vendor.packageurlJsExports.PackageURL(purlObj.type, purlObj.namespace, purlObj.name).toString();
-    const name = packages.resolvePackageName(purlObj);
-    sockPkgAlertsLoop: for (const sockPkgAlert of sockPkgAlerts) {
-      const alert = sockPkgAlert.raw;
-      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || filterConfig.upgradable === false && registry.getManifestData(sockPkgAlert.ecosystem, name)) {
-        continue sockPkgAlertsLoop;
-      }
-      if (!infoByPartialPurl) {
-        infoByPartialPurl = new Map();
+    maintainedNodeVersions
+  } = constants;
+  const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent);
+  const minSupportedNodeMajor = vendor.semverExports.major(maintainedNodeVersions.last);
+  const minSupportedNodeVersion = `${minSupportedNodeMajor}.0.0`;
+  const minSupportedNodeRange = `>=${minSupportedNodeMajor}`;
+  const nodeVersion = vendor.semverExports.coerce(process.version);
+  let lockSrc;
+  let pkgAgentRange;
+  let pkgNodeRange;
+  let pkgMinAgentVersion = minSupportedAgentVersion;
+  let pkgMinNodeVersion = minSupportedNodeVersion;
+  if (editablePkgJson?.content) {
+    const {
+      engines
+    } = editablePkgJson.content;
+    const engineAgentRange = engines?.[agent];
+    const engineNodeRange = engines?.['node'];
+    if (strings.isNonEmptyString(engineAgentRange)) {
+      pkgAgentRange = engineAgentRange;
+      // Roughly check agent range as semver.coerce will strip leading
+      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+      const coerced = vendor.semverExports.coerce(pkgAgentRange);
+      if (coerced && vendor.semverExports.lt(coerced, pkgMinAgentVersion)) {
+        pkgMinAgentVersion = coerced.version;
       }
-      let infos = infoByPartialPurl.get(partialPurl);
-      if (!infos) {
-        infos = new Map();
-        infoByPartialPurl.set(partialPurl, infos);
+    }
+    if (strings.isNonEmptyString(engineNodeRange)) {
+      pkgNodeRange = engineNodeRange;
+      // Roughly check Node range as semver.coerce will strip leading
+      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+      const coerced = vendor.semverExports.coerce(pkgNodeRange);
+      if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
+        pkgMinNodeVersion = coerced.version;
       }
-      const {
-        key
-      } = alert;
-      if (!infos.has(key)) {
-        // An alert with alert.fix.type of 'cve' should have a
-        // alert.props.firstPatchedVersionIdentifier property value.
-        // We're just being cautious.
-        const firstPatchedVersionIdentifier = alert.props?.firstPatchedVersionIdentifier;
-        const vulnerableVersionRange = alert.props?.vulnerableVersionRange;
-        let error;
-        if (firstPatchedVersionIdentifier && vulnerableVersionRange) {
-          try {
-            infos.set(key, {
-              firstPatchedVersionIdentifier,
-              vulnerableVersionRange: new vendor.semverExports.Range(
-              // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
-              // semver.Range will parse it without erroring.
-              vulnerableVersionRange.replace(/, +/g, ' ').replace(/; +/g, ' || ')).format()
-            });
-            continue sockPkgAlertsLoop;
-          } catch (e) {
-            error = e;
-          }
+    }
+    const browserslistQuery = editablePkgJson.content['browserslist'];
+    if (Array.isArray(browserslistQuery)) {
+      // List Node targets in ascending version order.
+      const browserslistNodeTargets = vendor.browserslistExports(browserslistQuery).filter(v => /^node /i.test(v)).map(v => v.slice(5 /*'node '.length*/)).sort(sorts.naturalCompare);
+      if (browserslistNodeTargets.length) {
+        // browserslistNodeTargets[0] is the lowest Node target version.
+        const coerced = vendor.semverExports.coerce(browserslistNodeTargets[0]);
+        if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
+          pkgMinNodeVersion = coerced.version;
         }
-        require$$9.debugFn('error', 'fail: invalid SocketPackageAlert');
-        require$$9.debugDir('inspect', {
-          alert,
-          error
-        });
       }
     }
+    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent.get(agent)(lockPath, agentExecPath, cwd) : undefined;
+  } else {
+    lockName = undefined;
+    lockPath = undefined;
   }
-  return infoByPartialPurl;
-}
-function getSeverityLabel(severity) {
-  return severity === 'middle' ? 'moderate' : severity;
+  // Does the system agent version meet our minimum supported agent version?
+  const agentSupported = !!agentVersion && vendor.semverExports.satisfies(agentVersion, `>=${minSupportedAgentVersion}`);
+  // Does the system Node version meet our minimum supported Node version?
+  const nodeSupported = vendor.semverExports.satisfies(nodeVersion, minSupportedNodeRange);
+  const npmExecPath = agent === NPM ? agentExecPath : await getAgentExecPath(NPM);
+  const npmBuggyOverrides = agent === NPM && !!agentVersion && vendor.semverExports.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION);
+  const pkgMinAgentRange = `>=${pkgMinAgentVersion}`;
+  const pkgMinNodeRange = `>=${vendor.semverExports.major(pkgMinNodeVersion)}`;
+  return {
+    agent,
+    agentExecPath,
+    agentSupported,
+    agentVersion,
+    editablePkgJson,
+    features: {
+      npmBuggyOverrides
+    },
+    lockName,
+    lockPath,
+    lockSrc,
+    nodeSupported,
+    nodeVersion,
+    npmExecPath,
+    pkgPath,
+    pkgRequirements: {
+      agent: pkgAgentRange ?? pkgMinAgentRange,
+      node: pkgNodeRange ?? pkgMinNodeRange
+    },
+    pkgSupports: {
+      // Does our minimum supported agent version meet the package's requirements?
+      agent: vendor.semverExports.satisfies(minSupportedAgentVersion, pkgMinAgentRange),
+      // Does our supported Node versions meet the package's requirements?
+      node: maintainedNodeVersions.some(v => vendor.semverExports.satisfies(v, pkgMinNodeRange))
+    }
+  };
 }
-function logAlertsMap(alertsMap, options) {
+async function detectAndValidatePackageEnvironment(cwd, options) {
   const {
-    hideAt = 'middle',
-    output = process.stderr
+    cmdName = '',
+    logger,
+    prod
   } = {
     __proto__: null,
     ...options
   };
-  const translations = getTranslations();
-  const sortedEntries = Array.from(alertsMap.entries()).sort((a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1]));
-  const aboveTheFoldPurls = new Set();
-  const viewableAlertsByPurl = new Map();
-  const hiddenAlertsByPurl = new Map();
-  for (let i = 0, {
-      length
-    } = sortedEntries; i < length; i += 1) {
-    const {
-      0: purl,
-      1: alerts
-    } = sortedEntries[i];
-    const hiddenAlerts = [];
-    const viewableAlerts = alerts.filter(a => {
-      const keep = a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt];
-      if (!keep) {
-        hiddenAlerts.push(a);
-      }
-      return keep;
-    });
-    if (hiddenAlerts.length) {
-      hiddenAlertsByPurl.set(purl, hiddenAlerts.sort(alertSeverityComparator));
-    }
-    if (!viewableAlerts.length) {
-      continue;
-    }
-    viewableAlerts.sort(alertSeverityComparator);
-    viewableAlertsByPurl.set(purl, viewableAlerts);
-    if (viewableAlerts.find(a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle)) {
-      aboveTheFoldPurls.add(purl);
+  const details = await detectPackageEnvironment({
+    cwd,
+    onUnknown(pkgManager) {
+      logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`));
     }
+  });
+  const {
+    agent,
+    nodeVersion,
+    pkgRequirements
+  } = details;
+  const agentVersion = details.agentVersion ?? 'unknown';
+  if (!details.agentSupported) {
+    const minVersion = constants.minimumVersionByAgent.get(agent);
+    return {
+      ok: false,
+      message: 'Version mismatch',
+      cause: cmdPrefixMessage(cmdName, `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`)
+    };
   }
-  // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
-  for (const {
-    0: purl
-  } of viewableAlertsByPurl.entries()) {
-    if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {
-      break;
-    }
-    aboveTheFoldPurls.add(purl);
-  }
-  // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
-  for (const {
-    0: purl,
-    1: hiddenAlerts
-  } of hiddenAlertsByPurl.entries()) {
-    if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {
-      break;
-    }
-    aboveTheFoldPurls.add(purl);
-    const viewableAlerts = viewableAlertsByPurl.get(purl) ?? [];
-    if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
-      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length;
-      let removedHiddenAlerts;
-      if (hiddenAlerts.length - neededCount > 0) {
-        removedHiddenAlerts = hiddenAlerts.splice(0, MIN_ABOVE_THE_FOLD_ALERT_COUNT);
-      } else {
-        removedHiddenAlerts = hiddenAlerts;
-        hiddenAlertsByPurl.delete(purl);
-      }
-      viewableAlertsByPurl.set(purl, [...viewableAlerts, ...removedHiddenAlerts]);
-    }
+  if (!details.nodeSupported) {
+    const minVersion = constants.maintainedNodeVersions.last;
+    return {
+      ok: false,
+      message: 'Version mismatch',
+      cause: cmdPrefixMessage(cmdName, `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`)
+    };
   }
-  const mentionedPurlsWithHiddenAlerts = new Set();
-  for (let i = 0, prevAboveTheFold = true, entries = Array.from(viewableAlertsByPurl.entries()), {
-      length
-    } = entries; i < length; i += 1) {
-    const {
-      0: purl,
-      1: alerts
-    } = entries[i];
-    const lines = new Set();
-    for (const alert of alerts) {
-      const {
-        type
-      } = alert;
-      const severity = alert.raw.severity ?? '';
-      const attributes = [...(severity ? [vendor.yoctocolorsCjsExports[ALERT_SEVERITY_COLOR[severity]](getSeverityLabel(severity))] : []), ...(alert.blocked ? [vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.red('blocked'))] : []), ...(alert.fixable ? ['fixable'] : [])];
-      const maybeAttributes = attributes.length ? ` ${vendor.yoctocolorsCjsExports.italic(`(${attributes.join('; ')})`)}` : '';
-      // Based data from { pageProps: { alertTypes } } of:
-      // https://socket.dev/_next/data/9a6db8224b68b6da0eb9f7dbb17aff7e51568ac2/en-US.json
-      const info = translations.alerts[type];
-      const title = info?.title ?? type;
-      const maybeDesc = info?.description ? ` - ${info.description}` : '';
-      const content = `${title}${maybeAttributes}${maybeDesc}`;
-      // TODO: An added emoji seems to mis-align terminals sometimes.
-      lines.add(`  ${content}`);
-    }
-    const purlObj = getPurlObject(purl);
-    const pkgName = packages.resolvePackageName(purlObj);
-    const hyperlink = format.hyperlink(pkgName, getSocketDevPackageOverviewUrl(purlObj.type, pkgName, purlObj.version));
-    const isAboveTheFold = aboveTheFoldPurls.has(purl);
-    if (isAboveTheFold) {
-      aboveTheFoldPurls.add(purl);
-      output.write(`${i ? '\n' : ''}${hyperlink}:\n`);
-    } else {
-      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`);
-    }
-    for (const line of lines) {
-      output.write(`${line}\n`);
-    }
-    const hiddenAlerts = hiddenAlertsByPurl.get(purl) ?? [];
-    const {
-      length: hiddenAlertsCount
-    } = hiddenAlerts;
-    if (hiddenAlertsCount) {
-      mentionedPurlsWithHiddenAlerts.add(purl);
-      if (hiddenAlertsCount === 1) {
-        output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`);
-      } else {
-        output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+${hiddenAlertsCount} Hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`);
-      }
-    }
-    prevAboveTheFold = isAboveTheFold;
+  if (!details.pkgSupports.agent) {
+    return {
+      ok: false,
+      message: 'Engine mismatch',
+      cause: cmdPrefixMessage(cmdName, `Package engine "${agent}" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`)
+    };
   }
-  const additionalHiddenCount = hiddenAlertsByPurl.size - mentionedPurlsWithHiddenAlerts.size;
-  if (additionalHiddenCount) {
-    const totalRiskCounts = {
-      critical: 0,
-      high: 0,
-      middle: 0,
-      low: 0
+  if (!details.pkgSupports.node) {
+    return {
+      ok: false,
+      message: 'Version mismatch',
+      cause: cmdPrefixMessage(cmdName, `Package engine "node" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`)
     };
-    for (const {
-      0: purl,
-      1: alerts
-    } of hiddenAlertsByPurl.entries()) {
-      if (mentionedPurlsWithHiddenAlerts.has(purl)) {
-        continue;
-      }
-      const riskCounts = getHiddenRiskCounts(alerts);
-      totalRiskCounts.critical += riskCounts.critical;
-      totalRiskCounts.high += riskCounts.high;
-      totalRiskCounts.middle += riskCounts.middle;
-      totalRiskCounts.low += riskCounts.low;
-    }
-    output.write(`${aboveTheFoldPurls.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPurls.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`);
   }
-  output.write('\n');
-}
-function idToNpmPurl(id) {
-  return `pkg:npm/${id}`;
-}
-function idToPurl(id, type) {
-  return `pkg:${type}/${id}`;
-}
-function extractOverridesFromPnpmLockSrc(lockfileContent) {
-  let match;
-  if (typeof lockfileContent === 'string') {
-    match = /^overrides:(?:\r?\n {2}.+)+(?:\r?\n)*/m.exec(lockfileContent)?.[0];
-  }
-  return match ?? '';
-}
-async function extractPurlsFromPnpmLockfile(lockfile) {
-  const packages = lockfile?.packages ?? {};
-  const seen = new Set();
-  const visit = pkgPath => {
-    if (seen.has(pkgPath)) {
-      return;
-    }
-    const pkg = packages[pkgPath];
-    if (!pkg) {
-      return;
-    }
-    seen.add(pkgPath);
-    const deps = {
-      __proto__: null,
-      ...pkg.dependencies,
-      ...pkg.optionalDependencies,
-      ...pkg.devDependencies
+  const lockName = details.lockName ?? 'lock file';
+  if (details.lockName === undefined || details.lockSrc === undefined) {
+    return {
+      ok: false,
+      message: 'Missing lockfile',
+      cause: cmdPrefixMessage(cmdName, `No ${lockName} found`)
     };
-    for (const depName in deps) {
-      const ref = deps[depName];
-      const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`;
-      visit(subKey);
-    }
-  };
-  for (const pkgPath of Object.keys(packages)) {
-    visit(pkgPath);
   }
-  return Array.from(seen).map(p => idToNpmPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))));
-}
-function isPnpmDepPath(maybeDepPath) {
-  return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47; /*'/'*/
-}
-function parsePnpmLockfile(lockfileContent) {
-  let result;
-  if (typeof lockfileContent === 'string') {
-    try {
-      result = vendor.jsYaml.load(strings.stripBom(lockfileContent));
-    } catch {}
+  if (details.lockSrc.trim() === '') {
+    return {
+      ok: false,
+      message: 'Empty lockfile',
+      cause: cmdPrefixMessage(cmdName, `${lockName} is empty`)
+    };
   }
-  return require$$10.isObjectObject(result) ? result : null;
-}
-function parsePnpmLockfileVersion(version) {
-  try {
-    return vendor.semverExports.coerce(version);
-  } catch {}
-  return null;
-}
-function stripLeadingPnpmDepPathSlash(depPath) {
-  return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath;
-}
-function stripPnpmPeerSuffix(depPath) {
-  const parenIndex = depPath.indexOf('(');
-  const index = parenIndex === -1 ? depPath.indexOf('_') : parenIndex;
-  return index === -1 ? depPath : depPath.slice(0, index);
-}
-async function getAlertsMapFromPnpmLockfile(lockfile, options) {
-  const purls = await extractPurlsFromPnpmLockfile(lockfile);
-  return await getAlertsMapFromPurls(purls, {
-    overrides: lockfile.overrides,
-    ...options
-  });
-}
-async function getAlertsMapFromPurls(purls, options) {
-  const uniqPurls = arrays.arrayUnique(purls);
-  require$$9.debugDir('silly', {
-    purls: uniqPurls
-  });
-  let {
-    length: remaining
-  } = uniqPurls;
-  const alertsByPurl = new Map();
-  if (!remaining) {
-    return alertsByPurl;
+  if (details.pkgPath === undefined) {
+    return {
+      ok: false,
+      message: 'Missing package.json',
+      cause: cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`)
+    };
   }
-  const opts = {
-    __proto__: null,
-    consolidate: false,
-    nothrow: false,
-    ...options,
-    filter: toFilterConfig(require$$10.getOwn(options, 'filter'))
-  };
-  if (opts.onlyFixable) {
-    opts.filter.fixable = true;
+  if (prod && (agent === BUN || agent === YARN_BERRY)) {
+    return {
+      ok: false,
+      message: 'Bad input',
+      cause: cmdPrefixMessage(cmdName, `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`)
+    };
   }
-  const {
-    apiToken = getPublicApiToken(),
-    spinner
-  } = opts;
-  const getText = () => `Looking up data for ${remaining} packages`;
-  spinner?.start(getText());
-  const sockSdkCResult = await setupSdk({
-    apiToken
-  });
-  if (!sockSdkCResult.ok) {
-    spinner?.stop();
-    throw new Error('Auth error: Run `socket login` first');
+  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
+    // Note: In tests we return <redacted> because otherwise snapshots will fail.
+    logger?.warn(cmdPrefixMessage(cmdName, `Package ${lockName} found at ${constants.ENV.VITEST ? constants.REDACTED : details.lockPath}`));
   }
-  const sockSdk = sockSdkCResult.data;
-  const socketYml = findSocketYmlSync()?.parsed;
-  const alertsMapOptions = {
-    overrides: opts.overrides,
-    consolidate: opts.consolidate,
-    filter: opts.filter,
-    socketYml,
-    spinner
+  return {
+    ok: true,
+    data: details
   };
-  for await (const batchResult of sockSdk.batchPackageStream({
-    components: uniqPurls.map(purl => ({
-      purl
-    }))
-  }, {
-    queryParams: {
-      alerts: 'true',
-      compact: 'true',
-      ...(opts.onlyFixable ? {
-        fixable: 'true '
-      } : {}),
-      ...(Array.isArray(opts.filter.actions) ? {
-        actions: opts.filter.actions.join(',')
-      } : {})
-    }
-  })) {
-    if (batchResult.success) {
-      const artifact = batchResult.data;
-      await addArtifactToAlertsMap(artifact, alertsByPurl, alertsMapOptions);
-    } else if (!opts.nothrow) {
-      spinner?.stop();
-      if (strings.isNonEmptyString(batchResult.error)) {
-        throw new Error(batchResult.error);
-      }
-      const statusCode = batchResult.status ?? 'unknown';
-      throw new Error(`Socket API server error (${statusCode}): No status message`);
-    } else {
-      spinner?.stop();
-      logger.logger.fail(`Received a ${batchResult.status} response from Socket API which we consider a permanent failure:`, batchResult.error, batchResult.cause ? `( ${batchResult.cause} )` : '');
-      require$$9.debugDir('inspect', {
-        batchResult
-      });
-      break;
-    }
-    remaining -= 1;
-    if (remaining > 0) {
-      spinner?.start(getText());
-    }
-  }
-  spinner?.stop();
-  return alertsByPurl;
 }
-function npa(...args) {
-  try {
-    return Reflect.apply(vendor.npaExports, undefined, args);
-  } catch {}
-  return null;
+const ALL_ECOSYSTEMS = ['apk', 'bitbucket', 'cargo', 'chrome', 'cocoapods', 'composer', 'conan', 'conda', 'cran', 'deb', 'docker', 'gem', 'generic', 'github', 'golang', 'hackage', 'hex', 'huggingface', 'maven', 'mlflow', 'npm', 'nuget', 'oci', 'pub', 'pypi', 'qpkg', 'rpm', 'swift', 'swid', 'unknown'];
+new Set(ALL_ECOSYSTEMS);
+function getEcosystemChoicesForMeow() {
+  return [...ALL_ECOSYSTEMS];
 }
-async function removeNodeModules(cwd = process.cwd()) {
-  const stream = await globStreamNodeModules(cwd);
-  await streams.parallelEach(stream, p => fs.remove(p, {
-    force: true,
-    recursive: true
-  }), {
-    concurrency: 8
+function isArtifactAlertCve(alert) {
+  const {
+    type
+  } = alert;
+  return type === constants.ALERT_TYPE_CVE || type === constants.ALERT_TYPE_MEDIUM_CVE || type === constants.ALERT_TYPE_MILD_CVE || type === constants.ALERT_TYPE_CRITICAL_CVE;
+}
+function createEnum(obj) {
+  return Object.freeze({
+    __proto__: null,
+    ...obj
   });
 }
-async function findUp(name, {
-  cwd = process.cwd(),
-  signal = constants.abortSignal
-}) {
-  let dir = path.resolve(cwd);
-  const {
-    root
-  } = path.parse(dir);
-  const names = [name].flat();
-  while (dir && dir !== root) {
-    for (const name of names) {
-      if (signal?.aborted) {
-        return undefined;
-      }
-      const filePath = path.join(dir, name);
-      try {
-        // eslint-disable-next-line no-await-in-loop
-        const stats = await fs$1.promises.stat(filePath);
-        if (stats.isFile()) {
-          return filePath;
-        }
-      } catch {}
+const ALERT_FIX_TYPE = createEnum({
+  cve: 'cve',
+  remove: 'remove',
+  upgrade: 'upgrade'
+});
+const ALERT_SEVERITY = createEnum({
+  critical: 'critical',
+  high: 'high',
+  middle: 'middle',
+  low: 'low'
+});
+class ColorOrMarkdown {
+  constructor(useMarkdown) {
+    this.useMarkdown = !!useMarkdown;
+  }
+  bold(text) {
+    return this.useMarkdown ? `**${text}**` : vendor.yoctocolorsCjsExports.bold(`${text}`);
+  }
+  header(text, level = 1) {
+    return this.useMarkdown ? `\n${''.padStart(level, '#')} ${text}\n` : vendor.yoctocolorsCjsExports.underline(`\n${level === 1 ? vendor.yoctocolorsCjsExports.bold(text) : text}\n`);
+  }
+  hyperlink(text, url, {
+    fallback = true,
+    fallbackToUrl
+  } = {}) {
+    if (url) {
+      return this.useMarkdown ? `[${text}](${url})` : vendor.terminalLinkExports(text, url, {
+        fallback: fallbackToUrl ? (_text, url) => url : fallback
+      });
     }
-    dir = path.dirname(dir);
+    return text;
+  }
+  indent(...args) {
+    return vendor.indentStringExports(...args);
+  }
+  italic(text) {
+    return this.useMarkdown ? `_${text}_` : vendor.yoctocolorsCjsExports.italic(`${text}`);
+  }
+  json(value) {
+    return this.useMarkdown ? '```json\n' + JSON.stringify(value) + '\n```' : JSON.stringify(value);
+  }
+  list(items) {
+    const indentedContent = items.map(item => this.indent(item).trimStart());
+    return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
   }
-  return undefined;
 }
-function shadowNpmInstall(options) {
-  const {
-    agentExecPath = getNpmBinPath(),
-    args = [],
-    ipc,
-    spinner,
-    ...spawnOpts
-  } = {
-    __proto__: null,
-    ...options
+function toFilterConfig(obj) {
+  const normalized = {
+    __proto__: null
   };
-  const useDebug = require$$9.isDebug('stdio');
-  const terminatorPos = args.indexOf('--');
-  const rawBinArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos);
-  const binArgs = rawBinArgs.filter(a => !npm.isNpmAuditFlag(a) && !npm.isNpmFundFlag(a) && !npm.isNpmProgressFlag(a));
-  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-  const progressArg = rawBinArgs.findLast(npm.isNpmProgressFlag) !== '--no-progress';
-  const isSilent = !useDebug && !binArgs.some(npm.isNpmLoglevelFlag);
-  const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : [];
-  const useIpc = require$$10.isObject(ipc);
-  // Include 'ipc' in the spawnOpts.stdio when an options.ipc object is provided.
-  // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
-  // and https://github.com/nodejs/node/blob/v23.6.0/lib/internal/child_process.js#L238.
-  let stdio = require$$10.getOwn(spawnOpts, 'stdio');
-  if (typeof stdio === 'string') {
-    stdio = useIpc ? [stdio, stdio, stdio, 'ipc'] : [stdio, stdio, stdio];
-  } else if (Array.isArray(stdio)) {
-    if (useIpc && !stdio.includes('ipc')) {
-      stdio = stdio.concat('ipc');
+  const keys = require$$10.isObject(obj) ? Object.keys(obj) : [];
+  for (const key of keys) {
+    const value = obj[key];
+    if (typeof value === 'boolean' || Array.isArray(value)) {
+      normalized[key] = value;
     }
-  } else {
-    stdio = useIpc ? ['pipe', 'pipe', 'pipe', 'ipc'] : 'pipe';
-  }
-  const spawnPromise = spawn.spawn(constants.execPath, [...constants.nodeNoWarningsFlags, ...constants.nodeDebugFlags, ...constants.nodeHardenFlags, ...constants.nodeMemoryFlags, ...(constants.ENV.INLINED_SOCKET_CLI_SENTRY_BUILD ? ['--require', constants.instrumentWithSentryPath] : []), '--require', constants.shadowNpmInjectPath, npm.resolveBinPathSync(agentExecPath), 'install',
-  // Avoid code paths for 'audit' and 'fund'.
-  '--no-audit', '--no-fund',
-  // Add '--no-progress' to fix input being swallowed by the npm spinner.
-  '--no-progress',
-  // Add '--loglevel=silent' if a loglevel flag is not provided and the
-  // SOCKET_CLI_DEBUG environment variable is not truthy.
-  ...logLevelArgs, ...binArgs, ...otherArgs], {
-    ...spawnOpts,
-    env: {
-      ...process.env,
-      ...constants.processEnv,
-      ...require$$10.getOwn(spawnOpts, 'env')
-    },
-    spinner,
-    stdio
-  });
-  if (useIpc) {
-    spawnPromise.process.send({
-      [constants.SOCKET_IPC_HANDSHAKE]: {
-        [constants.SOCKET_CLI_SHADOW_BIN]: 'npm',
-        [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,
-        ...ipc
-      }
-    });
   }
-  return spawnPromise;
+  return normalized;
 }
-function runAgentInstall(pkgEnvDetails, options) {
-  const {
-    agent,
-    agentExecPath
-  } = pkgEnvDetails;
-  const isNpm = agent === 'npm';
-  const isPnpm = agent === 'pnpm';
-  // All package managers support the "install" command.
-  if (isNpm) {
-    return shadowNpmInstall({
-      agentExecPath,
-      ...options
-    });
+const require$1 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+let _translations;
+function getTranslations() {
+  if (_translations === undefined) {
+    _translations = /*@__PURE__*/require$1(path.join(constants.rootPath, 'translations.json'));
   }
-  const {
-    args = [],
-    spinner,
-    ...spawnOpts
-  } = {
-    __proto__: null,
-    ...options
+  return _translations;
+}
+const ALERT_SEVERITY_COLOR = createEnum({
+  critical: 'magenta',
+  high: 'red',
+  middle: 'yellow',
+  low: 'white'
+});
+const ALERT_SEVERITY_ORDER = createEnum({
+  critical: 0,
+  high: 1,
+  middle: 2,
+  low: 3,
+  none: 4
+});
+const MIN_ABOVE_THE_FOLD_COUNT = 3;
+const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1;
+const format = new ColorOrMarkdown(false);
+function getHiddenRiskCounts(hiddenAlerts) {
+  const riskCounts = {
+    critical: 0,
+    high: 0,
+    middle: 0,
+    low: 0
   };
-  const skipNodeHardenFlags = isPnpm && pkgEnvDetails.agentVersion.major < 11;
-  return spawn.spawn(agentExecPath, ['install', ...args], {
-    shell: constants.WIN32,
-    spinner,
-    stdio: 'inherit',
-    ...spawnOpts,
-    env: {
-      ...process.env,
-      ...constants.processEnv,
-      NODE_OPTIONS: cmdFlagsToString([...(skipNodeHardenFlags ? [] : constants.nodeHardenFlags), ...constants.nodeNoWarningsFlags]),
-      ...require$$10.getOwn(spawnOpts, 'env')
+  for (const alert of hiddenAlerts) {
+    switch (getAlertSeverityOrder(alert)) {
+      case ALERT_SEVERITY_ORDER.critical:
+        riskCounts.critical += 1;
+        break;
+      case ALERT_SEVERITY_ORDER.high:
+        riskCounts.high += 1;
+        break;
+      case ALERT_SEVERITY_ORDER.middle:
+        riskCounts.middle += 1;
+        break;
+      case ALERT_SEVERITY_ORDER.low:
+        riskCounts.low += 1;
+        break;
     }
-  });
+  }
+  return riskCounts;
 }
-async function getNpmConfig(options) {
+function getHiddenRisksDescription(riskCounts) {
+  const descriptions = [];
+  if (riskCounts.critical) {
+    descriptions.push(`${riskCounts.critical} ${getSeverityLabel('critical')}`);
+  }
+  if (riskCounts.high) {
+    descriptions.push(`${riskCounts.high} ${getSeverityLabel('high')}`);
+  }
+  if (riskCounts.middle) {
+    descriptions.push(`${riskCounts.middle} ${getSeverityLabel('middle')}`);
+  }
+  if (riskCounts.low) {
+    descriptions.push(`${riskCounts.low} ${getSeverityLabel('low')}`);
+  }
+  return `(${descriptions.join('; ')})`;
+}
+async function addArtifactToAlertsMap(artifact, alertsByPurl, options) {
+  // Make TypeScript happy.
+  if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
+    return alertsByPurl;
+  }
   const {
-    cwd = process.cwd(),
-    env = process.env,
-    execPath = process.execPath,
-    nodeVersion = process.version,
-    npmCommand = 'install',
-    npmPath = getNpmDirPath(),
-    npmVersion,
-    platform = process.platform
+    type: ecosystem,
+    version
+  } = artifact;
+  const {
+    consolidate = false,
+    overrides,
+    socketYml
   } = {
     __proto__: null,
     ...options
   };
-  const config = new vendor.libExports$2({
-    argv: [],
-    cwd,
-    definitions: vendor.definitionsExports.definitions,
-    execPath,
-    env: {
-      ...env
-    },
-    flatten: vendor.definitionsExports.flatten,
-    npmPath,
-    platform,
-    shorthands: vendor.definitionsExports.shorthands
+  const name = packages.resolvePackageName(artifact);
+  const filterConfig = toFilterConfig({
+    blocked: true,
+    critical: true,
+    cve: true,
+    ...require$$10.getOwn(options, 'filter')
   });
-  await config.load();
-  const flatConfig = {
+  const enabledState = {
     __proto__: null,
-    ...config.flat
+    ...socketYml?.issueRules
   };
-  if (nodeVersion) {
-    flatConfig.nodeVersion = nodeVersion;
-  }
-  if (npmCommand) {
-    flatConfig.npmCommand = npmCommand;
-  }
-  if (npmVersion) {
-    flatConfig.npmVersion = npmVersion.toString();
-  }
-  return flatConfig;
-}
-async function readLockfile(lockfilePath) {
-  return fs$1.existsSync(lockfilePath) ? await fs.readFileUtf8(lockfilePath) : null;
-}
-const {
-  BINARY_LOCK_EXT,
-  BUN,
-  HIDDEN_PACKAGE_LOCK_JSON,
-  LOCK_EXT,
-  NPM,
-  NPM_BUGGY_OVERRIDES_PATCHED_VERSION,
-  PACKAGE_JSON,
-  PNPM,
-  VLT,
-  YARN,
-  YARN_BERRY,
-  YARN_CLASSIC
-} = constants;
-const AGENTS = [BUN, NPM, PNPM, YARN_BERRY, YARN_CLASSIC, VLT];
-const binByAgent = new Map([[BUN, BUN], [NPM, NPM], [PNPM, PNPM], [YARN_BERRY, YARN], [YARN_CLASSIC, YARN], [VLT, VLT]]);
-const readLockFileByAgent = (() => {
-  function wrapReader(reader) {
-    return async (...args) => {
-      try {
-        return await reader(...args);
-      } catch {}
-      return undefined;
-    };
-  }
-  const binaryReader = wrapReader(fs.readFileBinary);
-  const defaultReader = wrapReader(async lockPath => await fs.readFileUtf8(lockPath));
-  return new Map([[BUN, wrapReader(async (lockPath, agentExecPath, cwd = process.cwd()) => {
-    const ext = path.extname(lockPath);
-    if (ext === LOCK_EXT) {
-      return await defaultReader(lockPath);
-    }
-    if (ext === BINARY_LOCK_EXT) {
-      const lockBuffer = await binaryReader(lockPath);
-      if (lockBuffer) {
-        try {
-          return vendor.hyrious__bun_lockbExports.parse(lockBuffer);
-        } catch {}
-      }
-      // To print a Yarn lockfile to your console without writing it to disk
-      // use `bun bun.lockb`.
-      // https://bun.sh/guides/install/yarnlock
-      return (await spawn.spawn(agentExecPath, [lockPath], {
-        cwd,
-        shell: constants.WIN32
-      })).stdout;
+  let sockPkgAlerts = [];
+  for (const alert of artifact.alerts) {
+    const action = alert.action ?? '';
+    const enabledFlag = enabledState[alert.type];
+    if (action === 'ignore' && enabledFlag !== true || enabledFlag === false) {
+      continue;
     }
-    return undefined;
-  })], [NPM, defaultReader], [PNPM, defaultReader], [VLT, defaultReader], [YARN_BERRY, defaultReader], [YARN_CLASSIC, defaultReader]]);
-})();
-// The order of LOCKS properties IS significant as it affects iteration order.
-const LOCKS = {
-  [`bun${LOCK_EXT}`]: BUN,
-  [`bun${BINARY_LOCK_EXT}`]: BUN,
-  // If both package-lock.json and npm-shrinkwrap.json are present in the root
-  // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
-  // will be ignored.
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
-  'npm-shrinkwrap.json': NPM,
-  'package-lock.json': NPM,
-  'pnpm-lock.yaml': PNPM,
-  'pnpm-lock.yml': PNPM,
-  [`yarn${LOCK_EXT}`]: YARN_CLASSIC,
-  'vlt-lock.json': VLT,
-  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
-  // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
-  //
-  // Unlike the other LOCKS keys this key contains a directory AND filename so
-  // it has to be handled differently.
-  'node_modules/.package-lock.json': NPM
-};
-async function getAgentExecPath(agent) {
-  const binName = binByAgent.get(agent);
-  if (binName === NPM) {
-    return constants.npmExecPath;
-  }
-  return (await vendor.libExports$1(binName, {
-    nothrow: true
-  })) ?? binName;
-}
-async function getAgentVersion(agent, agentExecPath, cwd) {
-  let result;
-  const quotedCmd = `\`${agent} --version\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    result =
-    // Coerce version output into a valid semver version by passing it through
-    // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
-    // and tildes (~).
-    vendor.semverExports.coerce(
-    // All package managers support the "--version" flag.
-    (await spawn.spawn(agentExecPath, ['--version'], {
-      cwd,
-      shell: constants.WIN32
-    })).stdout) ?? undefined;
-  } catch (e) {
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-  }
-  return result;
-}
-async function detectPackageEnvironment({
-  cwd = process.cwd(),
-  onUnknown
-} = {}) {
-  let lockPath = await findUp(Object.keys(LOCKS), {
-    cwd
-  });
-  let lockName = lockPath ? path.basename(lockPath) : undefined;
-  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON;
-  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`) : await findUp(PACKAGE_JSON, {
-    cwd
-  });
-  const pkgPath = pkgJsonPath && fs$1.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
-  const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
-    editable: true
-  }) : undefined;
-  // Read Corepack `packageManager` field in package.json:
-  // https://nodejs.org/api/packages.html#packagemanager
-  const pkgManager = strings.isNonEmptyString(editablePkgJson?.content?.packageManager) ? editablePkgJson.content.packageManager : undefined;
-  let agent;
-  if (pkgManager) {
-    // A valid "packageManager" field value is "<package manager name>@<version>".
-    // https://nodejs.org/api/packages.html#packagemanager
-    const atSignIndex = pkgManager.lastIndexOf('@');
-    if (atSignIndex !== -1) {
-      const name = pkgManager.slice(0, atSignIndex);
-      const version = pkgManager.slice(atSignIndex + 1);
-      if (version && AGENTS.includes(name)) {
-        agent = name;
-      }
+    const blocked = action === 'error';
+    const critical = alert.severity === ALERT_SEVERITY.critical;
+    const cve = isArtifactAlertCve(alert);
+    const fixType = alert.fix?.type ?? '';
+    const fixableCve = fixType === ALERT_FIX_TYPE.cve;
+    const fixableUpgrade = fixType === ALERT_FIX_TYPE.upgrade;
+    const fixable = fixableCve || fixableUpgrade;
+    const upgradable = fixableUpgrade && !require$$10.hasOwn(overrides, name);
+    if (filterConfig.blocked && blocked || filterConfig.critical && critical || filterConfig.cve && cve || filterConfig.fixable && fixable || filterConfig.upgradable && upgradable) {
+      sockPkgAlerts.push({
+        name,
+        version,
+        key: alert.key,
+        type: alert.type,
+        blocked,
+        critical,
+        ecosystem,
+        fixable,
+        raw: alert,
+        upgradable
+      });
     }
   }
-  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockName === 'string') {
-    agent = LOCKS[lockName];
-  }
-  if (agent === undefined) {
-    agent = NPM;
-    onUnknown?.(pkgManager);
-  }
-  const agentExecPath = await getAgentExecPath(agent);
-  const agentVersion = await getAgentVersion(agent, agentExecPath, cwd);
-  if (agent === YARN_CLASSIC && (agentVersion?.major ?? 0) > 1) {
-    agent = YARN_BERRY;
+  if (!sockPkgAlerts.length) {
+    return alertsByPurl;
   }
-  const {
-    maintainedNodeVersions
-  } = constants;
-  const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent);
-  const minSupportedNodeMajor = vendor.semverExports.major(maintainedNodeVersions.last);
-  const minSupportedNodeVersion = `${minSupportedNodeMajor}.0.0`;
-  const minSupportedNodeRange = `>=${minSupportedNodeMajor}`;
-  const nodeVersion = vendor.semverExports.coerce(process.version);
-  let lockSrc;
-  let pkgAgentRange;
-  let pkgNodeRange;
-  let pkgMinAgentVersion = minSupportedAgentVersion;
-  let pkgMinNodeVersion = minSupportedNodeVersion;
-  if (editablePkgJson?.content) {
-    const {
-      engines
-    } = editablePkgJson.content;
-    const engineAgentRange = engines?.[agent];
-    const engineNodeRange = engines?.['node'];
-    if (strings.isNonEmptyString(engineAgentRange)) {
-      pkgAgentRange = engineAgentRange;
-      // Roughly check agent range as semver.coerce will strip leading
-      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
-      const coerced = vendor.semverExports.coerce(pkgAgentRange);
-      if (coerced && vendor.semverExports.lt(coerced, pkgMinAgentVersion)) {
-        pkgMinAgentVersion = coerced.version;
-      }
-    }
-    if (strings.isNonEmptyString(engineNodeRange)) {
-      pkgNodeRange = engineNodeRange;
-      // Roughly check Node range as semver.coerce will strip leading
-      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
-      const coerced = vendor.semverExports.coerce(pkgNodeRange);
-      if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
-        pkgMinNodeVersion = coerced.version;
-      }
-    }
-    const browserslistQuery = editablePkgJson.content['browserslist'];
-    if (Array.isArray(browserslistQuery)) {
-      // List Node targets in ascending version order.
-      const browserslistNodeTargets = vendor.browserslistExports(browserslistQuery).filter(v => /^node /i.test(v)).map(v => v.slice(5 /*'node '.length*/)).sort(sorts.naturalCompare);
-      if (browserslistNodeTargets.length) {
-        // browserslistNodeTargets[0] is the lowest Node target version.
-        const coerced = vendor.semverExports.coerce(browserslistNodeTargets[0]);
-        if (coerced && vendor.semverExports.lt(coerced, pkgMinNodeVersion)) {
-          pkgMinNodeVersion = coerced.version;
+  const purl = `pkg:${ecosystem}/${name}@${version}`;
+  const major = getMajor(version);
+  if (consolidate) {
+    const highestForCve = new Map();
+    const highestForUpgrade = new Map();
+    const unfixableAlerts = [];
+    for (const sockPkgAlert of sockPkgAlerts) {
+      const alert = sockPkgAlert.raw;
+      const fixType = alert.fix?.type ?? '';
+      if (fixType === ALERT_FIX_TYPE.cve) {
+        // An alert with alert.fix.type of 'cve' should have a
+        // alert.props.firstPatchedVersionIdentifier property value.
+        // We're just being cautious.
+        const firstPatchedVersionIdentifier = alert.props?.firstPatchedVersionIdentifier;
+        const patchedMajor = firstPatchedVersionIdentifier ? getMajor(firstPatchedVersionIdentifier) : null;
+        if (typeof patchedMajor === 'number') {
+          // Consolidate to the highest "first patched version" by each major
+          // version number.
+          const highest = highestForCve.get(patchedMajor)?.version ?? '0.0.0';
+          if (vendor.semverExports.gt(firstPatchedVersionIdentifier, highest)) {
+            highestForCve.set(patchedMajor, {
+              alert: sockPkgAlert,
+              version: firstPatchedVersionIdentifier
+            });
+          }
+        } else {
+          unfixableAlerts.push(sockPkgAlert);
+        }
+      } else if (fixType === ALERT_FIX_TYPE.upgrade) {
+        // For Socket Optimize upgrades we assume the highest version available
+        // is compatible. This may change in the future.
+        const highest = highestForUpgrade.get(major)?.version ?? '0.0.0';
+        if (vendor.semverExports.gt(version, highest)) {
+          highestForUpgrade.set(major, {
+            alert: sockPkgAlert,
+            version
+          });
         }
+      } else {
+        unfixableAlerts.push(sockPkgAlert);
       }
     }
-    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent.get(agent)(lockPath, agentExecPath, cwd) : undefined;
+    sockPkgAlerts = [
+    // Sort CVE alerts by severity: critical, high, middle, then low.
+    ...Array.from(highestForCve.values()).map(d => d.alert).sort(alertSeverityComparator), ...Array.from(highestForUpgrade.values()).map(d => d.alert), ...unfixableAlerts];
   } else {
-    lockName = undefined;
-    lockPath = undefined;
+    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
   }
-  // Does the system agent version meet our minimum supported agent version?
-  const agentSupported = !!agentVersion && vendor.semverExports.satisfies(agentVersion, `>=${minSupportedAgentVersion}`);
-  // Does the system Node version meet our minimum supported Node version?
-  const nodeSupported = vendor.semverExports.satisfies(nodeVersion, minSupportedNodeRange);
-  const npmExecPath = agent === NPM ? agentExecPath : await getAgentExecPath(NPM);
-  const npmBuggyOverrides = agent === NPM && !!agentVersion && vendor.semverExports.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION);
-  const pkgMinAgentRange = `>=${pkgMinAgentVersion}`;
-  const pkgMinNodeRange = `>=${vendor.semverExports.major(pkgMinNodeVersion)}`;
-  return {
-    agent,
-    agentExecPath,
-    agentSupported,
-    agentVersion,
-    editablePkgJson,
-    features: {
-      npmBuggyOverrides
-    },
-    lockName,
-    lockPath,
-    lockSrc,
-    nodeSupported,
-    nodeVersion,
-    npmExecPath,
-    pkgPath,
-    pkgRequirements: {
-      agent: pkgAgentRange ?? pkgMinAgentRange,
-      node: pkgNodeRange ?? pkgMinNodeRange
-    },
-    pkgSupports: {
-      // Does our minimum supported agent version meet the package's requirements?
-      agent: vendor.semverExports.satisfies(minSupportedAgentVersion, pkgMinAgentRange),
-      // Does our supported Node versions meet the package's requirements?
-      node: maintainedNodeVersions.some(v => vendor.semverExports.satisfies(v, pkgMinNodeRange))
-    }
-  };
+  if (sockPkgAlerts.length) {
+    alertsByPurl.set(purl, sockPkgAlerts);
+  }
+  return alertsByPurl;
 }
-async function detectAndValidatePackageEnvironment(cwd, options) {
+function alertsHaveBlocked(alerts) {
+  return alerts.find(a => a.blocked) !== undefined;
+}
+function alertsHaveSeverity(alerts, severity) {
+  return alerts.find(a => a.raw.severity === severity) !== undefined;
+}
+function alertSeverityComparator(a, b) {
+  // Put the most severe first.
+  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b);
+}
+function getAlertSeverityOrder(alert) {
+  // The more severe, the lower the sort number.
   const {
-    cmdName = '',
-    logger,
-    prod
+    severity
+  } = alert.raw;
+  return severity === ALERT_SEVERITY.critical ? 0 : severity === ALERT_SEVERITY.high ? 1 : severity === ALERT_SEVERITY.middle ? 2 : severity === ALERT_SEVERITY.low ? 3 : 4;
+}
+function getAlertsSeverityOrder(alerts) {
+  return alertsHaveBlocked(alerts) || alertsHaveSeverity(alerts, ALERT_SEVERITY.critical) ? 0 : alertsHaveSeverity(alerts, ALERT_SEVERITY.high) ? 1 : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle) ? 2 : alertsHaveSeverity(alerts, ALERT_SEVERITY.low) ? 3 : 4;
+}
+function getSeverityLabel(severity) {
+  return severity === 'middle' ? 'moderate' : severity;
+}
+function logAlertsMap(alertsMap, options) {
+  const {
+    hideAt = 'middle',
+    output = process.stderr
   } = {
     __proto__: null,
     ...options
   };
-  const details = await detectPackageEnvironment({
-    cwd,
-    onUnknown(pkgManager) {
-      logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`));
+  const translations = getTranslations();
+  const sortedEntries = Array.from(alertsMap.entries()).sort((a, b) => getAlertsSeverityOrder(a[1]) - getAlertsSeverityOrder(b[1]));
+  const aboveTheFoldPurls = new Set();
+  const viewableAlertsByPurl = new Map();
+  const hiddenAlertsByPurl = new Map();
+  for (let i = 0, {
+      length
+    } = sortedEntries; i < length; i += 1) {
+    const {
+      0: purl,
+      1: alerts
+    } = sortedEntries[i];
+    const hiddenAlerts = [];
+    const viewableAlerts = alerts.filter(a => {
+      const keep = a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER[hideAt];
+      if (!keep) {
+        hiddenAlerts.push(a);
+      }
+      return keep;
+    });
+    if (hiddenAlerts.length) {
+      hiddenAlertsByPurl.set(purl, hiddenAlerts.sort(alertSeverityComparator));
+    }
+    if (!viewableAlerts.length) {
+      continue;
+    }
+    viewableAlerts.sort(alertSeverityComparator);
+    viewableAlertsByPurl.set(purl, viewableAlerts);
+    if (viewableAlerts.find(a => a.blocked || getAlertSeverityOrder(a) < ALERT_SEVERITY_ORDER.middle)) {
+      aboveTheFoldPurls.add(purl);
     }
-  });
-  const {
-    agent,
-    nodeVersion,
-    pkgRequirements
-  } = details;
-  const agentVersion = details.agentVersion ?? 'unknown';
-  if (!details.agentSupported) {
-    const minVersion = constants.minimumVersionByAgent.get(agent);
-    return {
-      ok: false,
-      message: 'Version mismatch',
-      cause: cmdPrefixMessage(cmdName, `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`)
-    };
-  }
-  if (!details.nodeSupported) {
-    const minVersion = constants.maintainedNodeVersions.last;
-    return {
-      ok: false,
-      message: 'Version mismatch',
-      cause: cmdPrefixMessage(cmdName, `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`)
-    };
-  }
-  if (!details.pkgSupports.agent) {
-    return {
-      ok: false,
-      message: 'Engine mismatch',
-      cause: cmdPrefixMessage(cmdName, `Package engine "${agent}" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`)
-    };
-  }
-  if (!details.pkgSupports.node) {
-    return {
-      ok: false,
-      message: 'Version mismatch',
-      cause: cmdPrefixMessage(cmdName, `Package engine "node" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`)
-    };
-  }
-  const lockName = details.lockName ?? 'lock file';
-  if (details.lockName === undefined || details.lockSrc === undefined) {
-    return {
-      ok: false,
-      message: 'Missing lockfile',
-      cause: cmdPrefixMessage(cmdName, `No ${lockName} found`)
-    };
   }
-  if (details.lockSrc.trim() === '') {
-    return {
-      ok: false,
-      message: 'Empty lockfile',
-      cause: cmdPrefixMessage(cmdName, `${lockName} is empty`)
-    };
+  // If MIN_ABOVE_THE_FOLD_COUNT is NOT met add more from viewable pkg ids.
+  for (const {
+    0: purl
+  } of viewableAlertsByPurl.entries()) {
+    if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+      break;
+    }
+    aboveTheFoldPurls.add(purl);
   }
-  if (details.pkgPath === undefined) {
-    return {
-      ok: false,
-      message: 'Missing package.json',
-      cause: cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`)
-    };
+  // If MIN_ABOVE_THE_FOLD_COUNT is STILL NOT met add more from hidden pkg ids.
+  for (const {
+    0: purl,
+    1: hiddenAlerts
+  } of hiddenAlertsByPurl.entries()) {
+    if (aboveTheFoldPurls.size >= MIN_ABOVE_THE_FOLD_COUNT) {
+      break;
+    }
+    aboveTheFoldPurls.add(purl);
+    const viewableAlerts = viewableAlertsByPurl.get(purl) ?? [];
+    if (viewableAlerts.length < MIN_ABOVE_THE_FOLD_ALERT_COUNT) {
+      const neededCount = MIN_ABOVE_THE_FOLD_ALERT_COUNT - viewableAlerts.length;
+      let removedHiddenAlerts;
+      if (hiddenAlerts.length - neededCount > 0) {
+        removedHiddenAlerts = hiddenAlerts.splice(0, MIN_ABOVE_THE_FOLD_ALERT_COUNT);
+      } else {
+        removedHiddenAlerts = hiddenAlerts;
+        hiddenAlertsByPurl.delete(purl);
+      }
+      viewableAlertsByPurl.set(purl, [...viewableAlerts, ...removedHiddenAlerts]);
+    }
   }
-  if (prod && (agent === BUN || agent === YARN_BERRY)) {
-    return {
-      ok: false,
-      message: 'Bad input',
-      cause: cmdPrefixMessage(cmdName, `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`)
-    };
+  const mentionedPurlsWithHiddenAlerts = new Set();
+  for (let i = 0, prevAboveTheFold = true, entries = Array.from(viewableAlertsByPurl.entries()), {
+      length
+    } = entries; i < length; i += 1) {
+    const {
+      0: purl,
+      1: alerts
+    } = entries[i];
+    const lines = new Set();
+    for (const alert of alerts) {
+      const {
+        type
+      } = alert;
+      const severity = alert.raw.severity ?? '';
+      const attributes = [...(severity ? [vendor.yoctocolorsCjsExports[ALERT_SEVERITY_COLOR[severity]](getSeverityLabel(severity))] : []), ...(alert.blocked ? [vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.red('blocked'))] : []), ...(alert.fixable ? ['fixable'] : [])];
+      const maybeAttributes = attributes.length ? ` ${vendor.yoctocolorsCjsExports.italic(`(${attributes.join('; ')})`)}` : '';
+      // Based data from { pageProps: { alertTypes } } of:
+      // https://socket.dev/_next/data/9a6db8224b68b6da0eb9f7dbb17aff7e51568ac2/en-US.json
+      const info = translations.alerts[type];
+      const title = info?.title ?? type;
+      const maybeDesc = info?.description ? ` - ${info.description}` : '';
+      const content = `${title}${maybeAttributes}${maybeDesc}`;
+      // TODO: An added emoji seems to mis-align terminals sometimes.
+      lines.add(`  ${content}`);
+    }
+    const purlObj = getPurlObject(purl);
+    const pkgName = packages.resolvePackageName(purlObj);
+    const hyperlink = format.hyperlink(`${pkgName}@${purlObj.version}`, getSocketDevPackageOverviewUrl(purlObj.type, pkgName, purlObj.version));
+    const isAboveTheFold = aboveTheFoldPurls.has(purl);
+    if (isAboveTheFold) {
+      aboveTheFoldPurls.add(purl);
+      output.write(`${i ? '\n' : ''}${hyperlink}:\n`);
+    } else {
+      output.write(`${prevAboveTheFold ? '\n' : ''}${hyperlink}:\n`);
+    }
+    for (const line of lines) {
+      output.write(`${line}\n`);
+    }
+    const hiddenAlerts = hiddenAlertsByPurl.get(purl) ?? [];
+    const {
+      length: hiddenAlertsCount
+    } = hiddenAlerts;
+    if (hiddenAlertsCount) {
+      mentionedPurlsWithHiddenAlerts.add(purl);
+      if (hiddenAlertsCount === 1) {
+        output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+1 Hidden ${getSeverityLabel(hiddenAlerts[0].raw.severity ?? 'low')} risk alert`)}\n`);
+      } else {
+        output.write(`  ${vendor.yoctocolorsCjsExports.dim(`+${hiddenAlertsCount} Hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(getHiddenRiskCounts(hiddenAlerts)))}`)}\n`);
+      }
+    }
+    prevAboveTheFold = isAboveTheFold;
   }
-  if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
-    // Note: In tests we return <redacted> because otherwise snapshots will fail.
-    logger?.warn(cmdPrefixMessage(cmdName, `Package ${lockName} found at ${constants.ENV.VITEST ? constants.REDACTED : details.lockPath}`));
+  const additionalHiddenCount = hiddenAlertsByPurl.size - mentionedPurlsWithHiddenAlerts.size;
+  if (additionalHiddenCount) {
+    const totalRiskCounts = {
+      critical: 0,
+      high: 0,
+      middle: 0,
+      low: 0
+    };
+    for (const {
+      0: purl,
+      1: alerts
+    } of hiddenAlertsByPurl.entries()) {
+      if (mentionedPurlsWithHiddenAlerts.has(purl)) {
+        continue;
+      }
+      const riskCounts = getHiddenRiskCounts(alerts);
+      totalRiskCounts.critical += riskCounts.critical;
+      totalRiskCounts.high += riskCounts.high;
+      totalRiskCounts.middle += riskCounts.middle;
+      totalRiskCounts.low += riskCounts.low;
+    }
+    output.write(`${aboveTheFoldPurls.size ? '\n' : ''}${vendor.yoctocolorsCjsExports.dim(`${aboveTheFoldPurls.size ? '+' : ''}${additionalHiddenCount} Packages with hidden alerts ${vendor.yoctocolorsCjsExports.italic(getHiddenRisksDescription(totalRiskCounts))}`)}\n`);
   }
-  return {
-    ok: true,
-    data: details
-  };
+  output.write('\n');
 }
-const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion';
-function getCompletionSourcingCommand() {
-  // Note: this is exported to distPath in .config/rollup.dist.config.mjs
-  const completionScriptExportPath = path.join(constants.distPath, 'socket-completion.bash');
-  if (!fs$1.existsSync(completionScriptExportPath)) {
-    return {
-      ok: false,
-      message: 'Tab Completion script not found',
-      cause: `Expected to find completion script at \`${completionScriptExportPath}\` but it was not there`
-    };
+function idToNpmPurl(id) {
+  return `pkg:npm/${id}`;
+}
+async function getAlertsMapFromPurls(purls, options) {
+  const uniqPurls = arrays.arrayUnique(purls);
+  require$$9.debugDir('silly', {
+    purls: uniqPurls
+  });
+  let {
+    length: remaining
+  } = uniqPurls;
+  const alertsByPurl = new Map();
+  if (!remaining) {
+    return alertsByPurl;
   }
-  return {
-    ok: true,
-    data: `source ${completionScriptExportPath}`
+  const opts = {
+    __proto__: null,
+    consolidate: false,
+    nothrow: false,
+    ...options,
+    filter: toFilterConfig(require$$10.getOwn(options, 'filter'))
   };
-}
-function getBashrcDetails(targetCommandName) {
-  const sourcingCommand = getCompletionSourcingCommand();
-  if (!sourcingCommand.ok) {
-    return sourcingCommand;
+  if (opts.onlyFixable) {
+    opts.filter.fixable = true;
   }
   const {
-    socketAppDataPath
-  } = constants;
-  if (!socketAppDataPath) {
-    return {
-      ok: false,
-      message: 'Could not determine config directory',
-      cause: 'Failed to get config path'
-    };
+    apiToken = getPublicApiToken(),
+    spinner
+  } = opts;
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner?.start(getText());
+  const sockSdkCResult = await setupSdk({
+    apiToken
+  });
+  if (!sockSdkCResult.ok) {
+    spinner?.stop();
+    throw new Error('Auth error: Run `socket login` first');
   }
-  // _socket_completion is the function defined in our completion bash script
-  const completionCommand = `${COMPLETION_CMD_PREFIX} ${targetCommandName}`;
-  // Location of completion script in config after installing
-  const completionScriptPath = path.join(path.dirname(socketAppDataPath), 'completion', 'socket-completion.bash');
-  const bashrcContent = `# Socket CLI completion for "${targetCommandName}"
-if [ -f "${completionScriptPath}" ]; then
-    # Load the tab completion script
-    source "${completionScriptPath}"
-    # Tell bash to use this function for tab completion of this function
-    ${completionCommand}
-fi
-`;
-  return {
-    ok: true,
-    data: {
-      sourcingCommand: sourcingCommand.data,
-      completionCommand,
-      toAddToBashrc: bashrcContent,
-      targetName: targetCommandName,
-      targetPath: completionScriptPath
-    }
+  const sockSdk = sockSdkCResult.data;
+  const socketYml = findSocketYmlSync()?.parsed;
+  const alertsMapOptions = {
+    consolidate: opts.consolidate,
+    filter: opts.filter,
+    overrides: opts.overrides,
+    socketYml,
+    spinner
   };
-}
-const {
-  kInternalsSymbol,
-  [kInternalsSymbol]: {
-    getSentry
-  }
-} = constants;
-class AuthError extends Error {}
-class InputError extends Error {
-  constructor(message, body) {
-    super(message);
-    this.body = body;
-  }
-}
-async function captureException(exception, hint) {
-  const result = captureExceptionSync(exception, hint);
-  // "Sleep" for a second, just in case, hopefully enough time to initiate fetch.
-  await promises.setTimeout(1000);
-  return result;
-}
-function captureExceptionSync(exception, hint) {
-  const Sentry = getSentry();
-  if (!Sentry) {
-    return '';
+  try {
+    for await (const batchResult of sockSdk.batchPackageStream({
+      components: uniqPurls.map(purl => ({
+        purl
+      }))
+    }, {
+      queryParams: {
+        alerts: 'true',
+        compact: 'true',
+        ...(opts.onlyFixable ? {
+          fixable: 'true '
+        } : {}),
+        ...(Array.isArray(opts.filter.actions) ? {
+          actions: opts.filter.actions.join(',')
+        } : {})
+      }
+    })) {
+      if (batchResult.success) {
+        const artifact = batchResult.data;
+        await addArtifactToAlertsMap(artifact, alertsByPurl, alertsMapOptions);
+      } else if (!opts.nothrow) {
+        spinner?.stop();
+        if (strings.isNonEmptyString(batchResult.error)) {
+          throw new Error(batchResult.error);
+        }
+        const statusCode = batchResult.status ?? 'unknown';
+        throw new Error(`Socket API server error (${statusCode}): No status message`);
+      } else {
+        spinner?.stop();
+        logger.logger.fail(`Received a ${batchResult.status} response from Socket API which we consider a permanent failure:`, batchResult.error, batchResult.cause ? `( ${batchResult.cause} )` : '');
+        require$$9.debugDir('inspect', {
+          batchResult
+        });
+        break;
+      }
+      remaining -= 1;
+      if (remaining > 0) {
+        spinner?.start(getText());
+      }
+    }
+  } catch (e) {
+    spinner?.stop();
+    throw e;
   }
-  require$$9.debugFn('notice', 'send: exception to Sentry');
-  return Sentry.captureException(exception, hint);
-}
-const ALL_ECOSYSTEMS = ['apk', 'bitbucket', 'cargo', 'chrome', 'cocoapods', 'composer', 'conan', 'conda', 'cran', 'deb', 'docker', 'gem', 'generic', 'github', 'golang', 'hackage', 'hex', 'huggingface', 'maven', 'mlflow', 'npm', 'nuget', 'oci', 'pub', 'pypi', 'qpkg', 'rpm', 'swift', 'swid', 'unknown'];
-new Set(ALL_ECOSYSTEMS);
-function getEcosystemChoicesForMeow() {
-  return [...ALL_ECOSYSTEMS];
+  spinner?.stop();
+  return alertsByPurl;
 }
 exports.AuthError = AuthError;
 exports.COMPLETION_CMD_PREFIX = COMPLETION_CMD_PREFIX;
 exports.InputError = InputError;
 exports.RangeStyles = RangeStyles;
-exports.applyRange = applyRange;
 exports.captureException = captureException;
 exports.checkCommandInput = checkCommandInput;
 exports.cmdFlagValueToArray = cmdFlagValueToArray;
@@ -4013,32 +3791,27 @@ exports.createEnum = createEnum;
 exports.detectAndValidatePackageEnvironment = detectAndValidatePackageEnvironment;
 exports.detectDefaultBranch = detectDefaultBranch;
 exports.determineOrgSlug = determineOrgSlug;
-exports.extractOverridesFromPnpmLockSrc = extractOverridesFromPnpmLockSrc;
 exports.extractTier1ReachabilityScanId = extractTier1ReachabilityScanId;
 exports.failMsgWithBadge = failMsgWithBadge;
 exports.fetchOrganization = fetchOrganization;
-exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile;
+exports.findUp = findUp;
 exports.getAlertsMapFromPurls = getAlertsMapFromPurls;
 exports.getBaseBranch = getBaseBranch;
 exports.getBashrcDetails = getBashrcDetails;
 exports.getConfigValue = getConfigValue;
 exports.getConfigValueOrUndef = getConfigValueOrUndef;
-exports.getCveInfoFromAlertsMap = getCveInfoFromAlertsMap;
 exports.getDefaultOrgSlug = getDefaultOrgSlug;
 exports.getEcosystemChoicesForMeow = getEcosystemChoicesForMeow;
 exports.getEnterpriseOrgs = getEnterpriseOrgs;
 exports.getFlagApiRequirementsOutput = getFlagApiRequirementsOutput;
 exports.getFlagListOutput = getFlagListOutput;
 exports.getMajor = getMajor;
-exports.getMinVersion = getMinVersion;
 exports.getNpmBinPath = getNpmBinPath;
-exports.getNpmConfig = getNpmConfig;
 exports.getNpmRequire = getNpmRequire;
 exports.getNpxBinPath = getNpxBinPath;
 exports.getOrgSlugs = getOrgSlugs;
 exports.getOutputKind = getOutputKind;
 exports.getPackageFilesForScan = getPackageFilesForScan;
-exports.getPkgFullNameFromPurl = getPkgFullNameFromPurl;
 exports.getPublicApiToken = getPublicApiToken;
 exports.getPurlObject = getPurlObject;
 exports.getRepoInfo = getRepoInfo;
@@ -4062,7 +3835,6 @@ exports.handleApiCallNoSpinner = handleApiCallNoSpinner;
 exports.hasDefaultApiToken = hasDefaultApiToken;
 exports.hasEnterpriseOrgPlan = hasEnterpriseOrgPlan;
 exports.idToNpmPurl = idToNpmPurl;
-exports.idToPurl = idToPurl;
 exports.isHelpFlag = isHelpFlag;
 exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
 exports.isNpxBinPathShadowed = isNpxBinPathShadowed;
@@ -4079,14 +3851,10 @@ exports.meowOrExit = meowOrExit;
 exports.meowWithSubcommands = meowWithSubcommands;
 exports.msAtHome = msAtHome;
 exports.npa = npa;
-exports.parsePnpmLockfile = parsePnpmLockfile;
-exports.parsePnpmLockfileVersion = parsePnpmLockfileVersion;
 exports.queryApiSafeJson = queryApiSafeJson;
 exports.queryApiSafeText = queryApiSafeText;
-exports.readLockfile = readLockfile;
 exports.readOrDefaultSocketJson = readOrDefaultSocketJson;
 exports.readSocketJsonSync = readSocketJsonSync;
-exports.removeNodeModules = removeNodeModules;
 exports.runAgentInstall = runAgentInstall;
 exports.sendApiRequest = sendApiRequest;
 exports.serializeResultJson = serializeResultJson;
@@ -4098,5 +3866,5 @@ exports.toFilterConfig = toFilterConfig;
 exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=7bc6e694-34e1-474f-8bfe-df9d9abb3db6
+//# debugId=6bbbb6b9-ace3-439a-9c19-0674a8ba872d
 //# sourceMappingURL=utils.js.map