@socketsecurity/cli-with-sentry 1.0.79 → 1.0.81

package/dist/cli.js

@@ -3,7 +3,7 @@
 
 var require$$0 = require('node:url');
 var vendor = require('./vendor.js');
-var debug = require('../external/@socketsecurity/registry/lib/debug');
+var require$$6 = require('../external/@socketsecurity/registry/lib/debug');
 var logger = require('../external/@socketsecurity/registry/lib/logger');
 var utils = require('./utils.js');
 var fs = require('node:fs/promises');
@@ -15,6 +15,7 @@ var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var fs$1 = require('node:fs');
 var path = require('node:path');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var registry = require('../external/@socketsecurity/registry');
@@ -22,7 +23,6 @@ var npm = require('../external/@socketsecurity/registry/lib/npm');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var sorts = require('../external/@socketsecurity/registry/lib/sorts');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var shadowNpmInject = require('./shadow-npm-inject.js');
 var require$$7 = require('../external/@socketsecurity/registry/lib/objects');
 var shadowNpmBin = require('./shadow-npm-bin.js');
@@ -619,8 +619,8 @@ ${table}
   } catch (e) {
     process.exitCode = 1;
     logger.logger.fail('There was a problem converting the logs to Markdown, please try the `--json` flag');
-    debug.debugFn('error', 'caught: unexpected error');
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', 'caught: unexpected error');
+    require$$6.debugDir('inspect', {
       error: e
     });
     return 'Failed to generate the markdown report';
@@ -1016,8 +1016,8 @@ async function fetchScanData(orgSlug, scanId, options) {
         return JSON.parse(line);
       } catch {
         ok = false;
-        debug.debugFn('error', 'fail: parse NDJSON');
-        debug.debugDir('inspect', {
+        require$$6.debugFn('error', 'fail: parse NDJSON');
+        require$$6.debugDir('inspect', {
           line
         });
         return;
@@ -1519,28 +1519,28 @@ sockJson, cwd = process.cwd()) {
     sbt: false
   };
   if (sockJson?.defaults?.manifest?.sbt?.disabled) {
-    debug.debugLog('notice', '[DEBUG] - sbt auto-detection is disabled in socket.json');
+    require$$6.debugLog('notice', '[DEBUG] - sbt auto-detection is disabled in socket.json');
   } else if (fs$1.existsSync(path.join(cwd, 'build.sbt'))) {
-    debug.debugLog('notice', '[DEBUG] - Detected a Scala sbt build file');
+    require$$6.debugLog('notice', '[DEBUG] - Detected a Scala sbt build file');
     output.sbt = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.gradle?.disabled) {
-    debug.debugLog('notice', '[DEBUG] - gradle auto-detection is disabled in socket.json');
+    require$$6.debugLog('notice', '[DEBUG] - gradle auto-detection is disabled in socket.json');
   } else if (fs$1.existsSync(path.join(cwd, 'gradlew'))) {
-    debug.debugLog('notice', '[DEBUG] - Detected a gradle build file');
+    require$$6.debugLog('notice', '[DEBUG] - Detected a gradle build file');
     output.gradle = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.conda?.disabled) {
-    debug.debugLog('notice', '[DEBUG] - conda auto-detection is disabled in socket.json');
+    require$$6.debugLog('notice', '[DEBUG] - conda auto-detection is disabled in socket.json');
   } else {
     const envyml = path.join(cwd, 'environment.yml');
     const hasEnvyml = fs$1.existsSync(envyml);
     const envyaml = path.join(cwd, 'environment.yaml');
     const hasEnvyaml = !hasEnvyml && fs$1.existsSync(envyaml);
     if (hasEnvyml || hasEnvyaml) {
-      debug.debugLog('notice', '[DEBUG] - Detected an environment.yml Conda file');
+      require$$6.debugLog('notice', '[DEBUG] - Detected an environment.yml Conda file');
       output.conda = true;
       output.count += 1;
     }
@@ -1716,7 +1716,7 @@ async function convertSbtToMaven({
     // TODO: maybe we can add an option to target a specific file to dump to stdout
     if (out === '-' && poms.length === 1) {
       logger.logger.log('Result:\n```');
-      logger.logger.log(await utils.safeReadFile(poms[0]));
+      logger.logger.log(await fs$2.safeReadFile(poms[0]));
       logger.logger.log('```');
       logger.logger.success(`OK`);
     } else if (out === '-') {
@@ -2043,7 +2043,7 @@ async function handleCreateNewScan({
     return;
   }
   logger.logger.success(`Found ${packagePaths.length} local ${words.pluralize('file', packagePaths.length)}`);
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     packagePaths
   });
   if (readOnly) {
@@ -3044,33 +3044,20 @@ async function coanaFix(fixConfig) {
     spinner?.stop();
     return lastCResult;
   }
-  const spawnOptions = {
+  const isAllOrAuto = ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
+  const ids = isAllOrAuto ? ['all'] : ghsas;
+  const fixCResult = ids.length ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...fixConfig.unknownFlags], {
     cwd,
     spinner,
     env: {
       SOCKET_ORG_SLUG: orgSlug
     }
-  };
-  let ids = ghsas;
-  if (ids.length === 1 && ids[0] === 'auto') {
-    debug.debugFn('notice', 'resolve: GitHub security alerts.');
-    const foundIdsCResult = tarHash ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash], spawnOptions) : undefined;
-    if (foundIdsCResult) {
-      lastCResult = foundIdsCResult;
-    }
-    if (foundIdsCResult?.ok) {
-      ids = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found: )[^\n]+/.exec(foundIdsCResult.data)?.[0]);
-      debug.debugDir('inspect', {
-        GitHubSecurityAlerts: ids
-      });
-    }
-  }
-  const fixCResult = ids.length ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...fixConfig.unknownFlags], spawnOptions) : undefined;
+  }) : undefined;
   if (fixCResult) {
     lastCResult = fixCResult;
   }
   spinner?.stop();
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     lastCResult
   });
   return lastCResult.ok ? {
@@ -3182,15 +3169,15 @@ function getPrsForPurl(fixEnv, partialPurl) {
       prs.push(pr);
     }
   }
-  if (debug.isDebug('notice,silly')) {
+  if (require$$6.isDebug('notice,silly')) {
     const fullName = packages.resolvePackageName(partialPurlObj);
     if (prs.length) {
-      debug.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
-      debug.debugDir('silly', {
+      require$$6.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
+      require$$6.debugDir('silly', {
         prs
       });
     } else if (fixEnv.prs.length) {
-      debug.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
+      require$$6.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
     }
   }
   return prs;
@@ -3204,14 +3191,14 @@ function getOctokit() {
       SOCKET_CLI_GITHUB_TOKEN
     } = constants.ENV;
     if (!SOCKET_CLI_GITHUB_TOKEN) {
-      debug.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
+      require$$6.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
     }
     const octokitOptions = {
       auth: SOCKET_CLI_GITHUB_TOKEN,
       // Lazily access constants.ENV.GITHUB_API_URL.
       baseUrl: constants.ENV.GITHUB_API_URL
     };
-    debug.debugDir('inspect', {
+    require$$6.debugDir('inspect', {
       octokitOptions
     });
     _octokit = new vendor.Octokit(octokitOptions);
@@ -3226,7 +3213,7 @@ function getOctokitGraphql() {
       SOCKET_CLI_GITHUB_TOKEN
     } = constants.ENV;
     if (!SOCKET_CLI_GITHUB_TOKEN) {
-      debug.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
+      require$$6.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
     }
     _octokitGraphql = vendor.graphql2.defaults({
       headers: {
@@ -3254,7 +3241,7 @@ async function readCache(key,
 ttlMs = 5 * 60 * 1000) {
   // Lazily access constants.githubCachePath.
   const cacheJsonPath = path.join(constants.githubCachePath, `${key}.json`);
-  const stat = utils.safeStatsSync(cacheJsonPath);
+  const stat = fs$2.safeStatsSync(cacheJsonPath);
   if (stat) {
     const isExpired = Date.now() - stat.mtimeMs > ttlMs;
     if (!isExpired) {
@@ -3310,14 +3297,14 @@ async function cleanupPrs(owner, repo, options) {
           pull_number: prNum,
           state: 'closed'
         });
-        debug.debugFn('notice', `pr: closing ${prRef} for ${prToVersion}`);
+        require$$6.debugFn('notice', `pr: closing ${prRef} for ${prToVersion}`);
         // Remove entry from parent object.
         context.parent.splice(context.index, 1);
         // Mark cache to be saved.
         cachesToSave.set(context.cacheKey, context.data);
         return null;
       } catch (e) {
-        debug.debugFn('error', `pr: failed to close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
+        require$$6.debugFn('error', `pr: failed to close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
       }
     }
     // Update stale PRs.
@@ -3330,7 +3317,7 @@ async function cleanupPrs(owner, repo, options) {
           base: match.headRefName,
           head: match.baseRefName
         });
-        debug.debugFn('notice', `pr: updating stale ${prRef}`);
+        require$$6.debugFn('notice', `pr: updating stale ${prRef}`);
         // Update entry entry.
         if (context.apiType === 'graphql') {
           context.entry.mergeStateStatus = 'CLEAN';
@@ -3341,7 +3328,7 @@ async function cleanupPrs(owner, repo, options) {
         cachesToSave.set(context.cacheKey, context.data);
       } catch (e) {
         const message = e?.message || 'Unknown error';
-        debug.debugFn('error', `pr: failed to update ${prRef} - ${message}`);
+        require$$6.debugFn('error', `pr: failed to update ${prRef} - ${message}`);
       }
     }
     return match;
@@ -3542,7 +3529,7 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
       base: baseBranch,
       body: getSocketPullRequestBody(purlObj, newVersion, workspace)
     };
-    debug.debugDir('inspect', {
+    require$$6.debugDir('inspect', {
       octokitPullsCreateParams
     });
     return await octokit.pulls.create(octokitPullsCreateParams);
@@ -3553,7 +3540,7 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
       const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
       message += `:\n${details}`;
     }
-    debug.debugFn('error', message);
+    require$$6.debugFn('error', message);
   }
   return null;
 }
@@ -3564,16 +3551,16 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
   const stdioIgnoreOptions = {
     cwd,
-    stdio: debug.isDebug('stdio') ? 'inherit' : 'ignore'
+    stdio: require$$6.isDebug('stdio') ? 'inherit' : 'ignore'
   };
   const quotedCmd = `\`git remote set-url origin ${url}\``;
-  debug.debugFn('stdio', `spawn: ${quotedCmd}`);
+  require$$6.debugFn('stdio', `spawn: ${quotedCmd}`);
   try {
     await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn('error', `caught: ${quotedCmd} failed`);
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', `caught: ${quotedCmd} failed`);
+    require$$6.debugDir('inspect', {
       error: e
     });
   }
@@ -3586,7 +3573,7 @@ function ciRepoInfo() {
     GITHUB_REPOSITORY
   } = constants.ENV;
   if (!GITHUB_REPOSITORY) {
-    debug.debugFn('notice', 'miss: GITHUB_REPOSITORY env var');
+    require$$6.debugFn('notice', 'miss: GITHUB_REPOSITORY env var');
   }
   const ownerSlashRepo = GITHUB_REPOSITORY;
   const slashIndex = ownerSlashRepo.indexOf('/');
@@ -3610,9 +3597,9 @@ async function getFixEnv() {
   // but some CI checks are passing,
   constants.ENV.CI || gitEmail || gitUser || githubToken) &&
   // then log about it when in debug mode.
-  debug.isDebug('notice')) {
+  require$$6.isDebug('notice')) {
     const envVars = [...(constants.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
-    debug.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envVars)} to be set`);
+    require$$6.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envVars)} to be set`);
   }
   let repoInfo = null;
   if (isCi) {
@@ -3620,7 +3607,7 @@ async function getFixEnv() {
   }
   if (!repoInfo) {
     if (isCi) {
-      debug.debugFn('notice', 'falling back to `git remote get-url origin`');
+      require$$6.debugFn('notice', 'falling back to `git remote get-url origin`');
     }
     repoInfo = await utils.getRepoInfo();
   }
@@ -3744,7 +3731,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
     pkgPath: rootPath
   } = pkgEnvDetails;
   const fixEnv = await getFixEnv();
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     fixEnv
   });
   const {
@@ -3768,11 +3755,11 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
     spinner?.stop();
     logger.logger.info('No fixable vulns found.');
     if (alertsMap.size) {
-      debug.debugDir('inspect', {
+      require$$6.debugDir('inspect', {
         alertsMap
       });
     } else {
-      debug.debugFn('inspect', '{ alertsMap: Map(0) {} }');
+      require$$6.debugFn('inspect', '{ alertsMap: Map(0) {} }');
     }
     return {
       ok: true,
@@ -3781,14 +3768,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       }
     };
   }
-  if (debug.isDebug('notice,inspect')) {
+  if (require$$6.isDebug('notice,inspect')) {
     spinner?.stop();
     const partialPurls = Array.from(infoByPartialPurl.keys());
     const {
       length: purlsCount
     } = partialPurls;
-    debug.debugFn('notice', `found: ${purlsCount} ${words.pluralize('PURL', purlsCount)} with CVEs`);
-    debug.debugDir('inspect', {
+    require$$6.debugFn('notice', `found: ${purlsCount} ${words.pluralize('PURL', purlsCount)} with CVEs`);
+    require$$6.debugDir('inspect', {
       partialPurls
     });
     spinner?.start();
@@ -3837,14 +3824,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
     const name = packages.resolvePackageName(partialPurlObj);
     const infos = Array.from(infoEntry[1].values());
     if (!infos.length) {
-      debug.debugFn('notice', `miss: CVEs expected, but not found, for ${name}`);
+      require$$6.debugFn('notice', `miss: CVEs expected, but not found, for ${name}`);
       continue infoEntriesLoop;
     }
     logger.logger.log(`Processing '${name}'`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(partialPurlObj.type, name)) {
-      debug.debugFn('notice', `found: Socket Optimize variant for ${name}`);
+      require$$6.debugFn('notice', `found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -3854,7 +3841,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       // Skip to next package.
       continue infoEntriesLoop;
     }
-    debug.debugDir('inspect', {
+    require$$6.debugDir('inspect', {
       infos
     });
     const availableVersions = Object.keys(packument.versions);
@@ -3894,7 +3881,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       }
       const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn('notice', `skip: ${name} not found`);
+        require$$6.debugFn('notice', `skip: ${name} not found`);
         cleanupInfoEntriesLoop();
         // Skip to next package.
         continue infoEntriesLoop;
@@ -3910,8 +3897,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       const seenVersions = new Set();
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
-      if (debug.isDebug('notice')) {
-        debug.debugFn('notice', `check: workspace ${workspace}`);
+      if (require$$6.isDebug('notice')) {
+        require$$6.debugFn('notice', `check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -3920,7 +3907,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
         const oldPurl = utils.idToPurl(oldId, partialPurlObj.type);
         const node = shadowNpmInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn('notice', `skip: ${oldId} not found`);
+          require$$6.debugFn('notice', `skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -3940,7 +3927,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             continue infosLoop;
           }
           if (vendor.semverExports.gte(oldVersion, newVersion)) {
-            debug.debugFn('silly', `skip: ${oldId} is >= ${newVersion}`);
+            require$$6.debugFn('silly', `skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
           }
           const branch = getSocketBranchName(oldPurl, newVersion, workspace);
@@ -3949,14 +3936,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
           }
           const pr = prCheck ? prs.find(p => p.headRefName === branch) : undefined;
           if (pr) {
-            debug.debugFn('notice', `skip: PR #${pr.number} for ${name}@${newVersion} exists`);
+            require$$6.debugFn('notice', `skip: PR #${pr.number} for ${name}@${newVersion} exists`);
             seenBranches.add(branch);
             continue infosLoop;
           }
           if (fixEnv.isCi && (
           // eslint-disable-next-line no-await-in-loop
           await utils.gitRemoteBranchExists(branch, cwd))) {
-            debug.debugFn('notice', `skip: remote branch "${branch}" for ${name}@${newVersion} exists`);
+            require$$6.debugFn('notice', `skip: remote branch "${branch}" for ${name}@${newVersion} exists`);
             seenBranches.add(branch);
             continue infosLoop;
           }
@@ -3985,7 +3972,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
 
           // eslint-disable-next-line no-await-in-loop
           if (!(await hasModifiedFiles(cwd))) {
-            debug.debugFn('notice', `skip: no changes for ${name}@${newVersion}`);
+            require$$6.debugFn('notice', `skip: no changes for ${name}@${newVersion}`);
             seenVersions.add(newVersion);
             // Reset things just in case.
             if (fixEnv.isCi) {
@@ -4036,7 +4023,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
 
           // Check repoInfo to make TypeScript happy.
           if (!errored && fixEnv.isCi && fixEnv.repoInfo) {
-            debug.debugFn('notice', 'pr: creating');
+            require$$6.debugFn('notice', 'pr: creating');
             try {
               const pushed =
               // eslint-disable-next-line no-await-in-loop
@@ -4116,7 +4103,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               errored = true;
             }
           } else if (fixEnv.isCi) {
-            debug.debugFn('notice', 'skip: PR creation');
+            require$$6.debugFn('notice', 'skip: PR creation');
           }
           if (fixEnv.isCi) {
             spinner?.start();
@@ -4161,12 +4148,12 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             return {
               ok: false,
               message: 'Update failed',
-              cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
+              cause: `Update failed for ${oldId} in ${workspace}${error ? `; ${error}` : ''}`
             };
           } else {
             changed = true;
           }
-          debug.debugFn('notice', 'increment: count', count + 1);
+          require$$6.debugFn('notice', 'increment: count', count + 1);
           if (++count >= limit) {
             cleanupInfoEntriesLoop();
             // Exit main loop.
@@ -4226,7 +4213,7 @@ async function install$1(pkgEnvDetails, options) {
     __proto__: null,
     ...options
   };
-  const useDebug = debug.isDebug('stdio');
+  const useDebug = require$$6.isDebug('stdio');
   const args = [
   // If "true", npm does not run scripts specified in package.json files.
   // Note that commands explicitly intended to run a particular script, such
@@ -4255,7 +4242,7 @@ async function install$1(pkgEnvDetails, options) {
   // https://docs.npmjs.com/cli/v8/using-npm/config#loglevel
   ...(useDebug ? [] : ['--silent']), ...(extraArgs ?? [])];
   const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
-  debug.debugFn('stdio', `spawn: ${quotedCmd}`);
+  require$$6.debugFn('stdio', `spawn: ${quotedCmd}`);
   const isSpinning = spinner?.isSpinning;
   spinner?.stop();
   let errored = false;
@@ -4266,8 +4253,8 @@ async function install$1(pkgEnvDetails, options) {
       stdio: useDebug ? 'inherit' : 'ignore'
     });
   } catch (e) {
-    debug.debugFn('error', `caught: ${quotedCmd} failed`);
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', `caught: ${quotedCmd} failed`);
+    require$$6.debugDir('inspect', {
       error: e
     });
     errored = true;
@@ -4277,8 +4264,8 @@ async function install$1(pkgEnvDetails, options) {
     try {
       actualTree = await getActualTree(cwd);
     } catch (e) {
-      debug.debugFn('error', 'caught: Arborist error');
-      debug.debugDir('inspect', {
+      require$$6.debugFn('error', 'caught: Arborist error');
+      require$$6.debugDir('inspect', {
         error: e
       });
     }
@@ -4315,8 +4302,8 @@ async function npmFix(pkgEnvDetails, fixConfig) {
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('error', 'caught: PURL API');
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', 'caught: PURL API');
+    require$$6.debugDir('inspect', {
       error: e
     });
     return {
@@ -4421,7 +4408,7 @@ async function install(pkgEnvDetails, options) {
   // https://github.com/pnpm/pnpm/issues/6778
   '--config.confirmModulesPurge=false', ...(extraArgs ?? [])];
   const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
-  debug.debugFn('stdio', `spawn: ${quotedCmd}`);
+  require$$6.debugFn('stdio', `spawn: ${quotedCmd}`);
   const isSpinning = spinner?.isSpinning;
   spinner?.stop();
   let errored = false;
@@ -4429,11 +4416,11 @@ async function install(pkgEnvDetails, options) {
     await utils.runAgentInstall(pkgEnvDetails, {
       args,
       spinner,
-      stdio: debug.isDebug('stdio') ? 'inherit' : 'ignore'
+      stdio: require$$6.isDebug('stdio') ? 'inherit' : 'ignore'
     });
   } catch (e) {
-    debug.debugFn('error', `caught: ${quotedCmd} failed`);
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', `caught: ${quotedCmd} failed`);
+    require$$6.debugDir('inspect', {
       error: e
     });
     errored = true;
@@ -4443,8 +4430,8 @@ async function install(pkgEnvDetails, options) {
     try {
       actualTree = await getActualTree(cwd);
     } catch (e) {
-      debug.debugFn('error', 'caught: Arborist error');
-      debug.debugDir('inspect', {
+      require$$6.debugFn('error', 'caught: Arborist error');
+      require$$6.debugDir('inspect', {
         error: e
       });
     }
@@ -4500,8 +4487,8 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
     alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions()) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getFixAlertsMapOptions());
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('error', 'caught: PURL API');
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', 'caught: PURL API');
+    require$$6.debugDir('inspect', {
       error: e
     });
     return {
@@ -4657,7 +4644,7 @@ async function handleFix({
     }, outputKind);
     return;
   }
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     pkgEnvDetails
   });
 
@@ -4700,6 +4687,7 @@ async function handleFix({
 const {
   DRY_RUN_NOT_SAVING
 } = constants;
+const DEFAULT_LIMIT = 10;
 const config$H = {
   commandName: 'fix',
   description: 'Update dependencies with "fixable" Socket alerts',
@@ -4719,14 +4707,14 @@ const config$H = {
     ghsa: {
       type: 'string',
       default: [],
-      description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags.\n                        Use '--ghsa auto' to automatically lookup GHSA IDs and compute fixes for them.`,
+      description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags.\n                        Use '--ghsa all' to lookup all GHSA IDs and compute fixes for them.`,
       isMultiple: true,
       hidden: true
     },
     limit: {
       type: 'number',
-      default: Infinity,
-      description: 'The number of fixes to attempt at a time'
+      default: DEFAULT_LIMIT,
+      description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
     },
     maxSatisfying: {
       type: 'boolean',
@@ -4748,7 +4736,7 @@ const config$H = {
     purl: {
       type: 'string',
       default: [],
-      description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as multiple flags,\n                        instead of querying the Socket API`,
+      description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\n                        multiple flags, instead of querying the Socket API`,
       isMultiple: true,
       shortFlag: 'p'
     },
@@ -4756,7 +4744,7 @@ const config$H = {
       type: 'string',
       default: 'preserve',
       description: `
-                        Define how updated dependency versions should be written in package.json.
+                        Define how dependency version ranges are updated in package.json (default 'preserve').
                         Available styles:
                           * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
                           * gt - Use > to allow any newer version (e.g. >1.2.3)
@@ -4776,7 +4764,7 @@ const config$H = {
     testScript: {
       type: 'string',
       default: 'test',
-      description: 'The test script to run for each fix attempt'
+      description: "The test script to run for fix attempts (default 'test')"
     }
   },
   help: (command, config) => `
@@ -4868,7 +4856,7 @@ async function run$H(argv, importMeta, {
   // socket-cli/patches/meow#13.2.0.patch.
   const unknownFlags = cli.unknownFlags ?? [];
   const ghsas = utils.cmdFlagValueToArray(cli.flags['ghsa']);
-  const limit = (cli.flags['limit'] ? parseInt(String(cli.flags['limit'] || ''), 10) : Infinity) || Infinity;
+  const limit = Number(cli.flags['limit']) || DEFAULT_LIMIT;
   const maxSatisfying = Boolean(cli.flags['maxSatisfying']);
   const minSatisfying = Boolean(cli.flags['minSatisfying']) || !maxSatisfying;
   const prCheck = Boolean(cli.flags['prCheck']);
@@ -4936,9 +4924,9 @@ async function setupTabCompletion(targetName) {
 
   // Target dir is something like ~/.local/share/socket/settings/completion (linux)
   const targetDir = path.dirname(targetPath);
-  debug.debugFn('notice', 'target: path + dir', targetPath, targetDir);
+  require$$6.debugFn('notice', 'target: path + dir', targetPath, targetDir);
   if (!fs$1.existsSync(targetDir)) {
-    debug.debugFn('notice', 'create: target dir');
+    require$$6.debugFn('notice', 'create: target dir');
     fs$1.mkdirSync(targetDir, {
       recursive: true
     });
@@ -5096,14 +5084,14 @@ async function outputCmdJson(cwd) {
     process.exitCode = 1;
     return;
   }
-  if (!utils.safeStatsSync(sockJsonPath)?.isFile()) {
+  if (!fs$2.safeStatsSync(sockJsonPath)?.isFile()) {
     logger.logger.fail(`This is not a regular file (maybe a directory?): ${tildeSockJsonPath}`);
     process.exitCode = 1;
     return;
   }
   logger.logger.success(`This is the contents of ${tildeSockJsonPath}:`);
   logger.logger.error('');
-  const data = utils.safeReadFileSync(sockJsonPath);
+  const data = fs$2.safeReadFileSync(sockJsonPath);
   logger.logger.log(data);
 }
 
@@ -5821,7 +5809,7 @@ async function run$B(argv, importMeta, {
   }
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
   const detected = await detectManifestActions(sockJson, cwd);
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     detected
   });
   if (cli.flags['dryRun']) {
@@ -6088,7 +6076,7 @@ async function run$z(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  require$$6.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6245,7 +6233,7 @@ async function run$y(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  require$$6.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6411,7 +6399,7 @@ async function run$x(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('inspect', 'override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
+  require$$6.debugFn('inspect', 'override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6505,7 +6493,7 @@ async function outputManifestSetup(result) {
 
 async function setupManifestConfig(cwd, defaultOnReadError = false) {
   const detected = await detectManifestActions(null, cwd);
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     detected
   });
 
@@ -7679,7 +7667,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   let loggedAddingText = false;
 
   // Chunk package names to process them in parallel 3 at a time.
-  await require$$8.pEach(manifestEntries, 3, async ({
+  await require$$8.pEach(manifestEntries, async ({
     1: data
   }) => {
     const {
@@ -7733,7 +7721,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         npmExecPath
       });
       // Chunk package names to process them in parallel 3 at a time.
-      await require$$8.pEach(overridesDataObjects, 3, async ({
+      await require$$8.pEach(overridesDataObjects, async ({
         overrides,
         type
       }) => {
@@ -7782,12 +7770,16 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
             }
           }
         }
+      }, {
+        concurrency: 3
       });
     }
+  }, {
+    concurrency: 3
   });
   if (isWorkspace) {
     // Chunk package names to process them in parallel 3 at a time.
-    await require$$8.pEach(workspacePkgJsonPaths, 3, async workspacePkgJsonPath => {
+    await require$$8.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
       const otherState = await addOverrides(pkgEnvDetails, path.dirname(workspacePkgJsonPath), {
         logger,
         pin,
@@ -7799,6 +7791,8 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
           state[key].add(value);
         }
       }
+    }, {
+      concurrency: 3
     });
   }
   if (state.added.size > 0 || state.updated.size > 0) {
@@ -7843,8 +7837,8 @@ async function updateLockfile(pkgEnvDetails, options) {
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('error', 'fail: update');
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', 'fail: update');
+    require$$6.debugDir('inspect', {
       error: e
     });
     return {
@@ -7898,10 +7892,10 @@ async function applyOptimization(pkgEnvDetails, {
     ok: true,
     data: {
       addedCount,
-      updatedCount,
+      addedInWorkspaces: state.addedInWorkspaces.size,
       pkgJsonChanged,
-      updatedInWorkspaces: state.updatedInWorkspaces.size,
-      addedInWorkspaces: state.addedInWorkspaces.size
+      updatedCount,
+      updatedInWorkspaces: state.updatedInWorkspaces.size
     }
   };
 }
@@ -7971,7 +7965,7 @@ async function handleOptimize({
     await outputOptimizeResult({
       ok: false,
       message: 'Unsupported',
-      cause: utils.cmdPrefixMessage(CMD_NAME, `${agent} v${agentVersion} does not support overrides. Soon, though ⚡`)
+      cause: utils.cmdPrefixMessage(CMD_NAME, `${agent} v${agentVersion} does not support overrides.`)
     }, outputKind);
     return;
   }
@@ -9209,7 +9203,7 @@ function formatReportCard(artifact, color) {
   };
   const alertString = getAlertString(artifact.alerts, !color);
   if (!artifact.ecosystem) {
-    debug.debugFn('notice', 'miss: artifact ecosystem', artifact);
+    require$$6.debugFn('notice', 'miss: artifact ecosystem', artifact);
   }
   const purl = `pkg:${artifact.ecosystem}/${artifact.name}${artifact.version ? '@' + artifact.version : ''}`;
   return ['Package: ' + (color ? vendor.yoctocolorsCjsExports.bold(purl) : purl), '', ...Object.entries(scoreResult).map(score => `- ${score[0]}:`.padEnd(20, ' ') + `  ${formatScore(score[1], !color, true)}`), alertString].join('\n');
@@ -10018,8 +10012,8 @@ async function fetchListAllRepos(orgSlug, options) {
       desc: 'list of repositories'
     });
     if (!orgRepoListCResult.ok) {
-      debug.debugFn('error', 'fail: fetch repo');
-      debug.debugDir('inspect', {
+      require$$6.debugFn('error', 'fail: fetch repo');
+      require$$6.debugDir('inspect', {
         orgRepoListCResult
       });
       return orgRepoListCResult;
@@ -11604,7 +11598,7 @@ async function scanOneRepo(repoSlug, {
     };
   }
   const tmpDir = fs$1.mkdtempSync(path.join(os.tmpdir(), repoSlug));
-  debug.debugFn('notice', 'init: temp dir for scan root', tmpDir);
+  require$$6.debugFn('notice', 'init: temp dir for scan root', tmpDir);
   const downloadResult = await testAndDownloadManifestFiles({
     files,
     tmpDir,
@@ -11717,11 +11711,11 @@ async function testAndDownloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('notice', 'testing: file', file);
+  require$$6.debugFn('notice', 'testing: file', file);
   const supportedFilesCResult = await fetchSupportedScanFileNames();
   const supportedFiles = supportedFilesCResult.ok ? supportedFilesCResult.data : undefined;
   if (!supportedFiles || !utils.isReportSupportedFile(file, supportedFiles)) {
-    debug.debugFn('notice', '  - skip: not a known pattern');
+    require$$6.debugFn('notice', '  - skip: not a known pattern');
     // Not an error.
     return {
       ok: true,
@@ -11730,7 +11724,7 @@ async function testAndDownloadManifestFile({
       }
     };
   }
-  debug.debugFn('notice', 'found: manifest file, going to attempt to download it;', file);
+  require$$6.debugFn('notice', 'found: manifest file, going to attempt to download it;', file);
   const result = await downloadManifestFile({
     file,
     tmpDir,
@@ -11752,9 +11746,9 @@ async function downloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('notice', 'request: download url from GitHub');
+  require$$6.debugFn('notice', 'request: download url from GitHub');
   const fileUrl = `${repoApiUrl}/contents/${file}?ref=${defaultBranch}`;
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     fileUrl
   });
   const downloadUrlResponse = await fetch(fileUrl, {
@@ -11763,9 +11757,9 @@ async function downloadManifestFile({
       Authorization: `Bearer ${githubToken}`
     }
   });
-  debug.debugFn('notice', 'complete: request');
+  require$$6.debugFn('notice', 'complete: request');
   const downloadUrlText = await downloadUrlResponse.text();
-  debug.debugFn('inspect', 'response: raw download url', downloadUrlText);
+  require$$6.debugFn('inspect', 'response: raw download url', downloadUrlText);
   let downloadUrl;
   try {
     downloadUrl = JSON.parse(downloadUrlText).download_url;
@@ -11778,7 +11772,7 @@ async function downloadManifestFile({
     };
   }
   const localPath = path.join(tmpDir, file);
-  debug.debugFn('notice', 'download: manifest file started', downloadUrl, '->', localPath);
+  require$$6.debugFn('notice', 'download: manifest file started', downloadUrl, '->', localPath);
 
   // Now stream the file to that file...
   const result = await streamDownloadWithFetch(localPath, downloadUrl);
@@ -11787,7 +11781,7 @@ async function downloadManifestFile({
     logger.logger.fail(`Failed to download manifest file, skipping to next file. File: ${file}`);
     return result;
   }
-  debug.debugFn('notice', 'download: manifest file completed');
+  require$$6.debugFn('notice', 'download: manifest file completed');
   return {
     ok: true,
     data: undefined
@@ -11839,7 +11833,7 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
     };
   } catch (error) {
     logger.logger.fail('An error was thrown while trying to download a manifest file... url:', downloadUrl);
-    debug.debugDir('inspect', {
+    require$$6.debugDir('inspect', {
       error
     });
 
@@ -11863,7 +11857,7 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       // If error was due to bad HTTP status
       detailedError += ` (HTTP Status: ${response.status} ${response.statusText})`;
     }
-    debug.debugFn('error', detailedError);
+    require$$6.debugFn('error', detailedError);
     return {
       ok: false,
       message: 'Download Failed',
@@ -11880,14 +11874,14 @@ async function getLastCommitDetails({
 }) {
   logger.logger.info(`Requesting last commit for default branch ${defaultBranch} for ${orgGithub}/${repoSlug}...`);
   const commitApiUrl = `${repoApiUrl}/commits?sha=${defaultBranch}&per_page=1`;
-  debug.debugFn('inspect', 'url: commit', commitApiUrl);
+  require$$6.debugFn('inspect', 'url: commit', commitApiUrl);
   const commitResponse = await fetch(commitApiUrl, {
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
   const commitText = await commitResponse.text();
-  debug.debugFn('inspect', 'response: commit', commitText);
+  require$$6.debugFn('inspect', 'response: commit', commitText);
   let lastCommit;
   try {
     lastCommit = JSON.parse(commitText)?.[0];
@@ -11974,7 +11968,7 @@ async function getRepoDetails({
   repoSlug
 }) {
   const repoApiUrl = `${githubApiUrl}/repos/${orgGithub}/${repoSlug}`;
-  debug.debugDir('inspect', {
+  require$$6.debugDir('inspect', {
     repoApiUrl
   });
   const repoDetailsResponse = await fetch(repoApiUrl, {
@@ -11985,7 +11979,7 @@ async function getRepoDetails({
   });
   logger.logger.success(`Request completed.`);
   const repoDetailsText = await repoDetailsResponse.text();
-  debug.debugFn('inspect', 'response: repo', repoDetailsText);
+  require$$6.debugFn('inspect', 'response: repo', repoDetailsText);
   let repoDetails;
   try {
     repoDetails = JSON.parse(repoDetailsText);
@@ -12024,7 +12018,7 @@ async function getRepoBranchTree({
 }) {
   logger.logger.info(`Requesting default branch file tree; branch \`${defaultBranch}\`, repo \`${orgGithub}/${repoSlug}\`...`);
   const treeApiUrl = `${repoApiUrl}/git/trees/${defaultBranch}?recursive=1`;
-  debug.debugFn('inspect', 'url: tree', treeApiUrl);
+  require$$6.debugFn('inspect', 'url: tree', treeApiUrl);
   const treeResponse = await fetch(treeApiUrl, {
     method: 'GET',
     headers: {
@@ -12032,7 +12026,7 @@ async function getRepoBranchTree({
     }
   });
   const treeText = await treeResponse.text();
-  debug.debugFn('inspect', 'response: tree', treeText);
+  require$$6.debugFn('inspect', 'response: tree', treeText);
   let treeDetails;
   try {
     treeDetails = JSON.parse(treeText);
@@ -12061,7 +12055,7 @@ async function getRepoBranchTree({
     };
   }
   if (!treeDetails.tree || !Array.isArray(treeDetails.tree)) {
-    debug.debugDir('inspect', {
+    require$$6.debugDir('inspect', {
       treeDetails: {
         tree: treeDetails.tree
       }
@@ -13373,8 +13367,8 @@ async function fetchScan(orgSlug, scanId) {
       return JSON.parse(line);
     } catch {
       ok = false;
-      debug.debugFn('error', 'fail: parse NDJSON');
-      debug.debugDir('inspect', {
+      require$$6.debugFn('error', 'fail: parse NDJSON');
+      require$$6.debugDir('inspect', {
         line
       });
       return null;
@@ -14267,8 +14261,8 @@ Do you want to install "safe npm" (this will create an alias to the socket-npm c
       }
     }
   } catch (e) {
-    debug.debugFn('error', 'fail: setup tab completion');
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', 'fail: setup tab completion');
+    require$$6.debugDir('inspect', {
       error: e
     });
     // Ignore. Skip tab completion setup.
@@ -14583,8 +14577,8 @@ void (async () => {
     });
   } catch (e) {
     process.exitCode = 1;
-    debug.debugFn('error', 'Uncaught error (BAD!):');
-    debug.debugDir('inspect', {
+    require$$6.debugFn('error', 'Uncaught error (BAD!):');
+    require$$6.debugDir('inspect', {
       error: e
     });
     let errorBody;
@@ -14628,7 +14622,7 @@ void (async () => {
       logger.logger.error('\n'); // Any-spinner-newline
       logger.logger.fail(utils.failMsgWithBadge(errorTitle, errorMessage));
       if (errorBody) {
-        debug.debugDir('inspect', {
+        require$$6.debugDir('inspect', {
           errorBody
         });
       }
@@ -14636,5 +14630,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=17c5b5ba-1b60-498d-8e4a-b6943d431dd2
+//# debugId=8579bbdd-d381-460b-9333-6759b277974a
 //# sourceMappingURL=cli.js.map