@socketsecurity/cli-with-sentry 1.1.0 → 1.1.1

package/dist/cli.js

@@ -18,13 +18,13 @@ var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
-var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var shadowNpmBin = require('./shadow-npm-bin.js');
-var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
+var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
 var registry = require('../external/@socketsecurity/registry');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
-var require$$11 = require('../external/@socketsecurity/registry/lib/promises');
+var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
+var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -923,7 +923,8 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
 
 async function fetchSupportedScanFileNames(options) {
   const {
-    sdkOpts
+    sdkOpts,
+    spinner
   } = {
     __proto__: null,
     ...options
@@ -934,7 +935,8 @@ async function fetchSupportedScanFileNames(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
-    desc: 'supported scan file types'
+    desc: 'supported scan file types',
+    spinner
   });
 }
 
@@ -2154,7 +2156,12 @@ async function handleCreateNewScan({
     });
     logger.logger.info('Auto-generation finished. Proceeding with Scan creation.');
   }
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const {
+    spinner
+  } = constants;
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     await outputCreateNewScan(supportedFilesCResult, {
       interactive,
@@ -2162,9 +2169,6 @@ async function handleCreateNewScan({
     });
     return;
   }
-  const {
-    spinner
-  } = constants;
   spinner.start('Searching for local files to include in scan...');
   const supportedFiles = supportedFilesCResult.data;
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
@@ -3165,210 +3169,76 @@ const cmdConfig = {
   }
 };
 
-function formatBranchName(name) {
-  return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
+const GITHUB_ADVISORIES_URL = 'https://github.com/advisories';
+function getSocketFixBranchName(ghsaId) {
+  return `socket/fix/${ghsaId}`;
 }
-function createSocketBranchParser(options) {
-  const pattern = getSocketBranchPattern(options);
-  return function parse(branch) {
-    const match = pattern.exec(branch);
-    if (!match) {
-      return null;
+function getSocketFixBranchPattern(ghsaId) {
+  return new RegExp(`^socket/fix/(${ghsaId ?? '.+'})$`);
+}
+function getSocketFixCommitMessage(ghsaId, details) {
+  const summary = details?.summary;
+  return `fix: ${ghsaId}${summary ? ` - ${summary}` : ''}`;
+}
+function getSocketFixPullRequestBody(ghsaIds, ghsaDetails) {
+  const vulnCount = ghsaIds.length;
+  if (vulnCount === 1) {
+    const ghsaId = ghsaIds[0];
+    const details = ghsaDetails?.get(ghsaId);
+    const body = `[Socket](${constants.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
+    if (!details) {
+      return body;
     }
-    const {
-      1: type,
-      2: workspace,
-      3: fullName,
-      4: version,
-      5: newVersion
-    } = match;
-    return {
-      fullName,
-      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
-      type,
-      workspace,
-      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
-    };
-  };
+    const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
+    return [body, '', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
+  }
+  return [`[Socket](${constants.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+    const details = ghsaDetails?.get(id);
+    const item = `- [${id}](${GITHUB_ADVISORIES_URL}/${id})`;
+    if (details) {
+      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
+      return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
+    }
+    return item;
+  })].join('\n');
+}
+function getSocketFixPullRequestTitle(ghsaIds) {
+  const vulnCount = ghsaIds.length;
+  return vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
 }
-createSocketBranchParser();
-function getSocketBranchPattern(options) {
+
+async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
   const {
-    newVersion,
-    purl,
-    workspace
+    baseBranch = 'main',
+    ghsaDetails
   } = {
     __proto__: null,
     ...options
   };
-  const purlObj = purl ? utils.getPurlObject(purl) : null;
-  const escType = purlObj ? regexps.escapeRegExp(purlObj.type) : '[^/]+';
-  const escWorkspace = workspace ? `${regexps.escapeRegExp(formatBranchName(workspace))}` : '.+';
-  const escMaybeNamespace = purlObj?.namespace ? `${regexps.escapeRegExp(formatBranchName(purlObj.namespace))}--` : '';
-  const escFullName = purlObj ? `${escMaybeNamespace}${regexps.escapeRegExp(formatBranchName(purlObj.name))}` : '[^/_]+';
-  const escVersion = purlObj ? regexps.escapeRegExp(formatBranchName(purlObj.version)) : '[^_]+';
-  const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
-  return new RegExp(`^socket/(${escType})/(${escWorkspace})/(${escFullName})_(${escVersion})_(${escNewVersion})$`);
-}
-
-let _octokit;
-function getOctokit() {
-  if (_octokit === undefined) {
-    const {
-      SOCKET_CLI_GITHUB_TOKEN
-    } = constants.ENV;
-    if (!SOCKET_CLI_GITHUB_TOKEN) {
-      require$$9.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
-    }
-    const octokitOptions = {
-      auth: SOCKET_CLI_GITHUB_TOKEN,
-      baseUrl: constants.ENV.GITHUB_API_URL
+  const octokit = utils.getOctokit();
+  try {
+    const octokitPullsCreateParams = {
+      owner,
+      repo,
+      title: getSocketFixPullRequestTitle(ghsaIds),
+      head: branch,
+      base: baseBranch,
+      body: getSocketFixPullRequestBody(ghsaIds, ghsaDetails)
     };
     require$$9.debugDir('inspect', {
-      octokitOptions
-    });
-    _octokit = new vendor.Octokit(octokitOptions);
-  }
-  return _octokit;
-}
-let _octokitGraphql;
-function getOctokitGraphql() {
-  if (!_octokitGraphql) {
-    const {
-      SOCKET_CLI_GITHUB_TOKEN
-    } = constants.ENV;
-    if (!SOCKET_CLI_GITHUB_TOKEN) {
-      require$$9.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
-    }
-    _octokitGraphql = vendor.graphql2.defaults({
-      headers: {
-        authorization: `token ${SOCKET_CLI_GITHUB_TOKEN}`
-      }
-    });
-  }
-  return _octokitGraphql;
-}
-async function readCache(key,
-// 5 minute in milliseconds time to live (TTL).
-ttlMs = 5 * 60 * 1000) {
-  const cacheJsonPath = path.join(constants.githubCachePath, `${key}.json`);
-  const stat = fs$2.safeStatsSync(cacheJsonPath);
-  if (stat) {
-    const isExpired = Date.now() - stat.mtimeMs > ttlMs;
-    if (!isExpired) {
-      return await fs$2.readJson(cacheJsonPath);
-    }
-  }
-  return null;
-}
-async function writeCache(key, data) {
-  const {
-    githubCachePath
-  } = constants;
-  const cacheJsonPath = path.join(githubCachePath, `${key}.json`);
-  if (!fs$1.existsSync(githubCachePath)) {
-    await fs$1.promises.mkdir(githubCachePath, {
-      recursive: true
-    });
-  }
-  await fs$2.writeJson(cacheJsonPath, data);
-}
-async function cacheFetch(key, fetcher, ttlMs) {
-  // Optionally disable cache.
-  if (constants.ENV.DISABLE_GITHUB_CACHE) {
-    return await fetcher();
-  }
-  let data = await readCache(key, ttlMs);
-  if (!data) {
-    data = await fetcher();
-    await writeCache(key, data);
-  }
-  return data;
-}
-async function fetchGhsaDetails(ids) {
-  const results = new Map();
-  if (!ids.length) {
-    return results;
-  }
-  const octokitGraphql = getOctokitGraphql();
-  try {
-    const gqlCacheKey = `${ids.join('-')}-graphql-snapshot`;
-    const aliases = ids.map((id, index) => `advisory${index}: securityAdvisory(ghsaId: "${id}") {
-        ghsaId
-        summary
-        severity
-        publishedAt
-        withdrawnAt
-        vulnerabilities(first: 10) {
-          nodes {
-            package {
-              ecosystem
-              name
-            }
-            vulnerableVersionRange
-          }
-        }
-      }`).join('\n');
-    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
-        query {
-          ${aliases}
-        }
-      `));
-    for (let i = 0, {
-        length
-      } = ids; i < length; i += 1) {
-      const id = ids[i];
-      const advisoryKey = `advisory${i}`;
-      const advisory = gqlResp?.[advisoryKey];
-      if (advisory && advisory.ghsaId) {
-        results.set(id, advisory);
-      } else {
-        require$$9.debugFn('notice', `miss: no advisory found for ${id}`);
-      }
-    }
-  } catch (e) {
-    require$$9.debugFn('error', `Failed to fetch GHSA details: ${e?.message || 'Unknown error'}`);
-  }
-  return results;
-}
-async function enablePrAutoMerge({
-  node_id: prId
-}) {
-  const octokitGraphql = getOctokitGraphql();
-  try {
-    const gqlResp = await octokitGraphql(`
-      mutation EnableAutoMerge($pullRequestId: ID!) {
-        enablePullRequestAutoMerge(input: {
-          pullRequestId: $pullRequestId,
-          mergeMethod: SQUASH
-        }) {
-          pullRequest {
-            number
-          }
-        }
-      }`, {
-      pullRequestId: prId
+      octokitPullsCreateParams
     });
-    const respPrNumber = gqlResp?.enablePullRequestAutoMerge?.pullRequest?.number;
-    if (respPrNumber) {
-      return {
-        enabled: true
-      };
-    }
+    return await octokit.pulls.create(octokitPullsCreateParams);
   } catch (e) {
-    if (e instanceof vendor.GraphqlResponseError && Array.isArray(e.errors) && e.errors.length) {
-      const details = e.errors.map(({
-        message: m
-      }) => m.trim());
-      return {
-        enabled: false,
-        details
-      };
+    let message = `Failed to open pull request`;
+    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
+    if (Array.isArray(errors) && errors.length) {
+      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
+      message += `:\n${details}`;
     }
+    require$$9.debugFn('error', message);
   }
-  return {
-    enabled: false
-  };
+  return null;
 }
 async function getSocketPrs(owner, repo, options) {
   return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
@@ -3376,22 +3246,23 @@ async function getSocketPrs(owner, repo, options) {
 async function getSocketPrsWithContext(owner, repo, options) {
   const {
     author,
+    ghsaId,
     states: statesValue = 'all'
   } = {
     __proto__: null,
     ...options
   };
-  const branchPattern = getSocketBranchPattern(options);
+  const branchPattern = getSocketFixBranchPattern(ghsaId);
   const checkAuthor = strings.isNonEmptyString(author);
-  const octokit = getOctokit();
-  const octokitGraphql = getOctokitGraphql();
+  const octokit = utils.getOctokit();
+  const octokitGraphql = utils.getOctokitGraphql();
   const contextualMatches = [];
   const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
     // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
     // API quota usage. Fallback to REST if no matching PRs are found.
     const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
-    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
+    const gqlResp = await utils.cacheFetch(gqlCacheKey, () => octokitGraphql(`
           query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
             repository(owner: $owner, name: $repo) {
               pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
@@ -3448,7 +3319,7 @@ async function getSocketPrsWithContext(owner, repo, options) {
   let allPrs;
   const cacheKey = `${repo}-pull-requests`;
   try {
-    allPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
+    allPrs = await utils.cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
       owner,
       repo,
       state: 'all',
@@ -3497,83 +3368,6 @@ async function getSocketPrsWithContext(owner, repo, options) {
   }
   return contextualMatches;
 }
-async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
-  const {
-    baseBranch = 'main',
-    ghsaDetails
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const octokit = getOctokit();
-  const vulnCount = ghsaIds.length;
-  const prTitle = vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
-  let prBody = '';
-  if (vulnCount === 1) {
-    const ghsaId = ghsaIds[0];
-    const details = ghsaDetails?.get(ghsaId);
-    prBody = `[Socket](https://socket.dev/) fix for [${ghsaId}](https://github.com/advisories/${ghsaId}).`;
-    if (details) {
-      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
-      prBody += ['', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
-    }
-  } else {
-    prBody = [`[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
-      const details = ghsaDetails?.get(id);
-      const item = `- [${id}](https://github.com/advisories/${id})`;
-      if (details) {
-        const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
-        return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
-      }
-      return item;
-    })].join('\n');
-  }
-  try {
-    const octokitPullsCreateParams = {
-      owner,
-      repo,
-      title: prTitle,
-      head: branch,
-      base: baseBranch,
-      body: prBody
-    };
-    require$$9.debugDir('inspect', {
-      octokitPullsCreateParams
-    });
-    return await octokit.pulls.create(octokitPullsCreateParams);
-  } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
-    }
-    require$$9.debugFn('error', message);
-  }
-  return null;
-}
-async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
-  const {
-    host
-  } = new URL(constants.ENV.GITHUB_SERVER_URL);
-  const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
-  const stdioIgnoreOptions = {
-    cwd,
-    stdio: require$$9.isDebug('stdio') ? 'inherit' : 'ignore'
-  };
-  const quotedCmd = `\`git remote set-url origin ${url}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
-    return true;
-  } catch (e) {
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-  }
-  return false;
-}
 
 function ciRepoInfo() {
   const {
@@ -3652,7 +3446,9 @@ async function coanaFix(fixConfig) {
     return sockSdkCResult;
   }
   const sockSdk = sockSdkCResult.data;
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     return supportedFilesCResult;
   }
@@ -3731,7 +3527,7 @@ async function coanaFix(fixConfig) {
     };
   }
   require$$9.debugFn('notice', `fetch: ${ids.length} GHSA details for ${arrays.joinAnd(ids)}`);
-  const ghsaDetails = await fetchGhsaDetails(ids);
+  const ghsaDetails = await utils.fetchGhsaDetails(ids);
   const scanBaseNames = new Set(scanFilepaths.map(p => path.basename(p)));
   require$$9.debugFn('notice', `found: ${ghsaDetails.size} GHSA details`);
   let count = 0;
@@ -3741,18 +3537,18 @@ async function coanaFix(fixConfig) {
   ghsaLoop: for (let i = 0, {
       length
     } = ids; i < length; i += 1) {
-    const id = ids[i];
-    require$$9.debugFn('notice', `check: ${id}`);
+    const ghsaId = ids[i];
+    require$$9.debugFn('notice', `check: ${ghsaId}`);
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', id, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${id}: ${fixCResult.message || 'Unknown error'}`);
+      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || 'Unknown error'}`);
       continue ghsaLoop;
     }
 
@@ -3761,11 +3557,11 @@ async function coanaFix(fixConfig) {
     const unstagedCResult = await utils.gitUnstagedModifiedFiles(cwd);
     const modifiedFiles = unstagedCResult.ok ? unstagedCResult.data.filter(relPath => scanBaseNames.has(path.basename(relPath))) : [];
     if (!modifiedFiles.length) {
-      require$$9.debugFn('notice', `skip: no changes for ${id}`);
+      require$$9.debugFn('notice', `skip: no changes for ${ghsaId}`);
       continue ghsaLoop;
     }
     overallFixed = true;
-    const branch = `socket/fix/${id}`;
+    const branch = getSocketFixBranchName(ghsaId);
     try {
       // Check if branch already exists.
       // eslint-disable-next-line no-await-in-loop
@@ -3773,17 +3569,16 @@ async function coanaFix(fixConfig) {
         require$$9.debugFn('notice', `skip: remote branch "${branch}" exists`);
         continue ghsaLoop;
       }
-      require$$9.debugFn('notice', `pr: creating for ${id}`);
-      const details = ghsaDetails.get(id);
-      const summary = details?.summary;
-      require$$9.debugFn('notice', `ghsa: ${id} details ${details ? 'found' : 'missing'}`);
+      require$$9.debugFn('notice', `pr: creating for ${ghsaId}`);
+      const details = ghsaDetails.get(ghsaId);
+      require$$9.debugFn('notice', `ghsa: ${ghsaId} details ${details ? 'found' : 'missing'}`);
       const pushed =
       // eslint-disable-next-line no-await-in-loop
       (await utils.gitCreateBranch(branch, cwd)) && (
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(branch, cwd)) && (
       // eslint-disable-next-line no-await-in-loop
-      await utils.gitCommit(`fix: ${id}${summary ? ` - ${summary}` : ''}`, modifiedFiles, {
+      await utils.gitCommit(getSocketFixCommitMessage(ghsaId, details), modifiedFiles, {
         cwd,
         email: fixEnv.gitEmail,
         user: fixEnv.gitUser
@@ -3791,7 +3586,7 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitPushBranch(branch, cwd));
       if (!pushed) {
-        logger.logger.warn(`Push failed for ${id}, skipping PR creation.`);
+        logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
         // eslint-disable-next-line no-await-in-loop
         await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
         // eslint-disable-next-line no-await-in-loop
@@ -3803,12 +3598,12 @@ async function coanaFix(fixConfig) {
 
       // Set up git remote.
       // eslint-disable-next-line no-await-in-loop
-      await setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
+      await utils.setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
 
       // eslint-disable-next-line no-await-in-loop
-      const prResponse = await openCoanaPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
+      const prResponse = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
       // Single GHSA ID.
-      [id], {
+      [ghsaId], {
         baseBranch: fixEnv.baseBranch,
         cwd,
         ghsaDetails
@@ -3818,7 +3613,7 @@ async function coanaFix(fixConfig) {
           data
         } = prResponse;
         const prRef = `PR #${data.number}`;
-        logger.logger.success(`Opened ${prRef} for ${id}.`);
+        logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
         if (autoMerge) {
           logger.logger.indent();
           spinner?.indent();
@@ -3826,7 +3621,7 @@ async function coanaFix(fixConfig) {
           const {
             details,
             enabled
-          } = await enablePrAutoMerge(data);
+          } = await utils.enablePrAutoMerge(data);
           if (enabled) {
             logger.logger.info(`Auto-merge enabled for ${prRef}.`);
           } else {
@@ -3844,7 +3639,7 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
-      logger.logger.warn(`Unexpected condition: Push failed for ${id}, skipping PR creation.`);
+      logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
       require$$9.debugDir('inspect', {
         error: e
       });
@@ -3942,12 +3737,11 @@ async function run$I(argv, importMeta, {
         description: `Shorthand for --auto-merge --test`,
         hidden: true
       },
-      ghsa: {
+      id: {
         type: 'string',
         default: [],
-        description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags.\nUse '--ghsa all' to lookup all GHSA IDs and compute fixes for them.`,
-        isMultiple: true,
-        hidden: true
+        description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+        isMultiple: true
       },
       limit: {
         type: 'number',
@@ -3999,12 +3793,14 @@ Available styles:
       test: {
         type: 'boolean',
         default: false,
-        description: 'Verify the fix by running unit tests'
+        description: 'Verify the fix by running unit tests',
+        hidden: true
       },
       testScript: {
         type: 'string',
         default: 'test',
-        description: "The test script to run for fix attempts (default 'test')"
+        description: "The test script to run for fix attempts (default 'test')",
+        hidden: true
       }
     },
     help: (command, config) => `
@@ -6847,8 +6643,8 @@ function updatePkgJsonField(editablePkgJson, field, value) {
   if (oldValue) {
     // The field already exists so we simply update the field value.
     if (field === PNPM) {
-      const isPnpmObj = require$$10.isObject(oldValue);
-      if (require$$10.hasKeys(value)) {
+      const isPnpmObj = require$$11.isObject(oldValue);
+      if (require$$11.hasKeys(value)) {
         editablePkgJson.update({
           [field]: {
             ...(isPnpmObj ? oldValue : {}),
@@ -6860,7 +6656,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
         });
       } else {
         // Properties with undefined values are deleted when saved as JSON.
-        editablePkgJson.update(require$$10.hasKeys(oldValue) ? {
+        editablePkgJson.update(require$$11.hasKeys(oldValue) ? {
           [field]: {
             ...(isPnpmObj ? oldValue : {}),
             overrides: undefined
@@ -6872,7 +6668,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     } else if (field === OVERRIDES || field === RESOLUTIONS) {
       // Properties with undefined values are deleted when saved as JSON.
       editablePkgJson.update({
-        [field]: require$$10.hasKeys(value) ? value : undefined
+        [field]: require$$11.hasKeys(value) ? value : undefined
       });
     } else {
       editablePkgJson.update({
@@ -6881,7 +6677,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     }
     return;
   }
-  if ((field === OVERRIDES || field === PNPM || field === RESOLUTIONS) && !require$$10.hasKeys(value)) {
+  if ((field === OVERRIDES || field === PNPM || field === RESOLUTIONS) && !require$$11.hasKeys(value)) {
     return;
   }
   // Since the field doesn't exist we want to insert it into the package.json
@@ -7013,7 +6809,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   let loggedAddingText = false;
 
   // Chunk package names to process them in parallel 3 at a time.
-  await require$$11.pEach(manifestEntries, async ({
+  await require$$12.pEach(manifestEntries, async ({
     1: data
   }) => {
     const {
@@ -7027,11 +6823,11 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
     for (const {
       1: depObj
     } of depEntries) {
-      const sockSpec = require$$10.hasOwn(depObj, sockRegPkgName) ? depObj[sockRegPkgName] : undefined;
+      const sockSpec = require$$11.hasOwn(depObj, sockRegPkgName) ? depObj[sockRegPkgName] : undefined;
       if (sockSpec) {
         depAliasMap.set(sockRegPkgName, sockSpec);
       }
-      const origSpec = require$$10.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
+      const origSpec = require$$11.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
       if (origSpec) {
         let thisSpec = origSpec;
         // Add package aliases for direct dependencies to avoid npm EOVERRIDE
@@ -7067,11 +6863,11 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         npmExecPath
       });
       // Chunk package names to process them in parallel 3 at a time.
-      await require$$11.pEach(overridesDataObjects, async ({
+      await require$$12.pEach(overridesDataObjects, async ({
         overrides,
         type
       }) => {
-        const overrideExists = require$$10.hasOwn(overrides, origPkgName);
+        const overrideExists = require$$11.hasOwn(overrides, origPkgName);
         if (overrideExists || thingScanner(pkgEnvDetails, thingToScan, origPkgName, lockName)) {
           const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
           const origDepAlias = depAliasMap.get(origPkgName);
@@ -7125,7 +6921,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   });
   if (isWorkspace) {
     // Chunk package names to process them in parallel 3 at a time.
-    await require$$11.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
+    await require$$12.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
       const otherState = await addOverrides(pkgEnvDetails, path.dirname(workspacePkgJsonPath), {
         logger,
         pin,
@@ -7148,7 +6944,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         overrides,
         type
       } of overridesDataObjects) {
-        updateManifest(type, pkgEnvDetails.editablePkgJson, require$$10.toSortedObject(overrides));
+        updateManifest(type, pkgEnvDetails.editablePkgJson, require$$11.toSortedObject(overrides));
       }
     }
     await pkgEnvDetails.editablePkgJson.save();
@@ -12266,8 +12062,14 @@ async function handleScanReach({
   reachabilityOptions,
   targets
 }) {
+  const {
+    spinner
+  } = constants;
+
   // Get supported file names
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     await outputScanReach(supportedFilesCResult, {
       cwd,
@@ -12275,9 +12077,6 @@ async function handleScanReach({
     });
     return;
   }
-  const {
-    spinner
-  } = constants;
   spinner.start('Searching for local manifest files to include in reachability analysis...');
   const supportedFiles = supportedFilesCResult.data;
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
@@ -14203,5 +14002,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=2d71faa1-844b-480a-a713-c572fd14e2f4
+//# debugId=11a3cbfe-6b5a-4bf7-afd9-6885b9deef59
 //# sourceMappingURL=cli.js.map