@socketsecurity/cli-with-sentry 1.1.20 → 1.1.21

package/dist/utils.js

@@ -23,9 +23,10 @@ var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var agent = require('../external/@socketsecurity/registry/lib/agent');
 var bin = require('../external/@socketsecurity/registry/lib/bin');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
-var promises = require('node:timers/promises');
+var require$$0 = require('node:url');
 var globs = require('../external/@socketsecurity/registry/lib/globs');
 var streams = require('../external/@socketsecurity/registry/lib/streams');
+var promises = require('node:timers/promises');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 /**
@@ -400,8 +401,8 @@ function getSupportedConfigEntries() {
 function getSupportedConfigKeys() {
   return [...supportedConfigKeys];
 }
-function isReadOnlyConfig() {
-  return _readOnlyConfig;
+function isConfigFromFlag() {
+  return _configFromFlag;
 }
 function isSensitiveConfigKey(key) {
   return sensitiveConfigKeyLookup.has(key);
@@ -411,7 +412,7 @@ function isSupportedConfigKey(key) {
 }
 let _cachedConfig;
 // When using --config or SOCKET_CLI_CONFIG, do not persist the config.
-let _readOnlyConfig = false;
+let _configFromFlag = false;
 function overrideCachedConfig(jsonConfig) {
   require$$9.debugFn('notice', 'override: full config (not stored)');
   let config;
@@ -429,7 +430,7 @@ function overrideCachedConfig(jsonConfig) {
   } catch {
     // Force set an empty config to prevent accidentally using system settings.
     _cachedConfig = {};
-    _readOnlyConfig = true;
+    _configFromFlag = true;
     return {
       ok: false,
       message: 'Could not parse Config as JSON',
@@ -439,7 +440,7 @@ function overrideCachedConfig(jsonConfig) {
 
   // @ts-ignore Override an illegal object.
   _cachedConfig = config;
-  _readOnlyConfig = true;
+  _configFromFlag = true;
 
   // Normalize apiKey to apiToken.
   if (_cachedConfig['apiKey']) {
@@ -463,7 +464,7 @@ function overrideConfigApiToken(apiToken) {
       apiToken: String(apiToken)
     })
   };
-  _readOnlyConfig = true;
+  _configFromFlag = true;
 }
 let _pendingSave = false;
 function updateConfigValue(configKey, value) {
@@ -488,7 +489,7 @@ function updateConfigValue(configKey, value) {
     }
     localConfig[key] = value;
   }
-  if (_readOnlyConfig) {
+  if (_configFromFlag) {
     return {
       ok: true,
       message: `Config key '${key}' was ${wasDeleted ? 'deleted' : `updated`}`,
@@ -528,7 +529,7 @@ function updateConfigValue(configKey, value) {
  * - Used for permission validation and help text
  */
 
-const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
+const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
 let _requirements;
 function getRequirements() {
   if (_requirements === undefined) {
@@ -1251,16 +1252,6 @@ function mailtoLink(email, text) {
   return vendor.terminalLinkExports(email, `mailto:${email}`);
 }
 
-/**
- * Creates a terminal link to a web URL.
- * @param url The web URL to link to
- * @param text Optional display text (defaults to the URL itself)
- * @returns A terminal link to the URL
- */
-function webLink(url, text) {
-  return vendor.terminalLinkExports(text ?? url, url);
-}
-
 /**
  * Creates a terminal link to the Socket.dev dashboard.
  * @param path The path within the dashboard (e.g., '/org/YOURORG/alerts')
@@ -1272,6 +1263,16 @@ function socketDashboardLink(dashPath, text) {
   return vendor.terminalLinkExports(text, url);
 }
 
+/**
+ * Creates a terminal link to the Socket.dev website.
+ * @param text Display text for the link (defaults to 'Socket.dev')
+ * @param urlPath Optional path to append to the base URL (e.g., '/pricing')
+ * @returns A terminal link to Socket.dev
+ */
+function socketDevLink(text, urlPath) {
+  return vendor.terminalLinkExports(text ?? 'Socket.dev', `${constants.SOCKET_WEBSITE_URL}${urlPath || ''}`);
+}
+
 /**
  * Creates a terminal link to Socket.dev documentation.
  * @param docPath The documentation path (e.g., '/docs/api-keys')
@@ -1303,7 +1304,17 @@ function socketPackageLink(ecosystem, packageName, version, text) {
   } else {
     url = `https://socket.dev/${ecosystem}/package/${packageName}`;
   }
-  return vendor.terminalLinkExports(text, url);
+  return vendor.terminalLinkExports(text ?? url, url);
+}
+
+/**
+ * Creates a terminal link to a web URL.
+ * @param url The web URL to link to
+ * @param text Optional display text (defaults to the URL itself)
+ * @returns A terminal link to the URL
+ */
+function webLink(url, text) {
+  return vendor.terminalLinkExports(text ?? url, url);
 }
 
 function checkCommandInput(outputKind, ...checks) {
@@ -1542,30 +1553,65 @@ function findBestCommandMatch(input, subcommands, aliases) {
   return bestMatch;
 }
 
+/**
+ * Determine the origin of the API token.
+ */
+function getTokenOrigin() {
+  if (constants.default.ENV.SOCKET_CLI_NO_API_TOKEN) {
+    return '';
+  }
+  if (constants.default.ENV.SOCKET_CLI_API_TOKEN) {
+    return '(env)';
+  }
+  const configToken = getConfigValueOrUndef(constants.CONFIG_KEY_API_TOKEN);
+  if (configToken) {
+    return isConfigFromFlag() ? '(--config flag)' : '(config)';
+  }
+  return '';
+}
+
 /**
  * Generate the ASCII banner header for Socket CLI commands.
  */
-function getAsciiHeader(command, orgFlag) {
+function getAsciiHeader(command, orgFlag, compactMode = false) {
   // Note: In tests we return <redacted> because otherwise snapshots will fail.
   const {
     REDACTED
   } = constants.default;
   const redacting = constants.default.ENV.VITEST;
-  const cliVersion = redacting ? REDACTED : constants.default.ENV.INLINED_SOCKET_CLI_VERSION_HASH;
+
+  // Version display: show hash in debug mode, otherwise show semantic version.
+  const fullVersion = constants.default.ENV.INLINED_SOCKET_CLI_VERSION;
+  const versionHash = constants.default.ENV.INLINED_SOCKET_CLI_VERSION_HASH;
+  const cliVersion = redacting ? REDACTED : require$$9.isDebug() ? versionHash : `v${fullVersion}`;
   const nodeVersion = redacting ? REDACTED : process.version;
+  const showNodeVersion = require$$9.isDebug();
   const defaultOrg = getConfigValueOrUndef(constants.CONFIG_KEY_DEFAULT_ORG);
-  const readOnlyConfig = isReadOnlyConfig() ? '*' : '.';
-  const shownToken = redacting ? REDACTED : getVisibleTokenPrefix() || '(not set)';
+  const readOnlyConfig = isConfigFromFlag() ? '*' : '.';
+
+  // Token display with origin indicator.
+  const tokenPrefix = getVisibleTokenPrefix();
+  const tokenOrigin = redacting ? '' : getTokenOrigin();
+  const noApiToken = constants.default.ENV.SOCKET_CLI_NO_API_TOKEN;
+  const shownToken = redacting ? REDACTED : noApiToken ? vendor.yoctocolorsCjsExports.red('(disabled)') : tokenPrefix ? `${vendor.yoctocolorsCjsExports.green(tokenPrefix)}***${tokenOrigin ? ` ${tokenOrigin}` : ''}` : vendor.yoctocolorsCjsExports.yellow('(not set)');
   const relCwd = redacting ? REDACTED : path$1.normalizePath(tildify(process.cwd()));
-  // Note: we must redact org when creating snapshots because dev machine probably
-  //       has a default org set but CI won't. Showing --org is fine either way.
-  const orgPart = orgFlag ? `--org: ${orgFlag}` : redacting ? 'org: <redacted>' : defaultOrg ? `default org: ${defaultOrg}` : '(org not set)';
+
+  // Consolidated org display format.
+  const orgPart = redacting ? `org: ${REDACTED}` : orgFlag ? `org: ${vendor.yoctocolorsCjsExports.cyan(orgFlag)} (${constants.FLAG_ORG} flag)` : defaultOrg && defaultOrg !== 'null' ? `org: ${vendor.yoctocolorsCjsExports.cyan(defaultOrg)} (config)` : vendor.yoctocolorsCjsExports.yellow('org: (not set)');
+
+  // Compact mode for CI/automation.
+  if (compactMode) {
+    const compactToken = noApiToken ? '(disabled)' : tokenPrefix ? `${tokenPrefix}***${tokenOrigin ? ` ${tokenOrigin}` : ''}` : '(not set)';
+    const compactOrg = orgFlag || (defaultOrg && defaultOrg !== 'null' ? defaultOrg : '(not set)');
+    return `CLI: ${cliVersion} | cmd: ${command} | org: ${compactOrg} | token: ${compactToken}`;
+  }
+
   // Note: We could draw these with ascii box art instead but I worry about
   //       portability and paste-ability. "simple" ascii chars just work.
   const body = `
    _____         _       _        /---------------
-  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver ${cliVersion}
-  |__   | ${readOnlyConfig} |  _| '_| -_|  _|     | Node: ${nodeVersion}, API token: ${shownToken}, ${orgPart}
+  |   __|___ ___| |_ ___| |_      | ${socketDevLink()} CLI: ${cliVersion}
+  |__   | ${readOnlyConfig} |  _| '_| -_|  _|     | ${showNodeVersion ? `Node: ${nodeVersion}, ` : ''}token: ${shownToken}, ${orgPart}
   |_____|___|___|_,_|___|_|.dev   | Command: \`${command}\`, cwd: ${relCwd}
   `.trim();
   // Note: logger will auto-append a newline.
@@ -1610,7 +1656,7 @@ function shouldSuppressBanner(flags) {
 /**
  * Emit the Socket CLI banner to stderr for branding and debugging.
  */
-function emitBanner(name, orgFlag) {
+function emitBanner(name, orgFlag, compactMode = false) {
   // Print a banner at the top of each command.
   // This helps with brand recognition and marketing.
   // It also helps with debugging since it contains version and command details.
@@ -1619,19 +1665,32 @@ function emitBanner(name, orgFlag) {
   //       and pipe the result to other tools. By emitting the banner over stderr
   //       you can do something like `socket scan view xyz | jq | process`.
   //       The spinner also emits over stderr for example.
-  logger.logger.error(getAsciiHeader(name, orgFlag));
+  logger.logger.error(getAsciiHeader(name, orgFlag, compactMode));
 }
 
 /**
  * Main function for handling CLI with subcommands using meow.
+ * @param config Configuration object with name, argv, importMeta, and subcommands.
+ * @param options Optional settings like aliases and defaultSub.
+ * @example
+ * meowWithSubcommands(
+ *   { name, argv, importMeta, subcommands },
+ *   { aliases, defaultSub }
+ * )
  */
-async function meowWithSubcommands(subcommands, options) {
+async function meowWithSubcommands(config, options) {
   const {
-    aliases = {},
     argv,
-    defaultSub,
     importMeta,
     name,
+    subcommands
+  } = {
+    __proto__: null,
+    ...config
+  };
+  const {
+    aliases = {},
+    defaultSub,
     ...additionalOptions
   } = {
     __proto__: null,
@@ -1659,24 +1718,29 @@ async function meowWithSubcommands(subcommands, options) {
   if (!isRootCommand) {
     if (commandOrAliasName?.startsWith('pkg:')) {
       logger.logger.info('Invoking `socket package score`.');
-      return await meowWithSubcommands(subcommands, {
-        ...options,
-        argv: ['package', 'deep', ...argv]
-      });
+      return await meowWithSubcommands({
+        name,
+        argv: ['package', 'deep', ...argv],
+        importMeta,
+        subcommands
+      }, options);
     }
     // Support `socket npm/lodash` or whatever as a shorthand, too.
     // Accept any ecosystem and let the remote sort it out.
     if (/^[a-z]+\//.test(commandOrAliasName || '')) {
       logger.logger.info('Invoking `socket package score`.');
-      return await meowWithSubcommands(subcommands, {
-        ...options,
-        argv: ['package', 'deep', `pkg:${commandOrAliasName}`, ...rawCommandArgv]
-      });
+      return await meowWithSubcommands({
+        name,
+        argv: ['package', 'deep', `pkg:${commandOrAliasName}`, ...rawCommandArgv],
+        importMeta,
+        subcommands
+      }, options);
     }
   }
   if (isRootCommand) {
-    flags$1['help'] = {
-      ...flags$1['help'],
+    const hiddenDebugFlag = !require$$9.isDebug();
+    flags$1['compactHeader'] = {
+      ...flags$1['compactHeader'],
       hidden: false
     };
     flags$1['config'] = {
@@ -1687,13 +1751,21 @@ async function meowWithSubcommands(subcommands, options) {
       ...flags$1['dryRun'],
       hidden: false
     };
+    flags$1['help'] = {
+      ...flags$1['help'],
+      hidden: false
+    };
+    flags$1['helpFull'] = {
+      ...flags$1['helpFull'],
+      hidden: false
+    };
     flags$1['maxOldSpaceSize'] = {
       ...flags$1['maxOldSpaceSize'],
-      hidden: false
+      hidden: hiddenDebugFlag
     };
     flags$1['maxSemiSpaceSize'] = {
       ...flags$1['maxSemiSpaceSize'],
-      hidden: false
+      hidden: hiddenDebugFlag
     };
     flags$1['version'] = {
       ...flags$1['version'],
@@ -1703,6 +1775,7 @@ async function meowWithSubcommands(subcommands, options) {
     delete flags$1['markdown'];
   } else {
     delete flags$1['help'];
+    delete flags$1['helpFull'];
     delete flags$1['version'];
   }
 
@@ -1722,10 +1795,12 @@ async function meowWithSubcommands(subcommands, options) {
     booleanDefault: undefined
   });
   const {
+    compactHeader: compactHeaderFlag,
     config: configFlag,
     org: orgFlag,
     spinner: spinnerFlag
   } = cli1.flags;
+  const compactMode = compactHeaderFlag || constants.default.ENV.CI && !constants.default.ENV.VITEST;
   const noSpinner = spinnerFlag === false || require$$9.isDebug();
 
   // Use CI spinner style when --no-spinner is passed or debug mode is enabled.
@@ -1756,7 +1831,7 @@ async function meowWithSubcommands(subcommands, options) {
   }
   if (configOverrideResult?.ok === false) {
     if (!shouldSuppressBanner(cli1.flags)) {
-      emitBanner(name, orgFlag);
+      emitBanner(name, orgFlag, compactMode);
       // Add newline in stderr.
       logger.logger.error('');
     }
@@ -1793,7 +1868,7 @@ async function meowWithSubcommands(subcommands, options) {
   }
   const lines = ['', 'Usage', `  $ ${name} <command>`];
   if (isRootCommand) {
-    lines.push(`  $ ${name} scan create --json`, `  $ ${name} package score npm lodash --markdown`);
+    lines.push(`  $ ${name} scan create${constants.FLAG_JSON}`, `  $ ${name} package score ${constants.NPM} lodash ${constants.FLAG_MARKDOWN}`);
   }
   lines.push('');
   if (isRootCommand) {
@@ -1866,7 +1941,15 @@ async function meowWithSubcommands(subcommands, options) {
     padName: HELP_PAD_NAME
   })}`);
   if (isRootCommand) {
-    lines.push('', 'Environment variables', '  SOCKET_CLI_API_TOKEN        Set the Socket API token', '  SOCKET_CLI_CONFIG           A JSON stringified Socket configuration object', '  SOCKET_CLI_GITHUB_API_URL   Change the base URL for GitHub REST API calls', '  SOCKET_CLI_GIT_USER_EMAIL   The git config `user.email` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]@users.noreply.github.com`, '  SOCKET_CLI_GIT_USER_NAME    The git config `user.name` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]`, `  SOCKET_CLI_GITHUB_TOKEN     A classic or fine-grained ${vendor.terminalLinkExports('GitHub personal access token', 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens')}`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} GITHUB_TOKEN`, '  SOCKET_CLI_NO_API_TOKEN     Make the default API token `undefined`', '  SOCKET_CLI_NPM_PATH         The absolute location of the npm directory', '  SOCKET_CLI_ORG_SLUG         Specify the Socket organization slug', '', '  SOCKET_CLI_ACCEPT_RISKS     Accept risks of a Socket wrapped npm/npx run', '  SOCKET_CLI_VIEW_ALL_RISKS   View all risks of a Socket wrapped npm/npx run', '', 'Environment variables for development', '  SOCKET_CLI_API_BASE_URL     Change the base URL for Socket API calls', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} The "apiBaseUrl" value of socket/settings local app data`, `                              if present, else ${constants.API_V0_URL}`, '  SOCKET_CLI_API_PROXY        Set the proxy Socket API requests are routed through, e.g. if set to', `                              ${vendor.terminalLinkExports('http://127.0.0.1:9090', 'https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries')} then all request are passed through that proxy`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} HTTPS_PROXY, https_proxy, HTTP_PROXY, and http_proxy`, '  SOCKET_CLI_API_TIMEOUT      Set the timeout in milliseconds for Socket API requests', '  SOCKET_CLI_DEBUG            Enable debug logging in Socket CLI', `  DEBUG                       Enable debug logging based on the ${vendor.terminalLinkExports('debug', `${constants.SOCKET_WEBSITE_URL}/npm/package/debug`)} package`);
+    // Check if we should show full help with environment variables.
+    const showFullHelp = argv.includes(constants.FLAG_HELP_FULL);
+    if (showFullHelp) {
+      // Show full help with environment variables.
+      lines.push('', 'Environment variables', '  SOCKET_CLI_API_TOKEN        Set the Socket API token', '  SOCKET_CLI_CONFIG           A JSON stringified Socket configuration object', '  SOCKET_CLI_GITHUB_API_URL   Change the base URL for GitHub REST API calls', '  SOCKET_CLI_GIT_USER_EMAIL   The git config `user.email` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]@users.noreply.github.com`, '  SOCKET_CLI_GIT_USER_NAME    The git config `user.name` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]`, `  SOCKET_CLI_GITHUB_TOKEN     A classic or fine-grained ${vendor.terminalLinkExports('GitHub personal access token', 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens')}`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} GITHUB_TOKEN`, '  SOCKET_CLI_NO_API_TOKEN     Make the default API token `undefined`', '  SOCKET_CLI_NPM_PATH         The absolute location of the npm directory', '  SOCKET_CLI_ORG_SLUG         Specify the Socket organization slug', '', '  SOCKET_CLI_ACCEPT_RISKS     Accept risks of a Socket wrapped npm/npx run', '  SOCKET_CLI_VIEW_ALL_RISKS   View all risks of a Socket wrapped npm/npx run', '', 'Environment variables for development', '  SOCKET_CLI_API_BASE_URL     Change the base URL for Socket API calls', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} The "apiBaseUrl" value of socket/settings local app data`, `                              if present, else ${constants.API_V0_URL}`, '  SOCKET_CLI_API_PROXY        Set the proxy Socket API requests are routed through, e.g. if set to', `                              ${vendor.terminalLinkExports('http://127.0.0.1:9090', 'https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries')} then all request are passed through that proxy`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} HTTPS_PROXY, https_proxy, HTTP_PROXY, and http_proxy`, '  SOCKET_CLI_API_TIMEOUT      Set the timeout in milliseconds for Socket API requests', '  SOCKET_CLI_DEBUG            Enable debug logging in Socket CLI', `  DEBUG                       Enable debug logging based on the ${socketPackageLink('npm', 'debug', undefined, 'debug')} package`);
+    } else {
+      // Show condensed help with hint about --help-full.
+      lines.push('', 'Environment variables [more...]', `  Use ${vendor.yoctocolorsCjsExports.bold(constants.FLAG_HELP_FULL)} to view all environment variables`);
+    }
   }
 
   // Parse it again. Config overrides should now be applied (may affect help).
@@ -1887,34 +1970,53 @@ async function meowWithSubcommands(subcommands, options) {
     booleanDefault: undefined,
     help: lines.map(l => strings.indentString(l, HELP_INDENT)).join('\n')
   });
+  const {
+    dryRun,
+    help: helpFlag
+  } = cli2.flags;
 
   // ...else we provide basic instructions and help.
   if (!shouldSuppressBanner(cli2.flags)) {
-    emitBanner(name, orgFlag);
+    emitBanner(name, orgFlag, compactMode);
     // Meow will add newline so don't add stderr spacing here.
   }
-  if (!cli2.flags['help'] && cli2.flags['dryRun']) {
+  if (!helpFlag && dryRun) {
     process.exitCode = 0;
     logger.logger.log(`${constants.default.DRY_RUN_LABEL}: No-op, call a sub-command; ok`);
   } else {
     // When you explicitly request --help, the command should be successful
     // so we exit(0). If we do it because we need more input, we exit(2).
-    cli2.showHelp(cli2.flags['help'] ? 0 : 2);
+    cli2.showHelp(helpFlag ? 0 : 2);
   }
 }
-
 /**
  * Create meow CLI instance or exit with help/error (meow will exit immediately
  * if it calls .showHelp()).
+ * @param config Configuration object with argv, config, parentName, and importMeta.
+ * @param options Optional settings like allowUnknownFlags.
+ * @example
+ * meowOrExit(
+ *   { argv, config, parentName, importMeta },
+ *   { allowUnknownFlags: false }
+ * )
  */
-function meowOrExit({
-  allowUnknownFlags = true,
-  argv,
-  config,
-  importMeta,
-  parentName
-}) {
-  const command = `${parentName} ${config.commandName}`;
+function meowOrExit(config, options) {
+  const {
+    argv,
+    config: cliConfig,
+    importMeta,
+    parentName
+  } = {
+    __proto__: null,
+    ...config
+  };
+  const {
+    allowUnknownFlags = true
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const command = `${parentName} ${cliConfig.commandName}`;
 
   // This exits if .printHelp() is called either by meow itself or by us.
   const cli = vendor.meow({
@@ -1925,17 +2027,19 @@ function meowOrExit({
     // We want to detect whether a bool flag is given at all.
     booleanDefault: undefined,
     collectUnknownFlags: true,
-    description: config.description,
-    flags: config.flags,
-    help: strings.trimNewlines(config.help(command, config)),
+    description: cliConfig.description,
+    flags: cliConfig.flags,
+    help: strings.trimNewlines(cliConfig.help(command, cliConfig)),
     importMeta
   });
   const {
+    compactHeader: compactHeaderFlag,
     help: helpFlag,
     org: orgFlag,
     spinner: spinnerFlag,
     version: versionFlag
   } = cli.flags;
+  const compactMode = compactHeaderFlag || constants.default.ENV.CI && !constants.default.ENV.VITEST;
   const noSpinner = spinnerFlag === false || require$$9.isDebug();
 
   // Use CI spinner style when --no-spinner is passed.
@@ -1944,7 +2048,7 @@ function meowOrExit({
     constants.default.spinner.spinner = spinner.getCliSpinners('ci');
   }
   if (!shouldSuppressBanner(cli.flags)) {
-    emitBanner(command, orgFlag);
+    emitBanner(command, orgFlag, compactMode);
     // Add newline in stderr.
     // Meow help adds a newline too so we do it here.
     logger.logger.error('');
@@ -1973,7 +2077,7 @@ function meowOrExit({
   }
 
   // Meow doesn't detect 'version' as an unknown flag, so we do the leg work here.
-  if (versionFlag && !require$$11.hasOwn(config.flags, 'version')) {
+  if (versionFlag && !require$$11.hasOwn(cliConfig.flags, 'version')) {
     // Use `console.error` here instead of `logger.error` to match Meow behavior.
     console.error('Unknown flag\n--version');
     // eslint-disable-next-line n/no-process-exit
@@ -1994,10 +2098,10 @@ function meowOrExit({
     // Prevent meow from potentially exiting early.
     autoHelp: false,
     autoVersion: false,
-    description: config.description,
-    help: strings.trimNewlines(config.help(command, config)),
+    description: cliConfig.description,
+    help: strings.trimNewlines(cliConfig.help(command, cliConfig)),
     importMeta,
-    flags: config.flags
+    flags: cliConfig.flags
   });
   // Ok, no help, reset to default.
   process.exitCode = 0;
@@ -3251,7 +3355,7 @@ function isYarnBerry() {
  * - Configures environment for third-party tools
  */
 
-const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
+const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
 const {
   PACKAGE_LOCK_JSON,
   PNPM_LOCK_YAML,
@@ -4772,6 +4876,275 @@ function getEcosystemChoicesForMeow() {
   return [...ALL_ECOSYSTEMS];
 }
 
+/**
+ * Temporary package executor detection utilities for Socket CLI.
+ * Identifies and handles temporary execution contexts.
+ *
+ * Key Functions:
+ * - isRunningInTemporaryExecutor: Detects if running in npx/dlx/exec context
+ * - shouldSkipShadow: Determines if shadow installation should be skipped
+ *
+ * Temporary Execution Contexts:
+ * - npm exec/npx: Runs packages in temporary npm cache
+ * - pnpm dlx: Executes packages in temporary pnpm store
+ * - yarn dlx: Runs packages in temporary yarn environment
+ *
+ * Detection Methods:
+ * - Environment variable analysis (npm_config_user_agent)
+ * - Path pattern matching for temporary directories
+ * - Cache directory identification
+ *
+ * Usage:
+ * - Prevents shadow installation in temporary contexts
+ * - Avoids PATH pollution in ephemeral environments
+ * - Ensures package manager commands work correctly
+ */
+
+/**
+ * Determines if shadow binaries should be installed.
+ * Shadows should NOT be installed when:
+ * - Running in a temporary execution context (exec/npx/dlx)
+ * - On Windows with an existing binary path (required for Windows to function)
+ *
+ * @param binPath - Path to the binary being shadowed
+ * @param options - Configuration options
+ * @param options.cwd - Current working directory path to check
+ * @param options.win32 - Whether running on Windows
+ * @returns true if shadow installation should be skipped
+ */
+function shouldSkipShadow(binPath, options) {
+  const {
+    cwd = process.cwd(),
+    win32 = false
+  } = {
+    __proto__: null,
+    ...options
+  };
+
+  // Windows compatibility: Skip shadow installation if binary is already found.
+  //
+  // This check is required because Windows handles executables differently than Unix:
+  // 1. File locking - Windows locks running executables, so cmd-shim creation would
+  //    fail with EBUSY/EACCES errors when trying to create wrapper files.
+  // 2. PATH conflicts - Attempting to shadow an already-resolved binary can create
+  //    circular references or ambiguous command resolution.
+  // 3. Registry integration - Windows package managers often use system-level
+  //    integrations beyond just PATH that our shadowing would interfere with.
+  //
+  // Without this check, users would see "Access Denied" or file locking errors
+  // that are difficult to debug. This is not a performance optimization - the
+  // shadow installation will fail without it.
+  if (win32 && binPath) {
+    return true;
+  }
+
+  // Check environment variable for exec/npx/dlx indicators.
+  const userAgent = constants.default.ENV.npm_config_user_agent;
+  if (userAgent?.includes('exec') || userAgent?.includes('npx') || userAgent?.includes('dlx')) {
+    return true;
+  }
+
+  // Normalize the cwd path for consistent checking across platforms.
+  const normalizedCwd = path$1.normalizePath(cwd);
+
+  // Check if running from npm's npx cache.
+  const npmCache = constants.default.ENV.npm_config_cache;
+  if (npmCache && normalizedCwd.includes(path$1.normalizePath(npmCache))) {
+    return true;
+  }
+
+  // Check common temporary execution path patterns.
+  const tempPatterns = ['_npx',
+  // npm's npx cache directory
+  '.pnpm-store',
+  // pnpm dlx temporary store
+  'dlx-',
+  // Common dlx directory prefix
+  '.yarn/$$',
+  // Yarn Berry PnP virtual packages
+  path.sep === '\\' ? 'AppData\\Local\\Temp\\xfs-' : 'AppData/Local/Temp/xfs-' // Yarn on Windows
+  ];
+  return tempPatterns.some(pattern => normalizedCwd.includes(pattern));
+}
+
+/**
+ * PNPM path resolution utilities for Socket CLI.
+ * Locates and caches PNPM binary paths.
+ *
+ * Key Functions:
+ * - getPnpmBinPath: Get cached PNPM binary path
+ * - getPnpmBinPathDetails: Get detailed PNPM path information
+ *
+ * Error Handling:
+ * - Exits with code 127 if PNPM not found
+ * - Provides clear error messages for missing binaries
+ *
+ * Caching:
+ * - Caches binary path lookups for performance
+ * - Prevents repeated PATH searches
+ */
+
+function exitWithBinPathError(binName) {
+  logger.logger.fail(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`);
+  // The exit code 127 indicates that the command or binary being executed
+  // could not be found.
+  // eslint-disable-next-line n/no-process-exit
+  process.exit(127);
+  // This line is never reached in production, but helps tests.
+  throw new Error('process.exit called');
+}
+let _pnpmBinPath;
+function getPnpmBinPath() {
+  if (_pnpmBinPath === undefined) {
+    _pnpmBinPath = getPnpmBinPathDetails().path;
+    if (!_pnpmBinPath) {
+      exitWithBinPathError('pnpm');
+    }
+  }
+  return _pnpmBinPath;
+}
+let _pnpmBinPathDetails;
+function getPnpmBinPathDetails() {
+  if (_pnpmBinPathDetails === undefined) {
+    _pnpmBinPathDetails = findBinPathDetailsSync('pnpm');
+  }
+  return _pnpmBinPathDetails;
+}
+function isPnpmBinPathShadowed() {
+  return getPnpmBinPathDetails().shadowed;
+}
+
+/**
+ * Shadow binary link installation utilities for Socket CLI.
+ * Manages installation of shadow binaries for package managers.
+ *
+ * Key Functions:
+ * - installNpmLinks: Install shadow links for npm binary
+ * - installNpxLinks: Install shadow links for npx binary
+ * - installPnpmLinks: Install shadow links for pnpm binary
+ * - installYarnLinks: Install shadow links for yarn binary
+ *
+ * Shadow Installation:
+ * - Creates symlinks/cmd-shims to intercept package manager commands
+ * - Modifies PATH to prioritize shadow binaries
+ * - Skips installation in temporary execution contexts
+ *
+ * Security Integration:
+ * - Enables security scanning before package operations
+ * - Transparent interception of package manager commands
+ * - Preserves original binary functionality
+ */
+
+const __filename$1 = require$$0.fileURLToPath((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
+const __dirname$1 = path.dirname(__filename$1);
+async function installNpmLinks(shadowBinPath) {
+  // Find npm being shadowed by this process.
+  const binPath = getNpmBinPath();
+  const {
+    WIN32
+  } = constants.default;
+
+  // Skip shadow installation when in temporary execution context or when required for Windows.
+  if (shouldSkipShadow(binPath, {
+    cwd: __dirname$1,
+    win32: WIN32
+  })) {
+    return binPath;
+  }
+  const shadowed = isNpmBinPathShadowed();
+  // Move our bin directory to front of PATH so its found first.
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, 'npm-cli.js'), path.join(shadowBinPath, 'npm'));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+async function installNpxLinks(shadowBinPath) {
+  // Find npx being shadowed by this process.
+  const binPath = getNpxBinPath();
+  const {
+    WIN32
+  } = constants.default;
+
+  // Skip shadow installation when in temporary execution context or when required for Windows.
+  if (shouldSkipShadow(binPath, {
+    cwd: __dirname$1,
+    win32: WIN32
+  })) {
+    return binPath;
+  }
+  const shadowed = isNpxBinPathShadowed();
+  // Move our bin directory to front of PATH so its found first.
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, 'npx-cli.js'), path.join(shadowBinPath, 'npx'));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+async function installPnpmLinks(shadowBinPath) {
+  // Find pnpm being shadowed by this process.
+  const binPath = getPnpmBinPath();
+  const {
+    WIN32
+  } = constants.default;
+
+  // Skip shadow installation when in temporary execution context or when required for Windows.
+  if (shouldSkipShadow(binPath, {
+    cwd: __dirname$1,
+    win32: WIN32
+  })) {
+    return binPath;
+  }
+  const shadowed = isPnpmBinPathShadowed();
+
+  // Move our bin directory to front of PATH so its found first.
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, 'pnpm-cli.js'), path.join(shadowBinPath, 'pnpm'));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+async function installYarnLinks(shadowBinPath) {
+  const binPath = getYarnBinPath();
+  const {
+    WIN32
+  } = constants.default;
+
+  // Skip shadow installation when in temporary execution context or when required for Windows.
+  if (shouldSkipShadow(binPath, {
+    cwd: __dirname$1,
+    win32: WIN32
+  })) {
+    return binPath;
+  }
+  const shadowed = isYarnBinPathShadowed();
+  if (!shadowed) {
+    if (WIN32) {
+      await vendor.libExports(path.join(constants.default.distPath, 'yarn-cli.js'), path.join(shadowBinPath, 'yarn'));
+    }
+    const {
+      env
+    } = process;
+    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`;
+  }
+  return binPath;
+}
+
 /**
  * Filter configuration utilities for Socket CLI.
  * Manages filter configuration normalization for security scanning.
@@ -4943,7 +5316,7 @@ class ColorOrMarkdown {
   }
 }
 
-const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
+const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
 let _translations;
 function getTranslations() {
   if (_translations === undefined) {
@@ -5568,53 +5941,6 @@ function safeNpmSpecToPurl(pkgSpec) {
   return purlObj?.toString() ?? `pkg:${constants.NPM}/${name}${version ? `@${version}` : ''}`;
 }
 
-/**
- * PNPM path resolution utilities for Socket CLI.
- * Locates and caches PNPM binary paths.
- *
- * Key Functions:
- * - getPnpmBinPath: Get cached PNPM binary path
- * - getPnpmBinPathDetails: Get detailed PNPM path information
- *
- * Error Handling:
- * - Exits with code 127 if PNPM not found
- * - Provides clear error messages for missing binaries
- *
- * Caching:
- * - Caches binary path lookups for performance
- * - Prevents repeated PATH searches
- */
-
-function exitWithBinPathError(binName) {
-  logger.logger.fail(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`);
-  // The exit code 127 indicates that the command or binary being executed
-  // could not be found.
-  // eslint-disable-next-line n/no-process-exit
-  process.exit(127);
-  // This line is never reached in production, but helps tests.
-  throw new Error('process.exit called');
-}
-let _pnpmBinPath;
-function getPnpmBinPath() {
-  if (_pnpmBinPath === undefined) {
-    _pnpmBinPath = getPnpmBinPathDetails().path;
-    if (!_pnpmBinPath) {
-      exitWithBinPathError('pnpm');
-    }
-  }
-  return _pnpmBinPath;
-}
-let _pnpmBinPathDetails;
-function getPnpmBinPathDetails() {
-  if (_pnpmBinPathDetails === undefined) {
-    _pnpmBinPathDetails = findBinPathDetailsSync('pnpm');
-  }
-  return _pnpmBinPathDetails;
-}
-function isPnpmBinPathShadowed() {
-  return getPnpmBinPathDetails().shadowed;
-}
-
 exports.AuthError = AuthError;
 exports.COMPLETION_CMD_PREFIX = COMPLETION_CMD_PREFIX;
 exports.InputError = InputError;
@@ -5663,7 +5989,6 @@ exports.getOctokitGraphql = getOctokitGraphql;
 exports.getOrgSlugs = getOrgSlugs;
 exports.getOutputKind = getOutputKind;
 exports.getPackageFilesForScan = getPackageFilesForScan;
-exports.getPnpmBinPath = getPnpmBinPath;
 exports.getPublicApiToken = getPublicApiToken;
 exports.getPurlObject = getPurlObject;
 exports.getRepoInfo = getRepoInfo;
@@ -5672,7 +5997,6 @@ exports.getSocketDevPackageOverviewUrlFromPurl = getSocketDevPackageOverviewUrlF
 exports.getSupportedConfigEntries = getSupportedConfigEntries;
 exports.getSupportedConfigKeys = getSupportedConfigKeys;
 exports.getVisibleTokenPrefix = getVisibleTokenPrefix;
-exports.getYarnBinPath = getYarnBinPath;
 exports.gitBranch = gitBranch;
 exports.gitCheckoutBranch = gitCheckoutBranch;
 exports.gitCommit = gitCommit;
@@ -5688,16 +6012,16 @@ exports.handleApiCallNoSpinner = handleApiCallNoSpinner;
 exports.hasDefaultApiToken = hasDefaultApiToken;
 exports.hasEnterpriseOrgPlan = hasEnterpriseOrgPlan;
 exports.idToNpmPurl = idToNpmPurl;
+exports.installNpmLinks = installNpmLinks;
+exports.installNpxLinks = installNpxLinks;
+exports.installPnpmLinks = installPnpmLinks;
+exports.installYarnLinks = installYarnLinks;
+exports.isConfigFromFlag = isConfigFromFlag;
 exports.isHelpFlag = isHelpFlag;
-exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
-exports.isNpxBinPathShadowed = isNpxBinPathShadowed;
-exports.isPnpmBinPathShadowed = isPnpmBinPathShadowed;
-exports.isReadOnlyConfig = isReadOnlyConfig;
 exports.isReportSupportedFile = isReportSupportedFile;
 exports.isSensitiveConfigKey = isSensitiveConfigKey;
 exports.isSupportedConfigKey = isSupportedConfigKey;
 exports.isYarnBerry = isYarnBerry;
-exports.isYarnBinPathShadowed = isYarnBinPathShadowed;
 exports.logAlertsMap = logAlertsMap;
 exports.mailtoLink = mailtoLink;
 exports.mapToObject = mapToObject;
@@ -5723,6 +6047,7 @@ exports.serializeResultJson = serializeResultJson;
 exports.setGitRemoteGithubRepoUrl = setGitRemoteGithubRepoUrl;
 exports.setupSdk = setupSdk;
 exports.socketDashboardLink = socketDashboardLink;
+exports.socketDevLink = socketDevLink;
 exports.socketDocsLink = socketDocsLink;
 exports.socketPackageLink = socketPackageLink;
 exports.spawnCdxgenDlx = spawnCdxgenDlx;
@@ -5735,5 +6060,5 @@ exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.webLink = webLink;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=ea20d1df-782c-49c5-bbda-ab4eac27ce58
+//# debugId=aca3fb2c-1435-481e-a911-c0547052c313
 //# sourceMappingURL=utils.js.map