npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.1.3 → 1.1.4 - Mend

@socketsecurity/cli-with-sentry 1.1.3 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/dist/cli.js CHANGED Viewed

@@ -12,12 +12,12 @@ var constants = require('./constants.js');
 var flags = require('./flags.js');
 var path = require('node:path');
 var words = require('../external/@socketsecurity/registry/lib/words');
+var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var fs$1 = require('node:fs');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
-var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
@@ -148,7 +148,7 @@ ${utils.mdTableStringNumber('Name', 'Counts', data['top_five_alert_types'])}
 function displayAnalyticsScreen(data) {
   const ScreenWidget = /*@__PURE__*/require$5('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
-    ...constants.blessedOptions
+    ...constants.default.blessedOptions
   });
   const GridLayout = /*@__PURE__*/require$5('../external/blessed-contrib/lib/layout/grid.js');
   const grid = new GridLayout({
@@ -444,7 +444,7 @@ async function run$Q(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   return await handleAnalytics({
@@ -555,7 +555,7 @@ async function outputAsJson(auditLogs, {
     ok: true,
     data: {
       desc: 'Audit logs for given query',
-      generated: constants.ENV.VITEST ? constants.REDACTED : new Date().toISOString(),
+      generated: constants.default.ENV.VITEST ? constants.default.REDACTED : new Date().toISOString(),
       logType,
       nextPage: auditLogs.data.nextPage,
       org: orgSlug,
@@ -600,7 +600,7 @@ These are the Socket.dev audit logs as per requested query.
 - page: ${page}
 - next page: ${auditLogs.nextPage}
 - per page: ${perPage}
-- generated: ${constants.ENV.VITEST ? constants.REDACTED : new Date().toISOString()}
+- generated: ${constants.default.ENV.VITEST ? constants.default.REDACTED : new Date().toISOString()}
 ${table}
 `;
@@ -622,7 +622,7 @@ async function outputWithBlessed(data, orgSlug) {
   // Note: this temporarily takes over the terminal (just like `man` does).
   const ScreenWidget = /*@__PURE__*/require$4('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
-    ...constants.blessedOptions
+    ...constants.default.blessedOptions
   });
   // Register these keys first so you can always exit, even when it gets stuck
   // If we don't do this and the code crashes, the user must hard-kill the
@@ -785,7 +785,7 @@ async function run$P(argv, importMeta, {
       ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$v}`)}
     This feature requires an Enterprise Plan. To learn more about getting access
-    to this feature and many more, please visit ${constants.SOCKET_WEBSITE_URL}/pricing
+    to this feature and many more, please visit ${constants.default.SOCKET_WEBSITE_URL}/pricing
     The type FILTER arg is an enum. Defaults to any. It should be one of these:
       associateLabel, cancelInvitation, changeMemberRole, changePlanSubscriptionSeats,
@@ -858,7 +858,7 @@ async function run$P(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleAuditLog({
@@ -980,7 +980,7 @@ async function fetchScanData(orgSlug, scanId, options) {
   let finishedFetching = false;
   const {
     spinner
-  } = constants;
+  } = constants.default;
   function updateScan(desc) {
     scanStatus = desc;
     updateProgress();
@@ -1081,7 +1081,9 @@ async function fetchScanData(orgSlug, scanId, options) {
   };
 }
-// Note: The returned cresult will only be ok:false when the generation
+const UNKNOWN_VALUE = '<unknown>';
+// Note: The returned cResult will only be ok:false when the generation
 //       failed. It won't reflect the healthy state.
 function generateReport(scan, securityPolicy, {
   fold,
@@ -1129,15 +1131,15 @@ function generateReport(scan, securityPolicy, {
     scan.forEach(artifact => {
       const {
         alerts,
-        name: pkgName = '<unknown>',
+        name: pkgName = UNKNOWN_VALUE,
         type: ecosystem,
-        version = '<unknown>'
+        version = UNKNOWN_VALUE
       } = artifact;
       alerts?.forEach(alert => {
         const alertName = alert.type; // => policy[type]
         const action = securityRules[alertName]?.action || '';
         switch (action) {
-          case 'error':
+          case constants.default.REPORT_LEVEL_ERROR:
             {
               healthy = false;
               if (!short) {
@@ -1145,31 +1147,31 @@ function generateReport(scan, securityPolicy, {
               }
               break;
             }
-          case 'warn':
+          case constants.default.REPORT_LEVEL_WARN:
             {
-              if (!short && reportLevel !== 'error') {
+              if (!short && reportLevel !== constants.default.REPORT_LEVEL_ERROR) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
             }
-          case 'monitor':
+          case constants.default.REPORT_LEVEL_MONITOR:
             {
-              if (!short && reportLevel !== 'warn' && reportLevel !== 'error') {
+              if (!short && reportLevel !== constants.default.REPORT_LEVEL_WARN && reportLevel !== constants.default.REPORT_LEVEL_ERROR) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
             }
-          case 'ignore':
+          case constants.default.REPORT_LEVEL_IGNORE:
             {
-              if (!short && reportLevel !== 'warn' && reportLevel !== 'error' && reportLevel !== 'monitor') {
+              if (!short && reportLevel !== constants.default.REPORT_LEVEL_MONITOR && reportLevel !== constants.default.REPORT_LEVEL_WARN && reportLevel !== constants.default.REPORT_LEVEL_ERROR) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
             }
-          case 'defer':
+          case constants.default.REPORT_LEVEL_DEFER:
             {
               // Not sure but ignore for now. Defer to later ;)
-              if (!short && reportLevel === 'defer') {
+              if (!short && reportLevel === constants.default.REPORT_LEVEL_DEFER) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
@@ -1218,46 +1220,46 @@ function createLeaf(art, alert, policyAction) {
   };
   return leaf;
 }
-function addAlert(art, violations, foldSetting, ecosystem, pkgName, version, alert, policyAction) {
+function addAlert(art, violations, fold, ecosystem, pkgName, version, alert, policyAction) {
   if (!violations.has(ecosystem)) {
     violations.set(ecosystem, new Map());
   }
-  const ecomap = violations.get(ecosystem);
-  if (foldSetting === 'pkg') {
-    const existing = ecomap.get(pkgName);
+  const ecoMap = violations.get(ecosystem);
+  if (fold === constants.default.FOLD_SETTING_PKG) {
+    const existing = ecoMap.get(pkgName);
     if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-      ecomap.set(pkgName, createLeaf(art, alert, policyAction));
+      ecoMap.set(pkgName, createLeaf(art, alert, policyAction));
     }
   } else {
-    if (!ecomap.has(pkgName)) {
-      ecomap.set(pkgName, new Map());
+    if (!ecoMap.has(pkgName)) {
+      ecoMap.set(pkgName, new Map());
     }
-    const pkgmap = ecomap.get(pkgName);
-    if (foldSetting === 'version') {
-      const existing = pkgmap.get(version);
+    const pkgMap = ecoMap.get(pkgName);
+    if (fold === constants.default.FOLD_SETTING_VERSION) {
+      const existing = pkgMap.get(version);
       if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-        pkgmap.set(version, createLeaf(art, alert, policyAction));
+        pkgMap.set(version, createLeaf(art, alert, policyAction));
       }
     } else {
-      if (!pkgmap.has(version)) {
-        pkgmap.set(version, new Map());
+      if (!pkgMap.has(version)) {
+        pkgMap.set(version, new Map());
       }
-      const file = alert.file || '<unknown>';
-      const vermap = pkgmap.get(version);
-      if (foldSetting === 'file') {
-        const existing = vermap.get(file);
+      const file = alert.file || UNKNOWN_VALUE;
+      const verMap = pkgMap.get(version);
+      if (fold === constants.default.FOLD_SETTING_FILE) {
+        const existing = verMap.get(file);
         if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-          vermap.set(file, createLeaf(art, alert, policyAction));
+          verMap.set(file, createLeaf(art, alert, policyAction));
         }
       } else {
-        if (!vermap.has(file)) {
-          vermap.set(file, new Map());
+        if (!verMap.has(file)) {
+          verMap.set(file, new Map());
         }
         const key = `${alert.type} at ${alert.start}:${alert.end}`;
-        const filemap = vermap.get(file);
-        const existing = filemap.get(key);
+        const fileMap = verMap.get(file);
+        const existing = fileMap.get(key);
         if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-          filemap.set(key, createLeaf(art, alert, policyAction));
+          fileMap.set(key, createLeaf(art, alert, policyAction));
         }
       }
     }
@@ -1265,34 +1267,34 @@ function addAlert(art, violations, foldSetting, ecosystem, pkgName, version, ale
 }
 function isStricterPolicy(was, is) {
   // error > warn > monitor > ignore > defer > {unknown}
-  if (was === 'error') {
+  if (was === constants.default.REPORT_LEVEL_ERROR) {
     return false;
   }
-  if (is === 'error') {
+  if (is === constants.default.REPORT_LEVEL_ERROR) {
     return true;
   }
-  if (was === 'warn') {
+  if (was === constants.default.REPORT_LEVEL_WARN) {
     return false;
   }
-  if (is === 'warn') {
+  if (is === constants.default.REPORT_LEVEL_WARN) {
     return false;
   }
-  if (was === 'monitor') {
+  if (was === constants.default.REPORT_LEVEL_MONITOR) {
     return false;
   }
-  if (is === 'monitor') {
+  if (is === constants.default.REPORT_LEVEL_MONITOR) {
     return false;
   }
-  if (was === 'ignore') {
+  if (was === constants.default.REPORT_LEVEL_IGNORE) {
     return false;
   }
-  if (is === 'ignore') {
+  if (is === constants.default.REPORT_LEVEL_IGNORE) {
     return false;
   }
-  if (was === 'defer') {
+  if (was === constants.default.REPORT_LEVEL_DEFER) {
     return false;
   }
-  if (is === 'defer') {
+  if (is === constants.default.REPORT_LEVEL_DEFER) {
     return false;
   }
   // unreachable?
@@ -1300,7 +1302,7 @@ function isStricterPolicy(was, is) {
 }
 async function outputScanReport(result, {
-  filePath,
+  filepath,
   fold,
   includeLicensePolicy,
   orgSlug,
@@ -1313,7 +1315,7 @@ async function outputScanReport(result, {
     process.exitCode = result.code ?? 1;
   }
   if (!result.ok) {
-    if (outputKind === 'json') {
+    if (outputKind === constants.JSON) {
       logger.logger.log(utils.serializeResultJson(result));
       return;
     }
@@ -1326,14 +1328,14 @@ async function outputScanReport(result, {
     fold,
     reportLevel,
     short,
-    spinner: constants.spinner
+    spinner: constants.default.spinner
   });
   if (!scanReport.ok) {
     // Note: this means generation failed, it does not reflect the healthy state
     process.exitCode = scanReport.code ?? 1;
     // If report generation somehow failed then .data should not be set.
-    if (outputKind === 'json') {
+    if (outputKind === constants.JSON) {
       logger.logger.log(utils.serializeResultJson(scanReport));
       return;
     }
@@ -1347,22 +1349,22 @@ async function outputScanReport(result, {
   //   return
   // }
-  if (outputKind === 'json' || outputKind === 'text' && filePath && filePath.endsWith('.json')) {
+  if (outputKind === constants.JSON || outputKind === constants.TEXT && filepath && filepath.endsWith(constants.EXT_JSON)) {
     const json = short ? utils.serializeResultJson(scanReport) : toJsonReport(scanReport.data, includeLicensePolicy);
-    if (filePath && filePath !== '-') {
-      logger.logger.log('Writing json report to', filePath);
-      return await fs.writeFile(filePath, json);
+    if (filepath && filepath !== '-') {
+      logger.logger.log('Writing json report to', filepath);
+      return await fs.writeFile(filepath, json);
     }
     logger.logger.log(json);
     return;
   }
-  if (outputKind === 'markdown' || filePath && filePath.endsWith('.md')) {
+  if (outputKind === 'markdown' || filepath && filepath.endsWith('.md')) {
     const md = short ? `healthy = ${scanReport.data.healthy}` : toMarkdownReport(scanReport.data,
     // not short so must be regular report
     includeLicensePolicy);
-    if (filePath && filePath !== '-') {
-      logger.logger.log('Writing markdown report to', filePath);
-      return await fs.writeFile(filePath, md);
+    if (filepath && filepath !== '-') {
+      logger.logger.log('Writing markdown report to', filepath);
+      return await fs.writeFile(filepath, md);
     }
     logger.logger.log(md);
     logger.logger.log('');
@@ -1389,6 +1391,8 @@ function toJsonReport(report, includeLicensePolicy) {
   });
 }
 function toMarkdownReport(report, includeLicensePolicy) {
+  const reportLevel = report.options.reportLevel;
+  const alertFolding = report.options.fold === constants.default.FOLD_SETTING_NONE ? 'none' : `up to ${report.options.fold}`;
   const flatData = Array.from(utils.walkNestedMap(report.alerts)).map(({
     keys,
     value
@@ -1404,10 +1408,11 @@ function toMarkdownReport(report, includeLicensePolicy) {
       Package: keys[1] || '<unknown>',
       'Introduced by': keys[2] || '<unknown>',
       url,
-      'Manifest file': manifest.join(', '),
+      'Manifest file': arrays.joinAnd(manifest),
       Policy: policy
     };
   });
+  const minPolicyLevel = reportLevel === constants.default.REPORT_LEVEL_DEFER ? 'everything' : reportLevel;
   const md = `
 # Scan Policy Report
@@ -1424,13 +1429,13 @@ Configuration used to generate this report:
 - Organization: ${report.orgSlug}
 - Scan ID: ${report.scanId}
-- Alert folding: ${report.options.fold === 'none' ? 'none' : `up to ${report.options.fold}`}
-- Minimal policy level for alert to be included in report: ${report.options.reportLevel === 'defer' ? 'everything' : report.options.reportLevel}
+- Alert folding: ${alertFolding}
+- Minimal policy level for alert to be included in report: ${minPolicyLevel}
 - Include license alerts: ${includeLicensePolicy ? 'yes' : 'no'}
 ## Alerts
-${report.alerts.size ? `All the alerts from the scan with a policy set to at least "${report.options.reportLevel}".` : `The scan contained no alerts with a policy set to at least "${report.options.reportLevel}".`}
+${report.alerts.size ? `All the alerts from the scan with a policy set to at least "${reportLevel}".` : `The scan contained no alerts with a policy set to at least "${reportLevel}".`}
 ${!report.alerts.size ? '' : utils.mdTable(flatData, ['Policy', 'Alert Type', 'Package', 'Introduced by', 'url', 'Manifest file'])}
   `.trim() + '\n';
@@ -1438,7 +1443,7 @@ ${!report.alerts.size ? '' : utils.mdTable(flatData, ['Policy', 'Alert Type', 'P
 }
 async function handleScanReport({
-  filePath,
+  filepath,
   fold,
   includeLicensePolicy,
   orgSlug,
@@ -1451,7 +1456,7 @@ async function handleScanReport({
     includeLicensePolicy
   });
   await outputScanReport(scanDataCResult, {
-    filePath,
+    filepath,
     fold,
     scanId: scanId,
     includeLicensePolicy,
@@ -1466,7 +1471,7 @@ async function outputCreateNewScan(result, options) {
   const {
     interactive = false,
     outputKind = 'text',
-    spinner = constants.spinner
+    spinner = constants.default.spinner
   } = {
     __proto__: null,
     ...options
@@ -1576,7 +1581,7 @@ async function performReachabilityAnalysis(options) {
     // Exclude any .socket.facts.json files that happen to be in the scan
     // folder before the analysis was run.
-    const filepathsToUpload = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON);
+    const filepathsToUpload = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON);
     spinner?.start('Uploading manifests for reachability analysis...');
     const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload), {
       desc: 'upload manifests',
@@ -1607,27 +1612,25 @@ async function performReachabilityAnalysis(options) {
   spinner?.infoAndStop('Running reachability analysis with Coana...');
   // Build Coana arguments.
-  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : [])];
   // Build environment variables.
-  const env = {
-    ...process.env
-  };
+  const coanaEnv = {};
   // do not pass default repo and branch name to coana to avoid mixing
   // buckets (cached configuration) from projects that are likely very different.
-  if (repoName && repoName !== constants.SOCKET_DEFAULT_REPOSITORY) {
-    env['SOCKET_REPO_NAME'] = repoName;
+  if (repoName && repoName !== constants.default.SOCKET_DEFAULT_REPOSITORY) {
+    coanaEnv['SOCKET_REPO_NAME'] = repoName;
   }
-  if (branchName && branchName !== constants.SOCKET_DEFAULT_BRANCH) {
-    env['SOCKET_BRANCH_NAME'] = branchName;
+  if (branchName && branchName !== constants.default.SOCKET_DEFAULT_BRANCH) {
+    coanaEnv['SOCKET_BRANCH_NAME'] = branchName;
   }
   // Run Coana with the manifests tar hash.
   const coanaResult = await utils.spawnCoana(coanaArgs, orgSlug, {
     cwd,
-    env,
+    env: coanaEnv,
     spinner,
     stdio: 'inherit'
   });
@@ -1639,8 +1642,8 @@ async function performReachabilityAnalysis(options) {
     ok: true,
     data: {
       // Use the DOT_SOCKET_DOT_FACTS_JSON file for the scan.
-      reachabilityReport: constants.DOT_SOCKET_DOT_FACTS_JSON,
-      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(constants.DOT_SOCKET_DOT_FACTS_JSON)
+      reachabilityReport: constants.default.DOT_SOCKET_DOT_FACTS_JSON,
+      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(constants.default.DOT_SOCKET_DOT_FACTS_JSON)
     }
   } : coanaResult;
 }
@@ -1720,7 +1723,7 @@ async function convertGradleToMaven({
     // .socket folder. We could do a socket.pom.gz with all the poms, although
     // I'd prefer something plain-text if it is to be committed.
     // Note: init.gradle will be exported by .config/rollup.dist.config.mjs
-    const initLocation = path.join(constants.distPath, 'init.gradle');
+    const initLocation = path.join(constants.default.distPath, 'init.gradle');
     const commandArgs = ['--init-script', initLocation, ...gradleOpts, 'pom'];
     if (verbose) {
       logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
@@ -1764,7 +1767,7 @@ async function convertGradleToMaven({
 async function execGradleWithSpinner(bin, commandArgs, cwd) {
   const {
     spinner
-  } = constants;
+  } = constants.default;
   let pass = false;
   try {
     logger.logger.info('(Running gradle can take a while, it depends on how long gradlew has to run)');
@@ -1808,7 +1811,7 @@ async function convertSbtToMaven({
   const {
     spinner
-  } = constants;
+  } = constants.default;
   logger.logger.group('sbt2maven:');
   logger.logger.info(`- executing: \`${bin}\``);
   logger.logger.info(`- src dir: \`${cwd}\``);
@@ -2142,6 +2145,7 @@ async function handleCreateNewScan({
   readOnly,
   repoName,
   report,
+  reportLevel,
   targets,
   tmp
 }) {
@@ -2159,7 +2163,7 @@ async function handleCreateNewScan({
   }
   const {
     spinner
-  } = constants;
+  } = constants.default;
   const supportedFilesCResult = await fetchSupportedScanFileNames({
     spinner
   });
@@ -2223,7 +2227,7 @@ async function handleCreateNewScan({
     scanPaths = [...packagePaths.filter(
     // Ensure the .socket.facts.json isn't duplicated in case it happened
     // to be in the scan folder before the analysis was run.
-    p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON), ...(reachabilityReport ? [reachabilityReport] : [])];
+    p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON), ...(reachabilityReport ? [reachabilityReport] : [])];
     tier1ReachabilityScanId = reachResult.data?.tier1ReachabilityScanId;
   }
   const fullScanCResult = await fetchCreateOrgFullScan(scanPaths, orgSlug, {
@@ -2246,12 +2250,12 @@ async function handleCreateNewScan({
   if (report && fullScanCResult.ok) {
     if (scanId) {
       await handleScanReport({
-        filePath: '-',
-        fold: 'version',
+        filepath: '-',
+        fold: constants.default.FOLD_SETTING_VERSION,
         includeLicensePolicy: true,
         orgSlug,
         outputKind,
-        reportLevel: 'error',
+        reportLevel,
         scanId,
         short: false
       });
@@ -2313,6 +2317,7 @@ async function handleCi(autoManifest) {
     repoName,
     readOnly: false,
     report: true,
+    reportLevel: constants.default.REPORT_LEVEL_ERROR,
     targets: ['.'],
     // Don't set 'tmp' when 'pendingHead' is true.
     tmp: false
@@ -2370,7 +2375,7 @@ async function run$O(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCi(Boolean(cli.flags['autoManifest']));
@@ -2663,7 +2668,7 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigAuto({
@@ -2771,7 +2776,7 @@ async function run$M(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigGet({
@@ -2903,7 +2908,7 @@ async function run$L(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await outputConfigList({
@@ -3027,7 +3032,7 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigSet({
@@ -3139,7 +3144,7 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigUnset({
@@ -3186,14 +3191,14 @@ function getSocketFixPullRequestBody(ghsaIds, ghsaDetails) {
   if (vulnCount === 1) {
     const ghsaId = ghsaIds[0];
     const details = ghsaDetails?.get(ghsaId);
-    const body = `[Socket](${constants.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
+    const body = `[Socket](${constants.default.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
     if (!details) {
       return body;
     }
     const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
     return [body, '', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
   }
-  return [`[Socket](${constants.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+  return [`[Socket](${constants.default.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
     const details = ghsaDetails?.get(id);
     const item = `- [${id}](${GITHUB_ADVISORIES_URL}/${id})`;
     if (details) {
@@ -3373,7 +3378,7 @@ async function getSocketPrsWithContext(owner, repo, options) {
 function ciRepoInfo() {
   const {
     GITHUB_REPOSITORY
-  } = constants.ENV;
+  } = constants.default.ENV;
   if (!GITHUB_REPOSITORY) {
     require$$9.debugFn('notice', 'miss: GITHUB_REPOSITORY env var');
   }
@@ -3389,18 +3394,18 @@ function ciRepoInfo() {
 }
 async function getFixEnv() {
   const baseBranch = await utils.getBaseBranch();
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  const gitEmail = constants.default.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.default.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.default.ENV.CI && gitEmail && gitUser && githubToken);
   if (
   // If isCi is false,
   !isCi && (
   // but some CI checks are passing,
-  constants.ENV.CI || gitEmail || gitUser || githubToken) &&
+  constants.default.ENV.CI || gitEmail || gitUser || githubToken) &&
   // then log about it when in debug mode.
   require$$9.isDebug('notice')) {
-    const envVars = [...(constants.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
+    const envVars = [...(constants.default.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
     require$$9.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envVars)} to be set`);
   }
   let repoInfo = null;
@@ -3844,10 +3849,9 @@ async function run$I(argv, importMeta, {
   const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
   const purls = [];
   for (const purl of rawPurls) {
-    let version;
-    try {
-      version = vendor.packageurlJsExports$1.PackageURL.fromString(purl)?.version;
-    } catch {}
+    const version = utils.getPurlObject(purl, {
+      throws: false
+    })?.version;
     if (version) {
       purls.push(purl);
     } else {
@@ -3874,7 +3878,7 @@ async function run$I(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_NOT_SAVING);
+    logger.logger.log(constants.default.DRY_RUN_NOT_SAVING);
     return;
   }
   const orgSlugCResult = await utils.getDefaultOrgSlug();
@@ -3896,7 +3900,7 @@ async function run$I(argv, importMeta, {
   }
   const {
     spinner
-  } = constants;
+  } = constants.default;
   // We patched in this feature with `npx custompatch meow` at
   // socket-cli/patches/meow#13.2.0.patch.
   const unknownFlags = cli.unknownFlags ?? [];
@@ -3980,7 +3984,7 @@ async function setupTabCompletion(targetName) {
   let bashrcUpdated = false;
   // Add to ~/.bashrc if not already there
-  const bashrcPath = constants.homePath ? path.join(constants.homePath, '.bashrc') : '';
+  const bashrcPath = constants.default.homePath ? path.join(constants.default.homePath, '.bashrc') : '';
   const foundBashrc = Boolean(bashrcPath && fs$1.existsSync(bashrcPath));
   if (foundBashrc) {
     const content = fs$1.readFileSync(bashrcPath, 'utf8');
@@ -4026,7 +4030,7 @@ function updateInstalledTabCompletionScript(targetPath) {
   // When installing set the current package.json version.
   // Later, we can call _socket_completion_version to get the installed version.
-  fs$1.writeFileSync(targetPath, content.data.replaceAll('%SOCKET_VERSION_TOKEN%', constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH), 'utf8');
+  fs$1.writeFileSync(targetPath, content.data.replaceAll('%SOCKET_VERSION_TOKEN%', constants.default.ENV.INLINED_SOCKET_CLI_VERSION_HASH), 'utf8');
   return {
     ok: true,
     data: undefined
@@ -4090,7 +4094,7 @@ async function run$H(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const targetName = cli.input[0] || 'socket';
@@ -4116,9 +4120,9 @@ const cmdInstall = {
 };
 async function outputCmdJson(cwd) {
-  logger.logger.info('Target cwd:', constants.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
+  logger.logger.info('Target cwd:', constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
   const sockJsonPath = path.join(cwd, 'socket.json');
-  const tildeSockJsonPath = constants.ENV.VITEST ? '<redacted>' : utils.tildify(sockJsonPath);
+  const tildeSockJsonPath = constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(sockJsonPath);
   if (!fs$1.existsSync(sockJsonPath)) {
     logger.logger.fail(`Not found: ${tildeSockJsonPath}`);
     process.exitCode = 1;
@@ -4199,7 +4203,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
       cause: 'Canceled by user'
     };
   }
-  const apiToken = apiTokenInput || constants.SOCKET_PUBLIC_API_TOKEN;
+  const apiToken = apiTokenInput || constants.default.SOCKET_PUBLIC_API_TOKEN;
   const sockSdkCResult = await utils.setupSdk({
     apiBaseUrl,
     apiProxy,
@@ -4367,7 +4371,7 @@ async function run$F(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (!vendor.isInteractiveExports()) {
@@ -4431,7 +4435,7 @@ async function run$E(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   attemptLogout();
@@ -4441,8 +4445,8 @@ const {
   PACKAGE_LOCK_JSON,
   YARN,
   YARN_LOCK
-} = constants;
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', 'npm', 'pnpm', 'ts', 'tsx', 'typescript']);
+} = constants.default;
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', constants.NPM, constants.PNPM, 'ts', 'tsx', 'typescript']);
 function argvToArray(argvObj) {
   if (argvObj['help']) {
     return ['--help'];
@@ -4485,29 +4489,29 @@ async function runCdxgen(argvObj) {
   };
   const shadowOpts = {
     ipc: {
-      [constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]: true,
-      [constants.SOCKET_CLI_SHADOW_API_TOKEN]: constants.SOCKET_PUBLIC_API_TOKEN,
-      [constants.SOCKET_CLI_SHADOW_SILENT]: true
+      [constants.default.SOCKET_CLI_SHADOW_ACCEPT_RISKS]: true,
+      [constants.default.SOCKET_CLI_SHADOW_API_TOKEN]: constants.default.SOCKET_PUBLIC_API_TOKEN,
+      [constants.default.SOCKET_CLI_SHADOW_SILENT]: true
     },
     stdio: 'inherit'
   };
   if (argvMutable['type'] !== YARN && nodejsPlatformTypes.has(argvMutable['type']) && fs$1.existsSync(`./${YARN_LOCK}`)) {
     if (fs$1.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
-      argvMutable['type'] = 'npm';
+      argvMutable['type'] = constants.NPM;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
         const {
           spawnPromise: synpPromise
-        } = await shadowNpmBin('npx', ['--yes', `synp@${constants.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`], shadowOpts);
+        } = await shadowNpmBin('npx', ['--yes', `synp@${constants.default.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`], shadowOpts);
         await synpPromise;
-        argvMutable['type'] = 'npm';
+        argvMutable['type'] = constants.NPM;
         cleanupPackageLock = true;
       } catch {}
     }
   }
-  const shadowResult = await shadowNpmBin('npx', ['--yes', `@cyclonedx/cdxgen@${constants.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
+  const shadowResult = await shadowNpmBin('npx', ['--yes', `@cyclonedx/cdxgen@${constants.default.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
   shadowResult.spawnPromise.process.on('exit', () => {
     if (cleanupPackageLock) {
       try {
@@ -4770,7 +4774,7 @@ async function run$D(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
@@ -4878,7 +4882,7 @@ async function run$C(argv, importMeta, {
     detected
   });
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (!detected.count) {
@@ -5041,7 +5045,7 @@ async function run$B(argv, importMeta, {
   }
   logger.logger.warn('Warning: This will approximate your Conda dependencies using PyPI. We do not yet officially support Conda. Use at your own risk.');
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleManifestConda({
@@ -5192,7 +5196,7 @@ async function run$A(argv, importMeta, {
     logger.logger.groupEnd();
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await convertGradleToMaven({
@@ -5347,7 +5351,7 @@ async function run$z(argv, importMeta, {
     logger.logger.groupEnd();
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await convertGradleToMaven({
@@ -5525,7 +5529,7 @@ async function run$y(argv, importMeta, {
     logger.logger.groupEnd();
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await convertSbtToMaven({
@@ -6007,7 +6011,7 @@ async function run$x(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleManifestSetup(cwd, Boolean(defaultOnReadError));
@@ -6053,7 +6057,7 @@ async function run$w(argv, importMeta, {
 }
 const require$3 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-const CMD_NAME$p = 'npm';
+const CMD_NAME$p = constants.NPM;
 const description$u = 'Run npm with the Socket wrapper';
 const hidden$o = false;
 const cmdNpm = {
@@ -6096,14 +6100,14 @@ async function run$v(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const shadowBin = /*@__PURE__*/require$3(constants.shadowNpmBinPath);
+  const shadowBin = /*@__PURE__*/require$3(constants.default.shadowNpmBinPath);
   process.exitCode = 1;
   const {
     spawnPromise
-  } = await shadowBin('npm', argv, {
+  } = await shadowBin(constants.NPM, argv, {
     stdio: 'inherit'
   });
@@ -6120,7 +6124,7 @@ async function run$v(argv, importMeta, {
 }
 const require$2 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-const CMD_NAME$o = 'npx';
+const CMD_NAME$o = constants.NPX;
 const description$t = 'Run npx with the Socket wrapper';
 const hidden$n = false;
 const cmdNpx = {
@@ -6162,14 +6166,14 @@ async function run$u(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const shadowBin = /*@__PURE__*/require$2(constants.shadowNpmBinPath);
+  const shadowBin = /*@__PURE__*/require$2(constants.default.shadowNpmBinPath);
   process.exitCode = 1;
   const {
     spawnPromise
-  } = await shadowBin('npx', argv, {
+  } = await shadowBin(constants.NPX, argv, {
     stdio: 'inherit'
   });
@@ -6226,7 +6230,7 @@ async function run$t(argv, importMeta, {
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (json && !justThrow) {
@@ -6252,7 +6256,7 @@ const {
   VLT: VLT$5,
   YARN_BERRY: YARN_BERRY$4,
   YARN_CLASSIC: YARN_CLASSIC$4
-} = constants;
+} = constants.default;
 function matchLsCmdViewHumanStdout(stdout, name) {
   return stdout.includes(` ${name}@`);
 }
@@ -6306,7 +6310,7 @@ const {
   VLT: VLT$4,
   YARN_BERRY: YARN_BERRY$3,
   YARN_CLASSIC: YARN_CLASSIC$3
-} = constants;
+} = constants.default;
 function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
   const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
   return {
@@ -6381,13 +6385,13 @@ function getOverridesData(pkgEnvDetails, pkgJson) {
 const {
   BUN: BUN$2,
-  LOCK_EXT,
+  EXT_LOCK,
   NPM: NPM$2,
   PNPM: PNPM$2,
   VLT: VLT$3,
   YARN_BERRY: YARN_BERRY$2,
   YARN_CLASSIC: YARN_CLASSIC$2
-} = constants;
+} = constants.default;
 function npmLockSrcIncludes(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name":
@@ -6398,7 +6402,7 @@ function bunLockSrcIncludes(lockSrc, name, lockName) {
   // we treat it as a yarn.lock. When lockName ends with a .lock we
   // treat it as a package-lock.json. The bun.lock format is not identical
   // package-lock.json, however it close enough for npmLockIncludes to work.
-  const lockfileScanner = lockName?.endsWith(LOCK_EXT) ? npmLockSrcIncludes : yarnLockSrcIncludes;
+  const lockfileScanner = lockName?.endsWith(EXT_LOCK) ? npmLockSrcIncludes : yarnLockSrcIncludes;
   return lockfileScanner(lockSrc, name);
 }
 function pnpmLockSrcIncludes(lockSrc, name) {
@@ -6453,7 +6457,7 @@ const {
   VLT: VLT$2,
   YARN_BERRY: YARN_BERRY$1,
   YARN_CLASSIC: YARN_CLASSIC$1
-} = constants;
+} = constants.default;
 function cleanupQueryStdout(stdout) {
   if (stdout === '') {
     return '';
@@ -6499,7 +6503,7 @@ async function npmQuery(npmExecPath, cwd) {
   try {
     stdout = (await spawn.spawn(npmExecPath, ['query', ':not(.dev)'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return cleanupQueryStdout(stdout);
@@ -6516,7 +6520,7 @@ async function lsBun(pkgEnvDetails, options) {
     // https://github.com/oven-sh/bun/issues/8283
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['pm', 'ls', '--all'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return '';
@@ -6551,7 +6555,7 @@ async function lsPnpm(pkgEnvDetails, options) {
     // https://en.wiktionary.org/wiki/parsable
     ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return parsableToQueryStdout(stdout);
@@ -6568,7 +6572,7 @@ async function lsVlt(pkgEnvDetails, options) {
     // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (await spawn.spawn(pkgEnvDetails.agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return cleanupQueryStdout(stdout);
@@ -6585,7 +6589,7 @@ async function lsYarnBerry(pkgEnvDetails, options) {
     // https://github.com/yarnpkg/berry/issues/5117
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['info', '--recursive', '--name-only'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return '';
@@ -6604,7 +6608,7 @@ async function lsYarnClassic(pkgEnvDetails, options) {
     //   environment is production
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['list', '--prod'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return '';
@@ -6638,7 +6642,7 @@ const {
   VLT: VLT$1,
   YARN_BERRY,
   YARN_CLASSIC
-} = constants;
+} = constants.default;
 const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'peerDependenciesMeta', 'optionalDependencies', 'bundleDependencies'];
 function getEntryIndexes(entries, keys) {
   return keys.map(n => entries.findIndex(p => p[0] === n)).filter(n => n !== -1).sort((a, b) => a - b);
@@ -6763,7 +6767,7 @@ function updateManifest(agent, editablePkgJson, overrides) {
   }
 }
-const manifestNpmOverrides = registry.getManifestData('npm');
+const manifestNpmOverrides = registry.getManifestData(constants.NPM);
 async function addOverrides(pkgEnvDetails, pkgPath, options) {
   const {
     agent,
@@ -6789,14 +6793,14 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
     ...options
   };
   const workspacePkgJsonPaths = await utils.globWorkspace(agent, pkgPath);
-  const isPnpm = agent === 'pnpm';
+  const isPnpm = agent === constants.PNPM;
   const isWorkspace = workspacePkgJsonPaths.length > 0;
   const isWorkspaceRoot = pkgPath === rootPath;
   const isLockScanned = isWorkspaceRoot && !prod;
   const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
   if (isWorkspace && isPnpm &&
   // npmExecPath will === the agent name IF it CANNOT be resolved.
-  npmExecPath === 'npm' && !state.warnedPnpmWorkspaceRequiresNpm) {
+  npmExecPath === constants.NPM && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     spinner?.stop();
     logger?.warn(utils.cmdPrefixMessage(CMD_NAME$n, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
@@ -6885,7 +6889,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
           const sockRegDepAlias = depAliasMap.get(sockRegPkgName);
           const depAlias = sockRegDepAlias ?? origDepAlias;
           let newSpec = sockOverrideSpec;
-          if (type === 'npm' && depAlias) {
+          if (type === constants.NPM && depAlias) {
             // With npm one may not set an override for a package that one directly
             // depends on unless both the dependency and the override itself share
             // the exact same spec. To make this limitation easier to deal with,
@@ -6965,7 +6969,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
 const {
   NPM_BUGGY_OVERRIDES_PATCHED_VERSION
-} = constants;
+} = constants.default;
 async function updateLockfile(pkgEnvDetails, options) {
   const {
     cmdName = '',
@@ -7016,7 +7020,7 @@ async function applyOptimization(pkgEnvDetails, {
 }) {
   const {
     spinner
-  } = constants;
+  } = constants.default;
   spinner.start();
   const state = await addOverrides(pkgEnvDetails, pkgEnvDetails.pkgPath, {
     logger: logger.logger,
@@ -7083,7 +7087,7 @@ function createActionMessage(verb, overrideCount, workspaceCount) {
 const {
   VLT
-} = constants;
+} = constants.default;
 async function handleOptimize({
   cwd,
   outputKind,
@@ -7178,7 +7182,7 @@ async function run$s(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const {
@@ -7377,7 +7381,7 @@ async function run$r(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDependencies({
@@ -7514,7 +7518,7 @@ async function run$q(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleLicensePolicy(orgSlug, outputKind);
@@ -7648,7 +7652,7 @@ async function run$p(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleSecurityPolicy(orgSlug, outputKind);
@@ -7768,7 +7772,7 @@ async function run$o(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleOrganizationList(outputKind);
@@ -7898,7 +7902,7 @@ async function run$n(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleQuota(outputKind);
@@ -8256,7 +8260,7 @@ async function run$m(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handlePurlDeepScore(purls[0] || '', outputKind);
@@ -8638,7 +8642,7 @@ async function run$l(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handlePurlsShallowScore({
@@ -8710,13 +8714,14 @@ async function outputPatchResult(result, outputKind) {
     return;
   }
   const {
-    patchedPackages
+    patched
   } = result.data;
-  if (patchedPackages.length > 0) {
-    logger.logger.success(`Successfully processed patches for ${patchedPackages.length} package(s):`);
-    for (const pkg of patchedPackages) {
+  if (patched.length) {
+    logger.logger.group(`Successfully processed patches for ${patched.length} package(s):`);
+    for (const pkg of patched) {
       logger.logger.success(pkg);
     }
+    logger.logger.groupEnd();
   } else {
     logger.logger.info('No packages found requiring patches');
   }
@@ -8724,144 +8729,96 @@ async function outputPatchResult(result, outputKind) {
   logger.logger.success('Patch command completed!');
 }
-async function applyNPMPatches(patches, dryRun, socketDir, packages) {
+async function applyNPMPatches(patches, purlObjs, socketDir, dryRun) {
   const patchLookup = new Map();
   for (const patchInfo of patches) {
-    const {
-      purl
-    } = patchInfo;
-    const fullName = purl.namespace ? `@${purl.namespace}/${purl.name}` : purl.name;
-    const lookupKey = `${fullName}@${purl.version}`;
-    patchLookup.set(lookupKey, patchInfo);
-  }
-  const nodeModulesFolders = await findNodeModulesFolders(process.cwd());
-  logger.logger.log(`Found ${nodeModulesFolders.length} node_modules folders`);
-  for (const nodeModulesPath of nodeModulesFolders) {
-    try {
+    const key = getLookupKey(patchInfo.purlObj);
+    patchLookup.set(key, patchInfo);
+  }
+  const nmPaths = await findNodeModulesPaths(process.cwd());
+  logger.logger.log(`Found ${nmPaths.length} node_modules ${words.pluralize('folder', nmPaths.length)}`);
+  for (const nmPath of nmPaths) {
+    // eslint-disable-next-line no-await-in-loop
+    const dirNames = await fs$2.readDirNames(nmPath);
+    for (const dirName of dirNames) {
+      const isScoped = dirName.startsWith('@');
+      const pkgPath = path.join(nmPath, dirName);
+      const pkgSubNames = isScoped ?
       // eslint-disable-next-line no-await-in-loop
-      const entries = await fs$1.promises.readdir(nodeModulesPath);
-      for (const entry of entries) {
-        const entryPath = path.join(nodeModulesPath, entry);
-        if (entry.startsWith('@')) {
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            const scopedEntries = await fs$1.promises.readdir(entryPath);
-            for (const scopedEntry of scopedEntries) {
-              const packagePath = path.join(entryPath, scopedEntry);
-              // eslint-disable-next-line no-await-in-loop
-              const pkg = await readPackageJson(packagePath);
-              if (pkg) {
-                // Skip if specific packages requested and this isn't one of them
-                if (packages.length > 0 && !packages.includes(pkg.name)) {
-                  continue;
-                }
-                const lookupKey = `${pkg.name}@${pkg.version}`;
-                const patchInfo = patchLookup.get(lookupKey);
-                if (patchInfo) {
-                  logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${packagePath}`);
-                  logger.logger.log(`  Patch key: ${patchInfo.key}`);
-                  logger.logger.log(`  Processing files:`);
-                  for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
-                    // eslint-disable-next-line no-await-in-loop
-                    await processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir);
-                  }
-                }
-              }
-            }
-          } catch {
-            // Ignore errors reading scoped packages
-          }
-        } else {
+      await fs$2.readDirNames(pkgPath) : [dirName];
+      try {
+        for (const pkgSubName of pkgSubNames) {
+          const dirFullName = isScoped ? `${dirName}/${pkgSubName}` : pkgSubName;
+          const pkgPath = path.join(nmPath, dirFullName);
           // eslint-disable-next-line no-await-in-loop
-          const pkg = await readPackageJson(entryPath);
-          if (pkg) {
-            // Skip if specific packages requested and this isn't one of them
-            if (packages.length > 0 && !packages.includes(pkg.name)) {
-              continue;
-            }
-            const lookupKey = `${pkg.name}@${pkg.version}`;
-            const patchInfo = patchLookup.get(lookupKey);
-            if (patchInfo) {
-              logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${entryPath}`);
-              logger.logger.log(`  Patch key: ${patchInfo.key}`);
-              logger.logger.log(`  Processing files:`);
-              for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
-                // eslint-disable-next-line no-await-in-loop
-                await processFilePatch(entryPath, fileName, fileInfo, dryRun, socketDir);
-              }
-            }
+          const pkgJson = await packages.readPackageJson(pkgPath, {
+            throws: false
+          });
+          if (!strings.isNonEmptyString(pkgJson?.name) || !strings.isNonEmptyString(pkgJson?.version)) {
+            continue;
+          }
+          const pkgFullName = pkgJson.name;
+          const purlObj = utils.getPurlObject(`pkg:npm/${pkgFullName}`);
+          // Skip if specific packages requested and this isn't one of them
+          if (purlObjs.findIndex(p => p.type === 'npm' && p.namespace === purlObj.namespace && p.name === purlObj.name) === -1) {
+            continue;
+          }
+          const patchInfo = patchLookup.get(getLookupKey(purlObj));
+          if (!patchInfo) {
+            continue;
+          }
+          logger.logger.log(`Found match: ${pkgFullName}@${pkgJson.version} at ${pkgPath}`);
+          logger.logger.log(`Patch key: ${patchInfo.key}`);
+          logger.logger.group(`Processing files:`);
+          for (const {
+            0: fileName,
+            1: fileInfo
+          } of Object.entries(patchInfo.patch.files)) {
+            // eslint-disable-next-line no-await-in-loop
+            await processFilePatch(pkgPath, fileName, fileInfo, dryRun, socketDir);
           }
+          logger.logger.groupEnd();
         }
+      } catch (error) {
+        logger.logger.error(`Error processing ${nmPath}:`, error);
       }
-    } catch (error) {
-      logger.logger.error(`Error processing ${nodeModulesPath}:`, error);
     }
   }
 }
-async function computeSHA256(filePath) {
+async function computeSHA256(filepath) {
   try {
-    const content = await fs$1.promises.readFile(filePath);
+    const content = await fs$1.promises.readFile(filepath);
     const hash = require$$0$1.createHash('sha256');
     hash.update(content);
     return hash.digest('hex');
-  } catch {
-    return null;
-  }
+  } catch {}
+  return null;
 }
-async function findNodeModulesFolders(rootDir) {
-  const nodeModulesPaths = [];
-  async function searchDir(dir) {
-    try {
-      const entries = await fs$1.promises.readdir(dir);
-      for (const entry of entries) {
-        if (entry.startsWith('.') || entry === 'dist' || entry === 'build') {
-          continue;
-        }
-        const fullPath = path.join(dir, entry);
-        // eslint-disable-next-line no-await-in-loop
-        const stats = await fs$1.promises.stat(fullPath);
-        if (stats.isDirectory()) {
-          if (entry === 'node_modules') {
-            nodeModulesPaths.push(fullPath);
-          } else {
-            // eslint-disable-next-line no-await-in-loop
-            await searchDir(fullPath);
-          }
-        }
-      }
-    } catch (error) {
-      // Ignore permission errors or missing directories
-    }
-  }
-  await searchDir(rootDir);
-  return nodeModulesPaths;
-}
-function parsePURL(purlString) {
-  const [ecosystem, rest] = purlString.split(':', 2);
-  const [nameAndNamespace, version] = (rest ?? '').split('@', 2);
-  let namespace;
-  let name;
-  if (ecosystem === 'npm' && nameAndNamespace?.startsWith('@')) {
-    const parts = nameAndNamespace.split('/');
-    namespace = parts[0]?.substring(1);
-    name = parts.slice(1).join('/');
-  } else {
-    name = nameAndNamespace ?? '';
+async function findNodeModulesPaths(cwd) {
+  const rootNmPath = await utils.findUp(constants.NODE_MODULES, {
+    cwd,
+    onlyDirectories: true
+  });
+  if (!rootNmPath) {
+    return [];
   }
-  return {
-    type: ecosystem ?? 'unknown',
-    namespace: namespace ?? '',
-    name: name ?? '',
-    version: version ?? '0.0.0'
-  };
+  return await vendor.outExports.glob([`**/${constants.NODE_MODULES}`], {
+    absolute: true,
+    cwd: path.dirname(rootNmPath),
+    onlyDirectories: true
+  });
 }
-async function processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir) {
-  const filePath = path.join(packagePath, fileName);
-  if (!fs$1.existsSync(filePath)) {
+function getLookupKey(purlObj) {
+  const fullName = purlObj.namespace ? `${purlObj.namespace}/${purlObj.name}` : purlObj.name;
+  return `${fullName}@${purlObj.version}`;
+}
+async function processFilePatch(pkgPath, fileName, fileInfo, dryRun, socketDir) {
+  const filepath = path.join(pkgPath, fileName);
+  if (!fs$1.existsSync(filepath)) {
     logger.logger.log(`File not found: ${fileName}`);
     return;
   }
-  const currentHash = await computeSHA256(filePath);
+  const currentHash = await computeSHA256(filepath);
   if (!currentHash) {
     logger.logger.log(`Failed to compute hash for: ${fileName}`);
     return;
@@ -8870,20 +8827,20 @@ async function processFilePatch(packagePath, fileName, fileInfo, dryRun, socketD
     logger.logger.success(`File matches expected hash: ${fileName}`);
     logger.logger.log(`Current hash: ${currentHash}`);
     logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
-    if (!dryRun) {
+    if (dryRun) {
+      logger.logger.log(`(dry run - no changes made)`);
+    } else {
       const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
       if (!fs$1.existsSync(blobPath)) {
         logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
         return;
       }
       try {
-        await fs$1.promises.copyFile(blobPath, filePath);
+        await fs$1.promises.copyFile(blobPath, filepath);
         logger.logger.success(`Patch applied successfully`);
       } catch (error) {
-        logger.logger.log(`Error applying patch: ${error}`);
+        logger.logger.error('Error applying patch:', error);
       }
-    } else {
-      logger.logger.log(`(dry run - no changes made)`);
     }
   } else if (currentHash === fileInfo.afterHash) {
     logger.logger.success(`File already patched: ${fileName}`);
@@ -8895,65 +8852,60 @@ async function processFilePatch(packagePath, fileName, fileInfo, dryRun, socketD
     logger.logger.log(`Target:   ${fileInfo.afterHash}`);
   }
 }
-async function readPackageJson(packagePath) {
-  const pkgJsonPath = path.join(packagePath, 'package.json');
-  const pkg = await fs$2.readJson(pkgJsonPath, {
-    throws: false
-  });
-  if (pkg) {
-    return {
-      name: pkg.name || '',
-      version: pkg.version || ''
-    };
-  }
-  return null;
-}
 async function handlePatch({
   cwd,
   dryRun,
   outputKind,
-  packages,
+  purlObjs,
   spinner
 }) {
   try {
     const dotSocketDirPath = path.join(cwd, '.socket');
     const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
-    // Read the manifest file.
     const manifestContent = await fs$1.promises.readFile(manifestPath, 'utf-8');
     const manifestData = JSON.parse(manifestContent);
-    // Validate the schema.
+    const purls = purlObjs.map(String);
     const validated = PatchManifestSchema.parse(manifestData);
     // Parse PURLs and group by ecosystem.
-    const patchesByEcosystem = {};
-    for (const [key, patch] of Object.entries(validated.patches)) {
-      const purl = parsePURL(key);
-      if (!patchesByEcosystem[purl.type]) {
-        patchesByEcosystem[purl.type] = [];
+    const patchesByEcosystem = new Map();
+    for (const {
+      0: key,
+      1: patch
+    } of Object.entries(validated.patches)) {
+      const purlObj = utils.getPurlObject(key, {
+        throws: false
+      });
+      if (!purlObj) {
+        continue;
       }
-      patchesByEcosystem[purl.type]?.push({
+      let patches = patchesByEcosystem.get(purlObj.type);
+      if (!Array.isArray(patches)) {
+        patches = [];
+        patchesByEcosystem.set(purlObj.type, patches);
+      }
+      patches.push({
         key,
-        purl,
-        patch
+        patch,
+        purlObj
       });
     }
     spinner.stop();
     logger.logger.log('');
-    if (packages.length > 0) {
-      logger.logger.info(`Checking patches for: ${packages.join(', ')}`);
+    if (purlObjs.length) {
+      logger.logger.info(`Checking patches for: ${arrays.joinAnd(purls)}`);
     } else {
       logger.logger.info('Scanning all dependencies for available patches');
     }
     logger.logger.log('');
-    if (patchesByEcosystem['npm']) {
-      await applyNPMPatches(patchesByEcosystem['npm'], dryRun, dotSocketDirPath, packages);
+    const npmPatches = patchesByEcosystem.get(constants.NPM);
+    if (npmPatches) {
+      await applyNPMPatches(npmPatches, purlObjs, dotSocketDirPath, dryRun);
     }
     const result = {
       ok: true,
       data: {
-        patchedPackages: packages.length > 0 ? packages : ['patched successfully']
+        patched: purls.length ? purls : ['patched successfully']
       }
     };
     await outputPatchResult(result, outputKind);
@@ -8996,10 +8948,10 @@ async function run$k(argv, importMeta, {
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
-      package: {
+      purl: {
         type: 'string',
         default: [],
-        description: 'Specify packages to patch, as either a comma separated value or as multiple flags',
+        description: 'Specify purls to patch, as either a comma separated value or as multiple flags',
         isMultiple: true,
         shortFlag: 'p'
       }
@@ -9053,13 +9005,15 @@ async function run$k(argv, importMeta, {
   }
   const {
     spinner
-  } = constants;
-  const packages = utils.cmdFlagValueToArray(cli.flags['package']);
+  } = constants.default;
+  const purlObjs = arrays.arrayUnique(utils.cmdFlagValueToArray(cli.flags['purl'])).map(p => utils.getPurlObject(p, {
+    throws: false
+  })).filter(Boolean);
   await handlePatch({
     cwd,
     dryRun,
     outputKind,
-    packages,
+    purlObjs,
     spinner
   });
 }
@@ -9067,7 +9021,7 @@ async function run$k(argv, importMeta, {
 async function runRawNpm(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpmBinPath(), argv, {
-    shell: constants.WIN32,
+    shell: constants.default.WIN32,
     stdio: 'inherit'
   });
@@ -9121,7 +9075,7 @@ async function run$j(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await runRawNpm(argv);
@@ -9130,7 +9084,7 @@ async function run$j(argv, importMeta, {
 async function runRawNpx(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpxBinPath(), argv, {
-    shell: constants.WIN32,
+    shell: constants.default.WIN32,
     stdio: 'inherit'
   });
@@ -9184,7 +9138,7 @@ async function run$i(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await runRawNpx(argv);
@@ -9365,7 +9319,7 @@ async function run$h(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCreateRepo({
@@ -9499,7 +9453,7 @@ async function run$g(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDeleteRepo(orgSlug, repoName, outputKind);
@@ -9790,7 +9744,7 @@ async function run$f(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleListRepos({
@@ -9982,7 +9936,7 @@ async function run$e(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleUpdateRepo({
@@ -10147,7 +10101,7 @@ async function run$d(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleViewRepo(orgSlug, String(repoName), outputKind);
@@ -10300,6 +10254,11 @@ const generalFlags$1 = {
     type: 'boolean',
     description: 'Wait for the scan creation to complete, then basically run `socket scan report` on it'
   },
+  reportLevel: {
+    type: 'string',
+    default: constants.default.REPORT_LEVEL_ERROR,
+    description: `Which policy level alerts should be reported (default '${constants.default.REPORT_LEVEL_ERROR}')`
+  },
   setAsAlertsPage: {
     type: 'boolean',
     default: true,
@@ -10402,17 +10361,14 @@ async function run$c(argv, importMeta, {
     reachDisableAnalytics,
     reachSkipCache,
     readOnly,
+    reportLevel,
     setAsAlertsPage: pendingHeadFlag,
     tmp
   } = cli.flags;
-  const dryRun = !!cli.flags['dryRun'];
-  // Process comma-separated values for isMultiple flags.
-  const reachEcosystemsRaw = utils.cmdFlagValueToArray(cli.flags['reachEcosystems']);
-  const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
   // Validate ecosystem values.
   const reachEcosystems = [];
+  const reachEcosystemsRaw = utils.cmdFlagValueToArray(cli.flags['reachEcosystems']);
   const validEcosystems = utils.getEcosystemChoicesForMeow();
   for (const ecosystem of reachEcosystemsRaw) {
     if (!validEcosystems.includes(ecosystem)) {
@@ -10420,6 +10376,7 @@ async function run$c(argv, importMeta, {
     }
     reachEcosystems.push(ecosystem);
   }
+  const dryRun = !!cli.flags['dryRun'];
   let {
     autoManifest,
     branch: branchName,
@@ -10519,6 +10476,7 @@ async function run$c(argv, importMeta, {
     logger.logger.info('You can also run `socket scan setup` to persist these flag defaults to a socket.json file.');
     logger.logger.error('');
   }
+  const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
   // Validation helpers for better readability.
   const hasReachEcosystems = reachEcosystems.length > 0;
@@ -10566,7 +10524,7 @@ async function run$c(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCreateNewScan({
@@ -10594,6 +10552,7 @@ async function run$c(argv, importMeta, {
     readOnly: Boolean(readOnly),
     repoName,
     report,
+    reportLevel,
     targets,
     tmp: Boolean(tmp)
   });
@@ -10715,7 +10674,7 @@ async function run$b(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDeleteScan(orgSlug, scanId, outputKind);
@@ -10797,7 +10756,7 @@ async function handleJson(data, file, dashboardMessage) {
   }
 }
 async function handleMarkdown(data) {
-  const SOCKET_SBOM_URL_PREFIX = `${constants.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
+  const SOCKET_SBOM_URL_PREFIX = `${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
   logger.logger.log('# Scan diff result');
   logger.logger.log('');
   logger.logger.log('This Socket.dev report shows the changes between two scans:');
@@ -10975,7 +10934,7 @@ async function run$a(argv, importMeta, {
     importMeta,
     parentName
   });
-  const SOCKET_SBOM_URL_PREFIX = `${constants.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
+  const SOCKET_SBOM_URL_PREFIX = `${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
   const SOCKET_SBOM_URL_PREFIX_LENGTH = SOCKET_SBOM_URL_PREFIX.length;
   const {
     depth,
@@ -11021,7 +10980,7 @@ async function run$a(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDiffScan({
@@ -11230,6 +11189,7 @@ async function scanOneRepo(repoSlug, {
     readOnly: false,
     repoName: repoSlug,
     report: false,
+    reportLevel: constants.default.REPORT_LEVEL_ERROR,
     targets: ['.'],
     tmp: false
   });
@@ -11693,6 +11653,7 @@ async function handleCreateGithubScan({
 }
 const CMD_NAME$6 = 'github';
+const DEFAULT_GITHUB_URL = 'https://api.github.com';
 const description$8 = 'Create a scan for given GitHub repo';
 const hidden$6 = true;
 const cmdScanGithub = {
@@ -11720,7 +11681,7 @@ async function run$9(argv, importMeta, {
       },
       githubApiUrl: {
         type: 'string',
-        description: 'Base URL of the GitHub API (default: https://api.github.com)'
+        description: `Base URL of the GitHub API (default: ${DEFAULT_GITHUB_URL})`
       },
       interactive: {
         type: 'boolean',
@@ -11774,7 +11735,7 @@ async function run$9(argv, importMeta, {
     parentName
   });
   const {
-    githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN,
+    githubToken = constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN,
     interactive = true,
     json,
     markdown,
@@ -11804,7 +11765,7 @@ async function run$9(argv, importMeta, {
     if (sockJson.defaults?.scan?.github?.githubApiUrl !== undefined) {
       githubApiUrl = sockJson.defaults.scan.github.githubApiUrl;
     } else {
-      githubApiUrl = 'https://api.github.com';
+      githubApiUrl = DEFAULT_GITHUB_URL;
     }
   }
   if (!orgGithub) {
@@ -11872,7 +11833,7 @@ async function run$9(argv, importMeta, {
   // Note exiting earlier to skirt a hidden auth requirement
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCreateGithubScan({
@@ -12137,7 +12098,7 @@ async function run$8(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleListScans({
@@ -12288,7 +12249,7 @@ async function run$7(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleOrgScanMetadata(orgSlug, scanId, outputKind);
@@ -12311,7 +12272,7 @@ async function outputScanReach(result, {
   }
   logger.logger.log('');
   logger.logger.success('Reachability analysis completed successfully!');
-  logger.logger.info(`Reachability report has been written to: ${path.join(cwd, constants.DOT_SOCKET_DOT_FACTS_JSON)}`);
+  logger.logger.info(`Reachability report has been written to: ${path.join(cwd, constants.default.DOT_SOCKET_DOT_FACTS_JSON)}`);
 }
 async function handleScanReach({
@@ -12324,7 +12285,7 @@ async function handleScanReach({
 }) {
   const {
     spinner
-  } = constants;
+  } = constants.default;
   // Get supported file names
   const supportedFilesCResult = await fetchSupportedScanFileNames({
@@ -12491,7 +12452,7 @@ async function run$6(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleScanReach({
@@ -12531,8 +12492,8 @@ async function run$5(argv, importMeta, {
       ...flags.outputFlags,
       fold: {
         type: 'string',
-        default: 'none',
-        description: 'Fold reported alerts to some degree'
+        default: constants.default.FOLD_SETTING_NONE,
+        description: `Fold reported alerts to some degree (default '${constants.default.FOLD_SETTING_NONE}')`
       },
       interactive: {
         type: 'boolean',
@@ -12545,8 +12506,8 @@ async function run$5(argv, importMeta, {
       },
       reportLevel: {
         type: 'string',
-        default: 'warn',
-        description: 'Which policy level alerts should be reported'
+        default: constants.default.REPORT_LEVEL_WARN,
+        description: `Which policy level alerts should be reported (default '${constants.default.REPORT_LEVEL_WARN}')`
       },
       short: {
         type: 'boolean',
@@ -12583,7 +12544,7 @@ async function run$5(argv, importMeta, {
     You can --fold these up to given level: 'pkg', 'version', 'file', and 'none'.
     For example: \`socket scan report --fold=version\` will dedupe alerts to only
-    show one alert of a particular kind, no matter how often it was foud in a
+    show one alert of a particular kind, no matter how often it was found in a
     file or in how many files it was found. At most one per version that has it.
     By default only the warn and error policy level alerts are reported. You can
@@ -12606,16 +12567,17 @@ async function run$5(argv, importMeta, {
     parentName
   });
   const {
-    fold = 'none',
     json,
-    license,
     markdown,
-    org: orgFlag,
-    reportLevel = 'warn'
+    org: orgFlag
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
+  const fold = cli.flags['fold'];
   const interactive = !!cli.flags['interactive'];
-  const [scanId = '', file = ''] = cli.input;
+  const includeLicensePolicy = !!cli.flags['license'];
+  const reportLevel = cli.flags['reportLevel'];
+  const short = !!cli.flags['short'];
+  const [scanId = '', filepath = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
   const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
@@ -12643,18 +12605,18 @@ async function run$5(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleScanReport({
     orgSlug,
     scanId,
-    includeLicensePolicy: !!license,
+    includeLicensePolicy,
     outputKind,
-    filePath: file,
-    fold: fold,
-    short: !!cli.flags['short'],
-    reportLevel: reportLevel
+    filepath,
+    fold,
+    short,
+    reportLevel
   });
 }
@@ -12899,14 +12861,14 @@ async function configureGithub(config) {
   }
   const defaultGithubApiUrl = await prompts.input({
     message: '(--github-api-url) Do you want to override the default github url?',
-    default: config.githubApiUrl || constants.ENV.GITHUB_API_URL,
+    default: config.githubApiUrl || constants.default.ENV.GITHUB_API_URL,
     required: false
     // validate: async string => bool
   });
   if (defaultGithubApiUrl === undefined) {
     return canceledByUser();
   }
-  if (defaultGithubApiUrl && defaultGithubApiUrl !== constants.ENV.GITHUB_API_URL) {
+  if (defaultGithubApiUrl && defaultGithubApiUrl !== constants.default.ENV.GITHUB_API_URL) {
     config.githubApiUrl = defaultGithubApiUrl;
   } else {
     delete config.githubApiUrl;
@@ -13003,7 +12965,7 @@ async function run$4(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const {
@@ -13106,7 +13068,7 @@ Scan ID: ${scanId}
 ${md}
-View this report at: ${constants.SOCKET_WEBSITE_URL}/dashboard/org/${orgSlug}/sbom/${scanId}
+View this report at: ${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/${orgSlug}/sbom/${scanId}
   `.trim() + '\n';
   if (filePath && filePath !== '-') {
     try {
@@ -13245,7 +13207,7 @@ async function run$3(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (json && stream) {
@@ -13332,7 +13294,7 @@ async function outputThreatFeed(result, outputKind) {
   // Note: this temporarily takes over the terminal (just like `man` does).
   const ScreenWidget = /*@__PURE__*/require$1('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
-    ...constants.blessedOptions
+    ...constants.default.blessedOptions
   });
   // Register these keys first so you can always exit, even when it gets stuck
   // If we don't do this and the code crashes, the user must hard-kill the
@@ -13471,7 +13433,7 @@ async function handleThreatFeed({
 }
 const CMD_NAME = 'threat-feed';
-const ECOSYSTEMS = new Set(['gem', 'golang', 'maven', 'npm', 'nuget', 'pypi']);
+const ECOSYSTEMS = new Set(['gem', 'golang', 'maven', constants.NPM, 'nuget', 'pypi']);
 const TYPE_FILTERS = new Set(['anom', 'c', 'fp', 'joke', 'mal', 'secret', 'spy', 'tp', 'typo', 'u', 'vuln']);
 const description$1 = '[Beta] View the threat-feed';
 const hidden = false;
@@ -13671,7 +13633,7 @@ async function run$2(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleThreatFeed({
@@ -13724,7 +13686,7 @@ async function teardownTabCompletion(targetName) {
   } = result.data;
   // Remove from ~/.bashrc if found
-  const bashrc = constants.homePath ? path.join(constants.homePath, '.bashrc') : '';
+  const bashrc = constants.default.homePath ? path.join(constants.default.homePath, '.bashrc') : '';
   if (bashrc && fs$1.existsSync(bashrc)) {
     const content = fs$1.readFileSync(bashrc, 'utf8');
     if (content.includes(toAddToBashrc)) {
@@ -13818,7 +13780,7 @@ async function run$1(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const targetName = cli.input[0] || 'socket';
@@ -13879,7 +13841,7 @@ async function postinstallWrapper() {
   const {
     bashRcPath,
     zshRcPath
-  } = constants;
+  } = constants.default;
   const socketWrapperEnabled = fs$1.existsSync(bashRcPath) && checkSocketWrapperSetup(bashRcPath) || fs$1.existsSync(zshRcPath) && checkSocketWrapperSetup(zshRcPath);
   if (!socketWrapperEnabled) {
     await setupShadowNpm(`
@@ -13935,7 +13897,7 @@ async function setupShadowNpm(query) {
     const {
       bashRcPath,
       zshRcPath
-    } = constants;
+    } = constants.default;
     try {
       if (fs$1.existsSync(bashRcPath)) {
         addSocketWrapper(bashRcPath);
@@ -14049,13 +14011,13 @@ async function run(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const {
     bashRcPath,
     zshRcPath
-  } = constants;
+  } = constants.default;
   if (enable) {
     if (fs$1.existsSync(bashRcPath) && !checkSocketWrapperSetup(bashRcPath)) {
       addSocketWrapper(bashRcPath);
@@ -14191,16 +14153,16 @@ void (async () => {
     authInfo: vendor.registryAuthTokenExports(registryUrl, {
       recursive: true
     }),
-    name: constants.SOCKET_CLI_BIN_NAME,
+    name: constants.default.SOCKET_CLI_BIN_NAME,
     registryUrl,
     ttl: 86_400_000 /* 24 hours in milliseconds */,
-    version: constants.ENV.INLINED_SOCKET_CLI_VERSION
+    version: constants.default.ENV.INLINED_SOCKET_CLI_VERSION
   });
   try {
     await utils.meowWithSubcommands(rootCommands, {
       aliases: rootAliases,
       argv: process.argv.slice(2),
-      name: constants.SOCKET_CLI_BIN_NAME,
+      name: constants.default.SOCKET_CLI_BIN_NAME,
       importMeta: {
         url: `${require$$0.pathToFileURL(__filename$1)}`
       }
@@ -14262,5 +14224,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=8481439d-81fb-4c40-8fb9-cbf6be031d3
+//# debugId=b4ee2d73-3b07-422f-bbc3-db4f36cb62dc
 //# sourceMappingURL=cli.js.map