npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.1.3 → 1.1.5 - Mend

@socketsecurity/cli-with-sentry 1.1.3 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/dist/cli.js CHANGED Viewed

@@ -12,12 +12,12 @@ var constants = require('./constants.js');
 var flags = require('./flags.js');
 var path = require('node:path');
 var words = require('../external/@socketsecurity/registry/lib/words');
+var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var fs$1 = require('node:fs');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
-var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
@@ -26,6 +26,7 @@ var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var require$$0$1 = require('node:crypto');
+var registryConstants = require('../external/@socketsecurity/registry/lib/constants');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -44,7 +45,7 @@ async function fetchOrgAnalyticsData(time, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgAnalytics(time.toString()), {
-    desc: 'analytics data'
+    description: 'analytics data'
   });
 }
@@ -61,7 +62,7 @@ async function fetchRepoAnalyticsData(repo, time, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getRepoAnalytics(repo, time.toString()), {
-    desc: 'analytics data'
+    description: 'analytics data'
   });
 }
@@ -73,7 +74,7 @@ const METRICS = ['total_critical_alerts', 'total_high_alerts', 'total_medium_ale
 // Note: This maps `new Date(date).getMonth()` to English three letters
 const Months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
 async function outputAnalytics(result, {
-  filePath,
+  filepath,
   outputKind,
   repo,
   scope,
@@ -92,10 +93,10 @@ async function outputAnalytics(result, {
   }
   if (outputKind === 'json') {
     const serialized = utils.serializeResultJson(result);
-    if (filePath) {
+    if (filepath) {
       try {
-        await fs.writeFile(filePath, serialized, 'utf8');
-        logger.logger.success(`Data successfully written to ${filePath}`);
+        await fs.writeFile(filepath, serialized, 'utf8');
+        logger.logger.success(`Data successfully written to ${filepath}`);
       } catch (e) {
         process.exitCode = 1;
         logger.logger.log(utils.serializeResultJson({
@@ -114,10 +115,10 @@ async function outputAnalytics(result, {
     const serialized = renderMarkdown(fdata, time, repo);
     // TODO: Do we want to write to file even if there was an error...?
-    if (filePath) {
+    if (filepath) {
       try {
-        await fs.writeFile(filePath, serialized, 'utf8');
-        logger.logger.success(`Data successfully written to ${filePath}`);
+        await fs.writeFile(filepath, serialized, 'utf8');
+        logger.logger.success(`Data successfully written to ${filepath}`);
       } catch (e) {
         logger.logger.error(e);
       }
@@ -148,7 +149,7 @@ ${utils.mdTableStringNumber('Name', 'Counts', data['top_five_alert_types'])}
 function displayAnalyticsScreen(data) {
   const ScreenWidget = /*@__PURE__*/require$5('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
-    ...constants.blessedOptions
+    ...constants.default.blessedOptions
   });
   const GridLayout = /*@__PURE__*/require$5('../external/blessed-contrib/lib/layout/grid.js');
   const grid = new GridLayout({
@@ -208,7 +209,10 @@ function formatDataRepo(data) {
     }
   }
   const topFiveAlertEntries = Object.entries(totalTopAlerts).sort(([_keya, a], [_keyb, b]) => b - a).slice(0, 5);
-  for (const [key, value] of topFiveAlertEntries) {
+  for (const {
+    0: key,
+    1: value
+  } of topFiveAlertEntries) {
     sortedTopFiveAlerts[key] = value;
   }
   return {
@@ -246,7 +250,10 @@ function formatDataOrg(data) {
     }
   }
   const topFiveAlertEntries = Object.entries(totalTopAlerts).sort(([_keya, a], [_keyb, b]) => b - a).slice(0, 5);
-  for (const [key, value] of topFiveAlertEntries) {
+  for (const {
+    0: key,
+    1: value
+  } of topFiveAlertEntries) {
     sortedTopFiveAlerts[key] = value;
   }
   return {
@@ -283,7 +290,7 @@ function renderLineCharts(grid, screen, title, coords, data) {
 }
 async function handleAnalytics({
-  filePath,
+  filepath,
   outputKind,
   repo,
   scope,
@@ -308,7 +315,7 @@ async function handleAnalytics({
     };
   }
   await outputAnalytics(result, {
-    filePath,
+    filepath,
     outputKind,
     repo,
     scope,
@@ -336,6 +343,7 @@ async function run$Q(argv, importMeta, {
       ...flags.outputFlags,
       file: {
         type: 'string',
+        default: '',
         description: 'Path to store result, only valid with --json/--markdown'
       }
     },
@@ -397,7 +405,7 @@ async function run$Q(argv, importMeta, {
     time = cli.input[0];
   }
   const {
-    file,
+    file: filepath,
     json,
     markdown
   } = cli.flags;
@@ -408,7 +416,7 @@ async function run$Q(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -426,7 +434,7 @@ async function run$Q(argv, importMeta, {
     fail: 'invalid range set, see --help for command arg details.'
   }, {
     nook: true,
-    test: !file || !!json || !!markdown,
+    test: !filepath || !!json || !!markdown,
     message: 'The `--file` flag is only valid when using `--json` or `--markdown`',
     fail: 'bad'
   }, {
@@ -444,15 +452,15 @@ async function run$Q(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   return await handleAnalytics({
-    scope,
-    time: time === '90' ? 90 : time === '30' ? 30 : 7,
-    repo: repoName,
+    filepath,
     outputKind,
-    filePath: String(file || '')
+    repo: repoName,
+    scope,
+    time: time === '90' ? 90 : time === '30' ? 30 : 7
   });
 }
@@ -488,7 +496,7 @@ async function fetchAuditLog(config, options) {
     page: String(page),
     per_page: String(perPage)
   }), {
-    desc: `audit log for ${orgSlug}`
+    description: `audit log for ${orgSlug}`
   });
 }
@@ -503,7 +511,7 @@ async function outputAuditLog(result, {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
   }
-  if (outputKind === 'json') {
+  if (outputKind === constants.OUTPUT_JSON) {
     logger.logger.log(await outputAsJson(result, {
       logType,
       orgSlug,
@@ -515,7 +523,7 @@ async function outputAuditLog(result, {
     logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
     return;
   }
-  if (outputKind === 'markdown') {
+  if (outputKind === constants.OUTPUT_MARKDOWN) {
     logger.logger.log(await outputAsMarkdown(result.data, {
       logType,
       orgSlug,
@@ -555,7 +563,7 @@ async function outputAsJson(auditLogs, {
     ok: true,
     data: {
       desc: 'Audit logs for given query',
-      generated: constants.ENV.VITEST ? constants.REDACTED : new Date().toISOString(),
+      generated: constants.default.ENV.VITEST ? constants.default.REDACTED : new Date().toISOString(),
       logType,
       nextPage: auditLogs.data.nextPage,
       org: orgSlug,
@@ -600,7 +608,7 @@ These are the Socket.dev audit logs as per requested query.
 - page: ${page}
 - next page: ${auditLogs.nextPage}
 - per page: ${perPage}
-- generated: ${constants.ENV.VITEST ? constants.REDACTED : new Date().toISOString()}
+- generated: ${constants.default.ENV.VITEST ? constants.default.REDACTED : new Date().toISOString()}
 ${table}
 `;
@@ -622,7 +630,7 @@ async function outputWithBlessed(data, orgSlug) {
   // Note: this temporarily takes over the terminal (just like `man` does).
   const ScreenWidget = /*@__PURE__*/require$4('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
-    ...constants.blessedOptions
+    ...constants.default.blessedOptions
   });
   // Register these keys first so you can always exit, even when it gets stuck
   // If we don't do this and the code crashes, the user must hard-kill the
@@ -785,7 +793,7 @@ async function run$P(argv, importMeta, {
       ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$v}`)}
     This feature requires an Enterprise Plan. To learn more about getting access
-    to this feature and many more, please visit ${constants.SOCKET_WEBSITE_URL}/pricing
+    to this feature and many more, please visit ${constants.default.SOCKET_WEBSITE_URL}/pricing
     The type FILTER arg is an enum. Defaults to any. It should be one of these:
       associateLabel, cancelInvitation, changeMemberRole, changePlanSubscriptionSeats,
@@ -814,6 +822,7 @@ async function run$P(argv, importMeta, {
     parentName
   });
   const {
+    interactive,
     json,
     markdown,
     org: orgFlag,
@@ -821,17 +830,18 @@ async function run$P(argv, importMeta, {
     perPage
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
-  const interactive = !!cli.flags['interactive'];
   const noLegacy = !cli.flags['type'];
   let [typeFilter = ''] = cli.input;
   typeFilter = String(typeFilter);
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -858,7 +868,7 @@ async function run$P(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleAuditLog({
@@ -918,7 +928,7 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
     set_as_pending_head: String(pendingHead),
     tmp: String(tmp)
   }), {
-    desc: 'to create a scan'
+    description: 'to create a scan'
   });
 }
@@ -936,7 +946,7 @@ async function fetchSupportedScanFileNames(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
-    desc: 'supported scan file types',
+    description: 'supported scan file types',
     spinner
   });
 }
@@ -980,13 +990,13 @@ async function fetchScanData(orgSlug, scanId, options) {
   let finishedFetching = false;
   const {
     spinner
-  } = constants;
-  function updateScan(desc) {
-    scanStatus = desc;
+  } = constants.default;
+  function updateScan(status) {
+    scanStatus = status;
     updateProgress();
   }
-  function updatePolicy(desc) {
-    policyStatus = desc;
+  function updatePolicy(status) {
+    policyStatus = status;
     updateProgress();
   }
   function updateProgress() {
@@ -1081,7 +1091,7 @@ async function fetchScanData(orgSlug, scanId, options) {
   };
 }
-// Note: The returned cresult will only be ok:false when the generation
+// Note: The returned cResult will only be ok:false when the generation
 //       failed. It won't reflect the healthy state.
 function generateReport(scan, securityPolicy, {
   fold,
@@ -1129,15 +1139,15 @@ function generateReport(scan, securityPolicy, {
     scan.forEach(artifact => {
       const {
         alerts,
-        name: pkgName = '<unknown>',
+        name: pkgName = constants.UNKNOWN_VALUE,
         type: ecosystem,
-        version = '<unknown>'
+        version = constants.UNKNOWN_VALUE
       } = artifact;
       alerts?.forEach(alert => {
         const alertName = alert.type; // => policy[type]
         const action = securityRules[alertName]?.action || '';
         switch (action) {
-          case 'error':
+          case constants.default.REPORT_LEVEL_ERROR:
             {
               healthy = false;
               if (!short) {
@@ -1145,31 +1155,31 @@ function generateReport(scan, securityPolicy, {
               }
               break;
             }
-          case 'warn':
+          case constants.default.REPORT_LEVEL_WARN:
             {
-              if (!short && reportLevel !== 'error') {
+              if (!short && reportLevel !== constants.default.REPORT_LEVEL_ERROR) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
             }
-          case 'monitor':
+          case constants.default.REPORT_LEVEL_MONITOR:
             {
-              if (!short && reportLevel !== 'warn' && reportLevel !== 'error') {
+              if (!short && reportLevel !== constants.default.REPORT_LEVEL_WARN && reportLevel !== constants.default.REPORT_LEVEL_ERROR) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
             }
-          case 'ignore':
+          case constants.default.REPORT_LEVEL_IGNORE:
             {
-              if (!short && reportLevel !== 'warn' && reportLevel !== 'error' && reportLevel !== 'monitor') {
+              if (!short && reportLevel !== constants.default.REPORT_LEVEL_MONITOR && reportLevel !== constants.default.REPORT_LEVEL_WARN && reportLevel !== constants.default.REPORT_LEVEL_ERROR) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
             }
-          case 'defer':
+          case constants.default.REPORT_LEVEL_DEFER:
             {
               // Not sure but ignore for now. Defer to later ;)
-              if (!short && reportLevel === 'defer') {
+              if (!short && reportLevel === constants.default.REPORT_LEVEL_DEFER) {
                 addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
               }
               break;
@@ -1218,46 +1228,46 @@ function createLeaf(art, alert, policyAction) {
   };
   return leaf;
 }
-function addAlert(art, violations, foldSetting, ecosystem, pkgName, version, alert, policyAction) {
+function addAlert(art, violations, fold, ecosystem, pkgName, version, alert, policyAction) {
   if (!violations.has(ecosystem)) {
     violations.set(ecosystem, new Map());
   }
-  const ecomap = violations.get(ecosystem);
-  if (foldSetting === 'pkg') {
-    const existing = ecomap.get(pkgName);
+  const ecoMap = violations.get(ecosystem);
+  if (fold === constants.default.FOLD_SETTING_PKG) {
+    const existing = ecoMap.get(pkgName);
     if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-      ecomap.set(pkgName, createLeaf(art, alert, policyAction));
+      ecoMap.set(pkgName, createLeaf(art, alert, policyAction));
     }
   } else {
-    if (!ecomap.has(pkgName)) {
-      ecomap.set(pkgName, new Map());
+    if (!ecoMap.has(pkgName)) {
+      ecoMap.set(pkgName, new Map());
     }
-    const pkgmap = ecomap.get(pkgName);
-    if (foldSetting === 'version') {
-      const existing = pkgmap.get(version);
+    const pkgMap = ecoMap.get(pkgName);
+    if (fold === constants.default.FOLD_SETTING_VERSION) {
+      const existing = pkgMap.get(version);
       if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-        pkgmap.set(version, createLeaf(art, alert, policyAction));
+        pkgMap.set(version, createLeaf(art, alert, policyAction));
       }
     } else {
-      if (!pkgmap.has(version)) {
-        pkgmap.set(version, new Map());
+      if (!pkgMap.has(version)) {
+        pkgMap.set(version, new Map());
       }
-      const file = alert.file || '<unknown>';
-      const vermap = pkgmap.get(version);
-      if (foldSetting === 'file') {
-        const existing = vermap.get(file);
+      const file = alert.file || constants.UNKNOWN_VALUE;
+      const verMap = pkgMap.get(version);
+      if (fold === constants.default.FOLD_SETTING_FILE) {
+        const existing = verMap.get(file);
         if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-          vermap.set(file, createLeaf(art, alert, policyAction));
+          verMap.set(file, createLeaf(art, alert, policyAction));
         }
       } else {
-        if (!vermap.has(file)) {
-          vermap.set(file, new Map());
+        if (!verMap.has(file)) {
+          verMap.set(file, new Map());
         }
         const key = `${alert.type} at ${alert.start}:${alert.end}`;
-        const filemap = vermap.get(file);
-        const existing = filemap.get(key);
+        const fileMap = verMap.get(file);
+        const existing = fileMap.get(key);
         if (!existing || isStricterPolicy(existing.policy, policyAction)) {
-          filemap.set(key, createLeaf(art, alert, policyAction));
+          fileMap.set(key, createLeaf(art, alert, policyAction));
         }
       }
     }
@@ -1265,34 +1275,34 @@ function addAlert(art, violations, foldSetting, ecosystem, pkgName, version, ale
 }
 function isStricterPolicy(was, is) {
   // error > warn > monitor > ignore > defer > {unknown}
-  if (was === 'error') {
+  if (was === constants.default.REPORT_LEVEL_ERROR) {
     return false;
   }
-  if (is === 'error') {
+  if (is === constants.default.REPORT_LEVEL_ERROR) {
     return true;
   }
-  if (was === 'warn') {
+  if (was === constants.default.REPORT_LEVEL_WARN) {
     return false;
   }
-  if (is === 'warn') {
+  if (is === constants.default.REPORT_LEVEL_WARN) {
     return false;
   }
-  if (was === 'monitor') {
+  if (was === constants.default.REPORT_LEVEL_MONITOR) {
     return false;
   }
-  if (is === 'monitor') {
+  if (is === constants.default.REPORT_LEVEL_MONITOR) {
     return false;
   }
-  if (was === 'ignore') {
+  if (was === constants.default.REPORT_LEVEL_IGNORE) {
     return false;
   }
-  if (is === 'ignore') {
+  if (is === constants.default.REPORT_LEVEL_IGNORE) {
     return false;
   }
-  if (was === 'defer') {
+  if (was === constants.default.REPORT_LEVEL_DEFER) {
     return false;
   }
-  if (is === 'defer') {
+  if (is === constants.default.REPORT_LEVEL_DEFER) {
     return false;
   }
   // unreachable?
@@ -1300,7 +1310,7 @@ function isStricterPolicy(was, is) {
 }
 async function outputScanReport(result, {
-  filePath,
+  filepath,
   fold,
   includeLicensePolicy,
   orgSlug,
@@ -1313,7 +1323,7 @@ async function outputScanReport(result, {
     process.exitCode = result.code ?? 1;
   }
   if (!result.ok) {
-    if (outputKind === 'json') {
+    if (outputKind === constants.OUTPUT_JSON) {
       logger.logger.log(utils.serializeResultJson(result));
       return;
     }
@@ -1326,14 +1336,14 @@ async function outputScanReport(result, {
     fold,
     reportLevel,
     short,
-    spinner: constants.spinner
+    spinner: constants.default.spinner
   });
   if (!scanReport.ok) {
-    // Note: this means generation failed, it does not reflect the healthy state
+    // Note: This means generation failed, it does not reflect the healthy state.
     process.exitCode = scanReport.code ?? 1;
     // If report generation somehow failed then .data should not be set.
-    if (outputKind === 'json') {
+    if (outputKind === constants.OUTPUT_JSON) {
       logger.logger.log(utils.serializeResultJson(scanReport));
       return;
     }
@@ -1341,28 +1351,28 @@ async function outputScanReport(result, {
     return;
   }
-  // I don't think we emit the default error message with banner for an unhealhty report, do we?
-  // if (!scanReport.data.healhty) {
+  // I don't think we emit the default error message with banner for an unhealthy report, do we?
+  // if (!scanReport.data.healthy) {
   //   logger.fail(failMsgWithBadge(scanReport.message, scanReport.cause))
   //   return
   // }
-  if (outputKind === 'json' || outputKind === 'text' && filePath && filePath.endsWith('.json')) {
+  if (outputKind === constants.OUTPUT_JSON || outputKind === constants.OUTPUT_TEXT && filepath && filepath.endsWith(constants.EXT_JSON)) {
     const json = short ? utils.serializeResultJson(scanReport) : toJsonReport(scanReport.data, includeLicensePolicy);
-    if (filePath && filePath !== '-') {
-      logger.logger.log('Writing json report to', filePath);
-      return await fs.writeFile(filePath, json);
+    if (filepath && filepath !== '-') {
+      logger.logger.log('Writing json report to', filepath);
+      return await fs.writeFile(filepath, json);
     }
     logger.logger.log(json);
     return;
   }
-  if (outputKind === 'markdown' || filePath && filePath.endsWith('.md')) {
-    const md = short ? `healthy = ${scanReport.data.healthy}` : toMarkdownReport(scanReport.data,
-    // not short so must be regular report
-    includeLicensePolicy);
-    if (filePath && filePath !== '-') {
-      logger.logger.log('Writing markdown report to', filePath);
-      return await fs.writeFile(filePath, md);
+  if (outputKind === 'markdown' || filepath && filepath.endsWith('.md')) {
+    const md = short ? `healthy = ${scanReport.data.healthy}` : toMarkdownReport(
+    // Not short so must be a regular report.
+    scanReport.data, includeLicensePolicy);
+    if (filepath && filepath !== '-') {
+      logger.logger.log('Writing markdown report to', filepath);
+      return await fs.writeFile(filepath, md);
     }
     logger.logger.log(md);
     logger.logger.log('');
@@ -1389,6 +1399,8 @@ function toJsonReport(report, includeLicensePolicy) {
   });
 }
 function toMarkdownReport(report, includeLicensePolicy) {
+  const reportLevel = report.options.reportLevel;
+  const alertFolding = report.options.fold === constants.default.FOLD_SETTING_NONE ? 'none' : `up to ${report.options.fold}`;
   const flatData = Array.from(utils.walkNestedMap(report.alerts)).map(({
     keys,
     value
@@ -1404,10 +1416,11 @@ function toMarkdownReport(report, includeLicensePolicy) {
       Package: keys[1] || '<unknown>',
       'Introduced by': keys[2] || '<unknown>',
       url,
-      'Manifest file': manifest.join(', '),
+      'Manifest file': arrays.joinAnd(manifest),
       Policy: policy
     };
   });
+  const minPolicyLevel = reportLevel === constants.default.REPORT_LEVEL_DEFER ? 'everything' : reportLevel;
   const md = `
 # Scan Policy Report
@@ -1424,13 +1437,13 @@ Configuration used to generate this report:
 - Organization: ${report.orgSlug}
 - Scan ID: ${report.scanId}
-- Alert folding: ${report.options.fold === 'none' ? 'none' : `up to ${report.options.fold}`}
-- Minimal policy level for alert to be included in report: ${report.options.reportLevel === 'defer' ? 'everything' : report.options.reportLevel}
+- Alert folding: ${alertFolding}
+- Minimal policy level for alert to be included in report: ${minPolicyLevel}
 - Include license alerts: ${includeLicensePolicy ? 'yes' : 'no'}
 ## Alerts
-${report.alerts.size ? `All the alerts from the scan with a policy set to at least "${report.options.reportLevel}".` : `The scan contained no alerts with a policy set to at least "${report.options.reportLevel}".`}
+${report.alerts.size ? `All the alerts from the scan with a policy set to at least "${reportLevel}".` : `The scan contained no alerts with a policy set to at least "${reportLevel}".`}
 ${!report.alerts.size ? '' : utils.mdTable(flatData, ['Policy', 'Alert Type', 'Package', 'Introduced by', 'url', 'Manifest file'])}
   `.trim() + '\n';
@@ -1438,7 +1451,7 @@ ${!report.alerts.size ? '' : utils.mdTable(flatData, ['Policy', 'Alert Type', 'P
 }
 async function handleScanReport({
-  filePath,
+  filepath,
   fold,
   includeLicensePolicy,
   orgSlug,
@@ -1451,7 +1464,7 @@ async function handleScanReport({
     includeLicensePolicy
   });
   await outputScanReport(scanDataCResult, {
-    filePath,
+    filepath,
     fold,
     scanId: scanId,
     includeLicensePolicy,
@@ -1466,7 +1479,7 @@ async function outputCreateNewScan(result, options) {
   const {
     interactive = false,
     outputKind = 'text',
-    spinner = constants.spinner
+    spinner = constants.default.spinner
   } = {
     __proto__: null,
     ...options
@@ -1545,7 +1558,7 @@ async function performReachabilityAnalysis(options) {
     ...options
   };
-  // Check if user has enterprise plan for reachability analysis
+  // Check if user has enterprise plan for reachability analysis.
   const orgsCResult = await utils.fetchOrganization();
   if (!orgsCResult.ok) {
     return {
@@ -1564,6 +1577,7 @@ async function performReachabilityAnalysis(options) {
       cause: `Please ${vendor.terminalLinkExports('upgrade your plan', 'https://socket.dev/pricing')}. This feature is only available for organizations with an enterprise plan.`
     };
   }
+  const wasSpinning = !!spinner?.isSpinning;
   let tarHash;
   if (uploadManifests && orgSlug && packagePaths) {
     // Setup SDK for uploading manifests
@@ -1572,14 +1586,13 @@ async function performReachabilityAnalysis(options) {
       return sockSdkCResult;
     }
     const sockSdk = sockSdkCResult.data;
-    const wasSpinning = !!spinner?.isSpinning;
     // Exclude any .socket.facts.json files that happen to be in the scan
     // folder before the analysis was run.
-    const filepathsToUpload = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON);
+    const filepathsToUpload = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON);
     spinner?.start('Uploading manifests for reachability analysis...');
     const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload), {
-      desc: 'upload manifests',
+      description: 'upload manifests',
       spinner
     });
     spinner?.stop();
@@ -1607,31 +1620,28 @@ async function performReachabilityAnalysis(options) {
   spinner?.infoAndStop('Running reachability analysis with Coana...');
   // Build Coana arguments.
-  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : [])];
   // Build environment variables.
-  const env = {
-    ...process.env
-  };
+  const coanaEnv = {};
   // do not pass default repo and branch name to coana to avoid mixing
   // buckets (cached configuration) from projects that are likely very different.
-  if (repoName && repoName !== constants.SOCKET_DEFAULT_REPOSITORY) {
-    env['SOCKET_REPO_NAME'] = repoName;
+  if (repoName && repoName !== constants.default.SOCKET_DEFAULT_REPOSITORY) {
+    coanaEnv['SOCKET_REPO_NAME'] = repoName;
   }
-  if (branchName && branchName !== constants.SOCKET_DEFAULT_BRANCH) {
-    env['SOCKET_BRANCH_NAME'] = branchName;
+  if (branchName && branchName !== constants.default.SOCKET_DEFAULT_BRANCH) {
+    coanaEnv['SOCKET_BRANCH_NAME'] = branchName;
   }
   // Run Coana with the manifests tar hash.
   const coanaResult = await utils.spawnCoana(coanaArgs, orgSlug, {
     cwd,
-    env,
+    env: coanaEnv,
     spinner,
     stdio: 'inherit'
   });
-  const wasSpinning = !!spinner?.isSpinning;
   if (wasSpinning) {
     spinner.start();
   }
@@ -1639,8 +1649,8 @@ async function performReachabilityAnalysis(options) {
     ok: true,
     data: {
       // Use the DOT_SOCKET_DOT_FACTS_JSON file for the scan.
-      reachabilityReport: constants.DOT_SOCKET_DOT_FACTS_JSON,
-      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(constants.DOT_SOCKET_DOT_FACTS_JSON)
+      reachabilityReport: constants.default.DOT_SOCKET_DOT_FACTS_JSON,
+      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(constants.default.DOT_SOCKET_DOT_FACTS_JSON)
     }
   } : coanaResult;
 }
@@ -1720,7 +1730,7 @@ async function convertGradleToMaven({
     // .socket folder. We could do a socket.pom.gz with all the poms, although
     // I'd prefer something plain-text if it is to be committed.
     // Note: init.gradle will be exported by .config/rollup.dist.config.mjs
-    const initLocation = path.join(constants.distPath, 'init.gradle');
+    const initLocation = path.join(constants.default.distPath, 'init.gradle');
     const commandArgs = ['--init-script', initLocation, ...gradleOpts, 'pom'];
     if (verbose) {
       logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
@@ -1764,7 +1774,7 @@ async function convertGradleToMaven({
 async function execGradleWithSpinner(bin, commandArgs, cwd) {
   const {
     spinner
-  } = constants;
+  } = constants.default;
   let pass = false;
   try {
     logger.logger.info('(Running gradle can take a while, it depends on how long gradlew has to run)');
@@ -1808,7 +1818,7 @@ async function convertSbtToMaven({
   const {
     spinner
-  } = constants;
+  } = constants.default;
   logger.logger.group('sbt2maven:');
   logger.logger.info(`- executing: \`${bin}\``);
   logger.logger.info(`- src dir: \`${cwd}\``);
@@ -2142,6 +2152,7 @@ async function handleCreateNewScan({
   readOnly,
   repoName,
   report,
+  reportLevel,
   targets,
   tmp
 }) {
@@ -2159,7 +2170,7 @@ async function handleCreateNewScan({
   }
   const {
     spinner
-  } = constants;
+  } = constants.default;
   const supportedFilesCResult = await fetchSupportedScanFileNames({
     spinner
   });
@@ -2223,7 +2234,7 @@ async function handleCreateNewScan({
     scanPaths = [...packagePaths.filter(
     // Ensure the .socket.facts.json isn't duplicated in case it happened
     // to be in the scan folder before the analysis was run.
-    p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON), ...(reachabilityReport ? [reachabilityReport] : [])];
+    p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON), ...(reachabilityReport ? [reachabilityReport] : [])];
     tier1ReachabilityScanId = reachResult.data?.tier1ReachabilityScanId;
   }
   const fullScanCResult = await fetchCreateOrgFullScan(scanPaths, orgSlug, {
@@ -2246,12 +2257,12 @@ async function handleCreateNewScan({
   if (report && fullScanCResult.ok) {
     if (scanId) {
       await handleScanReport({
-        filePath: '-',
-        fold: 'version',
+        filepath: '-',
+        fold: constants.default.FOLD_SETTING_VERSION,
         includeLicensePolicy: true,
         orgSlug,
         outputKind,
-        reportLevel: 'error',
+        reportLevel,
         scanId,
         short: false
       });
@@ -2313,6 +2324,7 @@ async function handleCi(autoManifest) {
     repoName,
     readOnly: false,
     report: true,
+    reportLevel: constants.default.REPORT_LEVEL_ERROR,
     targets: ['.'],
     // Don't set 'tmp' when 'pendingHead' is true.
     tmp: false
@@ -2370,7 +2382,7 @@ async function run$O(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCi(Boolean(cli.flags['autoManifest']));
@@ -2633,7 +2645,10 @@ async function run$N(argv, importMeta, {
       $ ${command} defaultOrg
     Keys:
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+      0: key,
+      1: description
+    }) => `     - ${key} -- ${description}`).join('\n')}
   `
   };
   const cli = utils.meowOrExit({
@@ -2663,7 +2678,7 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigAuto({
@@ -2730,7 +2745,10 @@ const config$j = {
     KEY is an enum. Valid keys:
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+    0: key,
+    1: description
+  }) => `     - ${key} -- ${description}`).join('\n')}
     Examples
       $ ${command} defaultOrg
@@ -2771,7 +2789,7 @@ async function run$M(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigGet({
@@ -2903,7 +2921,7 @@ async function run$L(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await outputConfigList({
@@ -2988,7 +3006,10 @@ async function run$K(argv, importMeta, {
     Keys:
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+      0: key,
+      1: description
+    }) => `     - ${key} -- ${description}`).join('\n')}
     Examples
       $ ${command} apiProxy https://example.com
@@ -3027,7 +3048,7 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigSet({
@@ -3106,7 +3127,10 @@ async function run$J(argv, importMeta, {
     Keys:
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+      0: key,
+      1: description
+    }) => `     - ${key} -- ${description}`).join('\n')}
     Examples
       $ ${command} defaultOrg
@@ -3139,7 +3163,7 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleConfigUnset({
@@ -3186,14 +3210,14 @@ function getSocketFixPullRequestBody(ghsaIds, ghsaDetails) {
   if (vulnCount === 1) {
     const ghsaId = ghsaIds[0];
     const details = ghsaDetails?.get(ghsaId);
-    const body = `[Socket](${constants.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
+    const body = `[Socket](${constants.default.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
     if (!details) {
       return body;
     }
     const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
     return [body, '', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
   }
-  return [`[Socket](${constants.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+  return [`[Socket](${constants.default.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
     const details = ghsaDetails?.get(id);
     const item = `- [${id}](${GITHUB_ADVISORIES_URL}/${id})`;
     if (details) {
@@ -3241,10 +3265,10 @@ async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
   }
   return null;
 }
-async function getSocketPrs(owner, repo, options) {
-  return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
+async function getSocketFixPrs(owner, repo, options) {
+  return (await getSocketFixPrsWithContext(owner, repo, options)).map(d => d.match);
 }
-async function getSocketPrsWithContext(owner, repo, options) {
+async function getSocketFixPrsWithContext(owner, repo, options) {
   const {
     author,
     ghsaId,
@@ -3255,117 +3279,101 @@ async function getSocketPrsWithContext(owner, repo, options) {
   };
   const branchPattern = getSocketFixBranchPattern(ghsaId);
   const checkAuthor = strings.isNonEmptyString(author);
-  const octokit = utils.getOctokit();
   const octokitGraphql = utils.getOctokitGraphql();
   const contextualMatches = [];
-  const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
+  const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? [constants.GQL_PR_STATE_OPEN, constants.GQL_PR_STATE_CLOSED, constants.GQL_PR_STATE_MERGED] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
-    // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
-    // API quota usage. Fallback to REST if no matching PRs are found.
+    let hasNextPage = true;
+    let cursor = null;
+    let pageIndex = 0;
     const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
-    const gqlResp = await utils.cacheFetch(gqlCacheKey, () => octokitGraphql(`
-          query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
-            repository(owner: $owner, name: $repo) {
-              pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
-                nodes {
-                  author {
-                    login
+    while (hasNextPage) {
+      // eslint-disable-next-line no-await-in-loop
+      const gqlResp = await utils.cacheFetch(`${gqlCacheKey}-page-${pageIndex}`, () => octokitGraphql(`
+              query($owner: String!, $repo: String!, $states: [PullRequestState!], $after: String) {
+                repository(owner: $owner, name: $repo) {
+                  pullRequests(first: 100, states: $states, after: $after, orderBy: {field: CREATED_AT, direction: DESC}) {
+                    pageInfo {
+                      hasNextPage
+                      endCursor
+                    }
+                    nodes {
+                      author {
+                        login
+                      }
+                      baseRefName
+                      headRefName
+                      mergeStateStatus
+                      number
+                      state
+                      title
+                    }
                   }
-                  baseRefName
-                  headRefName
-                  mergeStateStatus
-                  number
-                  state
-                  title
                 }
               }
+              `, {
+        owner,
+        repo,
+        states,
+        after: cursor
+      }));
+      const {
+        nodes,
+        pageInfo
+      } = gqlResp?.repository?.pullRequests ?? {
+        nodes: [],
+        pageInfo: {
+          hasNextPage: false,
+          endCursor: null
+        }
+      };
+      for (let i = 0, {
+          length
+        } = nodes; i < length; i += 1) {
+        const node = nodes[i];
+        const login = node.author?.login;
+        const matchesAuthor = checkAuthor ? login === author : true;
+        const matchesBranch = branchPattern.test(node.headRefName);
+        if (matchesAuthor && matchesBranch) {
+          contextualMatches.push({
+            context: {
+              apiType: 'graphql',
+              cacheKey: `${gqlCacheKey}-page-${pageIndex}`,
+              data: gqlResp,
+              entry: node,
+              index: i,
+              parent: nodes
+            },
+            match: {
+              ...node,
+              author: login ?? constants.UNKNOWN_VALUE
             }
-          }
-          `, {
-      owner,
-      repo,
-      states
-    }));
-    const nodes = gqlResp?.repository?.pullRequests?.nodes ?? [];
-    for (let i = 0, {
-        length
-      } = nodes; i < length; i += 1) {
-      const node = nodes[i];
-      const login = node.author?.login;
-      const matchesAuthor = checkAuthor ? login === author : true;
-      const matchesBranch = branchPattern.test(node.headRefName);
-      if (matchesAuthor && matchesBranch) {
-        contextualMatches.push({
-          context: {
-            apiType: 'graphql',
-            cacheKey: gqlCacheKey,
-            data: gqlResp,
-            entry: node,
-            index: i,
-            parent: nodes
-          },
-          match: {
-            ...node,
-            author: login ?? '<unknown>'
-          }
-        });
+          });
+        }
       }
-    }
-  } catch {}
-  if (contextualMatches.length) {
-    return contextualMatches;
-  }
-  // Fallback to REST if GraphQL found no matching PRs.
-  let allPrs;
-  const cacheKey = `${repo}-pull-requests`;
-  try {
-    allPrs = await utils.cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
-      owner,
-      repo,
-      state: 'all',
-      per_page: 100
-    }));
-  } catch {}
-  if (!allPrs) {
-    return contextualMatches;
-  }
-  for (let i = 0, {
-      length
-    } = allPrs; i < length; i += 1) {
-    const pr = allPrs[i];
-    const login = pr.user?.login;
-    const headRefName = pr.head.ref;
-    const matchesAuthor = checkAuthor ? login === author : true;
-    const matchesBranch = branchPattern.test(headRefName);
-    if (matchesAuthor && matchesBranch) {
-      // Upper cased mergeable_state is equivalent to mergeStateStatus.
-      // https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request
-      const mergeStateStatus = pr.mergeable_state?.toUpperCase?.() ?? 'UNKNOWN';
-      // The REST API does not have a distinct merged state for pull requests.
-      // Instead, a merged pull request is represented as a closed pull request
-      // with a non-null merged_at timestamp.
-      const state = pr.merged_at ? 'MERGED' : pr.state.toUpperCase();
-      contextualMatches.push({
-        context: {
-          apiType: 'rest',
-          cacheKey,
-          data: allPrs,
-          entry: pr,
-          index: i,
-          parent: allPrs
-        },
-        match: {
-          author: login ?? '<unknown>',
-          baseRefName: pr.base.ref,
-          headRefName,
-          mergeStateStatus,
-          number: pr.number,
-          state,
-          title: pr.title
-        }
-      });
+      // Continue to next page.
+      hasNextPage = pageInfo.hasNextPage;
+      cursor = pageInfo.endCursor;
+      pageIndex += 1;
+      // Safety limit to prevent infinite loops.
+      if (pageIndex === constants.GQL_PAGE_SENTINEL) {
+        require$$9.debugFn('warn', `GraphQL pagination reached safety limit (${constants.GQL_PAGE_SENTINEL} pages) for ${owner}/${repo}`);
+        break;
+      }
+      // Early exit optimization: if we found matches and only looking for specific GHSA,
+      // we can stop pagination since we likely found what we need.
+      if (contextualMatches.length > 0 && ghsaId) {
+        break;
+      }
     }
+  } catch (e) {
+    require$$9.debugFn('error', `GraphQL pagination failed for ${owner}/${repo}`);
+    require$$9.debugDir('inspect', {
+      error: e
+    });
   }
   return contextualMatches;
 }
@@ -3373,7 +3381,7 @@ async function getSocketPrsWithContext(owner, repo, options) {
 function ciRepoInfo() {
   const {
     GITHUB_REPOSITORY
-  } = constants.ENV;
+  } = constants.default.ENV;
   if (!GITHUB_REPOSITORY) {
     require$$9.debugFn('notice', 'miss: GITHUB_REPOSITORY env var');
   }
@@ -3389,18 +3397,18 @@ function ciRepoInfo() {
 }
 async function getFixEnv() {
   const baseBranch = await utils.getBaseBranch();
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  const gitEmail = constants.default.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.default.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.default.ENV.CI && gitEmail && gitUser && githubToken);
   if (
   // If isCi is false,
   !isCi && (
   // but some CI checks are passing,
-  constants.ENV.CI || gitEmail || gitUser || githubToken) &&
+  constants.default.ENV.CI || gitEmail || gitUser || githubToken) &&
   // then log about it when in debug mode.
   require$$9.isDebug('notice')) {
-    const envVars = [...(constants.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
+    const envVars = [...(constants.default.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
     require$$9.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envVars)} to be set`);
   }
   let repoInfo = null;
@@ -3413,7 +3421,7 @@ async function getFixEnv() {
     }
     repoInfo = await utils.getRepoInfo();
   }
-  const prs = isCi && repoInfo ? await getSocketPrs(repoInfo.owner, repoInfo.repo, {
+  const prs = isCi && repoInfo ? await getSocketFixPrs(repoInfo.owner, repoInfo.repo, {
     author: gitUser,
     states: 'all'
   }) : [];
@@ -3430,7 +3438,7 @@ async function getFixEnv() {
 async function coanaFix(fixConfig) {
   const {
-    autoMerge,
+    autopilot,
     cwd,
     ghsas,
     limit,
@@ -3458,7 +3466,7 @@ async function coanaFix(fixConfig) {
     cwd
   });
   const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, scanFilepaths), {
-    desc: 'upload manifests',
+    description: 'upload manifests',
     spinner
   });
   if (!uploadCResult.ok) {
@@ -3499,18 +3507,40 @@ async function coanaFix(fixConfig) {
       }
     } : fixCResult;
   }
+  // Adjust limit based on open Socket Fix PRs.
+  let adjustedLimit = limit;
+  if (shouldOpenPrs && fixEnv.repoInfo) {
+    try {
+      const openPrs = await getSocketFixPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
+        states: constants.GQL_PR_STATE_OPEN
+      });
+      const openPrCount = openPrs.length;
+      // Reduce limit by number of open PRs to avoid creating too many.
+      adjustedLimit = Math.max(0, limit - openPrCount);
+      if (openPrCount > 0) {
+        require$$9.debugFn('notice', `limit: adjusted from ${limit} to ${adjustedLimit} (${openPrCount} open Socket Fix PRs)`);
+      }
+    } catch (e) {
+      require$$9.debugFn('warn', 'Failed to count open PRs, using original limit');
+      require$$9.debugDir('inspect', {
+        error: e
+      });
+    }
+  }
+  const shouldSpawnCoana = adjustedLimit > 0;
   let ids;
-  if (isAll) {
+  if (shouldSpawnCoana && isAll) {
     const foundCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner
     });
     if (foundCResult.ok) {
       const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
-      ids = foundIds.slice(0, limit);
+      ids = foundIds.slice(0, adjustedLimit);
     }
-  } else {
-    ids = ghsas.slice(0, limit);
+  } else if (shouldSpawnCoana) {
+    ids = ghsas.slice(0, adjustedLimit);
   }
   if (!ids?.length) {
     require$$9.debugFn('notice', 'miss: no GHSA IDs to process');
@@ -3534,7 +3564,7 @@ async function coanaFix(fixConfig) {
   let count = 0;
   let overallFixed = false;
-  // Process each GHSA ID individually, similar to npm-fix/pnpm-fix.
+  // Process each GHSA ID individually.
   ghsaLoop: for (let i = 0, {
       length
     } = ids; i < length; i += 1) {
@@ -3549,7 +3579,7 @@ async function coanaFix(fixConfig) {
       stdio: 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || 'Unknown error'}`);
+      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || constants.UNKNOWN_ERROR}`);
       continue ghsaLoop;
     }
@@ -3615,7 +3645,7 @@ async function coanaFix(fixConfig) {
         } = prResponse;
         const prRef = `PR #${data.number}`;
         logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
-        if (autoMerge) {
+        if (autopilot) {
           logger.logger.indent();
           spinner?.indent();
           // eslint-disable-next-line no-await-in-loop
@@ -3650,8 +3680,8 @@ async function coanaFix(fixConfig) {
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     }
     count += 1;
-    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(limit, ids.length)}`);
-    if (count >= limit) {
+    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(adjustedLimit, ids.length)}`);
+    if (count >= adjustedLimit) {
       break ghsaLoop;
     }
   }
@@ -3681,7 +3711,7 @@ async function outputFixResult(result, outputKind) {
 }
 async function handleFix({
-  autoMerge,
+  autopilot,
   cwd,
   ghsas,
   limit,
@@ -3689,15 +3719,12 @@ async function handleFix({
   orgSlug,
   outputKind,
   prCheck,
-  purls,
   rangeStyle,
   spinner,
-  test,
-  testScript,
   unknownFlags
 }) {
   await outputFixResult(await coanaFix({
-    autoMerge,
+    autopilot,
     cwd,
     ghsas,
     limit,
@@ -3718,7 +3745,7 @@ const cmdFix = {
   run: run$I
 };
 const generalFlags$2 = {
-  autoMerge: {
+  autopilot: {
     type: 'boolean',
     default: false,
     description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
@@ -3752,10 +3779,8 @@ Available styles:
   }
 };
 const hiddenFlags = {
-  autopilot: {
-    type: 'boolean',
-    default: false,
-    description: `Shorthand for --auto-merge --test`,
+  autoMerge: {
+    ...generalFlags$2['autopilot'],
     hidden: true
   },
   ghsa: {
@@ -3836,18 +3861,26 @@ async function run$I(argv, importMeta, {
     importMeta,
     parentName
   });
+  const {
+    autopilot,
+    json,
+    limit,
+    markdown,
+    maxSatisfying,
+    prCheck,
+    rangeStyle,
+    // We patched in this feature with `npx custompatch meow` at
+    // socket-cli/patches/meow#13.2.0.patch.
+    unknownFlags = []
+  } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
-  let rangeStyle = cli.flags['rangeStyle'];
-  if (!rangeStyle) {
-    rangeStyle = 'preserve';
-  }
+  const minSatisfying = cli.flags['minSatisfying'] || !maxSatisfying;
   const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
   const purls = [];
   for (const purl of rawPurls) {
-    let version;
-    try {
-      version = vendor.packageurlJsExports$1.PackageURL.fromString(purl)?.version;
-    } catch {}
+    const version = utils.getPurlObject(purl, {
+      throws: false
+    })?.version;
     if (version) {
       purls.push(purl);
     } else {
@@ -3859,14 +3892,14 @@ async function run$I(argv, importMeta, {
     logger.logger.fail('No valid --purl values provided.');
     return;
   }
-  const outputKind = utils.getOutputKind(cli.flags['json'], cli.flags['markdown']);
+  const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
     message: `Expecting range style of ${arrays.joinOr(utils.RangeStyles)}`,
     fail: 'invalid'
   }, {
     nook: true,
-    test: !cli.flags['json'] || !cli.flags['markdown'],
+    test: !json || !markdown,
     message: 'The json and markdown flags cannot be both set, pick one',
     fail: 'omit one'
   });
@@ -3874,7 +3907,7 @@ async function run$I(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_NOT_SAVING);
+    logger.logger.log(constants.default.DRY_RUN_NOT_SAVING);
     return;
   }
   const orgSlugCResult = await utils.getDefaultOrgSlug();
@@ -3888,26 +3921,12 @@ async function run$I(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  let autoMerge = Boolean(cli.flags['autoMerge']);
-  let test = Boolean(cli.flags['test']);
-  if (cli.flags['autopilot']) {
-    autoMerge = true;
-    test = true;
-  }
   const {
     spinner
-  } = constants;
-  // We patched in this feature with `npx custompatch meow` at
-  // socket-cli/patches/meow#13.2.0.patch.
-  const unknownFlags = cli.unknownFlags ?? [];
+  } = constants.default;
   const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa'])]);
-  const limit = Number(cli.flags['limit']) || DEFAULT_LIMIT;
-  const maxSatisfying = Boolean(cli.flags['maxSatisfying']);
-  const minSatisfying = Boolean(cli.flags['minSatisfying']) || !maxSatisfying;
-  const prCheck = Boolean(cli.flags['prCheck']);
-  const testScript = String(cli.flags['testScript'] || 'test');
   await handleFix({
-    autoMerge,
+    autopilot,
     cwd,
     ghsas,
     limit,
@@ -3915,11 +3934,8 @@ async function run$I(argv, importMeta, {
     prCheck,
     orgSlug,
     outputKind,
-    purls,
     rangeStyle,
     spinner,
-    test,
-    testScript,
     unknownFlags
   });
 }
@@ -3980,7 +3996,7 @@ async function setupTabCompletion(targetName) {
   let bashrcUpdated = false;
   // Add to ~/.bashrc if not already there
-  const bashrcPath = constants.homePath ? path.join(constants.homePath, '.bashrc') : '';
+  const bashrcPath = constants.default.homePath ? path.join(constants.default.homePath, '.bashrc') : '';
   const foundBashrc = Boolean(bashrcPath && fs$1.existsSync(bashrcPath));
   if (foundBashrc) {
     const content = fs$1.readFileSync(bashrcPath, 'utf8');
@@ -4026,7 +4042,7 @@ function updateInstalledTabCompletionScript(targetPath) {
   // When installing set the current package.json version.
   // Later, we can call _socket_completion_version to get the installed version.
-  fs$1.writeFileSync(targetPath, content.data.replaceAll('%SOCKET_VERSION_TOKEN%', constants.ENV.INLINED_SOCKET_CLI_VERSION_HASH), 'utf8');
+  fs$1.writeFileSync(targetPath, content.data.replaceAll('%SOCKET_VERSION_TOKEN%', constants.default.ENV.INLINED_SOCKET_CLI_VERSION_HASH), 'utf8');
   return {
     ok: true,
     data: undefined
@@ -4090,7 +4106,7 @@ async function run$H(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const targetName = cli.input[0] || 'socket';
@@ -4116,9 +4132,9 @@ const cmdInstall = {
 };
 async function outputCmdJson(cwd) {
-  logger.logger.info('Target cwd:', constants.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
+  logger.logger.info('Target cwd:', constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
   const sockJsonPath = path.join(cwd, 'socket.json');
-  const tildeSockJsonPath = constants.ENV.VITEST ? '<redacted>' : utils.tildify(sockJsonPath);
+  const tildeSockJsonPath = constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(sockJsonPath);
   if (!fs$1.existsSync(sockJsonPath)) {
     logger.logger.fail(`Not found: ${tildeSockJsonPath}`);
     process.exitCode = 1;
@@ -4199,7 +4215,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
       cause: 'Canceled by user'
     };
   }
-  const apiToken = apiTokenInput || constants.SOCKET_PUBLIC_API_TOKEN;
+  const apiToken = apiTokenInput || constants.default.SOCKET_PUBLIC_API_TOKEN;
   const sockSdkCResult = await utils.setupSdk({
     apiBaseUrl,
     apiProxy,
@@ -4212,7 +4228,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   }
   const sockSdk = sockSdkCResult.data;
   const orgsCResult = await utils.fetchOrganization({
-    desc: 'token verification',
+    description: 'token verification',
     sdk: sockSdk
   });
   if (!orgsCResult.ok) {
@@ -4335,10 +4351,12 @@ async function run$F(argv, importMeta, {
       ...flags.commonFlags,
       apiBaseUrl: {
         type: 'string',
+        default: '',
         description: 'API server to connect to for login'
       },
       apiProxy: {
         type: 'string',
+        default: '',
         description: 'Proxy to use when making connection to API server'
       }
     },
@@ -4367,14 +4385,16 @@ async function run$F(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (!vendor.isInteractiveExports()) {
     throw new utils.InputError('Cannot prompt for credentials in a non-interactive shell. Use SOCKET_CLI_API_TOKEN environment variable instead');
   }
-  const apiBaseUrl = cli.flags['apiBaseUrl'];
-  const apiProxy = cli.flags['apiProxy'];
+  const {
+    apiBaseUrl,
+    apiProxy
+  } = cli.flags;
   await attemptLogin(apiBaseUrl, apiProxy);
 }
@@ -4431,7 +4451,7 @@ async function run$E(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   attemptLogout();
@@ -4441,8 +4461,8 @@ const {
   PACKAGE_LOCK_JSON,
   YARN,
   YARN_LOCK
-} = constants;
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', 'npm', 'pnpm', 'ts', 'tsx', 'typescript']);
+} = constants.default;
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', constants.NPM, constants.PNPM, 'ts', 'tsx', 'typescript']);
 function argvToArray(argvObj) {
   if (argvObj['help']) {
     return ['--help'];
@@ -4485,29 +4505,29 @@ async function runCdxgen(argvObj) {
   };
   const shadowOpts = {
     ipc: {
-      [constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]: true,
-      [constants.SOCKET_CLI_SHADOW_API_TOKEN]: constants.SOCKET_PUBLIC_API_TOKEN,
-      [constants.SOCKET_CLI_SHADOW_SILENT]: true
+      [constants.default.SOCKET_CLI_SHADOW_ACCEPT_RISKS]: true,
+      [constants.default.SOCKET_CLI_SHADOW_API_TOKEN]: constants.default.SOCKET_PUBLIC_API_TOKEN,
+      [constants.default.SOCKET_CLI_SHADOW_SILENT]: true
     },
     stdio: 'inherit'
   };
   if (argvMutable['type'] !== YARN && nodejsPlatformTypes.has(argvMutable['type']) && fs$1.existsSync(`./${YARN_LOCK}`)) {
     if (fs$1.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
-      argvMutable['type'] = 'npm';
+      argvMutable['type'] = constants.NPM;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
         const {
           spawnPromise: synpPromise
-        } = await shadowNpmBin('npx', ['--yes', `synp@${constants.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`], shadowOpts);
+        } = await shadowNpmBin('npx', ['--yes', `synp@${constants.default.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`], shadowOpts);
         await synpPromise;
-        argvMutable['type'] = 'npm';
+        argvMutable['type'] = constants.NPM;
         cleanupPackageLock = true;
       } catch {}
     }
   }
-  const shadowResult = await shadowNpmBin('npx', ['--yes', `@cyclonedx/cdxgen@${constants.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
+  const shadowResult = await shadowNpmBin('npx', ['--yes', `@cyclonedx/cdxgen@${constants.default.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
   shadowResult.spawnPromise.process.on('exit', () => {
     if (cleanupPackageLock) {
       try {
@@ -4770,7 +4790,7 @@ async function run$D(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
@@ -4878,7 +4898,7 @@ async function run$C(argv, importMeta, {
     detected
   });
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (!detected.count) {
@@ -5041,7 +5061,7 @@ async function run$B(argv, importMeta, {
   }
   logger.logger.warn('Warning: This will approximate your Conda dependencies using PyPI. We do not yet officially support Conda. Use at your own risk.');
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleManifestConda({
@@ -5192,7 +5212,7 @@ async function run$A(argv, importMeta, {
     logger.logger.groupEnd();
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await convertGradleToMaven({
@@ -5347,7 +5367,7 @@ async function run$z(argv, importMeta, {
     logger.logger.groupEnd();
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await convertGradleToMaven({
@@ -5525,7 +5545,7 @@ async function run$y(argv, importMeta, {
     logger.logger.groupEnd();
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await convertSbtToMaven({
@@ -6007,7 +6027,7 @@ async function run$x(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleManifestSetup(cwd, Boolean(defaultOnReadError));
@@ -6053,7 +6073,7 @@ async function run$w(argv, importMeta, {
 }
 const require$3 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-const CMD_NAME$p = 'npm';
+const CMD_NAME$p = constants.NPM;
 const description$u = 'Run npm with the Socket wrapper';
 const hidden$o = false;
 const cmdNpm = {
@@ -6096,14 +6116,14 @@ async function run$v(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const shadowBin = /*@__PURE__*/require$3(constants.shadowNpmBinPath);
+  const shadowBin = /*@__PURE__*/require$3(constants.default.shadowNpmBinPath);
   process.exitCode = 1;
   const {
     spawnPromise
-  } = await shadowBin('npm', argv, {
+  } = await shadowBin(constants.NPM, argv, {
     stdio: 'inherit'
   });
@@ -6120,7 +6140,7 @@ async function run$v(argv, importMeta, {
 }
 const require$2 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-const CMD_NAME$o = 'npx';
+const CMD_NAME$o = constants.NPX;
 const description$t = 'Run npx with the Socket wrapper';
 const hidden$n = false;
 const cmdNpx = {
@@ -6162,14 +6182,14 @@ async function run$u(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const shadowBin = /*@__PURE__*/require$2(constants.shadowNpmBinPath);
+  const shadowBin = /*@__PURE__*/require$2(constants.default.shadowNpmBinPath);
   process.exitCode = 1;
   const {
     spawnPromise
-  } = await shadowBin('npx', argv, {
+  } = await shadowBin(constants.NPX, argv, {
     stdio: 'inherit'
   });
@@ -6226,7 +6246,7 @@ async function run$t(argv, importMeta, {
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (json && !justThrow) {
@@ -6252,7 +6272,7 @@ const {
   VLT: VLT$5,
   YARN_BERRY: YARN_BERRY$4,
   YARN_CLASSIC: YARN_CLASSIC$4
-} = constants;
+} = constants.default;
 function matchLsCmdViewHumanStdout(stdout, name) {
   return stdout.includes(` ${name}@`);
 }
@@ -6306,7 +6326,7 @@ const {
   VLT: VLT$4,
   YARN_BERRY: YARN_BERRY$3,
   YARN_CLASSIC: YARN_CLASSIC$3
-} = constants;
+} = constants.default;
 function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
   const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
   return {
@@ -6381,13 +6401,13 @@ function getOverridesData(pkgEnvDetails, pkgJson) {
 const {
   BUN: BUN$2,
-  LOCK_EXT,
+  EXT_LOCK,
   NPM: NPM$2,
   PNPM: PNPM$2,
   VLT: VLT$3,
   YARN_BERRY: YARN_BERRY$2,
   YARN_CLASSIC: YARN_CLASSIC$2
-} = constants;
+} = constants.default;
 function npmLockSrcIncludes(lockSrc, name) {
   // Detects the package name in the following cases:
   //   "name":
@@ -6398,7 +6418,7 @@ function bunLockSrcIncludes(lockSrc, name, lockName) {
   // we treat it as a yarn.lock. When lockName ends with a .lock we
   // treat it as a package-lock.json. The bun.lock format is not identical
   // package-lock.json, however it close enough for npmLockIncludes to work.
-  const lockfileScanner = lockName?.endsWith(LOCK_EXT) ? npmLockSrcIncludes : yarnLockSrcIncludes;
+  const lockfileScanner = lockName?.endsWith(EXT_LOCK) ? npmLockSrcIncludes : yarnLockSrcIncludes;
   return lockfileScanner(lockSrc, name);
 }
 function pnpmLockSrcIncludes(lockSrc, name) {
@@ -6453,7 +6473,7 @@ const {
   VLT: VLT$2,
   YARN_BERRY: YARN_BERRY$1,
   YARN_CLASSIC: YARN_CLASSIC$1
-} = constants;
+} = constants.default;
 function cleanupQueryStdout(stdout) {
   if (stdout === '') {
     return '';
@@ -6499,7 +6519,7 @@ async function npmQuery(npmExecPath, cwd) {
   try {
     stdout = (await spawn.spawn(npmExecPath, ['query', ':not(.dev)'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return cleanupQueryStdout(stdout);
@@ -6516,7 +6536,7 @@ async function lsBun(pkgEnvDetails, options) {
     // https://github.com/oven-sh/bun/issues/8283
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['pm', 'ls', '--all'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return '';
@@ -6551,7 +6571,7 @@ async function lsPnpm(pkgEnvDetails, options) {
     // https://en.wiktionary.org/wiki/parsable
     ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return parsableToQueryStdout(stdout);
@@ -6568,7 +6588,7 @@ async function lsVlt(pkgEnvDetails, options) {
     // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (await spawn.spawn(pkgEnvDetails.agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return cleanupQueryStdout(stdout);
@@ -6585,7 +6605,7 @@ async function lsYarnBerry(pkgEnvDetails, options) {
     // https://github.com/yarnpkg/berry/issues/5117
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['info', '--recursive', '--name-only'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return '';
@@ -6604,7 +6624,7 @@ async function lsYarnClassic(pkgEnvDetails, options) {
     //   environment is production
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['list', '--prod'], {
       cwd,
-      shell: constants.WIN32
+      shell: constants.default.WIN32
     })).stdout;
   } catch {}
   return '';
@@ -6638,7 +6658,7 @@ const {
   VLT: VLT$1,
   YARN_BERRY,
   YARN_CLASSIC
-} = constants;
+} = constants.default;
 const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'peerDependenciesMeta', 'optionalDependencies', 'bundleDependencies'];
 function getEntryIndexes(entries, keys) {
   return keys.map(n => entries.findIndex(p => p[0] === n)).filter(n => n !== -1).sort((a, b) => a - b);
@@ -6763,7 +6783,7 @@ function updateManifest(agent, editablePkgJson, overrides) {
   }
 }
-const manifestNpmOverrides = registry.getManifestData('npm');
+const manifestNpmOverrides = registry.getManifestData(constants.NPM);
 async function addOverrides(pkgEnvDetails, pkgPath, options) {
   const {
     agent,
@@ -6789,14 +6809,14 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
     ...options
   };
   const workspacePkgJsonPaths = await utils.globWorkspace(agent, pkgPath);
-  const isPnpm = agent === 'pnpm';
+  const isPnpm = agent === constants.PNPM;
   const isWorkspace = workspacePkgJsonPaths.length > 0;
   const isWorkspaceRoot = pkgPath === rootPath;
   const isLockScanned = isWorkspaceRoot && !prod;
   const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
   if (isWorkspace && isPnpm &&
   // npmExecPath will === the agent name IF it CANNOT be resolved.
-  npmExecPath === 'npm' && !state.warnedPnpmWorkspaceRequiresNpm) {
+  npmExecPath === constants.NPM && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     spinner?.stop();
     logger?.warn(utils.cmdPrefixMessage(CMD_NAME$n, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
@@ -6885,7 +6905,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
           const sockRegDepAlias = depAliasMap.get(sockRegPkgName);
           const depAlias = sockRegDepAlias ?? origDepAlias;
           let newSpec = sockOverrideSpec;
-          if (type === 'npm' && depAlias) {
+          if (type === constants.NPM && depAlias) {
             // With npm one may not set an override for a package that one directly
             // depends on unless both the dependency and the override itself share
             // the exact same spec. To make this limitation easier to deal with,
@@ -6965,7 +6985,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
 const {
   NPM_BUGGY_OVERRIDES_PATCHED_VERSION
-} = constants;
+} = constants.default;
 async function updateLockfile(pkgEnvDetails, options) {
   const {
     cmdName = '',
@@ -7016,7 +7036,7 @@ async function applyOptimization(pkgEnvDetails, {
 }) {
   const {
     spinner
-  } = constants;
+  } = constants.default;
   spinner.start();
   const state = await addOverrides(pkgEnvDetails, pkgEnvDetails.pkgPath, {
     logger: logger.logger,
@@ -7083,7 +7103,7 @@ function createActionMessage(verb, overrideCount, workspaceCount) {
 const {
   VLT
-} = constants;
+} = constants.default;
 async function handleOptimize({
   cwd,
   outputKind,
@@ -7178,7 +7198,7 @@ async function run$s(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const {
@@ -7223,7 +7243,7 @@ async function fetchDependencies(config, options) {
     limit,
     offset
   }), {
-    desc: 'organization dependencies'
+    description: 'organization dependencies'
   });
 }
@@ -7377,7 +7397,7 @@ async function run$r(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDependencies({
@@ -7400,7 +7420,7 @@ async function fetchLicensePolicy(orgSlug, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgLicensePolicy(orgSlug), {
-    desc: 'organization license policy'
+    description: 'organization license policy'
   });
 }
@@ -7497,7 +7517,9 @@ async function run$q(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -7514,7 +7536,7 @@ async function run$q(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleLicensePolicy(orgSlug, outputKind);
@@ -7533,7 +7555,7 @@ async function fetchSecurityPolicy(orgSlug, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgSecurityPolicy(orgSlug), {
-    desc: 'organization security policy'
+    description: 'organization security policy'
   });
 }
@@ -7631,7 +7653,9 @@ async function run$p(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -7648,7 +7672,7 @@ async function run$p(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleSecurityPolicy(orgSlug, outputKind);
@@ -7768,7 +7792,7 @@ async function run$o(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleOrganizationList(outputKind);
@@ -7812,7 +7836,7 @@ async function fetchQuota(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getQuota(), {
-    desc: 'token quota'
+    description: 'token quota'
   });
 }
@@ -7898,7 +7922,7 @@ async function run$n(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleQuota(outputKind);
@@ -8256,7 +8280,7 @@ async function run$m(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handlePurlDeepScore(purls[0] || '', outputKind);
@@ -8282,7 +8306,7 @@ async function fetchPurlsShallowScore(purls, options) {
   }, {
     alerts: 'true'
   }), {
-    desc: 'looking up package'
+    description: 'looking up package'
   });
   if (!batchPackageCResult.ok) {
     return batchPackageCResult;
@@ -8638,7 +8662,7 @@ async function run$l(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handlePurlsShallowScore({
@@ -8701,7 +8725,7 @@ async function outputPatchResult(result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
   }
-  if (outputKind === 'json') {
+  if (outputKind === constants.OUTPUT_JSON) {
     logger.logger.log(utils.serializeResultJson(result));
     return;
   }
@@ -8710,271 +8734,316 @@ async function outputPatchResult(result, outputKind) {
     return;
   }
   const {
-    patchedPackages
+    patched
   } = result.data;
-  if (patchedPackages.length > 0) {
-    logger.logger.success(`Successfully processed patches for ${patchedPackages.length} package(s):`);
-    for (const pkg of patchedPackages) {
+  logger.logger.log('');
+  if (patched.length) {
+    logger.logger.group(`Successfully processed patches for ${patched.length} ${words.pluralize('package', patched.length)}:`);
+    for (const pkg of patched) {
       logger.logger.success(pkg);
     }
+    logger.logger.groupEnd();
   } else {
-    logger.logger.info('No packages found requiring patches');
+    logger.logger.warn('No packages found requiring patches');
   }
   logger.logger.log('');
   logger.logger.success('Patch command completed!');
 }
-async function applyNPMPatches(patches, dryRun, socketDir, packages) {
+async function applyNpmPatches(socketDir, patches, options) {
+  const {
+    cwd = process.cwd(),
+    dryRun = false,
+    purlObjs,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const wasSpinning = !!spinner?.isSpinning;
+  spinner?.start();
   const patchLookup = new Map();
   for (const patchInfo of patches) {
-    const {
-      purl
-    } = patchInfo;
-    const fullName = purl.namespace ? `@${purl.namespace}/${purl.name}` : purl.name;
-    const lookupKey = `${fullName}@${purl.version}`;
-    patchLookup.set(lookupKey, patchInfo);
-  }
-  const nodeModulesFolders = await findNodeModulesFolders(process.cwd());
-  logger.logger.log(`Found ${nodeModulesFolders.length} node_modules folders`);
-  for (const nodeModulesPath of nodeModulesFolders) {
-    try {
+    patchLookup.set(patchInfo.purl, patchInfo);
+  }
+  const nmPaths = await findNodeModulesPaths(cwd);
+  spinner?.stop();
+  logger.logger.log(`Found ${nmPaths.length} ${constants.NODE_MODULES} ${words.pluralize('folder', nmPaths.length)}`);
+  logger.logger.group('');
+  spinner?.start();
+  const result = {
+    passed: [],
+    failed: []
+  };
+  for (const nmPath of nmPaths) {
+    // eslint-disable-next-line no-await-in-loop
+    const dirNames = await fs$2.readDirNames(nmPath);
+    for (const dirName of dirNames) {
+      const isScoped = dirName.startsWith('@');
+      const pkgPath = path.join(nmPath, dirName);
+      const pkgSubNames = isScoped ?
       // eslint-disable-next-line no-await-in-loop
-      const entries = await fs$1.promises.readdir(nodeModulesPath);
-      for (const entry of entries) {
-        const entryPath = path.join(nodeModulesPath, entry);
-        if (entry.startsWith('@')) {
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            const scopedEntries = await fs$1.promises.readdir(entryPath);
-            for (const scopedEntry of scopedEntries) {
-              const packagePath = path.join(entryPath, scopedEntry);
-              // eslint-disable-next-line no-await-in-loop
-              const pkg = await readPackageJson(packagePath);
-              if (pkg) {
-                // Skip if specific packages requested and this isn't one of them
-                if (packages.length > 0 && !packages.includes(pkg.name)) {
-                  continue;
-                }
-                const lookupKey = `${pkg.name}@${pkg.version}`;
-                const patchInfo = patchLookup.get(lookupKey);
-                if (patchInfo) {
-                  logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${packagePath}`);
-                  logger.logger.log(`  Patch key: ${patchInfo.key}`);
-                  logger.logger.log(`  Processing files:`);
-                  for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
-                    // eslint-disable-next-line no-await-in-loop
-                    await processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir);
-                  }
-                }
-              }
-            }
-          } catch {
-            // Ignore errors reading scoped packages
-          }
-        } else {
+      await fs$2.readDirNames(pkgPath) : [dirName];
+      for (const pkgSubName of pkgSubNames) {
+        const dirFullName = isScoped ? `${dirName}/${pkgSubName}` : pkgSubName;
+        const pkgPath = path.join(nmPath, dirFullName);
+        // eslint-disable-next-line no-await-in-loop
+        const pkgJson = await packages.readPackageJson(pkgPath, {
+          throws: false
+        });
+        if (!strings.isNonEmptyString(pkgJson?.name) || !strings.isNonEmptyString(pkgJson?.version)) {
+          continue;
+        }
+        const purl = `pkg:npm/${pkgJson.name}@${pkgJson.version}`;
+        const purlObj = utils.getPurlObject(purl, {
+          throws: false
+        });
+        if (!purlObj) {
+          continue;
+        }
+        // Skip if specific packages requested and this isn't one of them
+        if (purlObjs?.length && purlObjs.findIndex(p => p.type === constants.NPM && p.namespace === purlObj.namespace && p.name === purlObj.name) === -1) {
+          continue;
+        }
+        const patchInfo = patchLookup.get(purl);
+        if (!patchInfo) {
+          continue;
+        }
+        spinner?.stop();
+        logger.logger.log(`Found match: ${pkgJson.name}@${pkgJson.version} at ${pkgPath}`);
+        logger.logger.log(`Patch key: ${patchInfo.key}`);
+        logger.logger.group(`Processing files:`);
+        spinner?.start();
+        let passed = true;
+        for (const {
+          0: fileName,
+          1: fileInfo
+        } of Object.entries(patchInfo.patch.files)) {
           // eslint-disable-next-line no-await-in-loop
-          const pkg = await readPackageJson(entryPath);
-          if (pkg) {
-            // Skip if specific packages requested and this isn't one of them
-            if (packages.length > 0 && !packages.includes(pkg.name)) {
-              continue;
-            }
-            const lookupKey = `${pkg.name}@${pkg.version}`;
-            const patchInfo = patchLookup.get(lookupKey);
-            if (patchInfo) {
-              logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${entryPath}`);
-              logger.logger.log(`  Patch key: ${patchInfo.key}`);
-              logger.logger.log(`  Processing files:`);
-              for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
-                // eslint-disable-next-line no-await-in-loop
-                await processFilePatch(entryPath, fileName, fileInfo, dryRun, socketDir);
-              }
-            }
+          const filePatchPassed = await processFilePatch(pkgPath, fileName, fileInfo, socketDir, {
+            dryRun,
+            spinner
+          });
+          if (!filePatchPassed) {
+            passed = false;
           }
         }
+        logger.logger.groupEnd();
+        if (passed) {
+          result.passed.push(purl);
+        } else {
+          result.failed.push(purl);
+        }
       }
-    } catch (error) {
-      logger.logger.error(`Error processing ${nodeModulesPath}:`, error);
     }
   }
+  spinner?.stop();
+  logger.logger.groupEnd();
+  if (wasSpinning) {
+    spinner.start();
+  }
+  return result;
 }
-async function computeSHA256(filePath) {
+async function computeSHA256(filepath) {
   try {
-    const content = await fs$1.promises.readFile(filePath);
+    const content = await fs$1.promises.readFile(filepath);
     const hash = require$$0$1.createHash('sha256');
     hash.update(content);
     return hash.digest('hex');
-  } catch {
-    return null;
-  }
+  } catch {}
+  return null;
 }
-async function findNodeModulesFolders(rootDir) {
-  const nodeModulesPaths = [];
-  async function searchDir(dir) {
-    try {
-      const entries = await fs$1.promises.readdir(dir);
-      for (const entry of entries) {
-        if (entry.startsWith('.') || entry === 'dist' || entry === 'build') {
-          continue;
-        }
-        const fullPath = path.join(dir, entry);
-        // eslint-disable-next-line no-await-in-loop
-        const stats = await fs$1.promises.stat(fullPath);
-        if (stats.isDirectory()) {
-          if (entry === 'node_modules') {
-            nodeModulesPaths.push(fullPath);
-          } else {
-            // eslint-disable-next-line no-await-in-loop
-            await searchDir(fullPath);
-          }
-        }
-      }
-    } catch (error) {
-      // Ignore permission errors or missing directories
-    }
-  }
-  await searchDir(rootDir);
-  return nodeModulesPaths;
-}
-function parsePURL(purlString) {
-  const [ecosystem, rest] = purlString.split(':', 2);
-  const [nameAndNamespace, version] = (rest ?? '').split('@', 2);
-  let namespace;
-  let name;
-  if (ecosystem === 'npm' && nameAndNamespace?.startsWith('@')) {
-    const parts = nameAndNamespace.split('/');
-    namespace = parts[0]?.substring(1);
-    name = parts.slice(1).join('/');
-  } else {
-    name = nameAndNamespace ?? '';
+async function findNodeModulesPaths(cwd) {
+  const rootNmPath = await utils.findUp(constants.NODE_MODULES, {
+    cwd,
+    onlyDirectories: true
+  });
+  if (!rootNmPath) {
+    return [];
   }
-  return {
-    type: ecosystem ?? 'unknown',
-    namespace: namespace ?? '',
-    name: name ?? '',
-    version: version ?? '0.0.0'
-  };
+  return await vendor.outExports.glob([`**/${constants.NODE_MODULES}`], {
+    absolute: true,
+    cwd: path.dirname(rootNmPath),
+    dot: true,
+    onlyDirectories: true
+  });
 }
-async function processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir) {
-  const filePath = path.join(packagePath, fileName);
-  if (!fs$1.existsSync(filePath)) {
+async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options) {
+  const {
+    dryRun,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const wasSpinning = !!spinner?.isSpinning;
+  spinner?.stop();
+  const filepath = path.join(pkgPath, fileName);
+  if (!fs$1.existsSync(filepath)) {
     logger.logger.log(`File not found: ${fileName}`);
-    return;
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
   }
-  const currentHash = await computeSHA256(filePath);
+  const currentHash = await computeSHA256(filepath);
   if (!currentHash) {
     logger.logger.log(`Failed to compute hash for: ${fileName}`);
-    return;
-  }
-  if (currentHash === fileInfo.beforeHash) {
-    logger.logger.success(`File matches expected hash: ${fileName}`);
-    logger.logger.log(`Current hash: ${currentHash}`);
-    logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
-    if (!dryRun) {
-      const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
-      if (!fs$1.existsSync(blobPath)) {
-        logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
-        return;
-      }
-      try {
-        await fs$1.promises.copyFile(blobPath, filePath);
-        logger.logger.success(`Patch applied successfully`);
-      } catch (error) {
-        logger.logger.log(`Error applying patch: ${error}`);
-      }
-    } else {
-      logger.logger.log(`(dry run - no changes made)`);
+    if (wasSpinning) {
+      spinner?.start();
     }
-  } else if (currentHash === fileInfo.afterHash) {
+    return false;
+  }
+  if (currentHash === fileInfo.afterHash) {
     logger.logger.success(`File already patched: ${fileName}`);
+    logger.logger.group();
     logger.logger.log(`Current hash: ${currentHash}`);
-  } else {
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return true;
+  }
+  if (currentHash !== fileInfo.beforeHash) {
     logger.logger.fail(`File hash mismatch: ${fileName}`);
+    logger.logger.group();
     logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
     logger.logger.log(`Current:  ${currentHash}`);
     logger.logger.log(`Target:   ${fileInfo.afterHash}`);
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
   }
-}
-async function readPackageJson(packagePath) {
-  const pkgJsonPath = path.join(packagePath, 'package.json');
-  const pkg = await fs$2.readJson(pkgJsonPath, {
-    throws: false
-  });
-  if (pkg) {
-    return {
-      name: pkg.name || '',
-      version: pkg.version || ''
-    };
+  logger.logger.success(`File matches expected hash: ${fileName}`);
+  logger.logger.group();
+  logger.logger.log(`Current hash: ${currentHash}`);
+  logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
+  logger.logger.group();
+  if (dryRun) {
+    logger.logger.log(`(dry run - no changes made)`);
+    logger.logger.groupEnd();
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
   }
-  return null;
+  const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
+  if (!fs$1.existsSync(blobPath)) {
+    logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
+    logger.logger.groupEnd();
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
+  }
+  spinner?.start();
+  let result = true;
+  try {
+    await fs$1.promises.copyFile(blobPath, filepath);
+    logger.logger.success(`Patch applied successfully`);
+  } catch (e) {
+    logger.logger.error('Error applying patch');
+    require$$9.debugDir('inspect', {
+      error: e
+    });
+    result = false;
+  }
+  logger.logger.groupEnd();
+  logger.logger.groupEnd();
+  spinner?.stop();
+  if (wasSpinning) {
+    spinner?.start();
+  }
+  return result;
 }
 async function handlePatch({
   cwd,
   dryRun,
   outputKind,
-  packages,
+  purlObjs,
   spinner
 }) {
   try {
-    const dotSocketDirPath = path.join(cwd, '.socket');
+    const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
     const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
-    // Read the manifest file.
     const manifestContent = await fs$1.promises.readFile(manifestPath, 'utf-8');
     const manifestData = JSON.parse(manifestContent);
-    // Validate the schema.
+    const purls = purlObjs.map(String);
     const validated = PatchManifestSchema.parse(manifestData);
     // Parse PURLs and group by ecosystem.
-    const patchesByEcosystem = {};
-    for (const [key, patch] of Object.entries(validated.patches)) {
-      const purl = parsePURL(key);
-      if (!patchesByEcosystem[purl.type]) {
-        patchesByEcosystem[purl.type] = [];
+    const patchesByEcosystem = new Map();
+    for (const {
+      0: key,
+      1: patch
+    } of Object.entries(validated.patches)) {
+      const purl = utils.normalizePurl(key);
+      if (purls.length && !purls.includes(purl)) {
+        continue;
+      }
+      const purlObj = utils.getPurlObject(purl, {
+        throws: false
+      });
+      if (!purlObj) {
+        continue;
+      }
+      let patches = patchesByEcosystem.get(purlObj.type);
+      if (!Array.isArray(patches)) {
+        patches = [];
+        patchesByEcosystem.set(purlObj.type, patches);
       }
-      patchesByEcosystem[purl.type]?.push({
+      patches.push({
         key,
+        patch,
         purl,
-        patch
+        purlObj
       });
     }
-    spinner.stop();
-    logger.logger.log('');
-    if (packages.length > 0) {
-      logger.logger.info(`Checking patches for: ${packages.join(', ')}`);
+    if (purls.length) {
+      spinner.start(`Checking patches for: ${arrays.joinAnd(purls)}`);
     } else {
-      logger.logger.info('Scanning all dependencies for available patches');
+      spinner.start('Scanning all dependencies for available patches');
     }
-    logger.logger.log('');
-    if (patchesByEcosystem['npm']) {
-      await applyNPMPatches(patchesByEcosystem['npm'], dryRun, dotSocketDirPath, packages);
+    const patched = [];
+    const npmPatches = patchesByEcosystem.get(constants.NPM);
+    if (npmPatches) {
+      const patchingResults = await applyNpmPatches(dotSocketDirPath, npmPatches, {
+        cwd,
+        dryRun,
+        purlObjs,
+        spinner
+      });
+      patched.push(...patchingResults.passed);
     }
-    const result = {
+    spinner.stop();
+    await outputPatchResult({
       ok: true,
       data: {
-        patchedPackages: packages.length > 0 ? packages : ['patched successfully']
+        patched
       }
-    };
-    await outputPatchResult(result, outputKind);
+    }, outputKind);
   } catch (e) {
     spinner.stop();
     let message = 'Failed to apply patches';
-    let cause = e?.message || 'Unknown error';
+    let cause = e?.message || constants.UNKNOWN_ERROR;
     if (e instanceof SyntaxError) {
-      message = 'Invalid JSON in manifest.json';
+      message = `Invalid JSON in ${registryConstants.MANIFEST_JSON}`;
       cause = e.message;
     } else if (e instanceof Error && 'issues' in e) {
       message = 'Schema validation failed';
       cause = String(e);
     }
-    const result = {
+    await outputPatchResult({
       ok: false,
       code: 1,
       message,
       cause
-    };
-    await outputPatchResult(result, outputKind);
+    }, outputKind);
   }
 }
@@ -8996,10 +9065,10 @@ async function run$k(argv, importMeta, {
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
-      package: {
+      purl: {
         type: 'string',
         default: [],
-        description: 'Specify packages to patch, as either a comma separated value or as multiple flags',
+        description: 'Specify purls to patch, as either a comma separated value or as multiple flags',
         isMultiple: true,
         shortFlag: 'p'
       }
@@ -9042,24 +9111,27 @@ async function run$k(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  const dotSocketDirPath = path.join(cwd, '.socket');
+  const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
   if (!fs$1.existsSync(dotSocketDirPath)) {
-    logger.logger.error('Error: No .socket directory found in current directory');
+    logger.logger.error(`Error: No ${constants.DOT_SOCKET} directory found in current directory`);
     return;
   }
-  const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
+  const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
   if (!fs$1.existsSync(manifestPath)) {
-    logger.logger.error('Error: No manifest.json found in .socket directory');
+    logger.logger.error(`Error: No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
+    return;
   }
   const {
     spinner
-  } = constants;
-  const packages = utils.cmdFlagValueToArray(cli.flags['package']);
+  } = constants.default;
+  const purlObjs = arrays.arrayUnique(utils.cmdFlagValueToArray(cli.flags['purl'])).map(p => utils.getPurlObject(p, {
+    throws: false
+  })).filter(Boolean);
   await handlePatch({
     cwd,
     dryRun,
     outputKind,
-    packages,
+    purlObjs,
     spinner
   });
 }
@@ -9067,7 +9139,7 @@ async function run$k(argv, importMeta, {
 async function runRawNpm(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpmBinPath(), argv, {
-    shell: constants.WIN32,
+    shell: constants.default.WIN32,
     stdio: 'inherit'
   });
@@ -9121,7 +9193,7 @@ async function run$j(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await runRawNpm(argv);
@@ -9130,7 +9202,7 @@ async function run$j(argv, importMeta, {
 async function runRawNpx(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpxBinPath(), argv, {
-    shell: constants.WIN32,
+    shell: constants.default.WIN32,
     stdio: 'inherit'
   });
@@ -9184,7 +9256,7 @@ async function run$i(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await runRawNpx(argv);
@@ -9217,7 +9289,7 @@ async function fetchCreateRepo(config, options) {
     name: repoName,
     visibility
   }), {
-    desc: 'to create a repository'
+    description: 'to create a repository'
   });
 }
@@ -9339,7 +9411,9 @@ async function run$h(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -9349,7 +9423,7 @@ async function run$h(argv, importMeta, {
   }, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     test: !!repoName,
@@ -9365,7 +9439,7 @@ async function run$h(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCreateRepo({
@@ -9391,7 +9465,7 @@ async function fetchDeleteRepo(orgSlug, repoName, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.deleteOrgRepo(orgSlug, repoName), {
-    desc: 'to delete a repository'
+    description: 'to delete a repository'
   });
 }
@@ -9473,12 +9547,14 @@ async function run$g(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -9499,7 +9575,7 @@ async function run$g(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDeleteRepo(orgSlug, repoName, outputKind);
@@ -9538,7 +9614,7 @@ async function fetchListAllRepos(orgSlug, options) {
       // max
       page: String(nextPage)
     }), {
-      desc: 'list of repositories'
+      description: 'list of repositories'
     });
     if (!orgRepoListCResult.ok) {
       return orgRepoListCResult;
@@ -9583,7 +9659,7 @@ async function fetchListRepos(config, options) {
     per_page: String(perPage),
     page: String(page)
   }), {
-    desc: 'list of repositories'
+    description: 'list of repositories'
   });
 }
@@ -9763,7 +9839,9 @@ async function run$f(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -9790,7 +9868,7 @@ async function run$f(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleListRepos({
@@ -9835,7 +9913,7 @@ async function fetchUpdateRepo(config, options) {
     orgSlug,
     visibility
   }), {
-    desc: 'to update a repository'
+    description: 'to update a repository'
   });
 }
@@ -9956,12 +10034,14 @@ async function run$e(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -9982,7 +10062,7 @@ async function run$e(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleUpdateRepo({
@@ -10008,7 +10088,7 @@ async function fetchViewRepo(orgSlug, repoName, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgRepo(orgSlug, repoName), {
-    desc: 'repository data'
+    description: 'repository data'
   });
 }
@@ -10116,12 +10196,14 @@ async function run$d(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -10147,7 +10229,7 @@ async function run$d(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleViewRepo(orgSlug, String(repoName), outputKind);
@@ -10237,29 +10319,31 @@ const generalFlags$1 = {
   },
   branch: {
     type: 'string',
-    shortFlag: 'b',
-    description: 'Branch name'
+    default: '',
+    description: 'Branch name',
+    shortFlag: 'b'
   },
   commitHash: {
     type: 'string',
-    shortFlag: 'ch',
     default: '',
-    description: 'Commit hash'
+    description: 'Commit hash',
+    shortFlag: 'ch'
   },
   commitMessage: {
     type: 'string',
-    shortFlag: 'm',
     default: '',
-    description: 'Commit message'
+    description: 'Commit message',
+    shortFlag: 'm'
   },
   committers: {
     type: 'string',
-    shortFlag: 'c',
     default: '',
-    description: 'Committers'
+    description: 'Committers',
+    shortFlag: 'c'
   },
   cwd: {
     type: 'string',
+    default: '',
     description: 'working directory, defaults to process.cwd()'
   },
   defaultBranch: {
@@ -10274,11 +10358,13 @@ const generalFlags$1 = {
   },
   pullRequest: {
     type: 'number',
-    shortFlag: 'pr',
-    description: 'Pull request number'
+    default: 0,
+    description: 'Pull request number',
+    shortFlag: 'pr'
   },
   org: {
     type: 'string',
+    default: '',
     description: 'Force override the organization slug, overrides the default org from config'
   },
   reach: {
@@ -10300,17 +10386,22 @@ const generalFlags$1 = {
     type: 'boolean',
     description: 'Wait for the scan creation to complete, then basically run `socket scan report` on it'
   },
+  reportLevel: {
+    type: 'string',
+    default: constants.default.REPORT_LEVEL_ERROR,
+    description: `Which policy level alerts should be reported (default '${constants.default.REPORT_LEVEL_ERROR}')`
+  },
   setAsAlertsPage: {
     type: 'boolean',
     default: true,
-    aliases: ['pendingHead'],
-    description: 'When true and if this is the "default branch" then this Scan will be the one reflected on your alerts page. See help for details. Defaults to true.'
+    description: 'When true and if this is the "default branch" then this Scan will be the one reflected on your alerts page. See help for details. Defaults to true.',
+    aliases: ['pendingHead']
   },
   tmp: {
     type: 'boolean',
-    shortFlag: 't',
     default: false,
-    description: 'Set the visibility (true/false) of the scan in your dashboard.'
+    description: 'Set the visibility (true/false) of the scan in your dashboard.',
+    shortFlag: 't'
   }
 };
 const cmdScanCreate = {
@@ -10402,17 +10493,14 @@ async function run$c(argv, importMeta, {
     reachDisableAnalytics,
     reachSkipCache,
     readOnly,
+    reportLevel,
     setAsAlertsPage: pendingHeadFlag,
     tmp
   } = cli.flags;
-  const dryRun = !!cli.flags['dryRun'];
-  // Process comma-separated values for isMultiple flags.
-  const reachEcosystemsRaw = utils.cmdFlagValueToArray(cli.flags['reachEcosystems']);
-  const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
   // Validate ecosystem values.
   const reachEcosystems = [];
+  const reachEcosystemsRaw = utils.cmdFlagValueToArray(cli.flags['reachEcosystems']);
   const validEcosystems = utils.getEcosystemChoicesForMeow();
   for (const ecosystem of reachEcosystemsRaw) {
     if (!validEcosystems.includes(ecosystem)) {
@@ -10420,15 +10508,18 @@ async function run$c(argv, importMeta, {
     }
     reachEcosystems.push(ecosystem);
   }
+  const dryRun = !!cli.flags['dryRun'];
   let {
     autoManifest,
     branch: branchName,
     repo: repoName,
     report
   } = cli.flags;
-  let [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  let {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const processCwd = process.cwd();
-  const cwd = cwdOverride && cwdOverride !== processCwd ? path.resolve(processCwd, String(cwdOverride)) : processCwd;
+  const cwd = cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd ? path.resolve(processCwd, cwdOverride) : processCwd;
   const sockJson = utils.readOrDefaultSocketJson(cwd);
   // Note: This needs meow booleanDefault=undefined.
@@ -10519,6 +10610,7 @@ async function run$c(argv, importMeta, {
     logger.logger.info('You can also run `socket scan setup` to persist these flag defaults to a socket.json file.');
     logger.logger.error('');
   }
+  const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
   // Validation helpers for better readability.
   const hasReachEcosystems = reachEcosystems.length > 0;
@@ -10566,7 +10658,7 @@ async function run$c(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCreateNewScan({
@@ -10594,6 +10686,7 @@ async function run$c(argv, importMeta, {
     readOnly: Boolean(readOnly),
     repoName,
     report,
+    reportLevel,
     targets,
     tmp: Boolean(tmp)
   });
@@ -10612,7 +10705,7 @@ async function fetchDeleteOrgFullScan(orgSlug, scanId, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.deleteOrgFullScan(orgSlug, scanId), {
-    desc: 'to delete a scan'
+    description: 'to delete a scan'
   });
 }
@@ -10715,7 +10808,7 @@ async function run$b(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDeleteScan(orgSlug, scanId, outputKind);
@@ -10797,7 +10890,7 @@ async function handleJson(data, file, dashboardMessage) {
   }
 }
 async function handleMarkdown(data) {
-  const SOCKET_SBOM_URL_PREFIX = `${constants.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
+  const SOCKET_SBOM_URL_PREFIX = `${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
   logger.logger.log('# Scan diff result');
   logger.logger.log('');
   logger.logger.log('This Socket.dev report shows the changes between two scans:');
@@ -10861,7 +10954,10 @@ async function handleMarkdown(data) {
   logger.logger.log('');
   logger.logger.log('This Scan was considered to be the "base" / "from" / "before" Scan.');
   logger.logger.log('');
-  for (const [key, value] of Object.entries(data.before)) {
+  for (const {
+    0: key,
+    1: value
+  } of Object.entries(data.before)) {
     if (key === 'pull_request' && !value) {
       continue;
     }
@@ -10875,7 +10971,10 @@ async function handleMarkdown(data) {
   logger.logger.log('');
   logger.logger.log('This Scan was considered to be the "head" / "to" / "after" Scan.');
   logger.logger.log('');
-  for (const [key, value] of Object.entries(data.after)) {
+  for (const {
+    0: key,
+    1: value
+  } of Object.entries(data.after)) {
     if (key === 'pull_request' && !value) {
       continue;
     }
@@ -10975,7 +11074,7 @@ async function run$a(argv, importMeta, {
     importMeta,
     parentName
   });
-  const SOCKET_SBOM_URL_PREFIX = `${constants.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
+  const SOCKET_SBOM_URL_PREFIX = `${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/SocketDev/sbom/`;
   const SOCKET_SBOM_URL_PREFIX_LENGTH = SOCKET_SBOM_URL_PREFIX.length;
   const {
     depth,
@@ -10995,7 +11094,9 @@ async function run$a(argv, importMeta, {
     id2 = id2.slice(SOCKET_SBOM_URL_PREFIX_LENGTH);
   }
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: !!(id1 && id2),
@@ -11021,7 +11122,7 @@ async function run$a(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleDiffScan({
@@ -11230,6 +11331,7 @@ async function scanOneRepo(repoSlug, {
     readOnly: false,
     repoName: repoSlug,
     report: false,
+    reportLevel: constants.default.REPORT_LEVEL_ERROR,
     targets: ['.'],
     tmp: false
   });
@@ -11693,6 +11795,7 @@ async function handleCreateGithubScan({
 }
 const CMD_NAME$6 = 'github';
+const DEFAULT_GITHUB_URL = 'https://api.github.com';
 const description$8 = 'Create a scan for given GitHub repo';
 const hidden$6 = true;
 const cmdScanGithub = {
@@ -11716,11 +11819,13 @@ async function run$9(argv, importMeta, {
       },
       githubToken: {
         type: 'string',
+        default: constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN,
         description: 'Required GitHub token for authentication.\nMay set environment variable GITHUB_TOKEN or SOCKET_CLI_GITHUB_TOKEN instead.'
       },
       githubApiUrl: {
         type: 'string',
-        description: 'Base URL of the GitHub API (default: https://api.github.com)'
+        default: DEFAULT_GITHUB_URL,
+        description: `Base URL of the GitHub API (default: ${DEFAULT_GITHUB_URL})`
       },
       interactive: {
         type: 'boolean',
@@ -11729,14 +11834,17 @@ async function run$9(argv, importMeta, {
       },
       org: {
         type: 'string',
+        default: '',
         description: 'Force override the organization slug, overrides the default org from config'
       },
       orgGithub: {
         type: 'string',
+        default: '',
         description: 'Alternate GitHub Org if the name is different than the Socket Org'
       },
       repos: {
         type: 'string',
+        default: '',
         description: 'List of repos to target in a comma-separated format (e.g., repo1,repo2). If not specified, the script will pull the list from Socket and ask you to pick one. Use --all to use them all.'
       }
     },
@@ -11774,7 +11882,7 @@ async function run$9(argv, importMeta, {
     parentName
   });
   const {
-    githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN,
+    githubToken = constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN,
     interactive = true,
     json,
     markdown,
@@ -11791,7 +11899,9 @@ async function run$9(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  let [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  let {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const sockJson = utils.readOrDefaultSocketJson(cwd);
   if (all === undefined) {
     if (sockJson.defaults?.scan?.github?.all !== undefined) {
@@ -11804,7 +11914,7 @@ async function run$9(argv, importMeta, {
     if (sockJson.defaults?.scan?.github?.githubApiUrl !== undefined) {
       githubApiUrl = sockJson.defaults.scan.github.githubApiUrl;
     } else {
-      githubApiUrl = 'https://api.github.com';
+      githubApiUrl = DEFAULT_GITHUB_URL;
     }
   }
   if (!orgGithub) {
@@ -11872,7 +11982,7 @@ async function run$9(argv, importMeta, {
   // Note exiting earlier to skirt a hidden auth requirement
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleCreateGithubScan({
@@ -11925,7 +12035,7 @@ async function fetchOrgFullScanList(config, options) {
     page: String(page),
     per_page: String(perPage)
   }), {
-    desc: 'list of scans'
+    description: 'list of scans'
   });
 }
@@ -12105,12 +12215,14 @@ async function run$8(argv, importMeta, {
   const [repo = '', branchArg = ''] = cli.input;
   const branch = String(branchFlag || branchArg || '');
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -12137,7 +12249,7 @@ async function run$8(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleListScans({
@@ -12166,7 +12278,7 @@ async function fetchScanMetadata(orgSlug, scanId, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgFullScanMetadata(orgSlug, scanId), {
-    desc: 'meta data for a full scan'
+    description: 'meta data for a full scan'
   });
 }
@@ -12186,7 +12298,10 @@ async function outputScanMetadata(result, scanId, outputKind) {
     logger.logger.log('# Scan meta data\n');
   }
   logger.logger.log(`Scan ID: ${scanId}\n`);
-  for (const [key, value] of Object.entries(result.data)) {
+  for (const {
+    0: key,
+    1: value
+  } of Object.entries(result.data)) {
     if (['id', 'updated_at', 'organization_id', 'repository_id', 'commit_hash', 'html_report_url'].includes(key)) {
       continue;
     }
@@ -12262,7 +12377,9 @@ async function run$7(argv, importMeta, {
   const interactive = !!cli.flags['interactive'];
   const [scanId = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -12288,7 +12405,7 @@ async function run$7(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleOrgScanMetadata(orgSlug, scanId, outputKind);
@@ -12311,7 +12428,7 @@ async function outputScanReach(result, {
   }
   logger.logger.log('');
   logger.logger.success('Reachability analysis completed successfully!');
-  logger.logger.info(`Reachability report has been written to: ${path.join(cwd, constants.DOT_SOCKET_DOT_FACTS_JSON)}`);
+  logger.logger.info(`Reachability report has been written to: ${path.join(cwd, constants.default.DOT_SOCKET_DOT_FACTS_JSON)}`);
 }
 async function handleScanReach({
@@ -12324,7 +12441,7 @@ async function handleScanReach({
 }) {
   const {
     spinner
-  } = constants;
+  } = constants.default;
   // Get supported file names
   const supportedFilesCResult = await fetchSupportedScanFileNames({
@@ -12377,10 +12494,12 @@ const generalFlags = {
   ...flags.outputFlags,
   cwd: {
     type: 'string',
+    default: '',
     description: 'working directory, defaults to process.cwd()'
   },
   org: {
     type: 'string',
+    default: '',
     description: 'Force override the organization slug, overrides the default org from config'
   }
 };
@@ -12459,7 +12578,7 @@ async function run$6(argv, importMeta, {
     reachEcosystems.push(ecosystem);
   }
   const processCwd = process.cwd();
-  const cwd = cwdOverride && cwdOverride !== processCwd ? path.resolve(processCwd, String(cwdOverride)) : processCwd;
+  const cwd = cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd ? path.resolve(processCwd, cwdOverride) : processCwd;
   // Accept zero or more paths. Default to cwd() if none given.
   let targets = cli.input || [cwd];
@@ -12468,7 +12587,9 @@ async function run$6(argv, importMeta, {
   if (!targets.length && !dryRun && interactive) {
     targets = await suggestTarget();
   }
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(orgFlag, interactive, dryRun);
   const hasApiToken = utils.hasDefaultApiToken();
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
@@ -12491,7 +12612,7 @@ async function run$6(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleScanReach({
@@ -12531,8 +12652,8 @@ async function run$5(argv, importMeta, {
       ...flags.outputFlags,
       fold: {
         type: 'string',
-        default: 'none',
-        description: 'Fold reported alerts to some degree'
+        default: constants.default.FOLD_SETTING_NONE,
+        description: `Fold reported alerts to some degree (default '${constants.default.FOLD_SETTING_NONE}')`
       },
       interactive: {
         type: 'boolean',
@@ -12545,8 +12666,8 @@ async function run$5(argv, importMeta, {
       },
       reportLevel: {
         type: 'string',
-        default: 'warn',
-        description: 'Which policy level alerts should be reported'
+        default: constants.default.REPORT_LEVEL_WARN,
+        description: `Which policy level alerts should be reported (default '${constants.default.REPORT_LEVEL_WARN}')`
       },
       short: {
         type: 'boolean',
@@ -12583,7 +12704,7 @@ async function run$5(argv, importMeta, {
     You can --fold these up to given level: 'pkg', 'version', 'file', and 'none'.
     For example: \`socket scan report --fold=version\` will dedupe alerts to only
-    show one alert of a particular kind, no matter how often it was foud in a
+    show one alert of a particular kind, no matter how often it was found in a
     file or in how many files it was found. At most one per version that has it.
     By default only the warn and error policy level alerts are reported. You can
@@ -12606,18 +12727,21 @@ async function run$5(argv, importMeta, {
     parentName
   });
   const {
-    fold = 'none',
     json,
-    license,
     markdown,
-    org: orgFlag,
-    reportLevel = 'warn'
+    org: orgFlag
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
+  const fold = cli.flags['fold'];
   const interactive = !!cli.flags['interactive'];
-  const [scanId = '', file = ''] = cli.input;
+  const includeLicensePolicy = !!cli.flags['license'];
+  const reportLevel = cli.flags['reportLevel'];
+  const short = !!cli.flags['short'];
+  const [scanId = '', filepath = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -12643,18 +12767,18 @@ async function run$5(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleScanReport({
     orgSlug,
     scanId,
-    includeLicensePolicy: !!license,
+    includeLicensePolicy,
     outputKind,
-    filePath: file,
-    fold: fold,
-    short: !!cli.flags['short'],
-    reportLevel: reportLevel
+    filepath,
+    fold,
+    short,
+    reportLevel
   });
 }
@@ -12899,14 +13023,14 @@ async function configureGithub(config) {
   }
   const defaultGithubApiUrl = await prompts.input({
     message: '(--github-api-url) Do you want to override the default github url?',
-    default: config.githubApiUrl || constants.ENV.GITHUB_API_URL,
+    default: config.githubApiUrl || constants.default.ENV.GITHUB_API_URL,
     required: false
     // validate: async string => bool
   });
   if (defaultGithubApiUrl === undefined) {
     return canceledByUser();
   }
-  if (defaultGithubApiUrl && defaultGithubApiUrl !== constants.ENV.GITHUB_API_URL) {
+  if (defaultGithubApiUrl && defaultGithubApiUrl !== constants.default.ENV.GITHUB_API_URL) {
     config.githubApiUrl = defaultGithubApiUrl;
   } else {
     delete config.githubApiUrl;
@@ -13003,7 +13127,7 @@ async function run$4(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const {
@@ -13106,7 +13230,7 @@ Scan ID: ${scanId}
 ${md}
-View this report at: ${constants.SOCKET_WEBSITE_URL}/dashboard/org/${orgSlug}/sbom/${scanId}
+View this report at: ${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/${orgSlug}/sbom/${scanId}
   `.trim() + '\n';
   if (filePath && filePath !== '-') {
     try {
@@ -13144,7 +13268,7 @@ async function streamScan(orgSlug, scanId, options) {
   // Note: this will write to stdout or target file. It's not a noop
   return await utils.handleApiCall(sockSdk.getOrgFullScan(orgSlug, scanId, file === '-' ? undefined : file), {
-    desc: 'a scan'
+    description: 'a scan'
   });
 }
@@ -13214,7 +13338,9 @@ async function run$3(argv, importMeta, {
   const interactive = !!cli.flags['interactive'];
   const [scanId = '', file = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -13245,7 +13371,7 @@ async function run$3(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   if (json && stream) {
@@ -13332,7 +13458,7 @@ async function outputThreatFeed(result, outputKind) {
   // Note: this temporarily takes over the terminal (just like `man` does).
   const ScreenWidget = /*@__PURE__*/require$1('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
-    ...constants.blessedOptions
+    ...constants.default.blessedOptions
   });
   // Register these keys first so you can always exit, even when it gets stuck
   // If we don't do this and the code crashes, the user must hard-kill the
@@ -13471,7 +13597,7 @@ async function handleThreatFeed({
 }
 const CMD_NAME = 'threat-feed';
-const ECOSYSTEMS = new Set(['gem', 'golang', 'maven', 'npm', 'nuget', 'pypi']);
+const ECOSYSTEMS = new Set(['gem', 'golang', 'maven', constants.NPM, 'nuget', 'pypi']);
 const TYPE_FILTERS = new Set(['anom', 'c', 'fp', 'joke', 'mal', 'secret', 'spy', 'tp', 'typo', 'u', 'vuln']);
 const description$1 = '[Beta] View the threat-feed';
 const hidden = false;
@@ -13649,7 +13775,9 @@ async function run$2(argv, importMeta, {
     logger.logger.info(`Warning: ignoring these excessive args: ${Array.from(argSet).join(', ')}`);
   }
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -13671,7 +13799,7 @@ async function run$2(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   await handleThreatFeed({
@@ -13724,7 +13852,7 @@ async function teardownTabCompletion(targetName) {
   } = result.data;
   // Remove from ~/.bashrc if found
-  const bashrc = constants.homePath ? path.join(constants.homePath, '.bashrc') : '';
+  const bashrc = constants.default.homePath ? path.join(constants.default.homePath, '.bashrc') : '';
   if (bashrc && fs$1.existsSync(bashrc)) {
     const content = fs$1.readFileSync(bashrc, 'utf8');
     if (content.includes(toAddToBashrc)) {
@@ -13818,7 +13946,7 @@ async function run$1(argv, importMeta, {
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const targetName = cli.input[0] || 'socket';
@@ -13879,7 +14007,7 @@ async function postinstallWrapper() {
   const {
     bashRcPath,
     zshRcPath
-  } = constants;
+  } = constants.default;
   const socketWrapperEnabled = fs$1.existsSync(bashRcPath) && checkSocketWrapperSetup(bashRcPath) || fs$1.existsSync(zshRcPath) && checkSocketWrapperSetup(zshRcPath);
   if (!socketWrapperEnabled) {
     await setupShadowNpm(`
@@ -13935,7 +14063,7 @@ async function setupShadowNpm(query) {
     const {
       bashRcPath,
       zshRcPath
-    } = constants;
+    } = constants.default;
     try {
       if (fs$1.existsSync(bashRcPath)) {
         addSocketWrapper(bashRcPath);
@@ -14049,13 +14177,13 @@ async function run(argv, importMeta, {
     return;
   }
   if (dryRun) {
-    logger.logger.log(constants.DRY_RUN_BAILING_NOW);
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
   const {
     bashRcPath,
     zshRcPath
-  } = constants;
+  } = constants.default;
   if (enable) {
     if (fs$1.existsSync(bashRcPath) && !checkSocketWrapperSetup(bashRcPath)) {
       addSocketWrapper(bashRcPath);
@@ -14191,16 +14319,16 @@ void (async () => {
     authInfo: vendor.registryAuthTokenExports(registryUrl, {
       recursive: true
     }),
-    name: constants.SOCKET_CLI_BIN_NAME,
+    name: constants.default.SOCKET_CLI_BIN_NAME,
     registryUrl,
     ttl: 86_400_000 /* 24 hours in milliseconds */,
-    version: constants.ENV.INLINED_SOCKET_CLI_VERSION
+    version: constants.default.ENV.INLINED_SOCKET_CLI_VERSION
   });
   try {
     await utils.meowWithSubcommands(rootCommands, {
       aliases: rootAliases,
       argv: process.argv.slice(2),
-      name: constants.SOCKET_CLI_BIN_NAME,
+      name: constants.default.SOCKET_CLI_BIN_NAME,
       importMeta: {
         url: `${require$$0.pathToFileURL(__filename$1)}`
       }
@@ -14262,5 +14390,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=8481439d-81fb-4c40-8fb9-cbf6be031d3
+//# debugId=d759edd3-a3fb-4517-b02a-4526b3195d3
 //# sourceMappingURL=cli.js.map