@socketsecurity/cli-with-sentry 1.1.4 → 1.1.6

package/dist/cli.js

@@ -26,6 +26,7 @@ var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var require$$0$1 = require('node:crypto');
+var registryConstants = require('../external/@socketsecurity/registry/lib/constants');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -44,7 +45,7 @@ async function fetchOrgAnalyticsData(time, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgAnalytics(time.toString()), {
-    desc: 'analytics data'
+    description: 'analytics data'
   });
 }
 
@@ -61,7 +62,7 @@ async function fetchRepoAnalyticsData(repo, time, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getRepoAnalytics(repo, time.toString()), {
-    desc: 'analytics data'
+    description: 'analytics data'
   });
 }
 
@@ -73,7 +74,7 @@ const METRICS = ['total_critical_alerts', 'total_high_alerts', 'total_medium_ale
 // Note: This maps `new Date(date).getMonth()` to English three letters
 const Months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
 async function outputAnalytics(result, {
-  filePath,
+  filepath,
   outputKind,
   repo,
   scope,
@@ -92,10 +93,10 @@ async function outputAnalytics(result, {
   }
   if (outputKind === 'json') {
     const serialized = utils.serializeResultJson(result);
-    if (filePath) {
+    if (filepath) {
       try {
-        await fs.writeFile(filePath, serialized, 'utf8');
-        logger.logger.success(`Data successfully written to ${filePath}`);
+        await fs.writeFile(filepath, serialized, 'utf8');
+        logger.logger.success(`Data successfully written to ${filepath}`);
       } catch (e) {
         process.exitCode = 1;
         logger.logger.log(utils.serializeResultJson({
@@ -114,10 +115,10 @@ async function outputAnalytics(result, {
     const serialized = renderMarkdown(fdata, time, repo);
 
     // TODO: Do we want to write to file even if there was an error...?
-    if (filePath) {
+    if (filepath) {
       try {
-        await fs.writeFile(filePath, serialized, 'utf8');
-        logger.logger.success(`Data successfully written to ${filePath}`);
+        await fs.writeFile(filepath, serialized, 'utf8');
+        logger.logger.success(`Data successfully written to ${filepath}`);
       } catch (e) {
         logger.logger.error(e);
       }
@@ -208,7 +209,10 @@ function formatDataRepo(data) {
     }
   }
   const topFiveAlertEntries = Object.entries(totalTopAlerts).sort(([_keya, a], [_keyb, b]) => b - a).slice(0, 5);
-  for (const [key, value] of topFiveAlertEntries) {
+  for (const {
+    0: key,
+    1: value
+  } of topFiveAlertEntries) {
     sortedTopFiveAlerts[key] = value;
   }
   return {
@@ -246,7 +250,10 @@ function formatDataOrg(data) {
     }
   }
   const topFiveAlertEntries = Object.entries(totalTopAlerts).sort(([_keya, a], [_keyb, b]) => b - a).slice(0, 5);
-  for (const [key, value] of topFiveAlertEntries) {
+  for (const {
+    0: key,
+    1: value
+  } of topFiveAlertEntries) {
     sortedTopFiveAlerts[key] = value;
   }
   return {
@@ -283,7 +290,7 @@ function renderLineCharts(grid, screen, title, coords, data) {
 }
 
 async function handleAnalytics({
-  filePath,
+  filepath,
   outputKind,
   repo,
   scope,
@@ -308,7 +315,7 @@ async function handleAnalytics({
     };
   }
   await outputAnalytics(result, {
-    filePath,
+    filepath,
     outputKind,
     repo,
     scope,
@@ -336,6 +343,7 @@ async function run$Q(argv, importMeta, {
       ...flags.outputFlags,
       file: {
         type: 'string',
+        default: '',
         description: 'Path to store result, only valid with --json/--markdown'
       }
     },
@@ -397,7 +405,7 @@ async function run$Q(argv, importMeta, {
     time = cli.input[0];
   }
   const {
-    file,
+    file: filepath,
     json,
     markdown
   } = cli.flags;
@@ -408,7 +416,7 @@ async function run$Q(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -426,7 +434,7 @@ async function run$Q(argv, importMeta, {
     fail: 'invalid range set, see --help for command arg details.'
   }, {
     nook: true,
-    test: !file || !!json || !!markdown,
+    test: !filepath || !!json || !!markdown,
     message: 'The `--file` flag is only valid when using `--json` or `--markdown`',
     fail: 'bad'
   }, {
@@ -448,11 +456,11 @@ async function run$Q(argv, importMeta, {
     return;
   }
   return await handleAnalytics({
-    scope,
-    time: time === '90' ? 90 : time === '30' ? 30 : 7,
-    repo: repoName,
+    filepath,
     outputKind,
-    filePath: String(file || '')
+    repo: repoName,
+    scope,
+    time: time === '90' ? 90 : time === '30' ? 30 : 7
   });
 }
 
@@ -488,7 +496,7 @@ async function fetchAuditLog(config, options) {
     page: String(page),
     per_page: String(perPage)
   }), {
-    desc: `audit log for ${orgSlug}`
+    description: `audit log for ${orgSlug}`
   });
 }
 
@@ -503,7 +511,7 @@ async function outputAuditLog(result, {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
   }
-  if (outputKind === 'json') {
+  if (outputKind === constants.OUTPUT_JSON) {
     logger.logger.log(await outputAsJson(result, {
       logType,
       orgSlug,
@@ -515,7 +523,7 @@ async function outputAuditLog(result, {
     logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
     return;
   }
-  if (outputKind === 'markdown') {
+  if (outputKind === constants.OUTPUT_MARKDOWN) {
     logger.logger.log(await outputAsMarkdown(result.data, {
       logType,
       orgSlug,
@@ -814,6 +822,7 @@ async function run$P(argv, importMeta, {
     parentName
   });
   const {
+    interactive,
     json,
     markdown,
     org: orgFlag,
@@ -821,17 +830,18 @@ async function run$P(argv, importMeta, {
     perPage
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
-  const interactive = !!cli.flags['interactive'];
   const noLegacy = !cli.flags['type'];
   let [typeFilter = ''] = cli.input;
   typeFilter = String(typeFilter);
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -918,7 +928,7 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
     set_as_pending_head: String(pendingHead),
     tmp: String(tmp)
   }), {
-    desc: 'to create a scan'
+    description: 'to create a scan'
   });
 }
 
@@ -936,7 +946,7 @@ async function fetchSupportedScanFileNames(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
-    desc: 'supported scan file types',
+    description: 'supported scan file types',
     spinner
   });
 }
@@ -981,12 +991,12 @@ async function fetchScanData(orgSlug, scanId, options) {
   const {
     spinner
   } = constants.default;
-  function updateScan(desc) {
-    scanStatus = desc;
+  function updateScan(status) {
+    scanStatus = status;
     updateProgress();
   }
-  function updatePolicy(desc) {
-    policyStatus = desc;
+  function updatePolicy(status) {
+    policyStatus = status;
     updateProgress();
   }
   function updateProgress() {
@@ -1081,8 +1091,6 @@ async function fetchScanData(orgSlug, scanId, options) {
   };
 }
 
-const UNKNOWN_VALUE = '<unknown>';
-
 // Note: The returned cResult will only be ok:false when the generation
 //       failed. It won't reflect the healthy state.
 function generateReport(scan, securityPolicy, {
@@ -1131,9 +1139,9 @@ function generateReport(scan, securityPolicy, {
     scan.forEach(artifact => {
       const {
         alerts,
-        name: pkgName = UNKNOWN_VALUE,
+        name: pkgName = constants.UNKNOWN_VALUE,
         type: ecosystem,
-        version = UNKNOWN_VALUE
+        version = constants.UNKNOWN_VALUE
       } = artifact;
       alerts?.forEach(alert => {
         const alertName = alert.type; // => policy[type]
@@ -1244,7 +1252,7 @@ function addAlert(art, violations, fold, ecosystem, pkgName, version, alert, pol
       if (!pkgMap.has(version)) {
         pkgMap.set(version, new Map());
       }
-      const file = alert.file || UNKNOWN_VALUE;
+      const file = alert.file || constants.UNKNOWN_VALUE;
       const verMap = pkgMap.get(version);
       if (fold === constants.default.FOLD_SETTING_FILE) {
         const existing = verMap.get(file);
@@ -1315,7 +1323,7 @@ async function outputScanReport(result, {
     process.exitCode = result.code ?? 1;
   }
   if (!result.ok) {
-    if (outputKind === constants.JSON) {
+    if (outputKind === constants.OUTPUT_JSON) {
       logger.logger.log(utils.serializeResultJson(result));
       return;
     }
@@ -1331,11 +1339,11 @@ async function outputScanReport(result, {
     spinner: constants.default.spinner
   });
   if (!scanReport.ok) {
-    // Note: this means generation failed, it does not reflect the healthy state
+    // Note: This means generation failed, it does not reflect the healthy state.
     process.exitCode = scanReport.code ?? 1;
 
     // If report generation somehow failed then .data should not be set.
-    if (outputKind === constants.JSON) {
+    if (outputKind === constants.OUTPUT_JSON) {
       logger.logger.log(utils.serializeResultJson(scanReport));
       return;
     }
@@ -1343,13 +1351,13 @@ async function outputScanReport(result, {
     return;
   }
 
-  // I don't think we emit the default error message with banner for an unhealhty report, do we?
-  // if (!scanReport.data.healhty) {
+  // I don't think we emit the default error message with banner for an unhealthy report, do we?
+  // if (!scanReport.data.healthy) {
   //   logger.fail(failMsgWithBadge(scanReport.message, scanReport.cause))
   //   return
   // }
 
-  if (outputKind === constants.JSON || outputKind === constants.TEXT && filepath && filepath.endsWith(constants.EXT_JSON)) {
+  if (outputKind === constants.OUTPUT_JSON || outputKind === constants.OUTPUT_TEXT && filepath && filepath.endsWith(constants.EXT_JSON)) {
     const json = short ? utils.serializeResultJson(scanReport) : toJsonReport(scanReport.data, includeLicensePolicy);
     if (filepath && filepath !== '-') {
       logger.logger.log('Writing json report to', filepath);
@@ -1359,9 +1367,9 @@ async function outputScanReport(result, {
     return;
   }
   if (outputKind === 'markdown' || filepath && filepath.endsWith('.md')) {
-    const md = short ? `healthy = ${scanReport.data.healthy}` : toMarkdownReport(scanReport.data,
-    // not short so must be regular report
-    includeLicensePolicy);
+    const md = short ? `healthy = ${scanReport.data.healthy}` : toMarkdownReport(
+    // Not short so must be a regular report.
+    scanReport.data, includeLicensePolicy);
     if (filepath && filepath !== '-') {
       logger.logger.log('Writing markdown report to', filepath);
       return await fs.writeFile(filepath, md);
@@ -1550,7 +1558,7 @@ async function performReachabilityAnalysis(options) {
     ...options
   };
 
-  // Check if user has enterprise plan for reachability analysis
+  // Check if user has enterprise plan for reachability analysis.
   const orgsCResult = await utils.fetchOrganization();
   if (!orgsCResult.ok) {
     return {
@@ -1569,6 +1577,7 @@ async function performReachabilityAnalysis(options) {
       cause: `Please ${vendor.terminalLinkExports('upgrade your plan', 'https://socket.dev/pricing')}. This feature is only available for organizations with an enterprise plan.`
     };
   }
+  const wasSpinning = !!spinner?.isSpinning;
   let tarHash;
   if (uploadManifests && orgSlug && packagePaths) {
     // Setup SDK for uploading manifests
@@ -1577,14 +1586,13 @@ async function performReachabilityAnalysis(options) {
       return sockSdkCResult;
     }
     const sockSdk = sockSdkCResult.data;
-    const wasSpinning = !!spinner?.isSpinning;
 
     // Exclude any .socket.facts.json files that happen to be in the scan
     // folder before the analysis was run.
     const filepathsToUpload = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON);
     spinner?.start('Uploading manifests for reachability analysis...');
     const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload), {
-      desc: 'upload manifests',
+      description: 'upload manifests',
       spinner
     });
     spinner?.stop();
@@ -1634,7 +1642,6 @@ async function performReachabilityAnalysis(options) {
     spinner,
     stdio: 'inherit'
   });
-  const wasSpinning = !!spinner?.isSpinning;
   if (wasSpinning) {
     spinner.start();
   }
@@ -2638,7 +2645,10 @@ async function run$N(argv, importMeta, {
       $ ${command} defaultOrg
 
     Keys:
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+      0: key,
+      1: description
+    }) => `     - ${key} -- ${description}`).join('\n')}
   `
   };
   const cli = utils.meowOrExit({
@@ -2735,7 +2745,10 @@ const config$j = {
 
     KEY is an enum. Valid keys:
 
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+    0: key,
+    1: description
+  }) => `     - ${key} -- ${description}`).join('\n')}
 
     Examples
       $ ${command} defaultOrg
@@ -2993,7 +3006,10 @@ async function run$K(argv, importMeta, {
 
     Keys:
 
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+      0: key,
+      1: description
+    }) => `     - ${key} -- ${description}`).join('\n')}
 
     Examples
       $ ${command} apiProxy https://example.com
@@ -3111,7 +3127,10 @@ async function run$J(argv, importMeta, {
 
     Keys:
 
-${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${desc}`).join('\n')}
+${utils.getSupportedConfigEntries().map(({
+      0: key,
+      1: description
+    }) => `     - ${key} -- ${description}`).join('\n')}
 
     Examples
       $ ${command} defaultOrg
@@ -3246,10 +3265,10 @@ async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
   }
   return null;
 }
-async function getSocketPrs(owner, repo, options) {
-  return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
+async function getSocketFixPrs(owner, repo, options) {
+  return (await getSocketFixPrsWithContext(owner, repo, options)).map(d => d.match);
 }
-async function getSocketPrsWithContext(owner, repo, options) {
+async function getSocketFixPrsWithContext(owner, repo, options) {
   const {
     author,
     ghsaId,
@@ -3260,117 +3279,101 @@ async function getSocketPrsWithContext(owner, repo, options) {
   };
   const branchPattern = getSocketFixBranchPattern(ghsaId);
   const checkAuthor = strings.isNonEmptyString(author);
-  const octokit = utils.getOctokit();
   const octokitGraphql = utils.getOctokitGraphql();
   const contextualMatches = [];
-  const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
+  const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? [constants.GQL_PR_STATE_OPEN, constants.GQL_PR_STATE_CLOSED, constants.GQL_PR_STATE_MERGED] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
-    // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
-    // API quota usage. Fallback to REST if no matching PRs are found.
-    const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
-    const gqlResp = await utils.cacheFetch(gqlCacheKey, () => octokitGraphql(`
-          query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
-            repository(owner: $owner, name: $repo) {
-              pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
-                nodes {
-                  author {
-                    login
+    let hasNextPage = true;
+    let cursor = null;
+    let pageIndex = 0;
+    const gqlCacheKey = `${repo}-pr-graphql-snapshot-${states.join('-').toLowerCase()}`;
+    while (hasNextPage) {
+      // eslint-disable-next-line no-await-in-loop
+      const gqlResp = await utils.cacheFetch(`${gqlCacheKey}-page-${pageIndex}`, () => octokitGraphql(`
+              query($owner: String!, $repo: String!, $states: [PullRequestState!], $after: String) {
+                repository(owner: $owner, name: $repo) {
+                  pullRequests(first: 100, states: $states, after: $after, orderBy: {field: CREATED_AT, direction: DESC}) {
+                    pageInfo {
+                      hasNextPage
+                      endCursor
+                    }
+                    nodes {
+                      author {
+                        login
+                      }
+                      baseRefName
+                      headRefName
+                      mergeStateStatus
+                      number
+                      state
+                      title
+                    }
                   }
-                  baseRefName
-                  headRefName
-                  mergeStateStatus
-                  number
-                  state
-                  title
                 }
               }
+              `, {
+        owner,
+        repo,
+        states,
+        after: cursor
+      }));
+      const {
+        nodes,
+        pageInfo
+      } = gqlResp?.repository?.pullRequests ?? {
+        nodes: [],
+        pageInfo: {
+          hasNextPage: false,
+          endCursor: null
+        }
+      };
+      for (let i = 0, {
+          length
+        } = nodes; i < length; i += 1) {
+        const node = nodes[i];
+        const login = node.author?.login;
+        const matchesAuthor = checkAuthor ? login === author : true;
+        const matchesBranch = branchPattern.test(node.headRefName);
+        if (matchesAuthor && matchesBranch) {
+          contextualMatches.push({
+            context: {
+              apiType: 'graphql',
+              cacheKey: `${gqlCacheKey}-page-${pageIndex}`,
+              data: gqlResp,
+              entry: node,
+              index: i,
+              parent: nodes
+            },
+            match: {
+              ...node,
+              author: login ?? constants.UNKNOWN_VALUE
             }
-          }
-          `, {
-      owner,
-      repo,
-      states
-    }));
-    const nodes = gqlResp?.repository?.pullRequests?.nodes ?? [];
-    for (let i = 0, {
-        length
-      } = nodes; i < length; i += 1) {
-      const node = nodes[i];
-      const login = node.author?.login;
-      const matchesAuthor = checkAuthor ? login === author : true;
-      const matchesBranch = branchPattern.test(node.headRefName);
-      if (matchesAuthor && matchesBranch) {
-        contextualMatches.push({
-          context: {
-            apiType: 'graphql',
-            cacheKey: gqlCacheKey,
-            data: gqlResp,
-            entry: node,
-            index: i,
-            parent: nodes
-          },
-          match: {
-            ...node,
-            author: login ?? '<unknown>'
-          }
-        });
+          });
+        }
       }
-    }
-  } catch {}
-  if (contextualMatches.length) {
-    return contextualMatches;
-  }
 
-  // Fallback to REST if GraphQL found no matching PRs.
-  let allPrs;
-  const cacheKey = `${repo}-pull-requests`;
-  try {
-    allPrs = await utils.cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
-      owner,
-      repo,
-      state: 'all',
-      per_page: 100
-    }));
-  } catch {}
-  if (!allPrs) {
-    return contextualMatches;
-  }
-  for (let i = 0, {
-      length
-    } = allPrs; i < length; i += 1) {
-    const pr = allPrs[i];
-    const login = pr.user?.login;
-    const headRefName = pr.head.ref;
-    const matchesAuthor = checkAuthor ? login === author : true;
-    const matchesBranch = branchPattern.test(headRefName);
-    if (matchesAuthor && matchesBranch) {
-      // Upper cased mergeable_state is equivalent to mergeStateStatus.
-      // https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request
-      const mergeStateStatus = pr.mergeable_state?.toUpperCase?.() ?? 'UNKNOWN';
-      // The REST API does not have a distinct merged state for pull requests.
-      // Instead, a merged pull request is represented as a closed pull request
-      // with a non-null merged_at timestamp.
-      const state = pr.merged_at ? 'MERGED' : pr.state.toUpperCase();
-      contextualMatches.push({
-        context: {
-          apiType: 'rest',
-          cacheKey,
-          data: allPrs,
-          entry: pr,
-          index: i,
-          parent: allPrs
-        },
-        match: {
-          author: login ?? '<unknown>',
-          baseRefName: pr.base.ref,
-          headRefName,
-          mergeStateStatus,
-          number: pr.number,
-          state,
-          title: pr.title
-        }
-      });
+      // Continue to next page.
+      hasNextPage = pageInfo.hasNextPage;
+      cursor = pageInfo.endCursor;
+      pageIndex += 1;
+
+      // Safety limit to prevent infinite loops.
+      if (pageIndex === constants.GQL_PAGE_SENTINEL) {
+        require$$9.debugFn('warn', `GraphQL pagination reached safety limit (${constants.GQL_PAGE_SENTINEL} pages) for ${owner}/${repo}`);
+        break;
+      }
+
+      // Early exit optimization: if we found matches and only looking for specific GHSA,
+      // we can stop pagination since we likely found what we need.
+      if (contextualMatches.length > 0 && ghsaId) {
+        break;
+      }
     }
+  } catch (e) {
+    require$$9.debugFn('error', `GraphQL pagination failed for ${owner}/${repo}`);
+    require$$9.debugDir('inspect', {
+      error: e
+    });
   }
   return contextualMatches;
 }
@@ -3418,7 +3421,7 @@ async function getFixEnv() {
     }
     repoInfo = await utils.getRepoInfo();
   }
-  const prs = isCi && repoInfo ? await getSocketPrs(repoInfo.owner, repoInfo.repo, {
+  const prs = isCi && repoInfo ? await getSocketFixPrs(repoInfo.owner, repoInfo.repo, {
     author: gitUser,
     states: 'all'
   }) : [];
@@ -3435,7 +3438,7 @@ async function getFixEnv() {
 
 async function coanaFix(fixConfig) {
   const {
-    autoMerge,
+    autopilot,
     cwd,
     ghsas,
     limit,
@@ -3463,7 +3466,7 @@ async function coanaFix(fixConfig) {
     cwd
   });
   const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, scanFilepaths), {
-    desc: 'upload manifests',
+    description: 'upload manifests',
     spinner
   });
   if (!uploadCResult.ok) {
@@ -3504,18 +3507,40 @@ async function coanaFix(fixConfig) {
       }
     } : fixCResult;
   }
+
+  // Adjust limit based on open Socket Fix PRs.
+  let adjustedLimit = limit;
+  if (shouldOpenPrs && fixEnv.repoInfo) {
+    try {
+      const openPrs = await getSocketFixPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
+        states: constants.GQL_PR_STATE_OPEN
+      });
+      const openPrCount = openPrs.length;
+      // Reduce limit by number of open PRs to avoid creating too many.
+      adjustedLimit = Math.max(0, limit - openPrCount);
+      if (openPrCount > 0) {
+        require$$9.debugFn('notice', `limit: adjusted from ${limit} to ${adjustedLimit} (${openPrCount} open Socket Fix ${words.pluralize('PR', openPrCount)}`);
+      }
+    } catch (e) {
+      require$$9.debugFn('warn', 'Failed to count open PRs, using original limit');
+      require$$9.debugDir('inspect', {
+        error: e
+      });
+    }
+  }
+  const shouldSpawnCoana = adjustedLimit > 0;
   let ids;
-  if (isAll) {
+  if (shouldSpawnCoana && isAll) {
     const foundCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner
     });
     if (foundCResult.ok) {
       const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
-      ids = foundIds.slice(0, limit);
+      ids = foundIds.slice(0, adjustedLimit);
     }
-  } else {
-    ids = ghsas.slice(0, limit);
+  } else if (shouldSpawnCoana) {
+    ids = ghsas.slice(0, adjustedLimit);
   }
   if (!ids?.length) {
     require$$9.debugFn('notice', 'miss: no GHSA IDs to process');
@@ -3539,7 +3564,7 @@ async function coanaFix(fixConfig) {
   let count = 0;
   let overallFixed = false;
 
-  // Process each GHSA ID individually, similar to npm-fix/pnpm-fix.
+  // Process each GHSA ID individually.
   ghsaLoop: for (let i = 0, {
       length
     } = ids; i < length; i += 1) {
@@ -3554,7 +3579,7 @@ async function coanaFix(fixConfig) {
       stdio: 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || 'Unknown error'}`);
+      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || constants.UNKNOWN_ERROR}`);
       continue ghsaLoop;
     }
 
@@ -3620,7 +3645,7 @@ async function coanaFix(fixConfig) {
         } = prResponse;
         const prRef = `PR #${data.number}`;
         logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
-        if (autoMerge) {
+        if (autopilot) {
           logger.logger.indent();
           spinner?.indent();
           // eslint-disable-next-line no-await-in-loop
@@ -3655,8 +3680,8 @@ async function coanaFix(fixConfig) {
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     }
     count += 1;
-    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(limit, ids.length)}`);
-    if (count >= limit) {
+    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(adjustedLimit, ids.length)}`);
+    if (count >= adjustedLimit) {
       break ghsaLoop;
     }
   }
@@ -3686,7 +3711,7 @@ async function outputFixResult(result, outputKind) {
 }
 
 async function handleFix({
-  autoMerge,
+  autopilot,
   cwd,
   ghsas,
   limit,
@@ -3694,15 +3719,12 @@ async function handleFix({
   orgSlug,
   outputKind,
   prCheck,
-  purls,
   rangeStyle,
   spinner,
-  test,
-  testScript,
   unknownFlags
 }) {
   await outputFixResult(await coanaFix({
-    autoMerge,
+    autopilot,
     cwd,
     ghsas,
     limit,
@@ -3723,7 +3745,7 @@ const cmdFix = {
   run: run$I
 };
 const generalFlags$2 = {
-  autoMerge: {
+  autopilot: {
     type: 'boolean',
     default: false,
     description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
@@ -3757,10 +3779,8 @@ Available styles:
   }
 };
 const hiddenFlags = {
-  autopilot: {
-    type: 'boolean',
-    default: false,
-    description: `Shorthand for --auto-merge --test`,
+  autoMerge: {
+    ...generalFlags$2['autopilot'],
     hidden: true
   },
   ghsa: {
@@ -3841,11 +3861,20 @@ async function run$I(argv, importMeta, {
     importMeta,
     parentName
   });
+  const {
+    autopilot,
+    json,
+    limit,
+    markdown,
+    maxSatisfying,
+    prCheck,
+    rangeStyle,
+    // We patched in this feature with `npx custompatch meow` at
+    // socket-cli/patches/meow#13.2.0.patch.
+    unknownFlags = []
+  } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
-  let rangeStyle = cli.flags['rangeStyle'];
-  if (!rangeStyle) {
-    rangeStyle = 'preserve';
-  }
+  const minSatisfying = cli.flags['minSatisfying'] || !maxSatisfying;
   const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
   const purls = [];
   for (const purl of rawPurls) {
@@ -3863,14 +3892,14 @@ async function run$I(argv, importMeta, {
     logger.logger.fail('No valid --purl values provided.');
     return;
   }
-  const outputKind = utils.getOutputKind(cli.flags['json'], cli.flags['markdown']);
+  const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
     message: `Expecting range style of ${arrays.joinOr(utils.RangeStyles)}`,
     fail: 'invalid'
   }, {
     nook: true,
-    test: !cli.flags['json'] || !cli.flags['markdown'],
+    test: !json || !markdown,
     message: 'The json and markdown flags cannot be both set, pick one',
     fail: 'omit one'
   });
@@ -3892,26 +3921,12 @@ async function run$I(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  let autoMerge = Boolean(cli.flags['autoMerge']);
-  let test = Boolean(cli.flags['test']);
-  if (cli.flags['autopilot']) {
-    autoMerge = true;
-    test = true;
-  }
   const {
     spinner
   } = constants.default;
-  // We patched in this feature with `npx custompatch meow` at
-  // socket-cli/patches/meow#13.2.0.patch.
-  const unknownFlags = cli.unknownFlags ?? [];
   const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa'])]);
-  const limit = Number(cli.flags['limit']) || DEFAULT_LIMIT;
-  const maxSatisfying = Boolean(cli.flags['maxSatisfying']);
-  const minSatisfying = Boolean(cli.flags['minSatisfying']) || !maxSatisfying;
-  const prCheck = Boolean(cli.flags['prCheck']);
-  const testScript = String(cli.flags['testScript'] || 'test');
   await handleFix({
-    autoMerge,
+    autopilot,
     cwd,
     ghsas,
     limit,
@@ -3919,11 +3934,8 @@ async function run$I(argv, importMeta, {
     prCheck,
     orgSlug,
     outputKind,
-    purls,
     rangeStyle,
     spinner,
-    test,
-    testScript,
     unknownFlags
   });
 }
@@ -4216,7 +4228,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   }
   const sockSdk = sockSdkCResult.data;
   const orgsCResult = await utils.fetchOrganization({
-    desc: 'token verification',
+    description: 'token verification',
     sdk: sockSdk
   });
   if (!orgsCResult.ok) {
@@ -4339,10 +4351,12 @@ async function run$F(argv, importMeta, {
       ...flags.commonFlags,
       apiBaseUrl: {
         type: 'string',
+        default: '',
         description: 'API server to connect to for login'
       },
       apiProxy: {
         type: 'string',
+        default: '',
         description: 'Proxy to use when making connection to API server'
       }
     },
@@ -4377,8 +4391,10 @@ async function run$F(argv, importMeta, {
   if (!vendor.isInteractiveExports()) {
     throw new utils.InputError('Cannot prompt for credentials in a non-interactive shell. Use SOCKET_CLI_API_TOKEN environment variable instead');
   }
-  const apiBaseUrl = cli.flags['apiBaseUrl'];
-  const apiProxy = cli.flags['apiProxy'];
+  const {
+    apiBaseUrl,
+    apiProxy
+  } = cli.flags;
   await attemptLogin(apiBaseUrl, apiProxy);
 }
 
@@ -7227,7 +7243,7 @@ async function fetchDependencies(config, options) {
     limit,
     offset
   }), {
-    desc: 'organization dependencies'
+    description: 'organization dependencies'
   });
 }
 
@@ -7404,7 +7420,7 @@ async function fetchLicensePolicy(orgSlug, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgLicensePolicy(orgSlug), {
-    desc: 'organization license policy'
+    description: 'organization license policy'
   });
 }
 
@@ -7501,7 +7517,9 @@ async function run$q(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -7537,7 +7555,7 @@ async function fetchSecurityPolicy(orgSlug, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgSecurityPolicy(orgSlug), {
-    desc: 'organization security policy'
+    description: 'organization security policy'
   });
 }
 
@@ -7635,7 +7653,9 @@ async function run$p(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -7816,7 +7836,7 @@ async function fetchQuota(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getQuota(), {
-    desc: 'token quota'
+    description: 'token quota'
   });
 }
 
@@ -8286,7 +8306,7 @@ async function fetchPurlsShallowScore(purls, options) {
   }, {
     alerts: 'true'
   }), {
-    desc: 'looking up package'
+    description: 'looking up package'
   });
   if (!batchPackageCResult.ok) {
     return batchPackageCResult;
@@ -8705,7 +8725,7 @@ async function outputPatchResult(result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
   }
-  if (outputKind === 'json') {
+  if (outputKind === constants.OUTPUT_JSON) {
     logger.logger.log(utils.serializeResultJson(result));
     return;
   }
@@ -8716,27 +8736,45 @@ async function outputPatchResult(result, outputKind) {
   const {
     patched
   } = result.data;
+  logger.logger.log('');
   if (patched.length) {
-    logger.logger.group(`Successfully processed patches for ${patched.length} package(s):`);
+    logger.logger.group(`Successfully processed patches for ${patched.length} ${words.pluralize('package', patched.length)}:`);
     for (const pkg of patched) {
       logger.logger.success(pkg);
     }
     logger.logger.groupEnd();
   } else {
-    logger.logger.info('No packages found requiring patches');
+    logger.logger.warn('No packages found requiring patches');
   }
   logger.logger.log('');
   logger.logger.success('Patch command completed!');
 }
 
-async function applyNPMPatches(patches, purlObjs, socketDir, dryRun) {
+async function applyNpmPatches(socketDir, patches, options) {
+  const {
+    cwd = process.cwd(),
+    dryRun = false,
+    purlObjs,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const wasSpinning = !!spinner?.isSpinning;
+  spinner?.start();
   const patchLookup = new Map();
   for (const patchInfo of patches) {
-    const key = getLookupKey(patchInfo.purlObj);
-    patchLookup.set(key, patchInfo);
+    patchLookup.set(patchInfo.purl, patchInfo);
   }
-  const nmPaths = await findNodeModulesPaths(process.cwd());
-  logger.logger.log(`Found ${nmPaths.length} node_modules ${words.pluralize('folder', nmPaths.length)}`);
+  const nmPaths = await findNodeModulesPaths(cwd);
+  spinner?.stop();
+  logger.logger.log(`Found ${nmPaths.length} ${constants.NODE_MODULES} ${words.pluralize('folder', nmPaths.length)}`);
+  logger.logger.group('');
+  spinner?.start();
+  const result = {
+    passed: [],
+    failed: []
+  };
   for (const nmPath of nmPaths) {
     // eslint-disable-next-line no-await-in-loop
     const dirNames = await fs$2.readDirNames(nmPath);
@@ -8746,44 +8784,66 @@ async function applyNPMPatches(patches, purlObjs, socketDir, dryRun) {
       const pkgSubNames = isScoped ?
       // eslint-disable-next-line no-await-in-loop
       await fs$2.readDirNames(pkgPath) : [dirName];
-      try {
-        for (const pkgSubName of pkgSubNames) {
-          const dirFullName = isScoped ? `${dirName}/${pkgSubName}` : pkgSubName;
-          const pkgPath = path.join(nmPath, dirFullName);
+      for (const pkgSubName of pkgSubNames) {
+        const dirFullName = isScoped ? `${dirName}/${pkgSubName}` : pkgSubName;
+        const pkgPath = path.join(nmPath, dirFullName);
+        // eslint-disable-next-line no-await-in-loop
+        const pkgJson = await packages.readPackageJson(pkgPath, {
+          throws: false
+        });
+        if (!strings.isNonEmptyString(pkgJson?.name) || !strings.isNonEmptyString(pkgJson?.version)) {
+          continue;
+        }
+        const purl = `pkg:npm/${pkgJson.name}@${pkgJson.version}`;
+        const purlObj = utils.getPurlObject(purl, {
+          throws: false
+        });
+        if (!purlObj) {
+          continue;
+        }
+
+        // Skip if specific packages requested and this isn't one of them
+        if (purlObjs?.length && purlObjs.findIndex(p => p.type === constants.NPM && p.namespace === purlObj.namespace && p.name === purlObj.name) === -1) {
+          continue;
+        }
+        const patchInfo = patchLookup.get(purl);
+        if (!patchInfo) {
+          continue;
+        }
+        spinner?.stop();
+        logger.logger.log(`Found match: ${pkgJson.name}@${pkgJson.version} at ${pkgPath}`);
+        logger.logger.log(`Patch key: ${patchInfo.key}`);
+        logger.logger.group(`Processing files:`);
+        spinner?.start();
+        let passed = true;
+        for (const {
+          0: fileName,
+          1: fileInfo
+        } of Object.entries(patchInfo.patch.files)) {
           // eslint-disable-next-line no-await-in-loop
-          const pkgJson = await packages.readPackageJson(pkgPath, {
-            throws: false
+          const filePatchPassed = await processFilePatch(pkgPath, fileName, fileInfo, socketDir, {
+            dryRun,
+            spinner
           });
-          if (!strings.isNonEmptyString(pkgJson?.name) || !strings.isNonEmptyString(pkgJson?.version)) {
-            continue;
-          }
-          const pkgFullName = pkgJson.name;
-          const purlObj = utils.getPurlObject(`pkg:npm/${pkgFullName}`);
-          // Skip if specific packages requested and this isn't one of them
-          if (purlObjs.findIndex(p => p.type === 'npm' && p.namespace === purlObj.namespace && p.name === purlObj.name) === -1) {
-            continue;
-          }
-          const patchInfo = patchLookup.get(getLookupKey(purlObj));
-          if (!patchInfo) {
-            continue;
-          }
-          logger.logger.log(`Found match: ${pkgFullName}@${pkgJson.version} at ${pkgPath}`);
-          logger.logger.log(`Patch key: ${patchInfo.key}`);
-          logger.logger.group(`Processing files:`);
-          for (const {
-            0: fileName,
-            1: fileInfo
-          } of Object.entries(patchInfo.patch.files)) {
-            // eslint-disable-next-line no-await-in-loop
-            await processFilePatch(pkgPath, fileName, fileInfo, dryRun, socketDir);
+          if (!filePatchPassed) {
+            passed = false;
           }
-          logger.logger.groupEnd();
         }
-      } catch (error) {
-        logger.logger.error(`Error processing ${nmPath}:`, error);
+        logger.logger.groupEnd();
+        if (passed) {
+          result.passed.push(purl);
+        } else {
+          result.failed.push(purl);
+        }
       }
     }
   }
+  spinner?.stop();
+  logger.logger.groupEnd();
+  if (wasSpinning) {
+    spinner.start();
+  }
+  return result;
 }
 async function computeSHA256(filepath) {
   try {
@@ -8805,52 +8865,101 @@ async function findNodeModulesPaths(cwd) {
   return await vendor.outExports.glob([`**/${constants.NODE_MODULES}`], {
     absolute: true,
     cwd: path.dirname(rootNmPath),
+    dot: true,
     onlyDirectories: true
   });
 }
-function getLookupKey(purlObj) {
-  const fullName = purlObj.namespace ? `${purlObj.namespace}/${purlObj.name}` : purlObj.name;
-  return `${fullName}@${purlObj.version}`;
-}
-async function processFilePatch(pkgPath, fileName, fileInfo, dryRun, socketDir) {
+async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options) {
+  const {
+    dryRun,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const wasSpinning = !!spinner?.isSpinning;
+  spinner?.stop();
   const filepath = path.join(pkgPath, fileName);
   if (!fs$1.existsSync(filepath)) {
     logger.logger.log(`File not found: ${fileName}`);
-    return;
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
   }
   const currentHash = await computeSHA256(filepath);
   if (!currentHash) {
     logger.logger.log(`Failed to compute hash for: ${fileName}`);
-    return;
-  }
-  if (currentHash === fileInfo.beforeHash) {
-    logger.logger.success(`File matches expected hash: ${fileName}`);
-    logger.logger.log(`Current hash: ${currentHash}`);
-    logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
-    if (dryRun) {
-      logger.logger.log(`(dry run - no changes made)`);
-    } else {
-      const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
-      if (!fs$1.existsSync(blobPath)) {
-        logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
-        return;
-      }
-      try {
-        await fs$1.promises.copyFile(blobPath, filepath);
-        logger.logger.success(`Patch applied successfully`);
-      } catch (error) {
-        logger.logger.error('Error applying patch:', error);
-      }
+    if (wasSpinning) {
+      spinner?.start();
     }
-  } else if (currentHash === fileInfo.afterHash) {
+    return false;
+  }
+  if (currentHash === fileInfo.afterHash) {
     logger.logger.success(`File already patched: ${fileName}`);
+    logger.logger.group();
     logger.logger.log(`Current hash: ${currentHash}`);
-  } else {
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return true;
+  }
+  if (currentHash !== fileInfo.beforeHash) {
     logger.logger.fail(`File hash mismatch: ${fileName}`);
+    logger.logger.group();
     logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
     logger.logger.log(`Current:  ${currentHash}`);
     logger.logger.log(`Target:   ${fileInfo.afterHash}`);
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
   }
+  logger.logger.success(`File matches expected hash: ${fileName}`);
+  logger.logger.group();
+  logger.logger.log(`Current hash: ${currentHash}`);
+  logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
+  logger.logger.group();
+  if (dryRun) {
+    logger.logger.log(`(dry run - no changes made)`);
+    logger.logger.groupEnd();
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
+  }
+  const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
+  if (!fs$1.existsSync(blobPath)) {
+    logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
+    logger.logger.groupEnd();
+    logger.logger.groupEnd();
+    if (wasSpinning) {
+      spinner?.start();
+    }
+    return false;
+  }
+  spinner?.start();
+  let result = true;
+  try {
+    await fs$1.promises.copyFile(blobPath, filepath);
+    logger.logger.success(`Patch applied successfully`);
+  } catch (e) {
+    logger.logger.error('Error applying patch');
+    require$$9.debugDir('inspect', {
+      error: e
+    });
+    result = false;
+  }
+  logger.logger.groupEnd();
+  logger.logger.groupEnd();
+  spinner?.stop();
+  if (wasSpinning) {
+    spinner?.start();
+  }
+  return result;
 }
 async function handlePatch({
   cwd,
@@ -8860,7 +8969,7 @@ async function handlePatch({
   spinner
 }) {
   try {
-    const dotSocketDirPath = path.join(cwd, '.socket');
+    const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
     const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
     const manifestContent = await fs$1.promises.readFile(manifestPath, 'utf-8');
     const manifestData = JSON.parse(manifestContent);
@@ -8873,7 +8982,11 @@ async function handlePatch({
       0: key,
       1: patch
     } of Object.entries(validated.patches)) {
-      const purlObj = utils.getPurlObject(key, {
+      const purl = utils.normalizePurl(key);
+      if (purls.length && !purls.includes(purl)) {
+        continue;
+      }
+      const purlObj = utils.getPurlObject(purl, {
         throws: false
       });
       if (!purlObj) {
@@ -8887,46 +9000,50 @@ async function handlePatch({
       patches.push({
         key,
         patch,
+        purl,
         purlObj
       });
     }
-    spinner.stop();
-    logger.logger.log('');
-    if (purlObjs.length) {
-      logger.logger.info(`Checking patches for: ${arrays.joinAnd(purls)}`);
+    if (purls.length) {
+      spinner.start(`Checking patches for: ${arrays.joinAnd(purls)}`);
     } else {
-      logger.logger.info('Scanning all dependencies for available patches');
+      spinner.start('Scanning all dependencies for available patches');
     }
-    logger.logger.log('');
+    const patched = [];
     const npmPatches = patchesByEcosystem.get(constants.NPM);
     if (npmPatches) {
-      await applyNPMPatches(npmPatches, purlObjs, dotSocketDirPath, dryRun);
+      const patchingResults = await applyNpmPatches(dotSocketDirPath, npmPatches, {
+        cwd,
+        dryRun,
+        purlObjs,
+        spinner
+      });
+      patched.push(...patchingResults.passed);
     }
-    const result = {
+    spinner.stop();
+    await outputPatchResult({
       ok: true,
       data: {
-        patched: purls.length ? purls : ['patched successfully']
+        patched
       }
-    };
-    await outputPatchResult(result, outputKind);
+    }, outputKind);
   } catch (e) {
     spinner.stop();
     let message = 'Failed to apply patches';
-    let cause = e?.message || 'Unknown error';
+    let cause = e?.message || constants.UNKNOWN_ERROR;
     if (e instanceof SyntaxError) {
-      message = 'Invalid JSON in manifest.json';
+      message = `Invalid JSON in ${registryConstants.MANIFEST_JSON}`;
       cause = e.message;
     } else if (e instanceof Error && 'issues' in e) {
       message = 'Schema validation failed';
       cause = String(e);
     }
-    const result = {
+    await outputPatchResult({
       ok: false,
       code: 1,
       message,
       cause
-    };
-    await outputPatchResult(result, outputKind);
+    }, outputKind);
   }
 }
 
@@ -8994,14 +9111,15 @@ async function run$k(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  const dotSocketDirPath = path.join(cwd, '.socket');
+  const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
   if (!fs$1.existsSync(dotSocketDirPath)) {
-    logger.logger.error('Error: No .socket directory found in current directory');
+    logger.logger.error(`Error: No ${constants.DOT_SOCKET} directory found in current directory`);
     return;
   }
-  const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
+  const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
   if (!fs$1.existsSync(manifestPath)) {
-    logger.logger.error('Error: No manifest.json found in .socket directory');
+    logger.logger.error(`Error: No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
+    return;
   }
   const {
     spinner
@@ -9171,7 +9289,7 @@ async function fetchCreateRepo(config, options) {
     name: repoName,
     visibility
   }), {
-    desc: 'to create a repository'
+    description: 'to create a repository'
   });
 }
 
@@ -9293,7 +9411,9 @@ async function run$h(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -9303,7 +9423,7 @@ async function run$h(argv, importMeta, {
   }, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     test: !!repoName,
@@ -9345,7 +9465,7 @@ async function fetchDeleteRepo(orgSlug, repoName, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.deleteOrgRepo(orgSlug, repoName), {
-    desc: 'to delete a repository'
+    description: 'to delete a repository'
   });
 }
 
@@ -9427,12 +9547,14 @@ async function run$g(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -9492,7 +9614,7 @@ async function fetchListAllRepos(orgSlug, options) {
       // max
       page: String(nextPage)
     }), {
-      desc: 'list of repositories'
+      description: 'list of repositories'
     });
     if (!orgRepoListCResult.ok) {
       return orgRepoListCResult;
@@ -9537,7 +9659,7 @@ async function fetchListRepos(config, options) {
     per_page: String(perPage),
     page: String(page)
   }), {
-    desc: 'list of repositories'
+    description: 'list of repositories'
   });
 }
 
@@ -9717,7 +9839,9 @@ async function run$f(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -9789,7 +9913,7 @@ async function fetchUpdateRepo(config, options) {
     orgSlug,
     visibility
   }), {
-    desc: 'to update a repository'
+    description: 'to update a repository'
   });
 }
 
@@ -9910,12 +10034,14 @@ async function run$e(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -9962,7 +10088,7 @@ async function fetchViewRepo(orgSlug, repoName, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgRepo(orgSlug, repoName), {
-    desc: 'repository data'
+    description: 'repository data'
   });
 }
 
@@ -10070,12 +10196,14 @@ async function run$d(argv, importMeta, {
   const noLegacy = !cli.flags['repoName'];
   const [repoName = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -10191,29 +10319,31 @@ const generalFlags$1 = {
   },
   branch: {
     type: 'string',
-    shortFlag: 'b',
-    description: 'Branch name'
+    default: '',
+    description: 'Branch name',
+    shortFlag: 'b'
   },
   commitHash: {
     type: 'string',
-    shortFlag: 'ch',
     default: '',
-    description: 'Commit hash'
+    description: 'Commit hash',
+    shortFlag: 'ch'
   },
   commitMessage: {
     type: 'string',
-    shortFlag: 'm',
     default: '',
-    description: 'Commit message'
+    description: 'Commit message',
+    shortFlag: 'm'
   },
   committers: {
     type: 'string',
-    shortFlag: 'c',
     default: '',
-    description: 'Committers'
+    description: 'Committers',
+    shortFlag: 'c'
   },
   cwd: {
     type: 'string',
+    default: '',
     description: 'working directory, defaults to process.cwd()'
   },
   defaultBranch: {
@@ -10228,11 +10358,13 @@ const generalFlags$1 = {
   },
   pullRequest: {
     type: 'number',
-    shortFlag: 'pr',
-    description: 'Pull request number'
+    default: 0,
+    description: 'Pull request number',
+    shortFlag: 'pr'
   },
   org: {
     type: 'string',
+    default: '',
     description: 'Force override the organization slug, overrides the default org from config'
   },
   reach: {
@@ -10262,14 +10394,14 @@ const generalFlags$1 = {
   setAsAlertsPage: {
     type: 'boolean',
     default: true,
-    aliases: ['pendingHead'],
-    description: 'When true and if this is the "default branch" then this Scan will be the one reflected on your alerts page. See help for details. Defaults to true.'
+    description: 'When true and if this is the "default branch" then this Scan will be the one reflected on your alerts page. See help for details. Defaults to true.',
+    aliases: ['pendingHead']
   },
   tmp: {
     type: 'boolean',
-    shortFlag: 't',
     default: false,
-    description: 'Set the visibility (true/false) of the scan in your dashboard.'
+    description: 'Set the visibility (true/false) of the scan in your dashboard.',
+    shortFlag: 't'
   }
 };
 const cmdScanCreate = {
@@ -10383,9 +10515,11 @@ async function run$c(argv, importMeta, {
     repo: repoName,
     report
   } = cli.flags;
-  let [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  let {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const processCwd = process.cwd();
-  const cwd = cwdOverride && cwdOverride !== processCwd ? path.resolve(processCwd, String(cwdOverride)) : processCwd;
+  const cwd = cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd ? path.resolve(processCwd, cwdOverride) : processCwd;
   const sockJson = utils.readOrDefaultSocketJson(cwd);
 
   // Note: This needs meow booleanDefault=undefined.
@@ -10571,7 +10705,7 @@ async function fetchDeleteOrgFullScan(orgSlug, scanId, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.deleteOrgFullScan(orgSlug, scanId), {
-    desc: 'to delete a scan'
+    description: 'to delete a scan'
   });
 }
 
@@ -10820,7 +10954,10 @@ async function handleMarkdown(data) {
   logger.logger.log('');
   logger.logger.log('This Scan was considered to be the "base" / "from" / "before" Scan.');
   logger.logger.log('');
-  for (const [key, value] of Object.entries(data.before)) {
+  for (const {
+    0: key,
+    1: value
+  } of Object.entries(data.before)) {
     if (key === 'pull_request' && !value) {
       continue;
     }
@@ -10834,7 +10971,10 @@ async function handleMarkdown(data) {
   logger.logger.log('');
   logger.logger.log('This Scan was considered to be the "head" / "to" / "after" Scan.');
   logger.logger.log('');
-  for (const [key, value] of Object.entries(data.after)) {
+  for (const {
+    0: key,
+    1: value
+  } of Object.entries(data.after)) {
     if (key === 'pull_request' && !value) {
       continue;
     }
@@ -10954,7 +11094,9 @@ async function run$a(argv, importMeta, {
     id2 = id2.slice(SOCKET_SBOM_URL_PREFIX_LENGTH);
   }
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: !!(id1 && id2),
@@ -11677,10 +11819,12 @@ async function run$9(argv, importMeta, {
       },
       githubToken: {
         type: 'string',
+        default: constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN,
         description: 'Required GitHub token for authentication.\nMay set environment variable GITHUB_TOKEN or SOCKET_CLI_GITHUB_TOKEN instead.'
       },
       githubApiUrl: {
         type: 'string',
+        default: DEFAULT_GITHUB_URL,
         description: `Base URL of the GitHub API (default: ${DEFAULT_GITHUB_URL})`
       },
       interactive: {
@@ -11690,14 +11834,17 @@ async function run$9(argv, importMeta, {
       },
       org: {
         type: 'string',
+        default: '',
         description: 'Force override the organization slug, overrides the default org from config'
       },
       orgGithub: {
         type: 'string',
+        default: '',
         description: 'Alternate GitHub Org if the name is different than the Socket Org'
       },
       repos: {
         type: 'string',
+        default: '',
         description: 'List of repos to target in a comma-separated format (e.g., repo1,repo2). If not specified, the script will pull the list from Socket and ask you to pick one. Use --all to use them all.'
       }
     },
@@ -11752,7 +11899,9 @@ async function run$9(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  let [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  let {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const sockJson = utils.readOrDefaultSocketJson(cwd);
   if (all === undefined) {
     if (sockJson.defaults?.scan?.github?.all !== undefined) {
@@ -11886,7 +12035,7 @@ async function fetchOrgFullScanList(config, options) {
     page: String(page),
     per_page: String(perPage)
   }), {
-    desc: 'list of scans'
+    description: 'list of scans'
   });
 }
 
@@ -12066,12 +12215,14 @@ async function run$8(argv, importMeta, {
   const [repo = '', branchArg = ''] = cli.input;
   const branch = String(branchFlag || branchArg || '');
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: 'Legacy flags are no longer supported. See v1 migration guide.',
+    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -12127,7 +12278,7 @@ async function fetchScanMetadata(orgSlug, scanId, options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getOrgFullScanMetadata(orgSlug, scanId), {
-    desc: 'meta data for a full scan'
+    description: 'meta data for a full scan'
   });
 }
 
@@ -12147,7 +12298,10 @@ async function outputScanMetadata(result, scanId, outputKind) {
     logger.logger.log('# Scan meta data\n');
   }
   logger.logger.log(`Scan ID: ${scanId}\n`);
-  for (const [key, value] of Object.entries(result.data)) {
+  for (const {
+    0: key,
+    1: value
+  } of Object.entries(result.data)) {
     if (['id', 'updated_at', 'organization_id', 'repository_id', 'commit_hash', 'html_report_url'].includes(key)) {
       continue;
     }
@@ -12223,7 +12377,9 @@ async function run$7(argv, importMeta, {
   const interactive = !!cli.flags['interactive'];
   const [scanId = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -12338,10 +12494,12 @@ const generalFlags = {
   ...flags.outputFlags,
   cwd: {
     type: 'string',
+    default: '',
     description: 'working directory, defaults to process.cwd()'
   },
   org: {
     type: 'string',
+    default: '',
     description: 'Force override the organization slug, overrides the default org from config'
   }
 };
@@ -12420,7 +12578,7 @@ async function run$6(argv, importMeta, {
     reachEcosystems.push(ecosystem);
   }
   const processCwd = process.cwd();
-  const cwd = cwdOverride && cwdOverride !== processCwd ? path.resolve(processCwd, String(cwdOverride)) : processCwd;
+  const cwd = cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd ? path.resolve(processCwd, cwdOverride) : processCwd;
 
   // Accept zero or more paths. Default to cwd() if none given.
   let targets = cli.input || [cwd];
@@ -12429,7 +12587,9 @@ async function run$6(argv, importMeta, {
   if (!targets.length && !dryRun && interactive) {
     targets = await suggestTarget();
   }
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(orgFlag, interactive, dryRun);
   const hasApiToken = utils.hasDefaultApiToken();
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
@@ -12579,7 +12739,9 @@ async function run$5(argv, importMeta, {
   const short = !!cli.flags['short'];
   const [scanId = '', filepath = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -13106,7 +13268,7 @@ async function streamScan(orgSlug, scanId, options) {
 
   // Note: this will write to stdout or target file. It's not a noop
   return await utils.handleApiCall(sockSdk.getOrgFullScan(orgSlug, scanId, file === '-' ? undefined : file), {
-    desc: 'a scan'
+    description: 'a scan'
   });
 }
 
@@ -13176,7 +13338,9 @@ async function run$3(argv, importMeta, {
   const interactive = !!cli.flags['interactive'];
   const [scanId = '', file = ''] = cli.input;
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -13611,7 +13775,9 @@ async function run$2(argv, importMeta, {
     logger.logger.info(`Warning: ignoring these excessive args: ${Array.from(argSet).join(', ')}`);
   }
   const hasApiToken = utils.hasDefaultApiToken();
-  const [orgSlug] = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  const {
+    0: orgSlug
+  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -14224,5 +14390,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=b4ee2d73-3b07-422f-bbc3-db4f36cb62dc
+//# debugId=4e95a2aa-15d9-468e-bbee-5bed1dff404f
 //# sourceMappingURL=cli.js.map