@socketsecurity/cli-with-sentry 1.1.49 → 1.1.51

package/dist/cli.js

@@ -25,7 +25,6 @@ var registry = require('../external/@socketsecurity/registry');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var require$$0$1 = require('node:crypto');
 var require$$1 = require('node:util');
 var promises = require('node:stream/promises');
 
@@ -325,7 +324,7 @@ async function handleAnalytics({
   });
 }
 
-const CMD_NAME$y = 'analytics';
+const CMD_NAME$x = 'analytics';
 const description$F = 'Look up analytics data';
 const hidden$x = false;
 const cmdAnalytics = {
@@ -337,7 +336,7 @@ async function run$S(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$y,
+    commandName: CMD_NAME$x,
     description: description$F,
     hidden: hidden$x,
     flags: {
@@ -356,7 +355,7 @@ async function run$S(argv, importMeta, {
       $ ${command} [options] [ "org" | "repo" <reponame>] [TIME]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$y}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
 
     The scope is either org or repo level, defaults to org.
 
@@ -748,7 +747,7 @@ async function handleAuditLog({
   });
 }
 
-const CMD_NAME$x = 'audit-log';
+const CMD_NAME$w = 'audit-log';
 const description$E = 'Look up the audit log for an organization';
 const hidden$w = false;
 const cmdAuditLog = {
@@ -760,7 +759,7 @@ async function run$R(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$x,
+    commandName: CMD_NAME$w,
     description: description$E,
     hidden: hidden$w,
     flags: {
@@ -790,7 +789,7 @@ async function run$R(argv, importMeta, {
       $ ${command} [options] [FILTER]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
 
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit the ${utils.webLink(`${constants.default.SOCKET_WEBSITE_URL}/pricing`, 'Socket pricing page')}.
@@ -1361,6 +1360,10 @@ async function outputScanReport(result, {
     logger.logger.fail(utils.failMsgWithBadge(scanReport.message, scanReport.cause));
     return;
   }
+  if (!scanReport.data.healthy) {
+    // When report contains healthy: false, process should exit with non-zero code.
+    process.exitCode = 1;
+  }
 
   // I don't think we emit the default error message with banner for an unhealthy report, do we?
   // if (!scanReport.data.healthy) {
@@ -1643,7 +1646,7 @@ async function performReachabilityAnalysis(options) {
   // Build Coana arguments.
   const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
-  ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : [])];
+  ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachLazyMode ? ['--lazy-mode'] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : [])];
 
   // Build environment variables.
   const coanaEnv = {};
@@ -2419,6 +2422,7 @@ async function handleCi(autoManifest) {
       reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
+      reachLazyMode: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -2716,7 +2720,7 @@ async function handleConfigAuto({
   await outputConfigAuto(key, result, outputKind);
 }
 
-const CMD_NAME$w = 'auto';
+const CMD_NAME$v = 'auto';
 const description$D = 'Automatically discover and set the correct value config item';
 const hidden$v = false;
 const cmdConfigAuto = {
@@ -2728,7 +2732,7 @@ async function run$P(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$w,
+    commandName: CMD_NAME$v,
     description: description$D,
     hidden: hidden$v,
     flags: {
@@ -3082,7 +3086,7 @@ async function handleConfigSet({
   await outputConfigSet(result, outputKind);
 }
 
-const CMD_NAME$v = 'set';
+const CMD_NAME$u = 'set';
 const description$C = 'Update the value of a local CLI config item';
 const hidden$u = false;
 const cmdConfigSet = {
@@ -3094,7 +3098,7 @@ async function run$M(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$v,
+    commandName: CMD_NAME$u,
     description: description$C,
     hidden: hidden$u,
     flags: {
@@ -3209,7 +3213,7 @@ async function handleConfigUnset({
   await outputConfigUnset(updateResult, outputKind);
 }
 
-const CMD_NAME$u = 'unset';
+const CMD_NAME$t = 'unset';
 const description$B = 'Clear the value of a local CLI config item';
 const hidden$t = false;
 const cmdConfigUnset = {
@@ -3221,7 +3225,7 @@ async function run$L(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$u,
+    commandName: CMD_NAME$t,
     description: description$B,
     hidden: hidden$t,
     flags: {
@@ -4277,7 +4281,7 @@ async function handleFix({
   }), outputKind);
 }
 
-const CMD_NAME$t = 'fix';
+const CMD_NAME$s = 'fix';
 const DEFAULT_LIMIT = 10;
 const description$z = 'Fix CVEs in dependencies';
 const hidden$s = false;
@@ -4436,7 +4440,7 @@ async function run$K(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$t,
+    commandName: CMD_NAME$s,
     description: description$z,
     hidden: hidden$s,
     flags: {
@@ -4450,7 +4454,7 @@ async function run$K(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$t}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$s}`)}
 
     Options
       ${utils.getFlagListOutput({
@@ -4991,7 +4995,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   }
 }
 
-const CMD_NAME$s = 'login';
+const CMD_NAME$r = 'login';
 const description$x = 'Setup Socket CLI with an API token and defaults';
 const hidden$r = false;
 const cmdLogin = {
@@ -5003,7 +5007,7 @@ async function run$H(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$s,
+    commandName: CMD_NAME$r,
     description: description$x,
     hidden: hidden$r,
     flags: {
@@ -5024,7 +5028,7 @@ async function run$H(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$s}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
 
     Logs into the Socket API by prompting for an API token
 
@@ -6766,7 +6770,7 @@ async function run$y(argv, importMeta, {
 }
 
 const require$5 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
-const CMD_NAME$r = constants.NPM;
+const CMD_NAME$q = constants.NPM;
 const description$w = 'Wraps npm with Socket security scanning';
 const hidden$q = false;
 const cmdNpm = {
@@ -6782,7 +6786,7 @@ async function run$x(argv, importMeta, context) {
     ...context
   };
   const config = {
-    commandName: CMD_NAME$r,
+    commandName: CMD_NAME$q,
     description: description$w,
     hidden: hidden$q,
     flags: {
@@ -6793,7 +6797,7 @@ async function run$x(argv, importMeta, context) {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
 
     Note: Everything after "${constants.NPM}" is passed to the ${constants.NPM} command.
           Only the \`${constants.FLAG_DRY_RUN}\` and \`${constants.FLAG_HELP}\` flags are caught here.
@@ -6852,7 +6856,7 @@ async function run$x(argv, importMeta, context) {
 }
 
 const require$4 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
-const CMD_NAME$q = constants.NPX;
+const CMD_NAME$p = constants.NPX;
 const description$v = 'Wraps npx with Socket security scanning';
 const hidden$p = false;
 const cmdNpx = {
@@ -6864,7 +6868,7 @@ async function run$w(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$q,
+    commandName: CMD_NAME$p,
     description: description$v,
     hidden: hidden$p,
     flags: {
@@ -6875,7 +6879,7 @@ async function run$w(argv, importMeta, {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$p}`)}
 
     Note: Everything after "${constants.NPX}" is passed to the ${constants.NPX} command.
           Only the \`${constants.FLAG_DRY_RUN}\` and \`${constants.FLAG_HELP}\` flags are caught here.
@@ -7386,7 +7390,7 @@ async function listPackages(pkgEnvDetails, options) {
   }
 }
 
-const CMD_NAME$p = 'socket optimize';
+const CMD_NAME$o = 'socket optimize';
 
 const {
   BUN,
@@ -7558,7 +7562,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   npmExecPath === constants.NPM && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     spinner?.stop();
-    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$p, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
+    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$o, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
     spinner?.start();
   }
   const overridesDataObjects = [];
@@ -7786,7 +7790,7 @@ async function applyOptimization(pkgEnvDetails, {
   const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
   if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
     const result = await updateLockfile(pkgEnvDetails, {
-      cmdName: CMD_NAME$p,
+      cmdName: CMD_NAME$o,
       logger: logger.logger,
       spinner
     });
@@ -7855,7 +7859,7 @@ async function handleOptimize({
     prod
   });
   const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$p,
+    cmdName: CMD_NAME$o,
     logger: logger.logger,
     prod
   });
@@ -7893,7 +7897,7 @@ async function handleOptimize({
     await outputOptimizeResult({
       ok: false,
       message: 'Unsupported',
-      cause: utils.cmdPrefixMessage(CMD_NAME$p, `${agent} v${agentVersion} does not support overrides.`)
+      cause: utils.cmdPrefixMessage(CMD_NAME$o, `${agent} v${agentVersion} does not support overrides.`)
     }, outputKind);
     return;
   }
@@ -7913,7 +7917,7 @@ async function handleOptimize({
   await outputOptimizeResult(optimizationResult, outputKind);
 }
 
-const CMD_NAME$o = 'optimize';
+const CMD_NAME$n = 'optimize';
 const description$u = 'Optimize dependencies with @socketregistry overrides';
 const hidden$o = false;
 const cmdOptimize = {
@@ -7925,7 +7929,7 @@ async function run$u(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$o,
+    commandName: CMD_NAME$n,
     description: description$u,
     hidden: hidden$o,
     flags: {
@@ -7946,7 +7950,7 @@ async function run$u(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$o}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$n}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8099,7 +8103,7 @@ async function handleDependencies({
   });
 }
 
-const CMD_NAME$n = 'dependencies';
+const CMD_NAME$m = 'dependencies';
 const description$t = 'Search for any dependency that is being used in your organization';
 const hidden$n = false;
 const cmdOrganizationDependencies = {
@@ -8111,7 +8115,7 @@ async function run$t(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$n,
+    commandName: CMD_NAME$m,
     description: description$t,
     hidden: hidden$n,
     flags: {
@@ -8133,7 +8137,7 @@ async function run$t(argv, importMeta, {
       ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$n}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8233,7 +8237,7 @@ async function handleLicensePolicy(orgSlug, outputKind) {
   await outputLicensePolicy(data, outputKind);
 }
 
-const CMD_NAME$m = 'license';
+const CMD_NAME$l = 'license';
 const description$s = 'Retrieve the license policy of an organization';
 const hidden$m = false;
 const cmdOrganizationPolicyLicense = {
@@ -8245,7 +8249,7 @@ async function run$s(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$m,
+    commandName: CMD_NAME$l,
     description: description$s,
     hidden: hidden$m,
     flags: {
@@ -8266,7 +8270,7 @@ async function run$s(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8369,7 +8373,7 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
   await outputSecurityPolicy(data, outputKind);
 }
 
-const CMD_NAME$l = 'security';
+const CMD_NAME$k = 'security';
 const description$r = 'Retrieve the security policy of an organization';
 const hidden$l = true;
 const cmdOrganizationPolicySecurity = {
@@ -8381,7 +8385,7 @@ async function run$r(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$l,
+    commandName: CMD_NAME$k,
     description: description$r,
     hidden: hidden$l,
     flags: {
@@ -8402,7 +8406,7 @@ async function run$r(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8514,7 +8518,7 @@ async function handleOrganizationList(outputKind = 'text') {
   await outputOrganizationList(data, outputKind);
 }
 
-const CMD_NAME$k = 'list';
+const CMD_NAME$j = 'list';
 const description$q = 'List organizations associated with the Socket API token';
 const hidden$k = false;
 const cmdOrganizationList = {
@@ -8526,7 +8530,7 @@ async function run$q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$k,
+    commandName: CMD_NAME$j,
     description: description$q,
     hidden: hidden$k,
     flags: {
@@ -8538,7 +8542,7 @@ async function run$q(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8980,7 +8984,7 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
   };
 }
 
-const CMD_NAME$j = 'score';
+const CMD_NAME$i = 'score';
 const description$n = 'Look up score for one package which reflects all of its transitive dependencies as well';
 const hidden$j = false;
 const cmdPackageScore = {
@@ -8992,7 +8996,7 @@ async function run$o(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$j,
+    commandName: CMD_NAME$i,
     description: description$n,
     hidden: hidden$j,
     flags: {
@@ -9004,7 +9008,7 @@ async function run$o(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <NAME> | <PURL>>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9371,7 +9375,7 @@ async function handlePurlsShallowScore({
   outputPurlsShallowScore(purls, packageData, outputKind);
 }
 
-const CMD_NAME$i = 'shallow';
+const CMD_NAME$h = 'shallow';
 const description$m = 'Look up info regarding one or more packages but not their transitives';
 const hidden$i = false;
 const cmdPackageShallow = {
@@ -9390,7 +9394,7 @@ async function run$n(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$i,
+    commandName: CMD_NAME$h,
     description: description$m,
     hidden: hidden$i,
     flags: {
@@ -9402,7 +9406,7 @@ async function run$n(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <PKGNAME> [<PKGNAME> ...] | <PURL> [<PURL> ...]>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9504,472 +9508,48 @@ const cmdPackage = {
   }
 };
 
-const PatchRecordSchema = vendor.object({
-  exportedAt: vendor.string(),
-  files: vendor.record(vendor.string(),
-  // File path
-  vendor.object({
-    beforeHash: vendor.string(),
-    afterHash: vendor.string()
-  })),
-  vulnerabilities: vendor.record(vendor.string(),
-  // Vulnerability ID like "GHSA-jrhj-2j3q-xf3v"
-  vendor.object({
-    cves: vendor.array(vendor.string()),
-    summary: vendor.string(),
-    severity: vendor.string(),
-    description: vendor.string(),
-    patchExplanation: vendor.string()
-  }))
-});
-const PatchManifestSchema = vendor.object({
-  patches: vendor.record(
-  // Package identifier like "npm:simplehttpserver@0.0.6".
-  vendor.string(), PatchRecordSchema)
-});
-
-async function outputPatchResult(result, outputKind) {
-  if (!result.ok) {
-    process.exitCode = result.code ?? 1;
-  }
-  if (outputKind === constants.OUTPUT_JSON) {
-    logger.logger.log(utils.serializeResultJson(result));
-    return;
-  }
-  if (!result.ok) {
-    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
-    return;
-  }
+const description$k = 'Manage CVE patches for dependencies';
+const hidden$h = false;
+const cmdPatch = {
+  description: description$k,
+  hidden: hidden$h,
+  run: run$m
+};
+async function run$m(argv, _importMeta, _context) {
   const {
-    patched
-  } = result.data;
-  logger.logger.log('');
-  if (patched.length) {
-    logger.logger.group(`Successfully processed patches for ${patched.length} ${words.pluralize('package', patched.length)}:`);
-    for (const pkg of patched) {
-      logger.logger.success(pkg);
-    }
-    logger.logger.groupEnd();
-  } else {
-    logger.logger.warn('No packages found requiring patches.');
-  }
-  logger.logger.log('');
-  logger.logger.success('Patch command completed!');
-}
+    ENV
+  } = constants.default;
 
-async function applyNpmPatches(socketDir, patches, options) {
-  const {
-    cwd = process.cwd(),
-    dryRun = false,
-    purlObjs,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.start();
-  const patchLookup = new Map();
-  for (const patchInfo of patches) {
-    patchLookup.set(patchInfo.purl, patchInfo);
-  }
-  const nmPaths = await findNodeModulesPaths(cwd);
-  spinner?.stop();
-  logger.logger.log(`Found ${nmPaths.length} ${constants.NODE_MODULES} ${words.pluralize('folder', nmPaths.length)}`);
-  logger.logger.group('');
-  spinner?.start();
-  const result = {
-    passed: [],
-    failed: []
-  };
-  for (const nmPath of nmPaths) {
-    // eslint-disable-next-line no-await-in-loop
-    const dirNames = await fs$2.readDirNames(nmPath);
-    for (const dirName of dirNames) {
-      const isScoped = dirName.startsWith('@');
-      const pkgPath = path.join(nmPath, dirName);
-      const pkgSubNames = isScoped ?
-      // eslint-disable-next-line no-await-in-loop
-      await fs$2.readDirNames(pkgPath) : [dirName];
-      for (const pkgSubName of pkgSubNames) {
-        const dirFullName = isScoped ? `${dirName}/${pkgSubName}` : pkgSubName;
-        const pkgPath = path.join(nmPath, dirFullName);
-        // eslint-disable-next-line no-await-in-loop
-        const pkgJson = await packages.readPackageJson(pkgPath, {
-          throws: false
-        });
-        if (!strings.isNonEmptyString(pkgJson?.name) || !strings.isNonEmptyString(pkgJson?.version)) {
-          continue;
-        }
-        const purl = `pkg:npm/${pkgJson.name}@${pkgJson.version}`;
-        const purlObj = utils.getPurlObject(purl, {
-          throws: false
-        });
-        if (!purlObj) {
-          continue;
-        }
+  // Map socket-cli environment to socket-patch options.
+  // Only include properties with defined values (exactOptionalPropertyTypes).
+  const options = {};
 
-        // Skip if specific packages requested and this isn't one of them
-        if (purlObjs?.length && purlObjs.findIndex(p => p.type === constants.NPM && p.namespace === purlObj.namespace && p.name === purlObj.name) === -1) {
-          continue;
-        }
-        const patchInfo = patchLookup.get(purl);
-        if (!patchInfo) {
-          continue;
-        }
-        spinner?.stop();
-        logger.logger.log(`Found match: ${pkgJson.name}@${pkgJson.version} at ${pkgPath}`);
-        logger.logger.log(`Patch key: ${patchInfo.key}`);
-        logger.logger.group(`Processing files:`);
-        spinner?.start();
-        let passed = true;
-        for (const {
-          0: fileName,
-          1: fileInfo
-        } of Object.entries(patchInfo.patch.files)) {
-          // eslint-disable-next-line no-await-in-loop
-          const filePatchPassed = await processFilePatch(pkgPath, fileName, fileInfo, socketDir, {
-            dryRun,
-            spinner
-          });
-          if (!filePatchPassed) {
-            passed = false;
-          }
-        }
-        logger.logger.groupEnd();
-        if (passed) {
-          result.passed.push(purl);
-        } else {
-          result.failed.push(purl);
-        }
-      }
-    }
+  // Strip /v0/ suffix from API URL if present.
+  const apiUrl = ENV.SOCKET_CLI_API_BASE_URL?.replace(/\/v0\/?$/, '');
+  if (apiUrl) {
+    options.apiUrl = apiUrl;
   }
-  spinner?.stop();
-  logger.logger.groupEnd();
-  if (wasSpinning) {
-    spinner.start();
+  if (ENV.SOCKET_CLI_API_TOKEN) {
+    options.apiToken = ENV.SOCKET_CLI_API_TOKEN;
   }
-  return result;
-}
-
-/**
- * Compute SHA256 hash of file contents.
- */
-async function computeSHA256(filepath) {
-  try {
-    const content = await fs$1.promises.readFile(filepath);
-    const hash = require$$0$1.createHash('sha256');
-    hash.update(content);
-    return {
-      ok: true,
-      data: hash.digest('hex')
-    };
-  } catch (e) {
-    return {
-      ok: false,
-      message: 'Failed to compute file hash',
-      cause: `Unable to read file ${filepath}: ${utils.getErrorCause(e)}`
-    };
+  if (ENV.SOCKET_CLI_ORG_SLUG) {
+    options.orgSlug = ENV.SOCKET_CLI_ORG_SLUG;
   }
-}
-async function findNodeModulesPaths(cwd) {
-  const rootNmPath = await utils.findUp(constants.NODE_MODULES, {
-    cwd,
-    onlyDirectories: true
-  });
-  if (!rootNmPath) {
-    return [];
+  if (ENV.SOCKET_PATCH_PROXY_URL) {
+    options.patchProxyUrl = ENV.SOCKET_PATCH_PROXY_URL;
   }
-  return await vendor.outExports.glob([`**/${constants.NODE_MODULES}`], {
-    absolute: true,
-    cwd: path.dirname(rootNmPath),
-    dot: true,
-    followSymbolicLinks: false,
-    onlyDirectories: true
-  });
-}
-async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options) {
-  const {
-    dryRun,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.stop();
-  const filepath = path.join(pkgPath, fileName);
-  if (!fs$1.existsSync(filepath)) {
-    logger.logger.log(`File not found: ${fileName}`);
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
+  if (ENV.SOCKET_CLI_API_PROXY) {
+    options.httpProxy = ENV.SOCKET_CLI_API_PROXY;
   }
-  const currentHashResult = await computeSHA256(filepath);
-  if (!currentHashResult.ok) {
-    logger.logger.log(`Failed to compute hash for: ${fileName}: ${currentHashResult.cause || currentHashResult.message}`);
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  if (currentHashResult.data === fileInfo.afterHash) {
-    logger.logger.success(`File already patched: ${fileName}`);
-    logger.logger.group();
-    logger.logger.log(`Current hash: ${currentHashResult.data}`);
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return true;
-  }
-  if (currentHashResult.data !== fileInfo.beforeHash) {
-    logger.logger.fail(`File hash mismatch: ${fileName}`);
-    logger.logger.group();
-    logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
-    logger.logger.log(`Current:  ${currentHashResult.data}`);
-    logger.logger.log(`Target:   ${fileInfo.afterHash}`);
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  logger.logger.success(`File matches expected hash: ${fileName}`);
-  logger.logger.group();
-  logger.logger.log(`Current hash: ${currentHashResult.data}`);
-  logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
-  logger.logger.group();
-  if (dryRun) {
-    logger.logger.log(`(dry run - no changes made)`);
-    logger.logger.groupEnd();
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
-  if (!fs$1.existsSync(blobPath)) {
-    logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
-    logger.logger.groupEnd();
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  spinner?.start();
-  let result = true;
-  try {
-    await fs$1.promises.copyFile(blobPath, filepath);
-
-    // Verify the hash after copying to ensure file integrity.
-    const verifyHashResult = await computeSHA256(filepath);
-    if (!verifyHashResult.ok) {
-      logger.logger.error(`Failed to verify hash after patch: ${verifyHashResult.cause || verifyHashResult.message}`);
-      result = false;
-    } else if (verifyHashResult.data !== fileInfo.afterHash) {
-      logger.logger.error(`Hash verification failed after patch`);
-      logger.logger.group();
-      logger.logger.log(`Expected: ${fileInfo.afterHash}`);
-      logger.logger.log(`Got:      ${verifyHashResult.data}`);
-      logger.logger.groupEnd();
-      result = false;
-    } else {
-      logger.logger.success(`Patch applied successfully`);
-    }
-  } catch (e) {
-    logger.logger.error('Error applying patch');
-    require$$9.debugDir('error', e);
-    result = false;
-  }
-  logger.logger.groupEnd();
-  logger.logger.groupEnd();
-  spinner?.stop();
-  if (wasSpinning) {
-    spinner?.start();
+  if (ENV.SOCKET_CLI_DEBUG) {
+    options.debug = ENV.SOCKET_CLI_DEBUG;
   }
-  return result;
-}
-async function handlePatch({
-  cwd,
-  dryRun,
-  outputKind,
-  purlObjs,
-  spinner
-}) {
-  try {
-    const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET_DIR);
-    const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
-    const manifestContent = await fs$1.promises.readFile(manifestPath, constants.UTF8);
-    const manifestData = JSON.parse(manifestContent);
-    const purls = purlObjs.map(String);
-    const validated = PatchManifestSchema.parse(manifestData);
-
-    // Parse PURLs and group by ecosystem.
-    const patchesByEcosystem = new Map();
-    for (const {
-      0: key,
-      1: patch
-    } of Object.entries(validated.patches)) {
-      const purl = utils.normalizePurl(key);
-      if (purls.length && !purls.includes(purl)) {
-        continue;
-      }
-      const purlObj = utils.getPurlObject(purl, {
-        throws: false
-      });
-      if (!purlObj) {
-        continue;
-      }
-      let patches = patchesByEcosystem.get(purlObj.type);
-      if (!Array.isArray(patches)) {
-        patches = [];
-        patchesByEcosystem.set(purlObj.type, patches);
-      }
-      patches.push({
-        key,
-        patch,
-        purl,
-        purlObj
-      });
-    }
-    if (purls.length) {
-      spinner.start(`Checking patches for: ${arrays.joinAnd(purls)}`);
-    } else {
-      spinner.start('Scanning all dependencies for available patches');
-    }
-    const patched = [];
-    const npmPatches = patchesByEcosystem.get(constants.NPM);
-    if (npmPatches) {
-      const patchingResults = await applyNpmPatches(dotSocketDirPath, npmPatches, {
-        cwd,
-        dryRun,
-        purlObjs,
-        spinner
-      });
-      patched.push(...patchingResults.passed);
-    }
-    spinner.stop();
-    await outputPatchResult({
-      ok: true,
-      data: {
-        patched
-      }
-    }, outputKind);
-  } catch (e) {
-    spinner.stop();
-    let message = 'Failed to apply patches';
-    let cause = utils.getErrorCause(e);
-    if (e instanceof SyntaxError) {
-      message = `Invalid JSON in ${constants.MANIFEST_JSON}`;
-      cause = e.message;
-    } else if (e instanceof Error && 'issues' in e) {
-      message = 'Schema validation failed';
-      cause = String(e);
-    }
-    await outputPatchResult({
-      ok: false,
-      code: 1,
-      message,
-      cause
-    }, outputKind);
-  }
-}
 
-const CMD_NAME$h = 'patch';
-const description$k = 'Apply CVE patches to dependencies';
-const hidden$h = true;
-const cmdPatch = {
-  description: description$k,
-  hidden: hidden$h,
-  run: run$m
-};
-async function run$m(argv, importMeta, {
-  parentName
-}) {
-  const config = {
-    commandName: CMD_NAME$h,
-    description: description$k,
-    hidden: hidden$h,
-    flags: {
-      ...flags.commonFlags,
-      ...flags.outputFlags,
-      purl: {
-        type: 'string',
-        default: [],
-        description: 'Specify purls to patch, as either a comma separated value or as multiple flags',
-        isMultiple: true,
-        shortFlag: 'p'
-      }
-    },
-    help: (command, config) => `
-    Usage
-      $ ${command} [options] [CWD=.]
-
-    API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
-
-    Options
-      ${utils.getFlagListOutput(config.flags)}
-
-    Examples
-      $ ${command}
-      $ ${command} --package lodash
-      $ ${command} ./path/to/project --package lodash,react
-    `
-  };
-  const cli = utils.meowOrExit({
-    argv,
-    config,
-    parentName,
-    importMeta
-  }, {
-    allowUnknownFlags: false
-  });
-  const {
-    dryRun,
-    json,
-    markdown
-  } = cli.flags;
-  const outputKind = utils.getOutputKind(json, markdown);
-  const wasValidInput = utils.checkCommandInput(outputKind, {
-    nook: true,
-    test: !json || !markdown,
-    message: 'The json and markdown flags cannot be both set, pick one',
-    fail: 'omit one'
-  });
-  if (!wasValidInput) {
-    return;
+  // Forward all arguments to socket-patch.
+  const exitCode = await vendor.runExports.runPatch([...argv], options);
+  if (exitCode !== 0) {
+    process.exitCode = exitCode;
   }
-  let [cwd = '.'] = cli.input;
-  // Note: path.resolve vs .join:
-  // If given path is absolute then cwd should not affect it.
-  cwd = path.resolve(process.cwd(), cwd);
-  const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET_DIR);
-  if (!fs$1.existsSync(dotSocketDirPath)) {
-    throw new utils.InputError(`No ${constants.DOT_SOCKET_DIR} directory found in current directory`);
-  }
-  const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
-  if (!fs$1.existsSync(manifestPath)) {
-    throw new utils.InputError(`No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET_DIR} directory`);
-  }
-  const {
-    spinner
-  } = constants.default;
-  const purlObjs = arrays.arrayUnique(utils.cmdFlagValueToArray(cli.flags['purl'])).map(p => utils.getPurlObject(p, {
-    throws: false
-  })).filter(Boolean);
-  await handlePatch({
-    cwd,
-    dryRun,
-    outputKind,
-    purlObjs,
-    spinner
-  });
 }
 
 const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
@@ -11247,6 +10827,12 @@ const reachabilityFlags = {
     isMultiple: true,
     description: 'List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.'
   },
+  reachLazyMode: {
+    type: 'boolean',
+    default: false,
+    description: 'Enable lazy mode for reachability analysis.',
+    hidden: true
+  },
   reachSkipCache: {
     type: 'boolean',
     default: false,
@@ -11499,6 +11085,7 @@ async function run$d(argv, importMeta, {
     reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
+    reachLazyMode,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion,
@@ -11630,7 +11217,7 @@ async function run$d(argv, importMeta, {
   const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
   const isUsingNonDefaultVersion = reachVersion !== reachabilityFlags['reachVersion']?.default;
-  const isUsingAnyReachabilityFlags = hasReachEcosystems || hasReachExcludePaths || isUsingNonDefaultAnalytics || isUsingNonDefaultConcurrency || isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultVersion || reachDisableAnalysisSplitting || reachSkipCache || reachUseOnlyPregeneratedSboms;
+  const isUsingAnyReachabilityFlags = hasReachEcosystems || hasReachExcludePaths || isUsingNonDefaultAnalytics || isUsingNonDefaultConcurrency || isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultVersion || reachDisableAnalysisSplitting || reachLazyMode || reachSkipCache || reachUseOnlyPregeneratedSboms;
 
   // Validate target constraints when --reach is enabled.
   const reachTargetValidation = reach ? await validateReachabilityTarget(targets, cwd) : {
@@ -11723,6 +11310,7 @@ async function run$d(argv, importMeta, {
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
+      reachLazyMode: Boolean(reachLazyMode),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
@@ -12373,6 +11961,7 @@ async function scanOneRepo(repoSlug, {
       reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
+      reachLazyMode: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -13662,6 +13251,7 @@ async function run$7(argv, importMeta, {
     reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
+    reachLazyMode,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion
@@ -13762,6 +13352,7 @@ async function run$7(argv, importMeta, {
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
+      reachLazyMode: Boolean(reachLazyMode),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion
@@ -15676,5 +15267,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=7bd1ad51-3d27-483b-96d7-504fe33c820f
+//# debugId=90b6bd73-b1dd-42e8-a3d1-d309882d77f4
 //# sourceMappingURL=cli.js.map