@socketsecurity/cli-with-sentry 1.1.49 → 1.1.51

package/dist/utils.js

@@ -16,9 +16,9 @@ var path = require('node:path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
-var fs = require('../external/@socketsecurity/registry/lib/fs');
+var fs$1 = require('../external/@socketsecurity/registry/lib/fs');
 var require$$5 = require('node:module');
-var fs$1 = require('node:fs');
+var fs = require('node:fs');
 var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var agent = require('../external/@socketsecurity/registry/lib/agent');
 var bin = require('../external/@socketsecurity/registry/lib/bin');
@@ -27,6 +27,7 @@ var require$$0$1 = require('node:url');
 var globs = require('../external/@socketsecurity/registry/lib/globs');
 var streams = require('../external/@socketsecurity/registry/lib/streams');
 var promises = require('node:timers/promises');
+var require$$1 = require('node:util');
 var os = require('node:os');
 var process$1 = require('node:process');
 var require$$0 = require('node:crypto');
@@ -163,6 +164,324 @@ function debugGit(operation, success, details) {
   }
 }
 
+/**
+ * @fileoverview EditableJson utility for non-destructive JSON file manipulation.
+ * Preserves formatting (indentation and line endings) when updating JSON files.
+ * This is a standalone implementation copied from @socketsecurity/lib/json/edit.
+ */
+
+
+// Symbols used to store formatting metadata in JSON objects.
+const INDENT_SYMBOL = Symbol.for('indent');
+const NEWLINE_SYMBOL = Symbol.for('newline');
+
+/**
+ * Formatting metadata for JSON files.
+ */
+
+/**
+ * Options for saving editable JSON files.
+ */
+
+/**
+ * Detect indentation from a JSON string.
+ * Supports space-based indentation (returns count) or mixed indentation (returns string).
+ */
+function detectIndent(json) {
+  const match = json.match(/^[{[][\r\n]+(\s+)/m);
+  if (!match || !match[1]) {
+    return 2;
+  }
+  const indent = match[1];
+  if (/^ +$/.test(indent)) {
+    return indent.length;
+  }
+  return indent;
+}
+
+/**
+ * Detect newline character(s) from a JSON string.
+ * Supports LF (\n) and CRLF (\r\n) line endings.
+ */
+function detectNewline(json) {
+  const match = json.match(/\r?\n/);
+  return match ? match[0] : '\n';
+}
+
+/**
+ * Sort object keys alphabetically.
+ * Creates a new object with sorted keys (does not mutate input).
+ */
+function sortKeys(obj) {
+  const sorted = {
+    __proto__: null
+  };
+  const keys = Object.keys(obj).sort();
+  for (const key of keys) {
+    sorted[key] = obj[key];
+  }
+  return sorted;
+}
+
+/**
+ * Stringify JSON with specific formatting.
+ * Applies indentation and line ending preferences.
+ */
+function stringifyWithFormatting(content, formatting) {
+  const {
+    indent,
+    newline
+  } = formatting;
+  const format = indent === undefined || indent === null ? '  ' : indent;
+  const eol = newline === undefined || newline === null ? '\n' : newline;
+  return `${JSON.stringify(content, undefined, format)}\n`.replace(/\n/g, eol);
+}
+
+/**
+ * Strip formatting symbols from content object.
+ * Removes Symbol.for('indent') and Symbol.for('newline') from the object.
+ */
+function stripFormattingSymbols(content) {
+  const {
+    [INDENT_SYMBOL]: _indent,
+    [NEWLINE_SYMBOL]: _newline,
+    ...rest
+  } = content;
+  return rest;
+}
+
+/**
+ * Extract formatting from content object that has symbol-based metadata.
+ */
+function getFormattingFromContent(content) {
+  const indent = content[INDENT_SYMBOL];
+  const newline = content[NEWLINE_SYMBOL];
+  return {
+    indent: indent === undefined || indent === null ? 2 : indent,
+    newline: newline === undefined || newline === null ? '\n' : newline
+  };
+}
+
+/**
+ * Determine if content should be saved based on changes and options.
+ */
+function shouldSave(currentContent, originalContent, originalFileContent, options = {}) {
+  const {
+    ignoreWhitespace = false,
+    sort = false
+  } = options;
+  const content = stripFormattingSymbols(currentContent);
+  const sortedContent = sort ? sortKeys(content) : content;
+  const origContent = originalContent ? stripFormattingSymbols(originalContent) : {};
+  if (ignoreWhitespace) {
+    return !require$$1.isDeepStrictEqual(sortedContent, origContent);
+  }
+  const formatting = getFormattingFromContent(currentContent);
+  const newFileContent = stringifyWithFormatting(sortedContent, formatting);
+  return newFileContent.trim() !== originalFileContent.trim();
+}
+
+/**
+ * Retry write operation with exponential backoff for file system issues.
+ */
+async function retryWrite(filepath, content, retries = 3, baseDelay = 10) {
+  for (let attempt = 0; attempt <= retries; attempt++) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      await fs.promises.writeFile(filepath, content);
+      if (process.platform === 'win32') {
+        // eslint-disable-next-line no-await-in-loop
+        await promises.setTimeout(50);
+        let accessRetries = 0;
+        const maxAccessRetries = 5;
+        while (accessRetries < maxAccessRetries) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            await fs.promises.access(filepath);
+            // eslint-disable-next-line no-await-in-loop
+            await promises.setTimeout(10);
+            break;
+          } catch {
+            const delay = 20 * (accessRetries + 1);
+            // eslint-disable-next-line no-await-in-loop
+            await promises.setTimeout(delay);
+            accessRetries++;
+          }
+        }
+      }
+      return;
+    } catch (err) {
+      const isLastAttempt = attempt === retries;
+      const isRetriableError = err instanceof Error && 'code' in err && (err.code === 'EPERM' || err.code === 'EBUSY' || err.code === 'ENOENT');
+      if (!isRetriableError || isLastAttempt) {
+        throw err;
+      }
+      const delay = baseDelay * 2 ** attempt;
+      // eslint-disable-next-line no-await-in-loop
+      await promises.setTimeout(delay);
+    }
+  }
+}
+
+/**
+ * Parse JSON string.
+ */
+function parseJson(content) {
+  return JSON.parse(content);
+}
+
+/**
+ * Read file with retry logic for file system issues.
+ */
+async function readFile(filepath) {
+  const maxRetries = process.platform === 'win32' ? 5 : 1;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      return await fs.promises.readFile(filepath, 'utf8');
+    } catch (err) {
+      const isLastAttempt = attempt === maxRetries;
+      const isEnoent = err instanceof Error && 'code' in err && err.code === 'ENOENT';
+      if (!isEnoent || isLastAttempt) {
+        throw err;
+      }
+      const delay = process.platform === 'win32' ? 50 * (attempt + 1) : 20;
+      // eslint-disable-next-line no-await-in-loop
+      await promises.setTimeout(delay);
+    }
+  }
+  throw new Error('Unreachable code');
+}
+
+/**
+ * EditableJson class for non-destructive JSON file manipulation.
+ * Preserves formatting when updating JSON files.
+ */
+class EditableJson {
+  _canSave = true;
+  _content = {};
+  _path = undefined;
+  _readFileContent = '';
+  _readFileJson = undefined;
+  get content() {
+    return this._content;
+  }
+  get filename() {
+    const path = this._path;
+    if (!path) {
+      return '';
+    }
+    return path;
+  }
+  get path() {
+    return this._path;
+  }
+
+  /**
+   * Create a new JSON file instance.
+   */
+  create(path) {
+    this._path = path;
+    this._content = {};
+    this._canSave = true;
+    return this;
+  }
+
+  /**
+   * Initialize from content object (disables saving).
+   */
+  fromContent(data) {
+    this._content = data;
+    this._canSave = false;
+    return this;
+  }
+
+  /**
+   * Initialize from JSON string.
+   */
+  fromJSON(data) {
+    const parsed = parseJson(data);
+    const indent = detectIndent(data);
+    const newline = detectNewline(data)
+    // Use type assertion to allow symbol indexing.
+    ;
+    parsed[INDENT_SYMBOL] = indent;
+    parsed[NEWLINE_SYMBOL] = newline;
+    this._content = parsed;
+    return this;
+  }
+
+  /**
+   * Load JSON file from disk.
+   */
+  async load(path, create) {
+    this._path = path;
+    try {
+      this._readFileContent = await readFile(this.filename);
+      this.fromJSON(this._readFileContent);
+      this._readFileJson = parseJson(this._readFileContent);
+    } catch (err) {
+      if (!create) {
+        throw err;
+      }
+      // File doesn't exist and create is true - initialize empty.
+      this._content = {};
+      this._readFileContent = '';
+      this._readFileJson = undefined;
+      this._canSave = true;
+    }
+    return this;
+  }
+
+  /**
+   * Update content with new values.
+   */
+  update(content) {
+    this._content = {
+      ...this._content,
+      ...content
+    };
+    return this;
+  }
+
+  /**
+   * Save JSON file to disk asynchronously.
+   */
+  async save(options) {
+    if (!this._canSave || this.content === undefined) {
+      throw new Error('No file path to save to');
+    }
+    if (!shouldSave(this._content, this._readFileJson, this._readFileContent, options)) {
+      return false;
+    }
+    const content = stripFormattingSymbols(this._content);
+    const sortedContent = options?.sort ? sortKeys(content) : content;
+    const formatting = getFormattingFromContent(this._content);
+    const fileContent = stringifyWithFormatting(sortedContent, formatting);
+    await retryWrite(this.filename, fileContent);
+    this._readFileContent = fileContent;
+    this._readFileJson = parseJson(fileContent);
+    return true;
+  }
+
+  /**
+   * Check if save will occur based on current changes.
+   */
+  willSave(options) {
+    if (!this._canSave || this.content === undefined) {
+      return false;
+    }
+    return shouldSave(this._content, this._readFileJson, this._readFileContent, options);
+  }
+}
+
+/**
+ * Get the EditableJson class for JSON file manipulation.
+ */
+function getEditableJsonClass() {
+  return EditableJson;
+}
+
 /**
  * Error utilities for Socket CLI.
  * Provides consistent error handling, formatting, and message extraction.
@@ -307,14 +626,15 @@ function getConfigValues() {
       socketAppDataPath
     } = constants.default;
     if (socketAppDataPath) {
-      const raw = fs.safeReadFileSync(socketAppDataPath);
+      const configFilePath = path.join(socketAppDataPath, 'config.json');
+      const raw = fs$1.safeReadFileSync(configFilePath);
       if (raw) {
         try {
           Object.assign(_cachedConfig, JSON.parse(Buffer.from(raw, 'base64').toString()));
-          debugConfig(socketAppDataPath, true);
+          debugConfig(configFilePath, true);
         } catch (e) {
-          logger.logger.warn(`Failed to parse config at ${socketAppDataPath}`);
-          debugConfig(socketAppDataPath, false, e);
+          logger.logger.warn(`Failed to parse config at ${configFilePath}`);
+          debugConfig(configFilePath, false, e);
         }
         // Normalize apiKey to apiToken and persist it.
         // This is a one time migration per user.
@@ -324,7 +644,7 @@ function getConfigValues() {
           updateConfigValue(constants.CONFIG_KEY_API_TOKEN, token);
         }
       } else {
-        fs$1.mkdirSync(path.dirname(socketAppDataPath), {
+        fs.mkdirSync(socketAppDataPath, {
           recursive: true
         });
       }
@@ -353,10 +673,10 @@ function findSocketYmlSync(dir = process.cwd()) {
   let prevDir = null;
   while (dir !== prevDir) {
     let ymlPath = path.join(dir, constants.SOCKET_YML);
-    let yml = fs.safeReadFileSync(ymlPath);
+    let yml = fs$1.safeReadFileSync(ymlPath);
     if (yml === undefined) {
       ymlPath = path.join(dir, constants.SOCKET_YAML);
-      yml = fs.safeReadFileSync(ymlPath);
+      yml = fs$1.safeReadFileSync(ymlPath);
     }
     if (typeof yml === 'string') {
       try {
@@ -519,11 +839,68 @@ function updateConfigValue(configKey, value) {
     _pendingSave = true;
     process.nextTick(() => {
       _pendingSave = false;
+      // Capture the config state at write time, not at schedule time.
+      // This ensures all updates in the same tick are included.
+      const configToSave = {
+        ...localConfig
+      };
       const {
         socketAppDataPath
       } = constants.default;
       if (socketAppDataPath) {
-        fs$1.writeFileSync(socketAppDataPath, Buffer.from(JSON.stringify(localConfig)).toString('base64'));
+        fs.mkdirSync(socketAppDataPath, {
+          recursive: true
+        });
+        const configFilePath = path.join(socketAppDataPath, 'config.json');
+        // Read existing file to preserve formatting, then update with new values.
+        const existingRaw = fs$1.safeReadFileSync(configFilePath);
+        const EditableJson = getEditableJsonClass();
+        const editor = new EditableJson();
+        if (existingRaw !== undefined) {
+          const rawString = Buffer.isBuffer(existingRaw) ? existingRaw.toString('utf8') : existingRaw;
+          try {
+            const decoded = Buffer.from(rawString, 'base64').toString('utf8');
+            editor.fromJSON(decoded);
+          } catch {
+            // If decoding fails, start fresh.
+          }
+        } else {
+          // Initialize empty editor for new file.
+          editor.create(configFilePath);
+        }
+        // Update with the captured config state.
+        // Note: We need to handle deletions explicitly since editor.update() only merges.
+        // First, get all keys from the existing content.
+        const existingKeys = new Set(Object.keys(editor.content).filter(k => typeof k === 'string'));
+        const newKeys = new Set(Object.keys(configToSave));
+
+        // Delete keys that are in existing but not in new config.
+        for (const key of existingKeys) {
+          if (!newKeys.has(key)) {
+            delete editor.content[key];
+          }
+        }
+
+        // Now update with new values.
+        editor.update(configToSave);
+        // Use the editor's internal stringify which preserves formatting.
+        // Extract the formatting symbols from the content.
+        const INDENT_SYMBOL = Symbol.for('indent');
+        const NEWLINE_SYMBOL = Symbol.for('newline');
+        const indent = editor.content[INDENT_SYMBOL] ?? 2;
+        const newline = editor.content[NEWLINE_SYMBOL] ?? '\n';
+
+        // Strip formatting symbols from content.
+        const contentToSave = {};
+        for (const [key, val] of Object.entries(editor.content)) {
+          if (typeof key === 'string') {
+            contentToSave[key] = val;
+          }
+        }
+
+        // Stringify with formatting preserved.
+        const jsonContent = JSON.stringify(contentToSave, undefined, indent).replace(/\n/g, newline);
+        fs.writeFileSync(configFilePath, Buffer.from(jsonContent + newline).toString('base64'));
       }
     });
   }
@@ -3894,7 +4271,7 @@ function* walkNestedMap(map, keys = []) {
  */
 
 function extractTier1ReachabilityScanId(socketFactsFile) {
-  const json = fs.readJsonSync(socketFactsFile, {
+  const json = fs$1.readJsonSync(socketFactsFile, {
     throws: false
   });
   const tier1ReachabilityScanId = String(json?.['tier1ReachabilityScanId'] ?? '').trim();
@@ -3952,7 +4329,7 @@ async function findUp(name, options) {
       const thePath = path.join(dir, name);
       try {
         // eslint-disable-next-line no-await-in-loop
-        const stats = await fs$1.promises.stat(thePath);
+        const stats = await fs.promises.stat(thePath);
         if (!onlyDirectories && stats.isFile()) {
           return thePath;
         }
@@ -3994,7 +4371,7 @@ async function getWorkspaceGlobs(agent, cwd = process.cwd()) {
   let workspacePatterns;
   if (agent === constants.PNPM) {
     const workspacePath = path.join(cwd, 'pnpm-workspace.yaml');
-    const yml = await fs.safeReadFile(workspacePath);
+    const yml = await fs$1.safeReadFile(workspacePath);
     if (yml) {
       try {
         workspacePatterns = vendor.distExports$1.parse(yml)?.packages;
@@ -4104,7 +4481,7 @@ async function globWithGitIgnore(patterns, options) {
     cwd,
     ignore: DEFAULT_IGNORE_FOR_GIT_IGNORE
   });
-  for await (const ignorePatterns of streams.transform(gitIgnoreStream, async filepath => ignoreFileToGlobPatterns((await fs.safeReadFile(filepath)) ?? '', filepath, cwd), {
+  for await (const ignorePatterns of streams.transform(gitIgnoreStream, async filepath => ignoreFileToGlobPatterns((await fs$1.safeReadFile(filepath)) ?? '', filepath, cwd), {
     concurrency: 8
   })) {
     for (const p of ignorePatterns) {
@@ -4166,7 +4543,7 @@ function pathsToGlobPatterns(paths, cwd) {
     }
     const absolutePath = path.isAbsolute(p) ? p : path.resolve(cwd ?? process.cwd(), p);
     // If the path is a directory, scan it recursively for all files.
-    if (fs.isDirSync(absolutePath)) {
+    if (fs$1.isDirSync(absolutePath)) {
       return `${p}/**/*`;
     }
     return p;
@@ -4219,11 +4596,11 @@ function findNpmDirPathSync(npmBinPath) {
     // Use existsSync here because statsSync, even with { throwIfNoEntry: false },
     // will throw an ENOTDIR error for paths like ./a-file-that-exists/a-directory-that-does-not.
     // See https://github.com/nodejs/node/issues/56993.
-    fs.isDirSync(libNmNpmPath)) {
+    fs$1.isDirSync(libNmNpmPath)) {
       thePath = libNmNpmPath;
     }
-    const hasNmInCurrPath = fs.isDirSync(path.join(thePath, constants.NODE_MODULES));
-    const hasNmInParentPath = !hasNmInCurrPath && fs.isDirSync(path.join(thePath, `../${constants.NODE_MODULES}`));
+    const hasNmInCurrPath = fs$1.isDirSync(path.join(thePath, constants.NODE_MODULES));
+    const hasNmInParentPath = !hasNmInCurrPath && fs$1.isDirSync(path.join(thePath, `../${constants.NODE_MODULES}`));
     if (
     // npm bin paths may look like:
     //   /usr/local/share/npm/bin/npm
@@ -4241,7 +4618,7 @@ function findNpmDirPathSync(npmBinPath) {
     // Optimistically look for the default location.
     path.basename(thePath) === constants.NPM ||
     // Chocolatey installs npm bins in the same directory as node bins.
-    WIN32 && fs$1.existsSync(path.join(thePath, `${constants.NPM}.cmd`)))) {
+    WIN32 && fs.existsSync(path.join(thePath, `${constants.NPM}.cmd`)))) {
       return hasNmInParentPath ? path.dirname(thePath) : thePath;
     }
     const parent = path.dirname(thePath);
@@ -4635,7 +5012,7 @@ function getDefaultSocketJson() {
 }
 function readSocketJsonSync(cwd, defaultOnError = false) {
   const sockJsonPath = path.join(cwd, constants.SOCKET_JSON);
-  if (!fs$1.existsSync(sockJsonPath)) {
+  if (!fs.existsSync(sockJsonPath)) {
     require$$9.debugFn('notice', `miss: ${constants.SOCKET_JSON} not found at ${cwd}`);
     return {
       ok: true,
@@ -4644,7 +5021,7 @@ function readSocketJsonSync(cwd, defaultOnError = false) {
   }
   let jsonContent = null;
   try {
-    jsonContent = fs$1.readFileSync(sockJsonPath, 'utf8');
+    jsonContent = fs.readFileSync(sockJsonPath, 'utf8');
   } catch (e) {
     if (defaultOnError) {
       logger.logger.warn(`Failed to read ${constants.SOCKET_JSON}, using default`);
@@ -4718,7 +5095,7 @@ async function writeSocketJson(cwd, sockJson) {
     };
   }
   const filepath = path.join(cwd, constants.SOCKET_JSON);
-  await fs$1.promises.writeFile(filepath, `${jsonContent}\n`, 'utf8');
+  await fs.promises.writeFile(filepath, `${jsonContent}\n`, 'utf8');
   return {
     ok: true,
     data: undefined
@@ -4755,11 +5132,11 @@ async function readCache(key,
 // 5 minute in milliseconds time to live (TTL).
 ttlMs = 5 * 60 * 1000) {
   const cacheJsonPath = path.join(constants.default.githubCachePath, `${key}.json`);
-  const stat = fs.safeStatsSync(cacheJsonPath);
+  const stat = fs$1.safeStatsSync(cacheJsonPath);
   if (stat) {
     const isExpired = Date.now() - stat.mtimeMs > ttlMs;
     if (!isExpired) {
-      return await fs.readJson(cacheJsonPath);
+      return await fs$1.readJson(cacheJsonPath);
     }
   }
   return undefined;
@@ -4769,12 +5146,12 @@ async function writeCache(key, data) {
     githubCachePath
   } = constants.default;
   const cacheJsonPath = path.join(githubCachePath, `${key}.json`);
-  if (!fs$1.existsSync(githubCachePath)) {
-    await fs$1.promises.mkdir(githubCachePath, {
+  if (!fs.existsSync(githubCachePath)) {
+    await fs.promises.mkdir(githubCachePath, {
       recursive: true
     });
   }
-  await fs.writeJson(cacheJsonPath, data);
+  await fs$1.writeJson(cacheJsonPath, data);
 }
 async function cacheFetch(key, fetcher, ttlMs) {
   // Optionally disable cache.
@@ -5251,7 +5628,7 @@ const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion';
 function getCompletionSourcingCommand() {
   // Note: this is exported to distPath in .config/rollup.dist.config.mjs
   const completionScriptExportPath = path.join(constants.default.distPath, 'socket-completion.bash');
-  if (!fs$1.existsSync(completionScriptExportPath)) {
+  if (!fs.existsSync(completionScriptExportPath)) {
     return {
       ok: false,
       message: 'Tab Completion script not found',
@@ -5372,7 +5749,7 @@ function getNpmRequire() {
   if (_npmRequire === undefined) {
     const npmDirPath = getNpmDirPath();
     const npmNmPath = path.join(npmDirPath, `${constants.NODE_MODULES}/npm`);
-    _npmRequire = require$$5.createRequire(path.join(fs$1.existsSync(npmNmPath) ? npmNmPath : npmDirPath, '<dummy-basename>'));
+    _npmRequire = require$$5.createRequire(path.join(fs.existsSync(npmNmPath) ? npmNmPath : npmDirPath, '<dummy-basename>'));
   }
   return _npmRequire;
 }
@@ -5588,8 +5965,8 @@ const readLockFileByAgent = (() => {
       return undefined;
     };
   }
-  const binaryReader = wrapReader(fs.readFileBinary);
-  const defaultReader = wrapReader(async lockPath => await fs.readFileUtf8(lockPath));
+  const binaryReader = wrapReader(fs$1.readFileBinary);
+  const defaultReader = wrapReader(async lockPath => await fs$1.readFileUtf8(lockPath));
   return new Map([[BUN, wrapReader(async (lockPath, agentExecPath, cwd = process.cwd()) => {
     const ext = path.extname(lockPath);
     if (ext === EXT_LOCK) {
@@ -5637,20 +6014,54 @@ const LOCKS = {
   // it has to be handled differently.
   [`${NODE_MODULES}/${DOT_PACKAGE_LOCK_JSON}`]: NPM
 };
+function preferWindowsCmdShim(binPath, binName) {
+  // Only Windows uses .cmd shims
+  if (!constants.default.WIN32) {
+    return binPath;
+  }
+
+  // Relative paths might be shell commands or aliases, not file paths with potential shims
+  if (!path.isAbsolute(binPath)) {
+    return binPath;
+  }
+
+  // If the path already has an extension (.exe, .bat, etc.), it is probably a Windows executable
+  if (path.extname(binPath) !== '') {
+    return binPath;
+  }
+
+  // Ensures binPath actually points to the expected binary, not a parent directory that happens to match `binName`
+  // For example, if binPath is C:\foo\npm\something and binName is npm, we shouldn't replace it
+  if (path.basename(binPath).toLowerCase() !== binName.toLowerCase()) {
+    return binPath;
+  }
+
+  // Finally attempt to construct a .cmd shim from binPAth
+  const cmdShim = path.join(path.dirname(binPath), `${binName}.cmd`);
+
+  // Ensure shim exists, otherwise failback to binPath
+  return fs.existsSync(cmdShim) ? cmdShim : binPath;
+}
 async function getAgentExecPath(agent) {
   const binName = binByAgent.get(agent);
   if (binName === NPM) {
     // Try to use constants.npmExecPath first, but verify it exists.
-    const npmPath = constants.default.npmExecPath;
-    if (fs$1.existsSync(npmPath)) {
+    const npmPath = preferWindowsCmdShim(constants.default.npmExecPath, NPM);
+    if (fs.existsSync(npmPath)) {
       return npmPath;
     }
     // If npmExecPath doesn't exist, try common locations.
     // Check npm in the same directory as node.
     const nodeDir = path.dirname(process.execPath);
+    if (constants.default.WIN32) {
+      const npmCmdInNodeDir = path.join(nodeDir, `${NPM}.cmd`);
+      if (fs.existsSync(npmCmdInNodeDir)) {
+        return npmCmdInNodeDir;
+      }
+    }
     const npmInNodeDir = path.join(nodeDir, NPM);
-    if (fs$1.existsSync(npmInNodeDir)) {
-      return npmInNodeDir;
+    if (fs.existsSync(npmInNodeDir)) {
+      return preferWindowsCmdShim(npmInNodeDir, NPM);
     }
     // Fall back to whichBin.
     return (await bin.whichBin(binName, {
@@ -5660,7 +6071,7 @@ async function getAgentExecPath(agent) {
   if (binName === PNPM) {
     // Try to use constants.pnpmExecPath first, but verify it exists.
     const pnpmPath = constants.default.pnpmExecPath;
-    if (fs$1.existsSync(pnpmPath)) {
+    if (fs.existsSync(pnpmPath)) {
       return pnpmPath;
     }
     // Fall back to whichBin.
@@ -5677,19 +6088,42 @@ async function getAgentVersion(agent, agentExecPath, cwd) {
   const quotedCmd = `\`${agent} ${constants.FLAG_VERSION}\``;
   require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
   try {
+    let stdout;
+
+    // Some package manager "executables" may resolve to non-executable wrapper scripts
+    // (e.g. the extensionless `npm` shim on Windows). Resolve the underlying entrypoint
+    // and run it with Node when it is a JS file.
+    let shouldRunWithNode = null;
+    if (constants.default.WIN32) {
+      try {
+        const resolved = bin.resolveBinPathSync(agentExecPath);
+        const ext = path.extname(resolved).toLowerCase();
+        if (ext === '.js' || ext === '.cjs' || ext === '.mjs') {
+          shouldRunWithNode = resolved;
+        }
+      } catch (e) {
+        require$$9.debugFn('warn', `Failed to resolve bin path for ${agentExecPath}, falling back to direct spawn.`);
+        require$$9.debugDir('error', e);
+      }
+    }
+    if (shouldRunWithNode) {
+      stdout = (await spawn.spawn(constants.default.execPath, [...constants.default.nodeNoWarningsFlags, shouldRunWithNode, constants.FLAG_VERSION], {
+        cwd
+      })).stdout;
+    } else {
+      stdout = (await spawn.spawn(agentExecPath, [constants.FLAG_VERSION], {
+        cwd,
+        // On Windows, package managers are often .cmd files that require shell execution.
+        // The spawn function from @socketsecurity/registry will handle this properly
+        // when shell is true.
+        shell: constants.default.WIN32
+      })).stdout;
+    }
     result =
     // Coerce version output into a valid semver version by passing it through
     // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
     // and tildes (~).
-    vendor.semverExports.coerce(
-    // All package managers support the "--version" flag.
-    (await spawn.spawn(agentExecPath, [constants.FLAG_VERSION], {
-      cwd,
-      // On Windows, package managers are often .cmd files that require shell execution.
-      // The spawn function from @socketsecurity/registry will handle this properly
-      // when shell is true.
-      shell: constants.default.WIN32
-    })).stdout) ?? undefined;
+    vendor.semverExports.coerce(stdout) ?? undefined;
   } catch (e) {
     require$$9.debugFn('error', `Package manager command failed: ${quotedCmd}`);
     require$$9.debugDir('inspect', {
@@ -5711,7 +6145,7 @@ async function detectPackageEnvironment({
   const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`) : await findUp(PACKAGE_JSON, {
     cwd
   });
-  const pkgPath = pkgJsonPath && fs$1.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
+  const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
   const editablePkgJson = pkgPath ? await packages.readPackageJson(pkgPath, {
     editable: true
   }) : undefined;
@@ -6266,7 +6700,7 @@ function parsePnpmLockfile(lockfileContent) {
   return require$$11.isObjectObject(result) ? result : null;
 }
 async function readPnpmLockfile(lockfilePath) {
-  return fs$1.existsSync(lockfilePath) ? await fs.readFileUtf8(lockfilePath) : undefined;
+  return fs.existsSync(lockfilePath) ? await fs$1.readFileUtf8(lockfilePath) : undefined;
 }
 function stripLeadingPnpmDepPathSlash(depPath) {
   return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath;
@@ -7041,7 +7475,6 @@ exports.getOrgSlugs = getOrgSlugs;
 exports.getOutputKind = getOutputKind;
 exports.getPackageFilesForScan = getPackageFilesForScan;
 exports.getPublicApiToken = getPublicApiToken;
-exports.getPurlObject = getPurlObject;
 exports.getRepoInfo = getRepoInfo;
 exports.getRepoName = getRepoName;
 exports.getSocketDevPackageOverviewUrlFromPurl = getSocketDevPackageOverviewUrlFromPurl;
@@ -7085,7 +7518,6 @@ exports.mdTableStringNumber = mdTableStringNumber;
 exports.meowOrExit = meowOrExit;
 exports.meowWithSubcommands = meowWithSubcommands;
 exports.msAtHome = msAtHome;
-exports.normalizePurl = normalizePurl;
 exports.parsePnpmLockfile = parsePnpmLockfile;
 exports.queryApiSafeJson = queryApiSafeJson;
 exports.queryApiSafeText = queryApiSafeText;
@@ -7120,5 +7552,5 @@ exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.webLink = webLink;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=a083299b-d999-403d-b54b-00740d629c69
+//# debugId=223b2750-92b4-4170-901e-7e9746f5b2c5
 //# sourceMappingURL=utils.js.map