@socketsecurity/cli-with-sentry 1.1.50 → 1.1.52

package/dist/cli.js

@@ -25,7 +25,6 @@ var registry = require('../external/@socketsecurity/registry');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var require$$0$1 = require('node:crypto');
 var require$$1 = require('node:util');
 var promises = require('node:stream/promises');
 
@@ -325,7 +324,7 @@ async function handleAnalytics({
   });
 }
 
-const CMD_NAME$y = 'analytics';
+const CMD_NAME$x = 'analytics';
 const description$F = 'Look up analytics data';
 const hidden$x = false;
 const cmdAnalytics = {
@@ -337,7 +336,7 @@ async function run$S(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$y,
+    commandName: CMD_NAME$x,
     description: description$F,
     hidden: hidden$x,
     flags: {
@@ -356,7 +355,7 @@ async function run$S(argv, importMeta, {
       $ ${command} [options] [ "org" | "repo" <reponame>] [TIME]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$y}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
 
     The scope is either org or repo level, defaults to org.
 
@@ -748,7 +747,7 @@ async function handleAuditLog({
   });
 }
 
-const CMD_NAME$x = 'audit-log';
+const CMD_NAME$w = 'audit-log';
 const description$E = 'Look up the audit log for an organization';
 const hidden$w = false;
 const cmdAuditLog = {
@@ -760,7 +759,7 @@ async function run$R(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$x,
+    commandName: CMD_NAME$w,
     description: description$E,
     hidden: hidden$w,
     flags: {
@@ -790,7 +789,7 @@ async function run$R(argv, importMeta, {
       $ ${command} [options] [FILTER]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
 
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit the ${utils.webLink(`${constants.default.SOCKET_WEBSITE_URL}/pricing`, 'Socket pricing page')}.
@@ -946,7 +945,8 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
 async function fetchSupportedScanFileNames(options) {
   const {
     sdkOpts,
-    spinner
+    spinner,
+    silence = false
   } = {
     __proto__: null,
     ...options
@@ -958,7 +958,8 @@ async function fetchSupportedScanFileNames(options) {
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
     description: 'supported scan file types',
-    spinner
+    spinner,
+    silence
   });
 }
 
@@ -1647,7 +1648,7 @@ async function performReachabilityAnalysis(options) {
   // Build Coana arguments.
   const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
-  ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : [])];
+  ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachLazyMode ? ['--lazy-mode'] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : [])];
 
   // Build environment variables.
   const coanaEnv = {};
@@ -2423,6 +2424,7 @@ async function handleCi(autoManifest) {
       reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
+      reachLazyMode: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -2720,7 +2722,7 @@ async function handleConfigAuto({
   await outputConfigAuto(key, result, outputKind);
 }
 
-const CMD_NAME$w = 'auto';
+const CMD_NAME$v = 'auto';
 const description$D = 'Automatically discover and set the correct value config item';
 const hidden$v = false;
 const cmdConfigAuto = {
@@ -2732,7 +2734,7 @@ async function run$P(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$w,
+    commandName: CMD_NAME$v,
     description: description$D,
     hidden: hidden$v,
     flags: {
@@ -3086,7 +3088,7 @@ async function handleConfigSet({
   await outputConfigSet(result, outputKind);
 }
 
-const CMD_NAME$v = 'set';
+const CMD_NAME$u = 'set';
 const description$C = 'Update the value of a local CLI config item';
 const hidden$u = false;
 const cmdConfigSet = {
@@ -3098,7 +3100,7 @@ async function run$M(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$v,
+    commandName: CMD_NAME$u,
     description: description$C,
     hidden: hidden$u,
     flags: {
@@ -3213,7 +3215,7 @@ async function handleConfigUnset({
   await outputConfigUnset(updateResult, outputKind);
 }
 
-const CMD_NAME$u = 'unset';
+const CMD_NAME$t = 'unset';
 const description$B = 'Clear the value of a local CLI config item';
 const hidden$t = false;
 const cmdConfigUnset = {
@@ -3225,7 +3227,7 @@ async function run$L(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$u,
+    commandName: CMD_NAME$t,
     description: description$B,
     hidden: hidden$t,
     flags: {
@@ -3730,6 +3732,7 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
     ecosystems,
+    silence = false,
     spinner
   } = {
     __proto__: null,
@@ -3737,7 +3740,7 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
   };
   const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
     cwd,
-    spinner,
+    spinner: silence ? undefined : spinner,
     coanaVersion: options?.coanaVersion
   }, {
     stdio: 'pipe'
@@ -3771,20 +3774,24 @@ async function coanaFix(fixConfig) {
     outputFile,
     prLimit,
     showAffectedDirectDependencies,
+    silence,
     spinner
   } = fixConfig;
   const fixEnv = await getFixEnv();
   require$$9.debugDir('inspect', {
     fixEnv
   });
-  spinner?.start();
+  if (!silence) {
+    spinner?.start();
+  }
   const sockSdkCResult = await utils.setupSdk();
   if (!sockSdkCResult.ok) {
     return sockSdkCResult;
   }
   const sockSdk = sockSdkCResult.data;
   const supportedFilesCResult = await fetchSupportedScanFileNames({
-    spinner
+    spinner: silence ? undefined : spinner,
+    silence
   });
   if (!supportedFilesCResult.ok) {
     return supportedFilesCResult;
@@ -3798,14 +3805,17 @@ async function coanaFix(fixConfig) {
   const filepathsToUpload = scanFilepaths.filter(p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON);
   const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload, cwd), {
     description: 'upload manifests',
-    spinner
+    spinner,
+    silence
   });
   if (!uploadCResult.ok) {
     return uploadCResult;
   }
   const tarHash = uploadCResult.data.tarHash;
   if (!tarHash) {
-    spinner?.stop();
+    if (!silence) {
+      spinner?.stop();
+    }
     return {
       ok: false,
       message: 'No tar hash returned from Socket API upload-manifest-files endpoint',
@@ -3816,12 +3826,12 @@ async function coanaFix(fixConfig) {
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
     // In local mode, if neither --all nor --id is provided, show deprecation warning.
-    if (shouldDiscoverGhsaIds && !all) {
+    if (!silence && shouldDiscoverGhsaIds && !all) {
       logger.logger.warn('Implicit --all is deprecated in local mode and will be removed in a future release. Please use --all explicitly.');
     }
 
     // Inform user about local mode when fixes will be applied.
-    if (applyFixes && ghsas.length) {
+    if (!silence && applyFixes && ghsas.length) {
       const envCheck = checkCiEnvVars();
       if (envCheck.present.length) {
         // Some CI vars are set but not all - show what's missing.
@@ -3839,10 +3849,13 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      silence,
       spinner
     }) : ghsas;
     if (ids.length === 0) {
-      spinner?.stop();
+      if (!silence) {
+        spinner?.stop();
+      }
       return {
         ok: true,
         data: {
@@ -3858,10 +3871,12 @@ async function coanaFix(fixConfig) {
       const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
         coanaVersion,
         cwd,
-        spinner,
-        stdio: 'inherit'
+        spinner: silence ? undefined : spinner,
+        stdio: silence ? 'pipe' : 'inherit'
       });
-      spinner?.stop();
+      if (!silence) {
+        spinner?.stop();
+      }
       if (!fixCResult.ok) {
         return fixCResult;
       }
@@ -3873,7 +3888,9 @@ async function coanaFix(fixConfig) {
 
       // Copy to outputFile if provided.
       if (outputFile) {
-        logger.logger.info(`Copying fixes result to ${outputFile}`);
+        if (!silence) {
+          logger.logger.info(`Copying fixes result to ${outputFile}`);
+        }
         const tmpContent = await fs$1.promises.readFile(tmpFile, 'utf8');
         await fs$1.promises.writeFile(outputFile, tmpContent, 'utf8');
       }
@@ -3919,6 +3936,7 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      silence,
       spinner
     }) : ghsas).slice(0, adjustedPrLimit);
   }
@@ -3929,7 +3947,9 @@ async function coanaFix(fixConfig) {
     require$$9.debugFn('notice', 'miss: no repo info detected');
   }
   if (!ids?.length || !fixEnv.repoInfo) {
-    spinner?.stop();
+    if (!silence) {
+      spinner?.stop();
+    }
     return {
       ok: true,
       data: {
@@ -3956,11 +3976,13 @@ async function coanaFix(fixConfig) {
     const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(debug ? ['--debug'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       coanaVersion,
       cwd,
-      spinner,
-      stdio: 'inherit'
+      spinner: silence ? undefined : spinner,
+      stdio: silence ? 'pipe' : 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${ghsaId}: ${utils.getErrorCause(fixCResult)}`);
+      if (!silence) {
+        logger.logger.error(`Update failed for ${ghsaId}: ${utils.getErrorCause(fixCResult)}`);
+      }
       continue ghsaLoop;
     }
 
@@ -3983,7 +4005,9 @@ async function coanaFix(fixConfig) {
       });
       if (existingOpenPrs.length > 0) {
         const prNum = existingOpenPrs[0].number;
-        logger.logger.info(`PR #${prNum} already exists for ${ghsaId}, skipping.`);
+        if (!silence) {
+          logger.logger.info(`PR #${prNum} already exists for ${ghsaId}, skipping.`);
+        }
         require$$9.debugFn('notice', `skip: open PR #${prNum} exists for ${ghsaId}`);
         continue ghsaLoop;
       }
@@ -4001,7 +4025,9 @@ async function coanaFix(fixConfig) {
 
       // Check for GitHub token before doing any git operations.
       if (!fixEnv.githubToken) {
-        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        if (!silence) {
+          logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        }
         require$$9.debugFn('error', `skip: missing GitHub token for ${ghsaId}`);
         continue ghsaLoop;
       }
@@ -4022,7 +4048,9 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitPushBranch(branch, cwd));
       if (!pushed) {
-        logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
+        if (!silence) {
+          logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
+        }
         // eslint-disable-next-line no-await-in-loop
         await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
         // eslint-disable-next-line no-await-in-loop
@@ -4049,23 +4077,29 @@ async function coanaFix(fixConfig) {
           data
         } = prResult.pr;
         const prRef = `PR #${data.number}`;
-        logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
+        if (!silence) {
+          logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
+        }
         if (autopilot) {
-          logger.logger.indent();
-          spinner?.indent();
+          if (!silence) {
+            logger.logger.indent();
+            spinner?.indent();
+          }
           // eslint-disable-next-line no-await-in-loop
           const {
             details,
             enabled
           } = await utils.enablePrAutoMerge(data);
-          if (enabled) {
-            logger.logger.info(`Auto-merge enabled for ${prRef}.`);
-          } else {
-            const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
-            logger.logger.error(message);
+          if (!silence) {
+            if (enabled) {
+              logger.logger.info(`Auto-merge enabled for ${prRef}.`);
+            } else {
+              const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
+              logger.logger.error(message);
+            }
+            logger.logger.dedent();
+            spinner?.dedent();
           }
-          logger.logger.dedent();
-          spinner?.dedent();
         }
 
         // Clean up local branch only - keep remote branch for PR merge.
@@ -4074,22 +4108,32 @@ async function coanaFix(fixConfig) {
       } else {
         // Handle PR creation failures.
         if (prResult.reason === 'already_exists') {
-          logger.logger.info(`PR already exists for ${ghsaId} (this should not happen due to earlier check).`);
+          if (!silence) {
+            logger.logger.info(`PR already exists for ${ghsaId} (this should not happen due to earlier check).`);
+          }
           // Don't delete branch - PR exists and needs it.
         } else if (prResult.reason === 'validation_error') {
-          logger.logger.error(`Failed to create PR for ${ghsaId}:\n${prResult.details}`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}:\n${prResult.details}`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         } else if (prResult.reason === 'permission_denied') {
-          logger.logger.error(`Failed to create PR for ${ghsaId}: Permission denied. Check SOCKET_CLI_GITHUB_TOKEN permissions.`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}: Permission denied. Check SOCKET_CLI_GITHUB_TOKEN permissions.`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         } else if (prResult.reason === 'network_error') {
-          logger.logger.error(`Failed to create PR for ${ghsaId}: Network error. Please try again.`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}: Network error. Please try again.`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         } else {
-          logger.logger.error(`Failed to create PR for ${ghsaId}: ${prResult.error.message}`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}: ${prResult.error.message}`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         }
@@ -4101,7 +4145,9 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
-      logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
+      if (!silence) {
+        logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
+      }
       require$$9.debugDir('error', e);
       // Clean up branches (push may have succeeded before error).
       // eslint-disable-next-line no-await-in-loop
@@ -4119,7 +4165,9 @@ async function coanaFix(fixConfig) {
       break ghsaLoop;
     }
   }
-  spinner?.stop();
+  if (!silence) {
+    spinner?.stop();
+  }
   return {
     ok: true,
     data: {
@@ -4150,7 +4198,13 @@ const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/;
  * Converts mixed CVE/GHSA/PURL IDs to GHSA IDs only.
  * Filters out invalid IDs and logs conversion results.
  */
-async function convertIdsToGhsas(ids) {
+async function convertIdsToGhsas(ids, options) {
+  const {
+    silence = false
+  } = {
+    __proto__: null,
+    ...options
+  };
   require$$9.debugFn('notice', `Converting ${ids.length} IDs to GHSA format`);
   require$$9.debugDir('inspect', {
     ids
@@ -4177,17 +4231,21 @@ async function convertIdsToGhsas(ids) {
       const conversionResult = await utils.convertCveToGhsa(trimmedId);
       if (conversionResult.ok) {
         validGhsas.push(conversionResult.data);
-        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data}`);
+        if (!silence) {
+          logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data}`);
+        }
       } else {
         errors.push(`${trimmedId}: ${conversionResult.message}`);
       }
     } else if (trimmedId.startsWith('pkg:')) {
-      // Convert PURL to GHSAs
+      // Convert PURL to GHSAs.
       // eslint-disable-next-line no-await-in-loop
       const conversionResult = await utils.convertPurlToGhsas(trimmedId);
       if (conversionResult.ok && conversionResult.data.length) {
         validGhsas.push(...conversionResult.data);
-        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${arrays.joinAnd(conversionResult.data)}`);
+        if (!silence) {
+          logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${arrays.joinAnd(conversionResult.data)}`);
+        }
       } else {
         errors.push(`${trimmedId}: ${conversionResult.message || 'No GHSAs found'}`);
       }
@@ -4197,7 +4255,9 @@ async function convertIdsToGhsas(ids) {
     }
   }
   if (errors.length) {
-    logger.logger.warn(`Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+    if (!silence) {
+      logger.logger.warn(`Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+    }
     require$$9.debugDir('inspect', {
       errors
     });
@@ -4229,6 +4289,7 @@ async function handleFix({
   prLimit,
   rangeStyle,
   showAffectedDirectDependencies,
+  silence,
   spinner,
   unknownFlags
 }) {
@@ -4253,6 +4314,7 @@ async function handleFix({
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     unknownFlags
   });
   await outputFixResult(await coanaFix({
@@ -4266,7 +4328,9 @@ async function handleFix({
     ecosystems,
     exclude,
     // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
-    ghsas: await convertIdsToGhsas(ghsas),
+    ghsas: await convertIdsToGhsas(ghsas, {
+      silence
+    }),
     include,
     minimumReleaseAge,
     minSatisfying,
@@ -4276,12 +4340,13 @@ async function handleFix({
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     spinner,
     unknownFlags
   }), outputKind);
 }
 
-const CMD_NAME$t = 'fix';
+const CMD_NAME$s = 'fix';
 const DEFAULT_LIMIT = 10;
 const description$z = 'Fix CVEs in dependencies';
 const hidden$s = false;
@@ -4386,6 +4451,11 @@ Available styles:
     type: 'boolean',
     default: false,
     description: 'List the direct dependencies responsible for introducing transitive vulnerabilities and list the updates required to resolve the vulnerabilities'
+  },
+  silence: {
+    type: 'boolean',
+    default: false,
+    description: 'Silence all output except the final result'
   }
 };
 const hiddenFlags = {
@@ -4440,7 +4510,7 @@ async function run$K(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$t,
+    commandName: CMD_NAME$s,
     description: description$z,
     hidden: hidden$s,
     flags: {
@@ -4454,7 +4524,7 @@ async function run$K(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$t}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$s}`)}
 
     Options
       ${utils.getFlagListOutput({
@@ -4511,6 +4581,7 @@ async function run$K(argv, importMeta, {
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     // We patched in this feature with `npx custompatch meow` at
     // socket-cli/patches/meow#13.2.0.patch.
     unknownFlags = []
@@ -4559,7 +4630,7 @@ async function run$K(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_NOT_SAVING);
     return;
   }
-  const orgSlugCResult = await utils.getDefaultOrgSlug();
+  const orgSlugCResult = await utils.getDefaultOrgSlug(silence);
   if (!orgSlugCResult.ok) {
     process.exitCode = orgSlugCResult.code ?? 1;
     logger.logger.fail(`${constants.ERROR_UNABLE_RESOLVE_ORG}.\nEnsure a Socket API token is specified for the organization using the SOCKET_CLI_API_TOKEN environment variable.`);
@@ -4596,6 +4667,7 @@ async function run$K(argv, importMeta, {
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     spinner,
     unknownFlags
   });
@@ -4995,7 +5067,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   }
 }
 
-const CMD_NAME$s = 'login';
+const CMD_NAME$r = 'login';
 const description$x = 'Setup Socket CLI with an API token and defaults';
 const hidden$r = false;
 const cmdLogin = {
@@ -5007,7 +5079,7 @@ async function run$H(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$s,
+    commandName: CMD_NAME$r,
     description: description$x,
     hidden: hidden$r,
     flags: {
@@ -5028,7 +5100,7 @@ async function run$H(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$s}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
 
     Logs into the Socket API by prompting for an API token
 
@@ -6770,7 +6842,7 @@ async function run$y(argv, importMeta, {
 }
 
 const require$5 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
-const CMD_NAME$r = constants.NPM;
+const CMD_NAME$q = constants.NPM;
 const description$w = 'Wraps npm with Socket security scanning';
 const hidden$q = false;
 const cmdNpm = {
@@ -6786,7 +6858,7 @@ async function run$x(argv, importMeta, context) {
     ...context
   };
   const config = {
-    commandName: CMD_NAME$r,
+    commandName: CMD_NAME$q,
     description: description$w,
     hidden: hidden$q,
     flags: {
@@ -6797,7 +6869,7 @@ async function run$x(argv, importMeta, context) {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
 
     Note: Everything after "${constants.NPM}" is passed to the ${constants.NPM} command.
           Only the \`${constants.FLAG_DRY_RUN}\` and \`${constants.FLAG_HELP}\` flags are caught here.
@@ -6856,7 +6928,7 @@ async function run$x(argv, importMeta, context) {
 }
 
 const require$4 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
-const CMD_NAME$q = constants.NPX;
+const CMD_NAME$p = constants.NPX;
 const description$v = 'Wraps npx with Socket security scanning';
 const hidden$p = false;
 const cmdNpx = {
@@ -6868,7 +6940,7 @@ async function run$w(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$q,
+    commandName: CMD_NAME$p,
     description: description$v,
     hidden: hidden$p,
     flags: {
@@ -6879,7 +6951,7 @@ async function run$w(argv, importMeta, {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$p}`)}
 
     Note: Everything after "${constants.NPX}" is passed to the ${constants.NPX} command.
           Only the \`${constants.FLAG_DRY_RUN}\` and \`${constants.FLAG_HELP}\` flags are caught here.
@@ -7390,7 +7462,7 @@ async function listPackages(pkgEnvDetails, options) {
   }
 }
 
-const CMD_NAME$p = 'socket optimize';
+const CMD_NAME$o = 'socket optimize';
 
 const {
   BUN,
@@ -7562,7 +7634,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   npmExecPath === constants.NPM && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     spinner?.stop();
-    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$p, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
+    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$o, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
     spinner?.start();
   }
   const overridesDataObjects = [];
@@ -7790,7 +7862,7 @@ async function applyOptimization(pkgEnvDetails, {
   const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
   if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
     const result = await updateLockfile(pkgEnvDetails, {
-      cmdName: CMD_NAME$p,
+      cmdName: CMD_NAME$o,
       logger: logger.logger,
       spinner
     });
@@ -7859,7 +7931,7 @@ async function handleOptimize({
     prod
   });
   const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$p,
+    cmdName: CMD_NAME$o,
     logger: logger.logger,
     prod
   });
@@ -7897,7 +7969,7 @@ async function handleOptimize({
     await outputOptimizeResult({
       ok: false,
       message: 'Unsupported',
-      cause: utils.cmdPrefixMessage(CMD_NAME$p, `${agent} v${agentVersion} does not support overrides.`)
+      cause: utils.cmdPrefixMessage(CMD_NAME$o, `${agent} v${agentVersion} does not support overrides.`)
     }, outputKind);
     return;
   }
@@ -7917,7 +7989,7 @@ async function handleOptimize({
   await outputOptimizeResult(optimizationResult, outputKind);
 }
 
-const CMD_NAME$o = 'optimize';
+const CMD_NAME$n = 'optimize';
 const description$u = 'Optimize dependencies with @socketregistry overrides';
 const hidden$o = false;
 const cmdOptimize = {
@@ -7929,7 +8001,7 @@ async function run$u(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$o,
+    commandName: CMD_NAME$n,
     description: description$u,
     hidden: hidden$o,
     flags: {
@@ -7950,7 +8022,7 @@ async function run$u(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$o}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$n}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8103,7 +8175,7 @@ async function handleDependencies({
   });
 }
 
-const CMD_NAME$n = 'dependencies';
+const CMD_NAME$m = 'dependencies';
 const description$t = 'Search for any dependency that is being used in your organization';
 const hidden$n = false;
 const cmdOrganizationDependencies = {
@@ -8115,7 +8187,7 @@ async function run$t(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$n,
+    commandName: CMD_NAME$m,
     description: description$t,
     hidden: hidden$n,
     flags: {
@@ -8137,7 +8209,7 @@ async function run$t(argv, importMeta, {
       ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$n}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8237,7 +8309,7 @@ async function handleLicensePolicy(orgSlug, outputKind) {
   await outputLicensePolicy(data, outputKind);
 }
 
-const CMD_NAME$m = 'license';
+const CMD_NAME$l = 'license';
 const description$s = 'Retrieve the license policy of an organization';
 const hidden$m = false;
 const cmdOrganizationPolicyLicense = {
@@ -8249,7 +8321,7 @@ async function run$s(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$m,
+    commandName: CMD_NAME$l,
     description: description$s,
     hidden: hidden$m,
     flags: {
@@ -8270,7 +8342,7 @@ async function run$s(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8373,7 +8445,7 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
   await outputSecurityPolicy(data, outputKind);
 }
 
-const CMD_NAME$l = 'security';
+const CMD_NAME$k = 'security';
 const description$r = 'Retrieve the security policy of an organization';
 const hidden$l = true;
 const cmdOrganizationPolicySecurity = {
@@ -8385,7 +8457,7 @@ async function run$r(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$l,
+    commandName: CMD_NAME$k,
     description: description$r,
     hidden: hidden$l,
     flags: {
@@ -8406,7 +8478,7 @@ async function run$r(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8518,7 +8590,7 @@ async function handleOrganizationList(outputKind = 'text') {
   await outputOrganizationList(data, outputKind);
 }
 
-const CMD_NAME$k = 'list';
+const CMD_NAME$j = 'list';
 const description$q = 'List organizations associated with the Socket API token';
 const hidden$k = false;
 const cmdOrganizationList = {
@@ -8530,7 +8602,7 @@ async function run$q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$k,
+    commandName: CMD_NAME$j,
     description: description$q,
     hidden: hidden$k,
     flags: {
@@ -8542,7 +8614,7 @@ async function run$q(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8984,7 +9056,7 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
   };
 }
 
-const CMD_NAME$j = 'score';
+const CMD_NAME$i = 'score';
 const description$n = 'Look up score for one package which reflects all of its transitive dependencies as well';
 const hidden$j = false;
 const cmdPackageScore = {
@@ -8996,7 +9068,7 @@ async function run$o(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$j,
+    commandName: CMD_NAME$i,
     description: description$n,
     hidden: hidden$j,
     flags: {
@@ -9008,7 +9080,7 @@ async function run$o(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <NAME> | <PURL>>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9375,7 +9447,7 @@ async function handlePurlsShallowScore({
   outputPurlsShallowScore(purls, packageData, outputKind);
 }
 
-const CMD_NAME$i = 'shallow';
+const CMD_NAME$h = 'shallow';
 const description$m = 'Look up info regarding one or more packages but not their transitives';
 const hidden$i = false;
 const cmdPackageShallow = {
@@ -9394,7 +9466,7 @@ async function run$n(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$i,
+    commandName: CMD_NAME$h,
     description: description$m,
     hidden: hidden$i,
     flags: {
@@ -9406,7 +9478,7 @@ async function run$n(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <PKGNAME> [<PKGNAME> ...] | <PURL> [<PURL> ...]>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9508,472 +9580,48 @@ const cmdPackage = {
   }
 };
 
-const PatchRecordSchema = vendor.object({
-  exportedAt: vendor.string(),
-  files: vendor.record(vendor.string(),
-  // File path
-  vendor.object({
-    beforeHash: vendor.string(),
-    afterHash: vendor.string()
-  })),
-  vulnerabilities: vendor.record(vendor.string(),
-  // Vulnerability ID like "GHSA-jrhj-2j3q-xf3v"
-  vendor.object({
-    cves: vendor.array(vendor.string()),
-    summary: vendor.string(),
-    severity: vendor.string(),
-    description: vendor.string(),
-    patchExplanation: vendor.string()
-  }))
-});
-const PatchManifestSchema = vendor.object({
-  patches: vendor.record(
-  // Package identifier like "npm:simplehttpserver@0.0.6".
-  vendor.string(), PatchRecordSchema)
-});
-
-async function outputPatchResult(result, outputKind) {
-  if (!result.ok) {
-    process.exitCode = result.code ?? 1;
-  }
-  if (outputKind === constants.OUTPUT_JSON) {
-    logger.logger.log(utils.serializeResultJson(result));
-    return;
-  }
-  if (!result.ok) {
-    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
-    return;
-  }
+const description$k = 'Manage CVE patches for dependencies';
+const hidden$h = false;
+const cmdPatch = {
+  description: description$k,
+  hidden: hidden$h,
+  run: run$m
+};
+async function run$m(argv, _importMeta, _context) {
   const {
-    patched
-  } = result.data;
-  logger.logger.log('');
-  if (patched.length) {
-    logger.logger.group(`Successfully processed patches for ${patched.length} ${words.pluralize('package', patched.length)}:`);
-    for (const pkg of patched) {
-      logger.logger.success(pkg);
-    }
-    logger.logger.groupEnd();
-  } else {
-    logger.logger.warn('No packages found requiring patches.');
-  }
-  logger.logger.log('');
-  logger.logger.success('Patch command completed!');
-}
+    ENV
+  } = constants.default;
 
-async function applyNpmPatches(socketDir, patches, options) {
-  const {
-    cwd = process.cwd(),
-    dryRun = false,
-    purlObjs,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.start();
-  const patchLookup = new Map();
-  for (const patchInfo of patches) {
-    patchLookup.set(patchInfo.purl, patchInfo);
-  }
-  const nmPaths = await findNodeModulesPaths(cwd);
-  spinner?.stop();
-  logger.logger.log(`Found ${nmPaths.length} ${constants.NODE_MODULES} ${words.pluralize('folder', nmPaths.length)}`);
-  logger.logger.group('');
-  spinner?.start();
-  const result = {
-    passed: [],
-    failed: []
-  };
-  for (const nmPath of nmPaths) {
-    // eslint-disable-next-line no-await-in-loop
-    const dirNames = await fs$2.readDirNames(nmPath);
-    for (const dirName of dirNames) {
-      const isScoped = dirName.startsWith('@');
-      const pkgPath = path.join(nmPath, dirName);
-      const pkgSubNames = isScoped ?
-      // eslint-disable-next-line no-await-in-loop
-      await fs$2.readDirNames(pkgPath) : [dirName];
-      for (const pkgSubName of pkgSubNames) {
-        const dirFullName = isScoped ? `${dirName}/${pkgSubName}` : pkgSubName;
-        const pkgPath = path.join(nmPath, dirFullName);
-        // eslint-disable-next-line no-await-in-loop
-        const pkgJson = await packages.readPackageJson(pkgPath, {
-          throws: false
-        });
-        if (!strings.isNonEmptyString(pkgJson?.name) || !strings.isNonEmptyString(pkgJson?.version)) {
-          continue;
-        }
-        const purl = `pkg:npm/${pkgJson.name}@${pkgJson.version}`;
-        const purlObj = utils.getPurlObject(purl, {
-          throws: false
-        });
-        if (!purlObj) {
-          continue;
-        }
+  // Map socket-cli environment to socket-patch options.
+  // Only include properties with defined values (exactOptionalPropertyTypes).
+  const options = {};
 
-        // Skip if specific packages requested and this isn't one of them
-        if (purlObjs?.length && purlObjs.findIndex(p => p.type === constants.NPM && p.namespace === purlObj.namespace && p.name === purlObj.name) === -1) {
-          continue;
-        }
-        const patchInfo = patchLookup.get(purl);
-        if (!patchInfo) {
-          continue;
-        }
-        spinner?.stop();
-        logger.logger.log(`Found match: ${pkgJson.name}@${pkgJson.version} at ${pkgPath}`);
-        logger.logger.log(`Patch key: ${patchInfo.key}`);
-        logger.logger.group(`Processing files:`);
-        spinner?.start();
-        let passed = true;
-        for (const {
-          0: fileName,
-          1: fileInfo
-        } of Object.entries(patchInfo.patch.files)) {
-          // eslint-disable-next-line no-await-in-loop
-          const filePatchPassed = await processFilePatch(pkgPath, fileName, fileInfo, socketDir, {
-            dryRun,
-            spinner
-          });
-          if (!filePatchPassed) {
-            passed = false;
-          }
-        }
-        logger.logger.groupEnd();
-        if (passed) {
-          result.passed.push(purl);
-        } else {
-          result.failed.push(purl);
-        }
-      }
-    }
+  // Strip /v0/ suffix from API URL if present.
+  const apiUrl = ENV.SOCKET_CLI_API_BASE_URL?.replace(/\/v0\/?$/, '');
+  if (apiUrl) {
+    options.apiUrl = apiUrl;
   }
-  spinner?.stop();
-  logger.logger.groupEnd();
-  if (wasSpinning) {
-    spinner.start();
+  if (ENV.SOCKET_CLI_API_TOKEN) {
+    options.apiToken = ENV.SOCKET_CLI_API_TOKEN;
   }
-  return result;
-}
-
-/**
- * Compute SHA256 hash of file contents.
- */
-async function computeSHA256(filepath) {
-  try {
-    const content = await fs$1.promises.readFile(filepath);
-    const hash = require$$0$1.createHash('sha256');
-    hash.update(content);
-    return {
-      ok: true,
-      data: hash.digest('hex')
-    };
-  } catch (e) {
-    return {
-      ok: false,
-      message: 'Failed to compute file hash',
-      cause: `Unable to read file ${filepath}: ${utils.getErrorCause(e)}`
-    };
-  }
-}
-async function findNodeModulesPaths(cwd) {
-  const rootNmPath = await utils.findUp(constants.NODE_MODULES, {
-    cwd,
-    onlyDirectories: true
-  });
-  if (!rootNmPath) {
-    return [];
-  }
-  return await vendor.outExports.glob([`**/${constants.NODE_MODULES}`], {
-    absolute: true,
-    cwd: path.dirname(rootNmPath),
-    dot: true,
-    followSymbolicLinks: false,
-    onlyDirectories: true
-  });
-}
-async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options) {
-  const {
-    dryRun,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.stop();
-  const filepath = path.join(pkgPath, fileName);
-  if (!fs$1.existsSync(filepath)) {
-    logger.logger.log(`File not found: ${fileName}`);
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
+  if (ENV.SOCKET_CLI_ORG_SLUG) {
+    options.orgSlug = ENV.SOCKET_CLI_ORG_SLUG;
   }
-  const currentHashResult = await computeSHA256(filepath);
-  if (!currentHashResult.ok) {
-    logger.logger.log(`Failed to compute hash for: ${fileName}: ${currentHashResult.cause || currentHashResult.message}`);
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  if (currentHashResult.data === fileInfo.afterHash) {
-    logger.logger.success(`File already patched: ${fileName}`);
-    logger.logger.group();
-    logger.logger.log(`Current hash: ${currentHashResult.data}`);
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return true;
+  if (ENV.SOCKET_PATCH_PROXY_URL) {
+    options.patchProxyUrl = ENV.SOCKET_PATCH_PROXY_URL;
   }
-  if (currentHashResult.data !== fileInfo.beforeHash) {
-    logger.logger.fail(`File hash mismatch: ${fileName}`);
-    logger.logger.group();
-    logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
-    logger.logger.log(`Current:  ${currentHashResult.data}`);
-    logger.logger.log(`Target:   ${fileInfo.afterHash}`);
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
+  if (ENV.SOCKET_CLI_API_PROXY) {
+    options.httpProxy = ENV.SOCKET_CLI_API_PROXY;
   }
-  logger.logger.success(`File matches expected hash: ${fileName}`);
-  logger.logger.group();
-  logger.logger.log(`Current hash: ${currentHashResult.data}`);
-  logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
-  logger.logger.group();
-  if (dryRun) {
-    logger.logger.log(`(dry run - no changes made)`);
-    logger.logger.groupEnd();
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
-  if (!fs$1.existsSync(blobPath)) {
-    logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
-    logger.logger.groupEnd();
-    logger.logger.groupEnd();
-    if (wasSpinning) {
-      spinner?.start();
-    }
-    return false;
-  }
-  spinner?.start();
-  let result = true;
-  try {
-    await fs$1.promises.copyFile(blobPath, filepath);
-
-    // Verify the hash after copying to ensure file integrity.
-    const verifyHashResult = await computeSHA256(filepath);
-    if (!verifyHashResult.ok) {
-      logger.logger.error(`Failed to verify hash after patch: ${verifyHashResult.cause || verifyHashResult.message}`);
-      result = false;
-    } else if (verifyHashResult.data !== fileInfo.afterHash) {
-      logger.logger.error(`Hash verification failed after patch`);
-      logger.logger.group();
-      logger.logger.log(`Expected: ${fileInfo.afterHash}`);
-      logger.logger.log(`Got:      ${verifyHashResult.data}`);
-      logger.logger.groupEnd();
-      result = false;
-    } else {
-      logger.logger.success(`Patch applied successfully`);
-    }
-  } catch (e) {
-    logger.logger.error('Error applying patch');
-    require$$9.debugDir('error', e);
-    result = false;
-  }
-  logger.logger.groupEnd();
-  logger.logger.groupEnd();
-  spinner?.stop();
-  if (wasSpinning) {
-    spinner?.start();
-  }
-  return result;
-}
-async function handlePatch({
-  cwd,
-  dryRun,
-  outputKind,
-  purlObjs,
-  spinner
-}) {
-  try {
-    const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET_DIR);
-    const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
-    const manifestContent = await fs$1.promises.readFile(manifestPath, constants.UTF8);
-    const manifestData = JSON.parse(manifestContent);
-    const purls = purlObjs.map(String);
-    const validated = PatchManifestSchema.parse(manifestData);
-
-    // Parse PURLs and group by ecosystem.
-    const patchesByEcosystem = new Map();
-    for (const {
-      0: key,
-      1: patch
-    } of Object.entries(validated.patches)) {
-      const purl = utils.normalizePurl(key);
-      if (purls.length && !purls.includes(purl)) {
-        continue;
-      }
-      const purlObj = utils.getPurlObject(purl, {
-        throws: false
-      });
-      if (!purlObj) {
-        continue;
-      }
-      let patches = patchesByEcosystem.get(purlObj.type);
-      if (!Array.isArray(patches)) {
-        patches = [];
-        patchesByEcosystem.set(purlObj.type, patches);
-      }
-      patches.push({
-        key,
-        patch,
-        purl,
-        purlObj
-      });
-    }
-    if (purls.length) {
-      spinner.start(`Checking patches for: ${arrays.joinAnd(purls)}`);
-    } else {
-      spinner.start('Scanning all dependencies for available patches');
-    }
-    const patched = [];
-    const npmPatches = patchesByEcosystem.get(constants.NPM);
-    if (npmPatches) {
-      const patchingResults = await applyNpmPatches(dotSocketDirPath, npmPatches, {
-        cwd,
-        dryRun,
-        purlObjs,
-        spinner
-      });
-      patched.push(...patchingResults.passed);
-    }
-    spinner.stop();
-    await outputPatchResult({
-      ok: true,
-      data: {
-        patched
-      }
-    }, outputKind);
-  } catch (e) {
-    spinner.stop();
-    let message = 'Failed to apply patches';
-    let cause = utils.getErrorCause(e);
-    if (e instanceof SyntaxError) {
-      message = `Invalid JSON in ${constants.MANIFEST_JSON}`;
-      cause = e.message;
-    } else if (e instanceof Error && 'issues' in e) {
-      message = 'Schema validation failed';
-      cause = String(e);
-    }
-    await outputPatchResult({
-      ok: false,
-      code: 1,
-      message,
-      cause
-    }, outputKind);
+  if (ENV.SOCKET_CLI_DEBUG) {
+    options.debug = ENV.SOCKET_CLI_DEBUG;
   }
-}
-
-const CMD_NAME$h = 'patch';
-const description$k = 'Apply CVE patches to dependencies';
-const hidden$h = true;
-const cmdPatch = {
-  description: description$k,
-  hidden: hidden$h,
-  run: run$m
-};
-async function run$m(argv, importMeta, {
-  parentName
-}) {
-  const config = {
-    commandName: CMD_NAME$h,
-    description: description$k,
-    hidden: hidden$h,
-    flags: {
-      ...flags.commonFlags,
-      ...flags.outputFlags,
-      purl: {
-        type: 'string',
-        default: [],
-        description: 'Specify purls to patch, as either a comma separated value or as multiple flags',
-        isMultiple: true,
-        shortFlag: 'p'
-      }
-    },
-    help: (command, config) => `
-    Usage
-      $ ${command} [options] [CWD=.]
 
-    API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
-
-    Options
-      ${utils.getFlagListOutput(config.flags)}
-
-    Examples
-      $ ${command}
-      $ ${command} --package lodash
-      $ ${command} ./path/to/project --package lodash,react
-    `
-  };
-  const cli = utils.meowOrExit({
-    argv,
-    config,
-    parentName,
-    importMeta
-  }, {
-    allowUnknownFlags: false
-  });
-  const {
-    dryRun,
-    json,
-    markdown
-  } = cli.flags;
-  const outputKind = utils.getOutputKind(json, markdown);
-  const wasValidInput = utils.checkCommandInput(outputKind, {
-    nook: true,
-    test: !json || !markdown,
-    message: 'The json and markdown flags cannot be both set, pick one',
-    fail: 'omit one'
-  });
-  if (!wasValidInput) {
-    return;
+  // Forward all arguments to socket-patch.
+  const exitCode = await vendor.runExports.runPatch([...argv], options);
+  if (exitCode !== 0) {
+    process.exitCode = exitCode;
   }
-  let [cwd = '.'] = cli.input;
-  // Note: path.resolve vs .join:
-  // If given path is absolute then cwd should not affect it.
-  cwd = path.resolve(process.cwd(), cwd);
-  const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET_DIR);
-  if (!fs$1.existsSync(dotSocketDirPath)) {
-    throw new utils.InputError(`No ${constants.DOT_SOCKET_DIR} directory found in current directory`);
-  }
-  const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
-  if (!fs$1.existsSync(manifestPath)) {
-    throw new utils.InputError(`No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET_DIR} directory`);
-  }
-  const {
-    spinner
-  } = constants.default;
-  const purlObjs = arrays.arrayUnique(utils.cmdFlagValueToArray(cli.flags['purl'])).map(p => utils.getPurlObject(p, {
-    throws: false
-  })).filter(Boolean);
-  await handlePatch({
-    cwd,
-    dryRun,
-    outputKind,
-    purlObjs,
-    spinner
-  });
 }
 
 const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
@@ -11251,6 +10899,12 @@ const reachabilityFlags = {
     isMultiple: true,
     description: 'List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.'
   },
+  reachLazyMode: {
+    type: 'boolean',
+    default: false,
+    description: 'Enable lazy mode for reachability analysis.',
+    hidden: true
+  },
   reachSkipCache: {
     type: 'boolean',
     default: false,
@@ -11503,6 +11157,7 @@ async function run$d(argv, importMeta, {
     reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
+    reachLazyMode,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion,
@@ -11634,7 +11289,7 @@ async function run$d(argv, importMeta, {
   const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
   const isUsingNonDefaultVersion = reachVersion !== reachabilityFlags['reachVersion']?.default;
-  const isUsingAnyReachabilityFlags = hasReachEcosystems || hasReachExcludePaths || isUsingNonDefaultAnalytics || isUsingNonDefaultConcurrency || isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultVersion || reachDisableAnalysisSplitting || reachSkipCache || reachUseOnlyPregeneratedSboms;
+  const isUsingAnyReachabilityFlags = hasReachEcosystems || hasReachExcludePaths || isUsingNonDefaultAnalytics || isUsingNonDefaultConcurrency || isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultVersion || reachDisableAnalysisSplitting || reachLazyMode || reachSkipCache || reachUseOnlyPregeneratedSboms;
 
   // Validate target constraints when --reach is enabled.
   const reachTargetValidation = reach ? await validateReachabilityTarget(targets, cwd) : {
@@ -11727,6 +11382,7 @@ async function run$d(argv, importMeta, {
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
+      reachLazyMode: Boolean(reachLazyMode),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
@@ -12377,6 +12033,7 @@ async function scanOneRepo(repoSlug, {
       reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
+      reachLazyMode: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -13666,6 +13323,7 @@ async function run$7(argv, importMeta, {
     reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
+    reachLazyMode,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion
@@ -13766,6 +13424,7 @@ async function run$7(argv, importMeta, {
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
+      reachLazyMode: Boolean(reachLazyMode),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion
@@ -15680,5 +15339,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=3f5f54d9-596a-4c89-8916-eb66d170a333
+//# debugId=5b7cab4d-0164-4136-aa68-598e06dbdd58
 //# sourceMappingURL=cli.js.map