@socketsecurity/cli-with-sentry 1.1.8 → 1.1.12

package/dist/utils.js

@@ -11,21 +11,21 @@ var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var sorts = require('../external/@socketsecurity/registry/lib/sorts');
 var spinner = require('../external/@socketsecurity/registry/lib/spinner');
 var words = require('../external/@socketsecurity/registry/lib/words');
-var Module = require('node:module');
-var path = require('node:path');
 var flags = require('./flags.js');
+var path = require('node:path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs = require('../external/@socketsecurity/registry/lib/fs');
+var require$$5 = require('node:module');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var fs$1 = require('node:fs');
+var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var promises = require('node:timers/promises');
 var npm = require('../external/@socketsecurity/registry/lib/npm');
-var globs = require('../external/@socketsecurity/registry/lib/globs');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
+var globs = require('../external/@socketsecurity/registry/lib/globs');
 var streams = require('../external/@socketsecurity/registry/lib/streams');
-var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 const sensitiveConfigKeyLookup = new Set(['apiToken']);
@@ -92,20 +92,30 @@ function findSocketYmlSync(dir = process.cwd()) {
     if (typeof yml === 'string') {
       try {
         return {
-          path: ymlPath,
-          parsed: vendor.configExports.parseSocketConfig(yml)
+          ok: true,
+          data: {
+            path: ymlPath,
+            parsed: vendor.configExports.parseSocketConfig(yml)
+          }
         };
       } catch (e) {
         require$$9.debugDir('inspect', {
           error: e
         });
-        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+        return {
+          ok: false,
+          message: `Found file but was unable to parse ${ymlPath}`,
+          cause: e instanceof Error ? e.message : String(e)
+        };
       }
     }
     prevDir = dir;
     dir = path.join(dir, '..');
   }
-  return undefined;
+  return {
+    ok: true,
+    data: undefined
+  };
 }
 function getConfigValue(key) {
   const localConfig = getConfigValues();
@@ -256,6 +266,22 @@ function updateConfigValue(configKey, value) {
   };
 }
 
+const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
+let _requirements;
+function getRequirements() {
+  if (_requirements === undefined) {
+    _requirements = /*@__PURE__*/require$2(path.join(constants.default.rootPath, 'requirements.json'));
+  }
+  return _requirements;
+}
+
+/**
+ * Convert command path to requirements key.
+ */
+function getRequirementsKey(cmdPath) {
+  return cmdPath.replace(/^socket[: ]/, '').replace(/ +/g, ':');
+}
+
 const TOKEN_PREFIX = 'sktsec_';
 const TOKEN_PREFIX_LENGTH = TOKEN_PREFIX.length;
 const TOKEN_VISIBLE_LENGTH = 5;
@@ -330,10 +356,14 @@ async function setupSdk(options) {
   return {
     ok: true,
     data: new vendor.distExports.SocketSdk(apiToken, {
-      agent: apiProxy ? new ProxyAgent({
-        proxy: apiProxy
-      }) : undefined,
-      baseUrl: apiBaseUrl,
+      ...(apiProxy ? {
+        agent: new ProxyAgent({
+          proxy: apiProxy
+        })
+      } : {}),
+      ...(apiBaseUrl ? {
+        baseUrl: apiBaseUrl
+      } : {}),
       timeout: constants.default.ENV.SOCKET_CLI_API_TIMEOUT,
       userAgent: vendor.distExports.createUserAgentFromPkgJson({
         name: constants.default.ENV.INLINED_SOCKET_CLI_NAME,
@@ -345,6 +375,32 @@ async function setupSdk(options) {
 }
 
 const NO_ERROR_MESSAGE = 'No error message returned';
+/**
+ * Get command requirements from requirements.json based on command path.
+ */
+function getCommandRequirements(cmdPath) {
+  if (!cmdPath) {
+    return undefined;
+  }
+  const requirements = getRequirements();
+  const key = getRequirementsKey(cmdPath);
+  return requirements.api[key] || undefined;
+}
+
+/**
+ * Log required permissions for a command when encountering 403 errors.
+ */
+function logPermissionsFor403(cmdPath) {
+  const requirements = getCommandRequirements(cmdPath);
+  if (!requirements?.permissions?.length) {
+    return;
+  }
+  logger.logger.error('This command requires the following API permissions:');
+  for (const permission of requirements.permissions) {
+    logger.logger.error(`  - ${permission}`);
+  }
+  logger.logger.error('Please ensure your API token has the required permissions.');
+}
 
 // The Socket API server that should be used for operations.
 function getDefaultApiBaseUrl() {
@@ -355,6 +411,10 @@ function getDefaultApiBaseUrl() {
   const API_V0_URL = constants.default.API_V0_URL;
   return API_V0_URL;
 }
+
+/**
+ * Get user-friendly error message for HTTP status codes.
+ */
 async function getErrorMessageForHttpStatusCode(code) {
   if (code === 400) {
     return 'One of the options passed might be incorrect';
@@ -370,8 +430,12 @@ async function getErrorMessageForHttpStatusCode(code) {
   }
   return `Server responded with status code ${code}`;
 }
+/**
+ * Handle Socket SDK API calls with error handling and permission logging.
+ */
 async function handleApiCall(value, options) {
   const {
+    commandPath,
     description,
     spinner
   } = {
@@ -399,7 +463,7 @@ async function handleApiCall(value, options) {
     spinner?.stop();
     const socketSdkErrorResult = {
       ok: false,
-      message: 'Socket API returned an error',
+      message: 'Socket API error',
       cause: vendor.messageWithCauses(e)
     };
     if (description) {
@@ -430,12 +494,17 @@ async function handleApiCall(value, options) {
     const cause = reason && message !== reason ? `${message} (reason: ${reason})` : message;
     const socketSdkErrorResult = {
       ok: false,
-      message: 'Socket API returned an error',
+      message: 'Socket API error',
       cause,
       data: {
         code: sdkResult.status
       }
     };
+
+    // Log required permissions for 403 errors when in a command context.
+    if (commandPath && sdkResult.status === 403) {
+      logPermissionsFor403(commandPath);
+    }
     return socketSdkErrorResult;
   }
   const socketSdkSuccessResult = {
@@ -454,7 +523,7 @@ async function handleApiCallNoSpinner(value, description) {
       error: e
     });
     const errStr = e ? String(e).trim() : '';
-    const message = 'Socket API returned an error';
+    const message = 'Socket API error';
     const rawCause = errStr || NO_ERROR_MESSAGE;
     const cause = message !== rawCause ? rawCause : '';
     return {
@@ -479,7 +548,7 @@ async function handleApiCallNoSpinner(value, description) {
     const cause = reason && message !== reason ? `${message} (reason: ${reason})` : message;
     return {
       ok: false,
-      message: 'Socket API returned an error',
+      message: 'Socket API error',
       cause,
       data: {
         code: sdkResult.status
@@ -494,9 +563,9 @@ async function handleApiCallNoSpinner(value, description) {
   }
 }
 async function queryApi(path, apiToken) {
-  const baseUrl = getDefaultApiBaseUrl() || '';
+  const baseUrl = getDefaultApiBaseUrl();
   if (!baseUrl) {
-    logger.logger.warn('API endpoint is not set and default was empty. Request is likely to fail.');
+    throw new Error('Socket API base URL is not configured.');
   }
   return await fetch(`${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`, {
     method: 'GET',
@@ -505,7 +574,11 @@ async function queryApi(path, apiToken) {
     }
   });
 }
-async function queryApiSafeText(path, description) {
+
+/**
+ * Query Socket API endpoint and return text response with error handling.
+ */
+async function queryApiSafeText(path, description, commandPath) {
   const apiToken = getDefaultApiToken();
   if (!apiToken) {
     return {
@@ -550,11 +623,10 @@ async function queryApiSafeText(path, description) {
     const {
       status
     } = result;
-    const reason = await getErrorMessageForHttpStatusCode(status);
     return {
       ok: false,
-      message: 'Socket API returned an error',
-      cause: `${result.statusText} (reason: ${reason})`,
+      message: 'Socket API error',
+      cause: `${result.statusText} (reason: ${await getErrorMessageForHttpStatusCode(status)})`,
       data: {
         code: status
       }
@@ -578,6 +650,10 @@ async function queryApiSafeText(path, description) {
     };
   }
 }
+
+/**
+ * Query Socket API endpoint and return parsed JSON response.
+ */
 async function queryApiSafeJson(path, description = '') {
   const result = await queryApiSafeText(path, description);
   if (!result.ok) {
@@ -592,10 +668,13 @@ async function queryApiSafeJson(path, description = '') {
     return {
       ok: false,
       message: 'Server returned invalid JSON',
-      cause: `Please report this. JSON.parse threw an error over the following response: \`${(result.data?.slice?.(0, 100) || '<empty>').trim() + (result.data?.length > 100 ? '...' : '')}\``
+      cause: `Please report this. JSON.parse threw an error over the following response: \`${(result.data?.slice?.(0, 100) || constants.EMPTY_VALUE).trim() + (result.data?.length > 100 ? '...' : '')}\``
     };
   }
 }
+/**
+ * Send POST/PUT request to Socket API with JSON response handling.
+ */
 async function sendApiRequest(path, options) {
   const apiToken = getDefaultApiToken();
   if (!apiToken) {
@@ -605,12 +684,17 @@ async function sendApiRequest(path, options) {
       cause: 'User must be authenticated to run this command. To log in, run the command `socket login` and enter your Socket API token.'
     };
   }
-  const baseUrl = getDefaultApiBaseUrl() || '';
+  const baseUrl = getDefaultApiBaseUrl();
   if (!baseUrl) {
-    logger.logger.warn('API endpoint is not set and default was empty. Request is likely to fail.');
+    return {
+      ok: false,
+      message: 'Configuration Error',
+      cause: 'Socket API endpoint is not configured. Please check your environment configuration.'
+    };
   }
   const {
     body,
+    commandPath,
     description,
     method
   } = {
@@ -663,11 +747,14 @@ async function sendApiRequest(path, options) {
     const {
       status
     } = result;
-    const reason = await getErrorMessageForHttpStatusCode(status);
+    // Log required permissions for 403 errors when in a command context.
+    if (commandPath && status === 403) {
+      logPermissionsFor403(commandPath);
+    }
     return {
       ok: false,
-      message: 'Socket API returned an error',
-      cause: `${result.statusText} (reason: ${reason})`,
+      message: 'Socket API error',
+      cause: `${result.statusText} (reason: ${await getErrorMessageForHttpStatusCode(status)})`,
       data: {
         code: status
       }
@@ -693,7 +780,7 @@ async function sendApiRequest(path, options) {
 }
 
 function failMsgWithBadge(badge, message) {
-  const prefix = vendor.yoctocolorsCjsExports.bgRed(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.white(` ${badge}${message ? ': ' : ''}`)));
+  const prefix = vendor.yoctocolorsCjsExports.bgRedBright(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.red(` ${badge}${message ? ': ' : ''}`)));
   const postfix = message ? ` ${vendor.yoctocolorsCjsExports.bold(message)}` : '';
   return `${prefix}${postfix}`;
 }
@@ -887,18 +974,10 @@ function getOutputKind(json, markdown) {
   return constants.OUTPUT_TEXT;
 }
 
-const require$2 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-let _requirements;
-function getRequirements() {
-  if (_requirements === undefined) {
-    _requirements = /*@__PURE__*/require$2(path.join(constants.default.rootPath, 'requirements.json'));
-  }
-  return _requirements;
+function camelToKebab(str) {
+  return str === '' ? '' : str.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase();
 }
 
-function camelToKebab(string) {
-  return string.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase();
-}
 function getFlagApiRequirementsOutput(cmdPath, options) {
   const {
     indent = 6
@@ -906,20 +985,21 @@ function getFlagApiRequirementsOutput(cmdPath, options) {
     __proto__: null,
     ...options
   };
-  const key = cmdPath.replace(/^socket[: ]/, '').replace(/ +/g, ':');
+  const key = getRequirementsKey(cmdPath);
   const requirements = getRequirements();
   const data = requirements.api[key];
   let result = '';
   if (data) {
     const quota = data?.quota;
-    const perms = data?.permissions;
+    const rawPerms = data?.permissions;
     const padding = ''.padEnd(indent);
     const lines = [];
-    if (typeof quota === 'number') {
+    if (Number.isFinite(quota) && quota > 0) {
       lines.push(`${padding}- Quota: ${quota} ${words.pluralize('unit', quota)}`);
     }
-    if (Array.isArray(perms) && perms.length) {
-      lines.push(`${padding}- Permissions: ${perms.join(' ')}`);
+    if (Array.isArray(rawPerms) && rawPerms.length) {
+      const perms = rawPerms.slice().sort(sorts.naturalCompare);
+      lines.push(`${padding}- Permissions: ${arrays.joinAnd(perms)}`);
     }
     result += lines.join('\n');
   }
@@ -980,6 +1060,10 @@ function tildify(cwd) {
 
 const HELP_INDENT = 2;
 const HELP_PAD_NAME = 28;
+
+/**
+ * Format a command description for help output.
+ */
 function description(command) {
   const description = command?.description;
   const str = typeof description === 'string' ? description : String(description);
@@ -1004,6 +1088,10 @@ function findBestCommandMatch(input, subcommands, aliases) {
   }
   return bestMatch;
 }
+
+/**
+ * Generate the ASCII banner header for Socket CLI commands.
+ */
 function getAsciiHeader(command, orgFlag) {
   // Note: In tests we return <redacted> because otherwise snapshots will fail.
   const {
@@ -1047,19 +1135,28 @@ function levenshteinDistance(a, b) {
   for (let i = 1; i <= a.length; i++) {
     for (let j = 1; j <= b.length; j++) {
       const cost = a[i - 1] === b[j - 1] ? 0 : 1;
-      matrix[i][j] = Math.min(matrix[i - 1][j] + 1,
+      matrix[i][j] = Math.min(
       // Deletion.
-      matrix[i][j - 1] + 1,
+      matrix[i - 1][j] + 1,
       // Insertion.
-      matrix[i - 1][j - 1] + cost // Substitution.
-      );
+      matrix[i][j - 1] + 1,
+      // Substitution.
+      matrix[i - 1][j - 1] + cost);
     }
   }
   return matrix[a.length][b.length];
 }
+
+/**
+ * Determine if the banner should be suppressed based on output flags.
+ */
 function shouldSuppressBanner(flags) {
-  return Boolean(flags['json'] || flags['markdown'] || flags['nobanner']);
+  return Boolean(flags['json'] || flags['markdown'] || flags['banner'] === false);
 }
+
+/**
+ * Emit the Socket CLI banner to stderr for branding and debugging.
+ */
 function emitBanner(name, orgFlag) {
   // Print a banner at the top of each command.
   // This helps with brand recognition and marketing.
@@ -1071,6 +1168,10 @@ function emitBanner(name, orgFlag) {
   //       The spinner also emits over stderr for example.
   logger.logger.error(getAsciiHeader(name, orgFlag));
 }
+
+/**
+ * Main function for handling CLI with subcommands using meow.
+ */
 async function meowWithSubcommands(subcommands, options) {
   const {
     aliases = {},
@@ -1083,11 +1184,6 @@ async function meowWithSubcommands(subcommands, options) {
     __proto__: null,
     ...options
   };
-  const [commandOrAliasName_, ...rawCommandArgv] = argv;
-  let commandOrAliasName = commandOrAliasName_;
-  if (!commandOrAliasName && defaultSub) {
-    commandOrAliasName = defaultSub;
-  }
   const flags$1 = {
     ...flags.commonFlags,
     version: {
@@ -1095,13 +1191,18 @@ async function meowWithSubcommands(subcommands, options) {
       hidden: true,
       description: 'Print the app version'
     },
-    ...additionalOptions.flags
+    ...require$$11.getOwn(additionalOptions, 'flags')
   };
+  const [commandOrAliasName_, ...rawCommandArgv] = argv;
+  let commandOrAliasName = commandOrAliasName_;
+  if (!commandOrAliasName && defaultSub) {
+    commandOrAliasName = defaultSub;
+  }
 
-  // No further args or first arg is a flag (shrug)
+  // No further args or first arg is a flag (shrug).
   const isRootCommand = name === 'socket' && (!commandOrAliasName || commandOrAliasName?.startsWith('-'));
 
-  // Try to support `socket <purl>` as a shorthand for `socket package score <purl>`
+  // Try to support `socket <purl>` as a shorthand for `socket package score <purl>`.
   if (!isRootCommand) {
     if (commandOrAliasName?.startsWith('pkg:')) {
       logger.logger.info('Invoking `socket package score`.');
@@ -1174,7 +1275,6 @@ async function meowWithSubcommands(subcommands, options) {
   if (noSpinner) {
     constants.default.spinner.spinner = spinner.getCliSpinners('ci');
   }
-
   // Hard override the config if instructed to do so.
   // The env var overrides the --flag, which overrides the persisted config
   // Also, when either of these are used, config updates won't persist.
@@ -1182,7 +1282,7 @@ async function meowWithSubcommands(subcommands, options) {
   if (constants.default.ENV.SOCKET_CLI_CONFIG) {
     configOverrideResult = overrideCachedConfig(constants.default.ENV.SOCKET_CLI_CONFIG);
   } else if (cli1.flags['config']) {
-    configOverrideResult = overrideCachedConfig(String(cli1.flags['config'] || ''));
+    configOverrideResult = overrideCachedConfig(cli1.flags['config']);
   }
   if (constants.default.ENV.SOCKET_CLI_NO_API_TOKEN) {
     // This overrides the config override and even the explicit token env var.
@@ -1216,6 +1316,8 @@ async function meowWithSubcommands(subcommands, options) {
     const commandDefinition = commandName ? subcommands[commandName] : undefined;
     // Third: If a valid command has been found, then we run it...
     if (commandDefinition) {
+      // Extract the original command arguments from the full argv
+      // by skipping the command name
       return await commandDefinition.run(commandArgv, importMeta, {
         parentName: name
       });
@@ -1242,9 +1344,12 @@ async function meowWithSubcommands(subcommands, options) {
     //'json',
     'license', 'login', 'logout', 'manifest', constants.NPM, constants.NPX, 'optimize', 'organization', 'package',
     //'patch',
+    // PNPM,
     'raw-npm', 'raw-npx', 'repository', 'scan',
     //'security',
-    'threat-feed', 'uninstall', 'wrapper']);
+    'threat-feed', 'uninstall', 'wrapper'
+    // YARN,
+    ]);
     Object.entries(subcommands).filter(([_name, subcommand]) => !subcommand.hidden).map(([name]) => name).forEach(name => {
       if (commands.has(name)) {
         commands.delete(name);
@@ -1288,6 +1393,11 @@ async function meowWithSubcommands(subcommands, options) {
   }
   lines.push(`  ${getFlagListOutput({
     ...flags$1,
+    // Explicitly document the negated --no-banner variant.
+    noBanner: {
+      ...flags$1['banner'],
+      hidden: false
+    },
     // Explicitly document the negated --no-spinner variant.
     noSpinner: {
       ...flags$1['spinner'],
@@ -1298,12 +1408,12 @@ async function meowWithSubcommands(subcommands, options) {
     padName: HELP_PAD_NAME
   })}`);
   if (isRootCommand) {
-    lines.push('', 'Environment variables', '  SOCKET_CLI_API_TOKEN        Set the Socket API token', '  SOCKET_CLI_CONFIG           A JSON stringified Socket configuration object', '  SOCKET_CLI_GITHUB_API_URL   Change the base URL for GitHub REST API calls', '  SOCKET_CLI_GIT_USER_EMAIL   The git config `user.email` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]@users.noreply.github.com`, '  SOCKET_CLI_GIT_USER_NAME    The git config `user.name` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]`, `  SOCKET_CLI_GITHUB_TOKEN     A classic or fine-grained ${vendor.terminalLinkExports('GitHub personal access token', 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens')}`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} GITHUB_TOKEN`, '  SOCKET_CLI_NO_API_TOKEN     Make the default API token `undefined`', '  SOCKET_CLI_NPM_PATH         The absolute location of the npm directory', '  SOCKET_CLI_ORG_SLUG         Specify the Socket organization slug', '', '  SOCKET_CLI_ACCEPT_RISKS     Accept risks of a Socket wrapped npm/npx run', '  SOCKET_CLI_VIEW_ALL_RISKS   View all risks of a Socket wrapped npm/npx run', '', 'Environment variables for development', '  SOCKET_CLI_API_BASE_URL     Change the base URL for Socket API calls', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} The "apiBaseUrl" value of socket/settings local app data`, '                              if present, else https://api.socket.dev/v0/', '  SOCKET_CLI_API_PROXY        Set the proxy Socket API requests are routed through, e.g. if set to', `                              ${vendor.terminalLinkExports('http://127.0.0.1:9090', 'https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries')} then all request are passed through that proxy`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} HTTPS_PROXY, https_proxy, HTTP_PROXY, and http_proxy`, '  SOCKET_CLI_API_TIMEOUT      Set the timeout in milliseconds for Socket API requests', '  SOCKET_CLI_DEBUG            Enable debug logging in Socket CLI', `  DEBUG                       Enable debug logging based on the ${vendor.terminalLinkExports('debug', 'https://socket.dev/npm/package/debug')} package`);
+    lines.push('', 'Environment variables', '  SOCKET_CLI_API_TOKEN        Set the Socket API token', '  SOCKET_CLI_CONFIG           A JSON stringified Socket configuration object', '  SOCKET_CLI_GITHUB_API_URL   Change the base URL for GitHub REST API calls', '  SOCKET_CLI_GIT_USER_EMAIL   The git config `user.email` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]@users.noreply.github.com`, '  SOCKET_CLI_GIT_USER_NAME    The git config `user.name` used by Socket CLI', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} github-actions[bot]`, `  SOCKET_CLI_GITHUB_TOKEN     A classic or fine-grained ${vendor.terminalLinkExports('GitHub personal access token', 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens')}`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} GITHUB_TOKEN`, '  SOCKET_CLI_NO_API_TOKEN     Make the default API token `undefined`', '  SOCKET_CLI_NPM_PATH         The absolute location of the npm directory', '  SOCKET_CLI_ORG_SLUG         Specify the Socket organization slug', '', '  SOCKET_CLI_ACCEPT_RISKS     Accept risks of a Socket wrapped npm/npx run', '  SOCKET_CLI_VIEW_ALL_RISKS   View all risks of a Socket wrapped npm/npx run', '', 'Environment variables for development', '  SOCKET_CLI_API_BASE_URL     Change the base URL for Socket API calls', `                              ${vendor.yoctocolorsCjsExports.italic('Defaults:')} The "apiBaseUrl" value of socket/settings local app data`, `                              if present, else ${constants.API_V0_URL}`, '  SOCKET_CLI_API_PROXY        Set the proxy Socket API requests are routed through, e.g. if set to', `                              ${vendor.terminalLinkExports('http://127.0.0.1:9090', 'https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries')} then all request are passed through that proxy`, `                              ${vendor.yoctocolorsCjsExports.italic('Aliases:')} HTTPS_PROXY, https_proxy, HTTP_PROXY, and http_proxy`, '  SOCKET_CLI_API_TIMEOUT      Set the timeout in milliseconds for Socket API requests', '  SOCKET_CLI_DEBUG            Enable debug logging in Socket CLI', `  DEBUG                       Enable debug logging based on the ${vendor.terminalLinkExports('debug', `${constants.SOCKET_WEBSITE_URL}/npm/package/debug`)} package`);
   }
 
   // Parse it again. Config overrides should now be applied (may affect help).
   // Note: this is displayed as help screen if the command does not override it
-  //       (which is the case for most sub-commands with sub-commands)
+  //       (which is the case for most sub-commands with sub-commands).
   const cli2 = vendor.meow({
     argv,
     importMeta,
@@ -1323,7 +1433,7 @@ async function meowWithSubcommands(subcommands, options) {
   // ...else we provide basic instructions and help.
   if (!shouldSuppressBanner(cli2.flags)) {
     emitBanner(name, orgFlag);
-    // meow will add newline so don't add stderr spacing here
+    // Meow will add newline so don't add stderr spacing here.
   }
   if (!cli2.flags['help'] && cli2.flags['dryRun']) {
     process.exitCode = 0;
@@ -1336,7 +1446,8 @@ async function meowWithSubcommands(subcommands, options) {
 }
 
 /**
- * Note: meow will exit immediately if it calls its .showHelp()
+ * Create meow CLI instance or exit with help/error (meow will exit immediately
+ * if it calls .showHelp()).
  */
 function meowOrExit({
   allowUnknownFlags = true,
@@ -1361,14 +1472,19 @@ function meowOrExit({
     help: strings.trimNewlines(config.help(command, config)),
     importMeta
   });
-  const noSpinner = cli.flags['spinner'] === false;
+  const {
+    help: helpFlag,
+    org: orgFlag,
+    spinner: spinnerFlag,
+    version: versionFlag
+  } = cli.flags;
+  const noSpinner = spinnerFlag === false;
 
   // Use CI spinner style when --no-spinner is passed.
   if (noSpinner) {
     constants.default.spinner.spinner = spinner.getCliSpinners('ci');
   }
   if (!shouldSuppressBanner(cli.flags)) {
-    const orgFlag = String(cli.flags['org'] || '').trim() || undefined;
     emitBanner(command, orgFlag);
     // Add newline in stderr.
     // Meow help adds a newline too so we do it here.
@@ -1393,12 +1509,12 @@ function meowOrExit({
   //   })
   // }
 
-  if (cli.flags['help']) {
+  if (helpFlag) {
     cli.showHelp(0);
   }
 
   // Meow doesn't detect 'version' as an unknown flag, so we do the leg work here.
-  if (!require$$11.hasOwn(config.flags, 'version') && cli.flags['version']) {
+  if (versionFlag && !require$$11.hasOwn(config.flags, 'version')) {
     // Use `console.error` here instead of `logger.error` to match Meow behavior.
     console.error('Unknown flag\n--version');
     // eslint-disable-next-line n/no-process-exit
@@ -1408,7 +1524,6 @@ function meowOrExit({
   // Now test for help state. Run Meow again. If it exits now, it must be due
   // to wanting to print the help screen. But it would exit(0) and we want a
   // consistent exit(2) for that case (missing input).
-  // TODO: Move away from meow.
   process.exitCode = 2;
   vendor.meow({
     argv,
@@ -1679,7 +1794,7 @@ async function getBaseBranch(cwd = process.cwd()) {
   return 'main';
 }
 async function getRepoInfo(cwd = process.cwd()) {
-  let info = null;
+  let info;
   const quotedCmd = '`git remote get-url origin`';
   require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
   try {
@@ -1745,7 +1860,7 @@ async function gitBranch(cwd = process.cwd()) {
       });
     }
   }
-  return null;
+  return undefined;
 }
 
 /**
@@ -2056,7 +2171,7 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
 }
 const parsedGitRemoteUrlCache = new Map();
 function parseGitRemoteUrl(remoteUrl) {
-  let result = parsedGitRemoteUrlCache.get(remoteUrl) ?? null;
+  let result = parsedGitRemoteUrlCache.get(remoteUrl);
   if (result) {
     return {
       ...result
@@ -2108,7 +2223,7 @@ function getPurlObject(purl, options) {
     if (shouldThrow) {
       throw e;
     }
-    return null;
+    return undefined;
   }
 }
 function normalizePurl(rawPurl) {
@@ -2448,7 +2563,7 @@ async function getPackageFilesForScan(inputPaths, supportedFiles, options) {
   return filterBySupportedScanFiles(filepaths, supportedFiles);
 }
 
-function exitWithBinPathError(binName) {
+function exitWithBinPathError$2(binName) {
   logger.logger.fail(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`);
   // The exit code 127 indicates that the command or binary being executed
   // could not be found.
@@ -2460,7 +2575,7 @@ function getNpmBinPath() {
   if (_npmBinPath === undefined) {
     _npmBinPath = getNpmBinPathDetails().path;
     if (!_npmBinPath) {
-      exitWithBinPathError(constants.NPM);
+      exitWithBinPathError$2(constants.NPM);
     }
   }
   return _npmBinPath;
@@ -2501,7 +2616,7 @@ function getNpmRequire() {
   if (_npmRequire === undefined) {
     const npmDirPath = getNpmDirPath();
     const npmNmPath = path.join(npmDirPath, `${constants.NODE_MODULES}/npm`);
-    _npmRequire = Module.createRequire(path.join(fs$1.existsSync(npmNmPath) ? npmNmPath : npmDirPath, '<dummy-basename>'));
+    _npmRequire = require$$5.createRequire(path.join(fs$1.existsSync(npmNmPath) ? npmNmPath : npmDirPath, '<dummy-basename>'));
   }
   return _npmRequire;
 }
@@ -2510,7 +2625,7 @@ function getNpxBinPath() {
   if (_npxBinPath === undefined) {
     _npxBinPath = getNpxBinPathDetails().path;
     if (!_npxBinPath) {
-      exitWithBinPathError('npx');
+      exitWithBinPathError$2('npx');
     }
   }
   return _npxBinPath;
@@ -2530,23 +2645,33 @@ function isNpxBinPathShadowed() {
 }
 
 const helpFlags = new Set(['--help', '-h']);
+
+/**
+ * Convert command arguments to a properly formatted string representation.
+ */
 function cmdFlagsToString(args) {
   const result = [];
   for (let i = 0, {
       length
     } = args; i < length; i += 1) {
-    if (args[i].startsWith('--')) {
+    const arg = args[i].trim();
+    if (arg.startsWith('--')) {
+      const nextArg = i + 1 < length ? args[i + 1].trim() : undefined;
       // Check if the next item exists and is NOT another flag.
-      if (i + 1 < length && !args[i + 1].startsWith('--')) {
-        result.push(`${args[i]}=${args[i + 1]}`);
+      if (nextArg?.startsWith('--')) {
+        result.push(`${arg}=${nextArg}`);
         i += 1;
       } else {
-        result.push(args[i]);
+        result.push(arg);
       }
     }
   }
   return result.join(' ');
 }
+
+/**
+ * Convert flag values to array format for processing.
+ */
 function cmdFlagValueToArray(value) {
   if (typeof value === 'string') {
     return value.trim().split(/, */).filter(Boolean);
@@ -2556,10 +2681,81 @@ function cmdFlagValueToArray(value) {
   }
   return [];
 }
+
+/**
+ * Add command name prefix to message text.
+ */
 function cmdPrefixMessage(cmdName, text) {
   const cmdPrefix = cmdName ? `${cmdName}: ` : '';
   return `${cmdPrefix}${text}`;
 }
+
+/**
+ * Filter out Socket flags from argv before passing to subcommands.
+ */
+function filterFlags(argv, flagsToFilter, exceptions) {
+  const filtered = [];
+
+  // Build set of flags to filter from the provided flag objects.
+  const flagsToFilterSet = new Set();
+  const flagsWithValueSet = new Set();
+  for (const [flagName, flag] of Object.entries(flagsToFilter)) {
+    const longFlag = `--${camelToKebab(flagName)}`;
+    // Special case for negated booleans.
+    if (flagName === 'spinner' || flagName === 'banner') {
+      flagsToFilterSet.add(`--no-${flagName}`);
+    } else {
+      flagsToFilterSet.add(longFlag);
+    }
+    if (flag?.shortFlag) {
+      flagsToFilterSet.add(`-${flag.shortFlag}`);
+    }
+    // Track flags that take values.
+    if (flag.type !== 'boolean') {
+      flagsWithValueSet.add(longFlag);
+      if (flag?.shortFlag) {
+        flagsWithValueSet.add(`-${flag.shortFlag}`);
+      }
+    }
+  }
+  for (let i = 0, {
+      length
+    } = argv; i < length; i += 1) {
+    const arg = argv[i];
+    // Check if this flag should be kept as an exception.
+    if (exceptions?.includes(arg)) {
+      filtered.push(arg);
+      // Handle flags that take values.
+      if (flagsWithValueSet.has(arg)) {
+        // Include the next argument (the flag value).
+        i += 1;
+        if (i < length) {
+          filtered.push(argv[i]);
+        }
+      }
+    } else if (flagsToFilterSet.has(arg)) {
+      // Skip flags that take values.
+      if (flagsWithValueSet.has(arg)) {
+        // Skip the next argument (the flag value).
+        i += 1;
+      }
+      // Skip boolean flags (no additional argument to skip).
+    } else if (arg && Array.from(flagsWithValueSet).some(flag => arg.startsWith(`${flag}=`))) {
+      // Skip --flag=value format for Socket flags unless it's an exception.
+      if (exceptions?.some(exc => arg.startsWith(`${exc}=`))) {
+        filtered.push(arg);
+      }
+      // Otherwise skip it.
+    } else {
+      filtered.push(arg);
+    }
+  }
+  return filtered;
+}
+
+/**
+ * Check if argument is a help flag.
+ */
 function isHelpFlag(cmdArg) {
   return helpFlags.has(cmdArg);
 }
@@ -2670,7 +2866,8 @@ async function spawnCoana(args, orgSlug, options, extra) {
     };
   } catch (e) {
     const stderr = e?.stderr;
-    const message = stderr ? stderr : e?.message;
+    const cause = e?.message || constants.UNKNOWN_ERROR;
+    const message = stderr ? stderr : cause;
     return {
       ok: false,
       data: e,
@@ -2695,30 +2892,45 @@ function readOrDefaultSocketJson(cwd) {
   // This should be unreachable but it makes TS happy.
   getDefaultSocketJson();
 }
+async function findSocketJsonUp(cwd) {
+  return await findUp(constants.SOCKET_JSON, {
+    onlyFiles: true,
+    cwd
+  });
+}
+async function readOrDefaultSocketJsonUp(cwd) {
+  const socketJsonPath = await findSocketJsonUp(cwd);
+  if (socketJsonPath) {
+    const socketJsonDir = path.dirname(socketJsonPath);
+    const jsonCResult = readSocketJsonSync(socketJsonDir, true);
+    return jsonCResult.ok ? jsonCResult.data : getDefaultSocketJson();
+  }
+  return getDefaultSocketJson();
+}
 function getDefaultSocketJson() {
   return {
-    ' _____         _       _     ': 'Local config file for Socket CLI tool ( https://npmjs.org/socket ), to work with https://socket.dev',
+    ' _____         _       _     ': `Local config file for Socket CLI tool ( ${constants.SOCKET_WEBSITE_URL}/npm/package/${constants.SOCKET_JSON.replace('.json', '')} ), to work with ${constants.SOCKET_WEBSITE_URL}`,
     '|   __|___ ___| |_ ___| |_   ': '     The config in this file is used to set as defaults for flags or command args when using the CLI',
     "|__   | . |  _| '_| -_|  _|  ": '     in this dir, often a repo root. You can choose commit or .ignore this file, both works.',
-    '|_____|___|___|_,_|___|_|.dev': 'Warning: This file may be overwritten without warning by `socket manifest setup` or other commands',
+    '|_____|___|___|_,_|___|_|.dev': `Warning: This file may be overwritten without warning by \`${constants.SOCKET_JSON.replace('.json', '')} manifest setup\` or other commands`,
     version: 1
   };
 }
 function readSocketJsonSync(cwd, defaultOnError = false) {
-  const sockJsonPath = path.join(cwd, 'socket.json');
+  const sockJsonPath = path.join(cwd, constants.SOCKET_JSON);
   if (!fs$1.existsSync(sockJsonPath)) {
-    require$$9.debugFn('notice', `miss: socket.json not found at ${cwd}`);
+    require$$9.debugFn('notice', `miss: ${constants.SOCKET_JSON} not found at ${cwd}`);
     return {
       ok: true,
       data: getDefaultSocketJson()
     };
   }
-  let json = null;
+  let jsonContent = null;
   try {
-    json = fs$1.readFileSync(sockJsonPath, 'utf8');
+    jsonContent = fs$1.readFileSync(sockJsonPath, 'utf8');
   } catch (e) {
     if (defaultOnError) {
-      logger.logger.warn('Failed to read socket.json, using default');
+      logger.logger.warn(`Failed to read ${constants.SOCKET_JSON}, using default`);
       require$$9.debugDir('inspect', {
         error: e
       });
@@ -2727,27 +2939,29 @@ function readSocketJsonSync(cwd, defaultOnError = false) {
         data: getDefaultSocketJson()
       };
     }
-    const msg = e?.message;
+    const cause = e?.message;
     require$$9.debugDir('inspect', {
       error: e
     });
     return {
       ok: false,
-      message: 'Failed to read socket.json',
-      cause: `An error occurred while trying to read socket.json${msg ? `: ${msg}` : ''}`
+      message: `Failed to read ${constants.SOCKET_JSON}`,
+      cause: `An error occurred while trying to read ${constants.SOCKET_JSON}${cause ? `: ${cause}` : ''}`
     };
   }
-  let obj;
+  let jsonObj;
   try {
-    obj = JSON.parse(json);
+    jsonObj = JSON.parse(jsonContent);
   } catch (e) {
     require$$9.debugFn('error', 'caught: JSON.parse error');
     require$$9.debugDir('inspect', {
-      error: e,
-      json
+      jsonContent
+    });
+    require$$9.debugDir('inspect', {
+      error: e
     });
     if (defaultOnError) {
-      logger.logger.warn('Failed to parse socket.json, using default');
+      logger.logger.warn(`Failed to parse ${constants.SOCKET_JSON}, using default`);
       return {
         ok: true,
         data: getDefaultSocketJson()
@@ -2755,11 +2969,11 @@ function readSocketJsonSync(cwd, defaultOnError = false) {
     }
     return {
       ok: false,
-      message: 'Failed to parse socket.json',
-      cause: 'socket.json does not contain valid JSON, please verify'
+      message: `Failed to parse ${constants.SOCKET_JSON}`,
+      cause: `${constants.SOCKET_JSON} does not contain valid JSON, please verify`
     };
   }
-  if (!obj) {
+  if (!jsonObj) {
     logger.logger.warn('Warning: file contents was empty, using default');
     return {
       ok: true,
@@ -2767,17 +2981,17 @@ function readSocketJsonSync(cwd, defaultOnError = false) {
     };
   }
 
-  // Do we really care to validate? All properties are optional so code will have
-  // to check every step of the way regardless. Who cares about validation here...?
+  // TODO: Do we need to validate? All properties are optional so code will have
+  // to check every step of the way regardless.
   return {
     ok: true,
-    data: obj
+    data: jsonObj
   };
 }
 async function writeSocketJson(cwd, sockJson) {
-  let json = '';
+  let jsonContent = '';
   try {
-    json = JSON.stringify(sockJson, null, 2);
+    jsonContent = JSON.stringify(sockJson, null, 2);
   } catch (e) {
     require$$9.debugFn('error', 'caught: JSON.stringify error');
     require$$9.debugDir('inspect', {
@@ -2787,11 +3001,11 @@ async function writeSocketJson(cwd, sockJson) {
     return {
       ok: false,
       message: 'Failed to serialize to JSON',
-      cause: 'There was an unexpected problem converting the socket json object to a JSON string. Unable to store it.'
+      cause: `There was an unexpected problem converting the ${constants.SOCKET_JSON} object to a JSON string. Unable to store it.`
     };
   }
-  const filepath = path.join(cwd, 'socket.json');
-  await fs$1.promises.writeFile(filepath, json + '\n', 'utf8');
+  const filepath = path.join(cwd, constants.SOCKET_JSON);
+  await fs$1.promises.writeFile(filepath, `${jsonContent}\n`, 'utf8');
   return {
     ok: true,
     data: undefined
@@ -2809,7 +3023,7 @@ ttlMs = 5 * 60 * 1000) {
       return await fs.readJson(cacheJsonPath);
     }
   }
-  return null;
+  return undefined;
 }
 async function writeCache(key, data) {
   const {
@@ -2877,7 +3091,11 @@ async function fetchGhsaDetails(ids) {
       }
     }
   } catch (e) {
-    require$$9.debugFn('error', `Failed to fetch GHSA details: ${e?.message || constants.UNKNOWN_ERROR}`);
+    const cause = e?.message;
+    require$$9.debugFn('error', `Failed to fetch GHSA details${cause ? `: ${cause}` : ''}`);
+    require$$9.debugDir('inspect', {
+      error: e
+    });
   }
   return results;
 }
@@ -2959,8 +3177,17 @@ async function enablePrAutoMerge({
 }
 async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
   const {
-    host
-  } = new URL(constants.default.ENV.GITHUB_SERVER_URL);
+    GITHUB_SERVER_URL
+  } = constants.default.ENV;
+  const urlObj = require$$13.parseUrl(GITHUB_SERVER_URL);
+  const host = urlObj?.host;
+  if (!host) {
+    require$$9.debugFn('error', 'invalid: GITHUB_SERVER_URL env var');
+    require$$9.debugDir('inspect', {
+      GITHUB_SERVER_URL
+    });
+    return false;
+  }
   const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
   const stdioIgnoreOptions = {
     cwd,
@@ -2980,13 +3207,106 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   return false;
 }
 
-const RangeStyles = ['caret', 'gt', 'gte', 'lt', 'lte', 'pin', 'preserve', 'tilde'];
+/**
+ * Converts CVE IDs to GHSA IDs using GitHub API.
+ */
+async function convertCveToGhsa(cveId) {
+  try {
+    const cacheKey = `cve-to-ghsa-${cveId}`;
+    const octokit = getOctokit();
+    const response = await cacheFetch(cacheKey, () => octokit.rest.securityAdvisories.listGlobalAdvisories({
+      cve_id: cveId,
+      per_page: 1
+    }));
+    if (!response.data.length) {
+      return {
+        ok: false,
+        message: `No GHSA found for CVE ${cveId}`
+      };
+    }
+    return {
+      ok: true,
+      data: response.data[0].ghsa_id
+    };
+  } catch (e) {
+    return {
+      ok: false,
+      message: `Failed to convert CVE to GHSA: ${e instanceof Error ? e.message : 'Unknown error'}`
+    };
+  }
+}
+
+const PURL_TO_GITHUB_ECOSYSTEM_MAPPING = {
+  __proto__: null,
+  // GitHub Advisory Database supported ecosystems
+  cargo: 'rust',
+  composer: 'composer',
+  gem: 'rubygems',
+  go: 'go',
+  golang: 'go',
+  maven: 'maven',
+  npm: 'npm',
+  nuget: 'nuget',
+  pypi: 'pip',
+  swift: 'swift'
+};
+
+/**
+ * Converts PURL to GHSA IDs using GitHub API.
+ */
+async function convertPurlToGhsas(purl) {
+  try {
+    const purlObj = getPurlObject(purl, {
+      throws: false
+    });
+    if (!purlObj) {
+      return {
+        ok: false,
+        message: `Invalid PURL format: ${purl}`
+      };
+    }
+    const {
+      name,
+      type: ecosystem,
+      version
+    } = purlObj;
+
+    // Map PURL ecosystem to GitHub ecosystem.
+    const githubEcosystem = PURL_TO_GITHUB_ECOSYSTEM_MAPPING[ecosystem];
+    if (!githubEcosystem) {
+      return {
+        ok: false,
+        message: `Unsupported PURL ecosystem: ${ecosystem}`
+      };
+    }
+
+    // Search for advisories affecting this package.
+    const cacheKey = `purl-to-ghsa-${ecosystem}-${name}-${version || constants.LATEST}`;
+    const octokit = getOctokit();
+    const affects = version ? `${name}@${version}` : name;
+    const response = await cacheFetch(cacheKey, () => octokit.rest.securityAdvisories.listGlobalAdvisories({
+      ecosystem: githubEcosystem,
+      affects
+    }));
+    return {
+      ok: true,
+      data: response.data.map(a => a.ghsa_id)
+    };
+  } catch (e) {
+    return {
+      ok: false,
+      message: `Failed to convert PURL to GHSA: ${e instanceof Error ? e.message : constants.UNKNOWN_ERROR}`
+    };
+  }
+}
+
+const RangeStyles = ['pin', 'preserve'];
 function getMajor(version) {
   try {
     const coerced = vendor.semverExports.coerce(version);
-    return coerced ? vendor.semverExports.major(coerced) : null;
+    return coerced ? vendor.semverExports.major(coerced) : undefined;
   } catch {}
-  return null;
+  return undefined;
 }
 
 const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion';
@@ -3074,11 +3394,63 @@ function captureExceptionSync(exception, hint) {
   return Sentry.captureException(exception, hint);
 }
 
+function exitWithBinPathError$1(binName) {
+  logger.logger.fail(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`);
+  // The exit code 127 indicates that the command or binary being executed
+  // could not be found.
+  // eslint-disable-next-line n/no-process-exit
+  process.exit(127);
+}
+let _yarnBinPath;
+function getYarnBinPath() {
+  if (_yarnBinPath === undefined) {
+    _yarnBinPath = getYarnBinPathDetails().path;
+    if (!_yarnBinPath) {
+      exitWithBinPathError$1(constants.default.YARN);
+    }
+  }
+  return _yarnBinPath;
+}
+let _yarnBinPathDetails;
+function getYarnBinPathDetails() {
+  if (_yarnBinPathDetails === undefined) {
+    _yarnBinPathDetails = findBinPathDetailsSync(constants.default.YARN);
+  }
+  return _yarnBinPathDetails;
+}
+function isYarnBinPathShadowed() {
+  return getYarnBinPathDetails().shadowed;
+}
+
+let _isYarnBerry;
+function isYarnBerry() {
+  if (_isYarnBerry === undefined) {
+    try {
+      const yarnBinPath = getYarnBinPath();
+      const result = spawn.spawnSync(yarnBinPath, ['--version'], {
+        encoding: 'utf8',
+        shell: constants.default.WIN32
+      });
+      if (result.status === 0 && result.stdout) {
+        const version = result.stdout;
+        // Yarn Berry starts from version 2.x
+        const majorVersion = parseInt(version.split('.')[0], 10);
+        _isYarnBerry = majorVersion >= 2;
+      } else {
+        _isYarnBerry = false;
+      }
+    } catch {
+      _isYarnBerry = false;
+    }
+  }
+  return _isYarnBerry;
+}
+
 function npa(...args) {
   try {
     return Reflect.apply(vendor.npaExports, undefined, args);
   } catch {}
-  return null;
+  return undefined;
 }
 
 function shadowNpmInstall(options) {
@@ -3242,10 +3614,10 @@ const LOCKS = {
   // will be ignored.
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
   'npm-shrinkwrap.json': NPM,
-  'package-lock.json': NPM,
-  'pnpm-lock.yaml': PNPM,
-  'pnpm-lock.yml': PNPM,
-  [`yarn${EXT_LOCK}`]: YARN_CLASSIC,
+  [constants.PACKAGE_LOCK_JSON]: NPM,
+  [constants.PNPM_LOCK_YAML]: PNPM,
+  ['pnpm-lock.yml']: PNPM,
+  [constants.YARN_LOCK]: YARN_CLASSIC,
   'vlt-lock.json': VLT,
   // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
@@ -3517,6 +3889,105 @@ function getEcosystemChoicesForMeow() {
   return [...ALL_ECOSYSTEMS];
 }
 
+function exitWithBinPathError(binName) {
+  logger.logger.fail(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable`);
+  // The exit code 127 indicates that the command or binary being executed
+  // could not be found.
+  // eslint-disable-next-line n/no-process-exit
+  process.exit(127);
+}
+let _pnpmBinPath;
+function getPnpmBinPath() {
+  if (_pnpmBinPath === undefined) {
+    _pnpmBinPath = getPnpmBinPathDetails().path;
+    if (!_pnpmBinPath) {
+      exitWithBinPathError('pnpm');
+    }
+  }
+  return _pnpmBinPath;
+}
+let _pnpmBinPathDetails;
+function getPnpmBinPathDetails() {
+  if (_pnpmBinPathDetails === undefined) {
+    _pnpmBinPathDetails = findBinPathDetailsSync('pnpm');
+  }
+  return _pnpmBinPathDetails;
+}
+function isPnpmBinPathShadowed() {
+  return getPnpmBinPathDetails().shadowed;
+}
+
+function toFilterConfig(obj) {
+  const normalized = {
+    __proto__: null
+  };
+  const keys = require$$11.isObject(obj) ? Object.keys(obj) : [];
+  for (const key of keys) {
+    const value = obj[key];
+    if (typeof value === 'boolean' || Array.isArray(value)) {
+      normalized[key] = value;
+    }
+  }
+  return normalized;
+}
+
+function idToNpmPurl(id) {
+  return `pkg:${constants.NPM}/${id}`;
+}
+
+async function extractPurlsFromPnpmLockfile(lockfile) {
+  const packages = lockfile?.packages ?? {};
+  const seen = new Set();
+  const visit = pkgPath => {
+    if (seen.has(pkgPath)) {
+      return;
+    }
+    const pkg = packages[pkgPath];
+    if (!pkg) {
+      return;
+    }
+    seen.add(pkgPath);
+    const deps = {
+      __proto__: null,
+      ...pkg.dependencies,
+      ...pkg.optionalDependencies,
+      ...pkg.devDependencies
+    };
+    for (const depName in deps) {
+      const ref = deps[depName];
+      const subKey = isPnpmDepPath(ref) ? ref : `/${depName}@${ref}`;
+      visit(subKey);
+    }
+  };
+  for (const pkgPath of Object.keys(packages)) {
+    visit(pkgPath);
+  }
+  return Array.from(seen).map(p => idToNpmPurl(stripPnpmPeerSuffix(stripLeadingPnpmDepPathSlash(p))));
+}
+function isPnpmDepPath(maybeDepPath) {
+  return maybeDepPath.length > 0 && maybeDepPath.charCodeAt(0) === 47; /*'/'*/
+}
+function parsePnpmLockfile(lockfileContent) {
+  let result;
+  if (typeof lockfileContent === 'string') {
+    try {
+      result = vendor.jsYaml.load(strings.stripBom(lockfileContent));
+    } catch {}
+  }
+  return require$$11.isObjectObject(result) ? result : null;
+}
+async function readPnpmLockfile(lockfilePath) {
+  return fs$1.existsSync(lockfilePath) ? await fs.readFileUtf8(lockfilePath) : undefined;
+}
+function stripLeadingPnpmDepPathSlash(depPath) {
+  return isPnpmDepPath(depPath) ? depPath.slice(1) : depPath;
+}
+function stripPnpmPeerSuffix(depPath) {
+  const parenIndex = depPath.indexOf('(');
+  const index = parenIndex === -1 ? depPath.indexOf('_') : parenIndex;
+  return index === -1 ? depPath : depPath.slice(0, index);
+}
+
 function isArtifactAlertCve(alert) {
   const {
     type
@@ -3580,21 +4051,7 @@ class ColorOrMarkdown {
   }
 }
 
-function toFilterConfig(obj) {
-  const normalized = {
-    __proto__: null
-  };
-  const keys = require$$11.isObject(obj) ? Object.keys(obj) : [];
-  for (const key of keys) {
-    const value = obj[key];
-    if (typeof value === 'boolean' || Array.isArray(value)) {
-      normalized[key] = value;
-    }
-  }
-  return normalized;
-}
-
-const require$1 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
 let _translations;
 function getTranslations() {
   if (_translations === undefined) {
@@ -3947,10 +4404,13 @@ function logAlertsMap(alertsMap, options) {
   output.write('\n');
 }
 
-function idToNpmPurl(id) {
-  return `pkg:${constants.NPM}/${id}`;
+async function getAlertsMapFromPnpmLockfile(lockfile, options) {
+  const purls = await extractPurlsFromPnpmLockfile(lockfile);
+  return await getAlertsMapFromPurls(purls, {
+    overrides: lockfile.overrides,
+    ...options
+  });
 }
-
 async function getAlertsMapFromPurls(purls, options) {
   const uniqPurls = arrays.arrayUnique(purls);
   require$$9.debugDir('silly', {
@@ -3984,10 +4444,11 @@ async function getAlertsMapFromPurls(purls, options) {
   });
   if (!sockSdkCResult.ok) {
     spinner?.stop();
-    throw new Error('Auth error: Run `socket login` first');
+    throw new Error('Auth error: Run `socket login` first.');
   }
   const sockSdk = sockSdkCResult.data;
-  const socketYml = findSocketYmlSync()?.parsed;
+  const socketYmlResult = findSocketYmlSync();
+  const socketYml = socketYmlResult.ok && socketYmlResult.data ? socketYmlResult.data.parsed : undefined;
   const alertsMapOptions = {
     consolidate: opts.consolidate,
     filter: opts.filter,
@@ -4053,6 +4514,8 @@ exports.checkCommandInput = checkCommandInput;
 exports.cmdFlagValueToArray = cmdFlagValueToArray;
 exports.cmdFlagsToString = cmdFlagsToString;
 exports.cmdPrefixMessage = cmdPrefixMessage;
+exports.convertCveToGhsa = convertCveToGhsa;
+exports.convertPurlToGhsas = convertPurlToGhsas;
 exports.createEnum = createEnum;
 exports.detectAndValidatePackageEnvironment = detectAndValidatePackageEnvironment;
 exports.detectDefaultBranch = detectDefaultBranch;
@@ -4062,7 +4525,9 @@ exports.extractTier1ReachabilityScanId = extractTier1ReachabilityScanId;
 exports.failMsgWithBadge = failMsgWithBadge;
 exports.fetchGhsaDetails = fetchGhsaDetails;
 exports.fetchOrganization = fetchOrganization;
+exports.filterFlags = filterFlags;
 exports.findUp = findUp;
+exports.getAlertsMapFromPnpmLockfile = getAlertsMapFromPnpmLockfile;
 exports.getAlertsMapFromPurls = getAlertsMapFromPurls;
 exports.getBaseBranch = getBaseBranch;
 exports.getBashrcDetails = getBashrcDetails;
@@ -4082,6 +4547,7 @@ exports.getOctokitGraphql = getOctokitGraphql;
 exports.getOrgSlugs = getOrgSlugs;
 exports.getOutputKind = getOutputKind;
 exports.getPackageFilesForScan = getPackageFilesForScan;
+exports.getPnpmBinPath = getPnpmBinPath;
 exports.getPublicApiToken = getPublicApiToken;
 exports.getPurlObject = getPurlObject;
 exports.getRepoInfo = getRepoInfo;
@@ -4090,6 +4556,7 @@ exports.getSocketDevPackageOverviewUrlFromPurl = getSocketDevPackageOverviewUrlF
 exports.getSupportedConfigEntries = getSupportedConfigEntries;
 exports.getSupportedConfigKeys = getSupportedConfigKeys;
 exports.getVisibleTokenPrefix = getVisibleTokenPrefix;
+exports.getYarnBinPath = getYarnBinPath;
 exports.gitBranch = gitBranch;
 exports.gitCheckoutBranch = gitCheckoutBranch;
 exports.gitCommit = gitCommit;
@@ -4108,10 +4575,13 @@ exports.idToNpmPurl = idToNpmPurl;
 exports.isHelpFlag = isHelpFlag;
 exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
 exports.isNpxBinPathShadowed = isNpxBinPathShadowed;
+exports.isPnpmBinPathShadowed = isPnpmBinPathShadowed;
 exports.isReadOnlyConfig = isReadOnlyConfig;
 exports.isReportSupportedFile = isReportSupportedFile;
 exports.isSensitiveConfigKey = isSensitiveConfigKey;
 exports.isSupportedConfigKey = isSupportedConfigKey;
+exports.isYarnBerry = isYarnBerry;
+exports.isYarnBinPathShadowed = isYarnBinPathShadowed;
 exports.logAlertsMap = logAlertsMap;
 exports.mapToObject = mapToObject;
 exports.mdTable = mdTable;
@@ -4122,9 +4592,12 @@ exports.meowWithSubcommands = meowWithSubcommands;
 exports.msAtHome = msAtHome;
 exports.normalizePurl = normalizePurl;
 exports.npa = npa;
+exports.parsePnpmLockfile = parsePnpmLockfile;
 exports.queryApiSafeJson = queryApiSafeJson;
 exports.queryApiSafeText = queryApiSafeText;
 exports.readOrDefaultSocketJson = readOrDefaultSocketJson;
+exports.readOrDefaultSocketJsonUp = readOrDefaultSocketJsonUp;
+exports.readPnpmLockfile = readPnpmLockfile;
 exports.readSocketJsonSync = readSocketJsonSync;
 exports.runAgentInstall = runAgentInstall;
 exports.sendApiRequest = sendApiRequest;
@@ -4138,5 +4611,5 @@ exports.toFilterConfig = toFilterConfig;
 exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=737faea9-c80e-4b25-92fc-cf5802905b27
+//# debugId=1da7b4a0-f584-4be9-bf6b-9269a66c830
 //# sourceMappingURL=utils.js.map