@socketsecurity/cli-with-sentry 1.1.8 → 1.1.12

package/dist/cli.js

@@ -7,7 +7,7 @@ var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
 var logger = require('../external/@socketsecurity/registry/lib/logger');
 var utils = require('./utils.js');
 var fs = require('node:fs/promises');
-var Module = require('node:module');
+var require$$5 = require('node:module');
 var constants = require('./constants.js');
 var flags = require('./flags.js');
 var path = require('node:path');
@@ -68,7 +68,7 @@ async function fetchRepoAnalyticsData(repo, time, options) {
 
 // Note: Widgets does not seem to actually work as code :'(
 
-const require$5 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+const require$8 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const METRICS = ['total_critical_alerts', 'total_high_alerts', 'total_medium_alerts', 'total_low_alerts', 'total_critical_added', 'total_medium_added', 'total_low_added', 'total_high_added', 'total_critical_prevented', 'total_high_prevented', 'total_medium_prevented', 'total_low_prevented'];
 
 // Note: This maps `new Date(date).getMonth()` to English three letters
@@ -147,11 +147,11 @@ ${utils.mdTableStringNumber('Name', 'Counts', data['top_five_alert_types'])}
 `.trim() + '\n';
 }
 function displayAnalyticsScreen(data) {
-  const ScreenWidget = /*@__PURE__*/require$5('../external/blessed/lib/widgets/screen.js');
+  const ScreenWidget = /*@__PURE__*/require$8('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
     ...constants.default.blessedOptions
   });
-  const GridLayout = /*@__PURE__*/require$5('../external/blessed-contrib/lib/layout/grid.js');
+  const GridLayout = /*@__PURE__*/require$8('../external/blessed-contrib/lib/layout/grid.js');
   const grid = new GridLayout({
     rows: 5,
     cols: 4,
@@ -165,7 +165,7 @@ function displayAnalyticsScreen(data) {
   renderLineCharts(grid, screen, 'Total high alerts prevented from the main branch', [2, 2, 1, 2], data['total_high_prevented']);
   renderLineCharts(grid, screen, 'Total medium alerts prevented from the main branch', [3, 0, 1, 2], data['total_medium_prevented']);
   renderLineCharts(grid, screen, 'Total low alerts prevented from the main branch', [3, 2, 1, 2], data['total_low_prevented']);
-  const BarChart = /*@__PURE__*/require$5('../external/blessed-contrib/lib/widget/charts/bar.js');
+  const BarChart = /*@__PURE__*/require$8('../external/blessed-contrib/lib/widget/charts/bar.js');
   const bar = grid.set(4, 0, 1, 2, BarChart, {
     label: 'Top 5 alert types',
     barWidth: 10,
@@ -265,7 +265,7 @@ function formatDate(date) {
   return `${Months[new Date(date).getMonth()]} ${new Date(date).getDate()}`;
 }
 function renderLineCharts(grid, screen, title, coords, data) {
-  const LineChart = /*@__PURE__*/require$5('../external/blessed-contrib/lib/widget/charts/line.js');
+  const LineChart = /*@__PURE__*/require$8('../external/blessed-contrib/lib/widget/charts/line.js');
   const line = grid.set(...coords, LineChart, {
     style: {
       line: 'cyan',
@@ -323,21 +323,21 @@ async function handleAnalytics({
   });
 }
 
-const CMD_NAME$w = 'analytics';
-const description$D = 'Look up analytics data';
-const hidden$v = false;
+const CMD_NAME$y = 'analytics';
+const description$F = 'Look up analytics data';
+const hidden$x = false;
 const cmdAnalytics = {
-  description: description$D,
-  hidden: hidden$v,
-  run: run$Q
+  description: description$F,
+  hidden: hidden$x,
+  run: run$S
 };
-async function run$Q(argv, importMeta, {
+async function run$S(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$w,
-    description: description$D,
-    hidden: hidden$v,
+    commandName: CMD_NAME$y,
+    description: description$F,
+    hidden: hidden$x,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -354,7 +354,7 @@ async function run$Q(argv, importMeta, {
       $ ${command} [options] [ "org" | "repo" <reponame>] [TIME]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$y}`)}
 
     The scope is either org or repo level, defaults to org.
 
@@ -500,7 +500,7 @@ async function fetchAuditLog(config, options) {
   });
 }
 
-const require$4 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+const require$7 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 async function outputAuditLog(result, {
   logType,
   orgSlug,
@@ -628,7 +628,7 @@ async function outputWithBlessed(data, orgSlug) {
   const headers = [' Event id', ' Created at', ' Event type', ' User email', ' IP address', ' User agent'];
 
   // Note: this temporarily takes over the terminal (just like `man` does).
-  const ScreenWidget = /*@__PURE__*/require$4('../external/blessed/lib/widgets/screen.js');
+  const ScreenWidget = /*@__PURE__*/require$7('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
     ...constants.default.blessedOptions
   });
@@ -637,7 +637,7 @@ async function outputWithBlessed(data, orgSlug) {
   // node process just to exit it. That's very bad UX.
   // eslint-disable-next-line n/no-process-exit
   screen.key(['escape', 'q', 'C-c'], () => process.exit(0));
-  const TableWidget = /*@__PURE__*/require$4('../external/blessed-contrib/lib/widget/table.js');
+  const TableWidget = /*@__PURE__*/require$7('../external/blessed-contrib/lib/widget/table.js');
   const tipsBoxHeight = 1; // 1 row for tips box
   const detailsBoxHeight = 20; // bottom N rows for details box. 20 gives 4 lines for condensed payload before it scrolls out of view
 
@@ -667,7 +667,7 @@ async function outputWithBlessed(data, orgSlug) {
     columnSpacing: 4,
     truncate: '_'
   });
-  const BoxWidget = /*@__PURE__*/require$4('../external/blessed/lib/widgets/box.js');
+  const BoxWidget = /*@__PURE__*/require$7('../external/blessed/lib/widgets/box.js');
   const tipsBox = new BoxWidget({
     bottom: detailsBoxHeight,
     // sits just above the details box
@@ -748,21 +748,21 @@ async function handleAuditLog({
   });
 }
 
-const CMD_NAME$v = 'audit-log';
-const description$C = 'Look up the audit log for an organization';
-const hidden$u = false;
+const CMD_NAME$x = 'audit-log';
+const description$E = 'Look up the audit log for an organization';
+const hidden$w = false;
 const cmdAuditLog = {
-  description: description$C,
-  hidden: hidden$u,
-  run: run$P
+  description: description$E,
+  hidden: hidden$w,
+  run: run$R
 };
-async function run$P(argv, importMeta, {
+async function run$R(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$v,
-    description: description$C,
-    hidden: hidden$u,
+    commandName: CMD_NAME$x,
+    description: description$E,
+    hidden: hidden$w,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -790,7 +790,7 @@ async function run$P(argv, importMeta, {
       $ ${command} [options] [FILTER]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$v}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
 
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit ${constants.default.SOCKET_WEBSITE_URL}/pricing
@@ -1574,7 +1574,7 @@ async function performReachabilityAnalysis(options) {
     return {
       ok: false,
       message: 'Tier 1 Reachability analysis requires an enterprise plan',
-      cause: `Please ${vendor.terminalLinkExports('upgrade your plan', 'https://socket.dev/pricing')}. This feature is only available for organizations with an enterprise plan.`
+      cause: `Please ${vendor.terminalLinkExports('upgrade your plan', `${constants.SOCKET_WEBSITE_URL}/pricing`)}. This feature is only available for organizations with an enterprise plan.`
     };
   }
   const wasSpinning = !!spinner?.isSpinning;
@@ -1671,25 +1671,25 @@ sockJson, cwd = process.cwd()) {
     sbt: false
   };
   if (sockJson?.defaults?.manifest?.sbt?.disabled) {
-    require$$9.debugLog('notice', '[DEBUG] - sbt auto-detection is disabled in socket.json');
+    require$$9.debugLog('notice', `[DEBUG] - sbt auto-detection is disabled in ${constants.SOCKET_JSON}`);
   } else if (fs$1.existsSync(path.join(cwd, 'build.sbt'))) {
     require$$9.debugLog('notice', '[DEBUG] - Detected a Scala sbt build file');
     output.sbt = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.gradle?.disabled) {
-    require$$9.debugLog('notice', '[DEBUG] - gradle auto-detection is disabled in socket.json');
+    require$$9.debugLog('notice', `[DEBUG] - gradle auto-detection is disabled in ${constants.SOCKET_JSON}`);
   } else if (fs$1.existsSync(path.join(cwd, 'gradlew'))) {
     require$$9.debugLog('notice', '[DEBUG] - Detected a gradle build file');
     output.gradle = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.conda?.disabled) {
-    require$$9.debugLog('notice', '[DEBUG] - conda auto-detection is disabled in socket.json');
+    require$$9.debugLog('notice', `[DEBUG] - conda auto-detection is disabled in ${constants.SOCKET_JSON}`);
   } else {
-    const envyml = path.join(cwd, 'environment.yml');
+    const envyml = path.join(cwd, constants.ENVIRONMENT_YML);
     const hasEnvyml = fs$1.existsSync(envyml);
-    const envyaml = path.join(cwd, 'environment.yaml');
+    const envyaml = path.join(cwd, constants.ENVIRONMENT_YAML);
     const hasEnvyaml = !hasEnvyml && fs$1.existsSync(envyaml);
     if (hasEnvyml || hasEnvyaml) {
       require$$9.debugLog('notice', '[DEBUG] - Detected an environment.yml Conda file');
@@ -2057,9 +2057,9 @@ async function outputRequirements(result, outputKind, out) {
     const arr = [];
     arr.push('# Converted Conda file');
     arr.push('');
-    arr.push('This is the Conda `environment.yml` file converted to python `requirements.txt`:');
+    arr.push(`This is the Conda \`environment.yml\` file converted to python \`${constants.REQUIREMENTS_TXT}\`:`);
     arr.push('');
-    arr.push('```file=requirements.txt');
+    arr.push(`\`\`\`file=${constants.REQUIREMENTS_TXT}`);
     arr.push(result.data.pip);
     arr.push('```');
     arr.push('');
@@ -2098,7 +2098,7 @@ async function generateAutoManifest({
 }) {
   const sockJson = utils.readOrDefaultSocketJson(cwd);
   if (verbose) {
-    logger.logger.info('Using this socket.json for defaults:', sockJson);
+    logger.logger.info(`Using this ${constants.SOCKET_JSON} for defaults:`, sockJson);
   }
   if (!sockJson?.defaults?.manifest?.sbt?.disabled && detected.sbt) {
     logger.logger.log('Detected a Scala sbt build, generating pom files with sbt...');
@@ -2129,7 +2129,7 @@ async function generateAutoManifest({
       cwd,
       filename: sockJson.defaults?.manifest?.conda?.infile ?? 'environment.yml',
       outputKind,
-      out: sockJson.defaults?.manifest?.conda?.outfile ?? 'requirements.txt',
+      out: sockJson.defaults?.manifest?.conda?.outfile ?? constants.REQUIREMENTS_TXT,
       verbose: Boolean(sockJson.defaults?.manifest?.conda?.verbose)
     });
   }
@@ -2369,9 +2369,9 @@ const config$k = {
 const cmdCI = {
   description: config$k.description,
   hidden: config$k.hidden,
-  run: run$O
+  run: run$Q
 };
-async function run$O(argv, importMeta, {
+async function run$Q(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -2613,21 +2613,21 @@ async function handleConfigAuto({
   await outputConfigAuto(key, result, outputKind);
 }
 
-const CMD_NAME$u = 'auto';
-const description$B = 'Automatically discover and set the correct value config item';
-const hidden$t = false;
+const CMD_NAME$w = 'auto';
+const description$D = 'Automatically discover and set the correct value config item';
+const hidden$v = false;
 const cmdConfigAuto = {
-  description: description$B,
-  hidden: hidden$t,
-  run: run$N
+  description: description$D,
+  hidden: hidden$v,
+  run: run$P
 };
-async function run$N(argv, importMeta, {
+async function run$P(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$u,
-    description: description$B,
-    hidden: hidden$t,
+    commandName: CMD_NAME$w,
+    description: description$D,
+    hidden: hidden$v,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -2757,9 +2757,9 @@ ${utils.getSupportedConfigEntries().map(({
 const cmdConfigGet = {
   description: config$j.description,
   hidden: config$j.hidden,
-  run: run$M
+  run: run$O
 };
-async function run$M(argv, importMeta, {
+async function run$O(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -2893,9 +2893,9 @@ const config$i = {
 const cmdConfigList = {
   description: config$i.description,
   hidden: config$i.hidden,
-  run: run$L
+  run: run$N
 };
-async function run$L(argv, importMeta, {
+async function run$N(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -2969,21 +2969,21 @@ async function handleConfigSet({
   await outputConfigSet(result, outputKind);
 }
 
-const CMD_NAME$t = 'set';
-const description$A = 'Update the value of a local CLI config item';
-const hidden$s = false;
+const CMD_NAME$v = 'set';
+const description$C = 'Update the value of a local CLI config item';
+const hidden$u = false;
 const cmdConfigSet = {
-  description: description$A,
-  hidden: hidden$s,
-  run: run$K
+  description: description$C,
+  hidden: hidden$u,
+  run: run$M
 };
-async function run$K(argv, importMeta, {
+async function run$M(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$t,
-    description: description$A,
-    hidden: hidden$s,
+    commandName: CMD_NAME$v,
+    description: description$C,
+    hidden: hidden$u,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -3096,21 +3096,21 @@ async function handleConfigUnset({
   await outputConfigUnset(updateResult, outputKind);
 }
 
-const CMD_NAME$s = 'unset';
-const description$z = 'Clear the value of a local CLI config item';
-const hidden$r = false;
+const CMD_NAME$u = 'unset';
+const description$B = 'Clear the value of a local CLI config item';
+const hidden$t = false;
 const cmdConfigUnset = {
-  description: description$z,
-  hidden: hidden$r,
-  run: run$J
+  description: description$B,
+  hidden: hidden$t,
+  run: run$L
 };
-async function run$J(argv, importMeta, {
+async function run$L(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$s,
-    description: description$z,
-    hidden: hidden$r,
+    commandName: CMD_NAME$u,
+    description: description$B,
+    hidden: hidden$t,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -3172,9 +3172,9 @@ ${utils.getSupportedConfigEntries().map(({
   });
 }
 
-const description$y = 'Manage Socket CLI configuration';
+const description$A = 'Manage Socket CLI configuration';
 const cmdConfig = {
-  description: description$y,
+  description: description$A,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -3187,7 +3187,7 @@ const cmdConfig = {
       unset: cmdConfigUnset
     }, {
       argv,
-      description: description$y,
+      description: description$A,
       importMeta,
       name: `${parentName} config`
     });
@@ -3263,7 +3263,7 @@ async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
     }
     require$$9.debugFn('error', message);
   }
-  return null;
+  return undefined;
 }
 async function getSocketFixPrs(owner, repo, options) {
   return (await getSocketFixPrsWithContext(owner, repo, options)).map(d => d.match);
@@ -3388,7 +3388,7 @@ function ciRepoInfo() {
   const ownerSlashRepo = GITHUB_REPOSITORY;
   const slashIndex = ownerSlashRepo.indexOf('/');
   if (slashIndex === -1) {
-    return null;
+    return undefined;
   }
   return {
     owner: ownerSlashRepo.slice(0, slashIndex),
@@ -3411,7 +3411,7 @@ async function getFixEnv() {
     const envVars = [...(constants.default.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
     require$$9.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envVars)} to be set`);
   }
-  let repoInfo = null;
+  let repoInfo;
   if (isCi) {
     repoInfo = ciRepoInfo();
   }
@@ -3710,6 +3710,59 @@ async function outputFixResult(result, outputKind) {
   logger.logger.success('Finished!');
 }
 
+const GHSA_FORMAT_REGEXP = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/;
+const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/;
+/**
+ * Converts mixed CVE/GHSA/PURL IDs to GHSA IDs only.
+ * Filters out invalid IDs and logs conversion results.
+ */
+async function convertIdsToGhsas(ids) {
+  const validGhsas = [];
+  const errors = [];
+  for (const id of ids) {
+    const trimmedId = id.trim();
+    if (trimmedId.startsWith('GHSA-')) {
+      // Already a GHSA ID, validate format
+      if (GHSA_FORMAT_REGEXP.test(trimmedId)) {
+        validGhsas.push(trimmedId);
+      } else {
+        errors.push(`Invalid GHSA format: ${trimmedId}`);
+      }
+    } else if (trimmedId.startsWith('CVE-')) {
+      // Convert CVE to GHSA
+      if (!CVE_FORMAT_REGEXP.test(trimmedId)) {
+        errors.push(`Invalid CVE format: ${trimmedId}`);
+        continue;
+      }
+
+      // eslint-disable-next-line no-await-in-loop
+      const conversionResult = await utils.convertCveToGhsa(trimmedId);
+      if (conversionResult.ok) {
+        validGhsas.push(conversionResult.data);
+        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data}`);
+      } else {
+        errors.push(`${trimmedId}: ${conversionResult.message}`);
+      }
+    } else if (trimmedId.startsWith('pkg:')) {
+      // Convert PURL to GHSAs
+      // eslint-disable-next-line no-await-in-loop
+      const conversionResult = await utils.convertPurlToGhsas(trimmedId);
+      if (conversionResult.ok && conversionResult.data.length) {
+        validGhsas.push(...conversionResult.data);
+        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${conversionResult.data.join(', ')}`);
+      } else {
+        errors.push(`${trimmedId}: ${conversionResult.message || 'No GHSAs found'}`);
+      }
+    } else {
+      // Neither CVE, GHSA, nor PURL, skip
+      errors.push(`Unsupported ID format (expected CVE, GHSA, or PURL): ${trimmedId}`);
+    }
+  }
+  if (errors.length) {
+    logger.logger.warn(`Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+  }
+  return validGhsas;
+}
 async function handleFix({
   autopilot,
   cwd,
@@ -3726,7 +3779,8 @@ async function handleFix({
   await outputFixResult(await coanaFix({
     autopilot,
     cwd,
-    ghsas,
+    // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only
+    ghsas: await convertIdsToGhsas(ghsas),
     limit,
     orgSlug,
     rangeStyle,
@@ -3735,14 +3789,14 @@ async function handleFix({
   }), outputKind);
 }
 
-const CMD_NAME$r = 'fix';
+const CMD_NAME$t = 'fix';
 const DEFAULT_LIMIT = 10;
-const description$x = 'Update dependencies with "fixable" Socket alerts';
-const hidden$q = false;
+const description$z = 'Update dependencies with "fixable" Socket alerts';
+const hidden$s = false;
 const cmdFix = {
-  description: description$x,
-  hidden: hidden$q,
-  run: run$I
+  description: description$z,
+  hidden: hidden$s,
+  run: run$K
 };
 const generalFlags$2 = {
   autopilot: {
@@ -3753,7 +3807,11 @@ const generalFlags$2 = {
   id: {
     type: 'string',
     default: [],
-    description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+    description: `Provide a list of vulnerability identifiers to compute fixes for:
+    - ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} (e.g., GHSA-xxxx-xxxx-xxxx)
+    - ${vendor.terminalLinkExports('CVE IDs', 'https://cve.mitre.org/cve/identifiers/')} (e.g., CVE-${new Date().getFullYear()}-1234) - automatically converted to GHSA
+    - ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec')} (e.g., pkg:npm/package@1.0.0) - automatically converted to GHSA
+    Can be provided as comma separated values or as multiple flags`,
     isMultiple: true
   },
   limit: {
@@ -3767,14 +3825,8 @@ const generalFlags$2 = {
     description: `
 Define how dependency version ranges are updated in package.json (default 'preserve').
 Available styles:
-  * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
-  * gt - Use > to allow any newer version (e.g. >1.2.3)
-  * gte - Use >= to allow any newer version (e.g. >=1.2.3)
-  * lt - Use < to allow only lower versions (e.g. <1.2.3)
-  * lte - Use <= to allow only lower versions (e.g. <=1.2.3)
   * pin - Use the exact version (e.g. 1.2.3)
   * preserve - Retain the existing version range style as-is
-  * tilde - Use ~ range for patch/minor updates (e.g. ~1.2.3)
       `.trim()
   }
 };
@@ -3826,13 +3878,13 @@ const hiddenFlags = {
     hidden: true
   }
 };
-async function run$I(argv, importMeta, {
+async function run$K(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$r,
-    description: description$x,
-    hidden: hidden$q,
+    commandName: CMD_NAME$t,
+    description: description$z,
+    hidden: hidden$s,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -3844,7 +3896,7 @@ async function run$I(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$t}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -3875,23 +3927,6 @@ async function run$I(argv, importMeta, {
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
   const minSatisfying = cli.flags['minSatisfying'] || !maxSatisfying;
-  const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
-  const purls = [];
-  for (const purl of rawPurls) {
-    const version = utils.getPurlObject(purl, {
-      throws: false
-    })?.version;
-    if (version) {
-      purls.push(purl);
-    } else {
-      logger.logger.warn(`--purl ${purl} is missing a version and will be ignored.`);
-    }
-  }
-  if (rawPurls.length !== purls.length && !purls.length) {
-    process.exitCode = 1;
-    logger.logger.fail('No valid --purl values provided.');
-    return;
-  }
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
@@ -3924,7 +3959,7 @@ async function run$I(argv, importMeta, {
   const {
     spinner
   } = constants.default;
-  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa'])]);
+  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   await handleFix({
     autopilot,
     cwd,
@@ -4020,7 +4055,7 @@ async function setupTabCompletion(targetName) {
   };
 }
 function getTabCompletionScriptRaw() {
-  const sourceDir = path.dirname(require$$0.fileURLToPath(require('node:url').pathToFileURL(__filename).href));
+  const sourceDir = path.dirname(require$$0.fileURLToPath((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href))));
   const sourcePath = path.join(sourceDir, 'socket-completion.bash');
   if (!fs$1.existsSync(sourcePath)) {
     return {
@@ -4093,9 +4128,9 @@ const config$h = {
 const cmdInstallCompletion = {
   description: config$h.description,
   hidden: config$h.hidden,
-  run: run$H
+  run: run$J
 };
-async function run$H(argv, importMeta, {
+async function run$J(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -4113,9 +4148,9 @@ async function run$H(argv, importMeta, {
   await handleInstallCompletion(String(targetName));
 }
 
-const description$w = 'Install Socket CLI tab completion';
+const description$y = 'Install Socket CLI tab completion';
 const cmdInstall = {
-  description: description$w,
+  description: description$y,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -4124,7 +4159,7 @@ const cmdInstall = {
       completion: cmdInstallCompletion
     }, {
       argv,
-      description: description$w,
+      description: description$y,
       importMeta,
       name: `${parentName} install`
     });
@@ -4133,7 +4168,7 @@ const cmdInstall = {
 
 async function outputCmdJson(cwd) {
   logger.logger.info('Target cwd:', constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
-  const sockJsonPath = path.join(cwd, 'socket.json');
+  const sockJsonPath = path.join(cwd, constants.SOCKET_JSON);
   const tildeSockJsonPath = constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(sockJsonPath);
   if (!fs$1.existsSync(sockJsonPath)) {
     logger.logger.fail(`Not found: ${tildeSockJsonPath}`);
@@ -4157,7 +4192,7 @@ async function handleCmdJson(cwd) {
 
 const config$g = {
   commandName: 'json',
-  description: 'Display the `socket.json` that would be applied for target folder',
+  description: `Display the \`${constants.SOCKET_JSON}\` that would be applied for target folder`,
   hidden: true,
   flags: {
     ...flags.commonFlags
@@ -4166,7 +4201,7 @@ const config$g = {
     Usage
       $ ${command} [options] [CWD=.]
 
-    Display the \`socket.json\` file that would apply when running relevant commands
+    Display the \`${constants.SOCKET_JSON}\` file that would apply when running relevant commands
     in the target directory.
 
     Examples
@@ -4176,9 +4211,9 @@ const config$g = {
 const cmdJson = {
   description: config$g.description,
   hidden: config$g.hidden,
-  run: run$G
+  run: run$I
 };
-async function run$G(argv, importMeta, {
+async function run$I(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -4332,21 +4367,21 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   }
 }
 
-const CMD_NAME$q = 'login';
-const description$v = 'Setup Socket CLI with an API token and defaults';
-const hidden$p = false;
+const CMD_NAME$s = 'login';
+const description$x = 'Setup Socket CLI with an API token and defaults';
+const hidden$r = false;
 const cmdLogin = {
-  description: description$v,
-  hidden: hidden$p,
-  run: run$F
+  description: description$x,
+  hidden: hidden$r,
+  run: run$H
 };
-async function run$F(argv, importMeta, {
+async function run$H(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$q,
-    description: description$v,
-    hidden: hidden$p,
+    commandName: CMD_NAME$s,
+    description: description$x,
+    hidden: hidden$r,
     flags: {
       ...flags.commonFlags,
       apiBaseUrl: {
@@ -4365,7 +4400,7 @@ async function run$F(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$s}`)}
 
     Logs into the Socket API by prompting for an API token
 
@@ -4438,9 +4473,9 @@ const config$f = {
 const cmdLogout = {
   description: config$f.description,
   hidden: config$f.hidden,
-  run: run$E
+  run: run$G
 };
-async function run$E(argv, importMeta, {
+async function run$G(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -4457,8 +4492,10 @@ async function run$E(argv, importMeta, {
   attemptLogout();
 }
 
+const require$6 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const {
   PACKAGE_LOCK_JSON,
+  PNPM_LOCK_YAML,
   YARN,
   YARN_LOCK
 } = constants.default;
@@ -4498,7 +4535,6 @@ function argvToArray(argvObj) {
   return result;
 }
 async function runCdxgen(argvObj) {
-  let cleanupPackageLock = false;
   const argvMutable = {
     __proto__: null,
     ...argvObj
@@ -4511,23 +4547,58 @@ async function runCdxgen(argvObj) {
     },
     stdio: 'inherit'
   };
-  if (argvMutable['type'] !== YARN && nodejsPlatformTypes.has(argvMutable['type']) && fs$1.existsSync(`./${YARN_LOCK}`)) {
-    if (fs$1.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
+
+  // Detect package manager based on lockfiles
+  const pnpmLockPath = await utils.findUp(PNPM_LOCK_YAML, {
+    onlyFiles: true
+  });
+  const npmLockPath = pnpmLockPath ? undefined : await utils.findUp(PACKAGE_LOCK_JSON, {
+    onlyFiles: true
+  });
+  const yarnLockPath = pnpmLockPath || npmLockPath ? undefined : await utils.findUp(YARN_LOCK, {
+    onlyFiles: true
+  });
+  let cleanupPackageLock = false;
+  if (argvMutable['type'] !== YARN && nodejsPlatformTypes.has(argvMutable['type']) && yarnLockPath) {
+    if (npmLockPath) {
       argvMutable['type'] = constants.NPM;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
-        const {
-          spawnPromise: synpPromise
-        } = await shadowNpmBin('npx', ['--yes', `synp@${constants.default.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`], shadowOpts);
+        const useYarnBerry = utils.isYarnBerry();
+        let args;
+        let synpPromise;
+        if (pnpmLockPath) {
+          args = ['dlx', `synp@${constants.default.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`];
+          const shadowPnpmBin = /*@__PURE__*/require$6(constants.default.shadowPnpmBinPath);
+          synpPromise = (await shadowPnpmBin(args, shadowOpts)).spawnPromise;
+        } else if (useYarnBerry) {
+          args = ['dlx', `synp@${constants.default.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`];
+          const shadowYarnBin = /*@__PURE__*/require$6(constants.default.shadowYarnBinPath);
+          synpPromise = (await shadowYarnBin(args, shadowOpts)).spawnPromise;
+        } else {
+          args = ['exec', '--yes', `synp@${constants.default.ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`, '--source-file', `./${YARN_LOCK}`];
+          synpPromise = (await shadowNpmBin('npm', args, shadowOpts)).spawnPromise;
+        }
         await synpPromise;
         argvMutable['type'] = constants.NPM;
         cleanupPackageLock = true;
       } catch {}
     }
   }
-  const shadowResult = await shadowNpmBin('npx', ['--yes', `@cyclonedx/cdxgen@${constants.default.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
+
+  // Use appropriate package manager for cdxgen
+  let shadowResult;
+  if (pnpmLockPath) {
+    const shadowPnpmBin = /*@__PURE__*/require$6(constants.default.shadowPnpmBinPath);
+    shadowResult = await shadowPnpmBin(['dlx', '--silent', `@cyclonedx/cdxgen@${constants.default.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
+  } else if (yarnLockPath && utils.isYarnBerry()) {
+    const shadowYarnBin = /*@__PURE__*/require$6(constants.default.shadowYarnBinPath);
+    shadowResult = await shadowYarnBin(['dlx', '--quiet', `@cyclonedx/cdxgen@${constants.default.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, ...argvToArray(argvMutable)], shadowOpts);
+  } else {
+    shadowResult = await shadowNpmBin('npm', ['exec', '--silent', '--yes', `@cyclonedx/cdxgen@${constants.default.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`, '--', ...argvToArray(argvMutable)], shadowOpts);
+  }
   shadowResult.spawnPromise.process.on('exit', () => {
     if (cleanupPackageLock) {
       try {
@@ -4750,11 +4821,15 @@ const config$e = {
 const cmdManifestCdxgen = {
   description: config$e.description,
   hidden: config$e.hidden,
-  run: run$D
+  run: run$F
 };
-async function run$D(argv, importMeta, {
-  parentName
-}) {
+async function run$F(argv, importMeta, context) {
+  const {
+    parentName
+  } = {
+    __proto__: null,
+    ...context
+  };
   const cli = utils.meowOrExit({
     // Don't let meow take over --help.
     argv: argv.filter(a => !utils.isHelpFlag(a)),
@@ -4762,11 +4837,17 @@ async function run$D(argv, importMeta, {
     importMeta,
     parentName
   });
-  const dryRun = !!cli.flags['dryRun'];
+  const {
+    dryRun
+  } = cli.flags;
 
-  // TODO: Convert yargs to meow.
+  // Filter Socket flags from argv but keep --no-banner and --help for cdxgen.
+  const argsToProcess = utils.filterFlags(argv, {
+    ...flags.commonFlags,
+    ...flags.outputFlags
+  }, ['--no-banner', '--help', '-h']);
   const yargv = {
-    ...vendor.yargsParser(argv, yargsConfig)
+    ...vendor.yargsParser(argsToProcess, yargsConfig)
   };
   const pathArgs = [];
   const unknowns = [];
@@ -4860,9 +4941,9 @@ const config$d = {
 const cmdManifestAuto = {
   description: config$d.description,
   hidden: config$d.hidden,
-  run: run$C
+  run: run$E
 };
-async function run$C(argv, importMeta, {
+async function run$E(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -4921,14 +5002,15 @@ async function run$C(argv, importMeta, {
 
 const config$c = {
   commandName: 'conda',
-  description: '[beta] Convert a Conda environment.yml file to a python requirements.txt',
+  description: `[beta] Convert a Conda ${constants.ENVIRONMENT_YML} file to a python ${constants.REQUIREMENTS_TXT}`,
   hidden: false,
   flags: {
     ...flags.commonFlags,
     ...flags.outputFlags,
     file: {
       type: 'string',
-      description: 'Input file name (by default for Conda this is "environment.yml"), relative to cwd'
+      default: '',
+      description: `Input file name (by default for Conda this is "${constants.ENVIRONMENT_YML}"), relative to cwd`
     },
     stdin: {
       type: 'boolean',
@@ -4936,11 +5018,12 @@ const config$c = {
     },
     out: {
       type: 'string',
+      default: '',
       description: 'Output path (relative to cwd)'
     },
     stdout: {
       type: 'boolean',
-      description: 'Print resulting requirements.txt to stdout (supersedes --out)'
+      description: `Print resulting ${constants.REQUIREMENTS_TXT} to stdout (supersedes --out)`
     },
     verbose: {
       type: 'boolean',
@@ -4952,8 +5035,8 @@ const config$c = {
       $ ${command} [options] [CWD=.]
 
     Warning: While we don't support Conda necessarily, this tool extracts the pip
-             block from an environment.yml and outputs it as a requirements.txt
-             which you can scan as if it were a pypi package.
+             block from an ${constants.ENVIRONMENT_YML} and outputs it as a ${constants.REQUIREMENTS_TXT}
+             which you can scan as if it were a PyPI package.
 
     USE AT YOUR OWN RISK
 
@@ -4966,15 +5049,15 @@ const config$c = {
     Examples
 
       $ ${command}
-      $ ${command} ./project/foo --file environment.yaml
+      $ ${command} ./project/foo --file ${constants.ENVIRONMENT_YAML}
   `
 };
 const cmdManifestConda = {
   description: config$c.description,
   hidden: config$c.hidden,
-  run: run$B
+  run: run$D
 };
-async function run$B(argv, importMeta, {
+async function run$D(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -4984,10 +5067,10 @@ async function run$B(argv, importMeta, {
     parentName
   });
   const {
-    json = false,
-    markdown = false
+    dryRun,
+    json,
+    markdown
   } = cli.flags;
-  const dryRun = !!cli.flags['dryRun'];
   let [cwd = '.'] = cli.input;
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
@@ -5004,35 +5087,35 @@ async function run$B(argv, importMeta, {
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (stdin === undefined && sockJson.defaults?.manifest?.conda?.stdin !== undefined) {
     stdin = sockJson.defaults?.manifest?.conda?.stdin;
-    logger.logger.info('Using default --stdin from socket.json:', stdin);
+    logger.logger.info(`Using default --stdin from ${constants.SOCKET_JSON}:`, stdin);
   }
   if (stdin) {
     filename = '-';
   } else if (!filename) {
     if (sockJson.defaults?.manifest?.conda?.infile) {
       filename = sockJson.defaults?.manifest?.conda?.infile;
-      logger.logger.info('Using default --file from socket.json:', filename);
+      logger.logger.info(`Using default --file from ${constants.SOCKET_JSON}:`, filename);
     } else {
-      filename = 'environment.yml';
+      filename = constants.ENVIRONMENT_YML;
     }
   }
   if (stdout === undefined && sockJson.defaults?.manifest?.conda?.stdout !== undefined) {
     stdout = sockJson.defaults?.manifest?.conda?.stdout;
-    logger.logger.info('Using default --stdout from socket.json:', stdout);
+    logger.logger.info(`Using default --stdout from ${constants.SOCKET_JSON}:`, stdout);
   }
   if (stdout) {
     out = '-';
   } else if (!out) {
     if (sockJson.defaults?.manifest?.conda?.outfile) {
       out = sockJson.defaults?.manifest?.conda?.outfile;
-      logger.logger.info('Using default --out from socket.json:', out);
+      logger.logger.info(`Using default --out from ${constants.SOCKET_JSON}:`, out);
     } else {
-      out = 'requirements.txt';
+      out = constants.REQUIREMENTS_TXT;
     }
   }
   if (verbose === undefined && sockJson.defaults?.manifest?.conda?.verbose !== undefined) {
     verbose = sockJson.defaults?.manifest?.conda?.verbose;
-    logger.logger.info('Using default --verbose from socket.json:', verbose);
+    logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
   } else if (verbose === undefined) {
     verbose = false;
   }
@@ -5066,10 +5149,10 @@ async function run$B(argv, importMeta, {
   }
   await handleManifestConda({
     cwd,
-    filename: String(filename),
-    out: String(out || ''),
+    filename,
+    out,
     outputKind,
-    verbose: Boolean(verbose)
+    verbose
   });
 }
 
@@ -5104,7 +5187,7 @@ const config$b = {
     global \`gradle\` binary but that may not work (hard to predict).
 
     The \`pom.xml\` is a manifest file similar to \`package.json\` for npm or
-    or requirements.txt for PyPi), but specifically for Maven, which is Java's
+    or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is Java's
     dependency repository. Languages like Kotlin and Scala piggy back on it too.
 
     There are some caveats with the gradle to \`pom.xml\` conversion:
@@ -5128,9 +5211,9 @@ const config$b = {
 const cmdManifestGradle = {
   description: config$b.description,
   hidden: config$b.hidden,
-  run: run$A
+  run: run$C
 };
-async function run$A(argv, importMeta, {
+async function run$C(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -5152,7 +5235,7 @@ async function run$A(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = utils.readOrDefaultSocketJson(cwd);
-  require$$9.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
     gradleOpts,
@@ -5163,7 +5246,7 @@ async function run$A(argv, importMeta, {
   if (!bin) {
     if (sockJson.defaults?.manifest?.gradle?.bin) {
       bin = sockJson.defaults?.manifest?.gradle?.bin;
-      logger.logger.info('Using default --bin from socket.json:', bin);
+      logger.logger.info(`Using default --bin from ${constants.SOCKET_JSON}:`, bin);
     } else {
       bin = path.join(cwd, 'gradlew');
     }
@@ -5171,7 +5254,7 @@ async function run$A(argv, importMeta, {
   if (!gradleOpts) {
     if (sockJson.defaults?.manifest?.gradle?.gradleOpts) {
       gradleOpts = sockJson.defaults?.manifest?.gradle?.gradleOpts;
-      logger.logger.info('Using default --gradle-opts from socket.json:', gradleOpts);
+      logger.logger.info(`Using default --gradle-opts from ${constants.SOCKET_JSON}:`, gradleOpts);
     } else {
       gradleOpts = '';
     }
@@ -5179,7 +5262,7 @@ async function run$A(argv, importMeta, {
   if (verbose === undefined) {
     if (sockJson.defaults?.manifest?.gradle?.verbose !== undefined) {
       verbose = sockJson.defaults?.manifest?.gradle?.verbose;
-      logger.logger.info('Using default --verbose from socket.json:', verbose);
+      logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
     } else {
       verbose = false;
     }
@@ -5259,7 +5342,7 @@ const config$a = {
     global \`gradle\` binary but that may not work (hard to predict).
 
     The \`pom.xml\` is a manifest file similar to \`package.json\` for npm or
-    or requirements.txt for PyPi), but specifically for Maven, which is Java's
+    or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is Java's
     dependency repository. Languages like Kotlin and Scala piggy back on it too.
 
     There are some caveats with the gradle to \`pom.xml\` conversion:
@@ -5283,9 +5366,9 @@ const config$a = {
 const cmdManifestKotlin = {
   description: config$a.description,
   hidden: config$a.hidden,
-  run: run$z
+  run: run$B
 };
-async function run$z(argv, importMeta, {
+async function run$B(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -5307,7 +5390,7 @@ async function run$z(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = utils.readOrDefaultSocketJson(cwd);
-  require$$9.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
     gradleOpts,
@@ -5318,7 +5401,7 @@ async function run$z(argv, importMeta, {
   if (!bin) {
     if (sockJson.defaults?.manifest?.gradle?.bin) {
       bin = sockJson.defaults?.manifest?.gradle?.bin;
-      logger.logger.info('Using default --bin from socket.json:', bin);
+      logger.logger.info(`Using default --bin from ${constants.SOCKET_JSON}:`, bin);
     } else {
       bin = path.join(cwd, 'gradlew');
     }
@@ -5326,7 +5409,7 @@ async function run$z(argv, importMeta, {
   if (!gradleOpts) {
     if (sockJson.defaults?.manifest?.gradle?.gradleOpts) {
       gradleOpts = sockJson.defaults?.manifest?.gradle?.gradleOpts;
-      logger.logger.info('Using default --gradle-opts from socket.json:', gradleOpts);
+      logger.logger.info(`Using default --gradle-opts from ${constants.SOCKET_JSON}:`, gradleOpts);
     } else {
       gradleOpts = '';
     }
@@ -5334,7 +5417,7 @@ async function run$z(argv, importMeta, {
   if (verbose === undefined) {
     if (sockJson.defaults?.manifest?.gradle?.verbose !== undefined) {
       verbose = sockJson.defaults?.manifest?.gradle?.verbose;
-      logger.logger.info('Using default --verbose from socket.json:', verbose);
+      logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
     } else {
       verbose = false;
     }
@@ -5414,7 +5497,7 @@ const config$9 = {
 
     Uses \`sbt makePom\` to generate a \`pom.xml\` from your \`build.sbt\` file.
     This xml file is the dependency manifest (like a package.json
-    for Node.js or requirements.txt for PyPi), but specifically for Scala.
+    for Node.js or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Scala.
 
     There are some caveats with \`build.sbt\` to \`pom.xml\` conversion:
 
@@ -5446,9 +5529,9 @@ const config$9 = {
 const cmdManifestScala = {
   description: config$9.description,
   hidden: config$9.hidden,
-  run: run$y
+  run: run$A
 };
-async function run$y(argv, importMeta, {
+async function run$A(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -5470,7 +5553,7 @@ async function run$y(argv, importMeta, {
   // TODO: Implement json/md further.
   const outputKind = utils.getOutputKind(json, markdown);
   const sockJson = utils.readOrDefaultSocketJson(cwd);
-  require$$9.debugFn('inspect', 'override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
+  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} sbt`, sockJson?.defaults?.manifest?.sbt);
   let {
     bin,
     out,
@@ -5483,21 +5566,21 @@ async function run$y(argv, importMeta, {
   if (!bin) {
     if (sockJson.defaults?.manifest?.sbt?.bin) {
       bin = sockJson.defaults?.manifest?.sbt?.bin;
-      logger.logger.info('Using default --bin from socket.json:', bin);
+      logger.logger.info(`Using default --bin from ${constants.SOCKET_JSON}:`, bin);
     } else {
       bin = 'sbt';
     }
   }
   if (stdout === undefined && sockJson.defaults?.manifest?.sbt?.stdout !== undefined) {
     stdout = sockJson.defaults?.manifest?.sbt?.stdout;
-    logger.logger.info('Using default --stdout from socket.json:', stdout);
+    logger.logger.info(`Using default --stdout from ${constants.SOCKET_JSON}:`, stdout);
   }
   if (stdout) {
     out = '-';
   } else if (!out) {
     if (sockJson.defaults?.manifest?.sbt?.outfile) {
       out = sockJson.defaults?.manifest?.sbt?.outfile;
-      logger.logger.info('Using default --out from socket.json:', out);
+      logger.logger.info(`Using default --out from ${constants.SOCKET_JSON}:`, out);
     } else {
       out = './socket.pom.xml';
     }
@@ -5505,14 +5588,14 @@ async function run$y(argv, importMeta, {
   if (!sbtOpts) {
     if (sockJson.defaults?.manifest?.sbt?.sbtOpts) {
       sbtOpts = sockJson.defaults?.manifest?.sbt?.sbtOpts;
-      logger.logger.info('Using default --sbt-opts from socket.json:', sbtOpts);
+      logger.logger.info(`Using default --sbt-opts from ${constants.SOCKET_JSON}:`, sbtOpts);
     } else {
       sbtOpts = '';
     }
   }
   if (verbose === undefined && sockJson.defaults?.manifest?.sbt?.verbose !== undefined) {
     verbose = sockJson.defaults?.manifest?.sbt?.verbose;
-    logger.logger.info('Using default --verbose from socket.json:', verbose);
+    logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
   } else if (verbose === undefined) {
     verbose = false;
   }
@@ -5580,18 +5663,18 @@ async function setupManifestConfig(cwd, defaultOnReadError = false) {
   //   - each target will have its own specific options
   //   - record them to the socket.yml (or socket-cli.yml ? or just socket.json ?)
 
-  const jsonPath = path.join(cwd, `socket.json`);
+  const jsonPath = path.join(cwd, constants.SOCKET_JSON);
   if (fs$1.existsSync(jsonPath)) {
-    logger.logger.info(`Found socket.json at ${jsonPath}`);
+    logger.logger.info(`Found ${constants.SOCKET_JSON} at ${jsonPath}`);
   } else {
-    logger.logger.info(`No socket.json found at ${cwd}, will generate a new one`);
+    logger.logger.info(`No ${constants.SOCKET_JSON} found at ${cwd}, will generate a new one`);
   }
   logger.logger.log('');
   logger.logger.log('Note: This tool will set up flag and argument defaults for certain');
   logger.logger.log('      CLI commands. You can still override them by explicitly');
   logger.logger.log('      setting the flag. It is meant to be a convenience tool.');
   logger.logger.log('');
-  logger.logger.log('This command will generate a socket.json file in the target cwd.');
+  logger.logger.log(`This command will generate a ${constants.SOCKET_JSON} file in the target cwd.`);
   logger.logger.log('You can choose to add this file to your repo (handy for collaboration)');
   logger.logger.log('or to add it to the ignored files, or neither. This file is only');
   logger.logger.log('used in CLI workflows.');
@@ -5599,7 +5682,7 @@ async function setupManifestConfig(cwd, defaultOnReadError = false) {
   const choices = [{
     name: 'Conda'.padEnd(30, ' '),
     value: 'conda',
-    description: 'Generate requirements.txt from a Conda environment.yml'
+    description: `Generate ${constants.REQUIREMENTS_TXT} from a Conda environment.yml`
   }, {
     name: 'Gradle'.padEnd(30, ' '),
     value: 'gradle',
@@ -5692,7 +5775,7 @@ async function setupManifestConfig(cwd, defaultOnReadError = false) {
     return result;
   }
   logger.logger.log('');
-  logger.logger.log('Setup complete. Writing socket.json');
+  logger.logger.log(`Setup complete. Writing ${constants.SOCKET_JSON}`);
   logger.logger.log('');
   if (await prompts.select({
     message: `Do you want to write the new config to ${jsonPath} ?`,
@@ -5743,7 +5826,7 @@ async function setupConda(config) {
     delete config.stdout;
   }
   if (!config.stdout) {
-    const out = await askForOutputFile(config.outfile || 'requirements.txt');
+    const out = await askForOutputFile(config.outfile || constants.REQUIREMENTS_TXT);
     if (out === undefined) {
       return canceledByUser$1();
     } else if (out === '-') {
@@ -5970,7 +6053,7 @@ const config$8 = {
     ...flags.commonFlags,
     defaultOnReadError: {
       type: 'boolean',
-      description: 'If reading the socket.json fails, just use a default config? Warning: This might override the existing json file!'
+      description: `If reading the ${constants.SOCKET_JSON} fails, just use a default config? Warning: This might override the existing json file!`
     }
   },
   help: (command, config) => `
@@ -5983,7 +6066,7 @@ const config$8 = {
     This command will try to detect all supported ecosystems in given CWD. Then
     it starts a configurator where you can setup default values for certain flags
     when creating manifest files in that dir. These configuration details are
-    then stored in a local \`socket.json\` file (which you may or may not commit
+    then stored in a local \`${constants.SOCKET_JSON}\` file (which you may or may not commit
     to the repo). Next time you run \`socket manifest ...\` it will load this
     json file and any flags which are not explicitly set in the command but which
     have been registered in the json file will get the default value set to that
@@ -6007,9 +6090,9 @@ const config$8 = {
 const cmdManifestSetup = {
   description: config$8.description,
   hidden: config$8.hidden,
-  run: run$x
+  run: run$z
 };
-async function run$x(argv, importMeta, {
+async function run$z(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6043,9 +6126,9 @@ const config$7 = {
 const cmdManifest = {
   description: config$7.description,
   hidden: config$7.hidden,
-  run: run$w
+  run: run$y
 };
-async function run$w(argv, importMeta, {
+async function run$y(argv, importMeta, {
   parentName
 }) {
   await utils.meowWithSubcommands({
@@ -6072,22 +6155,26 @@ async function run$w(argv, importMeta, {
   });
 }
 
-const require$3 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-const CMD_NAME$p = constants.NPM;
-const description$u = 'Run npm with the Socket wrapper';
-const hidden$o = false;
+const require$5 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const CMD_NAME$r = constants.NPM;
+const description$w = 'Run npm with the Socket wrapper';
+const hidden$q = false;
 const cmdNpm = {
-  description: description$u,
-  hidden: hidden$o,
-  run: run$v
+  description: description$w,
+  hidden: hidden$q,
+  run: run$x
 };
-async function run$v(argv, importMeta, {
-  parentName
-}) {
+async function run$x(argv, importMeta, context) {
+  const {
+    parentName
+  } = {
+    __proto__: null,
+    ...context
+  };
   const config = {
-    commandName: CMD_NAME$p,
-    description: description$u,
-    hidden: hidden$o,
+    commandName: CMD_NAME$r,
+    description: description$w,
+    hidden: hidden$q,
     flags: {
       ...flags.commonFlags
     },
@@ -6096,7 +6183,7 @@ async function run$v(argv, importMeta, {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$p}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
 
     Note: Everything after "npm" is passed to the npm command.
           Only the \`--dry-run\` and \`--help\` flags are caught here.
@@ -6106,6 +6193,7 @@ async function run$v(argv, importMeta, {
     Examples
       $ ${command}
       $ ${command} install -g cowsay
+      $ ${command} exec cowsay
     `
   };
   const cli = utils.meowOrExit({
@@ -6119,11 +6207,17 @@ async function run$v(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const shadowBin = /*@__PURE__*/require$3(constants.default.shadowNpmBinPath);
+  const shadowBin = /*@__PURE__*/require$5(constants.default.shadowNpmBinPath);
   process.exitCode = 1;
+
+  // Filter Socket flags from argv but keep --json for npm.
+  const argsToForward = utils.filterFlags(argv, {
+    ...flags.commonFlags,
+    ...flags.outputFlags
+  }, ['--json']);
   const {
     spawnPromise
-  } = await shadowBin(constants.NPM, argv, {
+  } = await shadowBin(constants.NPM, argsToForward, {
     stdio: 'inherit'
   });
 
@@ -6139,31 +6233,31 @@ async function run$v(argv, importMeta, {
   await spawnPromise;
 }
 
-const require$2 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-const CMD_NAME$o = constants.NPX;
-const description$t = 'Run npx with the Socket wrapper';
-const hidden$n = false;
+const require$4 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const CMD_NAME$q = constants.NPX;
+const description$v = 'Run npx with the Socket wrapper';
+const hidden$p = false;
 const cmdNpx = {
-  description: description$t,
-  hidden: hidden$n,
-  run: run$u
+  description: description$v,
+  hidden: hidden$p,
+  run: run$w
 };
-async function run$u(argv, importMeta, {
+async function run$w(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$o,
-    description: description$t,
-    hidden: hidden$n,
-    flags: {
-      ...flags.commonFlags
+    commandName: CMD_NAME$q,
+    description: description$v,
+    hidden: hidden$p,
+    flags: {
+      ...flags.commonFlags
     },
     help: (command, _config) => `
     Usage
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$o}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
 
     Note: Everything after "npx" is passed to the npx command.
           Only the \`--dry-run\` and \`--help\` flags are caught here.
@@ -6172,6 +6266,7 @@ async function run$u(argv, importMeta, {
 
     Examples
       $ ${command} cowsay
+      $ ${command} cowsay@1.6.0 hello
   `
   };
   const cli = utils.meowOrExit({
@@ -6185,7 +6280,7 @@ async function run$u(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const shadowBin = /*@__PURE__*/require$2(constants.default.shadowNpmBinPath);
+  const shadowBin = /*@__PURE__*/require$4(constants.default.shadowNpmBinPath);
   process.exitCode = 1;
   const {
     spawnPromise
@@ -6228,9 +6323,9 @@ const config$6 = {
 const cmdOops = {
   description: config$6.description,
   hidden: config$6.hidden,
-  run: run$t
+  run: run$v
 };
-async function run$t(argv, importMeta, {
+async function run$v(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6262,7 +6357,7 @@ async function run$t(argv, importMeta, {
     logger.logger.fail(utils.failMsgWithBadge('Oops', 'This error was intentionally left blank'));
     return;
   }
-  throw new Error('This error was intentionally left blank');
+  throw new Error('This error was intentionally left blank.');
 }
 
 const {
@@ -6647,7 +6742,7 @@ async function listPackages(pkgEnvDetails, options) {
   }
 }
 
-const CMD_NAME$n = 'socket optimize';
+const CMD_NAME$p = 'socket optimize';
 
 const {
   BUN,
@@ -6819,7 +6914,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   npmExecPath === constants.NPM && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     spinner?.stop();
-    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$n, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
+    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$p, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
     spinner?.start();
   }
   const overridesDataObjects = [];
@@ -7049,7 +7144,7 @@ async function applyOptimization(pkgEnvDetails, {
   const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
   if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
     const result = await updateLockfile(pkgEnvDetails, {
-      cmdName: CMD_NAME$n,
+      cmdName: CMD_NAME$p,
       logger: logger.logger,
       spinner
     });
@@ -7111,7 +7206,7 @@ async function handleOptimize({
   prod
 }) {
   const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$n,
+    cmdName: CMD_NAME$p,
     logger: logger.logger,
     prod
   });
@@ -7136,7 +7231,7 @@ async function handleOptimize({
     await outputOptimizeResult({
       ok: false,
       message: 'Unsupported',
-      cause: utils.cmdPrefixMessage(CMD_NAME$n, `${agent} v${agentVersion} does not support overrides.`)
+      cause: utils.cmdPrefixMessage(CMD_NAME$p, `${agent} v${agentVersion} does not support overrides.`)
     }, outputKind);
     return;
   }
@@ -7147,21 +7242,21 @@ async function handleOptimize({
   }), outputKind);
 }
 
-const CMD_NAME$m = 'optimize';
-const description$s = 'Optimize dependencies with @socketregistry overrides';
-const hidden$m = false;
+const CMD_NAME$o = 'optimize';
+const description$u = 'Optimize dependencies with @socketregistry overrides';
+const hidden$o = false;
 const cmdOptimize = {
-  description: description$s,
-  hidden: hidden$m,
-  run: run$s
+  description: description$u,
+  hidden: hidden$o,
+  run: run$u
 };
-async function run$s(argv, importMeta, {
+async function run$u(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$m,
-    description: description$s,
-    hidden: hidden$m,
+    commandName: CMD_NAME$o,
+    description: description$u,
+    hidden: hidden$o,
     flags: {
       ...flags.commonFlags,
       pin: {
@@ -7180,7 +7275,7 @@ async function run$s(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$o}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -7323,21 +7418,21 @@ async function handleDependencies({
   });
 }
 
-const CMD_NAME$l = 'dependencies';
-const description$r = 'Search for any dependency that is being used in your organization';
-const hidden$l = false;
+const CMD_NAME$n = 'dependencies';
+const description$t = 'Search for any dependency that is being used in your organization';
+const hidden$n = false;
 const cmdOrganizationDependencies = {
-  description: description$r,
-  hidden: hidden$l,
-  run: run$r
+  description: description$t,
+  hidden: hidden$n,
+  run: run$t
 };
-async function run$r(argv, importMeta, {
+async function run$t(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$l,
-    description: description$r,
-    hidden: hidden$l,
+    commandName: CMD_NAME$n,
+    description: description$t,
+    hidden: hidden$n,
     flags: {
       ...flags.commonFlags,
       limit: {
@@ -7357,7 +7452,7 @@ async function run$r(argv, importMeta, {
       ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$n}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -7457,21 +7552,21 @@ async function handleLicensePolicy(orgSlug, outputKind) {
   await outputLicensePolicy(data, outputKind);
 }
 
-const CMD_NAME$k = 'license';
-const description$q = 'Retrieve the license policy of an organization';
-const hidden$k = false;
+const CMD_NAME$m = 'license';
+const description$s = 'Retrieve the license policy of an organization';
+const hidden$m = false;
 const cmdOrganizationPolicyLicense = {
-  description: description$q,
-  hidden: hidden$k,
-  run: run$q
+  description: description$s,
+  hidden: hidden$m,
+  run: run$s
 };
-async function run$q(argv, importMeta, {
+async function run$s(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$k,
-    description: description$q,
-    hidden: hidden$k,
+    commandName: CMD_NAME$m,
+    description: description$s,
+    hidden: hidden$m,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -7490,7 +7585,7 @@ async function run$q(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -7593,21 +7688,21 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
   await outputSecurityPolicy(data, outputKind);
 }
 
-const CMD_NAME$j = 'security';
-const description$p = 'Retrieve the security policy of an organization';
-const hidden$j = true;
+const CMD_NAME$l = 'security';
+const description$r = 'Retrieve the security policy of an organization';
+const hidden$l = true;
 const cmdOrganizationPolicySecurity = {
-  description: description$p,
-  hidden: hidden$j,
-  run: run$p
+  description: description$r,
+  hidden: hidden$l,
+  run: run$r
 };
-async function run$p(argv, importMeta, {
+async function run$r(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$j,
-    description: description$p,
-    hidden: hidden$j,
+    commandName: CMD_NAME$l,
+    description: description$r,
+    hidden: hidden$l,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -7626,7 +7721,7 @@ async function run$p(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -7730,21 +7825,21 @@ async function handleOrganizationList(outputKind = 'text') {
   await outputOrganizationList(data, outputKind);
 }
 
-const CMD_NAME$i = 'list';
-const description$o = 'List organizations associated with the Socket API token';
-const hidden$i = false;
+const CMD_NAME$k = 'list';
+const description$q = 'List organizations associated with the Socket API token';
+const hidden$k = false;
 const cmdOrganizationList = {
-  description: description$o,
-  hidden: hidden$i,
-  run: run$o
+  description: description$q,
+  hidden: hidden$k,
+  run: run$q
 };
-async function run$o(argv, importMeta, {
+async function run$q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$i,
-    description: description$o,
-    hidden: hidden$i,
+    commandName: CMD_NAME$k,
+    description: description$q,
+    hidden: hidden$k,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -7754,7 +7849,7 @@ async function run$o(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -7798,9 +7893,9 @@ async function run$o(argv, importMeta, {
   await handleOrganizationList(outputKind);
 }
 
-const description$n = 'Organization policy details';
+const description$p = 'Organization policy details';
 const cmdOrganizationPolicy = {
-  description: description$n,
+  description: description$p,
   // Hidden because it was broken all this time (nobody could be using it)
   // and we're not sure if it's useful to anyone in its current state.
   // Until we do, we'll hide this to keep the help tidier.
@@ -7814,7 +7909,7 @@ const cmdOrganizationPolicy = {
       license: cmdOrganizationPolicyLicense
     }, {
       argv,
-      description: description$n,
+      description: description$p,
       defaultSub: 'list',
       // Backwards compat
       importMeta,
@@ -7891,9 +7986,9 @@ const config$5 = {
 const cmdOrganizationQuota = {
   description: config$5.description,
   hidden: config$5.hidden,
-  run: run$n
+  run: run$p
 };
-async function run$n(argv, importMeta, {
+async function run$p(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -7928,9 +8023,9 @@ async function run$n(argv, importMeta, {
   await handleQuota(outputKind);
 }
 
-const description$m = 'Manage Socket organization account details';
+const description$o = 'Manage Socket organization account details';
 const cmdOrganization = {
-  description: description$m,
+  description: description$o,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -7959,7 +8054,7 @@ const cmdOrganization = {
         }
       },
       argv,
-      description: description$m,
+      description: description$o,
       importMeta,
       name: `${parentName} organization`
     });
@@ -8184,21 +8279,21 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
   };
 }
 
-const CMD_NAME$h = 'score';
-const description$l = 'Look up score for one package which reflects all of its transitive dependencies as well';
-const hidden$h = false;
+const CMD_NAME$j = 'score';
+const description$n = 'Look up score for one package which reflects all of its transitive dependencies as well';
+const hidden$j = false;
 const cmdPackageScore = {
-  description: description$l,
-  hidden: hidden$h,
-  run: run$m
+  description: description$n,
+  hidden: hidden$j,
+  run: run$o
 };
-async function run$m(argv, importMeta, {
+async function run$o(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$h,
-    description: description$l,
-    hidden: hidden$h,
+    commandName: CMD_NAME$j,
+    description: description$n,
+    hidden: hidden$j,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -8208,7 +8303,7 @@ async function run$m(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <NAME> | <PURL>>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8407,15 +8502,15 @@ function getAlertString(alerts, options) {
 
   // We need to create the no-color string regardless because the actual string
   // contains a bunch of invisible ANSI chars which would screw up length checks.
-  const colorless = `- Alerts (${bad.length}/${mid.length.toString()}/${low.length}):`;
+  const colorless = `- Alerts (${bad.length}/${mid.length}/${low.length}):`;
   const padding = `  ${' '.repeat(Math.max(0, 20 - colorless.length))}`;
   if (colorize) {
-    return `- Alerts (${vendor.yoctocolorsCjsExports.red(bad.length.toString())}/${vendor.yoctocolorsCjsExports.yellow(mid.length.toString())}/${low.length}):` + padding + [bad.map(a => vendor.yoctocolorsCjsExports.red(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)).join(', '), mid.map(a => vendor.yoctocolorsCjsExports.yellow(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)).join(', '), low.map(a => `${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`).join(', ')].filter(Boolean).join(', ');
+    return `- Alerts (${vendor.yoctocolorsCjsExports.red(bad.length)}/${vendor.yoctocolorsCjsExports.yellow(mid.length)}/${low.length}):${padding}${arrays.joinAnd([...bad.map(a => vendor.yoctocolorsCjsExports.red(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)), ...mid.map(a => vendor.yoctocolorsCjsExports.yellow(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)), ...low.map(a => `${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)])}`;
   }
-  return colorless + padding + [bad.map(a => `[${a.severity}] ${a.type}`).join(', '), mid.map(a => `[${a.severity}] ${a.type}`).join(', '), low.map(a => `[${a.severity}] ${a.type}`).join(', ')].filter(Boolean).join(', ');
+  return `${colorless}${padding}${arrays.joinAnd([...bad.map(a => `[${a.severity}] ${a.type}`), ...mid.map(a => `[${a.severity}] ${a.type}`), ...low.map(a => `[${a.severity}] ${a.type}`)])}`;
 }
 function preProcess(artifacts, requestedPurls) {
-  // Dedupe results (for example, pypi will emit one package for each system release (win/mac/cpu) even if it's
+  // Dedupe results (for example, PyPI will emit one package for each system release (win/mac/cpu) even if it's
   // the same package version with same results. The duplication is irrelevant and annoying to the user.
 
   // Make some effort to match the requested data with the response
@@ -8566,28 +8661,28 @@ async function handlePurlsShallowScore({
   outputPurlsShallowScore(purls, packageData, outputKind);
 }
 
-const CMD_NAME$g = 'shallow';
-const description$k = 'Look up info regarding one or more packages but not their transitives';
-const hidden$g = false;
+const CMD_NAME$i = 'shallow';
+const description$m = 'Look up info regarding one or more packages but not their transitives';
+const hidden$i = false;
 const cmdPackageShallow = {
-  description: description$k,
-  hidden: hidden$g,
+  description: description$m,
+  hidden: hidden$i,
   alias: {
     shallowScore: {
-      description: description$k,
+      description: description$m,
       hidden: true,
       argv: []
     }
   },
-  run: run$l
+  run: run$n
 };
-async function run$l(argv, importMeta, {
+async function run$n(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$g,
-    description: description$k,
-    hidden: hidden$g,
+    commandName: CMD_NAME$i,
+    description: description$m,
+    hidden: hidden$i,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -8597,7 +8692,7 @@ async function run$l(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <PKGNAME> [<PKGNAME> ...] | <PURL> [<PURL> ...]>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$g}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8671,9 +8766,9 @@ async function run$l(argv, importMeta, {
   });
 }
 
-const description$j = 'Look up published package details';
+const description$l = 'Look up published package details';
 const cmdPackage = {
-  description: description$j,
+  description: description$l,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -8684,13 +8779,13 @@ const cmdPackage = {
     }, {
       aliases: {
         deep: {
-          description: description$j,
+          description: description$l,
           hidden: true,
           argv: ['score']
         }
       },
       argv,
-      description: description$j,
+      description: description$l,
       importMeta,
       name: `${parentName} package`
     });
@@ -8744,7 +8839,7 @@ async function outputPatchResult(result, outputKind) {
     }
     logger.logger.groupEnd();
   } else {
-    logger.logger.warn('No packages found requiring patches');
+    logger.logger.warn('No packages found requiring patches.');
   }
   logger.logger.log('');
   logger.logger.success('Patch command completed!');
@@ -8845,14 +8940,26 @@ async function applyNpmPatches(socketDir, patches, options) {
   }
   return result;
 }
+
+/**
+ * Compute SHA256 hash of file contents.
+ */
 async function computeSHA256(filepath) {
   try {
     const content = await fs$1.promises.readFile(filepath);
     const hash = require$$0$1.createHash('sha256');
     hash.update(content);
-    return hash.digest('hex');
-  } catch {}
-  return null;
+    return {
+      ok: true,
+      data: hash.digest('hex')
+    };
+  } catch (e) {
+    return {
+      ok: false,
+      message: 'Failed to compute file hash',
+      cause: `Unable to read file ${filepath}: ${e instanceof Error ? e.message : 'Unknown error'}`
+    };
+  }
 }
 async function findNodeModulesPaths(cwd) {
   const rootNmPath = await utils.findUp(constants.NODE_MODULES, {
@@ -8888,29 +8995,29 @@ async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options)
     }
     return false;
   }
-  const currentHash = await computeSHA256(filepath);
-  if (!currentHash) {
-    logger.logger.log(`Failed to compute hash for: ${fileName}`);
+  const currentHashResult = await computeSHA256(filepath);
+  if (!currentHashResult.ok) {
+    logger.logger.log(`Failed to compute hash for: ${fileName}: ${currentHashResult.cause || currentHashResult.message}`);
     if (wasSpinning) {
       spinner?.start();
     }
     return false;
   }
-  if (currentHash === fileInfo.afterHash) {
+  if (currentHashResult.data === fileInfo.afterHash) {
     logger.logger.success(`File already patched: ${fileName}`);
     logger.logger.group();
-    logger.logger.log(`Current hash: ${currentHash}`);
+    logger.logger.log(`Current hash: ${currentHashResult.data}`);
     logger.logger.groupEnd();
     if (wasSpinning) {
       spinner?.start();
     }
     return true;
   }
-  if (currentHash !== fileInfo.beforeHash) {
+  if (currentHashResult.data !== fileInfo.beforeHash) {
     logger.logger.fail(`File hash mismatch: ${fileName}`);
     logger.logger.group();
     logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
-    logger.logger.log(`Current:  ${currentHash}`);
+    logger.logger.log(`Current:  ${currentHashResult.data}`);
     logger.logger.log(`Target:   ${fileInfo.afterHash}`);
     logger.logger.groupEnd();
     if (wasSpinning) {
@@ -8920,7 +9027,7 @@ async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options)
   }
   logger.logger.success(`File matches expected hash: ${fileName}`);
   logger.logger.group();
-  logger.logger.log(`Current hash: ${currentHash}`);
+  logger.logger.log(`Current hash: ${currentHashResult.data}`);
   logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
   logger.logger.group();
   if (dryRun) {
@@ -9048,21 +9155,21 @@ async function handlePatch({
   }
 }
 
-const CMD_NAME$f = 'patch';
-const description$i = 'Apply CVE patches to dependencies';
-const hidden$f = true;
+const CMD_NAME$h = 'patch';
+const description$k = 'Apply CVE patches to dependencies';
+const hidden$h = true;
 const cmdPatch = {
-  description: description$i,
-  hidden: hidden$f,
-  run: run$k
+  description: description$k,
+  hidden: hidden$h,
+  run: run$m
 };
-async function run$k(argv, importMeta, {
+async function run$m(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$f,
-    description: description$i,
-    hidden: hidden$f,
+    commandName: CMD_NAME$h,
+    description: description$k,
+    hidden: hidden$h,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -9079,7 +9186,7 @@ async function run$k(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$f}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9118,13 +9225,11 @@ async function run$k(argv, importMeta, {
   cwd = path.resolve(process.cwd(), cwd);
   const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
   if (!fs$1.existsSync(dotSocketDirPath)) {
-    logger.logger.error(`Error: No ${constants.DOT_SOCKET} directory found in current directory`);
-    return;
+    throw new utils.InputError(`No ${constants.DOT_SOCKET} directory found in current directory`);
   }
   const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
   if (!fs$1.existsSync(manifestPath)) {
-    logger.logger.error(`Error: No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
-    return;
+    throw new utils.InputError(`No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
   }
   const {
     spinner
@@ -9141,6 +9246,71 @@ async function run$k(argv, importMeta, {
   });
 }
 
+const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const CMD_NAME$g = constants.PNPM;
+const description$j = 'Run pnpm with the Socket wrapper';
+const hidden$g = true;
+const cmdPnpm = {
+  description: description$j,
+  hidden: hidden$g,
+  run: run$l
+};
+async function run$l(argv, importMeta, context) {
+  const {
+    parentName
+  } = {
+    __proto__: null,
+    ...context
+  };
+  const config = {
+    commandName: CMD_NAME$g,
+    description: description$j,
+    hidden: hidden$g,
+    flags: {
+      ...flags.commonFlags
+    },
+    help: command => `
+    Usage
+      $ ${command} ...
+
+    API Token Requirements
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$g}`)}
+
+    Note: Everything after "pnpm" is passed to the pnpm command.
+          Only the \`--dry-run\` and \`--help\` flags are caught here.
+
+    Use \`socket wrapper on\` to alias this command as \`pnpm\`.
+
+    Examples
+      $ ${command}
+      $ ${command} install
+      $ ${command} add package-name
+      $ ${command} dlx package-name
+    `
+  };
+  const cli = utils.meowOrExit({
+    argv,
+    config,
+    importMeta,
+    parentName
+  });
+  const dryRun = !!cli.flags['dryRun'];
+  if (dryRun) {
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
+    return;
+  }
+  const shadowBin = /*@__PURE__*/require$3(constants.default.shadowPnpmBinPath);
+  process.exitCode = 1;
+
+  // Filter Socket flags from argv.
+  const filteredArgv = utils.filterFlags(argv, config.flags);
+  const {
+    spawnPromise
+  } = await shadowBin(filteredArgv);
+  await spawnPromise;
+  process.exitCode = 0;
+}
+
 async function runRawNpm(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpmBinPath(), argv, {
@@ -9185,9 +9355,9 @@ const config$4 = {
 const cmdRawNpm = {
   description: config$4.description,
   hidden: config$4.hidden,
-  run: run$j
+  run: run$k
 };
-async function run$j(argv, importMeta, {
+async function run$k(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -9248,9 +9418,9 @@ const config$3 = {
 const cmdRawNpx = {
   description: config$3.description,
   hidden: config$3.hidden,
-  run: run$i
+  run: run$j
 };
-async function run$i(argv, importMeta, {
+async function run$j(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -9335,21 +9505,21 @@ async function handleCreateRepo({
   outputCreateRepo(data, repoName, outputKind);
 }
 
-const CMD_NAME$e = 'create';
-const description$h = 'Create a repository in an organization';
-const hidden$e = false;
+const CMD_NAME$f = 'create';
+const description$i = 'Create a repository in an organization';
+const hidden$f = false;
 const cmdRepositoryCreate = {
-  description: description$h,
-  hidden: hidden$e,
-  run: run$h
+  description: description$i,
+  hidden: hidden$f,
+  run: run$i
 };
-async function run$h(argv, importMeta, {
+async function run$i(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$e,
-    description: description$h,
-    hidden: hidden$e,
+    commandName: CMD_NAME$f,
+    description: description$i,
+    hidden: hidden$f,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -9388,7 +9558,7 @@ async function run$h(argv, importMeta, {
       $ ${command} [options] <REPO>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$e}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$f}`)}
 
     The REPO name should be a "slug". Follows the same naming convention as GitHub.
 
@@ -9494,21 +9664,21 @@ async function handleDeleteRepo(orgSlug, repoName, outputKind) {
   await outputDeleteRepo(data, repoName, outputKind);
 }
 
-const CMD_NAME$d = 'del';
-const description$g = 'Delete a repository in an organization';
-const hidden$d = false;
+const CMD_NAME$e = 'del';
+const description$h = 'Delete a repository in an organization';
+const hidden$e = false;
 const cmdRepositoryDel = {
-  description: description$g,
-  hidden: hidden$d,
-  run: run$g
+  description: description$h,
+  hidden: hidden$e,
+  run: run$h
 };
-async function run$g(argv, importMeta, {
+async function run$h(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$d,
-    description: description$g,
-    hidden: hidden$d,
+    commandName: CMD_NAME$e,
+    description: description$h,
+    hidden: hidden$e,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -9527,7 +9697,7 @@ async function run$g(argv, importMeta, {
       $ ${command} [options] <REPO>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$d}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$e}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9757,21 +9927,21 @@ async function handleListRepos({
   }
 }
 
-const CMD_NAME$c = 'list';
-const description$f = 'List repositories in an organization';
-const hidden$c = false;
+const CMD_NAME$d = 'list';
+const description$g = 'List repositories in an organization';
+const hidden$d = false;
 const cmdRepositoryList = {
-  description: description$f,
-  hidden: hidden$c,
-  run: run$f
+  description: description$g,
+  hidden: hidden$d,
+  run: run$g
 };
-async function run$f(argv, importMeta, {
+async function run$g(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$c,
-    description: description$f,
-    hidden: hidden$c,
+    commandName: CMD_NAME$d,
+    description: description$g,
+    hidden: hidden$d,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -9792,25 +9962,26 @@ async function run$f(argv, importMeta, {
       },
       org: {
         type: 'string',
+        default: '',
         description: 'Force override the organization slug, overrides the default org from config'
       },
       perPage: {
         type: 'number',
-        shortFlag: 'pp',
         default: 30,
-        description: 'Number of results per page'
+        description: 'Number of results per page',
+        shortFlag: 'pp'
       },
       page: {
         type: 'number',
-        shortFlag: 'p',
         default: 1,
-        description: 'Page number'
+        description: 'Page number',
+        shortFlag: 'p'
       },
       sort: {
         type: 'string',
-        shortFlag: 's',
         default: 'created_at',
-        description: 'Sorting option'
+        description: 'Sorting option',
+        shortFlag: 's'
       }
     },
     help: (command, config) => `
@@ -9818,7 +9989,7 @@ async function run$f(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$c}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$d}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9837,16 +10008,19 @@ async function run$f(argv, importMeta, {
   const {
     all,
     direction = 'desc',
+    dryRun,
+    interactive,
     json,
     markdown,
-    org: orgFlag
+    org: orgFlag,
+    page,
+    perPage,
+    sort
   } = cli.flags;
-  const dryRun = !!cli.flags['dryRun'];
-  const interactive = !!cli.flags['interactive'];
   const hasApiToken = utils.hasDefaultApiToken();
   const {
     0: orgSlug
-  } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
+  } = await utils.determineOrgSlug(orgFlag, interactive, dryRun);
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -9877,13 +10051,13 @@ async function run$f(argv, importMeta, {
     return;
   }
   await handleListRepos({
-    all: Boolean(all),
-    direction: direction === 'asc' ? 'asc' : 'desc',
+    all,
+    direction,
     orgSlug,
     outputKind,
-    page: Number(cli.flags['page']) || 1,
-    perPage: Number(cli.flags['perPage']) || 30,
-    sort: String(cli.flags['sort'] || 'created_at')
+    page,
+    perPage,
+    sort
   });
 }
 
@@ -9956,21 +10130,21 @@ async function handleUpdateRepo({
   await outputUpdateRepo(data, repoName, outputKind);
 }
 
-const CMD_NAME$b = 'update';
-const description$e = 'Update a repository in an organization';
-const hidden$b = false;
+const CMD_NAME$c = 'update';
+const description$f = 'Update a repository in an organization';
+const hidden$c = false;
 const cmdRepositoryUpdate = {
-  description: description$e,
-  hidden: hidden$b,
-  run: run$e
+  description: description$f,
+  hidden: hidden$c,
+  run: run$f
 };
-async function run$e(argv, importMeta, {
+async function run$f(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$b,
-    description: description$e,
-    hidden: hidden$b,
+    commandName: CMD_NAME$c,
+    description: description$f,
+    hidden: hidden$c,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -10013,7 +10187,7 @@ async function run$e(argv, importMeta, {
       $ ${command} [options] <REPO>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$b}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$c}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -10142,21 +10316,21 @@ async function handleViewRepo(orgSlug, repoName, outputKind) {
   await outputViewRepo(data, outputKind);
 }
 
-const CMD_NAME$a = 'view';
-const description$d = 'View repositories in an organization';
-const hidden$a = false;
+const CMD_NAME$b = 'view';
+const description$e = 'View repositories in an organization';
+const hidden$b = false;
 const cmdRepositoryView = {
-  description: description$d,
-  hidden: hidden$a,
-  run: run$d
+  description: description$e,
+  hidden: hidden$b,
+  run: run$e
 };
-async function run$d(argv, importMeta, {
+async function run$e(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$a,
-    description: description$d,
-    hidden: hidden$a,
+    commandName: CMD_NAME$b,
+    description: description$e,
+    hidden: hidden$b,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -10175,7 +10349,7 @@ async function run$d(argv, importMeta, {
       $ ${command} [options] <REPO>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$a}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$b}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -10240,9 +10414,9 @@ async function run$d(argv, importMeta, {
   await handleViewRepo(orgSlug, String(repoName), outputKind);
 }
 
-const description$c = 'Manage registered repositories';
+const description$d = 'Manage registered repositories';
 const cmdRepository = {
-  description: description$c,
+  description: description$d,
   async run(argv, importMeta, {
     parentName
   }) {
@@ -10254,7 +10428,7 @@ const cmdRepository = {
       update: cmdRepositoryUpdate
     }, {
       argv,
-      description: description$c,
+      description: description$d,
       importMeta,
       name: `${parentName} repository`
     });
@@ -10312,9 +10486,9 @@ async function suggestTarget() {
   return proceed ? ['.'] : [];
 }
 
-const CMD_NAME$9 = 'create';
-const description$b = 'Create a new Socket scan and report';
-const hidden$9 = false;
+const CMD_NAME$a = 'create';
+const description$c = 'Create a new Socket scan and report';
+const hidden$a = false;
 const generalFlags$1 = {
   ...flags.commonFlags,
   ...flags.outputFlags,
@@ -10410,17 +10584,17 @@ const generalFlags$1 = {
   }
 };
 const cmdScanCreate = {
-  description: description$b,
-  hidden: hidden$9,
-  run: run$c
+  description: description$c,
+  hidden: hidden$a,
+  run: run$d
 };
-async function run$c(argv, importMeta, {
+async function run$d(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$9,
-    description: description$b,
-    hidden: hidden$9,
+    commandName: CMD_NAME$a,
+    description: description$c,
+    hidden: hidden$a,
     flags: {
       ...generalFlags$1,
       ...reachabilityFlags
@@ -10431,7 +10605,7 @@ async function run$c(argv, importMeta, {
       $ ${command} [options] [TARGET...]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$9}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$a}`)}
 
     Options
       ${utils.getFlagListOutput(generalFlags$1)}
@@ -10440,7 +10614,7 @@ async function run$c(argv, importMeta, {
       ${utils.getFlagListOutput(reachabilityFlags)}
 
     Uploads the specified dependency manifest files for Go, Gradle, JavaScript,
-    Kotlin, Python, and Scala. Files like "package.json" and "requirements.txt".
+    Kotlin, Python, and Scala. Files like "package.json" and "${constants.REQUIREMENTS_TXT}".
     If any folder is specified, the ones found in there recursively are uploaded.
 
     Details on TARGET:
@@ -10450,7 +10624,7 @@ async function run$c(argv, importMeta, {
     - If a target is a file, only that file is checked
     - If it is a dir, the dir is scanned for any supported manifest files
     - Dirs MUST be within the current dir (cwd), you can use --cwd to change it
-    - Supports globbing such as "**/package.json", "**/requirements.txt", etc.
+    - Supports globbing such as "**/package.json", "**/${constants.REQUIREMENTS_TXT}", etc.
     - Ignores any file specified in your project's ".gitignore"
     - Also a sensible set of default ignores from the "ignore-by-default" module
 
@@ -10525,13 +10699,13 @@ async function run$c(argv, importMeta, {
   } = await utils.determineOrgSlug(String(orgFlag || ''), interactive, dryRun);
   const processCwd = process.cwd();
   const cwd = cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd ? path.resolve(processCwd, cwdOverride) : processCwd;
-  const sockJson = utils.readOrDefaultSocketJson(cwd);
+  const sockJson = await utils.readOrDefaultSocketJsonUp(cwd);
 
   // Note: This needs meow booleanDefault=undefined.
   if (typeof autoManifest !== 'boolean') {
     if (sockJson.defaults?.scan?.create?.autoManifest !== undefined) {
       autoManifest = sockJson.defaults.scan.create.autoManifest;
-      logger.logger.info('Using default --auto-manifest from socket.json:', autoManifest);
+      logger.logger.info(`Using default --auto-manifest from ${constants.SOCKET_JSON}:`, autoManifest);
     } else {
       autoManifest = false;
     }
@@ -10539,7 +10713,7 @@ async function run$c(argv, importMeta, {
   if (!branchName) {
     if (sockJson.defaults?.scan?.create?.branch) {
       branchName = sockJson.defaults.scan.create.branch;
-      logger.logger.info('Using default --branch from socket.json:', branchName);
+      logger.logger.info(`Using default --branch from ${constants.SOCKET_JSON}:`, branchName);
     } else {
       branchName = (await utils.gitBranch(cwd)) || (await utils.detectDefaultBranch(cwd));
     }
@@ -10547,7 +10721,7 @@ async function run$c(argv, importMeta, {
   if (!repoName) {
     if (sockJson.defaults?.scan?.create?.repo) {
       repoName = sockJson.defaults.scan.create.repo;
-      logger.logger.info('Using default --repo from socket.json:', repoName);
+      logger.logger.info(`Using default --repo from ${constants.SOCKET_JSON}:`, repoName);
     } else {
       repoName = await utils.getRepoName(cwd);
     }
@@ -10555,7 +10729,7 @@ async function run$c(argv, importMeta, {
   if (typeof report !== 'boolean') {
     if (sockJson.defaults?.scan?.create?.report !== undefined) {
       report = sockJson.defaults.scan.create.report;
-      logger.logger.info('Using default --report from socket.json:', report);
+      logger.logger.info(`Using default --report from ${constants.SOCKET_JSON}:`, report);
     } else {
       report = false;
     }
@@ -10612,7 +10786,7 @@ async function run$c(argv, importMeta, {
     logger.logger.error(`    socket scan create [other flags...] ${orgSlug} ${targets.join(' ')}`);
     logger.logger.error('```');
     logger.logger.error('');
-    logger.logger.info('You can also run `socket scan setup` to persist these flag defaults to a socket.json file.');
+    logger.logger.info(`You can also run \`socket scan setup\` to persist these flag defaults to a ${constants.SOCKET_JSON} file.`);
     logger.logger.error('');
   }
   const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
@@ -10734,21 +10908,21 @@ async function handleDeleteScan(orgSlug, scanId, outputKind) {
   await outputDeleteScan(data, outputKind);
 }
 
-const CMD_NAME$8 = 'del';
-const description$a = 'Delete a scan';
-const hidden$8 = false;
+const CMD_NAME$9 = 'del';
+const description$b = 'Delete a scan';
+const hidden$9 = false;
 const cmdScanDel = {
-  description: description$a,
-  hidden: hidden$8,
-  run: run$b
+  description: description$b,
+  hidden: hidden$9,
+  run: run$c
 };
-async function run$b(argv, importMeta, {
+async function run$c(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$8,
-    description: description$a,
-    hidden: hidden$8,
+    commandName: CMD_NAME$9,
+    description: description$b,
+    hidden: hidden$9,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -10767,7 +10941,7 @@ async function run$b(argv, importMeta, {
       $ ${command} [options] <SCAN_ID>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$8}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$9}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -11011,21 +11185,21 @@ async function handleDiffScan({
   });
 }
 
-const CMD_NAME$7 = 'diff';
-const description$9 = 'See what changed between two Scans';
-const hidden$7 = false;
+const CMD_NAME$8 = 'diff';
+const description$a = 'See what changed between two Scans';
+const hidden$8 = false;
 const cmdScanDiff = {
-  description: description$9,
-  hidden: hidden$7,
-  run: run$a
+  description: description$a,
+  hidden: hidden$8,
+  run: run$b
 };
-async function run$a(argv, importMeta, {
+async function run$b(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$7,
-    description: description$9,
-    hidden: hidden$7,
+    commandName: CMD_NAME$8,
+    description: description$a,
+    hidden: hidden$8,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -11055,7 +11229,7 @@ async function run$a(argv, importMeta, {
       $ ${command} [options] <SCAN_ID1> <SCAN_ID2>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$7}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$8}`)}
 
     This command displays the package changes between two scans. The full output
     can be pretty large depending on the size of your repo and time range. It is
@@ -11083,12 +11257,12 @@ async function run$a(argv, importMeta, {
   const SOCKET_SBOM_URL_PREFIX_LENGTH = SOCKET_SBOM_URL_PREFIX.length;
   const {
     depth,
+    dryRun,
     file,
     json,
     markdown,
     org: orgFlag
   } = cli.flags;
-  const dryRun = !!cli.flags['dryRun'];
   const interactive = !!cli.flags['interactive'];
   let [id1 = '', id2 = ''] = cli.input;
   // Support dropping in full socket urls to an sbom.
@@ -11131,12 +11305,12 @@ async function run$a(argv, importMeta, {
     return;
   }
   await handleDiffScan({
-    id1: String(id1 || ''),
-    id2: String(id2 || ''),
-    depth: Number(depth),
+    id1,
+    id2,
+    depth,
     orgSlug,
     outputKind,
-    file: String(file || '')
+    file
   });
 }
 
@@ -11151,7 +11325,7 @@ async function createScanFromGithub({
   repos
 }) {
   let targetRepos = repos.trim().split(',').map(r => r.trim()).filter(Boolean);
-  if (all || targetRepos.length === 0) {
+  if (all || !targetRepos.length) {
     // Fetch from Socket API
     const result = await fetchListAllRepos(orgSlug, {
       direction: 'asc',
@@ -11522,10 +11696,10 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       ok: true,
       data: localPath
     };
-  } catch (error) {
+  } catch (e) {
     logger.logger.fail('An error was thrown while trying to download a manifest file... url:', downloadUrl);
     require$$9.debugDir('inspect', {
-      error
+      error: e
     });
 
     // If an error occurs and fileStream was created, attempt to clean up.
@@ -11539,10 +11713,10 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       });
     }
     // Construct a more informative error message
-    let detailedError = `Error during download of ${downloadUrl}: ${error.message}`;
-    if (error.cause) {
+    let detailedError = `Error during download of ${downloadUrl}: ${e.message}`;
+    if (e.cause) {
       // Include cause if available (e.g., from network errors)
-      detailedError += `\nCause: ${error.cause}`;
+      detailedError += `\nCause: ${e.cause}`;
     }
     if (response && !response.ok) {
       // If error was due to bad HTTP status
@@ -11799,22 +11973,22 @@ async function handleCreateGithubScan({
   await outputScanGithub(ghScanCResult, outputKind);
 }
 
-const CMD_NAME$6 = 'github';
+const CMD_NAME$7 = 'github';
 const DEFAULT_GITHUB_URL = 'https://api.github.com';
-const description$8 = 'Create a scan for given GitHub repo';
-const hidden$6 = true;
+const description$9 = 'Create a scan for given GitHub repo';
+const hidden$7 = true;
 const cmdScanGithub = {
-  description: description$8,
-  hidden: hidden$6,
-  run: run$9
+  description: description$9,
+  hidden: hidden$7,
+  run: run$a
 };
-async function run$9(argv, importMeta, {
+async function run$a(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$6,
-    description: description$8,
-    hidden: hidden$6,
+    commandName: CMD_NAME$7,
+    description: description$9,
+    hidden: hidden$7,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -11858,7 +12032,7 @@ async function run$9(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$6}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$7}`)}
 
     This is similar to the \`socket scan create\` command except it pulls the files
     from GitHub. See the help for that command for more details.
@@ -12115,21 +12289,21 @@ async function handleListScans({
   await outputListScans(data, outputKind);
 }
 
-const CMD_NAME$5 = 'list';
-const description$7 = 'List the scans for an organization';
-const hidden$5 = false;
+const CMD_NAME$6 = 'list';
+const description$8 = 'List the scans for an organization';
+const hidden$6 = false;
 const cmdScanList = {
-  description: description$7,
-  hidden: hidden$5,
-  run: run$8
+  description: description$8,
+  hidden: hidden$6,
+  run: run$9
 };
-async function run$8(argv, importMeta, {
+async function run$9(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$5,
-    description: description$7,
-    hidden: hidden$5,
+    commandName: CMD_NAME$6,
+    description: description$8,
+    hidden: hidden$6,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -12188,7 +12362,7 @@ async function run$8(argv, importMeta, {
       $ ${command} [options] [REPO [BRANCH]]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$5}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$6}`)}
 
     Optionally filter by REPO. If you specify a repo, you can also specify a
     branch to filter by. (Note: If you don't specify a repo then you must use
@@ -12324,21 +12498,21 @@ async function handleOrgScanMetadata(orgSlug, scanId, outputKind) {
   await outputScanMetadata(data, scanId, outputKind);
 }
 
-const CMD_NAME$4 = 'metadata';
-const description$6 = "Get a scan's metadata";
-const hidden$4 = false;
+const CMD_NAME$5 = 'metadata';
+const description$7 = "Get a scan's metadata";
+const hidden$5 = false;
 const cmdScanMetadata = {
-  description: description$6,
-  hidden: hidden$4,
-  run: run$7
+  description: description$7,
+  hidden: hidden$5,
+  run: run$8
 };
-async function run$7(argv, importMeta, {
+async function run$8(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$4,
-    description: description$6,
-    hidden: hidden$4,
+    commandName: CMD_NAME$5,
+    description: description$7,
+    hidden: hidden$5,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -12357,7 +12531,7 @@ async function run$7(argv, importMeta, {
       $ ${command} [options] <SCAN_ID>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$4}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$5}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -12491,9 +12665,9 @@ async function handleScanReach({
   });
 }
 
-const CMD_NAME$3 = 'reach';
-const description$5 = 'Compute tier 1 reachability';
-const hidden$3 = true;
+const CMD_NAME$4 = 'reach';
+const description$6 = 'Compute tier 1 reachability';
+const hidden$4 = true;
 const generalFlags = {
   ...flags.commonFlags,
   ...flags.outputFlags,
@@ -12509,17 +12683,17 @@ const generalFlags = {
   }
 };
 const cmdScanReach = {
-  description: description$5,
-  hidden: hidden$3,
-  run: run$6
+  description: description$6,
+  hidden: hidden$4,
+  run: run$7
 };
-async function run$6(argv, importMeta, {
+async function run$7(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$3,
-    description: description$5,
-    hidden: hidden$3,
+    commandName: CMD_NAME$4,
+    description: description$6,
+    hidden: hidden$4,
     flags: {
       ...generalFlags,
       ...reachabilityFlags
@@ -12529,7 +12703,7 @@ async function run$6(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$3}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$4}`)}
 
     Options
       ${utils.getFlagListOutput(generalFlags)}
@@ -12637,21 +12811,21 @@ async function run$6(argv, importMeta, {
   });
 }
 
-const CMD_NAME$2 = 'report';
-const description$4 = 'Check whether a scan result passes the organizational policies (security, license)';
-const hidden$2 = false;
+const CMD_NAME$3 = 'report';
+const description$5 = 'Check whether a scan result passes the organizational policies (security, license)';
+const hidden$3 = false;
 const cmdScanReport = {
-  description: description$4,
-  hidden: hidden$2,
-  run: run$5
+  description: description$5,
+  hidden: hidden$3,
+  run: run$6
 };
-async function run$5(argv, importMeta, {
+async function run$6(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$2,
-    description: description$4,
-    hidden: hidden$2,
+    commandName: CMD_NAME$3,
+    description: description$5,
+    hidden: hidden$3,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -12690,7 +12864,7 @@ async function run$5(argv, importMeta, {
       $ ${command} [options] <SCAN_ID> [OUTPUT_PATH]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$2}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$3}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -12801,18 +12975,18 @@ async function outputScanConfigResult(result) {
 }
 
 async function setupScanConfig(cwd, defaultOnReadError = false) {
-  const jsonPath = path.join(cwd, `socket.json`);
+  const jsonPath = path.join(cwd, constants.SOCKET_JSON);
   if (fs$1.existsSync(jsonPath)) {
-    logger.logger.info(`Found socket.json at ${jsonPath}`);
+    logger.logger.info(`Found ${constants.SOCKET_JSON} at ${jsonPath}`);
   } else {
-    logger.logger.info(`No socket.json found at ${cwd}, will generate a new one`);
+    logger.logger.info(`No ${constants.SOCKET_JSON} found at ${cwd}, will generate a new one`);
   }
   logger.logger.log('');
   logger.logger.log('Note: This tool will set up flag and argument defaults for certain');
   logger.logger.log('      CLI commands. You can still override them by explicitly');
   logger.logger.log('      setting the flag. It is meant to be a convenience tool.');
   logger.logger.log('');
-  logger.logger.log('This command will generate a `socket.json` file in the target cwd.');
+  logger.logger.log(`This command will generate a \`${constants.SOCKET_JSON}\` file in the target cwd.`);
   logger.logger.log('You can choose to add this file to your repo (handy for collab)');
   logger.logger.log('or to add it to the ignored files, or neither. This file is only');
   logger.logger.log('used in CLI workflows.');
@@ -12873,7 +13047,7 @@ async function setupScanConfig(cwd, defaultOnReadError = false) {
       }
   }
   logger.logger.log('');
-  logger.logger.log('Setup complete. Writing socket.json');
+  logger.logger.log(`Setup complete. Writing ${constants.SOCKET_JSON}`);
   logger.logger.log('');
   if (await prompts.select({
     message: `Do you want to write the new config to ${jsonPath} ?`,
@@ -13089,7 +13263,7 @@ const config$2 = {
     ...flags.commonFlags,
     defaultOnReadError: {
       type: 'boolean',
-      description: 'If reading the socket.json fails, just use a default config? Warning: This might override the existing json file!'
+      description: `If reading the ${constants.SOCKET_JSON} fails, just use a default config? Warning: This might override the existing json file!`
     }
   },
   help: (command, config) => `
@@ -13119,9 +13293,9 @@ const config$2 = {
 const cmdScanSetup = {
   description: config$2.description,
   hidden: config$2.hidden,
-  run: run$4
+  run: run$5
 };
-async function run$4(argv, importMeta, {
+async function run$5(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -13165,7 +13339,7 @@ async function fetchScan(orgSlug, scanId) {
         error: e,
         line
       });
-      return null;
+      return undefined;
     }
   });
   if (ok) {
@@ -13277,21 +13451,21 @@ async function streamScan(orgSlug, scanId, options) {
   });
 }
 
-const CMD_NAME$1 = 'view';
-const description$3 = 'View the raw results of a scan';
-const hidden$1 = false;
+const CMD_NAME$2 = 'view';
+const description$4 = 'View the raw results of a scan';
+const hidden$2 = false;
 const cmdScanView = {
-  description: description$3,
-  hidden: hidden$1,
-  run: run$3
+  description: description$4,
+  hidden: hidden$2,
+  run: run$4
 };
-async function run$3(argv, importMeta, {
+async function run$4(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$1,
-    description: description$3,
-    hidden: hidden$1,
+    commandName: CMD_NAME$2,
+    description: description$4,
+    hidden: hidden$2,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -13315,7 +13489,7 @@ async function run$3(argv, importMeta, {
       $ ${command} [options] <SCAN_ID> [OUTPUT_FILE]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$1}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$2}`)}
 
     When no output path is given the contents is sent to stdout.
 
@@ -13388,9 +13562,9 @@ async function run$3(argv, importMeta, {
   }
 }
 
-const description$2 = 'Manage Socket scans';
+const description$3 = 'Manage Socket scans';
 const cmdScan = {
-  description: description$2,
+  description: description$3,
   async run(argv, importMeta, {
     parentName
   }) {
@@ -13419,7 +13593,7 @@ const cmdScan = {
         }
       },
       argv,
-      description: description$2,
+      description: description$3,
       importMeta,
       name: `${parentName} scan`
     });
@@ -13440,7 +13614,7 @@ async function fetchThreatFeed({
   return await utils.queryApiSafeJson(`orgs/${orgSlug}/threat-feed?${queryParams}`, 'the Threat Feed data');
 }
 
-const require$1 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 async function outputThreatFeed(result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -13454,14 +13628,14 @@ async function outputThreatFeed(result, outputKind) {
     return;
   }
   if (!result.data?.results?.length) {
-    logger.logger.warn('Did not receive any data to display...');
+    logger.logger.warn('Did not receive any data to display.');
     return;
   }
   const formattedOutput = formatResults(result.data.results);
   const descriptions = result.data.results.map(d => d.description);
 
   // Note: this temporarily takes over the terminal (just like `man` does).
-  const ScreenWidget = /*@__PURE__*/require$1('../external/blessed/lib/widgets/screen.js');
+  const ScreenWidget = /*@__PURE__*/require$2('../external/blessed/lib/widgets/screen.js');
   const screen = new ScreenWidget({
     ...constants.default.blessedOptions
   });
@@ -13470,7 +13644,7 @@ async function outputThreatFeed(result, outputKind) {
   // node process just to exit it. That's very bad UX.
   // eslint-disable-next-line n/no-process-exit
   screen.key(['escape', 'q', 'C-c'], () => process.exit(0));
-  const TableWidget = /*@__PURE__*/require$1('../external/blessed-contrib/lib/widget/table.js');
+  const TableWidget = /*@__PURE__*/require$2('../external/blessed-contrib/lib/widget/table.js');
   const detailsBoxHeight = 20; // bottom N rows for details box
   const tipsBoxHeight = 1; // 1 row for tips box
 
@@ -13494,7 +13668,7 @@ async function outputThreatFeed(result, outputKind) {
     columnSpacing: 1,
     truncate: '_'
   });
-  const BoxWidget = /*@__PURE__*/require$1('../external/blessed/lib/widgets/box.js');
+  const BoxWidget = /*@__PURE__*/require$2('../external/blessed/lib/widgets/box.js');
   const tipsBox = new BoxWidget({
     bottom: detailsBoxHeight,
     // sits just above the details box
@@ -13601,23 +13775,23 @@ async function handleThreatFeed({
   await outputThreatFeed(data, outputKind);
 }
 
-const CMD_NAME = 'threat-feed';
+const CMD_NAME$1 = 'threat-feed';
 const ECOSYSTEMS = new Set(['gem', 'golang', 'maven', constants.NPM, 'nuget', 'pypi']);
 const TYPE_FILTERS = new Set(['anom', 'c', 'fp', 'joke', 'mal', 'secret', 'spy', 'tp', 'typo', 'u', 'vuln']);
-const description$1 = '[Beta] View the threat-feed';
-const hidden = false;
+const description$2 = '[Beta] View the threat-feed';
+const hidden$1 = false;
 const cmdThreatFeed = {
-  description: description$1,
-  hidden,
-  run: run$2
+  description: description$2,
+  hidden: hidden$1,
+  run: run$3
 };
-async function run$2(argv, importMeta, {
+async function run$3(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME,
-    description: description$1,
-    hidden,
+    commandName: CMD_NAME$1,
+    description: description$2,
+    hidden: hidden$1,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -13672,7 +13846,7 @@ async function run$2(argv, importMeta, {
       $ ${command} [options] [ECOSYSTEM] [TYPE_FILTER]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$1}`)}
       - Special access
 
     This feature requires a Threat Feed license. Please contact
@@ -13938,9 +14112,9 @@ const config$1 = {
 const cmdUninstallCompletion = {
   description: config$1.description,
   hidden: config$1.hidden,
-  run: run$1
+  run: run$2
 };
-async function run$1(argv, importMeta, {
+async function run$2(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -13958,9 +14132,9 @@ async function run$1(argv, importMeta, {
   await handleUninstallCompletion(String(targetName));
 }
 
-const description = 'Uninstall Socket CLI tab completion';
+const description$1 = 'Uninstall Socket CLI tab completion';
 const cmdUninstall = {
-  description,
+  description: description$1,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -13969,7 +14143,7 @@ const cmdUninstall = {
       completion: cmdUninstallCompletion
     }, {
       argv,
-      description,
+      description: description$1,
       importMeta,
       name: `${parentName} uninstall`
     });
@@ -14134,9 +14308,9 @@ const config = {
 const cmdWrapper = {
   description: config.description,
   hidden: config.hidden,
-  run
+  run: run$1
 };
-async function run(argv, importMeta, {
+async function run$1(argv, importMeta, {
   parentName
 }) {
   // I don't think meow would mess with this but ...
@@ -14209,6 +14383,71 @@ async function run(argv, importMeta, {
   }
 }
 
+const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const CMD_NAME = constants.YARN;
+const description = 'Run yarn with the Socket wrapper';
+const hidden = true;
+const cmdYarn = {
+  description,
+  hidden,
+  run
+};
+async function run(argv, importMeta, context) {
+  const {
+    parentName
+  } = {
+    __proto__: null,
+    ...context
+  };
+  const config = {
+    commandName: CMD_NAME,
+    description,
+    hidden,
+    flags: {
+      ...flags.commonFlags
+    },
+    help: command => `
+    Usage
+      $ ${command} ...
+
+    API Token Requirements
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME}`)}
+
+    Note: Everything after "yarn" is passed to the yarn command.
+          Only the \`--dry-run\` and \`--help\` flags are caught here.
+
+    Use \`socket wrapper on\` to alias this command as \`yarn\`.
+
+    Examples
+      $ ${command}
+      $ ${command} install
+      $ ${command} add package-name
+      $ ${command} dlx package-name
+    `
+  };
+  const cli = utils.meowOrExit({
+    argv,
+    config,
+    importMeta,
+    parentName
+  });
+  const dryRun = !!cli.flags['dryRun'];
+  if (dryRun) {
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
+    return;
+  }
+  const shadowBin = /*@__PURE__*/require$1(constants.default.shadowYarnBinPath);
+  process.exitCode = 1;
+
+  // Filter Socket flags from argv.
+  const filteredArgv = utils.filterFlags(argv, config.flags);
+  const {
+    spawnPromise
+  } = await shadowBin(filteredArgv);
+  await spawnPromise;
+  process.exitCode = 0;
+}
+
 const rootCommands = {
   analytics: cmdAnalytics,
   'audit-log': cmdAuditLog,
@@ -14225,6 +14464,7 @@ const rootCommands = {
   manifest: cmdManifest,
   npm: cmdNpm,
   npx: cmdNpx,
+  pnpm: cmdPnpm,
   oops: cmdOops,
   optimize: cmdOptimize,
   organization: cmdOrganization,
@@ -14237,7 +14477,8 @@ const rootCommands = {
   security: cmdOrganizationPolicySecurity,
   'threat-feed': cmdThreatFeed,
   uninstall: cmdUninstall,
-  wrapper: cmdWrapper
+  wrapper: cmdWrapper,
+  yarn: cmdYarn
 };
 const rootAliases = {
   audit: {
@@ -14317,7 +14558,7 @@ const rootAliases = {
   }
 };
 
-const __filename$1 = require$$0.fileURLToPath(require('node:url').pathToFileURL(__filename).href);
+const __filename$1 = require$$0.fileURLToPath((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 void (async () => {
   const registryUrl = vendor.registryUrl();
   await vendor.updater({
@@ -14327,7 +14568,11 @@ void (async () => {
     name: constants.default.SOCKET_CLI_BIN_NAME,
     registryUrl,
     ttl: 86_400_000 /* 24 hours in milliseconds */,
-    version: constants.default.ENV.INLINED_SOCKET_CLI_VERSION
+    version: constants.default.ENV.INLINED_SOCKET_CLI_VERSION,
+    logCallback: (name, version, latest) => {
+      logger.logger.log(`\n\n📦 Update available for ${vendor.yoctocolorsCjsExports.cyan(name)}: ${vendor.yoctocolorsCjsExports.gray(version)} → ${vendor.yoctocolorsCjsExports.green(latest)}`);
+      logger.logger.log(`📝 ${vendor.terminalLinkExports('View changelog', `https://socket.dev/npm/package/${name}/files/${latest}/CHANGELOG.md`)}`);
+    }
   });
   try {
     await utils.meowWithSubcommands(rootCommands, {
@@ -14395,5 +14640,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=ac9751e6-2458-4e89-9ffb-14171de230d0
+//# debugId=daab38d0-ec51-45c9-a27a-928a16433b42
 //# sourceMappingURL=cli.js.map