@socketsecurity/cli-with-sentry 1.1.93 → 1.1.95

package/dist/utils.js

@@ -4320,6 +4320,256 @@ function parseGitRemoteUrl(remoteUrl) {
   } : result;
 }
 
+const DEFAULT_IGNORE_FOR_GIT_IGNORE = globs.defaultIgnore.filter(p => !p.endsWith('.gitignore'));
+const IGNORED_DIRS = [
+// Taken from ignore-by-default:
+// https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
+'.git',
+// Git repository files, see <https://git-scm.com/>
+'.log',
+// Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
+'.nyc_output',
+// Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
+'.sass-cache',
+// Cache folder for node-sass, see <https://github.com/sass/node-sass>
+'.yarn',
+// Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
+'bower_components',
+// Where Bower packages are installed, see <http://bower.io/>
+'coverage',
+// Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
+constants.NODE_MODULES,
+// Where Node modules are installed, see <https://nodejs.org/>
+// Taken from globby:
+// https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
+'flow-typed'];
+const IGNORED_DIR_PATTERNS = IGNORED_DIRS.map(i => `**/${i}`);
+async function getWorkspaceGlobs(agent, cwd = process.cwd()) {
+  let workspacePatterns;
+  if (agent === constants.PNPM) {
+    const workspacePath = path.join(cwd, 'pnpm-workspace.yaml');
+    const yml = await fs$1.safeReadFile(workspacePath);
+    if (yml) {
+      try {
+        workspacePatterns = vendor.distExports$1.parse(yml)?.packages;
+      } catch {}
+    }
+  } else {
+    workspacePatterns = (await packages.readPackageJson(cwd, {
+      throws: false
+    }))?.['workspaces'];
+  }
+  return Array.isArray(workspacePatterns) ? workspacePatterns.filter(strings.isNonEmptyString).map(workspacePatternToGlobPattern) : [];
+}
+function ignoreFileLinesToGlobPatterns(lines, filepath, cwd) {
+  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/');
+  const patterns = [];
+  for (let i = 0, {
+      length
+    } = lines; i < length; i += 1) {
+    const pattern = lines[i].trim();
+    if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {
+      patterns.push(ignorePatternToMinimatch(pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/ ? `!${path.posix.join(base, pattern.slice(1))}` : path.posix.join(base, pattern)));
+    }
+  }
+  return patterns;
+}
+function ignoreFileToGlobPatterns(content, filepath, cwd) {
+  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd);
+}
+
+// Based on `@eslint/compat` convertIgnorePatternToMinimatch.
+// Apache v2.0 licensed
+// Copyright Nicholas C. Zakas
+// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28
+function ignorePatternToMinimatch(pattern) {
+  const isNegated = pattern.startsWith('!');
+  const negatedPrefix = isNegated ? '!' : '';
+  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd();
+  // Special cases.
+  if (patternToTest === '' || patternToTest === '**' || patternToTest === '/**' || patternToTest === '**') {
+    return `${negatedPrefix}${patternToTest}`;
+  }
+  const firstIndexOfSlash = patternToTest.indexOf('/');
+  const matchEverywherePrefix = firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1 ? '**/' : '';
+  const patternWithoutLeadingSlash = firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest;
+  // Escape `{` and `(` because in gitignore patterns they are just
+  // literal characters without any specific syntactic meaning,
+  // while in minimatch patterns they can form brace expansion or extglob syntax.
+  //
+  // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.
+  // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.
+  // Minimatch pattern `src/\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.
+  const escapedPatternWithoutLeadingSlash = patternWithoutLeadingSlash.replaceAll(/(?=((?:\\.|[^{(])*))\1([{(])/guy, '$1\\$2');
+  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : '';
+  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`;
+}
+
+// fast-glob silently discards `ignore` entries that end in `/` (it
+// treats them as literal directory paths, not glob patterns). The
+// gitignore convention of writing directory entries as `dist/` lands
+// here as `**/dist/` after `ignorePatternToMinimatch`, which fast-glob
+// then drops — defeating the entire ignore. Strip the trailing slash
+// so fast-glob actually honors the pattern.
+function stripTrailingSlash(pattern) {
+  if (pattern.length > 1 && pattern.charCodeAt(pattern.length - 1) === 47 /*'/'*/) {
+    return pattern.slice(0, -1);
+  }
+  return pattern;
+}
+function workspacePatternToGlobPattern(workspace) {
+  const {
+    length
+  } = workspace;
+  if (!length) {
+    return '';
+  }
+  // If the workspace ends with "/"
+  if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
+    return `${workspace}/*/package.json`;
+  }
+  // If the workspace ends with "/**"
+  if (workspace.charCodeAt(length - 1) === 42 /*'*'*/ && workspace.charCodeAt(length - 2) === 42 /*'*'*/ && workspace.charCodeAt(length - 3) === 47 /*'/'*/) {
+    return `${workspace}/*/**/package.json`;
+  }
+  // Things like "packages/a" or "packages/*"
+  return `${workspace}/package.json`;
+}
+function createSupportedFilesFilter(supportedFiles) {
+  const patterns = getSupportedFilePatterns(supportedFiles);
+  return filepath => vendor.micromatchExports.some(filepath, patterns, {
+    dot: true,
+    nocase: true
+  });
+}
+function getSupportedFilePatterns(supportedFiles) {
+  const patterns = [];
+  for (const key of Object.keys(supportedFiles)) {
+    const supported = supportedFiles[key];
+    if (supported) {
+      patterns.push(...Object.values(supported).map(p => `**/${p.pattern}`));
+    }
+  }
+  return patterns;
+}
+async function globWithGitIgnore(patterns, options) {
+  const {
+    additionalIgnores,
+    cwd = process.cwd(),
+    filter,
+    socketConfig,
+    ...additionalOptions
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const ignores = new Set(IGNORED_DIR_PATTERNS);
+  const projectIgnorePaths = socketConfig?.projectIgnorePaths;
+  if (Array.isArray(projectIgnorePaths)) {
+    const ignorePatterns = ignoreFileLinesToGlobPatterns(projectIgnorePaths, path.join(cwd, '.gitignore'), cwd);
+    for (const pattern of ignorePatterns) {
+      ignores.add(pattern);
+    }
+  }
+  const gitIgnoreStream = vendor.outExports.globStream(['**/.gitignore'], {
+    absolute: true,
+    cwd,
+    dot: true,
+    ignore: DEFAULT_IGNORE_FOR_GIT_IGNORE
+  });
+  for await (const ignorePatterns of streams.transform(gitIgnoreStream, async filepath => ignoreFileToGlobPatterns((await fs$1.safeReadFile(filepath)) ?? '', filepath, cwd), {
+    concurrency: 8
+  })) {
+    for (const p of ignorePatterns) {
+      ignores.add(p);
+    }
+  }
+  let hasNegatedPattern = false;
+  for (const p of ignores) {
+    if (p.charCodeAt(0) === 33 /*'!'*/) {
+      hasNegatedPattern = true;
+      break;
+    }
+  }
+
+  // CLI-supplied `additionalIgnores` are already anchored minimatch — they
+  // must not pass through the `ignore` package (whose gitignore "match
+  // anywhere" semantics would re-interpret a bare `tests` to match
+  // `subdir/tests/foo.json`). Keep them in fast-glob's ignore list across
+  // both paths; only gitignore-translated entries go into the `ig` matcher.
+  const cliMinimatchIgnores = additionalIgnores ?? [];
+  const globOptions = {
+    __proto__: null,
+    absolute: true,
+    cwd,
+    dot: true,
+    ignore: hasNegatedPattern ? [...globs.defaultIgnore, ...cliMinimatchIgnores] : [...ignores, ...cliMinimatchIgnores].map(stripTrailingSlash),
+    ...additionalOptions
+  };
+
+  // When no filter is provided and no negated patterns exist, use the fast path.
+  if (!hasNegatedPattern && !filter) {
+    return await vendor.outExports.glob(patterns, globOptions);
+  }
+  // Add support for negated "ignore" patterns which many globbing libraries,
+  // including 'fast-glob', 'globby', and 'tinyglobby', lack support for.
+  // Use streaming to avoid unbounded memory accumulation.
+  // This is critical for large monorepos with 100k+ files.
+  const results = [];
+  const ig = hasNegatedPattern ? vendor.ignoreExports().add([...ignores]) : null;
+  const stream = vendor.outExports.globStream(patterns, globOptions);
+  for await (const p of stream) {
+    // Check gitignore patterns with negation support.
+    if (ig) {
+      // Note: the input files must be INSIDE the cwd. If you get strange looking
+      // relative path errors here, most likely your path is outside the given cwd.
+      const relPath = globOptions.absolute ? path.relative(cwd, p) : p;
+      if (ig.ignores(relPath)) {
+        continue;
+      }
+    }
+    // Apply the optional filter to reduce memory usage.
+    // When scanning large monorepos, this filters early (e.g., to manifest files only)
+    // instead of accumulating all 100k+ files and filtering later.
+    if (filter && !filter(p)) {
+      continue;
+    }
+    results.push(p);
+  }
+  return results;
+}
+async function globWorkspace(agent, cwd = process.cwd()) {
+  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd);
+  return workspaceGlobs.length ? await vendor.outExports.glob(workspaceGlobs, {
+    absolute: true,
+    cwd,
+    dot: true,
+    ignore: globs.defaultIgnore
+  }) : [];
+}
+function isReportSupportedFile(filepath, supportedFiles) {
+  const patterns = getSupportedFilePatterns(supportedFiles);
+  return vendor.micromatchExports.some(filepath, patterns, {
+    dot: true,
+    nocase: true
+  });
+}
+function pathsToGlobPatterns(paths, cwd) {
+  // TODO: Does not support `~/` paths.
+  return paths.map(p => {
+    // Convert current directory references to glob patterns.
+    if (p === '.' || p === './') {
+      return '**/*';
+    }
+    const absolutePath = path.isAbsolute(p) ? p : path.resolve(cwd ?? process.cwd(), p);
+    // If the path is a directory, scan it recursively for all files.
+    if (fs$1.isDirSync(absolutePath)) {
+      return `${p}/**/*`;
+    }
+    return p;
+  });
+}
+
 /**
  * Package URL (PURL) utilities for Socket CLI.
  * Implements the PURL specification for universal package identification.
@@ -4585,248 +4835,6 @@ async function findUp(name, options) {
   return undefined;
 }
 
-const DEFAULT_IGNORE_FOR_GIT_IGNORE = globs.defaultIgnore.filter(p => !p.endsWith('.gitignore'));
-const IGNORED_DIRS = [
-// Taken from ignore-by-default:
-// https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
-'.git',
-// Git repository files, see <https://git-scm.com/>
-'.log',
-// Log files emitted by tools such as `tsserver`, see <https://github.com/Microsoft/TypeScript/wiki/Standalone-Server-%28tsserver%29>
-'.nyc_output',
-// Temporary directory where nyc stores coverage data, see <https://github.com/bcoe/nyc>
-'.sass-cache',
-// Cache folder for node-sass, see <https://github.com/sass/node-sass>
-'.yarn',
-// Where node modules are installed when using Yarn, see <https://yarnpkg.com/>
-'bower_components',
-// Where Bower packages are installed, see <http://bower.io/>
-'coverage',
-// Standard output directory for code coverage reports, see <https://github.com/gotwarlost/istanbul>
-constants.NODE_MODULES,
-// Where Node modules are installed, see <https://nodejs.org/>
-// Taken from globby:
-// https://github.com/sindresorhus/globby/blob/v14.0.2/ignore.js#L11-L16
-'flow-typed'];
-const IGNORED_DIR_PATTERNS = IGNORED_DIRS.map(i => `**/${i}`);
-async function getWorkspaceGlobs(agent, cwd = process.cwd()) {
-  let workspacePatterns;
-  if (agent === constants.PNPM) {
-    const workspacePath = path.join(cwd, 'pnpm-workspace.yaml');
-    const yml = await fs$1.safeReadFile(workspacePath);
-    if (yml) {
-      try {
-        workspacePatterns = vendor.distExports$1.parse(yml)?.packages;
-      } catch {}
-    }
-  } else {
-    workspacePatterns = (await packages.readPackageJson(cwd, {
-      throws: false
-    }))?.['workspaces'];
-  }
-  return Array.isArray(workspacePatterns) ? workspacePatterns.filter(strings.isNonEmptyString).map(workspacePatternToGlobPattern) : [];
-}
-function ignoreFileLinesToGlobPatterns(lines, filepath, cwd) {
-  const base = path.relative(cwd, path.dirname(filepath)).replace(/\\/g, '/');
-  const patterns = [];
-  for (let i = 0, {
-      length
-    } = lines; i < length; i += 1) {
-    const pattern = lines[i].trim();
-    if (pattern.length > 0 && pattern.charCodeAt(0) !== 35 /*'#'*/) {
-      patterns.push(ignorePatternToMinimatch(pattern.length && pattern.charCodeAt(0) === 33 /*'!'*/ ? `!${path.posix.join(base, pattern.slice(1))}` : path.posix.join(base, pattern)));
-    }
-  }
-  return patterns;
-}
-function ignoreFileToGlobPatterns(content, filepath, cwd) {
-  return ignoreFileLinesToGlobPatterns(content.split(/\r?\n/), filepath, cwd);
-}
-
-// Based on `@eslint/compat` convertIgnorePatternToMinimatch.
-// Apache v2.0 licensed
-// Copyright Nicholas C. Zakas
-// https://github.com/eslint/rewrite/blob/compat-v1.2.1/packages/compat/src/ignore-file.js#L28
-function ignorePatternToMinimatch(pattern) {
-  const isNegated = pattern.startsWith('!');
-  const negatedPrefix = isNegated ? '!' : '';
-  const patternToTest = (isNegated ? pattern.slice(1) : pattern).trimEnd();
-  // Special cases.
-  if (patternToTest === '' || patternToTest === '**' || patternToTest === '/**' || patternToTest === '**') {
-    return `${negatedPrefix}${patternToTest}`;
-  }
-  const firstIndexOfSlash = patternToTest.indexOf('/');
-  const matchEverywherePrefix = firstIndexOfSlash === -1 || firstIndexOfSlash === patternToTest.length - 1 ? '**/' : '';
-  const patternWithoutLeadingSlash = firstIndexOfSlash === 0 ? patternToTest.slice(1) : patternToTest;
-  // Escape `{` and `(` because in gitignore patterns they are just
-  // literal characters without any specific syntactic meaning,
-  // while in minimatch patterns they can form brace expansion or extglob syntax.
-  //
-  // For example, gitignore pattern `src/{a,b}.js` ignores file `src/{a,b}.js`.
-  // But, the same minimatch pattern `src/{a,b}.js` ignores files `src/a.js` and `src/b.js`.
-  // Minimatch pattern `src/\{a,b}.js` is equivalent to gitignore pattern `src/{a,b}.js`.
-  const escapedPatternWithoutLeadingSlash = patternWithoutLeadingSlash.replaceAll(/(?=((?:\\.|[^{(])*))\1([{(])/guy, '$1\\$2');
-  const matchInsideSuffix = patternToTest.endsWith('/**') ? '/*' : '';
-  return `${negatedPrefix}${matchEverywherePrefix}${escapedPatternWithoutLeadingSlash}${matchInsideSuffix}`;
-}
-
-// fast-glob silently discards `ignore` entries that end in `/` (it
-// treats them as literal directory paths, not glob patterns). The
-// gitignore convention of writing directory entries as `dist/` lands
-// here as `**/dist/` after `ignorePatternToMinimatch`, which fast-glob
-// then drops — defeating the entire ignore. Strip the trailing slash
-// so fast-glob actually honors the pattern.
-function stripTrailingSlash(pattern) {
-  if (pattern.length > 1 && pattern.charCodeAt(pattern.length - 1) === 47 /*'/'*/) {
-    return pattern.slice(0, -1);
-  }
-  return pattern;
-}
-function workspacePatternToGlobPattern(workspace) {
-  const {
-    length
-  } = workspace;
-  if (!length) {
-    return '';
-  }
-  // If the workspace ends with "/"
-  if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
-    return `${workspace}/*/package.json`;
-  }
-  // If the workspace ends with "/**"
-  if (workspace.charCodeAt(length - 1) === 42 /*'*'*/ && workspace.charCodeAt(length - 2) === 42 /*'*'*/ && workspace.charCodeAt(length - 3) === 47 /*'/'*/) {
-    return `${workspace}/*/**/package.json`;
-  }
-  // Things like "packages/a" or "packages/*"
-  return `${workspace}/package.json`;
-}
-function createSupportedFilesFilter(supportedFiles) {
-  const patterns = getSupportedFilePatterns(supportedFiles);
-  return filepath => vendor.micromatchExports.some(filepath, patterns, {
-    dot: true,
-    nocase: true
-  });
-}
-function getSupportedFilePatterns(supportedFiles) {
-  const patterns = [];
-  for (const key of Object.keys(supportedFiles)) {
-    const supported = supportedFiles[key];
-    if (supported) {
-      patterns.push(...Object.values(supported).map(p => `**/${p.pattern}`));
-    }
-  }
-  return patterns;
-}
-async function globWithGitIgnore(patterns, options) {
-  const {
-    cwd = process.cwd(),
-    filter,
-    socketConfig,
-    ...additionalOptions
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const ignores = new Set(IGNORED_DIR_PATTERNS);
-  const projectIgnorePaths = socketConfig?.projectIgnorePaths;
-  if (Array.isArray(projectIgnorePaths)) {
-    const ignorePatterns = ignoreFileLinesToGlobPatterns(projectIgnorePaths, path.join(cwd, '.gitignore'), cwd);
-    for (const pattern of ignorePatterns) {
-      ignores.add(pattern);
-    }
-  }
-  const gitIgnoreStream = vendor.outExports.globStream(['**/.gitignore'], {
-    absolute: true,
-    cwd,
-    dot: true,
-    ignore: DEFAULT_IGNORE_FOR_GIT_IGNORE
-  });
-  for await (const ignorePatterns of streams.transform(gitIgnoreStream, async filepath => ignoreFileToGlobPatterns((await fs$1.safeReadFile(filepath)) ?? '', filepath, cwd), {
-    concurrency: 8
-  })) {
-    for (const p of ignorePatterns) {
-      ignores.add(p);
-    }
-  }
-  let hasNegatedPattern = false;
-  for (const p of ignores) {
-    if (p.charCodeAt(0) === 33 /*'!'*/) {
-      hasNegatedPattern = true;
-      break;
-    }
-  }
-  const globOptions = {
-    __proto__: null,
-    absolute: true,
-    cwd,
-    dot: true,
-    ignore: hasNegatedPattern ? globs.defaultIgnore : [...ignores].map(stripTrailingSlash),
-    ...additionalOptions
-  };
-
-  // When no filter is provided and no negated patterns exist, use the fast path.
-  if (!hasNegatedPattern && !filter) {
-    return await vendor.outExports.glob(patterns, globOptions);
-  }
-  // Add support for negated "ignore" patterns which many globbing libraries,
-  // including 'fast-glob', 'globby', and 'tinyglobby', lack support for.
-  // Use streaming to avoid unbounded memory accumulation.
-  // This is critical for large monorepos with 100k+ files.
-  const results = [];
-  const ig = hasNegatedPattern ? vendor.ignoreExports().add([...ignores]) : null;
-  const stream = vendor.outExports.globStream(patterns, globOptions);
-  for await (const p of stream) {
-    // Check gitignore patterns with negation support.
-    if (ig) {
-      // Note: the input files must be INSIDE the cwd. If you get strange looking
-      // relative path errors here, most likely your path is outside the given cwd.
-      const relPath = globOptions.absolute ? path.relative(cwd, p) : p;
-      if (ig.ignores(relPath)) {
-        continue;
-      }
-    }
-    // Apply the optional filter to reduce memory usage.
-    // When scanning large monorepos, this filters early (e.g., to manifest files only)
-    // instead of accumulating all 100k+ files and filtering later.
-    if (filter && !filter(p)) {
-      continue;
-    }
-    results.push(p);
-  }
-  return results;
-}
-async function globWorkspace(agent, cwd = process.cwd()) {
-  const workspaceGlobs = await getWorkspaceGlobs(agent, cwd);
-  return workspaceGlobs.length ? await vendor.outExports.glob(workspaceGlobs, {
-    absolute: true,
-    cwd,
-    dot: true,
-    ignore: globs.defaultIgnore
-  }) : [];
-}
-function isReportSupportedFile(filepath, supportedFiles) {
-  const patterns = getSupportedFilePatterns(supportedFiles);
-  return vendor.micromatchExports.some(filepath, patterns, {
-    dot: true,
-    nocase: true
-  });
-}
-function pathsToGlobPatterns(paths, cwd) {
-  // TODO: Does not support `~/` paths.
-  return paths.map(p => {
-    // Convert current directory references to glob patterns.
-    if (p === '.' || p === './') {
-      return '**/*';
-    }
-    const absolutePath = path.isAbsolute(p) ? p : path.resolve(cwd ?? process.cwd(), p);
-    // If the path is a directory, scan it recursively for all files.
-    if (fs$1.isDirSync(absolutePath)) {
-      return `${p}/**/*`;
-    }
-    return p;
-  });
-}
-
 function findBinPathDetailsSync(binName) {
   const rawBinPaths = bin.whichBinSync(binName, {
     all: true,
@@ -4905,8 +4913,26 @@ function findNpmDirPathSync(npmBinPath) {
     thePath = parent;
   }
 }
+/**
+ * Converts absolute scan targets inside cwd back to cwd-relative paths before
+ * glob expansion. SCA excludes passed through `additionalIgnores` are anchored
+ * to cwd, so package discovery needs target globs in the same coordinate
+ * system for fast-glob to apply those ignores consistently.
+ */
+function normalizeScanInputPath(pathToNormalize, cwd) {
+  if (!path.isAbsolute(pathToNormalize)) {
+    return pathToNormalize;
+  }
+  const relativePath = path.relative(cwd, pathToNormalize);
+  const isInsideCwd = relativePath === '' || !relativePath.startsWith('..') && !path.isAbsolute(relativePath);
+  if (!isInsideCwd) {
+    return pathToNormalize;
+  }
+  return stripTrailingSlash(relativePath.replaceAll('\\', '/')) || '.';
+}
 async function getPackageFilesForScan(inputPaths, supportedFiles, options) {
   const {
+    additionalIgnores,
     config: socketConfig,
     cwd = process.cwd()
   } = {
@@ -4918,7 +4944,9 @@ async function getPackageFilesForScan(inputPaths, supportedFiles, options) {
   // all files in memory. This is critical for large monorepos with 100k+ files
   // where accumulating all paths before filtering causes OOM errors.
   const filter = createSupportedFilesFilter(supportedFiles);
-  return await globWithGitIgnore(pathsToGlobPatterns(inputPaths, options?.cwd), {
+  const normalizedInputPaths = inputPaths.map(p => normalizeScanInputPath(p, cwd));
+  return await globWithGitIgnore(pathsToGlobPatterns(normalizedInputPaths, cwd), {
+    additionalIgnores,
     cwd,
     filter,
     socketConfig
@@ -7905,6 +7933,7 @@ exports.socketPackageLink = socketPackageLink;
 exports.spawnCdxgenDlx = spawnCdxgenDlx;
 exports.spawnCoanaDlx = spawnCoanaDlx;
 exports.spawnSynpDlx = spawnSynpDlx;
+exports.stripTrailingSlash = stripTrailingSlash;
 exports.suggestOrgSlug = suggestOrgSlug;
 exports.tildify = tildify;
 exports.toFilterConfig = toFilterConfig;
@@ -7917,5 +7946,5 @@ exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.webLink = webLink;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=1376ca2b-1ca3-4d1d-8c29-09378ce0da4a
+//# debugId=2070e850-060e-4077-8aaa-c4564f5f74e5
 //# sourceMappingURL=utils.js.map