@socketsecurity/cli 0.14.102 → 0.14.104

package/dist/module-sync/cli.js

@@ -12,7 +12,7 @@ function _socketInterop(e) {
 }
 
 const process$1 = require('node:process')
-const require$$0$2 = require('node:url')
+const require$$0$1 = require('node:url')
 const vendor = require('./vendor.js')
 const debug = require('@socketsecurity/registry/lib/debug')
 const logger = require('@socketsecurity/registry/lib/logger')
@@ -26,11 +26,11 @@ const objects = require('@socketsecurity/registry/lib/objects')
 const path = require('@socketsecurity/registry/lib/path')
 const regexps = require('@socketsecurity/registry/lib/regexps')
 const words = require('@socketsecurity/registry/lib/words')
-const require$$0 = require('node:fs')
+const fs$1 = require('node:fs')
 const shadowBin = require('./shadow-bin.js')
 const prompts = require('@socketsecurity/registry/lib/prompts')
 const shadowNpmPaths = require('./shadow-npm-paths.js')
-const require$$0$1 = require('node:util')
+const require$$0 = require('node:util')
 const arrays = require('@socketsecurity/registry/lib/arrays')
 const registry = require('@socketsecurity/registry')
 const npm = require('@socketsecurity/registry/lib/npm')
@@ -347,7 +347,7 @@ function renderJson(data) {
   }
 }
 function renderMarkdown(data, days, repoSlug) {
-  return vendor.stripIndents`
+  return vendor.html`
 # Socket Alert Analytics
 
 These are the Socket.dev stats are analytics for the ${repoSlug ? `${repoSlug} repo` : 'org'} of the past ${days} days
@@ -387,7 +387,7 @@ ${[
   ]
 ]
   .map(
-    ([title, table]) => vendor.stripIndents`
+    ([title, table]) => vendor.html`
 ## ${title}
 
 ${table}
@@ -900,7 +900,7 @@ function emitBanner(name) {
   logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-  const cliVersion = '0.14.102:51e000d:d5838d89:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  const cliVersion = '0.14.104:da4a527:c0794558:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
   const nodeVersion = process$1.version
   const apiToken = shadowNpmInject.getDefaultToken()
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no'
@@ -923,8 +923,8 @@ function getAsciiHeader(command) {
   return `   ${body}\n`
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$H } = constants
-const config$K = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$I } = constants
+const config$L = {
   commandName: 'analytics',
   description: `Look up analytics data`,
   hidden: false,
@@ -979,14 +979,14 @@ const config$K = {
   `
 }
 const cmdAnalytics = {
-  description: config$K.description,
-  hidden: config$K.hidden,
-  run: run$K
+  description: config$L.description,
+  hidden: config$L.hidden,
+  run: run$L
 }
-async function run$K(argv, importMeta, { parentName }) {
+async function run$L(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$K,
+    config: config$L,
     importMeta,
     parentName
   })
@@ -1041,7 +1041,7 @@ async function run$K(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$H)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$I)
     return
   }
   assert(assertScope(scope))
@@ -1216,8 +1216,8 @@ async function handleAuditLog({ logType, orgSlug, outputKind, page, perPage }) {
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$G } = constants
-const config$J = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$H } = constants
+const config$K = {
   commandName: 'audit-log',
   description: 'Look up the audit log for an organization',
   hidden: false,
@@ -1262,14 +1262,14 @@ const config$J = {
   `
 }
 const cmdAuditLog = {
-  description: config$J.description,
-  hidden: config$J.hidden,
-  run: run$J
+  description: config$K.description,
+  hidden: config$K.hidden,
+  run: run$K
 }
-async function run$J(argv, importMeta, { parentName }) {
+async function run$K(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$J,
+    config: config$K,
     importMeta,
     parentName
   })
@@ -1306,7 +1306,7 @@ async function run$J(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$G)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$H)
     return
   }
   await handleAuditLog({
@@ -1322,7 +1322,7 @@ const {
   NPM: NPM$g,
   NPX: NPX$3,
   PACKAGE_LOCK_JSON,
-  PNPM: PNPM$b,
+  PNPM: PNPM$a,
   YARN: YARN$1,
   YARN_LOCK
 } = constants
@@ -1331,7 +1331,7 @@ const nodejsPlatformTypes = new Set([
   'js',
   'nodejs',
   NPM$g,
-  PNPM$b,
+  PNPM$a,
   'ts',
   'tsx',
   'typescript'
@@ -1346,9 +1346,9 @@ async function runCycloneDX(yargvWithYes) {
   if (
     yargv.type !== YARN$1 &&
     nodejsPlatformTypes.has(yargv.type) &&
-    require$$0.existsSync(`./${YARN_LOCK}`)
+    fs$1.existsSync(`./${YARN_LOCK}`)
   ) {
-    if (require$$0.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
+    if (fs$1.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
       yargv.type = NPM$g
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
@@ -1369,16 +1369,16 @@ async function runCycloneDX(yargvWithYes) {
   await shadowBin(NPX$3, [
     ...yesArgs,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']".
-    `@cyclonedx/cdxgen@${'11.2.3'}`,
+    `@cyclonedx/cdxgen@${'11.2.4'}`,
     ...argvToArray(yargv)
   ])
   if (cleanupPackageLock) {
     try {
-      await require$$0.promises.rm(`./${PACKAGE_LOCK_JSON}`)
+      await fs$1.promises.rm(`./${PACKAGE_LOCK_JSON}`)
     } catch {}
   }
   const fullOutputPath = path$1.join(process$1.cwd(), yargv.output)
-  if (require$$0.existsSync(fullOutputPath)) {
+  if (fs$1.existsSync(fullOutputPath)) {
     logger.logger.log(
       vendor.yoctocolorsCjsExports.cyanBright(`${yargv.output} created!`)
     )
@@ -1436,7 +1436,7 @@ function isHelpFlag(cmdArg) {
 }
 
 // import { meowOrExit } from '../../utils/meow-with-subcommands'
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$F } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$G } = constants
 
 // TODO: convert yargs to meow. Or convert all the other things to yargs.
 const toLower = arg => arg.toLowerCase()
@@ -1552,7 +1552,7 @@ const yargsConfig = {
     'spec-version'
   ]
 }
-const config$I = {
+const config$J = {
   commandName: 'cdxgen',
   description: 'Create an SBOM with CycloneDX generator (cdxgen)',
   hidden: false,
@@ -1568,16 +1568,16 @@ const config$I = {
   `
 }
 const cmdCdxgen = {
-  description: config$I.description,
-  hidden: config$I.hidden,
-  run: run$I
+  description: config$J.description,
+  hidden: config$J.hidden,
+  run: run$J
 }
-async function run$I(argv, importMeta, { parentName }) {
+async function run$J(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     // Don't let meow take over --help.
     argv: argv.filter(a => !isHelpFlag(a)),
-    config: config$I,
+    config: config$J,
     importMeta,
     parentName
   })
@@ -1599,7 +1599,7 @@ async function run$I(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$F)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$G)
     return
   }
   if (yargv.output === undefined) {
@@ -2447,8 +2447,8 @@ async function handleCI() {
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$E } = constants
-const config$H = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$F } = constants
+const config$I = {
   commandName: 'ci',
   description:
     'Create a new scan and report whether it passes your security policy',
@@ -2468,19 +2468,19 @@ const config$H = {
   `
 }
 const cmdCI = {
-  description: config$H.description,
-  hidden: config$H.hidden,
-  run: run$H
+  description: config$I.description,
+  hidden: config$I.hidden,
+  run: run$I
 }
-async function run$H(argv, importMeta, { parentName }) {
+async function run$I(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$H,
+    config: config$I,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$E)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$F)
     return
   }
   await handleCI()
@@ -2727,8 +2727,8 @@ async function handleConfigAuto({ key, outputKind }) {
   await outputConfigAuto(key, result, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$D } = constants
-const config$G = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$E } = constants
+const config$H = {
   commandName: 'auto',
   description: 'Automatically discover and set the correct value config item',
   hidden: false,
@@ -2759,14 +2759,14 @@ ${Array.from(shadowNpmInject.supportedConfigKeys.entries())
   `
 }
 const cmdConfigAuto = {
-  description: config$G.description,
-  hidden: config$G.hidden,
-  run: run$G
+  description: config$H.description,
+  hidden: config$H.hidden,
+  run: run$H
 }
-async function run$G(argv, importMeta, { parentName }) {
+async function run$H(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$G,
+    config: config$H,
     importMeta,
     parentName
   })
@@ -2792,7 +2792,7 @@ async function run$G(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$D)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$E)
     return
   }
   await handleConfigAuto({
@@ -2846,8 +2846,8 @@ async function handleConfigGet({ key, outputKind }) {
   await outputConfigGet(key, value, readOnly, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$C } = constants
-const config$F = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$D } = constants
+const config$G = {
   commandName: 'get',
   description: 'Get the value of a local CLI config item',
   hidden: false,
@@ -2873,14 +2873,14 @@ ${Array.from(shadowNpmInject.supportedConfigKeys.entries())
   `
 }
 const cmdConfigGet = {
-  description: config$F.description,
-  hidden: config$F.hidden,
-  run: run$F
+  description: config$G.description,
+  hidden: config$G.hidden,
+  run: run$G
 }
-async function run$F(argv, importMeta, { parentName }) {
+async function run$G(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$F,
+    config: config$G,
     importMeta,
     parentName
   })
@@ -2906,7 +2906,7 @@ async function run$F(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$C)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$D)
     return
   }
   await handleConfigGet({
@@ -2968,8 +2968,8 @@ async function outputConfigList({ full, outputKind }) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$B } = constants
-const config$E = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$C } = constants
+const config$F = {
   commandName: 'list',
   description: 'Show all local CLI config items and their values',
   hidden: false,
@@ -3000,14 +3000,14 @@ ${Array.from(shadowNpmInject.supportedConfigKeys.entries())
   `
 }
 const cmdConfigList = {
-  description: config$E.description,
-  hidden: config$E.hidden,
-  run: run$E
+  description: config$F.description,
+  hidden: config$F.hidden,
+  run: run$F
 }
-async function run$E(argv, importMeta, { parentName }) {
+async function run$F(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$E,
+    config: config$F,
     importMeta,
     parentName
   })
@@ -3024,7 +3024,7 @@ async function run$E(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$B)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$C)
     return
   }
   await outputConfigList({
@@ -3069,8 +3069,8 @@ async function handleConfigSet({ key, outputKind, value }) {
   await outputConfigSet(key, value, readOnly, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$A } = constants
-const config$D = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$B } = constants
+const config$E = {
   commandName: 'set',
   description: 'Update the value of a local CLI config item',
   hidden: false,
@@ -3101,14 +3101,14 @@ ${Array.from(shadowNpmInject.supportedConfigKeys.entries())
   `
 }
 const cmdConfigSet = {
-  description: config$D.description,
-  hidden: config$D.hidden,
-  run: run$D
+  description: config$E.description,
+  hidden: config$E.hidden,
+  run: run$E
 }
-async function run$D(argv, importMeta, { parentName }) {
+async function run$E(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$D,
+    config: config$E,
     importMeta,
     parentName
   })
@@ -3143,7 +3143,7 @@ async function run$D(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$A)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$B)
     return
   }
   await handleConfigSet({
@@ -3175,8 +3175,8 @@ async function handleConfigUnset({ key, outputKind }) {
   await outputConfigUnset(key, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$z } = constants
-const config$C = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$A } = constants
+const config$D = {
   commandName: 'unset',
   description: 'Clear the value of a local CLI config item',
   hidden: false,
@@ -3202,14 +3202,14 @@ ${Array.from(shadowNpmInject.supportedConfigKeys.entries())
   `
 }
 const cmdConfigUnset = {
-  description: config$C.description,
-  hidden: config$C.hidden,
-  run: run$C
+  description: config$D.description,
+  hidden: config$D.hidden,
+  run: run$D
 }
-async function run$C(argv, importMeta, { parentName }) {
+async function run$D(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$C,
+    config: config$D,
     importMeta,
     parentName
   })
@@ -3235,7 +3235,7 @@ async function run$C(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$z)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$A)
     return
   }
   await handleConfigUnset({
@@ -3362,8 +3362,8 @@ async function handleDependencies({ limit, offset, outputKind }) {
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$y } = constants
-const config$B = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$z } = constants
+const config$C = {
   commandName: 'dependencies',
   description:
     'Search for any dependency that is being used in your organization',
@@ -3400,14 +3400,14 @@ const config$B = {
   `
 }
 const cmdScanCreate$1 = {
-  description: config$B.description,
-  hidden: config$B.hidden,
-  run: run$B
+  description: config$C.description,
+  hidden: config$C.hidden,
+  run: run$C
 }
-async function run$B(argv, importMeta, { parentName }) {
+async function run$C(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$B,
+    config: config$C,
     importMeta,
     parentName
   })
@@ -3435,7 +3435,7 @@ async function run$B(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$y)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$z)
     return
   }
   await handleDependencies({
@@ -3445,7 +3445,7 @@ async function run$B(argv, importMeta, { parentName }) {
   })
 }
 
-async function fetchDiffScan({ after, before, orgSlug }) {
+async function fetchDiffScan$1({ after, before, orgSlug }) {
   const apiToken = shadowNpmInject.getDefaultToken()
 
   // Lazily access constants.spinner.
@@ -3468,7 +3468,7 @@ async function fetchDiffScan({ after, before, orgSlug }) {
   return result
 }
 
-async function outputDiffScan(result, { depth, file, outputKind }) {
+async function outputDiffScan$1(result, { depth, file, outputKind }) {
   const dashboardUrl = result.diff_report_url
   const dashboardMessage = dashboardUrl
     ? `\n View this diff scan in the Socket dashboard: ${vendor.yoctocolorsCjsExports.cyan(dashboardUrl)}`
@@ -3490,7 +3490,7 @@ async function outputDiffScan(result, { depth, file, outputKind }) {
     }
     if (file && file !== '-') {
       logger.logger.log(`Writing json to \`${file}\``)
-      require$$0.writeFile(file, JSON.stringify(result, null, 2), err => {
+      fs$1.writeFile(file, JSON.stringify(result, null, 2), err => {
         if (err) {
           logger.logger.fail(`Writing to \`${file}\` failed...`)
           logger.logger.error(err)
@@ -3513,7 +3513,7 @@ async function outputDiffScan(result, { depth, file, outputKind }) {
 
   logger.logger.log('Diff scan result:')
   logger.logger.log(
-    require$$0$1.inspect(result, {
+    require$$0.inspect(result, {
       showHidden: false,
       depth: depth > 0 ? depth : null,
       colors: true,
@@ -3526,7 +3526,7 @@ async function outputDiffScan(result, { depth, file, outputKind }) {
   logger.logger.log(dashboardMessage)
 }
 
-async function handleDiffScan({
+async function handleDiffScan$1({
   after,
   before,
   depth,
@@ -3534,7 +3534,7 @@ async function handleDiffScan({
   orgSlug,
   outputKind
 }) {
-  const data = await fetchDiffScan({
+  const data = await fetchDiffScan$1({
     after,
     before,
     orgSlug
@@ -3542,15 +3542,15 @@ async function handleDiffScan({
   if (!data) {
     return
   }
-  await outputDiffScan(data, {
+  await outputDiffScan$1(data, {
     depth,
     file,
     outputKind
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$x } = constants
-const config$A = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$y } = constants
+const config$B = {
   commandName: 'get',
   description: 'Get a diff scan for an organization',
   hidden: false,
@@ -3609,14 +3609,14 @@ const config$A = {
   `
 }
 const cmdDiffScanGet = {
-  description: config$A.description,
-  hidden: config$A.hidden,
-  run: run$A
+  description: config$B.description,
+  hidden: config$B.hidden,
+  run: run$B
 }
-async function run$A(argv, importMeta, { parentName }) {
+async function run$B(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$A,
+    config: config$B,
     importMeta,
     parentName
   })
@@ -3664,11 +3664,14 @@ async function run$A(argv, importMeta, { parentName }) {
   if (wasBadInput) {
     return
   }
+  logger.logger.fail(
+    'Warning: this command is deprecated in favor of `socket scan diff` and will be removed in the next major bump.'
+  )
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$x)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$y)
     return
   }
-  await handleDiffScan({
+  await handleDiffScan$1({
     before: String(before || ''),
     after: String(after || ''),
     depth: Number(depth),
@@ -3708,7 +3711,45 @@ function formatBranchName(str) {
 function getPkgNameFromPurlObj(purlObj) {
   return `${purlObj.namespace ? `${purlObj.namespace}/` : ''}${purlObj.name}`
 }
-async function branchExists(branch, cwd = process.cwd()) {
+function getBaseGitBranch() {
+  // Lazily access constants.ENV[GITHUB_REF_NAME].
+  return (
+    constants.ENV[GITHUB_REF_NAME] ??
+    // GitHub defaults to branch name "main"
+    // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
+    'main'
+  )
+}
+function getSocketBranchName(purl, newVersion, workspaceName) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const maybeWorkspaceName = workspaceName
+    ? `${formatBranchName(workspaceName)}-`
+    : ''
+  const maybeNamespace = purlObj.namespace
+    ? `${formatBranchName(purlObj.namespace)}-`
+    : ''
+  const fullName = `${maybeWorkspaceName}${maybeNamespace}${formatBranchName(purlObj.name)}`
+  return `socket-fix-${fullName}-${formatBranchName(newVersion)}`
+}
+function getSocketPullRequestTitle(purl, newVersion, workspaceName) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const pkgName = getPkgNameFromPurlObj(purlObj)
+  const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
+  return `Bump ${pkgName} from ${purlObj.version} to ${newVersion}${workspaceDetails}`
+}
+function getSocketPullRequestBody(purl, newVersion, workspaceName) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const pkgName = getPkgNameFromPurlObj(purlObj)
+  const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
+  return `Bumps [${pkgName}](https://socket.dev/${purlObj.type}/package/${pkgName}) from ${purlObj.version} to ${newVersion}${workspaceDetails}.`
+}
+function getSocketCommitMessage(purl, newVersion, workspaceName) {
+  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const pkgName = getPkgNameFromPurlObj(purlObj)
+  const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
+  return `socket: Bump ${pkgName} from ${purlObj.version} to ${newVersion}${workspaceDetails}`
+}
+async function gitBranchExists(branch, cwd = process.cwd()) {
   try {
     await spawn.spawn(
       'git',
@@ -3722,8 +3763,12 @@ async function branchExists(branch, cwd = process.cwd()) {
   } catch {}
   return false
 }
-async function checkoutBaseBranchIfAvailable(baseBranch, cwd = process.cwd()) {
+async function gitCheckoutBaseBranchIfAvailable(
+  baseBranch,
+  cwd = process.cwd()
+) {
   try {
+    await gitHardReset()
     await spawn.spawn('git', ['fetch', '--depth=1', 'origin', baseBranch], {
       cwd
     })
@@ -3741,12 +3786,12 @@ async function checkoutBaseBranchIfAvailable(baseBranch, cwd = process.cwd()) {
     debug.debugLog(e)
   }
 }
-async function createAndPushBranchIfNeeded(
+async function gitCreateAndPushBranchIfNeeded(
   branch,
   commitMsg,
   cwd = process.cwd()
 ) {
-  if (await branchExists(branch, cwd)) {
+  if (await gitBranchExists(branch, cwd)) {
     logger.logger.warn(`Branch "${branch}" already exists. Skipping creation.`)
     return false
   }
@@ -3764,37 +3809,20 @@ async function createAndPushBranchIfNeeded(
   })
   return true
 }
-function getBaseBranch() {
-  // Lazily access constants.ENV[GITHUB_REF_NAME].
-  return (
-    constants.ENV[GITHUB_REF_NAME] ??
-    // GitHub defaults to branch name "main"
-    // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
-    'main'
-  )
-}
-function getSocketBranchName(purl, toVersion) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
-  const namespace = formatBranchName(purlObj.namespace ?? '')
-  const name = formatBranchName(purlObj.name)
-  const version = formatBranchName(toVersion)
-  const fullName = `${namespace ? `${namespace}-` : ''}${name}`
-  return `socket-fix-${fullName}-${version}`
-}
-function getSocketPullRequestTitle(purl, toVersion) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
-  const pkgName = getPkgNameFromPurlObj(purlObj)
-  return `Bump ${pkgName} from ${purlObj.version} to ${toVersion}`
-}
-function getSocketPullRequestBody(purl, toVersion) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
-  const pkgName = getPkgNameFromPurlObj(purlObj)
-  return `Bumps [${pkgName}](https://socket.dev/${purlObj.type}/package/${pkgName}) from ${purlObj.version} to ${toVersion}.`
+async function gitHardReset(cwd = process.cwd()) {
+  await spawn.spawn('git', ['reset', '--hard'], {
+    cwd
+  })
 }
-function getSocketCommitMessage(purl, toVersion) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
-  const pkgName = getPkgNameFromPurlObj(purlObj)
-  return `socket: Bump ${pkgName} from ${purlObj.version} to ${toVersion}`
+async function isInGitRepo(cwd = process.cwd()) {
+  try {
+    await spawn.spawn('git', ['rev-parse', '--is-inside-work-tree'], {
+      cwd,
+      stdio: 'ignore'
+    })
+    return true
+  } catch {}
+  return false
 }
 
 const { GITHUB_ACTIONS, GITHUB_REPOSITORY, SOCKET_SECURITY_GITHUB_PAT } =
@@ -3835,7 +3863,7 @@ async function enableAutoMerge({ node_id: prId, number: prNumber }) {
   const octokitGraphql = getOctokitGraphql()
   try {
     await octokitGraphql(
-      `
+      vendor.html`
       mutation EnableAutoMerge($pullRequestId: ID!) {
         enablePullRequestAutoMerge(input: {
           pullRequestId: $pullRequestId,
@@ -3859,7 +3887,9 @@ async function enableAutoMerge({ node_id: prId, number: prNumber }) {
   } catch (e) {
     let message = `Failed to enable auto-merge for PR #${prNumber}`
     if (e instanceof vendor.GraphqlResponseError && e.errors) {
-      const details = e.errors.map(({ message }) => ` - ${message}`).join('\n')
+      const details = e.errors
+        .map(({ message }) => ` - ${message.trim()}`)
+        .join('\n')
       message += `:\n${details}`
     }
     logger.logger.error(message)
@@ -3884,9 +3914,13 @@ async function openGitHubPullRequest(
   baseBranch,
   branch,
   purl,
-  toVersion,
-  cwd = process.cwd()
+  newVersion,
+  options
 ) {
+  const { cwd = process.cwd(), workspaceName } = {
+    __proto__: null,
+    ...options
+  }
   // Lazily access constants.ENV[GITHUB_ACTIONS].
   if (constants.ENV[GITHUB_ACTIONS]) {
     // Lazily access constants.ENV[SOCKET_SECURITY_GITHUB_PAT].
@@ -3903,10 +3937,10 @@ async function openGitHubPullRequest(
       return await octokit.pulls.create({
         owner,
         repo,
-        title: getSocketPullRequestTitle(purl, toVersion),
+        title: getSocketPullRequestTitle(purl, newVersion, workspaceName),
         head: branch,
         base: baseBranch,
-        body: getSocketPullRequestBody(purl, toVersion)
+        body: getSocketPullRequestBody(purl, newVersion, workspaceName)
       })
     } catch (e) {
       let message = `Failed to open pull request`
@@ -3916,7 +3950,7 @@ async function openGitHubPullRequest(
           const details = restErrors
             .map(
               restErr =>
-                `- ${restErr.message ?? `${restErr.resource}.${restErr.field} (${restErr.code})`}`
+                `- ${restErr.message?.trim() ?? `${restErr.resource}.${restErr.field} (${restErr.code})`}`
             )
             .join('\n')
           message += `:\n${details}`
@@ -3942,17 +3976,17 @@ async function install$1(idealTree, options) {
   await arb2.reify()
 }
 async function npmFix(
-  _pkgEnvDetails,
-  { autoMerge, cwd, rangeStyle, spinner, test, testScript }
+  pkgEnvDetails,
+  { autoMerge, cwd, purls, rangeStyle, spinner, test, testScript }
 ) {
   spinner?.start()
   const arb = new shadowNpmInject.SafeArborist({
-    path: cwd,
+    path: pkgEnvDetails.pkgPath,
     ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
   })
   // Calling arb.reify() creates the arb.diff object and nulls-out arb.idealTree.
   await arb.reify()
-  const alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, {
+  const alertMapOptions = {
     consolidate: true,
     include: {
       existing: true,
@@ -3960,17 +3994,27 @@ async function npmFix(
       upgradable: false
     },
     nothrow: true
-  })
+  }
+  const alertsMap = purls.length
+    ? await shadowNpmInject.getAlertsMapFromPurls(purls, alertMapOptions)
+    : await shadowNpmInject.getAlertsMapFromArborist(arb, alertMapOptions)
   const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
   if (!infoByPkg) {
     spinner?.stop()
     return
   }
-  const editablePkgJson = await packages.readPackageJson(cwd, {
-    editable: true
-  })
+
   // Lazily access constants.ENV[CI].
   const isCi = constants.ENV[CI$1]
+  const { pkgPath: rootPath } = pkgEnvDetails
+  const { 0: isRepo, 1: workspacePkgJsonPaths } = await Promise.all([
+    isInGitRepo(cwd),
+    shadowNpmPaths.globWorkspace(pkgEnvDetails)
+  ])
+  const pkgJsonPaths = [
+    pkgEnvDetails.editablePkgJson.filename,
+    ...workspacePkgJsonPaths
+  ]
   await arb.buildIdealTree()
   for (const { 0: name, 1: infos } of infoByPkg) {
     const hasUpgrade = !!registry.getManifestData(NPM$f, name)
@@ -3978,25 +4022,26 @@ async function npmFix(
       spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
       continue
     }
-    const specs = arrays.arrayUnique(
-      shadowNpmInject
-        .findPackageNodes(arb.idealTree, name)
-        .map(n => `${n.name}@${n.version}`)
+    const oldVersions = arrays.arrayUnique(
+      shadowNpmInject.findPackageNodes(arb.idealTree, name).map(n => n.version)
     )
     const packument =
-      specs.length && infos.length
+      oldVersions.length && infos.length
         ? // eslint-disable-next-line no-await-in-loop
           await packages.fetchPackagePackument(name)
         : null
     if (!packument) {
       continue
     }
-    for (const spec of specs) {
-      const lastAtSignIndex = spec.lastIndexOf('@')
-      const name = spec.slice(0, lastAtSignIndex)
-      const fromVersion = spec.slice(lastAtSignIndex + 1)
-      const fromSpec = `${name}@${fromVersion}`
-      const fromPurl = `pkg:npm/${fromSpec}`
+    const failedSpecs = new Set()
+    const fixedSpecs = new Set()
+    const installedSpecs = new Set()
+    const testedSpecs = new Set()
+    const unavailableSpecs = new Set()
+    const revertedSpecs = new Set()
+    for (const oldVersion of oldVersions) {
+      const oldSpec = `${name}@${oldVersion}`
+      const oldPurl = `pkg:npm/${oldSpec}`
       for (const {
         firstPatchedVersionIdentifier,
         vulnerableVersionRange
@@ -4008,7 +4053,7 @@ async function npmFix(
         const node = shadowNpmInject.findPackageNode(
           arb.idealTree,
           name,
-          fromVersion
+          oldVersion
         )
         if (!node) {
           continue
@@ -4016,124 +4061,170 @@ async function npmFix(
         if (
           !shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
         ) {
-          spinner?.fail(`Could not patch ${fromSpec}`)
+          if (!unavailableSpecs.has(oldSpec)) {
+            unavailableSpecs.add(oldSpec)
+            spinner?.fail(`No update available for ${oldSpec}`)
+          }
           continue
         }
-        const toVersion = node.package.version
-        const toVersionRange = shadowNpmInject.applyRange(
-          fromVersion,
-          toVersion,
-          rangeStyle
-        )
-        const toSpec = `${name}@${toVersionRange}`
-        const branch = isCi ? getSocketBranchName(fromPurl, toVersion) : ''
-        const { owner, repo } = isCi
-          ? getGitHubEnvRepoInfo()
-          : {
-              owner: '',
-              repo: ''
-            }
-        const shouldOpenPr = isCi
-          ? // eslint-disable-next-line no-await-in-loop
-            !(await doesPullRequestExistForBranch(owner, repo, branch))
-          : false
-        const revertData = {
-          ...(editablePkgJson.content.dependencies
-            ? {
-                dependencies: editablePkgJson.content.dependencies
-              }
-            : undefined),
-          ...(editablePkgJson.content.optionalDependencies
-            ? {
-                optionalDependencies:
-                  editablePkgJson.content.optionalDependencies
-              }
-            : undefined),
-          ...(editablePkgJson.content.peerDependencies
-            ? {
-                peerDependencies: editablePkgJson.content.peerDependencies
-              }
-            : undefined)
-        }
-        spinner?.info(`Installing ${toSpec}`)
-        const baseBranch = getBaseBranch()
-
-        // eslint-disable-next-line no-await-in-loop
-        await checkoutBaseBranchIfAvailable(baseBranch, cwd)
-        let error
-        let errored = false
-        let installed = false
-        let saved = false
-        try {
-          shadowNpmInject.updatePackageJsonFromNode(
-            editablePkgJson,
-            arb.idealTree,
-            node,
-            toVersion,
+        for (const pkgJsonPath of pkgJsonPaths) {
+          const isWorkspaceRoot =
+            pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
+          const workspaceName = isWorkspaceRoot
+            ? ''
+            : path$1.relative(rootPath, path$1.dirname(pkgJsonPath))
+          const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
+          const editablePkgJson = isWorkspaceRoot
+            ? pkgEnvDetails.editablePkgJson
+            : // eslint-disable-next-line no-await-in-loop
+              await packages.readPackageJson(pkgJsonPath, {
+                editable: true
+              })
+          const newVersion = node.package.version
+          const newVersionRange = shadowNpmInject.applyRange(
+            oldVersion,
+            newVersion,
             rangeStyle
           )
-          // eslint-disable-next-line no-await-in-loop
-          await editablePkgJson.save()
-          saved = true
-
-          // eslint-disable-next-line no-await-in-loop
-          await install$1(arb.idealTree, {
-            cwd
-          })
-          installed = true
-          if (test) {
-            spinner?.info(`Testing ${toSpec}`)
-            // eslint-disable-next-line no-await-in-loop
-            await npm.runScript(testScript, [], {
-              spinner,
-              stdio: 'ignore'
-            })
+          const newSpec = `${name}@${newVersionRange}`
+          const newSpecKey = `${workspaceName ? `${workspaceName}>` : ''}${newSpec}`
+          const branch = isCi
+            ? getSocketBranchName(oldPurl, newVersion, workspaceName)
+            : ''
+          const { owner, repo } = isCi
+            ? getGitHubEnvRepoInfo()
+            : {
+                owner: '',
+                repo: ''
+              }
+          const shouldOpenPr = isCi
+            ? // eslint-disable-next-line no-await-in-loop
+              !(await doesPullRequestExistForBranch(owner, repo, branch))
+            : false
+          const revertData = {
+            ...(editablePkgJson.content.dependencies
+              ? {
+                  dependencies: editablePkgJson.content.dependencies
+                }
+              : undefined),
+            ...(editablePkgJson.content.optionalDependencies
+              ? {
+                  optionalDependencies:
+                    editablePkgJson.content.optionalDependencies
+                }
+              : undefined),
+            ...(editablePkgJson.content.peerDependencies
+              ? {
+                  peerDependencies: editablePkgJson.content.peerDependencies
+                }
+              : undefined)
           }
-          spinner?.successAndStop(`Fixed ${name}`)
-          spinner?.start()
-        } catch (e) {
-          error = e
-          errored = true
-        }
-        if (!errored && shouldOpenPr) {
-          // eslint-disable-next-line no-await-in-loop
-          await createAndPushBranchIfNeeded(
-            branch,
-            getSocketCommitMessage(fromPurl, toVersion),
-            cwd
-          )
+          if (!installedSpecs.has(newSpecKey)) {
+            testedSpecs.add(newSpecKey)
+            spinner?.info(`Installing ${newSpec}${workspaceDetails}`)
+          }
+          const baseBranch = getBaseGitBranch()
+
           // eslint-disable-next-line no-await-in-loop
-          const prResponse = await openGitHubPullRequest(
-            owner,
-            repo,
-            baseBranch,
-            branch,
-            fromPurl,
-            toVersion,
-            cwd
-          )
-          if (prResponse && autoMerge) {
+          await gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)
+          let error
+          let errored = false
+          let installed = false
+          let saved = false
+          try {
+            shadowNpmInject.updatePackageJsonFromNode(
+              editablePkgJson,
+              arb.idealTree,
+              node,
+              newVersion,
+              rangeStyle
+            )
             // eslint-disable-next-line no-await-in-loop
-            await enableAutoMerge(prResponse.data)
-          }
-        }
-        if (errored || isCi) {
-          if (errored) {
-            spinner?.error(`Reverting ${toSpec}`, error)
-          }
-          if (saved) {
-            editablePkgJson.update(revertData)
+            if (await editablePkgJson.save()) {
+              saved = true
+            }
             // eslint-disable-next-line no-await-in-loop
-            await editablePkgJson.save()
+            await install$1(arb.idealTree, {
+              cwd
+            })
+            installed = true
+            if (test) {
+              if (!testedSpecs.has(newSpecKey)) {
+                testedSpecs.add(newSpecKey)
+                spinner?.info(`Testing ${newSpec}${workspaceDetails}`)
+              }
+              // eslint-disable-next-line no-await-in-loop
+              await npm.runScript(testScript, [], {
+                spinner,
+                stdio: 'ignore'
+              })
+            }
+            if (!fixedSpecs.has(newSpecKey)) {
+              fixedSpecs.add(newSpecKey)
+              spinner?.successAndStop(`Fixed ${name}${workspaceDetails}`)
+              spinner?.start()
+            }
+          } catch (e) {
+            error = e
+            errored = true
           }
-          if (installed) {
+          if (!errored && shouldOpenPr) {
             // eslint-disable-next-line no-await-in-loop
-            await install$1(revertTree, {
+            await gitCreateAndPushBranchIfNeeded(
+              branch,
+              getSocketCommitMessage(oldPurl, newVersion, workspaceName),
               cwd
-            })
+            )
+            // eslint-disable-next-line no-await-in-loop
+            const prResponse = await openGitHubPullRequest(
+              owner,
+              repo,
+              baseBranch,
+              branch,
+              oldPurl,
+              newVersion,
+              {
+                cwd,
+                workspaceName
+              }
+            )
+            if (prResponse && autoMerge) {
+              // eslint-disable-next-line no-await-in-loop
+              await enableAutoMerge(prResponse.data)
+            }
           }
-          if (errored) {
-            spinner?.failAndStop(`Failed to fix ${fromSpec}`)
+          if (errored || isCi) {
+            if (errored) {
+              if (!revertedSpecs.has(newSpecKey)) {
+                revertedSpecs.add(newSpecKey)
+                spinner?.error(`Reverting ${newSpec}${workspaceDetails}`, error)
+              }
+            }
+            if (isRepo) {
+              // eslint-disable-next-line no-await-in-loop
+              await gitHardReset(cwd)
+            }
+            if (saved) {
+              editablePkgJson.update(revertData)
+              if (!isRepo) {
+                // eslint-disable-next-line no-await-in-loop
+                await editablePkgJson.save()
+              }
+            }
+            if (!isRepo && installed) {
+              // eslint-disable-next-line no-await-in-loop
+              await install$1(revertTree, {
+                cwd
+              })
+            }
+            if (errored) {
+              if (!failedSpecs.has(newSpecKey)) {
+                failedSpecs.add(newSpecKey)
+                spinner?.failAndStop(
+                  `Update failed for ${oldSpec}${workspaceDetails}`
+                )
+              }
+            }
           }
         }
       }
@@ -4142,78 +4233,6 @@ async function npmFix(
   spinner?.stop()
 }
 
-async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
-  const options = {
-    __proto__: null,
-    consolidate: false,
-    nothrow: false,
-    ...options_
-  }
-  const include = {
-    __proto__: null,
-    actions: undefined,
-    blocked: true,
-    critical: true,
-    cve: true,
-    existing: false,
-    unfixable: true,
-    upgradable: false,
-    ...options.include
-  }
-  const { spinner } = options
-  const depTypes = vendor.libExports$2.detectDepTypes(lockfile)
-  const pkgIds = Object.keys(depTypes)
-  let { length: remaining } = pkgIds
-  const alertsByPkgId = new Map()
-  if (!remaining) {
-    return alertsByPkgId
-  }
-  const getText = () => `Looking up data for ${remaining} packages`
-  spinner?.start(getText())
-  const sockSdk = await shadowNpmInject.setupSdk(
-    shadowNpmInject.getPublicToken()
-  )
-  const toAlertsMapOptions = {
-    overrides: lockfile.overrides,
-    consolidate: options.consolidate,
-    include,
-    spinner
-  }
-  for await (const batchResult of sockSdk.batchPackageStream(
-    {
-      alerts: 'true',
-      compact: 'true',
-      fixable: include.unfixable ? 'false' : 'true'
-    },
-    {
-      components: pkgIds.map(id => ({
-        purl: `pkg:npm/${id}`
-      }))
-    }
-  )) {
-    if (batchResult.success) {
-      await shadowNpmInject.addArtifactToAlertsMap(
-        batchResult.data,
-        alertsByPkgId,
-        toAlertsMapOptions
-      )
-    } else if (!options.nothrow) {
-      const statusCode = batchResult.status ?? 'unknown'
-      const statusMessage = batchResult.error ?? 'No status message'
-      throw new Error(
-        `Socket API server error (${statusCode}): ${statusMessage}`
-      )
-    }
-    remaining -= 1
-    if (spinner && remaining > 0) {
-      spinner.start()
-      spinner.setText(getText())
-    }
-  }
-  spinner?.stop()
-  return alertsByPkgId
-}
-
 const {
   NPM: NPM$e,
   SOCKET_CLI_SAFE_BIN,
@@ -4300,7 +4319,7 @@ function safeNpmInstall(options) {
   return spawnPromise
 }
 
-const { NPM: NPM$d, PNPM: PNPM$a } = constants
+const { NPM: NPM$d, PNPM: PNPM$9 } = constants
 function runAgentInstall(pkgEnvDetails, options) {
   const { agent, agentExecPath } = pkgEnvDetails
   // All package managers support the "install" command.
@@ -4319,7 +4338,7 @@ function runAgentInstall(pkgEnvDetails, options) {
     ...options
   }
   const skipNodeHardenFlags =
-    agent === PNPM$a && pkgEnvDetails.agentVersion.major < 11
+    agent === PNPM$9 && pkgEnvDetails.agentVersion.major < 11
   return spawn.spawn(agentExecPath, ['install', ...args], {
     spinner,
     stdio: 'inherit',
@@ -4339,7 +4358,7 @@ function runAgentInstall(pkgEnvDetails, options) {
   })
 }
 
-const { CI, NPM: NPM$c, OVERRIDES: OVERRIDES$2, PNPM: PNPM$9 } = constants
+const { CI, NPM: NPM$c, OVERRIDES: OVERRIDES$2, PNPM: PNPM$8 } = constants
 async function getActualTree(cwd = process.cwd()) {
   const arb = new shadowNpmInject.SafeArborist({
     path: cwd,
@@ -4361,15 +4380,18 @@ async function install(pkgEnvDetails, options) {
 }
 async function pnpmFix(
   pkgEnvDetails,
-  { autoMerge, cwd, rangeStyle, spinner, test, testScript }
+  { autoMerge, cwd, purls, rangeStyle, spinner, test, testScript }
 ) {
-  const lockfile = await vendor.libExports$3.readWantedLockfile(cwd, {
-    ignoreIncompatible: false
-  })
+  const lockfile = await vendor.libExports$3.readWantedLockfile(
+    pkgEnvDetails.pkgPath,
+    {
+      ignoreIncompatible: false
+    }
+  )
   if (!lockfile) {
     return
   }
-  const alertsMap = await getAlertsMapFromPnpmLockfile(lockfile, {
+  const alertMapOptions = {
     consolidate: true,
     include: {
       existing: true,
@@ -4377,42 +4399,61 @@ async function pnpmFix(
       upgradable: false
     },
     nothrow: true
-  })
+  }
+  const alertsMap = purls.length
+    ? await shadowNpmInject.getAlertsMapFromPurls(purls, alertMapOptions)
+    : await shadowNpmInject.getAlertsMapFromPnpmLockfile(
+        lockfile,
+        alertMapOptions
+      )
   const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
   if (!infoByPkg) {
     return
   }
   spinner?.start()
-  const editablePkgJson = await packages.readPackageJson(cwd, {
-    editable: true
-  })
+
   // Lazily access constants.ENV[CI].
   const isCi = constants.ENV[CI]
-  let actualTree = await getActualTree(cwd)
+  const { pkgPath: rootPath } = pkgEnvDetails
+  const {
+    0: isRepo,
+    1: workspacePkgJsonPaths,
+    2: initialTree
+  } = await Promise.all([
+    isInGitRepo(cwd),
+    shadowNpmPaths.globWorkspace(pkgEnvDetails),
+    getActualTree(cwd)
+  ])
+  const pkgJsonPaths = [
+    pkgEnvDetails.editablePkgJson.filename,
+    ...workspacePkgJsonPaths
+  ]
+  let actualTree = initialTree
   for (const { 0: name, 1: infos } of infoByPkg) {
     if (registry.getManifestData(NPM$c, name)) {
       spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
       continue
     }
-    const specs = arrays.arrayUnique(
-      shadowNpmInject
-        .findPackageNodes(actualTree, name)
-        .map(n => `${n.name}@${n.version}`)
+    const oldVersions = arrays.arrayUnique(
+      shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version)
     )
     const packument =
-      specs.length && infos.length
+      oldVersions.length && infos.length
         ? // eslint-disable-next-line no-await-in-loop
           await packages.fetchPackagePackument(name)
         : null
     if (!packument) {
       continue
     }
-    for (const spec of specs) {
-      const lastAtSignIndex = spec.lastIndexOf('@')
-      const name = spec.slice(0, lastAtSignIndex)
-      const fromVersion = spec.slice(lastAtSignIndex + 1)
-      const fromSpec = `${name}@${fromVersion}`
-      const fromPurl = `pkg:npm/${fromSpec}`
+    const failedSpecs = new Set()
+    const fixedSpecs = new Set()
+    const installedSpecs = new Set()
+    const testedSpecs = new Set()
+    const unavailableSpecs = new Set()
+    const revertedSpecs = new Set()
+    for (const oldVersion of oldVersions) {
+      const oldSpec = `${name}@${oldVersion}`
+      const oldPurl = `pkg:npm/${oldSpec}`
       for (const {
         firstPatchedVersionIdentifier,
         vulnerableVersionRange
@@ -4420,167 +4461,224 @@ async function pnpmFix(
         const node = shadowNpmInject.findPackageNode(
           actualTree,
           name,
-          fromVersion
+          oldVersion
         )
         if (!node) {
           continue
         }
         const availableVersions = Object.keys(packument.versions)
-        const toVersion = shadowNpmInject.findBestPatchVersion(
+        const newVersion = shadowNpmInject.findBestPatchVersion(
           node,
           availableVersions,
           vulnerableVersionRange
         )
-        const targetPackument = toVersion
-          ? packument.versions[toVersion]
+        const newVersionPackument = newVersion
+          ? packument.versions[newVersion]
           : undefined
-        if (!(toVersion && targetPackument)) {
-          spinner?.fail(`Could not patch ${fromSpec}`)
-          continue
-        }
-        const oldPnpm = editablePkgJson.content[PNPM$9]
-        const oldPnpmKeyCount = oldPnpm ? Object.keys(oldPnpm).length : 0
-        const oldOverrides = oldPnpm?.[OVERRIDES$2]
-        const oldOverridesCount = oldOverrides
-          ? Object.keys(oldOverrides).length
-          : 0
-        const overrideKey = `${name}@${vulnerableVersionRange}`
-        const toVersionRange = shadowNpmInject.applyRange(
-          oldOverrides?.[overrideKey] ?? fromVersion,
-          toVersion,
-          rangeStyle
-        )
-        const toSpec = `${name}@${toVersionRange}`
-        const branch = isCi ? getSocketBranchName(fromPurl, toVersion) : ''
-        const { owner, repo } = isCi
-          ? getGitHubEnvRepoInfo()
-          : {
-              owner: '',
-              repo: ''
-            }
-        const shouldOpenPr = isCi
-          ? // eslint-disable-next-line no-await-in-loop
-            !(await doesPullRequestExistForBranch(owner, repo, branch))
-          : false
-        const updateData = {
-          [PNPM$9]: {
-            ...oldPnpm,
-            [OVERRIDES$2]: {
-              [overrideKey]: toVersionRange,
-              ...oldOverrides
-            }
+        if (!(newVersion && newVersionPackument)) {
+          if (!unavailableSpecs.has(oldSpec)) {
+            unavailableSpecs.add(oldSpec)
+            spinner?.fail(`No update available for ${oldSpec}`)
           }
+          continue
         }
-        const revertData = {
-          [PNPM$9]: oldPnpmKeyCount
-            ? {
-                ...oldPnpm,
-                [OVERRIDES$2]:
-                  oldOverridesCount === 1
-                    ? undefined
-                    : {
-                        [overrideKey]: undefined,
-                        ...oldOverrides
-                      }
-              }
-            : undefined,
-          ...(editablePkgJson.content.dependencies
-            ? {
-                dependencies: editablePkgJson.content.dependencies
-              }
-            : undefined),
-          ...(editablePkgJson.content.optionalDependencies
-            ? {
-                optionalDependencies:
-                  editablePkgJson.content.optionalDependencies
+        for (const pkgJsonPath of pkgJsonPaths) {
+          const isWorkspaceRoot =
+            pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
+          const workspaceName = isWorkspaceRoot
+            ? ''
+            : path$1.relative(rootPath, path$1.dirname(pkgJsonPath))
+          const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
+          const editablePkgJson = isWorkspaceRoot
+            ? pkgEnvDetails.editablePkgJson
+            : // eslint-disable-next-line no-await-in-loop
+              await packages.readPackageJson(pkgJsonPath, {
+                editable: true
+              })
+          const oldPnpm = editablePkgJson.content[PNPM$8]
+          const oldPnpmKeyCount = oldPnpm ? Object.keys(oldPnpm).length : 0
+          const oldOverrides = oldPnpm?.[OVERRIDES$2]
+          const oldOverridesCount = oldOverrides
+            ? Object.keys(oldOverrides).length
+            : 0
+          const overrideKey = `${name}@${vulnerableVersionRange}`
+          const newVersionRange = shadowNpmInject.applyRange(
+            oldOverrides?.[overrideKey] ?? oldVersion,
+            newVersion,
+            rangeStyle
+          )
+          const newSpec = `${name}@${newVersionRange}`
+          const newSpecKey = `${workspaceName ? `${workspaceName}>` : ''}${newSpec}`
+          const branch = isCi
+            ? getSocketBranchName(oldPurl, newVersion, workspaceName)
+            : ''
+          const baseBranch = isCi ? getBaseGitBranch() : ''
+          const { owner, repo } = isCi
+            ? getGitHubEnvRepoInfo()
+            : {
+                owner: '',
+                repo: ''
               }
-            : undefined),
-          ...(editablePkgJson.content.peerDependencies
+          const shouldOpenPr = isCi
+            ? // eslint-disable-next-line no-await-in-loop
+              !(await doesPullRequestExistForBranch(owner, repo, branch))
+            : false
+          const updateData = isWorkspaceRoot
             ? {
-                peerDependencies: editablePkgJson.content.peerDependencies
+                [PNPM$8]: {
+                  ...oldPnpm,
+                  [OVERRIDES$2]: {
+                    [overrideKey]: newVersionRange,
+                    ...oldOverrides
+                  }
+                }
               }
-            : undefined)
-        }
-        spinner?.info(`Installing ${toSpec}`)
-        const baseBranch = getBaseBranch()
-
-        // eslint-disable-next-line no-await-in-loop
-        await checkoutBaseBranchIfAvailable(baseBranch, cwd)
-        let error
-        let errored = false
-        let installed = false
-        let saved = false
-        try {
-          editablePkgJson.update(updateData)
-          shadowNpmInject.updatePackageJsonFromNode(
-            editablePkgJson,
-            actualTree,
-            node,
-            toVersion,
-            rangeStyle
-          )
-          // eslint-disable-next-line no-await-in-loop
-          await editablePkgJson.save()
-          saved = true
-
-          // eslint-disable-next-line no-await-in-loop
-          actualTree = await install(pkgEnvDetails, {
-            spinner
-          })
-          installed = true
-          if (test) {
-            spinner?.info(`Testing ${toSpec}`)
-            // eslint-disable-next-line no-await-in-loop
-            await npm.runScript(testScript, [], {
-              spinner,
-              stdio: 'ignore'
-            })
-          }
-          spinner?.successAndStop(`Fixed ${name}`)
-          spinner?.start()
-        } catch (e) {
-          error = e
-          errored = true
-        }
-        if (!errored && shouldOpenPr) {
-          // eslint-disable-next-line no-await-in-loop
-          await createAndPushBranchIfNeeded(
-            branch,
-            getSocketCommitMessage(fromPurl, toVersion),
-            cwd
-          )
-          // eslint-disable-next-line no-await-in-loop
-          const prResponse = await openGitHubPullRequest(
-            owner,
-            repo,
-            baseBranch,
-            branch,
-            fromPurl,
-            toVersion,
-            cwd
-          )
-          if (prResponse && autoMerge) {
-            // eslint-disable-next-line no-await-in-loop
-            await enableAutoMerge(prResponse.data)
+            : {}
+          const revertData = {
+            ...(isWorkspaceRoot
+              ? {
+                  [PNPM$8]: oldPnpmKeyCount
+                    ? {
+                        ...oldPnpm,
+                        [OVERRIDES$2]:
+                          oldOverridesCount === 1
+                            ? undefined
+                            : {
+                                [overrideKey]: undefined,
+                                ...oldOverrides
+                              }
+                      }
+                    : undefined
+                }
+              : {}),
+            ...(editablePkgJson.content.dependencies
+              ? {
+                  dependencies: editablePkgJson.content.dependencies
+                }
+              : undefined),
+            ...(editablePkgJson.content.optionalDependencies
+              ? {
+                  optionalDependencies:
+                    editablePkgJson.content.optionalDependencies
+                }
+              : undefined),
+            ...(editablePkgJson.content.peerDependencies
+              ? {
+                  peerDependencies: editablePkgJson.content.peerDependencies
+                }
+              : undefined)
           }
-        }
-        if (errored || isCi) {
-          if (errored) {
-            spinner?.error(`Reverting ${toSpec}`, error)
+          if (!installedSpecs.has(newSpecKey)) {
+            installedSpecs.add(newSpecKey)
+            spinner?.info(`Installing ${newSpec}${workspaceDetails}`)
           }
-          if (saved) {
-            editablePkgJson.update(revertData)
+          if (isCi) {
             // eslint-disable-next-line no-await-in-loop
-            await editablePkgJson.save()
+            await gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)
           }
-          if (installed) {
+          let error
+          let errored = false
+          let installed = false
+          let saved = false
+          try {
+            editablePkgJson.update(updateData)
+            shadowNpmInject.updatePackageJsonFromNode(
+              editablePkgJson,
+              actualTree,
+              node,
+              newVersion,
+              rangeStyle
+            )
+            // eslint-disable-next-line no-await-in-loop
+            if (!(await editablePkgJson.save())) {
+              continue
+            }
+            saved = true
             // eslint-disable-next-line no-await-in-loop
             actualTree = await install(pkgEnvDetails, {
               spinner
             })
+            installed = true
+            if (test) {
+              if (!testedSpecs.has(newSpecKey)) {
+                testedSpecs.add(newSpecKey)
+                spinner?.info(`Testing ${newSpec}${workspaceDetails}`)
+              }
+              // eslint-disable-next-line no-await-in-loop
+              await npm.runScript(testScript, [], {
+                spinner,
+                stdio: 'ignore'
+              })
+            }
+            if (!fixedSpecs.has(newSpecKey)) {
+              fixedSpecs.add(newSpecKey)
+              spinner?.successAndStop(`Fixed ${name}${workspaceDetails}`)
+              spinner?.start()
+            }
+          } catch (e) {
+            error = e
+            errored = true
+          }
+          if (!errored && shouldOpenPr) {
+            // eslint-disable-next-line no-await-in-loop
+            await gitCreateAndPushBranchIfNeeded(
+              branch,
+              getSocketCommitMessage(oldPurl, newVersion, workspaceName),
+              cwd
+            )
+            // eslint-disable-next-line no-await-in-loop
+            const prResponse = await openGitHubPullRequest(
+              owner,
+              repo,
+              baseBranch,
+              branch,
+              oldPurl,
+              newVersion,
+              {
+                cwd,
+                workspaceName
+              }
+            )
+            if (prResponse && autoMerge) {
+              // eslint-disable-next-line no-await-in-loop
+              await enableAutoMerge(prResponse.data)
+            }
           }
-          if (errored) {
-            spinner?.failAndStop(`Failed to fix ${fromSpec}`)
+          if (errored || isCi) {
+            if (errored) {
+              if (!revertedSpecs.has(newSpecKey)) {
+                revertedSpecs.add(newSpecKey)
+                spinner?.error(`Reverting ${newSpec}${workspaceDetails}`, error)
+              }
+            }
+            if (isRepo) {
+              // eslint-disable-next-line no-await-in-loop
+              await gitHardReset(cwd)
+            }
+            if (saved) {
+              editablePkgJson.update(revertData)
+              if (!isRepo) {
+                // eslint-disable-next-line no-await-in-loop
+                await editablePkgJson.save()
+              }
+            }
+            if (isRepo) {
+              // eslint-disable-next-line no-await-in-loop
+              actualTree = await getActualTree(cwd)
+            } else if (installed) {
+              // eslint-disable-next-line no-await-in-loop
+              actualTree = await install(pkgEnvDetails, {
+                spinner
+              })
+            }
+            if (errored) {
+              if (!failedSpecs.has(newSpecKey)) {
+                failedSpecs.add(newSpecKey)
+                spinner?.failAndStop(
+                  `Update failed for ${oldSpec}${workspaceDetails}`
+                )
+              }
+            }
           }
         }
       }
@@ -4589,6 +4687,29 @@ async function pnpmFix(
   spinner?.stop()
 }
 
+const CMD_NAME$1 = 'socket fix'
+function assignDefaultFixOptions(options) {
+  if (options.autoPilot === undefined) {
+    options.autoPilot = false
+  }
+  if (options.autoMerge === undefined) {
+    options.autoMerge = !!options.autoPilot
+  }
+  if (options.cwd === undefined) {
+    options.cwd = process.cwd()
+  }
+  if (options.rangeStyle === undefined) {
+    options.rangeStyle = 'preserve'
+  }
+  if (options.test === undefined) {
+    options.test = !!options.autoPilot || !!options.testScript
+  }
+  if (options.testScript === undefined) {
+    options.testScript = 'test'
+  }
+  return options
+}
+
 const {
   BINARY_LOCK_EXT,
   BUN: BUN$5,
@@ -4597,7 +4718,7 @@ const {
   NPM: NPM$b,
   NPM_BUGGY_OVERRIDES_PATCHED_VERSION: NPM_BUGGY_OVERRIDES_PATCHED_VERSION$1,
   PACKAGE_JSON,
-  PNPM: PNPM$8,
+  PNPM: PNPM$7,
   VLT: VLT$5,
   YARN,
   YARN_BERRY: YARN_BERRY$5,
@@ -4606,7 +4727,7 @@ const {
 const AGENTS = new Set([
   BUN$5,
   NPM$b,
-  PNPM$8,
+  PNPM$7,
   YARN_BERRY$5,
   YARN_CLASSIC$6,
   VLT$5
@@ -4614,7 +4735,7 @@ const AGENTS = new Set([
 const binByAgent = new Map([
   [BUN$5, BUN$5],
   [NPM$b, NPM$b],
-  [PNPM$8, PNPM$8],
+  [PNPM$7, PNPM$7],
   [YARN_BERRY$5, YARN],
   [YARN_CLASSIC$6, YARN],
   [VLT$5, VLT$5]
@@ -4622,7 +4743,7 @@ const binByAgent = new Map([
 async function getAgentExecPath(agent) {
   const binName = binByAgent.get(agent)
   return (
-    (await vendor.libExports$1(binName, {
+    (await vendor.libExports$2(binName, {
       nothrow: true
     })) ?? binName
   )
@@ -4656,8 +4777,8 @@ const LOCKS = {
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
   'npm-shrinkwrap.json': NPM$b,
   'package-lock.json': NPM$b,
-  'pnpm-lock.yaml': PNPM$8,
-  'pnpm-lock.yml': PNPM$8,
+  'pnpm-lock.yaml': PNPM$7,
+  'pnpm-lock.yml': PNPM$7,
   [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$6,
   'vlt-lock.json': VLT$5,
   // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
@@ -4704,7 +4825,7 @@ const readLockFileByAgent = (() => {
       })
     ],
     [NPM$b, defaultReader],
-    [PNPM$8, defaultReader],
+    [PNPM$7, defaultReader],
     [VLT$5, defaultReader],
     [YARN_BERRY$5, defaultReader],
     [YARN_CLASSIC$6, defaultReader]
@@ -4728,7 +4849,7 @@ async function detectPackageEnvironment({
         cwd
       })
   const pkgPath =
-    pkgJsonPath && require$$0.existsSync(pkgJsonPath)
+    pkgJsonPath && fs$1.existsSync(pkgJsonPath)
       ? path$1.dirname(pkgJsonPath)
       : undefined
   const editablePkgJson = pkgPath
@@ -4856,6 +4977,7 @@ async function detectPackageEnvironment({
     agentExecPath,
     agentSupported,
     agentVersion,
+    editablePkgJson,
     features: {
       npmBuggyOverrides
     },
@@ -4865,7 +4987,6 @@ async function detectPackageEnvironment({
     nodeSupported,
     nodeVersion,
     npmExecPath,
-    pkgJson: editablePkgJson,
     pkgPath,
     pkgRequirements: {
       agent: pkgAgentRange ?? `>=${pkgMinAgentVersion}`,
@@ -4989,15 +5110,14 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
   return details
 }
 
-const { NPM: NPM$a, PNPM: PNPM$7 } = constants
-const CMD_NAME$2 = 'socket fix'
+const { NPM: NPM$a, PNPM: PNPM$6 } = constants
 async function runFix(options_) {
-  const options = shadowNpmInject.assignDefaultFixOptions({
+  const options = assignDefaultFixOptions({
     __proto__: null,
     ...options_
   })
   const pkgEnvDetails = await detectAndValidatePackageEnvironment(options.cwd, {
-    cmdName: CMD_NAME$2,
+    cmdName: CMD_NAME$1,
     logger: logger.logger
   })
   if (!pkgEnvDetails) {
@@ -5007,13 +5127,13 @@ async function runFix(options_) {
   const { agent } = pkgEnvDetails
   if (agent === NPM$a) {
     await npmFix(pkgEnvDetails, options)
-  } else if (agent === PNPM$7) {
+  } else if (agent === PNPM$6) {
     await pnpmFix(pkgEnvDetails, options)
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$w } = constants
-const config$z = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$x } = constants
+const config$A = {
   commandName: 'fix',
   description: 'Fix "fixable" Socket alerts',
   hidden: true,
@@ -5029,10 +5149,17 @@ const config$z = {
       default: false,
       description: `Enable auto-merge for pull requests that Socket opens.\n                        See ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
     },
+    purl: {
+      type: 'string',
+      default: [],
+      description: `User provided PURL to fix`,
+      isMultiple: true,
+      shortFlag: 'p'
+    },
     rangeStyle: {
       type: 'string',
       default: 'preserve',
-      description: vendor.stripIndent`
+      description: vendor.html`
       Define how updated dependency versions should be written in package.json.
       Available styles:
         *	caret - Use ^ range for compatible updates (e.g. ^1.2.3)
@@ -5063,14 +5190,14 @@ const config$z = {
   `
 }
 const cmdFix = {
-  description: config$z.description,
-  hidden: config$z.hidden,
-  run: run$z
+  description: config$A.description,
+  hidden: config$A.hidden,
+  run: run$A
 }
-async function run$z(argv, importMeta, { parentName }) {
+async function run$A(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$z,
+    config: config$A,
     importMeta,
     parentName
   })
@@ -5084,7 +5211,7 @@ async function run$z(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$w)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$x)
     return
   }
 
@@ -5093,6 +5220,7 @@ async function run$z(argv, importMeta, { parentName }) {
   await runFix({
     autoMerge: Boolean(cli.flags['autoMerge']),
     autoPilot: Boolean(cli.flags['autoPilot']),
+    purls: Array.isArray(cli.flags['purl']) ? cli.flags['purl'] : [],
     spinner,
     rangeStyle: cli.flags['rangeStyle'] ?? undefined,
     test: Boolean(cli.flags['test']),
@@ -5193,7 +5321,7 @@ function outputPackageInfo(
     return
   }
   if (outputKind === 'markdown') {
-    logger.logger.log(vendor.stripIndents`
+    logger.logger.log(vendor.html`
       # Package report for ${pkgName}
 
       Package report card:
@@ -5286,11 +5414,12 @@ async function handlePackageInfo({
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v } = constants
-const config$y = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$w } = constants
+const config$z = {
   commandName: 'info',
   description: 'Look up info regarding a package',
-  hidden: false,
+  hidden: true,
+  // Deprecated
   flags: {
     ...commonFlags,
     ...outputFlags,
@@ -5311,14 +5440,14 @@ const config$y = {
   `
 }
 const cmdInfo = {
-  description: config$y.description,
-  hidden: config$y.hidden,
-  run: run$y
+  description: config$z.description,
+  hidden: config$z.hidden,
+  run: run$z
 }
-async function run$y(argv, importMeta, { parentName }) {
+async function run$z(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$y,
+    config: config$z,
     importMeta,
     parentName
   })
@@ -5356,11 +5485,11 @@ async function run$y(argv, importMeta, { parentName }) {
   const pkgVersion =
     versionSeparator < 1 ? 'latest' : rawPkgName.slice(versionSeparator + 1)
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$v)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$w)
     return
   }
   await handlePackageInfo({
-    commandName: `${parentName} ${config$y.commandName}`,
+    commandName: `${parentName} ${config$z.commandName}`,
     includeAllIssues: Boolean(all),
     outputKind: json ? 'json' : markdown ? 'markdown' : 'print',
     pkgName,
@@ -5436,7 +5565,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
     logger.logger.success(
       `API credentials ${previousPersistedToken === apiToken ? 'refreshed' : previousPersistedToken ? 'updated' : 'set'}`
     )
-    if (!shadowNpmInject.isReadOnlyConfig()) {
+    if (shadowNpmInject.isReadOnlyConfig()) {
       logger.logger.log('')
       logger.logger.warn(
         'Note: config is in read-only mode, at least one key was overridden through flag/env, so the login was not persisted!'
@@ -5447,8 +5576,8 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$u } = constants
-const config$x = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v } = constants
+const config$y = {
   commandName: 'login',
   description: 'Socket API login',
   hidden: false,
@@ -5481,21 +5610,21 @@ const config$x = {
   `
 }
 const cmdLogin = {
-  description: config$x.description,
-  hidden: config$x.hidden,
-  run: run$x
+  description: config$y.description,
+  hidden: config$y.hidden,
+  run: run$y
 }
-async function run$x(argv, importMeta, { parentName }) {
+async function run$y(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$x,
+    config: config$y,
     importMeta,
     parentName
   })
   const apiBaseUrl = cli.flags['apiBaseUrl']
   const apiProxy = cli.flags['apiProxy']
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$u)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$v)
     return
   }
   if (!isInteractive()) {
@@ -5517,7 +5646,7 @@ function attemptLogout() {
   try {
     applyLogout()
     logger.logger.success('Successfully logged out')
-    if (!shadowNpmInject.isReadOnlyConfig()) {
+    if (shadowNpmInject.isReadOnlyConfig()) {
       logger.logger.log('')
       logger.logger.warn(
         'Note: config is in read-only mode, at least one key was overridden through flag/env, so the logout was not persisted!'
@@ -5528,8 +5657,8 @@ function attemptLogout() {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$t } = constants
-const config$w = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$u } = constants
+const config$x = {
   commandName: 'logout',
   description: 'Socket API logout',
   hidden: false,
@@ -5544,42 +5673,60 @@ const config$w = {
   `
 }
 const cmdLogout = {
-  description: config$w.description,
-  hidden: config$w.hidden,
-  run: run$w
+  description: config$x.description,
+  hidden: config$x.hidden,
+  run: run$x
 }
-async function run$w(argv, importMeta, { parentName }) {
+async function run$x(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$w,
+    config: config$x,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$t)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$u)
     return
   }
   attemptLogout()
 }
 
-async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
-  // Lazily access constants.spinner.
-  const { spinner } = constants
-  const rbin = path$1.resolve(bin)
-  const rtarget = path$1.resolve(target)
+async function convertGradleToMaven(target, bin, cwd, verbose, gradleOpts) {
   if (verbose) {
-    logger.logger.group('gradle2maven:')
-    logger.logger.log(`[VERBOSE] - Absolute bin path: \`${rbin}\``)
-    logger.logger.log(`[VERBOSE] - Absolute target path: \`${rtarget}\``)
-    logger.logger.groupEnd()
+    logger.logger.log('[VERBOSE] Resolving:', [cwd, bin])
+  }
+  const rbin = path$1.resolve(cwd, bin)
+  if (verbose) {
+    logger.logger.log('[VERBOSE] Resolving:', [cwd, target])
+  }
+  const rtarget = path$1.resolve(cwd, target)
+  const binExists = fs$1.existsSync(rbin)
+  const targetExists = fs$1.existsSync(rtarget)
+  logger.logger.group('gradle2maven:')
+  if (verbose || debug.isDebug()) {
+    logger.logger.log(
+      `[VERBOSE] - Absolute bin path: \`${rbin}\` (${binExists ? 'found' : vendor.yoctocolorsCjsExports.red('not found!')})`
+    )
+    logger.logger.log(
+      `[VERBOSE] - Absolute target path: \`${rtarget}\` (${targetExists ? 'found' : vendor.yoctocolorsCjsExports.red('not found!')})`
+    )
   } else {
-    logger.logger.group('gradle2maven:')
-    logger.logger.log(`- executing: \`${bin}\``)
-    logger.logger.log(`- src dir: \`${target}\``)
-    logger.logger.groupEnd()
+    logger.logger.log(`- executing: \`${rbin}\``)
+    if (!binExists) {
+      logger.logger.warn(
+        'Warning: It appears the executable could not be found at this location. An error might be printed later because of that.'
+      )
+    }
+    logger.logger.log(`- src dir: \`${rtarget}\``)
+    if (!targetExists) {
+      logger.logger.warn(
+        'Warning: It appears the src dir could not be found at this location. An error might be printed later because of that.'
+      )
+    }
   }
+  logger.logger.groupEnd()
   try {
-    // Run sbt with the init script we provide which should yield zero or more
+    // Run gradlew with the init script we provide which should yield zero or more
     // pom files. We have to figure out where to store those pom files such that
     // we can upload them and predict them through the GitHub API. We could do a
     // .socket folder. We could do a socket.pom.gz with all the poms, although
@@ -5589,26 +5736,23 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
     const initLocation = path$1.join(constants.rootDistPath, 'init.gradle')
     const commandArgs = ['--init-script', initLocation, ...gradleOpts, 'pom']
     if (verbose) {
-      logger.logger.log('[VERBOSE] Executing:', bin, commandArgs)
+      logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs)
     }
-    spinner.start(
-      `Converting gradle to maven from \`${bin}\` on \`${target}\`...`
+    logger.logger.log(
+      `Converting gradle to maven from \`${bin}\` on \`${target}\` ...`
     )
-    const output = await spawn.spawn(bin, commandArgs, {
-      cwd: target || '.'
-    })
-    spinner.stop()
+    const output = await execGradleWithSpinner(rbin, commandArgs, rtarget, cwd)
     if (verbose) {
       logger.logger.group('[VERBOSE] gradle stdout:')
       logger.logger.log(output)
       logger.logger.groupEnd()
     }
-    if (output.stderr) {
+    if (output.code !== 0) {
       process.exitCode = 1
-      logger.logger.fail('There were errors while running gradle')
+      logger.logger.fail(`Gradle exited with exit code ${output.code}`)
       // (In verbose mode, stderr was printed above, no need to repeat it)
       if (!verbose) {
-        logger.logger.group('[VERBOSE] stderr:')
+        logger.logger.group('stderr:')
         logger.logger.error(output.stderr)
         logger.logger.groupEnd()
       }
@@ -5620,41 +5764,15 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
       logger.logger.log('- ', fn)
       return fn
     })
-
-    // const loc = output.stdout?.match(/Wrote (.*?.pom)\n/)?.[1]?.trim()
-    // if (!loc) {
-    //   logger.fail(
-    //     'There were no errors from sbt but could not find the location of resulting .pom file either'
-    //   )
-    //   // eslint-disable-next-line n/no-process-exit
-    //   process.exit(1)
-    // }
-    //
-    // // Move the pom file to ...? initial cwd? loc will be an absolute path, or dump to stdout
-    // if (out === '-') {
-    //   spinner.start('Result:\n```')
-    //   spinner.log(await safeReadFile(loc))
-    //   spinner.log('```')
-    //   spinner.successAndStop(`OK`)
-    // } else {
-    //   spinner.start()
-    //   if (verbose) {
-    //     spinner.log(
-    //       `Moving manifest file from \`${loc.replace(/^\/home\/[^/]*?\//, '~/')}\` to \`${out}\``
-    //     )
-    //   } else {
-    //     spinner.log('Moving output pom file')
-    //   }
-    //   // TODO: do we prefer fs-extra? renaming can be gnarly on windows and fs-extra's version is better
-    //   await renamep(loc, out)
-    //   spinner.successAndStop(`OK. File should be available in \`${out}\``)
-    // }
+    logger.logger.log('')
+    logger.logger.log(
+      'Next step is to generate a Scan by running the `socket scan create` command on the same directory'
+    )
   } catch (e) {
     process.exitCode = 1
-    spinner.stop()
     logger.logger.fail(
-      'There was an unexpected error while running this' +
-        (verbose ? '' : ' (use --verbose for details)')
+      'There was an unexpected error while generating manifests' +
+        (verbose ? '' : '  (use --verbose for details)')
     )
     if (verbose) {
       logger.logger.group('[VERBOSE] error:')
@@ -5663,9 +5781,39 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
     }
   }
 }
+async function execGradleWithSpinner(bin, commandArgs, target, cwd) {
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  let pass = false
+  try {
+    spinner.start(
+      `Running gradlew... (this can take a while, it depends on how long gradlew has to run)`
+    )
+    const output = await spawn.spawn(bin, commandArgs, {
+      // We can pipe the output through to have the user see the result
+      // of running gradlew, but then we can't (easily) gather the output
+      // to discover the generated files... probably a flag we should allow?
+      // stdio: isDebug() ? 'inherit' : undefined,
+      cwd: target || cwd
+    })
+    pass = true
+    const { code, stderr, stdout } = output
+    return {
+      code,
+      stdout,
+      stderr
+    }
+  } finally {
+    if (pass) {
+      spinner.successAndStop('Completed gradlew execution')
+    } else {
+      spinner.failAndStop('There was an error while trying to run gradlew.')
+    }
+  }
+}
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s } = constants
-const config$v = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$t } = constants
+const config$w = {
   commandName: 'gradle',
   description:
     '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Gradle/Java/Kotlin/etc project',
@@ -5686,16 +5834,6 @@ const config$v = {
       description:
         'Additional options to pass on to ./gradlew, see `./gradlew --help`'
     },
-    out: {
-      type: 'string',
-      default: './socket.pom.xml',
-      description:
-        'Path of output file; where to store the resulting manifest, see also --stdout'
-    },
-    stdout: {
-      type: 'boolean',
-      description: 'Print resulting pom.xml to stdout (supersedes --out)'
-    },
     task: {
       type: 'string',
       default: 'all',
@@ -5740,20 +5878,20 @@ const config$v = {
   `
 }
 const cmdManifestGradle = {
-  description: config$v.description,
-  hidden: config$v.hidden,
-  run: run$v
+  description: config$w.description,
+  hidden: config$w.hidden,
+  run: run$w
 }
-async function run$v(argv, importMeta, { parentName }) {
+async function run$w(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$v,
+    config: config$w,
     importMeta,
     parentName
   })
   const verbose = Boolean(cli.flags['verbose'])
   if (verbose) {
-    logger.logger.group('- ', parentName, config$v.commandName, ':')
+    logger.logger.group('- ', parentName, config$w.commandName, ':')
     logger.logger.group('- flags:', cli.flags)
     logger.logger.groupEnd()
     logger.logger.log('- input:', cli.input)
@@ -5774,7 +5912,7 @@ async function run$v(argv, importMeta, { parentName }) {
     },
     {
       nook: true,
-      test: cli.input.length === 1,
+      test: cli.input.length <= 1,
       message: 'Can only accept one DIR (make sure to escape spaces!)',
       pass: 'ok',
       fail: 'received ' + cli.input.length
@@ -5783,24 +5921,12 @@ async function run$v(argv, importMeta, { parentName }) {
   if (wasBadInput) {
     return
   }
-  let bin
-  if (cli.flags['bin']) {
-    bin = cli.flags['bin']
-  } else {
-    bin = path$1.join(target, 'gradlew')
-  }
-  let out = './socket.pom.xml'
-  if (cli.flags['out']) {
-    out = cli.flags['out']
-  }
-  if (cli.flags['stdout']) {
-    out = '-'
-  }
+  const { bin = path$1.join(target, 'gradlew'), cwd = process.cwd() } =
+    cli.flags
   if (verbose) {
     logger.logger.group()
     logger.logger.log('- target:', target)
     logger.logger.log('- gradle bin:', bin)
-    logger.logger.log('- out:', out)
     logger.logger.groupEnd()
   }
   let gradleOpts = []
@@ -5811,10 +5937,16 @@ async function run$v(argv, importMeta, { parentName }) {
       .filter(Boolean)
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$s)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$t)
     return
   }
-  await convertGradleToMaven(target, bin, out, verbose, gradleOpts)
+  await convertGradleToMaven(
+    target,
+    String(bin),
+    String(cwd),
+    verbose,
+    gradleOpts
+  )
 }
 
 async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
@@ -5920,8 +6052,8 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$r } = constants
-const config$u = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s } = constants
+const config$v = {
   commandName: 'scala',
   description:
     "[beta] Generate a manifest file (`pom.xml`) from Scala's `build.sbt` file",
@@ -5996,20 +6128,20 @@ const config$u = {
   `
 }
 const cmdManifestScala = {
-  description: config$u.description,
-  hidden: config$u.hidden,
-  run: run$u
+  description: config$v.description,
+  hidden: config$v.hidden,
+  run: run$v
 }
-async function run$u(argv, importMeta, { parentName }) {
+async function run$v(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$u,
+    config: config$v,
     importMeta,
     parentName
   })
   const verbose = Boolean(cli.flags['verbose'])
   if (verbose) {
-    logger.logger.group('- ', parentName, config$u.commandName, ':')
+    logger.logger.group('- ', parentName, config$v.commandName, ':')
     logger.logger.group('- flags:', cli.flags)
     logger.logger.groupEnd()
     logger.logger.log('- input:', cli.input)
@@ -6030,7 +6162,7 @@ async function run$u(argv, importMeta, { parentName }) {
     },
     {
       nook: true,
-      test: cli.input.length === 1,
+      test: cli.input.length <= 1,
       message: 'Can only accept one DIR (make sure to escape spaces!)',
       pass: 'ok',
       fail: 'received ' + cli.input.length
@@ -6065,14 +6197,14 @@ async function run$u(argv, importMeta, { parentName }) {
       .filter(Boolean)
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$r)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$s)
     return
   }
   await convertSbtToMaven(target, bin, out, verbose, sbtOpts)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$q } = constants
-const config$t = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$r } = constants
+const config$u = {
   commandName: 'auto',
   description: 'Auto-detect build and attempt to generate manifest file',
   hidden: false,
@@ -6102,21 +6234,21 @@ const config$t = {
   `
 }
 const cmdManifestAuto = {
-  description: config$t.description,
-  hidden: config$t.hidden,
-  run: run$t
+  description: config$u.description,
+  hidden: config$u.hidden,
+  run: run$u
 }
-async function run$t(argv, importMeta, { parentName }) {
+async function run$u(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$t,
+    config: config$u,
     importMeta,
     parentName
   })
   const verbose = !!cli.flags['verbose']
   const cwd = cli.flags['cwd'] ?? process.cwd()
   if (verbose) {
-    logger.logger.group('- ', parentName, config$t.commandName, ':')
+    logger.logger.group('- ', parentName, config$u.commandName, ':')
     logger.logger.group('- flags:', cli.flags)
     logger.logger.groupEnd()
     logger.logger.log('- input:', cli.input)
@@ -6128,7 +6260,7 @@ async function run$t(argv, importMeta, { parentName }) {
     subArgs.push('--verbose')
   }
   const dir = cwd
-  if (require$$0.existsSync(path$1.join(dir, 'build.sbt'))) {
+  if (fs$1.existsSync(path$1.join(dir, 'build.sbt'))) {
     logger.logger.log(
       'Detected a Scala sbt build, running default Scala generator...'
     )
@@ -6137,7 +6269,7 @@ async function run$t(argv, importMeta, { parentName }) {
     }
     subArgs.push(dir)
     if (cli.flags['dryRun']) {
-      logger.logger.log(DRY_RUN_BAIL_TEXT$q)
+      logger.logger.log(DRY_RUN_BAIL_TEXT$r)
       return
     }
     await cmdManifestScala.run(subArgs, importMeta, {
@@ -6145,7 +6277,7 @@ async function run$t(argv, importMeta, { parentName }) {
     })
     return
   }
-  if (require$$0.existsSync(path$1.join(dir, 'gradlew'))) {
+  if (fs$1.existsSync(path$1.join(dir, 'gradlew'))) {
     logger.logger.log(
       'Detected a gradle build, running default gradle generator...'
     )
@@ -6154,7 +6286,7 @@ async function run$t(argv, importMeta, { parentName }) {
       subArgs.push(cwd)
     }
     if (cli.flags['dryRun']) {
-      logger.logger.log(DRY_RUN_BAIL_TEXT$q)
+      logger.logger.log(DRY_RUN_BAIL_TEXT$r)
       return
     }
     await cmdManifestGradle.run(subArgs, importMeta, {
@@ -6163,7 +6295,7 @@ async function run$t(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$q)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$r)
     return
   }
 
@@ -6171,7 +6303,7 @@ async function run$t(argv, importMeta, { parentName }) {
   vendor
     .meow(
       `
-    $ ${parentName} ${config$t.commandName}
+    $ ${parentName} ${config$u.commandName}
 
     Unfortunately this script did not discover a supported language in the
     current folder.
@@ -6185,21 +6317,21 @@ async function run$t(argv, importMeta, { parentName }) {
   `,
       {
         argv: [],
-        description: config$t.description,
+        description: config$u.description,
         importMeta
       }
     )
     .showHelp()
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$p } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$q } = constants
 
 // TODO: we may want to dedupe some pieces for all gradle languages. I think it
 //       makes sense to have separate commands for them and I think it makes
 //       sense for the help panels to note the requested language, rather than
 //       `socket manifest kotlin` to print help screens with `gradle` as the
 //       command. Room for improvement.
-const config$s = {
+const config$t = {
   commandName: 'kotlin',
   description:
     '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Kotlin project',
@@ -6220,16 +6352,6 @@ const config$s = {
       description:
         'Additional options to pass on to ./gradlew, see `./gradlew --help`'
     },
-    out: {
-      type: 'string',
-      default: './socket.pom.xml',
-      description:
-        'Path of output file; where to store the resulting manifest, see also --stdout'
-    },
-    stdout: {
-      type: 'boolean',
-      description: 'Print resulting pom.xml to stdout (supersedes --out)'
-    },
     task: {
       type: 'string',
       default: 'all',
@@ -6274,20 +6396,20 @@ const config$s = {
   `
 }
 const cmdManifestKotlin = {
-  description: config$s.description,
-  hidden: config$s.hidden,
-  run: run$s
+  description: config$t.description,
+  hidden: config$t.hidden,
+  run: run$t
 }
-async function run$s(argv, importMeta, { parentName }) {
+async function run$t(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$s,
+    config: config$t,
     importMeta,
     parentName
   })
   const verbose = Boolean(cli.flags['verbose'])
   if (verbose) {
-    logger.logger.group('- ', parentName, config$s.commandName, ':')
+    logger.logger.group('- ', parentName, config$t.commandName, ':')
     logger.logger.group('- flags:', cli.flags)
     logger.logger.groupEnd()
     logger.logger.log('- input:', cli.input)
@@ -6308,7 +6430,7 @@ async function run$s(argv, importMeta, { parentName }) {
     },
     {
       nook: true,
-      test: cli.input.length === 1,
+      test: cli.input.length <= 1,
       message: 'Can only accept one DIR (make sure to escape spaces!)',
       pass: 'ok',
       fail: 'received ' + cli.input.length
@@ -6317,24 +6439,12 @@ async function run$s(argv, importMeta, { parentName }) {
   if (wasBadInput) {
     return
   }
-  let bin
-  if (cli.flags['bin']) {
-    bin = cli.flags['bin']
-  } else {
-    bin = path$1.join(target, 'gradlew')
-  }
-  let out = './socket.pom.xml'
-  if (cli.flags['out']) {
-    out = cli.flags['out']
-  }
-  if (cli.flags['stdout']) {
-    out = '-'
-  }
+  const { bin = path$1.join(target, 'gradlew'), cwd = process.cwd() } =
+    cli.flags
   if (verbose) {
     logger.logger.group()
     logger.logger.log('- target:', target)
     logger.logger.log('- gradle bin:', bin)
-    logger.logger.log('- out:', out)
     logger.logger.groupEnd()
   }
   let gradleOpts = []
@@ -6345,13 +6455,19 @@ async function run$s(argv, importMeta, { parentName }) {
       .filter(Boolean)
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$p)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$q)
     return
   }
-  await convertGradleToMaven(target, bin, out, verbose, gradleOpts)
+  await convertGradleToMaven(
+    target,
+    String(bin),
+    String(cwd),
+    verbose,
+    gradleOpts
+  )
 }
 
-const config$r = {
+const config$s = {
   commandName: 'manifest',
   description: 'Generate a dependency manifest for given file or dir',
   hidden: false,
@@ -6360,11 +6476,11 @@ const config$r = {
   }
 }
 const cmdManifest = {
-  description: config$r.description,
-  hidden: config$r.hidden,
-  run: run$r
+  description: config$s.description,
+  hidden: config$s.hidden,
+  run: run$s
 }
-async function run$r(argv, importMeta, { parentName }) {
+async function run$s(argv, importMeta, { parentName }) {
   await meowWithSubcommands(
     {
       auto: cmdManifestAuto,
@@ -6376,15 +6492,15 @@ async function run$r(argv, importMeta, { parentName }) {
       argv,
       aliases: {
         yolo: {
-          description: config$r.description,
+          description: config$s.description,
           hidden: true,
           argv: ['auto']
         }
       },
-      description: config$r.description,
+      description: config$s.description,
       importMeta,
-      flags: config$r.flags,
-      name: `${parentName} ${config$r.commandName}`
+      flags: config$s.flags,
+      name: `${parentName} ${config$s.commandName}`
     }
   )
 }
@@ -6396,8 +6512,8 @@ async function wrapNpm(argv) {
   await shadowBin(NPM$8, argv)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$o, NPM: NPM$7 } = constants
-const config$q = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$p, NPM: NPM$7 } = constants
+const config$r = {
   commandName: 'npm',
   description: `${NPM$7} wrapper functionality`,
   hidden: false,
@@ -6410,20 +6526,20 @@ const config$q = {
   `
 }
 const cmdNpm = {
-  description: config$q.description,
-  hidden: config$q.hidden,
-  run: run$q
+  description: config$r.description,
+  hidden: config$r.hidden,
+  run: run$r
 }
-async function run$q(argv, importMeta, { parentName }) {
+async function run$r(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$q,
+    config: config$r,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$o)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$p)
     return
   }
   await wrapNpm(argv)
@@ -6436,8 +6552,8 @@ async function wrapNpx(argv) {
   await shadowBin(NPX$2, argv)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$n, NPX: NPX$1 } = constants
-const config$p = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$o, NPX: NPX$1 } = constants
+const config$q = {
   commandName: 'npx',
   description: `${NPX$1} wrapper functionality`,
   hidden: false,
@@ -6450,27 +6566,27 @@ const config$p = {
   `
 }
 const cmdNpx = {
-  description: config$p.description,
-  hidden: config$p.hidden,
-  run: run$p
+  description: config$q.description,
+  hidden: config$q.hidden,
+  run: run$q
 }
-async function run$p(argv, importMeta, { parentName }) {
+async function run$q(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$p,
+    config: config$q,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$n)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$o)
     return
   }
   await wrapNpx(argv)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$m } = constants
-const config$o = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$n } = constants
+const config$p = {
   commandName: 'oops',
   description: 'Trigger an intentional error (for development)',
   hidden: true,
@@ -6485,19 +6601,19 @@ const config$o = {
   `
 }
 const cmdOops = {
-  description: config$o.description,
-  hidden: config$o.hidden,
-  run: run$o
+  description: config$p.description,
+  hidden: config$p.hidden,
+  run: run$p
 }
-async function run$o(argv, importMeta, { parentName }) {
+async function run$p(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$o,
+    config: config$p,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$m)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$n)
     return
   }
   throw new Error('This error was intentionally left blank')
@@ -6506,7 +6622,7 @@ async function run$o(argv, importMeta, { parentName }) {
 const {
   BUN: BUN$4,
   NPM: NPM$6,
-  PNPM: PNPM$6,
+  PNPM: PNPM$5,
   VLT: VLT$4,
   YARN_BERRY: YARN_BERRY$4,
   YARN_CLASSIC: YARN_CLASSIC$5
@@ -6520,19 +6636,19 @@ function matchQueryCmdStdout(stdout, name) {
 const depsIncludesByAgent = new Map([
   [BUN$4, matchLsCmdViewHumanStdout],
   [NPM$6, matchQueryCmdStdout],
-  [PNPM$6, matchQueryCmdStdout],
+  [PNPM$5, matchQueryCmdStdout],
   [VLT$4, matchQueryCmdStdout],
   [YARN_BERRY$4, matchLsCmdViewHumanStdout],
   [YARN_CLASSIC$5, matchLsCmdViewHumanStdout]
 ])
 
-function getDependencyEntries(editablePkgJson) {
+function getDependencyEntries(pkgEnvDetails) {
   const {
     dependencies,
     devDependencies,
     optionalDependencies,
     peerDependencies
-  } = editablePkgJson.content
+  } = pkgEnvDetails.editablePkgJson.content
   return [
     [
       'dependencies',
@@ -6577,14 +6693,14 @@ const {
   BUN: BUN$3,
   NPM: NPM$5,
   OVERRIDES: OVERRIDES$1,
-  PNPM: PNPM$5,
+  PNPM: PNPM$4,
   RESOLUTIONS: RESOLUTIONS$1,
   VLT: VLT$3,
   YARN_BERRY: YARN_BERRY$3,
   YARN_CLASSIC: YARN_CLASSIC$4
 } = constants
-function getOverridesDataBun(editablePkgJson) {
-  const overrides = editablePkgJson.content?.[RESOLUTIONS$1] ?? {}
+function getOverridesDataBun(pkgEnvDetails) {
+  const overrides = pkgEnvDetails.editablePkgJson.content?.[RESOLUTIONS$1] ?? {}
   return {
     type: YARN_BERRY$3,
     overrides
@@ -6593,8 +6709,8 @@ function getOverridesDataBun(editablePkgJson) {
 
 // npm overrides documentation:
 // https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-function getOverridesDataNpm(editablePkgJson) {
-  const overrides = editablePkgJson.content?.[OVERRIDES$1] ?? {}
+function getOverridesDataNpm(pkgEnvDetails) {
+  const overrides = pkgEnvDetails.editablePkgJson.content?.[OVERRIDES$1] ?? {}
   return {
     type: NPM$5,
     overrides
@@ -6603,15 +6719,16 @@ function getOverridesDataNpm(editablePkgJson) {
 
 // pnpm overrides documentation:
 // https://pnpm.io/package_json#pnpmoverrides
-function getOverridesDataPnpm(editablePkgJson) {
-  const overrides = editablePkgJson.content?.[PNPM$5]?.[OVERRIDES$1] ?? {}
+function getOverridesDataPnpm(pkgEnvDetails) {
+  const overrides =
+    pkgEnvDetails.editablePkgJson.content?.[PNPM$4]?.[OVERRIDES$1] ?? {}
   return {
-    type: PNPM$5,
+    type: PNPM$4,
     overrides
   }
 }
-function getOverridesDataVlt(editablePkgJson) {
-  const overrides = editablePkgJson.content?.[OVERRIDES$1] ?? {}
+function getOverridesDataVlt(pkgEnvDetails) {
+  const overrides = pkgEnvDetails.editablePkgJson.content?.[OVERRIDES$1] ?? {}
   return {
     type: VLT$3,
     overrides
@@ -6620,8 +6737,8 @@ function getOverridesDataVlt(editablePkgJson) {
 
 // Yarn resolutions documentation:
 // https://yarnpkg.com/configuration/manifest#resolutions
-function getOverridesDataYarn(editablePkgJson) {
-  const overrides = editablePkgJson.content?.[RESOLUTIONS$1] ?? {}
+function getOverridesDataYarn(pkgEnvDetails) {
+  const overrides = pkgEnvDetails.editablePkgJson.content?.[RESOLUTIONS$1] ?? {}
   return {
     type: YARN_BERRY$3,
     overrides
@@ -6630,8 +6747,8 @@ function getOverridesDataYarn(editablePkgJson) {
 
 // Yarn resolutions documentation:
 // https://classic.yarnpkg.com/en/docs/selective-version-resolutions
-function getOverridesDataYarnClassic(editablePkgJson) {
-  const overrides = editablePkgJson.content?.[RESOLUTIONS$1] ?? {}
+function getOverridesDataYarnClassic(pkgEnvDetails) {
+  const overrides = pkgEnvDetails.editablePkgJson.content?.[RESOLUTIONS$1] ?? {}
   return {
     type: YARN_CLASSIC$4,
     overrides
@@ -6640,62 +6757,12 @@ function getOverridesDataYarnClassic(editablePkgJson) {
 const overridesDataByAgent = new Map([
   [BUN$3, getOverridesDataBun],
   [NPM$5, getOverridesDataNpm],
-  [PNPM$5, getOverridesDataPnpm],
+  [PNPM$4, getOverridesDataPnpm],
   [VLT$3, getOverridesDataVlt],
   [YARN_BERRY$3, getOverridesDataYarn],
   [YARN_CLASSIC$4, getOverridesDataYarnClassic]
 ])
 
-const { PNPM: PNPM$4 } = constants
-const PNPM_WORKSPACE = `${PNPM$4}-workspace`
-async function getWorkspaceGlobs(agent, pkgPath, editablePkgJson) {
-  let workspacePatterns
-  if (agent === PNPM$4) {
-    for (const workspacePath of [
-      path$1.join(pkgPath, `${PNPM_WORKSPACE}.yaml`),
-      path$1.join(pkgPath, `${PNPM_WORKSPACE}.yml`)
-    ]) {
-      // eslint-disable-next-line no-await-in-loop
-      const yml = await shadowNpmInject.safeReadFile(workspacePath)
-      if (yml) {
-        try {
-          workspacePatterns = vendor.distExports$1.parse(yml)?.packages
-        } catch {}
-        if (workspacePatterns) {
-          break
-        }
-      }
-    }
-  } else {
-    workspacePatterns = editablePkgJson.content['workspaces']
-  }
-  return Array.isArray(workspacePatterns)
-    ? workspacePatterns
-        .filter(strings.isNonEmptyString)
-        .map(workspacePatternToGlobPattern)
-    : undefined
-}
-function workspacePatternToGlobPattern(workspace) {
-  const { length } = workspace
-  if (!length) {
-    return ''
-  }
-  // If the workspace ends with "/"
-  if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
-    return `${workspace}/*/package.json`
-  }
-  // If the workspace ends with "/**"
-  if (
-    workspace.charCodeAt(length - 1) === 42 /*'*'*/ &&
-    workspace.charCodeAt(length - 2) === 42 /*'*'*/ &&
-    workspace.charCodeAt(length - 3) === 47 /*'/'*/
-  ) {
-    return `${workspace}/*/**/package.json`
-  }
-  // Things like "packages/a" or "packages/*"
-  return `${workspace}/package.json`
-}
-
 const {
   BUN: BUN$2,
   LOCK_EXT,
@@ -6813,22 +6880,22 @@ async function npmQuery(npmExecPath, cwd) {
   } catch {}
   return cleanupQueryStdout(stdout)
 }
-async function lsBun(agentExecPath, cwd) {
+async function lsBun(pkgEnvDetails, cwd) {
   try {
     // Bun does not support filtering by production packages yet.
     // https://github.com/oven-sh/bun/issues/8283
     return (
-      await spawn.spawn(agentExecPath, ['pm', 'ls', '--all'], {
+      await spawn.spawn(pkgEnvDetails.agentExecPath, ['pm', 'ls', '--all'], {
         cwd
       })
     ).stdout
   } catch {}
   return ''
 }
-async function lsNpm(agentExecPath, cwd) {
-  return await npmQuery(agentExecPath, cwd)
+async function lsNpm(pkgEnvDetails, cwd) {
+  return await npmQuery(pkgEnvDetails.agentExecPath, cwd)
 }
-async function lsPnpm(agentExecPath, cwd, options) {
+async function lsPnpm(pkgEnvDetails, cwd, options) {
   const npmExecPath = options?.npmExecPath
   if (npmExecPath && npmExecPath !== NPM$3) {
     const result = await npmQuery(npmExecPath, cwd)
@@ -6840,7 +6907,7 @@ async function lsPnpm(agentExecPath, cwd, options) {
   try {
     stdout = (
       await spawn.spawn(
-        agentExecPath,
+        pkgEnvDetails.agentExecPath,
         // Pnpm uses the alternative spelling of parsable.
         // https://en.wiktionary.org/wiki/parsable
         ['ls', '--parseable', '--prod', '--depth', 'Infinity'],
@@ -6852,13 +6919,13 @@ async function lsPnpm(agentExecPath, cwd, options) {
   } catch {}
   return parsableToQueryStdout(stdout)
 }
-async function lsVlt(agentExecPath, cwd) {
+async function lsVlt(pkgEnvDetails, cwd) {
   let stdout = ''
   try {
     // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (
       await spawn.spawn(
-        agentExecPath,
+        pkgEnvDetails.agentExecPath,
         ['ls', '--view', 'human', ':not(.dev)'],
         {
           cwd
@@ -6868,14 +6935,14 @@ async function lsVlt(agentExecPath, cwd) {
   } catch {}
   return cleanupQueryStdout(stdout)
 }
-async function lsYarnBerry(agentExecPath, cwd) {
+async function lsYarnBerry(pkgEnvDetails, cwd) {
   try {
     return (
       // Yarn Berry does not support filtering by production packages yet.
       // https://github.com/yarnpkg/berry/issues/5117
       (
         await spawn.spawn(
-          agentExecPath,
+          pkgEnvDetails.agentExecPath,
           ['info', '--recursive', '--name-only'],
           {
             cwd
@@ -6886,14 +6953,14 @@ async function lsYarnBerry(agentExecPath, cwd) {
   } catch {}
   return ''
 }
-async function lsYarnClassic(agentExecPath, cwd) {
+async function lsYarnClassic(pkgEnvDetails, cwd) {
   try {
     // However, Yarn Classic does support it.
     // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
     // > Fix: Excludes dev dependencies from the yarn list output when the
     //   environment is production
     return (
-      await spawn.spawn(agentExecPath, ['list', '--prod'], {
+      await spawn.spawn(pkgEnvDetails.agentExecPath, ['list', '--prod'], {
         cwd
       })
     ).stdout.trim()
@@ -6909,6 +6976,8 @@ const lsByAgent = new Map([
   [YARN_CLASSIC$2, lsYarnClassic]
 ])
 
+const CMD_NAME = 'socket optimize'
+
 const {
   BUN,
   NPM: NPM$2,
@@ -7038,14 +7107,14 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     `${JSON.stringify(Object.fromEntries(entries), null, 2)}\n`
   )
 }
-function updateOverridesField(editablePkgJson, overrides) {
-  updatePkgJsonField(editablePkgJson, OVERRIDES, overrides)
+function updateOverridesField(pkgEnvDetails, overrides) {
+  updatePkgJsonField(pkgEnvDetails.editablePkgJson, OVERRIDES, overrides)
 }
-function updateResolutionsField(editablePkgJson, overrides) {
-  updatePkgJsonField(editablePkgJson, RESOLUTIONS, overrides)
+function updateResolutionsField(pkgEnvDetails, overrides) {
+  updatePkgJsonField(pkgEnvDetails.editablePkgJson, RESOLUTIONS, overrides)
 }
-function updatePnpmField(editablePkgJson, overrides) {
-  updatePkgJsonField(editablePkgJson, PNPM$1, overrides)
+function updatePnpmField(pkgEnvDetails, overrides) {
+  updatePkgJsonField(pkgEnvDetails.editablePkgJson, PNPM$1, overrides)
 }
 const updateManifestByAgent = new Map([
   [BUN, updateResolutionsField],
@@ -7057,12 +7126,10 @@ const updateManifestByAgent = new Map([
 ])
 
 const { NPM: NPM$1, PNPM, YARN_CLASSIC } = constants
-const CMD_NAME$1 = 'socket optimize'
 const manifestNpmOverrides = registry.getManifestData(NPM$1)
-async function addOverrides(pkgPath, pkgEnvDetails, options) {
+async function addOverrides(pkgEnvDetails, pkgPath, options) {
   const {
     agent,
-    agentExecPath,
     lockName,
     lockSrc,
     npmExecPath,
@@ -7078,27 +7145,19 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
       addedInWorkspaces: new Set(),
       updated: new Set(),
       updatedInWorkspaces: new Set(),
-      warnedPnpmWorkspaceRequiresNpm: false
+      warnedPnpmWorkspaceRequiresNpm: false,
+      workspacePkgJsonPaths: await shadowNpmPaths.globWorkspace(pkgEnvDetails)
     }
   } = {
     __proto__: null,
     ...options
   }
-  let { pkgJson: editablePkgJson } = pkgEnvDetails
-  if (editablePkgJson === undefined) {
-    editablePkgJson = await packages.readPackageJson(pkgPath, {
-      editable: true
-    })
-  }
-  const workspaceName = path$1.relative(rootPath, pkgPath)
-  const workspaceGlobs = await getWorkspaceGlobs(
-    agent,
-    pkgPath,
-    editablePkgJson
-  )
-  const isRoot = pkgPath === rootPath
-  const isLockScanned = isRoot && !prod
-  const isWorkspace = !!workspaceGlobs
+  const isWorkspace = state.workspacePkgJsonPaths.length > 0
+  const isWorkspaceRoot = pkgPath === rootPath
+  const isLockScanned = isWorkspaceRoot && !prod
+  const workspaceName = isWorkspaceRoot
+    ? ''
+    : path$1.relative(rootPath, pkgPath)
   if (
     isWorkspace &&
     agent === PNPM &&
@@ -7109,25 +7168,25 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
     state.warnedPnpmWorkspaceRequiresNpm = true
     logger?.warn(
       cmdPrefixMessage(
-        CMD_NAME$1,
+        CMD_NAME,
         `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``
       )
     )
   }
   const overridesDataObjects = []
-  if (editablePkgJson.content['private'] || isWorkspace) {
-    overridesDataObjects.push(overridesDataByAgent.get(agent)(editablePkgJson))
+  if (isWorkspace || pkgEnvDetails.editablePkgJson.content['private']) {
+    overridesDataObjects.push(overridesDataByAgent.get(agent)(pkgEnvDetails))
   } else {
     overridesDataObjects.push(
-      overridesDataByAgent.get(NPM$1)(editablePkgJson),
-      overridesDataByAgent.get(YARN_CLASSIC)(editablePkgJson)
+      overridesDataByAgent.get(NPM$1)(pkgEnvDetails),
+      overridesDataByAgent.get(YARN_CLASSIC)(pkgEnvDetails)
     )
   }
   spinner?.setText(
     `Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`
   )
   const depAliasMap = new Map()
-  const depEntries = getDependencyEntries(editablePkgJson)
+  const depEntries = getDependencyEntries(pkgEnvDetails)
   const manifestEntries = manifestNpmOverrides.filter(({ 1: data }) =>
     vendor.semverExports.satisfies(
       // Roughly check Node range as semver.coerce will strip leading
@@ -7178,7 +7237,7 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
         depAliasMap.set(origPkgName, thisSpec)
       }
     }
-    if (isRoot) {
+    if (isWorkspaceRoot) {
       // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
       // first two parameters. AgentLockIncludesFn accepts an optional third
       // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
@@ -7188,7 +7247,7 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
         : depsIncludesByAgent.get(agent)
       const thingToScan = isLockScanned
         ? lockSrc
-        : await lsByAgent.get(agent)(agentExecPath, pkgPath, {
+        : await lsByAgent.get(agent)(pkgEnvDetails, pkgPath, {
             npmExecPath
           })
       // Chunk package names to process them in parallel 3 at a time.
@@ -7254,28 +7313,21 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
       )
     }
   })
-  if (workspaceGlobs) {
-    const workspacePkgJsonPaths = await vendor.distExports.glob(
-      workspaceGlobs,
-      {
-        absolute: true,
-        cwd: pkgPath,
-        ignore: ['**/node_modules/**', '**/bower_components/**']
-      }
-    )
+  if (isWorkspace) {
     // Chunk package names to process them in parallel 3 at a time.
     await promises.pEach(
-      workspacePkgJsonPaths,
+      state.workspacePkgJsonPaths,
       3,
       async workspacePkgJsonPath => {
         const otherState = await addOverrides(
-          path$1.dirname(workspacePkgJsonPath),
           pkgEnvDetails,
+          path$1.dirname(workspacePkgJsonPath),
           {
             logger,
             pin,
             prod,
-            spinner
+            spinner,
+            state
           }
         )
         for (const key of [
@@ -7292,14 +7344,14 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
     )
   }
   if (state.added.size > 0 || state.updated.size > 0) {
-    editablePkgJson.update(Object.fromEntries(depEntries))
+    pkgEnvDetails.editablePkgJson.update(Object.fromEntries(depEntries))
     for (const { overrides, type } of overridesDataObjects) {
       updateManifestByAgent.get(type)(
-        editablePkgJson,
+        pkgEnvDetails,
         objects.toSortedObject(overrides)
       )
     }
-    await editablePkgJson.save()
+    await pkgEnvDetails.editablePkgJson.save()
   }
   return state
 }
@@ -7345,7 +7397,6 @@ async function updateLockfile(pkgEnvDetails, options) {
   }
 }
 
-const CMD_NAME = 'socket optimize'
 function createActionMessage(verb, overrideCount, workspaceCount) {
   return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`
 }
@@ -7361,7 +7412,7 @@ async function applyOptimization(cwd, pin, prod) {
   // Lazily access constants.spinner.
   const { spinner } = constants
   spinner.start('Socket optimizing...')
-  const state = await addOverrides(pkgEnvDetails.pkgPath, pkgEnvDetails, {
+  const state = await addOverrides(pkgEnvDetails, pkgEnvDetails.pkgPath, {
     logger: logger.logger,
     pin,
     prod,
@@ -7394,8 +7445,8 @@ async function applyOptimization(cwd, pin, prod) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$l } = constants
-const config$n = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$m } = constants
+const config$o = {
   commandName: 'optimize',
   description: 'Optimize dependencies with @socketregistry overrides',
   hidden: false,
@@ -7425,20 +7476,20 @@ const config$n = {
   `
 }
 const cmdOptimize = {
-  description: config$n.description,
-  hidden: config$n.hidden,
-  run: run$n
+  description: config$o.description,
+  hidden: config$o.hidden,
+  run: run$o
 }
-async function run$n(argv, importMeta, { parentName }) {
+async function run$o(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$n,
+    config: config$o,
     importMeta,
     parentName
   })
   const cwd = process.cwd()
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$l)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$m)
     return
   }
   await applyOptimization(
@@ -7539,8 +7590,8 @@ async function handleOrganizationList(outputKind = 'text') {
   await outputOrganizationList(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k } = constants
-const config$m = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$l } = constants
+const config$n = {
   commandName: 'list',
   description: 'List organizations associated with the API key used',
   hidden: false,
@@ -7557,18 +7608,18 @@ const config$m = {
       - Permissions: none (does need a token)
 
     Options
-      ${getFlagListOutput(config$m.flags, 6)}
+      ${getFlagListOutput(config$n.flags, 6)}
   `
 }
 const cmdOrganizationList = {
-  description: config$m.description,
-  hidden: config$m.hidden,
-  run: run$m
+  description: config$n.description,
+  hidden: config$n.hidden,
+  run: run$n
 }
-async function run$m(argv, importMeta, { parentName }) {
+async function run$n(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$m,
+    config: config$n,
     importMeta,
     parentName
   })
@@ -7596,7 +7647,7 @@ async function run$m(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$k)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$l)
     return
   }
   await handleOrganizationList(json ? 'json' : markdown ? 'markdown' : 'text')
@@ -7640,8 +7691,7 @@ async function outputLicensePolicy(data, outputKind) {
   logger.logger.log('This is the license policy for your organization:')
   logger.logger.log('')
   const rules = data.license_policy
-  // @ts-ignore -- not sure what it's complaining about
-  const entries = Object.entries(rules)
+  const entries = rules ? Object.entries(rules) : []
   const mapped = entries.map(([key, value]) => [
     key,
     value.allowed ? ' yes' : ' no'
@@ -7659,10 +7709,10 @@ async function handleLicensePolicy(orgSlug, outputKind) {
   await outputLicensePolicy(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$j } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k } = constants
 
 // TODO: secret toplevel alias `socket license policy`?
-const config$l = {
+const config$m = {
   commandName: 'license',
   description: 'Retrieve the license policy of an organization',
   hidden: true,
@@ -7679,7 +7729,7 @@ const config$l = {
       - Permissions: license-policy:read
 
     Options
-      ${getFlagListOutput(config$l.flags, 6)}
+      ${getFlagListOutput(config$m.flags, 6)}
 
     Your API token will need the \`license-policy:read\` permission otherwise
     the request will fail with an authentication error.
@@ -7690,14 +7740,14 @@ const config$l = {
   `
 }
 const cmdOrganizationPolicyLicense = {
-  description: config$l.description,
-  hidden: config$l.hidden,
-  run: run$l
+  description: config$m.description,
+  hidden: config$m.hidden,
+  run: run$m
 }
-async function run$l(argv, importMeta, { parentName }) {
+async function run$m(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$l,
+    config: config$m,
     importMeta,
     parentName
   })
@@ -7734,7 +7784,7 @@ async function run$l(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$j)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$k)
     return
   }
   await handleLicensePolicy(
@@ -7786,7 +7836,7 @@ async function outputSecurityPolicy(data, outputKind) {
   )
   logger.logger.log('')
   const rules = data.securityPolicyRules
-  const entries = Object.entries(rules)
+  const entries = rules ? Object.entries(rules) : []
   const mapped = entries.map(([key, value]) => [key, value.action])
   mapped.sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
   logger.logger.log(mdTableOfPairs(mapped, ['name', 'action']))
@@ -7801,10 +7851,10 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
   await outputSecurityPolicy(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$i } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$j } = constants
 
 // TODO: secret toplevel alias `socket security policy`?
-const config$k = {
+const config$l = {
   commandName: 'security',
   description: 'Retrieve the security policy of an organization',
   hidden: true,
@@ -7821,7 +7871,7 @@ const config$k = {
       - Permissions: security-policy:read
 
     Options
-      ${getFlagListOutput(config$k.flags, 6)}
+      ${getFlagListOutput(config$l.flags, 6)}
 
     Your API token will need the \`security-policy:read\` permission otherwise
     the request will fail with an authentication error.
@@ -7832,14 +7882,14 @@ const config$k = {
   `
 }
 const cmdOrganizationPolicyPolicy = {
-  description: config$k.description,
-  hidden: config$k.hidden,
-  run: run$k
+  description: config$l.description,
+  hidden: config$l.hidden,
+  run: run$l
 }
-async function run$k(argv, importMeta, { parentName }) {
+async function run$l(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$k,
+    config: config$l,
     importMeta,
     parentName
   })
@@ -7876,7 +7926,7 @@ async function run$k(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$i)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$j)
     return
   }
   await handleSecurityPolicy(
@@ -7962,8 +8012,8 @@ async function handleQuota(outputKind = 'text') {
   await outputQuota(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h } = constants
-const config$j = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$i } = constants
+const config$k = {
   commandName: 'quota',
   description: 'List organizations associated with the API key used',
   hidden: true,
@@ -7976,18 +8026,18 @@ const config$j = {
       $ ${command}
 
     Options
-      ${getFlagListOutput(config$j.flags, 6)}
+      ${getFlagListOutput(config$k.flags, 6)}
   `
 }
 const cmdOrganizationQuota = {
-  description: config$j.description,
-  hidden: config$j.hidden,
-  run: run$j
+  description: config$k.description,
+  hidden: config$k.hidden,
+  run: run$k
 }
-async function run$j(argv, importMeta, { parentName }) {
+async function run$k(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$j,
+    config: config$k,
     importMeta,
     parentName
   })
@@ -8015,7 +8065,7 @@ async function run$j(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$h)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$i)
     return
   }
   await handleQuota(json ? 'json' : markdown ? 'markdown' : 'text')
@@ -8356,8 +8406,8 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$g } = constants
-const config$i = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h } = constants
+const config$j = {
   commandName: 'score',
   description:
     '[beta] Look up score for one package which reflects all of its transitive dependencies as well',
@@ -8400,14 +8450,14 @@ const config$i = {
   `
 }
 const cmdPackageScore = {
-  description: config$i.description,
-  hidden: config$i.hidden,
-  run: run$i
+  description: config$j.description,
+  hidden: config$j.hidden,
+  run: run$j
 }
-async function run$i(argv, importMeta, { parentName }) {
+async function run$j(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$i,
+    config: config$j,
     importMeta,
     parentName
   })
@@ -8448,7 +8498,7 @@ async function run$i(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$g)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$h)
     return
   }
   await handlePurlDeepScore(
@@ -8513,7 +8563,7 @@ function outputPurlsShallowScore(purls, packageData, outputKind) {
     return true // not found
   })
   if (outputKind === 'markdown') {
-    logger.logger.log(vendor.stripIndents`
+    logger.logger.log(vendor.html`
       # Shallow Package Report
 
       This report contains the response for requesting data on some package url(s).
@@ -8654,8 +8704,8 @@ async function handlePurlsShallowScore({ outputKind, purls }) {
   outputPurlsShallowScore(purls, packageData.data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$f } = constants
-const config$h = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$g } = constants
+const config$i = {
   commandName: 'shallow',
   description:
     '[beta] Look up info regarding one or more packages but not their transitives',
@@ -8698,21 +8748,21 @@ const config$h = {
   `
 }
 const cmdPackageShallow = {
-  description: config$h.description,
-  hidden: config$h.hidden,
+  description: config$i.description,
+  hidden: config$i.hidden,
   alias: {
     shallowScore: {
-      description: config$h.description,
+      description: config$i.description,
       hidden: true,
       argv: []
     }
   },
-  run: run$h
+  run: run$i
 }
-async function run$h(argv, importMeta, { parentName }) {
+async function run$i(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$h,
+    config: config$i,
     importMeta,
     parentName
   })
@@ -8745,7 +8795,7 @@ async function run$h(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$f)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$g)
     return
   }
   await handlePurlsShallowScore({
@@ -8797,8 +8847,8 @@ async function runRawNpm(argv) {
   await spawnPromise
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$e, NPM } = constants
-const config$g = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$f, NPM } = constants
+const config$h = {
   commandName: 'raw-npm',
   description: `Temporarily disable the Socket ${NPM} wrapper`,
   hidden: false,
@@ -8812,20 +8862,20 @@ const config$g = {
   `
 }
 const cmdRawNpm = {
-  description: config$g.description,
-  hidden: config$g.hidden,
-  run: run$g
+  description: config$h.description,
+  hidden: config$h.hidden,
+  run: run$h
 }
-async function run$g(argv, importMeta, { parentName }) {
+async function run$h(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$g,
+    config: config$h,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$e)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$f)
     return
   }
   await runRawNpm(argv)
@@ -8847,8 +8897,8 @@ async function runRawNpx(argv) {
   await spawnPromise
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$d, NPX } = constants
-const config$f = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$e, NPX } = constants
+const config$g = {
   commandName: 'raw-npx',
   description: `Temporarily disable the Socket ${NPX} wrapper`,
   hidden: false,
@@ -8862,26 +8912,26 @@ const config$f = {
   `
 }
 const cmdRawNpx = {
-  description: config$f.description,
-  hidden: config$f.hidden,
-  run: run$f
+  description: config$g.description,
+  hidden: config$g.hidden,
+  run: run$g
 }
-async function run$f(argv, importMeta, { parentName }) {
+async function run$g(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$f,
+    config: config$g,
     importMeta,
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$d)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$e)
     return
   }
   await runRawNpx(argv)
 }
 
-const config$e = {
+const config$f = {
   commandName: 'create',
   description: '[Deprecated] Create a project report',
   hidden: false,
@@ -8895,14 +8945,14 @@ const config$e = {
   `
 }
 const cmdReportCreate = {
-  description: config$e.description,
-  hidden: config$e.hidden,
-  run: run$e
+  description: config$f.description,
+  hidden: config$f.hidden,
+  run: run$f
 }
-async function run$e(argv, importMeta, { parentName }) {
+async function run$f(argv, importMeta, { parentName }) {
   meowOrExit({
     argv,
-    config: config$e,
+    config: config$f,
     importMeta,
     parentName
   })
@@ -8912,7 +8962,7 @@ async function run$e(argv, importMeta, { parentName }) {
   process.exitCode = 1
 }
 
-const config$d = {
+const config$e = {
   commandName: 'view',
   description: '[Deprecated] View a project report',
   hidden: false,
@@ -8926,14 +8976,14 @@ const config$d = {
   `
 }
 const cmdReportView = {
-  description: config$d.description,
-  hidden: config$d.hidden,
-  run: run$d
+  description: config$e.description,
+  hidden: config$e.hidden,
+  run: run$e
 }
-async function run$d(argv, importMeta, { parentName }) {
+async function run$e(argv, importMeta, { parentName }) {
   meowOrExit({
     argv,
-    config: config$d,
+    config: config$e,
     importMeta,
     parentName
   })
@@ -9020,8 +9070,8 @@ async function handleCreateRepo({
   await outputCreateRepo()
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$c } = constants
-const config$c = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$d } = constants
+const config$d = {
   commandName: 'create',
   description: 'Create a repository in an organization',
   hidden: false,
@@ -9074,14 +9124,14 @@ const config$c = {
   `
 }
 const cmdReposCreate = {
-  description: config$c.description,
-  hidden: config$c.hidden,
-  run: run$c
+  description: config$d.description,
+  hidden: config$d.hidden,
+  run: run$d
 }
-async function run$c(argv, importMeta, { parentName }) {
+async function run$d(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$c,
+    config: config$d,
     importMeta,
     parentName
   })
@@ -9116,7 +9166,7 @@ async function run$c(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$c)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$d)
     return
   }
   await handleCreateRepo({
@@ -9145,8 +9195,8 @@ async function handleDeleteRepo(orgSlug, repoName) {
   spinner.successAndStop('Repository deleted successfully')
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$b } = constants
-const config$b = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$c } = constants
+const config$c = {
   commandName: 'del',
   description: 'Delete a repository in an organization',
   hidden: false,
@@ -9169,14 +9219,14 @@ const config$b = {
   `
 }
 const cmdReposDel = {
-  description: config$b.description,
-  hidden: config$b.hidden,
-  run: run$b
+  description: config$c.description,
+  hidden: config$c.hidden,
+  run: run$c
 }
-async function run$b(argv, importMeta, { parentName }) {
+async function run$c(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$b,
+    config: config$c,
     importMeta,
     parentName
   })
@@ -9211,7 +9261,7 @@ async function run$b(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$b)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$c)
     return
   }
   await handleDeleteRepo(orgSlug, repoName)
@@ -9300,8 +9350,8 @@ async function handleListRepos({
   await outputListRepos(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$a } = constants
-const config$a = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$b } = constants
+const config$b = {
   commandName: 'list',
   description: 'List repositories in an organization',
   hidden: false,
@@ -9348,14 +9398,14 @@ const config$a = {
   `
 }
 const cmdReposList = {
-  description: config$a.description,
-  hidden: config$a.hidden,
-  run: run$a
+  description: config$b.description,
+  hidden: config$b.hidden,
+  run: run$b
 }
-async function run$a(argv, importMeta, { parentName }) {
+async function run$b(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$a,
+    config: config$b,
     importMeta,
     parentName
   })
@@ -9392,7 +9442,7 @@ async function run$a(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$a)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$b)
     return
   }
   await handleListRepos({
@@ -9462,8 +9512,8 @@ async function handleUpdateRepo({
   await outputUpdateRepo()
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$9 } = constants
-const config$9 = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$a } = constants
+const config$a = {
   commandName: 'update',
   description: 'Update a repository in an organization',
   hidden: false,
@@ -9516,14 +9566,14 @@ const config$9 = {
   `
 }
 const cmdReposUpdate = {
-  description: config$9.description,
-  hidden: config$9.hidden,
-  run: run$9
+  description: config$a.description,
+  hidden: config$a.hidden,
+  run: run$a
 }
-async function run$9(argv, importMeta, { parentName }) {
+async function run$a(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$9,
+    config: config$a,
     importMeta,
     parentName
   })
@@ -9558,7 +9608,7 @@ async function run$9(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$9)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$a)
     return
   }
   await handleUpdateRepo({
@@ -9660,8 +9710,8 @@ async function handleViewRepo(orgSlug, repoName, outputKind) {
   await outputViewRepo(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$8 } = constants
-const config$8 = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$9 } = constants
+const config$9 = {
   commandName: 'view',
   description: 'View repositories in an organization',
   hidden: false,
@@ -9690,14 +9740,14 @@ const config$8 = {
   `
 }
 const cmdReposView = {
-  description: config$8.description,
-  hidden: config$8.hidden,
-  run: run$8
+  description: config$9.description,
+  hidden: config$9.hidden,
+  run: run$9
 }
-async function run$8(argv, importMeta, { parentName }) {
+async function run$9(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$8,
+    config: config$9,
     importMeta,
     parentName
   })
@@ -9740,7 +9790,7 @@ async function run$8(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$8)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$9)
     return
   }
   await handleViewRepo(
@@ -9835,8 +9885,8 @@ async function suggestTarget() {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$7 } = constants
-const config$7 = {
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$8 } = constants
+const config$8 = {
   commandName: 'create',
   description: 'Create a scan',
   hidden: false,
@@ -9942,6 +9992,9 @@ const config$7 = {
     When a FILE is given only that FILE is targeted. Otherwise any eligible
     files in the given DIR will be considered.
 
+    The --repo and --branch flags tell Socket to associate this Scan with that
+    repo/branch. The names will show up on your dashboard on the Socket website.
+
     Note: for a first run you probably want to set --defaultBranch to indicate
           the default branch name, like "main" or "master".
 
@@ -9956,14 +10009,14 @@ const config$7 = {
   `
 }
 const cmdScanCreate = {
-  description: config$7.description,
-  hidden: config$7.hidden,
-  run: run$7
+  description: config$8.description,
+  hidden: config$8.hidden,
+  run: run$8
 }
-async function run$7(argv, importMeta, { parentName }) {
+async function run$8(argv, importMeta, { parentName }) {
   const cli = meowOrExit({
     argv,
-    config: config$7,
+    config: config$8,
     importMeta,
     parentName
   })
@@ -10015,154 +10068,484 @@ async function run$7(argv, importMeta, { parentName }) {
       if (suggestion) {
         orgSlug = suggestion
       }
-      updatedInput = true
+      updatedInput = true
+    }
+  }
+  if (updatedInput && orgSlug && targets?.length) {
+    logger.logger.error(
+      'Note: You can invoke this command next time to skip the interactive questions:'
+    )
+    logger.logger.error('```')
+    logger.logger.error(
+      `    socket scan create [other flags...] ${defaultOrgSlug ? '' : orgSlug} ${targets.join(' ')}`
+    )
+    logger.logger.error('```\n')
+  }
+  const wasBadInput = handleBadInput(
+    {
+      nook: !!defaultOrgSlug,
+      test: !!orgSlug && orgSlug !== '.',
+      message: 'Org name as the first argument',
+      pass: 'ok',
+      fail:
+        orgSlug === '.'
+          ? 'dot is an invalid org, most likely you forgot the org name here?'
+          : 'missing'
+    },
+    {
+      test: !!targets.length,
+      message: 'At least one TARGET (e.g. `.` or `./package.json`)',
+      pass: 'ok',
+      fail: 'missing (or perhaps you forgot the org slug?)'
+    },
+    {
+      nook: true,
+      test: !json || !markdown,
+      message: 'The json and markdown flags cannot be both set, pick one',
+      pass: 'ok',
+      fail: 'omit one'
+    },
+    {
+      nook: true,
+      test: !!apiToken,
+      message: 'This command requires an API token for access',
+      pass: 'ok',
+      fail: 'missing (try `socket login`)'
+    },
+    {
+      nook: true,
+      test: !pendingHead || !tmp,
+      message: 'Can not use --pendingHead and --tmp at the same time',
+      pass: 'ok',
+      fail: 'remove at least one flag'
+    },
+    {
+      nook: true,
+      test: !pendingHead || !!branchName,
+      message: 'When --pendingHead is set, --branch is mandatory',
+      pass: 'ok',
+      fail: 'missing branch name'
+    },
+    {
+      nook: true,
+      test: !defaultBranch || !!branchName,
+      message: 'When --defaultBranch is set, --branch is mandatory',
+      pass: 'ok',
+      fail: 'missing branch name'
+    }
+  )
+  if (wasBadInput) {
+    return
+  }
+
+  // Note exiting earlier to skirt a hidden auth requirement
+  if (dryRun) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$8)
+    return
+  }
+  await handleCreateNewScan({
+    branchName: branchName,
+    commitHash: (commitHash && String(commitHash)) || '',
+    commitMessage: (commitMessage && String(commitMessage)) || '',
+    committers: (committers && String(committers)) || '',
+    cwd,
+    defaultBranch: Boolean(defaultBranch),
+    orgSlug,
+    outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
+    pendingHead: Boolean(pendingHead),
+    pullRequest: Number(pullRequest),
+    readOnly: Boolean(readOnly),
+    repoName: repoName,
+    report,
+    targets,
+    tmp: Boolean(tmp)
+  })
+}
+
+async function fetchDeleteOrgFullScan(orgSlug, scanId) {
+  const sockSdk = await shadowNpmInject.setupSdk()
+
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  spinner.start('Requesting the scan to be deleted...')
+  const result = await handleApiCall(
+    sockSdk.deleteOrgFullScan(orgSlug, scanId),
+    'Deleting scan'
+  )
+  spinner.successAndStop('Received response for deleting a scan.')
+  if (!result.success) {
+    handleUnsuccessfulApiResponse('deleteOrgFullScan', result)
+  }
+  return result.data
+}
+
+async function outputDeleteScan(_data) {
+  logger.logger.success('Scan deleted successfully')
+}
+
+async function handleDeleteScan(orgSlug, scanId) {
+  const data = await fetchDeleteOrgFullScan(orgSlug, scanId)
+  if (!data) {
+    return
+  }
+  await outputDeleteScan()
+}
+
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$7 } = constants
+const config$7 = {
+  commandName: 'del',
+  description: 'Delete a scan',
+  hidden: false,
+  flags: {
+    ...commonFlags,
+    ...outputFlags
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command} <org slug> <scan ID>
+
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:delete
+
+    Options
+      ${getFlagListOutput(config.flags, 6)}
+
+    Examples
+      $ ${command} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0
+  `
+}
+const cmdScanDel = {
+  description: config$7.description,
+  hidden: config$7.hidden,
+  run: run$7
+}
+async function run$7(argv, importMeta, { parentName }) {
+  const cli = meowOrExit({
+    argv,
+    config: config$7,
+    importMeta,
+    parentName
+  })
+  const defaultOrgSlug = shadowNpmInject.getConfigValue('defaultOrg')
+  const orgSlug = defaultOrgSlug || cli.input[0] || ''
+  const scanId = (defaultOrgSlug ? cli.input[0] : cli.input[1]) || ''
+  const apiToken = shadowNpmInject.getDefaultToken()
+  const wasBadInput = handleBadInput(
+    {
+      nook: !!defaultOrgSlug,
+      test: !!orgSlug && orgSlug !== '.',
+      message: 'Org name as the first argument',
+      pass: 'ok',
+      fail:
+        orgSlug === '.'
+          ? 'dot is an invalid org, most likely you forgot the org name here?'
+          : 'missing'
+    },
+    {
+      test: !!scanId,
+      message: 'Scan ID to delete',
+      pass: 'ok',
+      fail: 'missing'
+    },
+    {
+      nook: true,
+      test: !!apiToken,
+      message:
+        'You need to be logged in to use this command. See `socket login`.',
+      pass: 'ok',
+      fail: 'missing API token'
+    }
+  )
+  if (wasBadInput) {
+    return
+  }
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$7)
+    return
+  }
+  await handleDeleteScan(orgSlug, scanId)
+}
+
+async function fetchDiffScan({ id1, id2, orgSlug }) {
+  const apiToken = shadowNpmInject.getDefaultToken()
+
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  logger.logger.error('Scan ID 1:', id1)
+  logger.logger.error('Scan ID 2:', id2)
+  spinner.start('Fetching scan diff... (this may take a while)')
+  const response = await queryApi(
+    `orgs/${orgSlug}/full-scans/diff?before=${encodeURIComponent(id1)}&after=${encodeURIComponent(id2)}`,
+    apiToken || ''
+  )
+  spinner.successAndStop('Received scan diff response')
+  if (!response.ok) {
+    const err = await handleApiError(response.status)
+    logger.logger.fail(failMsgWithBadge(response.statusText, err))
+    return
+  }
+  const result = await handleApiCall(
+    await response.json(),
+    'Deserializing json'
+  )
+  return result
+}
+
+const SOCKET_SBOM_URL_PREFIX$1 =
+  'https://socket.dev/dashboard/org/SocketDev/sbom/'
+async function outputDiffScan(result, { depth, file, outputKind }) {
+  const dashboardUrl = result.diff_report_url
+  const dashboardMessage = dashboardUrl
+    ? `\n View this diff scan in the Socket dashboard: ${vendor.yoctocolorsCjsExports.cyan(dashboardUrl)}`
+    : ''
+
+  // When forcing json, or dumping to file, serialize to string such that it
+  // won't get truncated. The only way to dump the full raw JSON to stdout is
+  // to use `--json --file -` (the dash is a standard notation for stdout)
+  if (outputKind === 'json' || file) {
+    let json
+    try {
+      json = JSON.stringify(result, null, 2)
+    } catch (e) {
+      process.exitCode = 1
+      // Most likely caused by a circular reference (or OOM)
+      logger.logger.fail('There was a problem converting the data to JSON')
+      logger.logger.error(e)
+      return
+    }
+    if (file && file !== '-') {
+      logger.logger.log(`Writing json to \`${file}\``)
+      fs$1.writeFile(file, JSON.stringify(result, null, 2), err => {
+        if (err) {
+          logger.logger.fail(`Writing to \`${file}\` failed...`)
+          logger.logger.error(err)
+        } else {
+          logger.logger.log(`Data successfully written to \`${file}\``)
+        }
+        logger.logger.error(dashboardMessage)
+      })
+    } else {
+      // TODO: expose different method for writing to stderr when simply dodging stdout
+      logger.logger.error(`\n Diff scan result: \n`)
+      logger.logger.log(json)
+      logger.logger.error(dashboardMessage)
+    }
+    return
+  }
+  if (outputKind === 'markdown') {
+    logger.logger.log('# Scan diff result')
+    logger.logger.log('')
+    logger.logger.log(
+      'This Socket.dev report shows the changes between two scans:'
+    )
+    logger.logger.log(
+      `- [${result.before.id}](${SOCKET_SBOM_URL_PREFIX$1}${result.before.id})`
+    )
+    logger.logger.log(
+      `- [${result.after.id}](${SOCKET_SBOM_URL_PREFIX$1}${result.after.id})`
+    )
+    logger.logger.log('')
+    logger.logger.log(
+      `You can [view this report in your dashboard](${result.diff_report_url})`
+    )
+    logger.logger.log('')
+    logger.logger.log('## Changes')
+    logger.logger.log('')
+    logger.logger.log(
+      `- directDependenciesChanged: ${result.directDependenciesChanged}`
+    )
+    logger.logger.log(`- Added packages: ${result.artifacts.added.length}`)
+    if (result.artifacts.added.length > 0) {
+      result.artifacts.added.slice(0, 10).forEach(artifact => {
+        logger.logger.log(
+          `  - ${artifact.type} ${artifact.name}@${artifact.version}`
+        )
+      })
+      if (result.artifacts.added.length > 10) {
+        logger.logger.log(
+          `  ... and ${result.artifacts.added.length - 10} more`
+        )
+      }
+    }
+    logger.logger.log(`- Removed packages: ${result.artifacts.removed.length}`)
+    if (result.artifacts.removed.length > 0) {
+      result.artifacts.removed.slice(0, 10).forEach(artifact => {
+        logger.logger.log(
+          `  - ${artifact.type} ${artifact.name}@${artifact.version}`
+        )
+      })
+      if (result.artifacts.removed.length > 10) {
+        logger.logger.log(
+          `  ... and ${result.artifacts.removed.length - 10} more`
+        )
+      }
+    }
+    logger.logger.log(
+      `- Replaced packages: ${result.artifacts.replaced.length}`
+    )
+    if (result.artifacts.replaced.length > 0) {
+      result.artifacts.replaced.slice(0, 10).forEach(artifact => {
+        logger.logger.log(
+          `  - ${artifact.type} ${artifact.name}@${artifact.version}`
+        )
+      })
+      if (result.artifacts.replaced.length > 10) {
+        logger.logger.log(
+          `  ... and ${result.artifacts.replaced.length - 10} more`
+        )
+      }
+    }
+    logger.logger.log(`- Updated packages: ${result.artifacts.updated.length}`)
+    if (result.artifacts.updated.length > 0) {
+      result.artifacts.updated.slice(0, 10).forEach(artifact => {
+        logger.logger.log(
+          `  - ${artifact.type} ${artifact.name}@${artifact.version}`
+        )
+      })
+      if (result.artifacts.updated.length > 10) {
+        logger.logger.log(
+          `  ... and ${result.artifacts.updated.length - 10} more`
+        )
+      }
+    }
+    logger.logger.log(
+      `- Unchanged packages: ${result.artifacts.unchanged.length}`
+    )
+    if (result.artifacts.unchanged.length > 0) {
+      result.artifacts.unchanged.slice(0, 10).forEach(artifact => {
+        logger.logger.log(
+          `  - ${artifact.type} ${artifact.name}@${artifact.version}`
+        )
+      })
+      if (result.artifacts.unchanged.length > 10) {
+        logger.logger.log(
+          `  ... and ${result.artifacts.unchanged.length - 10} more`
+        )
+      }
     }
-  }
-  if (updatedInput && orgSlug && targets?.length) {
-    logger.logger.error(
-      'Note: You can invoke this command next time to skip the interactive questions:'
+    logger.logger.log('')
+    logger.logger.log(`## Scan ${result.before.id}`)
+    logger.logger.log('')
+    logger.logger.log(
+      'This Scan was considered to be the "base" / "from" / "before" Scan.'
     )
-    logger.logger.error('```')
-    logger.logger.error(
-      `    socket scan create [other flags...] ${defaultOrgSlug ? '' : orgSlug} ${targets.join(' ')}`
+    logger.logger.log('')
+    for (const [key, value] of Object.entries(result.before)) {
+      if (key === 'pull_request' && !value) {
+        continue
+      }
+      if (!['id', 'organization_id', 'repository_id'].includes(key)) {
+        logger.logger.group(
+          `- ${key === 'repository_slug' ? 'repo' : key === 'organization_slug' ? 'org' : key}: ${value}`
+        )
+        logger.logger.groupEnd()
+      }
+    }
+    logger.logger.log('')
+    logger.logger.log(`## Scan ${result.after.id}`)
+    logger.logger.log('')
+    logger.logger.log(
+      'This Scan was considered to be the "head" / "to" / "after" Scan.'
     )
-    logger.logger.error('```\n')
-  }
-  const wasBadInput = handleBadInput(
-    {
-      nook: !!defaultOrgSlug,
-      test: !!orgSlug && orgSlug !== '.',
-      message: 'Org name as the first argument',
-      pass: 'ok',
-      fail:
-        orgSlug === '.'
-          ? 'dot is an invalid org, most likely you forgot the org name here?'
-          : 'missing'
-    },
-    {
-      test: !!targets.length,
-      message: 'At least one TARGET (e.g. `.` or `./package.json`)',
-      pass: 'ok',
-      fail: 'missing (or perhaps you forgot the org slug?)'
-    },
-    {
-      nook: true,
-      test: !json || !markdown,
-      message: 'The json and markdown flags cannot be both set, pick one',
-      pass: 'ok',
-      fail: 'omit one'
-    },
-    {
-      nook: true,
-      test: !!apiToken,
-      message: 'This command requires an API token for access',
-      pass: 'ok',
-      fail: 'missing (try `socket login`)'
-    },
-    {
-      nook: true,
-      test: !pendingHead || !tmp,
-      message: 'Can not use --pendingHead and --tmp at the same time',
-      pass: 'ok',
-      fail: 'remove at least one flag'
-    },
-    {
-      nook: true,
-      test: !pendingHead || !!branchName,
-      message: 'When --pendingHead is set, --branch is mandatory',
-      pass: 'ok',
-      fail: 'missing branch name'
-    },
-    {
-      nook: true,
-      test: !defaultBranch || !!branchName,
-      message: 'When --defaultBranch is set, --branch is mandatory',
-      pass: 'ok',
-      fail: 'missing branch name'
+    logger.logger.log('')
+    for (const [key, value] of Object.entries(result.after)) {
+      if (key === 'pull_request' && !value) {
+        continue
+      }
+      if (!['id', 'organization_id', 'repository_id'].includes(key)) {
+        logger.logger.group(
+          `- ${key === 'repository_slug' ? 'repo' : key === 'organization_slug' ? 'org' : key}: ${value}`
+        )
+        logger.logger.groupEnd()
+      }
     }
-  )
-  if (wasBadInput) {
-    return
-  }
-
-  // Note exiting earlier to skirt a hidden auth requirement
-  if (dryRun) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$7)
+    logger.logger.log('')
     return
   }
-  await handleCreateNewScan({
-    branchName: branchName,
-    commitHash: (commitHash && String(commitHash)) || '',
-    commitMessage: (commitMessage && String(commitMessage)) || '',
-    committers: (committers && String(committers)) || '',
-    cwd,
-    defaultBranch: Boolean(defaultBranch),
-    orgSlug,
-    outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
-    pendingHead: Boolean(pendingHead),
-    pullRequest: Number(pullRequest),
-    readOnly: Boolean(readOnly),
-    repoName: repoName,
-    report,
-    targets,
-    tmp: Boolean(tmp)
-  })
-}
 
-async function fetchDeleteOrgFullScan(orgSlug, scanId) {
-  const sockSdk = await shadowNpmInject.setupSdk()
+  // In this case neither the --json nor the --file flag was passed
+  // Dump the JSON to CLI and let NodeJS deal with truncation
 
-  // Lazily access constants.spinner.
-  const { spinner } = constants
-  spinner.start('Requesting the scan to be deleted...')
-  const result = await handleApiCall(
-    sockSdk.deleteOrgFullScan(orgSlug, scanId),
-    'Deleting scan'
+  logger.logger.log('Diff scan result:')
+  logger.logger.log(
+    require$$0.inspect(result, {
+      showHidden: false,
+      depth: depth > 0 ? depth : null,
+      colors: true,
+      maxArrayLength: null
+    })
   )
-  spinner.successAndStop('Received response for deleting a scan.')
-  if (!result.success) {
-    handleUnsuccessfulApiResponse('deleteOrgFullScan', result)
-  }
-  return result.data
-}
-
-async function outputDeleteScan(_data) {
-  logger.logger.success('Scan deleted successfully')
+  logger.logger.error(
+    `\n 📝 To display the detailed report in the terminal, use the --json flag. For a friendlier report, use the --markdown flag.\n`
+  )
+  logger.logger.log(dashboardMessage)
 }
 
-async function handleDeleteScan(orgSlug, scanId) {
-  const data = await fetchDeleteOrgFullScan(orgSlug, scanId)
+async function handleDiffScan({ depth, file, id1, id2, orgSlug, outputKind }) {
+  const data = await fetchDiffScan({
+    id1,
+    id2,
+    orgSlug
+  })
   if (!data) {
     return
   }
-  await outputDeleteScan()
+  await outputDiffScan(data, {
+    depth,
+    file,
+    outputKind
+  })
 }
 
 const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$6 } = constants
+const SOCKET_SBOM_URL_PREFIX =
+  'https://socket.dev/dashboard/org/SocketDev/sbom/'
 const config$6 = {
-  commandName: 'del',
-  description: 'Delete a scan',
+  commandName: 'diff',
+  description: 'See what changed between two Scans',
   hidden: false,
   flags: {
     ...commonFlags,
-    ...outputFlags
+    ...outputFlags,
+    depth: {
+      type: 'number',
+      default: 2,
+      description:
+        'Max depth of JSON to display before truncating, use zero for no limit (without --json/--file)'
+    },
+    file: {
+      type: 'string',
+      shortFlag: 'f',
+      default: '',
+      description:
+        'Path to a local file where the output should be saved. Use `-` to force stdout.'
+    }
   },
   help: (command, config) => `
     Usage
-      $ ${command} <org slug> <scan ID>
+      $ ${command} <org slug> <ID1> <ID2>
 
     API Token Requirements
       - Quota: 1 unit
-      - Permissions: full-scans:delete
+      - Permissions: full-scans:list
+
+    This command displays the package changes between two scans. The full output
+    can be pretty large depending on the size of your repo and time range. It is
+    best stored to disk (with --json) to be further analyzed by other tools.
+
+    Note: First Scan ID is assumed to be the older ID. This is only relevant for
+          the added/removed list (similar to diffing two files with git).
 
     Options
       ${getFlagListOutput(config.flags, 6)}
 
     Examples
-      $ ${command} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0
+      $ ${command} FakeCorp aaa0aa0a-aaaa-0000-0a0a-0000000a00a0 aaa1aa1a-aaaa-1111-1a1a-1111111a11a1
+      $ ${command} FakeCorp aaa0aa0a-aaaa-0000-0a0a-0000000a00a0 aaa1aa1a-aaaa-1111-1a1a-1111111a11a1 --json
   `
 }
-const cmdScanDel = {
+const cmdScanDiff = {
   description: config$6.description,
   hidden: config$6.hidden,
   run: run$6
@@ -10174,27 +10557,46 @@ async function run$6(argv, importMeta, { parentName }) {
     importMeta,
     parentName
   })
+  const { depth, file, json, markdown } = cli.flags
   const defaultOrgSlug = shadowNpmInject.getConfigValue('defaultOrg')
   const orgSlug = defaultOrgSlug || cli.input[0] || ''
-  const scanId = (defaultOrgSlug ? cli.input[0] : cli.input[1]) || ''
+  let id1 = cli.input[defaultOrgSlug ? 0 : 1] || ''
+  let id2 = cli.input[defaultOrgSlug ? 1 : 2] || ''
+  if (id1.startsWith(SOCKET_SBOM_URL_PREFIX)) {
+    id1 = id1.slice(SOCKET_SBOM_URL_PREFIX.length)
+  }
+  if (id2.startsWith(SOCKET_SBOM_URL_PREFIX)) {
+    id2 = id2.slice(SOCKET_SBOM_URL_PREFIX.length)
+  }
   const apiToken = shadowNpmInject.getDefaultToken()
   const wasBadInput = handleBadInput(
     {
-      nook: !!defaultOrgSlug,
-      test: !!orgSlug && orgSlug !== '.',
-      message: 'Org name as the first argument',
+      test: !!(id1 && id2),
+      message:
+        'Specify two Scan IDs.\nA Scan ID looks like `aaa0aa0a-aaaa-0000-0a0a-0000000a00a0`.',
       pass: 'ok',
       fail:
-        orgSlug === '.'
-          ? 'dot is an invalid org, most likely you forgot the org name here?'
-          : 'missing'
+        !id1 && !id2
+          ? 'missing both Scan IDs'
+          : !id2
+            ? 'missing second Scan ID'
+            : 'missing first Scan ID' // Not sure how this can happen but ok.
     },
     {
-      test: !!scanId,
-      message: 'Scan ID to delete',
+      test: !!orgSlug,
+      nook: true,
+      message: 'Org name as the first argument',
       pass: 'ok',
       fail: 'missing'
     },
+    {
+      nook: true,
+      test: !json || !markdown,
+      message:
+        'The `--json` and `--markdown` flags can not be used at the same time',
+      pass: 'ok',
+      fail: 'bad'
+    },
     {
       nook: true,
       test: !!apiToken,
@@ -10211,15 +10613,24 @@ async function run$6(argv, importMeta, { parentName }) {
     logger.logger.log(DRY_RUN_BAIL_TEXT$6)
     return
   }
-  await handleDeleteScan(orgSlug, scanId)
+  await handleDiffScan({
+    id1: String(id1 || ''),
+    id2: String(id2 || ''),
+    depth: Number(depth),
+    orgSlug,
+    outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
+    file: String(file || '')
+  })
 }
 
 async function fetchListScans({
+  branch,
   direction,
   from_time,
   orgSlug,
   page,
   per_page,
+  repo,
   sort
 }) {
   const sockSdk = await shadowNpmInject.setupSdk()
@@ -10229,6 +10640,16 @@ async function fetchListScans({
   spinner.start('Fetching list of scans...')
   const result = await handleApiCall(
     sockSdk.getOrgFullScanList(orgSlug, {
+      ...(branch
+        ? {
+            branch
+          }
+        : {}),
+      ...(repo
+        ? {
+            repo
+          }
+        : {}),
       sort,
       direction,
       per_page: String(per_page),
@@ -10260,6 +10681,10 @@ async function outputListScans(data, outputKind) {
         field: 'report_url',
         name: vendor.yoctocolorsCjsExports.magenta('Scan URL')
       },
+      {
+        field: 'repo',
+        name: vendor.yoctocolorsCjsExports.magenta('Repo')
+      },
       {
         field: 'branch',
         name: vendor.yoctocolorsCjsExports.magenta('Branch')
@@ -10283,6 +10708,7 @@ async function outputListScans(data, outputKind) {
             day: 'numeric'
           })
         : '',
+      repo: d.repo,
       branch: d.branch
     }
   })
@@ -10290,20 +10716,24 @@ async function outputListScans(data, outputKind) {
 }
 
 async function handleListScans({
+  branch,
   direction,
   from_time,
   orgSlug,
   outputKind,
   page,
   per_page,
+  repo,
   sort
 }) {
   const data = await fetchListScans({
+    branch,
     direction,
     from_time,
     orgSlug,
     page,
     per_page,
+    repo,
     sort
   })
   if (!data) {
@@ -10320,12 +10750,9 @@ const config$5 = {
   flags: {
     ...commonFlags,
     ...outputFlags,
-    sort: {
+    branch: {
       type: 'string',
-      shortFlag: 's',
-      default: 'created_at',
-      description:
-        'Sorting option (`name` or `created_at`) - default is `created_at`'
+      description: 'Filter to show only scans with this branch name'
     },
     direction: {
       type: 'string',
@@ -10333,11 +10760,11 @@ const config$5 = {
       default: 'desc',
       description: 'Direction option (`desc` or `asc`) - Default is `desc`'
     },
-    perPage: {
-      type: 'number',
-      shortFlag: 'pp',
-      default: 30,
-      description: 'Results per page - Default is 30'
+    fromTime: {
+      type: 'string',
+      shortFlag: 'f',
+      default: '',
+      description: 'From time - as a unix timestamp'
     },
     page: {
       type: 'number',
@@ -10345,11 +10772,22 @@ const config$5 = {
       default: 1,
       description: 'Page number - Default is 1'
     },
-    fromTime: {
+    perPage: {
+      type: 'number',
+      shortFlag: 'pp',
+      default: 30,
+      description: 'Results per page - Default is 30'
+    },
+    repo: {
       type: 'string',
-      shortFlag: 'f',
-      default: '',
-      description: 'From time - as a unix timestamp'
+      description: 'Filter to show only scans with this repository name'
+    },
+    sort: {
+      type: 'string',
+      shortFlag: 's',
+      default: 'created_at',
+      description:
+        'Sorting option (`name` or `created_at`) - default is `created_at`'
     },
     untilTime: {
       type: 'string',
@@ -10385,7 +10823,7 @@ async function run$5(argv, importMeta, { parentName }) {
     importMeta,
     parentName
   })
-  const { json, markdown } = cli.flags
+  const { branch, json, markdown, repo } = cli.flags
   const defaultOrgSlug = shadowNpmInject.getConfigValue('defaultOrg')
   const orgSlug = defaultOrgSlug || cli.input[0] || ''
   const apiToken = shadowNpmInject.getDefaultToken()
@@ -10424,12 +10862,14 @@ async function run$5(argv, importMeta, { parentName }) {
     return
   }
   await handleListScans({
+    branch: branch ? String(branch) : '',
     direction: String(cli.flags['direction'] || ''),
     from_time: String(cli.flags['fromTime'] || ''),
     orgSlug,
     outputKind: json ? 'json' : markdown ? 'markdown' : 'print',
     page: Number(cli.flags['page'] || 1),
     per_page: Number(cli.flags['perPage'] || 30),
+    repo: repo ? String(repo) : '',
     sort: String(cli.flags['sort'] || '')
   })
 }
@@ -10919,6 +11359,7 @@ const cmdScan = {
         create: cmdScanCreate,
         list: cmdScanList,
         del: cmdScanDel,
+        diff: cmdScanDiff,
         metadata: cmdScanMetadata,
         report: cmdScanReport,
         view: cmdScanView
@@ -11287,7 +11728,7 @@ async function run$1(argv, importMeta, { parentName }) {
 }
 
 function addSocketWrapper(file) {
-  return require$$0.appendFile(
+  return fs$1.appendFile(
     file,
     'alias npm="socket npm"\nalias npx="socket npx"\n',
     err => {
@@ -11296,7 +11737,7 @@ function addSocketWrapper(file) {
       }
       // TODO: pretty sure you need to source the file or restart
       //       any terminal session before changes are reflected.
-      logger.logger.log(vendor.stripIndents`
+      logger.logger.log(vendor.html`
 The alias was added to ${file}. Running 'npm install' will now be wrapped in Socket's "safe npm" 🎉
 If you want to disable it at any time, run \`socket wrapper --disable\`
 `)
@@ -11305,7 +11746,7 @@ If you want to disable it at any time, run \`socket wrapper --disable\`
 }
 
 function checkSocketWrapperSetup(file) {
-  const fileContent = require$$0.readFileSync(file, 'utf8')
+  const fileContent = fs$1.readFileSync(file, 'utf8')
   const linesWithSocketAlias = fileContent
     .split('\n')
     .filter(
@@ -11324,11 +11765,10 @@ async function postinstallWrapper() {
   // Lazily access constants.bashRcPath and constants.zshRcPath.
   const { bashRcPath, zshRcPath } = constants
   const socketWrapperEnabled =
-    (require$$0.existsSync(bashRcPath) &&
-      checkSocketWrapperSetup(bashRcPath)) ||
-    (require$$0.existsSync(zshRcPath) && checkSocketWrapperSetup(zshRcPath))
+    (fs$1.existsSync(bashRcPath) && checkSocketWrapperSetup(bashRcPath)) ||
+    (fs$1.existsSync(zshRcPath) && checkSocketWrapperSetup(zshRcPath))
   if (!socketWrapperEnabled) {
-    await installSafeNpm(vendor.stripIndents`
+    await installSafeNpm(vendor.html`
       The Socket CLI is now successfully installed! 🎉
 
       To better protect yourself against supply-chain attacks, our "safe npm" wrapper can warn you about malicious packages whenever you run 'npm install'.
@@ -11353,10 +11793,10 @@ async function installSafeNpm(query) {
     // Lazily access constants.bashRcPath and constants.zshRcPath.
     const { bashRcPath, zshRcPath } = constants
     try {
-      if (require$$0.existsSync(bashRcPath)) {
+      if (fs$1.existsSync(bashRcPath)) {
         addSocketWrapper(bashRcPath)
       }
-      if (require$$0.existsSync(zshRcPath)) {
+      if (fs$1.existsSync(zshRcPath)) {
         addSocketWrapper(zshRcPath)
       }
     } catch (e) {
@@ -11368,7 +11808,7 @@ async function installSafeNpm(query) {
 }
 
 function removeSocketWrapper(file) {
-  return require$$0.readFile(file, 'utf8', function (err, data) {
+  return fs$1.readFile(file, 'utf8', function (err, data) {
     if (err) {
       logger.logger.fail('There was an error removing the alias:')
       logger.logger.error(err)
@@ -11380,7 +11820,7 @@ function removeSocketWrapper(file) {
         l => l !== 'alias npm="socket npm"' && l !== 'alias npx="socket npx"'
       )
     const updatedFileContent = linesWithoutSocketAlias.join('\n')
-    require$$0.writeFile(file, updatedFileContent, function (err) {
+    fs$1.writeFile(file, updatedFileContent, function (err) {
       if (err) {
         logger.logger.error(err)
         return
@@ -11468,27 +11908,21 @@ async function run(argv, importMeta, { parentName }) {
   // Lazily access constants.bashRcPath and constants.zshRcPath.
   const { bashRcPath, zshRcPath } = constants
   if (enable) {
-    if (
-      require$$0.existsSync(bashRcPath) &&
-      !checkSocketWrapperSetup(bashRcPath)
-    ) {
+    if (fs$1.existsSync(bashRcPath) && !checkSocketWrapperSetup(bashRcPath)) {
       addSocketWrapper(bashRcPath)
     }
-    if (
-      require$$0.existsSync(zshRcPath) &&
-      !checkSocketWrapperSetup(zshRcPath)
-    ) {
+    if (fs$1.existsSync(zshRcPath) && !checkSocketWrapperSetup(zshRcPath)) {
       addSocketWrapper(zshRcPath)
     }
   } else {
-    if (require$$0.existsSync(bashRcPath)) {
+    if (fs$1.existsSync(bashRcPath)) {
       removeSocketWrapper(bashRcPath)
     }
-    if (require$$0.existsSync(zshRcPath)) {
+    if (fs$1.existsSync(zshRcPath)) {
       removeSocketWrapper(zshRcPath)
     }
   }
-  if (!require$$0.existsSync(bashRcPath) && !require$$0.existsSync(zshRcPath)) {
+  if (!fs$1.existsSync(bashRcPath) && !fs$1.existsSync(zshRcPath)) {
     logger.logger.fail(
       'There was an issue setting up the alias in your bash profile'
     )
@@ -11502,7 +11936,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: '0.14.102',
+    version: '0.14.104',
     ttl: 86_400_000 /* 24 hours in milliseconds */
   })
   try {
@@ -11539,7 +11973,7 @@ void (async () => {
         argv: process$1.argv.slice(2),
         name: SOCKET_CLI_BIN_NAME,
         importMeta: {
-          url: `${require$$0$2.pathToFileURL(__filename)}`
+          url: `${require$$0$1.pathToFileURL(__filename)}`
         }
       }
     )
@@ -11570,5 +12004,5 @@ void (async () => {
     await shadowNpmInject.captureException(e)
   }
 })()
-//# debugId=984cfa2c-d022-400b-b6cb-a91395f63be5
+//# debugId=35cb6fe4-28c3-408a-9222-5359160941e5
 //# sourceMappingURL=cli.js.map