@socketsecurity/cli 0.14.129 → 0.14.131

package/dist/{module-sync/cli.js → cli.js}

@@ -1,18 +1,7 @@
 'use strict'
 
-function _socketInterop(e) {
-  let c = 0
-  for (const k in e ?? {}) {
-    c = c === 0 && k === 'default' ? 1 : 0
-    if (!c && k !== '__esModule') {
-      break
-    }
-  }
-  return c ? e.default : e
-}
-
 const process$1 = require('node:process')
-const require$$0$1 = require('node:url')
+const require$$0 = require('node:url')
 const vendor = require('./vendor.js')
 const debug = require('@socketsecurity/registry/lib/debug')
 const logger = require('@socketsecurity/registry/lib/logger')
@@ -30,18 +19,50 @@ const fs$1 = require('node:fs')
 const shadowBin = require('./shadow-bin.js')
 const prompts = require('@socketsecurity/registry/lib/prompts')
 const shadowNpmPaths = require('./shadow-npm-paths.js')
-const require$$0 = require('node:util')
+const util = require('node:util')
 const arrays = require('@socketsecurity/registry/lib/arrays')
 const registry = require('@socketsecurity/registry')
 const npm = require('@socketsecurity/registry/lib/npm')
 const packages = require('@socketsecurity/registry/lib/packages')
-const packageurlJs = require('@socketregistry/packageurl-js')
 const spawn = require('@socketsecurity/registry/lib/spawn')
-const index_cjs = require('@socketregistry/hyrious__bun.lockb/index.cjs')
 const sorts = require('@socketsecurity/registry/lib/sorts')
 const registryConstants = require('@socketsecurity/registry/lib/constants')
-const isInteractive = require('@socketregistry/is-interactive/index.cjs')
 const promises = require('@socketsecurity/registry/lib/promises')
+require('node:os')
+require('node:buffer')
+require('node:util')
+require('node:path')
+require('node:fs')
+require('node:tty')
+require('node:https')
+require('node:http')
+require('node:url')
+require('node:process')
+require('node:events')
+require('node:http')
+require('node:https')
+require('node:readline')
+require('@socketsecurity/registry/lib/constants/abort-signal')
+require('node:fs/promises')
+require('node:child_process')
+require('node:os')
+require('node:tty')
+require('node:crypto')
+require('node:constants')
+require('node:stream')
+require('node:assert')
+require('node:stream')
+require('node:string_decoder')
+require('node:path/win32')
+require('node:module')
+require('node:events')
+require('node:buffer')
+require('node:string_decoder')
+require('node:child_process')
+require('@socketsecurity/registry/lib/fs')
+require('node:timers/promises')
+require('node:module')
+require('@socketsecurity/registry/lib/env')
 
 function failMsgWithBadge(badge, msg) {
   return `${vendor.yoctocolorsCjsExports.bgRed(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.white(` ${badge}: `)))} ${vendor.yoctocolorsCjsExports.bold(msg)}`
@@ -401,12 +422,12 @@ ${mdTableStringNumber('Name', 'Counts', data['top_five_alert_types'])}
 `
 }
 function displayAnalyticsScreen(data) {
-  const ScreenWidget = _socketInterop(require('blessed/lib/widgets/screen'))
+  const ScreenWidget = require('blessed/lib/widgets/screen')
   // Lazily access constants.blessedOptions.
   const screen = new ScreenWidget({
     ...constants.blessedOptions
   })
-  const contrib = _socketInterop(require('blessed-contrib'))
+  const contrib = require('blessed-contrib')
   const grid = new contrib.grid({
     rows: 5,
     cols: 4,
@@ -564,7 +585,7 @@ function formatDate(date) {
   return `${Months[new Date(date).getMonth()]} ${new Date(date).getDate()}`
 }
 function renderLineCharts(grid, screen, title, coords, data) {
-  const contrib = _socketInterop(require('blessed-contrib'))
+  const contrib = require('blessed-contrib')
   const line = grid.set(...coords, contrib.line, {
     style: {
       line: 'cyan',
@@ -917,7 +938,7 @@ function emitBanner(name) {
   logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-  const cliVersion = '0.14.129:a3be3d1:0b51011a:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  const cliVersion = '0.14.131:fb1cc4f:325534ec:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
   const nodeVersion = process$1.version
   const apiToken = shadowNpmInject.getDefaultToken()
   const defaultOrg = shadowNpmInject.getConfigValue('defaultOrg')
@@ -3535,7 +3556,7 @@ async function outputDiffScan$1(result, { depth, file, outputKind }) {
 
   logger.logger.log('Diff scan result:')
   logger.logger.log(
-    require$$0.inspect(result, {
+    util.inspect(result, {
       showHidden: false,
       depth: depth > 0 ? depth : null,
       colors: true,
@@ -3746,7 +3767,7 @@ function getBaseGitBranch() {
   )
 }
 function getSocketBranchName(purl, newVersion, workspaceName) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl)
   const maybeWorkspaceName = workspaceName
     ? `${formatBranchName(workspaceName)}-`
     : ''
@@ -3757,19 +3778,19 @@ function getSocketBranchName(purl, newVersion, workspaceName) {
   return `socket-fix-${fullName}-${formatBranchName(newVersion)}`
 }
 function getSocketPullRequestTitle(purl, newVersion, workspaceName) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl)
   const pkgName = getPkgNameFromPurlObj(purlObj)
   const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
   return `Bump ${pkgName} from ${purlObj.version} to ${newVersion}${workspaceDetails}`
 }
 function getSocketPullRequestBody(purl, newVersion, workspaceName) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl)
   const pkgName = getPkgNameFromPurlObj(purlObj)
   const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
   return `Bumps [${pkgName}](https://socket.dev/${purlObj.type}/package/${pkgName}) from ${purlObj.version} to ${newVersion}${workspaceDetails}.`
 }
 function getSocketCommitMessage(purl, newVersion, workspaceName) {
-  const purlObj = packageurlJs.PackageURL.fromString(purl)
+  const purlObj = vendor.packageurlJsExports.PackageURL.fromString(purl)
   const pkgName = getPkgNameFromPurlObj(purlObj)
   const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
   return `socket: Bump ${pkgName} from ${purlObj.version} to ${newVersion}${workspaceDetails}`
@@ -3788,29 +3809,6 @@ async function gitBranchExists(branch, cwd = process.cwd()) {
   } catch {}
   return false
 }
-async function gitCheckoutBaseBranchIfAvailable(
-  baseBranch,
-  cwd = process.cwd()
-) {
-  try {
-    await gitHardReset()
-    await spawn.spawn('git', ['fetch', '--depth=1', 'origin', baseBranch], {
-      cwd
-    })
-    await spawn.spawn('git', ['checkout', baseBranch], {
-      cwd
-    })
-    await spawn.spawn('git', ['reset', '--hard', `origin/${baseBranch}`], {
-      cwd
-    })
-    logger.logger.info(`Checked out and reset to ${baseBranch}`)
-  } catch (e) {
-    logger.logger.warn(
-      `Could not switch to ${baseBranch}. Proceeding with HEAD.`
-    )
-    debug.debugLog(e)
-  }
-}
 async function gitCleanFdx(cwd = process.cwd()) {
   await spawn.spawn('git', ['clean', '-fdx'], {
     cwd
@@ -4005,45 +4003,69 @@ async function openGitHubPullRequest(
   throw new Error('Missing GITHUB_ACTIONS environment variable')
 }
 
+const CMD_NAME$1 = 'socket fix'
+const alertMapOptions = Object.freeze({
+  consolidate: true,
+  include: {
+    existing: true,
+    unfixable: false,
+    upgradable: false
+  },
+  nothrow: true
+})
+function assignDefaultFixOptions(options) {
+  if (options.autoPilot === undefined) {
+    options.autoPilot = false
+  }
+  if (options.autoMerge === undefined) {
+    options.autoMerge = !!options.autoPilot
+  }
+  if (options.cwd === undefined) {
+    options.cwd = process.cwd()
+  }
+  if (options.rangeStyle === undefined) {
+    options.rangeStyle = 'preserve'
+  }
+  if (options.test === undefined) {
+    options.test = !!options.autoPilot || !!options.testScript
+  }
+  if (options.testScript === undefined) {
+    options.testScript = 'test'
+  }
+  return options
+}
+
 const { CI: CI$1, NPM: NPM$f } = constants
 async function install$1(idealTree, options) {
   const { cwd = process.cwd() } = {
     __proto__: null,
     ...options
   }
-  const arb2 = new shadowNpmInject.Arborist({
+  const arb = new shadowNpmInject.Arborist({
     path: cwd
   })
-  arb2.idealTree = idealTree
-  await arb2.reify()
+  arb.idealTree = idealTree
+  await arb.reify()
 }
 async function npmFix(
   pkgEnvDetails,
   { autoMerge, cwd, purls, rangeStyle, spinner, test, testScript }
 ) {
-  const { pkgPath: rootPath } = pkgEnvDetails
   spinner?.start()
+  const { pkgPath: rootPath } = pkgEnvDetails
   const arb = new shadowNpmInject.SafeArborist({
     path: rootPath,
     ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
   })
   // Calling arb.reify() creates the arb.diff object and nulls-out arb.idealTree.
   await arb.reify()
-  const alertMapOptions = {
-    consolidate: true,
-    include: {
-      existing: true,
-      unfixable: false,
-      upgradable: false
-    },
-    nothrow: true
-  }
   const alertsMap = purls.length
     ? await shadowNpmInject.getAlertsMapFromPurls(purls, alertMapOptions)
     : await shadowNpmInject.getAlertsMapFromArborist(arb, alertMapOptions)
   const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
   if (!infoByPkg) {
     spinner?.stop()
+    logger.logger.info('No fixable vulnerabilities found.')
     return
   }
 
@@ -4059,123 +4081,104 @@ async function npmFix(
     pkgEnvDetails.editablePkgJson.filename
   ]
   for (const { 0: name, 1: infos } of infoByPkg) {
-    const hasUpgrade = !!registry.getManifestData(NPM$f, name)
-    if (hasUpgrade) {
-      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
+    debug.debugLog(`Processing vulnerable package: ${name}`)
+    if (registry.getManifestData(NPM$f, name)) {
+      spinner?.info(`Socket Optimize package for ${name} exists, skipping`)
+      continue
+    }
+    if (!infos.length) {
+      debug.debugLog(`No vulnerability info found for ${name}`)
       continue
     }
-    arb.idealTree = null
     // eslint-disable-next-line no-await-in-loop
-    await arb.buildIdealTree()
-    const oldVersions = arrays.arrayUnique(
-      shadowNpmInject
-        .findPackageNodes(arb.idealTree, name)
-        .map(n => n.target?.version ?? n.version)
-        .filter(Boolean)
-    )
-    const packument =
-      oldVersions.length && infos.length
-        ? // eslint-disable-next-line no-await-in-loop
-          await packages.fetchPackagePackument(name)
-        : null
+    const packument = await packages.fetchPackagePackument(name)
     if (!packument) {
+      debug.debugLog(`No packument found for ${name}`)
       continue
     }
-    const failedSpecs = new Set()
+    const availableVersions = Object.keys(packument.versions)
     const fixedSpecs = new Set()
-    const installedSpecs = new Set()
-    const testedSpecs = new Set()
-    const unavailableSpecs = new Set()
-    const revertedSpecs = new Set()
     for (const pkgJsonPath of pkgJsonPaths) {
+      const pkgPath = path$1.dirname(pkgJsonPath)
+      const isWorkspaceRoot =
+        pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
+      const workspaceName = isWorkspaceRoot
+        ? 'root'
+        : path$1.relative(rootPath, pkgPath)
+      debug.debugLog(`Checking workspace: ${workspaceName}`)
+      arb.idealTree = null
+      // eslint-disable-next-line no-await-in-loop
+      await arb.buildIdealTree()
+      const oldVersions = arrays.arrayUnique(
+        shadowNpmInject
+          .findPackageNodes(arb.idealTree, name)
+          .map(n => n.target?.version ?? n.version)
+          .filter(Boolean)
+      )
+      if (!oldVersions.length) {
+        debug.debugLog(`Lockfile entries not found for ${name}`)
+        continue
+      }
+
+      // Always re-read the editable package.json to avoid stale mutations
+      // across iterations.
+      // eslint-disable-next-line no-await-in-loop
+      const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
+        editable: true
+      })
       for (const oldVersion of oldVersions) {
         const oldSpec = `${name}@${oldVersion}`
         const oldPurl = `pkg:npm/${oldSpec}`
+        const node = shadowNpmInject.findPackageNode(
+          arb.idealTree,
+          name,
+          oldVersion
+        )
+        if (!node) {
+          debug.debugLog(`Arborist node not found, skipping ${oldSpec}`)
+          continue
+        }
         for (const {
           firstPatchedVersionIdentifier,
           vulnerableVersionRange
         } of infos) {
-          const revertTree = arb.idealTree
-          arb.idealTree = null
-          // eslint-disable-next-line no-await-in-loop
-          await arb.buildIdealTree()
-          const node = shadowNpmInject.findPackageNode(
-            arb.idealTree,
-            name,
-            oldVersion
+          const newVersion = shadowNpmInject.findBestPatchVersion(
+            node,
+            availableVersions,
+            vulnerableVersionRange
           )
-          if (!node) {
-            debug.debugLog(
-              `Skipping ${oldSpec}, no node found in arborist.idealTree`,
-              pkgJsonPath
-            )
-            continue
-          }
-          if (
-            !shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
-          ) {
-            if (!unavailableSpecs.has(oldSpec)) {
-              unavailableSpecs.add(oldSpec)
-              spinner?.fail(`No update available for ${oldSpec}`)
-            }
+          const newVersionPackument = newVersion
+            ? packument.versions[newVersion]
+            : undefined
+          if (!(newVersion && newVersionPackument)) {
+            spinner?.fail(`No update found for ${oldSpec}.`)
             continue
           }
-          const isWorkspaceRoot =
-            pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
-          const workspaceName = isWorkspaceRoot
-            ? ''
-            : path$1.relative(rootPath, path$1.dirname(pkgJsonPath))
-          const workspaceDetails = workspaceName ? ` in ${workspaceName}` : ''
-          const editablePkgJson = isWorkspaceRoot
-            ? pkgEnvDetails.editablePkgJson
-            : // eslint-disable-next-line no-await-in-loop
-              await packages.readPackageJson(pkgJsonPath, {
-                editable: true
-              })
-          const newVersion = node.package.version
           const newVersionRange = shadowNpmInject.applyRange(
             oldVersion,
             newVersion,
             rangeStyle
           )
           const newSpec = `${name}@${newVersionRange}`
-          const newSpecKey = `${workspaceName ? `${workspaceName}>` : ''}${newSpec}`
-          const revertData = {
-            ...(editablePkgJson.content.dependencies
-              ? {
-                  dependencies: editablePkgJson.content.dependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.optionalDependencies
-              ? {
-                  optionalDependencies:
-                    editablePkgJson.content.optionalDependencies
-                }
-              : undefined),
-            ...(editablePkgJson.content.peerDependencies
-              ? {
-                  peerDependencies: editablePkgJson.content.peerDependencies
-                }
-              : undefined)
+          const newSpecKey = `${workspaceName}:${newSpec}`
+          if (fixedSpecs.has(newSpecKey)) {
+            debug.debugLog(
+              `Already fixed ${newSpec} in ${workspaceName}, skipping`
+            )
+            continue
           }
-          const branch = isCi
-            ? getSocketBranchName(oldPurl, newVersion, workspaceName)
-            : ''
-          const baseBranch = isCi ? getBaseGitBranch() : ''
-          const { owner, repo } = isCi
-            ? getGitHubEnvRepoInfo()
-            : {
-                owner: '',
-                repo: ''
-              }
-          const shouldOpenPr = isCi
-            ? // eslint-disable-next-line no-await-in-loop
-              !(await doesPullRequestExistForBranch(owner, repo, branch))
-            : false
-          if (isCi) {
-            // eslint-disable-next-line no-await-in-loop
-            await gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)
+          const revertData = {
+            ...(editablePkgJson.content.dependencies && {
+              dependencies: editablePkgJson.content.dependencies
+            }),
+            ...(editablePkgJson.content.optionalDependencies && {
+              optionalDependencies: editablePkgJson.content.optionalDependencies
+            }),
+            ...(editablePkgJson.content.peerDependencies && {
+              peerDependencies: editablePkgJson.content.peerDependencies
+            })
           }
+          shadowNpmInject.updateNode(node, newVersion, newVersionPackument)
           shadowNpmInject.updatePackageJsonFromNode(
             editablePkgJson,
             arb.idealTree,
@@ -4183,105 +4186,110 @@ async function npmFix(
             newVersion,
             rangeStyle
           )
-          let error
-          let errored = false
-          let saved = false
-
           // eslint-disable-next-line no-await-in-loop
-          if (await editablePkgJson.save()) {
-            saved = true
-          }
-          if (!installedSpecs.has(newSpecKey)) {
-            testedSpecs.add(newSpecKey)
-            spinner?.info(`Installing ${newSpec}${workspaceDetails}`)
+          if (!(await editablePkgJson.save())) {
+            debug.debugLog(
+              `Nothing changed for ${workspaceName}, skipping install`
+            )
+            continue
           }
+          spinner?.info(`Installing ${newSpec} in ${workspaceName}`)
+          let error
+          let errored = false
           try {
             // eslint-disable-next-line no-await-in-loop
             await install$1(arb.idealTree, {
               cwd
             })
             if (test) {
-              if (!testedSpecs.has(newSpecKey)) {
-                testedSpecs.add(newSpecKey)
-                spinner?.info(`Testing ${newSpec}${workspaceDetails}`)
-              }
+              spinner?.info(`Testing ${newSpec} in ${workspaceName}`)
               // eslint-disable-next-line no-await-in-loop
               await npm.runScript(testScript, [], {
                 spinner,
                 stdio: 'ignore'
               })
             }
-            if (!fixedSpecs.has(newSpecKey)) {
-              fixedSpecs.add(newSpecKey)
-              spinner?.successAndStop(`Fixed ${name}${workspaceDetails}`)
-              spinner?.start()
-            }
+            fixedSpecs.add(newSpecKey)
+            spinner?.successAndStop(`Fixed ${name} in ${workspaceName}`)
+            spinner?.start()
           } catch (e) {
-            error = e
             errored = true
+            error = e
           }
-          if (
-            !errored &&
-            shouldOpenPr &&
-            // eslint-disable-next-line no-await-in-loop
-            (await gitCreateAndPushBranchIfNeeded(
-              branch,
-              getSocketCommitMessage(oldPurl, newVersion, workspaceName),
-              cwd
-            ))
-          ) {
-            // eslint-disable-next-line no-await-in-loop
-            const prResponse = await openGitHubPullRequest(
-              owner,
-              repo,
-              baseBranch,
-              branch,
+          const baseBranch = isCi ? getBaseGitBranch() : ''
+          if (!errored && isCi) {
+            const branch = getSocketBranchName(
               oldPurl,
               newVersion,
-              {
-                cwd,
-                workspaceName
-              }
+              workspaceName
             )
-            if (prResponse) {
-              const { data } = prResponse
-              spinner?.info(`PR #${data.number} opened.`)
-              if (autoMerge) {
+            try {
+              const { owner, repo } = getGitHubEnvRepoInfo()
+              if (
+                // eslint-disable-next-line no-await-in-loop
+                (await doesPullRequestExistForBranch(owner, repo, branch)) ||
                 // eslint-disable-next-line no-await-in-loop
-                await enableAutoMerge(data)
+                !(await gitCreateAndPushBranchIfNeeded(
+                  branch,
+                  getSocketCommitMessage(oldPurl, newVersion, workspaceName),
+                  cwd
+                ))
+              ) {
+                continue
               }
-            }
-          }
-          if (errored || isCi) {
-            if (errored) {
-              if (!revertedSpecs.has(newSpecKey)) {
-                revertedSpecs.add(newSpecKey)
-                spinner?.error(`Reverting ${newSpec}${workspaceDetails}`, error)
+              // eslint-disable-next-line no-await-in-loop
+              const prResponse = await openGitHubPullRequest(
+                owner,
+                repo,
+                baseBranch,
+                branch,
+                oldPurl,
+                newVersion,
+                {
+                  cwd,
+                  workspaceName
+                }
+              )
+              if (prResponse) {
+                const { data } = prResponse
+                spinner?.info(`Opened PR #${data.number}.`)
+                if (autoMerge) {
+                  // eslint-disable-next-line no-await-in-loop
+                  await enableAutoMerge(data)
+                }
               }
+            } catch (e) {
+              error = e
+              errored = true
             }
-            if (saved) {
-              editablePkgJson.update(revertData)
-            }
+          }
+          if (isCi) {
             // eslint-disable-next-line no-await-in-loop
-            await Promise.all([
-              shadowNpmInject.removeNodeModules(cwd),
-              ...(isCi
-                ? [gitCheckoutBaseBranchIfAvailable(baseBranch, cwd)]
-                : []),
-              ...(saved && !isCi ? [editablePkgJson.save()] : [])
-            ])
+            await gitHardReset(baseBranch, cwd)
             // eslint-disable-next-line no-await-in-loop
-            await install$1(revertTree, {
+            await gitCleanFdx(cwd)
+            // eslint-disable-next-line no-await-in-loop
+            await install$1(arb.idealTree, {
               cwd
             })
-            if (errored) {
-              if (!failedSpecs.has(newSpecKey)) {
-                failedSpecs.add(newSpecKey)
-                spinner?.failAndStop(
-                  `Update failed for ${oldSpec}${workspaceDetails}`
-                )
-              }
+          }
+          if (errored) {
+            if (!isCi) {
+              editablePkgJson.update(revertData)
+              // eslint-disable-next-line no-await-in-loop
+              await Promise.all([
+                shadowNpmInject.removeNodeModules(cwd),
+                editablePkgJson.save()
+              ])
+              // eslint-disable-next-line no-await-in-loop
+              await install$1(arb.idealTree, {
+                cwd
+              })
             }
+            spinner?.failAndStop(
+              `Update failed for ${oldSpec} in ${workspaceName}`,
+              error
+            )
           }
         }
       }
@@ -4435,25 +4443,29 @@ async function install(pkgEnvDetails, options) {
   })
   return await getActualTree(cwd)
 }
+async function readLockfile(pkgPath) {
+  return await vendor.libExports$3.readWantedLockfile(pkgPath, {
+    ignoreIncompatible: false
+  })
+}
 async function pnpmFix(
   pkgEnvDetails,
   { autoMerge, cwd, purls, rangeStyle, spinner, test, testScript }
 ) {
+  spinner?.start()
   const { pkgPath: rootPath } = pkgEnvDetails
-  const lockfile = await vendor.libExports$3.readWantedLockfile(rootPath, {
-    ignoreIncompatible: false
-  })
+  let lockfile = await readLockfile(rootPath)
   if (!lockfile) {
-    return
-  }
-  const alertMapOptions = {
-    consolidate: true,
-    include: {
-      existing: true,
-      unfixable: false,
-      upgradable: false
-    },
-    nothrow: true
+    await install(pkgEnvDetails, {
+      cwd,
+      spinner
+    })
+    lockfile = await readLockfile(rootPath)
+    if (!lockfile) {
+      spinner?.stop()
+      logger.logger.error('Required pnpm-lock.yaml not found.')
+      return
+    }
   }
   const alertsMap = purls.length
     ? await shadowNpmInject.getAlertsMapFromPurls(purls, alertMapOptions)
@@ -4463,9 +4475,10 @@ async function pnpmFix(
       )
   const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
   if (!infoByPkg) {
+    spinner?.stop()
+    logger.logger.info('No fixable vulnerabilities found.')
     return
   }
-  spinner?.start()
 
   // Lazily access constants.ENV[CI].
   const isCi = constants.ENV[CI]
@@ -4473,13 +4486,6 @@ async function pnpmFix(
     pkgEnvDetails.agent,
     rootPath
   )
-  const baseBranch = isCi ? getBaseGitBranch() : ''
-  const { owner, repo } = isCi
-    ? getGitHubEnvRepoInfo()
-    : {
-        owner: '',
-        repo: ''
-      }
   const pkgJsonPaths = [
     ...workspacePkgJsonPaths,
     // Process the workspace root last since it will add an override to package.json.
@@ -4488,44 +4494,52 @@ async function pnpmFix(
   for (const { 0: name, 1: infos } of infoByPkg) {
     debug.debugLog(`Processing vulnerable package: ${name}`)
     if (registry.getManifestData(NPM$c, name)) {
-      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
+      spinner?.info(`Socket Optimize package for ${name} exists, skipping`)
+      continue
+    }
+    if (!infos.length) {
+      debug.debugLog(`No vulnerability info found for ${name}`)
       continue
     }
+    // eslint-disable-next-line no-await-in-loop
+    const packument = await packages.fetchPackagePackument(name)
+    if (!packument) {
+      debug.debugLog(`No packument found for ${name}`)
+      continue
+    }
+    const availableVersions = Object.keys(packument.versions)
     const fixedSpecs = new Set()
     for (const pkgJsonPath of pkgJsonPaths) {
-      debug.debugLog(`Checking workspace: ${pkgJsonPath}`)
-
-      // eslint-disable-next-line no-await-in-loop
-      let actualTree = await getActualTree(cwd)
+      const pkgPath = path$1.dirname(pkgJsonPath)
       const isWorkspaceRoot =
         pkgJsonPath === pkgEnvDetails.editablePkgJson.filename
       const workspaceName = isWorkspaceRoot
         ? 'root'
-        : path$1.relative(rootPath, path$1.dirname(pkgJsonPath))
+        : path$1.relative(rootPath, pkgPath)
+      debug.debugLog(`Checking workspace: ${workspaceName}`)
 
-      // Always re-read the editable package.json to avoid stale mutations across iterations
       // eslint-disable-next-line no-await-in-loop
-      const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
-        editable: true
-      })
-
-      // Get current overrides for revert logic
-      const oldPnpmSection = editablePkgJson.content[PNPM$8]
-      const oldOverrides = oldPnpmSection?.[OVERRIDES$2]
+      let actualTree = await getActualTree(cwd)
       const oldVersions = arrays.arrayUnique(
         shadowNpmInject
           .findPackageNodes(actualTree, name)
           .map(n => n.target?.version ?? n.version)
           .filter(Boolean)
       )
-      const packument =
-        oldVersions.length && infos.length
-          ? // eslint-disable-next-line no-await-in-loop
-            await packages.fetchPackagePackument(name)
-          : null
-      if (!packument) {
+      if (!oldVersions.length) {
+        debug.debugLog(`Lockfile entries not found for ${name}`)
         continue
       }
+
+      // Always re-read the editable package.json to avoid stale mutations
+      // across iterations.
+      // eslint-disable-next-line no-await-in-loop
+      const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
+        editable: true
+      })
+      // Get current overrides for revert logic
+      const oldPnpmSection = editablePkgJson.content[PNPM$8]
+      const oldOverrides = oldPnpmSection?.[OVERRIDES$2]
       for (const oldVersion of oldVersions) {
         const oldSpec = `${name}@${oldVersion}`
         const oldPurl = `pkg:npm/${oldSpec}`
@@ -4535,14 +4549,13 @@ async function pnpmFix(
           oldVersion
         )
         if (!node) {
-          debug.debugLog(`Skipping ${oldSpec}, no node found in ${pkgJsonPath}`)
+          debug.debugLog(`Arborist node not found, skipping ${oldSpec}`)
           continue
         }
         for (const {
           firstPatchedVersionIdentifier,
           vulnerableVersionRange
         } of infos) {
-          const availableVersions = Object.keys(packument.versions)
           const newVersion = shadowNpmInject.findBestPatchVersion(
             node,
             availableVersions,
@@ -4552,7 +4565,7 @@ async function pnpmFix(
             ? packument.versions[newVersion]
             : undefined
           if (!(newVersion && newVersionPackument)) {
-            spinner?.fail(`No update available for ${oldSpec}`)
+            spinner?.fail(`No update found for ${oldSpec}.`)
             continue
           }
           const overrideKey = `${name}@${vulnerableVersionRange}`
@@ -4608,28 +4621,27 @@ async function pnpmFix(
           if (updateData) {
             editablePkgJson.update(updateData)
           }
-          const modded = shadowNpmInject.updatePackageJsonFromNode(
+          shadowNpmInject.updatePackageJsonFromNode(
             editablePkgJson,
             actualTree,
             node,
             newVersion,
             rangeStyle
           )
-          debug.debugLog(`Updated package.json from node: ${modded}`)
-
           // eslint-disable-next-line no-await-in-loop
           if (!(await editablePkgJson.save())) {
             debug.debugLog(
-              `No changes saved for ${pkgJsonPath}, skipping install`
+              `Nothing changed for ${workspaceName}, skipping install`
             )
             continue
           }
           spinner?.info(`Installing ${newSpec} in ${workspaceName}`)
-          let errored = false
           let error
+          let errored = false
           try {
             // eslint-disable-next-line no-await-in-loop
             actualTree = await install(pkgEnvDetails, {
+              cwd,
               spinner
             })
             if (test) {
@@ -4643,25 +4655,31 @@ async function pnpmFix(
             fixedSpecs.add(newSpecKey)
             spinner?.successAndStop(`Fixed ${name} in ${workspaceName}`)
             spinner?.start()
+          } catch (e) {
+            error = e
+            errored = true
+          }
+          const baseBranch = isCi ? getBaseGitBranch() : ''
+          if (!errored && isCi) {
             const branch = getSocketBranchName(
               oldPurl,
               newVersion,
               workspaceName
             )
-            const shouldOpenPr = isCi
-              ? // eslint-disable-next-line no-await-in-loop
-                !(await doesPullRequestExistForBranch(owner, repo, branch))
-              : false
-            if (
-              isCi &&
-              shouldOpenPr &&
-              // eslint-disable-next-line no-await-in-loop
-              (await gitCreateAndPushBranchIfNeeded(
-                branch,
-                getSocketCommitMessage(oldPurl, newVersion, workspaceName),
-                cwd
-              ))
-            ) {
+            try {
+              const { owner, repo } = getGitHubEnvRepoInfo()
+              if (
+                // eslint-disable-next-line no-await-in-loop
+                (await doesPullRequestExistForBranch(owner, repo, branch)) ||
+                // eslint-disable-next-line no-await-in-loop
+                !(await gitCreateAndPushBranchIfNeeded(
+                  branch,
+                  getSocketCommitMessage(oldPurl, newVersion, workspaceName),
+                  cwd
+                ))
+              ) {
+                continue
+              }
               // eslint-disable-next-line no-await-in-loop
               const prResponse = await openGitHubPullRequest(
                 owner,
@@ -4677,41 +4695,46 @@ async function pnpmFix(
               )
               if (prResponse) {
                 const { data } = prResponse
-                spinner?.info(`PR #${data.number} opened.`)
+                spinner?.info(`Opened PR #${data.number}.`)
                 if (autoMerge) {
                   // eslint-disable-next-line no-await-in-loop
                   await enableAutoMerge(data)
                 }
               }
+            } catch (e) {
+              error = e
+              errored = true
             }
-          } catch (e) {
-            error = e
-            errored = true
           }
-          if (errored) {
-            editablePkgJson.update(revertData)
+          if (isCi) {
             // eslint-disable-next-line no-await-in-loop
-            await Promise.all([
-              shadowNpmInject.removeNodeModules(cwd),
-              editablePkgJson.save()
-            ])
+            await gitHardReset(baseBranch, cwd)
+            // eslint-disable-next-line no-await-in-loop
+            await gitCleanFdx(cwd)
             // eslint-disable-next-line no-await-in-loop
             actualTree = await install(pkgEnvDetails, {
+              cwd,
               spinner
             })
+          }
+          if (errored) {
+            if (!isCi) {
+              editablePkgJson.update(revertData)
+              // eslint-disable-next-line no-await-in-loop
+              await Promise.all([
+                shadowNpmInject.removeNodeModules(cwd),
+                editablePkgJson.save()
+              ])
+              // eslint-disable-next-line no-await-in-loop
+              actualTree = await install(pkgEnvDetails, {
+                cwd,
+                spinner
+              })
+            }
             spinner?.failAndStop(
               `Update failed for ${oldSpec} in ${workspaceName}`,
               error
             )
-          } else if (isCi) {
-            // eslint-disable-next-line no-await-in-loop
-            await gitHardReset(baseBranch, cwd)
-            // eslint-disable-next-line no-await-in-loop
-            await gitCleanFdx(cwd)
-            // eslint-disable-next-line no-await-in-loop
-            actualTree = await install(pkgEnvDetails, {
-              spinner
-            })
           }
         }
       }
@@ -4720,29 +4743,6 @@ async function pnpmFix(
   spinner?.stop()
 }
 
-const CMD_NAME$1 = 'socket fix'
-function assignDefaultFixOptions(options) {
-  if (options.autoPilot === undefined) {
-    options.autoPilot = false
-  }
-  if (options.autoMerge === undefined) {
-    options.autoMerge = !!options.autoPilot
-  }
-  if (options.cwd === undefined) {
-    options.cwd = process.cwd()
-  }
-  if (options.rangeStyle === undefined) {
-    options.rangeStyle = 'preserve'
-  }
-  if (options.test === undefined) {
-    options.test = !!options.autoPilot || !!options.testScript
-  }
-  if (options.testScript === undefined) {
-    options.testScript = 'test'
-  }
-  return options
-}
-
 const {
   BINARY_LOCK_EXT,
   BUN: BUN$5,
@@ -4846,7 +4846,7 @@ const readLockFileByAgent = (() => {
           const lockBuffer = await binaryReader(lockPath)
           if (lockBuffer) {
             try {
-              return index_cjs.parse(lockBuffer)
+              return vendor.hyrious__bun_lockbExports.parse(lockBuffer)
             } catch {}
           }
           // To print a Yarn lockfile to your console without writing it to disk
@@ -5661,7 +5661,7 @@ async function run$z(argv, importMeta, { parentName }) {
     logger.logger.log(DRY_RUN_BAIL_TEXT$w)
     return
   }
-  if (!isInteractive()) {
+  if (!vendor.isInteractiveExports()) {
     throw new shadowNpmInject.InputError(
       'Cannot prompt for credentials in a non-interactive shell'
     )
@@ -10818,7 +10818,7 @@ async function outputDiffScan(result, { depth, file, outputKind }) {
 
   logger.logger.log('Diff scan result:')
   logger.logger.log(
-    require$$0.inspect(result, {
+    util.inspect(result, {
       showHidden: false,
       depth: depth > 0 ? depth : null,
       colors: true,
@@ -11774,7 +11774,7 @@ async function outputThreatFeed(data, { outputKind }) {
   const descriptions = data.results.map(d => d.description)
 
   // Note: this temporarily takes over the terminal (just like `man` does).
-  const ScreenWidget = _socketInterop(require('blessed/lib/widgets/screen'))
+  const ScreenWidget = require('blessed/lib/widgets/screen')
   // Lazily access constants.blessedOptions.
   const screen = new ScreenWidget({
     ...constants.blessedOptions
@@ -11784,9 +11784,7 @@ async function outputThreatFeed(data, { outputKind }) {
   // node process just to exit it. That's very bad UX.
   // eslint-disable-next-line n/no-process-exit
   screen.key(['escape', 'q', 'C-c'], () => process.exit(0))
-  const TableWidget = _socketInterop(
-    require('blessed-contrib/lib/widget/table')
-  )
+  const TableWidget = require('blessed-contrib/lib/widget/table')
   const table = new TableWidget({
     keys: 'true',
     fg: 'white',
@@ -11809,7 +11807,7 @@ async function outputThreatFeed(data, { outputKind }) {
   })
 
   // Create details box at the bottom
-  const BoxWidget = _socketInterop(require('blessed/lib/widgets/box'))
+  const BoxWidget = require('blessed/lib/widgets/box')
   const detailsBox = new BoxWidget({
     bottom: 0,
     height: '30%',
@@ -12285,7 +12283,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: '0.14.129',
+    version: '0.14.131',
     ttl: 86_400_000 /* 24 hours in milliseconds */
   })
   try {
@@ -12322,7 +12320,7 @@ void (async () => {
         argv: process$1.argv.slice(2),
         name: SOCKET_CLI_BIN_NAME,
         importMeta: {
-          url: `${require$$0$1.pathToFileURL(__filename)}`
+          url: `${require$$0.pathToFileURL(__filename)}`
         }
       }
     )
@@ -12353,5 +12351,5 @@ void (async () => {
     await shadowNpmInject.captureException(e)
   }
 })()
-//# debugId=90dbfa83-8aa6-411e-b2ce-33af95fa70c1
+//# debugId=a84f4ae7-7eb2-48c7-b03a-37504c364d76
 //# sourceMappingURL=cli.js.map