@socketsecurity/cli 0.14.20 → 0.14.22

package/dist/cli.js

@@ -14,24 +14,23 @@ var require$$1$4 = require('node:fs/promises');
 var require$$1$3 = require('@npmcli/package-json');
 var require$$5$1 = require('@socketsecurity/registry');
 var require$$7 = require('npm-package-arg');
-var require$$0$1 = require('pacote');
 var require$$3 = require('semver');
-var require$$11 = require('tinyglobby');
-var require$$12 = require('yaml');
+var require$$10$1 = require('tinyglobby');
+var require$$11 = require('yaml');
 var require$$2 = require('@socketregistry/hyrious__bun.lockb');
-var require$$4 = require('browserslist');
-var require$$6$1 = require('which');
+var require$$10 = require('browserslist');
+var require$$8 = require('which');
 var require$$2$1 = require('@apideck/better-ajv-errors');
 var require$$3$1 = require('@socketsecurity/config');
 var pathResolve = require('./path-resolve.js');
 var require$$2$2 = require('node:os');
 var require$$3$2 = require('node:readline');
-var require$$0$2 = require('node:process');
+var require$$0$1 = require('node:process');
 var require$$2$3 = require('node:readline/promises');
 var require$$2$4 = require('chalk-table');
 var require$$2$5 = require('blessed');
 var require$$3$3 = require('blessed-contrib');
-var require$$0$3 = require('node:util');
+var require$$0$2 = require('node:util');
 
 var cli$1 = {};
 
@@ -325,13 +324,36 @@ async function queryAPI(path, apiKey) {
 
 var formatIssues = {};
 
+var objects = {};
+
+Object.defineProperty(objects, "__esModule", {
+  value: true
+});
+objects.objectSome = objectSome;
+objects.pick = pick;
+function objectSome(obj) {
+  for (const key in obj) {
+    if (obj[key]) {
+      return true;
+    }
+  }
+  return false;
+}
+function pick(input, keys) {
+  const result = {};
+  for (const key of keys) {
+    result[key] = input[key];
+  }
+  return result;
+}
+
 Object.defineProperty(formatIssues, "__esModule", {
   value: true
 });
 formatIssues.formatSeverityCount = formatSeverityCount;
 formatIssues.getSeverityCount = getSeverityCount;
 var _misc$2 = sdk.misc;
-var _objects$3 = sdk.objects;
+var _objects$4 = objects;
 const SEVERITIES_BY_ORDER = ['critical', 'high', 'middle', 'low'];
 function getDesiredSeverities(lowestToInclude) {
   const result = [];
@@ -353,7 +375,7 @@ function formatSeverityCount(severityCount) {
   return (0, _misc$2.stringJoinWithSeparateFinalSeparator)(summary);
 }
 function getSeverityCount(issues, lowestToInclude) {
-  const severityCount = (0, _objects$3.pick)({
+  const severityCount = (0, _objects$4.pick)({
     low: 0,
     middle: 0,
     high: 0,
@@ -417,7 +439,7 @@ var _chalkMarkdown$3 = sdk.chalkMarkdown;
 var _errors$k = sdk.errors;
 var _formatIssues$1 = formatIssues;
 var _formatting$m = formatting;
-var _objects$2 = sdk.objects;
+var _objects$3 = objects;
 var _sdk$j = sdk.sdk;
 const info = info$1.info = {
   description: 'Look up info regarding a package',
@@ -511,8 +533,8 @@ async function fetchPackageData(pkgName, pkgVersion, {
 }
 function formatPackageDataOutput({
   data,
-  severityCount,
-  score
+  score,
+  severityCount
 }, {
   name,
   outputJson,
@@ -533,7 +555,7 @@ function formatPackageDataOutput({
       License: Math.floor(score.license.score * 100)
     };
     Object.entries(scoreResult).map(score => console.log(`- ${score[0]}: ${formatScore(score[1])}`));
-    if ((0, _objects$2.objectSome)(severityCount)) {
+    if ((0, _objects$3.objectSome)(severityCount)) {
       const issueSummary = (0, _formatIssues$1.formatSeverityCount)(severityCount);
       console.log('\n');
       spinner[strict ? 'fail' : 'succeed'](`Package has these issues: ${issueSummary}`);
@@ -557,7 +579,7 @@ function formatPackageDataOutput({
       console.log(_chalk$h.default.dim('\nOr rerun', _chalk$h.default.italic(name), 'using the', _chalk$h.default.italic('--json'), 'flag to get full JSON output'));
     }
   }
-  if (strict && (0, _objects$2.objectSome)(severityCount)) {
+  if (strict && (0, _objects$3.objectSome)(severityCount)) {
     process.exit(1);
   }
 }
@@ -890,16 +912,6 @@ async function readFileUtf8(filepath, options) {
 
 var packageManagerDetector = {};
 
-var strings = {};
-
-Object.defineProperty(strings, "__esModule", {
-  value: true
-});
-strings.isNonEmptyString = isNonEmptyString;
-function isNonEmptyString(value) {
-  return typeof value === 'string' && value.length > 0;
-}
-
 Object.defineProperty(packageManagerDetector, "__esModule", {
   value: true
 });
@@ -909,56 +921,48 @@ var _nodePath$3 = require$$1;
 var _packageJson$1 = require$$1$3;
 var _hyrious__bun = require$$2;
 var _promiseSpawn$3 = require$$1$1;
-var _browserslist = require$$4;
+var _browserslist = require$$10;
 var _semver$1 = require$$3;
-var _which = require$$6$1;
+var _which = require$$8;
+var _constants = vendor.constants_1;
+var _objects$2 = vendor.objects;
+var _strings$1 = vendor.strings;
 var _fs$1 = fs;
-var _objects$1 = sdk.objects;
-var _strings$1 = strings;
-const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn/berry', 'yarn/classic'];
-const numericCollator = new Intl.Collator(undefined, {
+const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn/berry', 'yarn/classic', 'vlt'];
+const {
+  compare: alphaNumericComparator
+} = new Intl.Collator(undefined, {
   numeric: true,
   sensitivity: 'base'
 });
-const {
-  compare: alphaNumericComparator
-} = numericCollator;
-const maintainedNodeVersions = (() => {
-  // Under the hood browserlist uses the node-releases package which is out of date:
-  // https://github.com/chicoxyzzy/node-releases/issues/37
-  // So we maintain a manual version list for now.
-  // https://nodejs.org/en/about/previous-releases#looking-for-latest-release-of-a-version-branch
-  const manualPrev = '18.20.4';
-  const manualCurr = '20.18.0';
-  const manualNext = '22.10.0';
-  const query = _browserslist('maintained node versions')
-  // Trim value, e.g. 'node 22.5.0' to '22.5.0'.
-  .map(s => s.slice(5 /*'node '.length*/))
-  // Sort ascending.
-  .toSorted(alphaNumericComparator);
-  const queryPrev = query.at(0) ?? manualPrev;
-  const queryCurr = query.at(1) ?? manualCurr;
-  const queryNext = query.at(2) ?? manualNext;
-  const previous = _semver$1.maxSatisfying([queryPrev, manualPrev], `^${_semver$1.major(queryPrev)}`);
-  const current = _semver$1.maxSatisfying([queryCurr, manualCurr], `^${_semver$1.major(queryCurr)}`);
-  const next = _semver$1.maxSatisfying([queryNext, manualNext], `^${_semver$1.major(queryNext)}`);
-  return Object.freeze(Object.assign([previous, current, next], {
-    previous,
-    current,
-    next
-  }));
-})();
+async function getAgentExecPath(agent) {
+  return (await _which(agent, {
+    nothrow: true
+  })) ?? agent;
+}
+async function getAgentVersion(agentExecPath, cwd) {
+  let result;
+  try {
+    result = _semver$1.coerce(
+    // All package managers support the "--version" flag.
+    (await _promiseSpawn$3(agentExecPath, ['--version'], {
+      cwd
+    })).stdout) ?? undefined;
+  } catch {}
+  return result;
+}
 const LOCKS = {
   'bun.lockb': 'bun',
-  'pnpm-lock.yaml': 'pnpm',
-  'pnpm-lock.yml': 'pnpm',
-  'yarn.lock': 'yarn/classic',
   // If both package-lock.json and npm-shrinkwrap.json are present in the root
   // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
   // will be ignored.
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
   'npm-shrinkwrap.json': 'npm',
   'package-lock.json': 'npm',
+  'pnpm-lock.yaml': 'pnpm',
+  'pnpm-lock.yml': 'pnpm',
+  'yarn.lock': 'yarn/classic',
+  'vlt-lock.json': 'vlt',
   // Look for a hidden lock file if .npmrc has package-lock=false:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
   //
@@ -975,6 +979,7 @@ const readLockFileByAgent = (() => {
       return undefined;
     };
   }
+  const defaultReader = wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath));
   return {
     bun: wrapReader(async (lockPath, agentExecPath) => {
       let lockBuffer;
@@ -986,14 +991,16 @@ const readLockFileByAgent = (() => {
       try {
         return (0, _hyrious__bun.parse)(lockBuffer);
       } catch {}
-      // To print a Yarn lockfile to your console without writing it to disk use `bun bun.lockb`.
+      // To print a Yarn lockfile to your console without writing it to disk
+      // use `bun bun.lockb`.
       // https://bun.sh/guides/install/yarnlock
       return (await _promiseSpawn$3(agentExecPath, [lockPath])).stdout.trim();
     }),
-    npm: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
-    pnpm: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
-    'yarn/berry': wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
-    'yarn/classic': wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath))
+    npm: defaultReader,
+    pnpm: defaultReader,
+    vlt: defaultReader,
+    'yarn/berry': defaultReader,
+    'yarn/classic': defaultReader
   };
 })();
 async function detect({
@@ -1033,17 +1040,10 @@ async function detect({
     agent = 'npm';
     onUnknown?.(pkgManager);
   }
-  const agentExecPath = (await _which(agent, {
-    nothrow: true
-  })) ?? agent;
+  const agentExecPath = await getAgentExecPath(agent);
+  const npmExecPath = agent === 'npm' ? agentExecPath : await getAgentExecPath('npm');
   if (agentVersion === undefined) {
-    try {
-      agentVersion = _semver$1.coerce(
-      // All package managers support the "--version" flag.
-      (await _promiseSpawn$3(agentExecPath, ['--version'], {
-        cwd
-      })).stdout) ?? undefined;
-    } catch {}
+    agentVersion = await getAgentVersion(agentExecPath, cwd);
   }
   if (agent === 'yarn/classic' && (agentVersion?.major ?? 0) > 1) {
     agent = 'yarn/berry';
@@ -1053,10 +1053,11 @@ async function detect({
     node: true
   };
   let lockSrc;
-  let minimumNodeVersion = maintainedNodeVersions.previous;
+  // Lazily access constants.maintainedNodeVersions.
+  let minimumNodeVersion = _constants.maintainedNodeVersions.previous;
   if (pkgJson) {
     const browserField = pkgJson.browser;
-    if ((0, _strings$1.isNonEmptyString)(browserField) || (0, _objects$1.isObjectObject)(browserField)) {
+    if ((0, _strings$1.isNonEmptyString)(browserField) || (0, _objects$2.isObjectObject)(browserField)) {
       targets.browser = true;
     }
     const nodeRange = pkgJson.engines?.['node'];
@@ -1080,7 +1081,8 @@ async function detect({
         }
       }
     }
-    targets.node = maintainedNodeVersions.some(v => _semver$1.satisfies(v, `>=${minimumNodeVersion}`));
+    // Lazily access constants.maintainedNodeVersions.
+    targets.node = _constants.maintainedNodeVersions.some(v => _semver$1.satisfies(v, `>=${minimumNodeVersion}`));
     lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
   } else {
     lockPath = undefined;
@@ -1092,6 +1094,7 @@ async function detect({
     lockPath,
     lockSrc,
     minimumNodeVersion,
+    npmExecPath,
     pkgJson: editablePkgJson,
     pkgPath,
     supported: targets.browser || targets.node,
@@ -1099,88 +1102,6 @@ async function detect({
   };
 }
 
-var promises = {};
-
-var arrays = {};
-
-Object.defineProperty(arrays, "__esModule", {
-  value: true
-});
-arrays.arrayChunk = arrayChunk;
-arrays.arrayUnique = arrayUnique;
-function arrayChunk(arr, size = 2) {
-  const {
-    length
-  } = arr;
-  const chunkSize = Math.min(length, size);
-  const chunks = [];
-  for (let i = 0; i < length; i += chunkSize) {
-    chunks.push(arr.slice(i, i + chunkSize));
-  }
-  return chunks;
-}
-function arrayUnique(arr) {
-  return [...new Set(arr)];
-}
-
-Object.defineProperty(promises, "__esModule", {
-  value: true
-});
-promises.pEach = pEach;
-promises.pEachChunk = pEachChunk;
-var _arrays = arrays;
-async function pEach(array, concurrency, callbackFn, options) {
-  await pEachChunk((0, _arrays.arrayChunk)(array, concurrency), callbackFn, options);
-}
-async function pEachChunk(chunks, callbackFn, options) {
-  const {
-    signal
-  } = {
-    __proto__: null,
-    ...options
-  };
-  for (const chunk of chunks) {
-    if (signal?.aborted) {
-      return;
-    }
-    // eslint-disable-next-line no-await-in-loop
-    await Promise.all(chunk.map(value => signal?.aborted ? undefined : callbackFn(value, {
-      signal
-    })));
-  }
-}
-
-var regexps = {};
-
-Object.defineProperty(regexps, "__esModule", {
-  value: true
-});
-regexps.escapeRegExp = escapeRegExp;
-// Inlined "escape-string-regexp":
-// https://socket.dev/npm/package/escape-string-regexp/overview/5.0.0
-// MIT License
-// Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
-function escapeRegExp(string) {
-  // Escape characters with special meaning either inside or outside character sets.
-  // Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler form would be disallowed by Unicode patterns’ stricter grammar.
-  return string.replace(/[|\\{}()[\]^$+*?.]/g, '\\$&').replace(/-/g, '\\x2d');
-}
-
-var sorts = {};
-
-Object.defineProperty(sorts, "__esModule", {
-  value: true
-});
-sorts.localeCompare = void 0;
-sorts.toSortedObject = toSortedObject;
-const {
-  compare: localeCompare
-} = new Intl.Collator();
-sorts.localeCompare = localeCompare;
-function toSortedObject(object, comparator = localeCompare) {
-  return Object.fromEntries(Object.entries(object).sort((a, b) => comparator(a[0], b[0])));
-}
-
 var _interopRequireDefault$n = vendor.interopRequireDefault.default;
 Object.defineProperty(optimize$1, "__esModule", {
   value: true
@@ -1194,24 +1115,20 @@ var _registry = require$$5$1;
 var _meow$m = _interopRequireDefault$n(vendor.build);
 var _npmPackageArg = require$$7;
 var _ora$i = _interopRequireDefault$n(vendor.ora);
-var _pacote = require$$0$1;
 var _semver = require$$3;
-var _tinyglobby = require$$11;
-var _yaml = require$$12;
-var _constants = sdk.constants;
+var _tinyglobby = require$$10$1;
+var _yaml = require$$11;
+var _packages = vendor.packages;
 var _flags$j = flags$1;
 var _formatting$k = formatting;
 var _fs = fs;
-var _objects = sdk.objects;
+var _objects$1 = vendor.objects;
 var _packageManagerDetector = packageManagerDetector;
-var _promises2 = promises;
-var _regexps = regexps;
-var _sorts$1 = sorts;
-var _strings = strings;
+var _promises2 = vendor.promises;
+var _regexps = vendor.regexps;
+var _strings = vendor.strings;
 //import cacache from 'cacache'
 
-//import { packumentCache, pacoteCachePath } from '../constants'
-
 const COMMAND_TITLE = 'Socket Optimize';
 const OVERRIDES_FIELD_NAME = 'overrides';
 const PNPM_WORKSPACE = 'pnpm-workspace';
@@ -1244,6 +1161,13 @@ const getOverridesDataByAgent = {
       overrides
     };
   },
+  vlt(pkgJson) {
+    const overrides = pkgJson?.overrides ?? {};
+    return {
+      type: 'vlt',
+      overrides
+    };
+  },
   // Yarn resolutions documentation:
   // https://yarnpkg.com/configuration/manifest#resolutions
   'yarn/berry'(pkgJson) {
@@ -1264,7 +1188,7 @@ const getOverridesDataByAgent = {
   }
 };
 const lockIncludesByAgent = (() => {
-  const yarn = (lockSrc, name) => {
+  function yarnLockIncludes(lockSrc, name) {
     const escapedName = (0, _regexps.escapeRegExp)(name);
     return new RegExp(
     // Detects the package name in the following cases:
@@ -1273,9 +1197,9 @@ const lockIncludesByAgent = (() => {
     //   name@
     //   , name@
     `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
-  };
+  }
   return {
-    bun: yarn,
+    bun: yarnLockIncludes,
     npm(lockSrc, name) {
       // Detects the package name in the following cases:
       //   "name":
@@ -1291,111 +1215,181 @@ const lockIncludesByAgent = (() => {
       //   name@
       `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
     },
-    'yarn/berry': yarn,
-    'yarn/classic': yarn
+    vlt(lockSrc, name) {
+      // Detects the package name in the following cases:
+      //   "name"
+      return lockSrc.includes(`"${name}"`);
+    },
+    'yarn/berry': yarnLockIncludes,
+    'yarn/classic': yarnLockIncludes
   };
 })();
-const updateManifestByAgent = {
-  bun(pkgJson, overrides) {
-    pkgJson.update({
-      [RESOLUTIONS_FIELD_NAME]: overrides
-    });
-  },
-  npm(pkgJson, overrides) {
+const updateManifestByAgent = (() => {
+  function updateOverrides(pkgJson, overrides) {
     pkgJson.update({
       [OVERRIDES_FIELD_NAME]: overrides
     });
-  },
-  pnpm(pkgJson, overrides) {
-    pkgJson.update({
-      pnpm: {
-        ...pkgJson.content['pnpm'],
-        [OVERRIDES_FIELD_NAME]: overrides
-      }
-    });
-  },
-  'yarn/berry'(pkgJson, overrides) {
-    pkgJson.update({
-      [RESOLUTIONS_FIELD_NAME]: overrides
-    });
-  },
-  'yarn/classic'(pkgJson, overrides) {
+  }
+  function updateResolutions(pkgJson, overrides) {
     pkgJson.update({
       [RESOLUTIONS_FIELD_NAME]: overrides
     });
   }
-};
-const lsByAgent = {
-  async bun(agentExecPath, cwd, _rootPath) {
-    try {
-      // Bun does not support filtering by production packages yet.
-      // https://github.com/oven-sh/bun/issues/8283
-      return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
-        cwd
-      })).stdout;
-    } catch {}
-    return '';
-  },
-  async npm(agentExecPath, cwd, rootPath) {
-    try {
-      let {
-        stdout
-      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--omit', 'dev', '--all'], {
-        cwd
-      });
-      stdout = stdout.trim();
-      stdout = stdout.replaceAll(cwd, '');
-      stdout = rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
-      return stdout.replaceAll('\\', '/');
-    } catch {}
-    return '';
-  },
-  async pnpm(agentExecPath, cwd, rootPath) {
-    try {
-      let {
-        stdout
-      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
-        cwd
+  return {
+    bun: updateResolutions,
+    npm: updateOverrides,
+    pnpm(pkgJson, overrides) {
+      pkgJson.update({
+        pnpm: {
+          ...pkgJson.content['pnpm'],
+          [OVERRIDES_FIELD_NAME]: overrides
+        }
       });
-      stdout = stdout.trim();
-      stdout = stdout.replaceAll(cwd, '');
-      stdout = rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
-      return stdout.replaceAll('\\', '/');
-    } catch {}
-    return '';
-  },
-  async 'yarn/berry'(agentExecPath, cwd, _rootPath) {
+    },
+    vlt: updateOverrides,
+    'yarn/berry': updateResolutions,
+    'yarn/classic': updateResolutions
+  };
+})();
+const lsByAgent = (() => {
+  function cleanupQueryStdout(stdout) {
+    if (stdout === '') {
+      return '';
+    }
+    let pkgs;
     try {
-      return (
-        // Yarn Berry does not support filtering by production packages yet.
-        // https://github.com/yarnpkg/berry/issues/5117
-        (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
-          cwd
-        })).stdout.trim()
-      );
+      pkgs = JSON.parse(stdout);
     } catch {}
-    return '';
-  },
-  async 'yarn/classic'(agentExecPath, cwd, _rootPath) {
+    if (!Array.isArray(pkgs)) {
+      return '';
+    }
+    const names = new Set();
+    for (const {
+      _id,
+      name,
+      pkgid
+    } of pkgs) {
+      // `npm query` results may not have a "name" property, in which case we
+      // fallback to "_id" and then "pkgid".
+      // `vlt ls --view json` results always have a "name" property.
+      const fallback = _id ?? pkgid ?? '';
+      const resolvedName = name ?? fallback.slice(0, fallback.indexOf('@', 1));
+      // Add package names, except for those under the `@types` scope as those
+      // are known to only be dev dependencies.
+      if (resolvedName && !resolvedName.startsWith('@types/')) {
+        names.add(resolvedName);
+      }
+    }
+    return JSON.stringify([...names], null, 2);
+  }
+  function parseableToQueryStdout(stdout) {
+    if (stdout === '') {
+      return '';
+    }
+    // Convert the parseable stdout into a json array of unique names.
+    // The matchAll regexp looks for a forward (posix) or backward (win32) slash
+    // and matches one or more non-slashes until the newline.
+    const names = new Set(stdout.matchAll(/(?<=[/\\])[^/\\]+(?=\n)/g));
+    return JSON.stringify([...names], null, 2);
+  }
+  async function npmQuery(npmExecPath, cwd) {
+    let stdout = '';
     try {
-      // However, Yarn Classic does support it.
-      // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
-      // > Fix: Excludes dev dependencies from the yarn list output when the
-      //   environment is production
-      return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
+      stdout = (await _promiseSpawn$2(npmExecPath, ['query', ':not(.dev)'], {
         cwd
-      })).stdout.trim();
+      })).stdout;
     } catch {}
-    return '';
+    return cleanupQueryStdout(stdout);
   }
-};
-const depsIncludesByAgent = {
-  bun: (stdout, name) => stdout.includes(` ${name}@`),
-  npm: (stdout, name) => stdout.includes(`/${name}\n`),
-  pnpm: (stdout, name) => stdout.includes(`/${name}\n`),
-  'yarn/berry': (stdout, name) => stdout.includes(` ${name}@`),
-  'yarn/classic': (stdout, name) => stdout.includes(` ${name}@`)
-};
+  return {
+    async bun(agentExecPath, cwd) {
+      try {
+        // Bun does not support filtering by production packages yet.
+        // https://github.com/oven-sh/bun/issues/8283
+        return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
+          cwd
+        })).stdout;
+      } catch {}
+      return '';
+    },
+    async npm(agentExecPath, cwd) {
+      return await npmQuery(agentExecPath, cwd);
+    },
+    async pnpm(agentExecPath, cwd, options) {
+      const {
+        npmExecPath
+      } = {
+        __proto__: null,
+        ...options
+      };
+      if (npmExecPath && npmExecPath !== 'npm') {
+        const result = await npmQuery(npmExecPath, cwd);
+        if (result) {
+          return result;
+        }
+      }
+      let stdout = '';
+      try {
+        stdout = (await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+          cwd
+        })).stdout;
+      } catch {}
+      return parseableToQueryStdout(stdout);
+    },
+    async vlt(agentExecPath, cwd) {
+      let stdout = '';
+      try {
+        stdout = (await _promiseSpawn$2(agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
+          cwd
+        })).stdout;
+      } catch {}
+      return cleanupQueryStdout(stdout);
+    },
+    async 'yarn/berry'(agentExecPath, cwd) {
+      try {
+        return (
+          // Yarn Berry does not support filtering by production packages yet.
+          // https://github.com/yarnpkg/berry/issues/5117
+          (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
+            cwd
+          })).stdout.trim()
+        );
+      } catch {}
+      return '';
+    },
+    async 'yarn/classic'(agentExecPath, cwd) {
+      try {
+        // However, Yarn Classic does support it.
+        // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
+        // > Fix: Excludes dev dependencies from the yarn list output when the
+        //   environment is production
+        return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
+          cwd
+        })).stdout.trim();
+      } catch {}
+      return '';
+    }
+  };
+})();
+const depsIncludesByAgent = (() => {
+  function matchHumanStdout(stdout, name) {
+    return stdout.includes(` ${name}@`);
+  }
+  function matchQueryStdout(stdout, name) {
+    return stdout.includes(`"${name}"`);
+  }
+  return {
+    bun: matchHumanStdout,
+    npm: matchQueryStdout,
+    pnpm: matchQueryStdout,
+    vlt: matchQueryStdout,
+    'yarn/berry': matchHumanStdout,
+    'yarn/classic': matchHumanStdout
+  };
+})();
+function createActionMessage(verb, overrideCount, workspaceCount) {
+  return `${verb} ${overrideCount} Socket.dev optimized overrides${workspaceCount ? ` in ${workspaceCount} workspace${workspaceCount > 1 ? 's' : ''}` : ''}`;
+}
 function getDependencyEntries(pkgJson) {
   const {
     dependencies,
@@ -1419,28 +1413,33 @@ function getDependencyEntries(pkgJson) {
     1: o
   }) => o);
 }
-async function getWorkspaces(agent, pkgPath, pkgJson) {
-  if (agent !== 'pnpm') {
-    return Array.isArray(pkgJson['workspaces']) ? pkgJson['workspaces'].filter(_strings.isNonEmptyString) : undefined;
-  }
-  for (const workspacePath of [_nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), _nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
-    if ((0, _fs.existsSync)(workspacePath)) {
-      let packages;
-      try {
-        // eslint-disable-next-line no-await-in-loop
-        packages = (0, _yaml.parse)(await _promises$2.readFile(workspacePath, 'utf8'))?.packages;
-      } catch {}
-      if (Array.isArray(packages)) {
-        return packages.filter(_strings.isNonEmptyString);
+async function getWorkspaceGlobs(agent, pkgPath, pkgJson) {
+  let workspacePatterns;
+  if (agent === 'pnpm') {
+    for (const workspacePath of [_nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), _nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
+      if ((0, _fs.existsSync)(workspacePath)) {
+        try {
+          workspacePatterns = (0, _yaml.parse)(
+          // eslint-disable-next-line no-await-in-loop
+          await _promises$2.readFile(workspacePath, 'utf8'))?.packages;
+        } catch {}
+        if (workspacePatterns) {
+          break;
+        }
       }
     }
+  } else {
+    workspacePatterns = pkgJson['workspaces'];
   }
-  return undefined;
+  return Array.isArray(workspacePatterns) ? workspacePatterns.filter(_strings.isNonEmptyString).map(workspacePatternToGlobPattern) : undefined;
 }
-function workspaceToGlobPattern(workspace) {
+function workspacePatternToGlobPattern(workspace) {
   const {
     length
   } = workspace;
+  if (!length) {
+    return '';
+  }
   // If the workspace ends with "/"
   if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
     return `${workspace}/*/package.json`;
@@ -1452,21 +1451,29 @@ function workspaceToGlobPattern(workspace) {
   // Things like "packages/a" or "packages/*"
   return `${workspace}/package.json`;
 }
+function createAddOverridesState(initials) {
+  return {
+    added: new Set(),
+    addedInWorkspaces: new Set(),
+    spinner: undefined,
+    updated: new Set(),
+    updatedInWorkspaces: new Set(),
+    warnedPnpmWorkspaceRequiresNpm: false,
+    ...initials
+  };
+}
 async function addOverrides({
   agent,
   agentExecPath,
   lockSrc,
   manifestEntries,
+  npmExecPath,
   pin,
   pkgJson: editablePkgJson,
   pkgPath,
   prod,
   rootPath
-}, state = {
-  added: new Set(),
-  spinner: undefined,
-  updated: new Set()
-}) {
+}, state = createAddOverridesState()) {
   if (editablePkgJson === undefined) {
     editablePkgJson = await _packageJson.load(pkgPath);
   }
@@ -1476,19 +1483,26 @@ async function addOverrides({
   const pkgJson = editablePkgJson.content;
   const isRoot = pkgPath === rootPath;
   const isLockScanned = isRoot && !prod;
-  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, rootPath);
+  const workspaceName = _nodePath$2.relative(rootPath, pkgPath);
+  const workspaceGlobs = await getWorkspaceGlobs(agent, pkgPath, pkgJson);
+  const isWorkspace = !!workspaceGlobs;
+  if (isWorkspace && agent === 'pnpm' && npmExecPath === 'npm' && !state.warnedPnpmWorkspaceRequiresNpm) {
+    state.warnedPnpmWorkspaceRequiresNpm = true;
+    console.log(`⚠️ ${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
+  }
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, {
+    npmExecPath
+  });
   const thingScanner = isLockScanned ? lockIncludesByAgent[agent] : depsIncludesByAgent[agent];
   const depEntries = getDependencyEntries(pkgJson);
-  const workspaces = await getWorkspaces(agent, pkgPath, pkgJson);
-  const isWorkspace = !!workspaces;
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
     overridesDataObjects.push(getOverridesDataByAgent[agent](pkgJson));
   } else {
-    overridesDataObjects.push(getOverridesDataByAgent['npm'](pkgJson), getOverridesDataByAgent['yarn/classic'](pkgJson));
+    overridesDataObjects.push(getOverridesDataByAgent.npm(pkgJson), getOverridesDataByAgent['yarn/classic'](pkgJson));
   }
   if (spinner) {
-    spinner.text = `Adding overrides${isRoot ? '' : ` to ${_nodePath$2.relative(rootPath, pkgPath)}`}...`;
+    spinner.text = `Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`;
   }
   const depAliasMap = new Map();
   // Chunk package names to process them in parallel 3 at a time.
@@ -1517,6 +1531,7 @@ async function addOverrides({
           pkgSpec = `${regSpecStartsLike}^${version}`;
           depObj[origPkgName] = pkgSpec;
           state.added.add(regPkgName);
+          state.addedInWorkspaces.add(workspaceName);
         }
         depAliasMap.set(origPkgName, {
           id: pkgSpec,
@@ -1529,7 +1544,7 @@ async function addOverrides({
       overrides,
       type
     }) => {
-      const overrideExists = (0, _objects.hasOwn)(overrides, origPkgName);
+      const overrideExists = (0, _objects$1.hasOwn)(overrides, origPkgName);
       if (overrideExists || thingScanner(thingToScan, origPkgName)) {
         const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
         const depAlias = depAliasMap.get(origPkgName);
@@ -1549,7 +1564,7 @@ async function addOverrides({
           const thisSpec = oldSpec.startsWith('$') ? depAlias?.id ?? newSpec : oldSpec ?? newSpec;
           if (thisSpec.startsWith(regSpecStartsLike)) {
             if (pin) {
-              thisVersion = _semver.major(_semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version) === major ? version : (await fetchPackageManifest(thisSpec))?.version ?? version;
+              thisVersion = _semver.major(_semver.coerce(_npmPackageArg(thisSpec).rawSpec)?.version ?? version) === major ? version : (await (0, _packages.fetchPackageManifest)(thisSpec))?.version ?? version;
             }
             newSpec = `${regSpecStartsLike}^${pin ? thisVersion : _semver.major(thisVersion)}`;
           } else {
@@ -1557,46 +1572,43 @@ async function addOverrides({
           }
         }
         if (newSpec !== oldSpec) {
+          overrides[origPkgName] = newSpec;
           if (overrideExists) {
             state.updated.add(regPkgName);
+            state.updatedInWorkspaces.add(workspaceName);
           } else {
             state.added.add(regPkgName);
+            state.addedInWorkspaces.add(workspaceName);
           }
-          overrides[origPkgName] = newSpec;
         }
       }
     });
   });
-  if (workspaces) {
-    const wsPkgJsonPaths = await (0, _tinyglobby.glob)(workspaces.map(workspaceToGlobPattern), {
+  if (workspaceGlobs) {
+    const workspacePkgJsonPaths = await (0, _tinyglobby.glob)(workspaceGlobs, {
       absolute: true,
       cwd: pkgPath,
       ignore: ['**/node_modules/**', '**/bower_components/**']
     });
     // Chunk package names to process them in parallel 3 at a time.
-    await (0, _promises2.pEach)(wsPkgJsonPaths, 3, async wsPkgJsonPath => {
-      const {
-        added,
-        updated
-      } = await addOverrides({
+    await (0, _promises2.pEach)(workspacePkgJsonPaths, 3, async workspacePkgJsonPath => {
+      const otherState = await addOverrides({
         agent,
         agentExecPath,
         lockSrc,
         manifestEntries,
+        npmExecPath,
         pin,
-        pkgPath: _nodePath$2.dirname(wsPkgJsonPath),
+        pkgPath: _nodePath$2.dirname(workspacePkgJsonPath),
         prod,
         rootPath
-      }, {
-        added: new Set(),
-        spinner,
-        updated: new Set()
-      });
-      for (const regPkgName of added) {
-        state.added.add(regPkgName);
-      }
-      for (const regPkgName of updated) {
-        state.updated.add(regPkgName);
+      }, createAddOverridesState({
+        spinner
+      }));
+      for (const key of ['added', 'addedInWorkspaces', 'updated', 'updatedInWorkspaces']) {
+        for (const value of otherState[key]) {
+          state[key].add(value);
+        }
       }
     });
   }
@@ -1606,62 +1618,12 @@ async function addOverrides({
       overrides,
       type
     } of overridesDataObjects) {
-      updateManifestByAgent[type](editablePkgJson, (0, _sorts$1.toSortedObject)(overrides));
+      updateManifestByAgent[type](editablePkgJson, (0, _objects$1.toSortedObject)(overrides));
     }
     await editablePkgJson.save();
   }
   return state;
 }
-
-// type ExtractOptions = pacote.Options & {
-//   tmpPrefix?: string
-//   [key: string]: any
-// }
-
-// async function extractPackage(pkgNameOrId: string, options: ExtractOptions | undefined, callback: (tmpDirPath: string) => any) {
-//   if (arguments.length === 2 && typeof options === 'function') {
-//     callback = options
-//     options = undefined
-//   }
-//   const { tmpPrefix, ...extractOptions } = { __proto__: null, ...options }
-//   // cacache.tmp.withTmp DOES return a promise.
-//   await cacache.tmp.withTmp(
-//     pacoteCachePath,
-//     { tmpPrefix },
-//     // eslint-disable-next-line @typescript-eslint/no-misused-promises
-//     async tmpDirPath => {
-//       await pacote.extract(pkgNameOrId, tmpDirPath, {
-//         __proto__: null,
-//         packumentCache,
-//         preferOffline: true,
-//         ...<Omit<typeof extractOptions, '__proto__'>>extractOptions
-//       })
-//       await callback(tmpDirPath)
-//     }
-//   )
-// }
-
-async function fetchPackageManifest(pkgNameOrId, options) {
-  const pacoteOptions = {
-    ...options,
-    packumentCache: _constants.packumentCache,
-    preferOffline: true
-  };
-  const {
-    signal
-  } = pacoteOptions;
-  if (signal?.aborted) {
-    return null;
-  }
-  let result;
-  try {
-    result = await _pacote.manifest(pkgNameOrId, pacoteOptions);
-  } catch {}
-  if (signal?.aborted) {
-    return null;
-  }
-  return result;
-}
 const optimize = optimize$1.optimize = {
   description: 'Optimize dependencies with @socketregistry overrides',
   async run(argv, importMeta, {
@@ -1680,9 +1642,10 @@ const optimize = optimize$1.optimize = {
       agent,
       agentExecPath,
       agentVersion,
-      lockSrc,
       lockPath,
+      lockSrc,
       minimumNodeVersion,
+      npmExecPath,
       pkgJson,
       pkgPath,
       supported
@@ -1696,6 +1659,10 @@ const optimize = optimize$1.optimize = {
       console.log(`✘ ${COMMAND_TITLE}: No supported Node or browser range detected`);
       return;
     }
+    if (agent === 'vlt') {
+      console.log(`✘ ${COMMAND_TITLE}: ${agent} does not support overrides. Soon, though ⚡`);
+      return;
+    }
     const lockName = lockPath ? _nodePath$2.basename(lockPath) : 'lock file';
     if (lockSrc === undefined) {
       console.log(`✘ ${COMMAND_TITLE}: No ${lockName} found`);
@@ -1717,11 +1684,9 @@ const optimize = optimize$1.optimize = {
       console.log(`⚠️ ${COMMAND_TITLE}: Package ${lockName} found at ${lockPath}`);
     }
     const spinner = (0, _ora$i.default)('Socket optimizing...');
-    const state = {
-      added: new Set(),
-      spinner,
-      updated: new Set()
-    };
+    const state = createAddOverridesState({
+      spinner
+    });
     spinner.start();
     const nodeRange = `>=${minimumNodeVersion}`;
     const manifestEntries = manifestNpmOverrides.filter(({
@@ -1732,6 +1697,7 @@ const optimize = optimize$1.optimize = {
       agentExecPath,
       lockSrc,
       manifestEntries,
+      npmExecPath,
       pin,
       pkgJson,
       pkgPath,
@@ -1739,13 +1705,15 @@ const optimize = optimize$1.optimize = {
       rootPath: pkgPath
     }, state);
     spinner.stop();
-    const pkgJsonChanged = state.added.size > 0 || state.updated.size > 0;
+    const addedCount = state.added.size;
+    const updatedCount = state.updated.size;
+    const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
     if (pkgJsonChanged) {
-      if (state.updated.size > 0) {
-        console.log(`Updated ${state.updated.size} Socket.dev optimized overrides ${state.added.size ? '.' : '🚀'}`);
+      if (updatedCount > 0) {
+        console.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
       }
-      if (state.added.size > 0) {
-        console.log(`Added ${state.added.size} Socket.dev optimized overrides 🚀`);
+      if (addedCount > 0) {
+        console.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
       }
     } else {
       console.log('Congratulations! Already Socket.dev optimized 🎉');
@@ -1759,7 +1727,7 @@ const optimize = optimize$1.optimize = {
         if (isNpm) {
           const wrapperPath = _nodePath$2.join(distPath$1, 'npm-cli.js');
           await _promiseSpawn$2(process.execPath, [wrapperPath, 'install', '--no-audit', '--no-fund'], {
-            stdio: 'pipe',
+            stdio: 'ignore',
             env: {
               ...process.env,
               UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: '1'
@@ -1768,7 +1736,7 @@ const optimize = optimize$1.optimize = {
         } else {
           // All package managers support the "install" command.
           await _promiseSpawn$2(agentExecPath, ['install'], {
-            stdio: 'pipe'
+            stdio: 'ignore'
           });
         }
         spinner.stop();
@@ -2391,14 +2359,14 @@ Object.defineProperty(meowWithSubcommands$1, "__esModule", {
 meowWithSubcommands$1.meowWithSubcommands = meowWithSubcommands;
 var _meow$g = _interopRequireDefault$h(vendor.build);
 var _formatting$f = formatting;
-var _sorts = sorts;
+var _objects = vendor.objects;
 var _flags$e = flags$1;
 async function meowWithSubcommands(subcommands, options) {
   const {
     aliases = {},
     argv,
-    name,
     importMeta,
+    name,
     ...additionalOptions
   } = {
     __proto__: null,
@@ -2430,8 +2398,8 @@ async function meowWithSubcommands(subcommands, options) {
 
     Commands
       ${(0, _formatting$f.printHelpList)({
-    ...(0, _sorts.toSortedObject)(subcommands),
-    ...(0, _sorts.toSortedObject)(aliases)
+    ...(0, _objects.toSortedObject)(subcommands),
+    ...(0, _objects.toSortedObject)(aliases)
   }, 6)}
 
     Options
@@ -2526,8 +2494,8 @@ function setupCommand$f(name, description, argv, importMeta) {
     return;
   }
   const {
-    enable,
-    disable
+    disable,
+    enable
   } = cli.flags;
   let showHelp = cli.flags['help'];
   if (!enable && !disable) {
@@ -2641,7 +2609,7 @@ Object.defineProperty(create$3, "__esModule", {
   value: true
 });
 create$3.create = void 0;
-var _nodeProcess = require$$0$2;
+var _nodeProcess = require$$0$1;
 var _promises$1 = require$$2$3;
 var _chalk$e = _interopRequireDefault$f(vendor.source);
 var _meow$e = _interopRequireDefault$f(vendor.build);
@@ -2774,8 +2742,8 @@ async function setupCommand$e(name, description, argv, importMeta) {
   const debugLog = (0, _misc.createDebugLogger)(false);
   const packagePaths = await (0, _pathResolve.getPackageFilesFullScans)(cwd, cli.input, supportedFiles, debugLog);
   const {
-    repo: repoName,
-    branch: branchName
+    branch: branchName,
+    repo: repoName
   } = cli.flags;
   if (!repoName || !branchName || !packagePaths.length) {
     showHelp = true;
@@ -2805,14 +2773,14 @@ async function setupCommand$e(name, description, argv, importMeta) {
 async function createFullScan(input, spinner, apiKey) {
   const socketSdk = await (0, _sdk$e.setupSdk)(apiKey);
   const {
-    orgSlug,
-    repoName,
     branchName,
     commitMessage,
     defaultBranch,
+    orgSlug,
+    packagePaths,
     pendingHead,
-    tmp,
-    packagePaths
+    repoName,
+    tmp
   } = input;
   const result = await (0, _apiHelpers$e.handleApiCall)(socketSdk.createOrgFullScan(orgSlug, {
     repo: repoName,
@@ -4117,8 +4085,8 @@ function setupCommand$3(name, description, argv, importMeta) {
   });
   const {
     json: outputJson,
-    markdown: outputMarkdown,
     limit,
+    markdown: outputMarkdown,
     offset
   } = cli.flags;
   return {
@@ -4510,7 +4478,7 @@ Object.defineProperty(get$1, "__esModule", {
 });
 get$1.get = void 0;
 var _nodeFs$1 = require$$0;
-var _nodeUtil = require$$0$3;
+var _nodeUtil = require$$0$2;
 var _chalk$1 = _interopRequireDefault$2(vendor.source);
 var _meow$1 = _interopRequireDefault$2(vendor.build);
 var _ora$1 = _interopRequireDefault$2(vendor.ora);
@@ -4588,8 +4556,8 @@ function setupCommand$1(name, description, argv, importMeta) {
     flags
   });
   const {
-    before,
-    after
+    after,
+    before
   } = cli.flags;
   let showHelp = cli.flags['help'];
   if (!before || !after) {
@@ -4615,10 +4583,10 @@ function setupCommand$1(name, description, argv, importMeta) {
   };
 }
 async function getDiffScan({
-  before,
   after,
-  orgSlug,
+  before,
   file,
+  orgSlug,
   outputJson
 }, spinner, apiKey) {
   const response = await (0, _apiHelpers$1.queryAPI)(`${orgSlug}/full-scans/diff?before=${before}&after=${after}&preview`, apiKey);
@@ -4764,12 +4732,12 @@ function setupCommand(name, description, argv, importMeta) {
     flags
   });
   const {
+    direction,
+    filter,
     json: outputJson,
     markdown: outputMarkdown,
-    perPage: per_page,
     page,
-    direction,
-    filter
+    perPage: per_page
   } = cli.flags;
   return {
     outputJson,
@@ -4781,11 +4749,11 @@ function setupCommand(name, description, argv, importMeta) {
   };
 }
 async function fetchThreatFeed({
-  per_page,
-  page,
   direction,
   filter,
-  outputJson
+  outputJson,
+  page,
+  per_page
 }, spinner, apiKey) {
   const formattedQueryParams = formatQueryParams({
     per_page,