@socketsecurity/cli 0.14.28 → 0.14.30

package/dist/module-sync/npm-injection.js

@@ -0,0 +1,1609 @@
+'use strict';
+
+var constants = require('./constants.js');
+var require$$0$2 = require('@babel/runtime/helpers/interopRequireWildcard');
+var require$$0$1 = require('@babel/runtime/helpers/interopRequireDefault');
+var require$$1$2 = require('node:events');
+var require$$0 = require('node:fs');
+var require$$3$3 = require('node:https');
+var require$$1 = require('node:path');
+var require$$3 = require('node:readline');
+var require$$5 = require('node:stream');
+var require$$7$1 = require('node:timers/promises');
+var require$$3$1 = require('is-interactive');
+var require$$5$1 = require('npm-package-arg');
+var require$$3$2 = require('@socketregistry/yocto-spinner');
+var require$$4 = require('semver');
+var require$$6$1 = require('@socketsecurity/config');
+var require$$7 = require('@socketsecurity/registry/lib/objects');
+var require$$1$1 = require('node:net');
+var require$$2 = require('node:os');
+var require$$6 = require('../../package.json');
+var sdk = require('./sdk.js');
+var pathResolve = require('./path-resolve.js');
+var link = require('./link.js');
+
+var npmInjection$2 = {};
+
+var npmInjection$1 = {};
+
+var arborist = {};
+
+var ttyServer$1 = {};
+
+Object.defineProperty(ttyServer$1, "__esModule", {
+  value: true
+});
+ttyServer$1.createTTYServer = createTTYServer;
+var _nodeFs$1 = require$$0;
+var _nodeNet = require$$1$1;
+var _nodeOs = require$$2;
+var _nodePath$1 = require$$1;
+var _nodeReadline$1 = require$$3;
+var _nodeStream$1 = require$$5;
+var _package = require$$6;
+var _misc$1 = sdk.misc;
+const NEWLINE_CHAR_CODE = 10; /*'\n'*/
+
+const TTY_IPC = process.env['SOCKET_SECURITY_TTY_IPC'];
+const sock = _nodePath$1.join(_nodeOs.tmpdir(), `socket-security-tty-${process.pid}.sock`);
+process.env['SOCKET_SECURITY_TTY_IPC'] = sock;
+function createNonStandardTTYServer() {
+  return {
+    async captureTTY(mutexFn) {
+      return await new Promise((resolve, reject) => {
+        const conn = _nodeNet.createConnection({
+          path: TTY_IPC
+        }).on('error', reject);
+        let captured = false;
+        const buffs = [];
+        conn.on('data', function awaitCapture(chunk) {
+          buffs.push(chunk);
+          let lineBuff = Buffer.concat(buffs);
+          if (captured) return;
+          try {
+            const eolIndex = lineBuff.indexOf(NEWLINE_CHAR_CODE);
+            if (eolIndex !== -1) {
+              conn.removeListener('data', awaitCapture);
+              conn.push(lineBuff.slice(eolIndex + 1));
+              const {
+                capabilities: {
+                  input: hasInput,
+                  output: hasOutput
+                },
+                ipc_version: remote_ipc_version
+              } = JSON.parse(lineBuff.subarray(0, eolIndex).toString('utf-8'));
+              lineBuff = null;
+              captured = true;
+              if (remote_ipc_version !== _package.version) {
+                throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.');
+              }
+              const input = hasInput ? new _nodeStream$1.PassThrough() : null;
+              input?.pause();
+              if (input) conn.pipe(input);
+              const output = hasOutput ? new _nodeStream$1.PassThrough() : null;
+              if (output) {
+                output.pipe(conn)
+                // Make ora happy
+                ;
+                output.isTTY = true;
+                output.cursorTo = function cursorTo(x, y, callback) {
+                  _nodeReadline$1.cursorTo(this, x, y, callback);
+                };
+                output.clearLine = function clearLine(dir, callback) {
+                  _nodeReadline$1.clearLine(this, dir, callback);
+                };
+              }
+              mutexFn(hasInput ? input : undefined, hasOutput ? output : undefined).then(resolve, reject).finally(() => {
+                conn.unref();
+                conn.end();
+                input?.end();
+                output?.end();
+                // process.exit(13)
+              });
+            }
+          } catch (e) {
+            reject(e);
+          }
+        });
+      });
+    }
+  };
+}
+function createIPCServer(captureState, npmlog) {
+  const input = process.stdin;
+  const output = process.stderr;
+  return new Promise((resolve, reject) => {
+    const server = _nodeNet
+    // eslint-disable-next-line @typescript-eslint/no-misused-promises
+    .createServer(async conn => {
+      if (captureState.captured) {
+        await new Promise(resolve => {
+          captureState.pendingCaptures.push({
+            resolve() {
+              resolve();
+            }
+          });
+        });
+      } else {
+        captureState.captured = true;
+      }
+      const wasProgressEnabled = npmlog.progressEnabled;
+      npmlog.pause();
+      if (wasProgressEnabled) {
+        npmlog.disableProgress();
+      }
+      conn.write(`${JSON.stringify({
+        ipc_version: _package.version,
+        capabilities: {
+          input: Boolean(input),
+          output: true
+        }
+      })}\n`);
+      conn.on('data', data => {
+        output.write(data);
+      }).on('error', e => {
+        output.write(`there was an error prompting from a sub shell (${e?.message}), socket npm closing`);
+        process.exit(1);
+      });
+      input.on('data', data => {
+        conn.write(data);
+      }).on('end', () => {
+        conn.unref();
+        conn.end();
+        if (wasProgressEnabled) {
+          npmlog.enableProgress();
+        }
+        npmlog.resume();
+        captureState.nextCapture();
+      });
+    }).listen(sock, () => resolve(server)).on('error', reject).unref();
+    process.on('exit', () => {
+      server.close();
+      tryUnlinkSync(sock);
+    });
+    resolve(server);
+  });
+}
+function createStandardTTYServer(isInteractive, npmlog) {
+  const captureState = {
+    captured: false,
+    nextCapture: () => {
+      if (captureState.pendingCaptures.length > 0) {
+        const pendingCapture = captureState.pendingCaptures.shift();
+        pendingCapture?.resolve();
+      } else {
+        captureState.captured = false;
+      }
+    },
+    pendingCaptures: []
+  };
+  tryUnlinkSync(sock);
+  const input = isInteractive ? process.stdin : undefined;
+  const output = process.stderr;
+  let ipcServerPromise;
+  if (input) {
+    ipcServerPromise = createIPCServer(captureState, npmlog);
+  }
+  return {
+    async captureTTY(mutexFn) {
+      await ipcServerPromise;
+      if (captureState.captured) {
+        const captured = new Promise(resolve => {
+          captureState.pendingCaptures.push({
+            resolve() {
+              resolve();
+            }
+          });
+        });
+        await captured;
+      } else {
+        captureState.captured = true;
+      }
+      const wasProgressEnabled = npmlog.progressEnabled;
+      try {
+        npmlog.pause();
+        if (wasProgressEnabled) {
+          npmlog.disableProgress();
+        }
+        return await mutexFn(input, output);
+      } finally {
+        if (wasProgressEnabled) {
+          npmlog.enableProgress();
+        }
+        npmlog.resume();
+        captureState.nextCapture();
+      }
+    }
+  };
+}
+function tryUnlinkSync(filepath) {
+  try {
+    (0, _nodeFs$1.unlinkSync)(filepath);
+  } catch (e) {
+    if ((0, _misc$1.isErrnoException)(e) && e.code !== 'ENOENT') {
+      throw e;
+    }
+  }
+}
+function createTTYServer(isInteractive, npmlog) {
+  return !isInteractive && TTY_IPC ? createNonStandardTTYServer() : createStandardTTYServer(isInteractive, npmlog);
+}
+
+var issueRules = {};
+
+Object.defineProperty(issueRules, "__esModule", {
+  value: true
+});
+issueRules.createIssueUXLookup = createIssueUXLookup;
+//#region UX Constants
+
+const IGNORE_UX = {
+  block: false,
+  display: false
+};
+const WARN_UX = {
+  block: false,
+  display: true
+};
+const ERROR_UX = {
+  block: true,
+  display: true
+};
+//#endregion
+//#region utils
+
+/**
+ * Iterates over all entries with ordered issue rule for deferral.  Iterates over
+ * all issue rules and finds the first defined value that does not defer otherwise
+ * uses the defaultValue. Takes the value and converts into a UX workflow
+ */
+function resolveIssueRuleUX(entriesOrderedIssueRules, defaultValue) {
+  if (defaultValue === true || defaultValue == null) {
+    defaultValue = {
+      action: 'error'
+    };
+  } else if (defaultValue === false) {
+    defaultValue = {
+      action: 'ignore'
+    };
+  }
+  let block = false;
+  let display = false;
+  let needDefault = true;
+  iterate_entries: for (const issueRuleArr of entriesOrderedIssueRules) {
+    for (const rule of issueRuleArr) {
+      if (issueRuleValueDoesNotDefer(rule)) {
+        needDefault = false;
+        const narrowingFilter = uxForDefinedNonDeferValue(rule);
+        block = block || narrowingFilter.block;
+        display = display || narrowingFilter.display;
+        continue iterate_entries;
+      }
+    }
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
+    block = block || narrowingFilter.block;
+    display = display || narrowingFilter.display;
+  }
+  if (needDefault) {
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue);
+    block = block || narrowingFilter.block;
+    display = display || narrowingFilter.display;
+  }
+  return {
+    block,
+    display
+  };
+}
+
+/**
+ * Negative form because it is narrowing the type
+ */
+function issueRuleValueDoesNotDefer(issueRule) {
+  if (issueRule === undefined) {
+    return false;
+  } else if (typeof issueRule === 'object' && issueRule) {
+    const {
+      action
+    } = issueRule;
+    if (action === undefined || action === 'defer') {
+      return false;
+    }
+  }
+  return true;
+}
+
+/**
+ * Handles booleans for backwards compatibility
+ */
+function uxForDefinedNonDeferValue(issueRuleValue) {
+  if (typeof issueRuleValue === 'boolean') {
+    return issueRuleValue ? ERROR_UX : IGNORE_UX;
+  }
+  const {
+    action
+  } = issueRuleValue;
+  if (action === 'warn') {
+    return WARN_UX;
+  } else if (action === 'ignore') {
+    return IGNORE_UX;
+  }
+  return ERROR_UX;
+}
+//#endregion
+
+//#region exports
+
+function createIssueUXLookup(settings) {
+  const cachedUX = new Map();
+  return context => {
+    const key = context.issue.type;
+    let ux = cachedUX.get(key);
+    if (ux) {
+      return ux;
+    }
+    const entriesOrderedIssueRules = [];
+    for (const settingsEntry of settings.entries) {
+      const orderedIssueRules = [];
+      let target = settingsEntry.start;
+      while (target !== null) {
+        const resolvedTarget = settingsEntry.settings[target];
+        if (!resolvedTarget) {
+          break;
+        }
+        const issueRuleValue = resolvedTarget.issueRules?.[key];
+        if (typeof issueRuleValue !== 'undefined') {
+          orderedIssueRules.push(issueRuleValue);
+        }
+        target = resolvedTarget.deferTo ?? null;
+      }
+      entriesOrderedIssueRules.push(orderedIssueRules);
+    }
+    const defaultValue = settings.defaults.issueRules[key];
+    let resolvedDefaultValue = {
+      action: 'error'
+    };
+    if (defaultValue === false) {
+      resolvedDefaultValue = {
+        action: 'ignore'
+      };
+    } else if (defaultValue && defaultValue !== true) {
+      resolvedDefaultValue = {
+        action: defaultValue.action ?? 'error'
+      };
+    }
+    ux = resolveIssueRuleUX(entriesOrderedIssueRules, resolvedDefaultValue);
+    cachedUX.set(key, ux);
+    return ux;
+  };
+}
+
+var _interopRequireDefault = require$$0$1.default;
+Object.defineProperty(arborist, "__esModule", {
+  value: true
+});
+arborist.SafeArborist = void 0;
+arborist.installSafeArborist = installSafeArborist;
+var _nodeEvents = require$$1$2;
+var _nodeFs = require$$0;
+var _nodeHttps = require$$3$3;
+var _nodePath = require$$1;
+var _nodeReadline = require$$3;
+var _nodeStream = require$$5;
+var _promises = require$$7$1;
+var _isInteractive = _interopRequireDefault(require$$3$1);
+var _npmPackageArg = require$$5$1;
+var _yoctoSpinner = require$$3$2;
+var _semver = require$$4;
+var _config = require$$6$1;
+var _objects = require$$7;
+var _ttyServer = ttyServer$1;
+var _constants$1 = constants.constants;
+var _colorOrMarkdown = sdk.colorOrMarkdown;
+var _issueRules = issueRules;
+var _misc = sdk.misc;
+var _pathResolve = pathResolve.pathResolve;
+var _sdk = sdk.sdk;
+var _settings = sdk.settings;
+const POTENTIAL_BUG_ERROR_MESSAGE = `This is may be a bug with socket-npm related to changes to the npm CLI.\nPlease report to ${_constants$1.SOCKET_CLI_ISSUES_URL}.`;
+const npmEntrypoint = (0, _nodeFs.realpathSync)(process.argv[1]);
+const npmRootPath = (0, _pathResolve.findRoot)(_nodePath.dirname(npmEntrypoint));
+function tryRequire(...ids) {
+  for (const data of ids) {
+    let id;
+    let transformer;
+    if (Array.isArray(data)) {
+      id = data[0];
+      transformer = data[1];
+    } else {
+      id = data;
+      transformer = mod => mod;
+    }
+    try {
+      // Check that the transformed value isn't `undefined` because older
+      // versions of packages like 'proc-log' may not export a `log` method.
+      const exported = transformer(require(id));
+      if (exported !== undefined) {
+        return exported;
+      }
+    } catch {}
+  }
+  return undefined;
+}
+if (npmRootPath === undefined) {
+  console.error(`Unable to find npm CLI install directory.\nSearched parent directories of ${npmEntrypoint}.\n\n${POTENTIAL_BUG_ERROR_MESSAGE}`);
+  process.exit(127);
+}
+const npmNmPath = _nodePath.join(npmRootPath, 'node_modules');
+const arboristPkgPath = _nodePath.join(npmNmPath, '@npmcli/arborist');
+const arboristClassPath = _nodePath.join(arboristPkgPath, 'lib/arborist/index.js');
+const arboristDepValidPath = _nodePath.join(arboristPkgPath, 'lib/dep-valid.js');
+const arboristEdgeClassPath = _nodePath.join(arboristPkgPath, 'lib/edge.js');
+const arboristNodeClassPath = _nodePath.join(arboristPkgPath, 'lib/node.js');
+const arboristOverrideSetClassPatch = _nodePath.join(arboristPkgPath, 'lib/override-set.js');
+const log = tryRequire([_nodePath.join(npmNmPath, 'proc-log/lib/index.js'),
+// The proc-log DefinitelyTyped definition is incorrect. The type definition
+// is really that of its export log.
+mod => mod.log], _nodePath.join(npmNmPath, 'npmlog/lib/log.js'));
+if (log === undefined) {
+  console.error(`Unable to integrate with npm CLI logging infrastructure.\n\n${POTENTIAL_BUG_ERROR_MESSAGE}.`);
+  process.exit(127);
+}
+const pacote = tryRequire(_nodePath.join(npmNmPath, 'pacote'), 'pacote');
+const {
+  tarball
+} = pacote;
+const translations = require(_nodePath.join(_constants$1.rootPath, 'translations.json'));
+const abortController = new AbortController();
+const {
+  signal: abortSignal
+} = abortController;
+const Arborist = require(arboristClassPath);
+const depValid = require(arboristDepValidPath);
+const Edge = require(arboristEdgeClassPath);
+const Node = require(arboristNodeClassPath);
+const OverrideSet = require(arboristOverrideSetClassPatch);
+const kCtorArgs = Symbol('ctorArgs');
+const kRiskyReify = Symbol('riskyReify');
+const formatter = new _colorOrMarkdown.ColorOrMarkdown(false);
+const pubToken = (0, _sdk.getDefaultKey)() ?? _sdk.FREE_API_KEY;
+const ttyServer = (0, _ttyServer.createTTYServer)((0, _isInteractive.default)({
+  stream: process.stdin
+}), log);
+let _uxLookup;
+async function uxLookup(settings) {
+  while (_uxLookup === undefined) {
+    // eslint-disable-next-line no-await-in-loop
+    await (0, _promises.setTimeout)(1, {
+      signal: abortSignal
+    });
+  }
+  return _uxLookup(settings);
+}
+async function* batchScan(pkgIds) {
+  const query = {
+    packages: pkgIds.map(id => {
+      const {
+        name,
+        version
+      } = pkgidParts(id);
+      return {
+        eco: 'npm',
+        pkg: name,
+        ver: version,
+        top: true
+      };
+    })
+  };
+  // TODO: Migrate to SDK.
+  const pkgDataReq = _nodeHttps.request(`${_constants$1.API_V0_URL}/scan/batch`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Basic ${Buffer.from(`${pubToken}:`).toString('base64url')}`
+    },
+    signal: abortSignal
+  }).end(JSON.stringify(query));
+  const {
+    0: res
+  } = await _nodeEvents.once(pkgDataReq, 'response');
+  const ok = res.statusCode >= 200 && res.statusCode <= 299;
+  if (!ok) {
+    throw new Error(`Socket API Error: ${res.statusCode}`);
+  }
+  const rli = _nodeReadline.createInterface(res);
+  for await (const line of rli) {
+    yield JSON.parse(line);
+  }
+}
+
+// Patch adding doOverrideSetsConflict is based on
+// https://github.com/npm/cli/pull/7025.
+function doOverrideSetsConflict(first, second) {
+  // If override sets contain one another then we can try to use the more specific
+  // one. However, if neither one is more specific, then we consider them to be
+  // in conflict.
+  return findSpecificOverrideSet(first, second) === undefined;
+}
+function findSocketYmlSync() {
+  let prevDir = null;
+  let dir = process.cwd();
+  while (dir !== prevDir) {
+    let ymlPath = _nodePath.join(dir, 'socket.yml');
+    let yml = maybeReadfileSync(ymlPath);
+    if (yml === undefined) {
+      ymlPath = _nodePath.join(dir, 'socket.yaml');
+      yml = maybeReadfileSync(ymlPath);
+    }
+    if (typeof yml === 'string') {
+      try {
+        return {
+          path: ymlPath,
+          parsed: _config.parseSocketConfig(yml)
+        };
+      } catch {
+        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+      }
+    }
+    prevDir = dir;
+    dir = _nodePath.join(dir, '..');
+  }
+  return null;
+}
+
+// Patch adding findSpecificOverrideSet is based on
+// https://github.com/npm/cli/pull/7025.
+function findSpecificOverrideSet(first, second) {
+  let overrideSet = second;
+  while (overrideSet) {
+    if (overrideSet.isEqual(first)) {
+      return second;
+    }
+    overrideSet = overrideSet.parent;
+  }
+  overrideSet = first;
+  while (overrideSet) {
+    if (overrideSet.isEqual(second)) {
+      return first;
+    }
+    overrideSet = overrideSet.parent;
+  }
+  // The override sets are incomparable. Neither one contains the other.
+  log.silly('Conflicting override sets', first, second);
+  return undefined;
+}
+function maybeReadfileSync(filepath) {
+  try {
+    return (0, _nodeFs.readFileSync)(filepath, 'utf8');
+  } catch {}
+  return undefined;
+}
+async function packagesHaveRiskyIssues(safeArb, _registry, pkgs, output) {
+  const spinner = _yoctoSpinner({
+    stream: output
+  });
+  let result = false;
+  let {
+    length: remaining
+  } = pkgs;
+  if (!remaining) {
+    spinner.success('No changes detected');
+    return result;
+  }
+  const getText = () => `Looking up data for ${remaining} packages`;
+  spinner.start(getText());
+  try {
+    for await (const pkgData of batchScan(pkgs.map(p => p.pkgid))) {
+      const {
+        pkg: name,
+        ver: version
+      } = pkgData;
+      const id = `${name}@${version}`;
+      let displayWarning = false;
+      let failures = [];
+      if (pkgData.type === 'missing') {
+        result = true;
+        failures.push({
+          type: 'missingDependency',
+          block: false,
+          raw: undefined
+        });
+      } else {
+        let blocked = false;
+        for (const failure of pkgData.value.issues) {
+          const {
+            type
+          } = failure;
+          // eslint-disable-next-line no-await-in-loop
+          const ux = await uxLookup({
+            package: {
+              name,
+              version
+            },
+            issue: {
+              type
+            }
+          });
+          if (ux.block) {
+            result = true;
+            blocked = true;
+          }
+          if (ux.display) {
+            displayWarning = true;
+          }
+          if (ux.block || ux.display) {
+            failures.push({
+              type,
+              block: ux.block,
+              raw: failure
+            });
+            // Before we ask about problematic issues, check to see if they
+            // already existed in the old version if they did, be quiet.
+            const pkg = pkgs.find(p => p.pkgid === id && p.existing?.startsWith(`${name}@`));
+            if (pkg?.existing) {
+              const oldPkgData =
+              // eslint-disable-next-line no-await-in-loop
+              (await batchScan([pkg.existing]).next()).value;
+              if (oldPkgData.type === 'success') {
+                failures = failures.filter(issue => oldPkgData.value.issues.find(oldIssue => oldIssue.type === issue.type) === undefined);
+              }
+            }
+          }
+        }
+        if (!blocked) {
+          const pkg = pkgs.find(p => p.pkgid === id);
+          if (pkg) {
+            await tarball.stream(id, stream => {
+              stream.resume();
+              return stream.promise();
+            }, {
+              ...safeArb[kCtorArgs][0]
+            });
+          }
+        }
+      }
+      if (displayWarning) {
+        spinner.stop(`(socket) ${formatter.hyperlink(id, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:`);
+        // Filter issues for blessed packages.
+        if (name === 'socket' || name.startsWith('@socketregistry/') || name.startsWith('@socketsecurity/')) {
+          failures = failures.filter(({
+            type
+          }) => type !== 'unpopularPackage' && type !== 'unstableOwnership');
+        }
+        failures.sort((a, b) => a.type < b.type ? -1 : 1);
+        const lines = new Set();
+        for (const failure of failures) {
+          const {
+            type
+          } = failure;
+          // Based data from { pageProps: { alertTypes } } of:
+          // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
+          const info = translations.issues[type];
+          const title = info?.title ?? type;
+          const maybeBlocking = failure.block ? '' : ' (non-blocking)';
+          const maybeDesc = info?.description ? ` - ${info.description}` : '';
+          // TODO: emoji seems to mis-align terminals sometimes
+          lines.add(`  ${title}${maybeBlocking}${maybeDesc}\n`);
+        }
+        for (const line of lines) {
+          output?.write(line);
+        }
+        spinner.start();
+      }
+      remaining -= 1;
+      spinner.text = remaining > 0 ? getText() : '';
+    }
+    return result;
+  } finally {
+    spinner.stop();
+  }
+}
+function pkgidParts(pkgid) {
+  const delimiter = pkgid.lastIndexOf('@');
+  const name = pkgid.slice(0, delimiter);
+  const version = pkgid.slice(delimiter + 1);
+  return {
+    name,
+    version
+  };
+}
+function toRepoUrl(resolved) {
+  return resolved.replace(/#[\s\S]*$/, '').replace(/\?[\s\S]*$/, '').replace(/\/[^/]*\/-\/[\s\S]*$/, '');
+}
+function walk(diff_, needInfoOn = []) {
+  const queue = [diff_];
+  let pos = 0;
+  let {
+    length: queueLength
+  } = queue;
+  while (pos < queueLength) {
+    if (pos === _constants$1.LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop while walking Arborist diff');
+    }
+    const diff = queue[pos++];
+    if (!diff) {
+      continue;
+    }
+    if (diff.action) {
+      const sameVersion = diff.actual?.package.version === diff.ideal?.package.version;
+      let keep = false;
+      let existing = null;
+      if (diff.action === 'CHANGE') {
+        if (!sameVersion) {
+          existing = diff.actual.pkgid;
+          keep = true;
+        }
+      } else {
+        keep = diff.action !== 'REMOVE';
+      }
+      if (keep && diff.ideal?.pkgid && diff.ideal.resolved && (!diff.actual || diff.actual.resolved)) {
+        needInfoOn.push({
+          existing,
+          pkgid: diff.ideal.pkgid,
+          repository_url: toRepoUrl(diff.ideal.resolved)
+        });
+      }
+    }
+    if (diff.children) {
+      for (const child of diff.children) {
+        queue[queueLength++] = child;
+      }
+    }
+  }
+  return needInfoOn;
+}
+
+// The Edge class makes heavy use of private properties which subclasses do NOT
+// have access to. So we have to recreate any functionality that relies on those
+// private properties and use our own "safe" prefixed non-conflicting private
+// properties. Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/edge.js.
+//
+// The npm application
+// Copyright (c) npm, Inc. and Contributors
+// Licensed on the terms of The Artistic License 2.0
+//
+// An edge in the dependency graph.
+// Represents a dependency relationship of some kind.
+class SafeEdge extends Edge {
+  #safeAccept;
+  #safeError;
+  #safeExplanation;
+  #safeFrom;
+  #safeName;
+  #safeTo;
+  constructor(options) {
+    const {
+      accept,
+      from,
+      name
+    } = options;
+    // Defer to supper to validate options and assign non-private values.
+    super(options);
+    if (accept !== undefined) {
+      this.#safeAccept = accept || '*';
+    }
+    this.#safeError = null;
+    this.#safeExplanation = null;
+    this.#safeFrom = from;
+    this.#safeName = name;
+    this.#safeTo = null;
+    this.reload(true);
+  }
+  get accept() {
+    return this.#safeAccept;
+  }
+  get bundled() {
+    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+  }
+  get error() {
+    if (!this.#safeError) {
+      if (!this.#safeTo) {
+        if (this.optional) {
+          this.#safeError = null;
+        } else {
+          this.#safeError = 'MISSING';
+        }
+      } else if (this.peer && this.#safeFrom === this.#safeTo.parent && !this.#safeFrom?.isTop) {
+        this.#safeError = 'PEER LOCAL';
+      } else if (!this.satisfiedBy(this.#safeTo)) {
+        this.#safeError = 'INVALID';
+      }
+      // Patch adding "else if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      else if (this.overrides && this.#safeTo.edgesOut.size && doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
+        // Any inconsistency between the edge's override set and the target's
+        // override set is potentially problematic. But we only say the edge is
+        // in error if the override sets are plainly conflicting. Note that if
+        // the target doesn't have any dependencies of their own, then this
+        // inconsistency is irrelevant.
+        this.#safeError = 'INVALID';
+      } else {
+        this.#safeError = 'OK';
+      }
+    }
+    if (this.#safeError === 'OK') {
+      return null;
+    }
+    return this.#safeError;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get from() {
+    return this.#safeFrom;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get spec() {
+    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
+      // Patch adding "if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      //
+      // If this edge has the same overrides field as the source, then we're not
+      // applying an override for this edge.
+      if (this.overrides === this.#safeFrom?.overrides) {
+        // The Edge rawSpec getter will retrieve the private Edge #spec property.
+        return this.rawSpec;
+      }
+      if (this.overrides.value.startsWith('$')) {
+        const ref = this.overrides.value.slice(1);
+        // We may be a virtual root, if we are we want to resolve reference
+        // overrides from the real root, not the virtual one.
+        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom.sourceReference.root.package : this.#safeFrom?.root?.package;
+        if (pkg?.devDependencies?.[ref]) {
+          return pkg.devDependencies[ref];
+        }
+        if (pkg?.optionalDependencies?.[ref]) {
+          return pkg.optionalDependencies[ref];
+        }
+        if (pkg?.dependencies?.[ref]) {
+          return pkg.dependencies[ref];
+        }
+        if (pkg?.peerDependencies?.[ref]) {
+          return pkg.peerDependencies[ref];
+        }
+        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
+      }
+      return this.overrides.value;
+    }
+    return this.rawSpec;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get to() {
+    return this.#safeTo;
+  }
+  detach() {
+    this.#safeExplanation = null;
+    // Patch replacing
+    // if (this.#safeTo) {
+    //   this.#safeTo.edgesIn.delete(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    this.#safeTo?.deleteEdgeIn(this);
+    this.#safeFrom?.edgesOut.delete(this.name);
+    this.#safeTo = null;
+    this.#safeError = 'DETACHED';
+    this.#safeFrom = null;
+  }
+
+  // Return the edge data, and an explanation of how that edge came to be here.
+  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
+  explain() {
+    if (!this.#safeExplanation) {
+      const explanation = {
+        type: this.type,
+        name: this.name,
+        spec: this.spec,
+        bundled: false,
+        overridden: false,
+        error: undefined,
+        from: undefined,
+        rawSpec: undefined
+      };
+      if (this.rawSpec !== this.spec) {
+        explanation.rawSpec = this.rawSpec;
+        explanation.overridden = true;
+      }
+      if (this.bundled) {
+        explanation.bundled = this.bundled;
+      }
+      if (this.error) {
+        explanation.error = this.error;
+      }
+      if (this.#safeFrom) {
+        explanation.from = this.#safeFrom.explain();
+      }
+      this.#safeExplanation = explanation;
+    }
+    return this.#safeExplanation;
+  }
+  reload(hard = false) {
+    this.#safeExplanation = null;
+
+    // Patch adding newOverrideSet and oldOverrideSet is based on
+    // https://github.com/npm/cli/pull/7025.
+    let newOverrideSet;
+    let oldOverrideSet;
+    if (this.#safeFrom?.overrides) {
+      // Patch replacing
+      // this.overrides = this.#safeFrom.overrides.getEdgeRule(this)
+      // is based on https://github.com/npm/cli/pull/7025.
+      const newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
+      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
+        // If there's a new different override set we need to propagate it to
+        // the nodes. If we're deleting the override set then there's no point
+        // propagating it right now since it will be filled with another value
+        // later.
+        oldOverrideSet = this.overrides;
+        this.overrides = newOverrideSet;
+      }
+    } else {
+      this.overrides = undefined;
+    }
+    const newTo = this.#safeFrom?.resolve(this.name);
+    if (newTo !== this.#safeTo) {
+      if (this.#safeTo) {
+        // Patch replacing
+        // this.#safeTo.edgesIn.delete(this)
+        // is based on https://github.com/npm/cli/pull/7025.
+        this.#safeTo.deleteEdgeIn(this);
+      }
+      this.#safeTo = newTo ?? null;
+      this.#safeError = null;
+      if (this.#safeTo) {
+        this.#safeTo.addEdgeIn(this);
+      }
+    } else if (hard) {
+      this.#safeError = null;
+    }
+    // Patch adding "else if" condition based on
+    // https://github.com/npm/cli/pull/7025
+    else if (oldOverrideSet) {
+      // Propagate the new override set to the target node.
+      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
+      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
+    }
+  }
+  satisfiedBy(node) {
+    // Patch replacing
+    // if (node.name !== this.#name) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (node.name !== this.#safeName || !this.#safeFrom) {
+      return false;
+    }
+    // NOTE: this condition means we explicitly do not support overriding
+    // bundled or shrinkwrapped dependencies
+    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+      return depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom);
+    }
+    // Patch replacing
+    // return depValid(node, this.spec, this.#accept, this.#from)
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If there's no override we just use the spec.
+    if (!this.overrides?.keySpec) {
+      return depValid(node, this.spec, this.#safeAccept, this.#safeFrom);
+    }
+    // There's some override. If the target node satisfies the overriding spec
+    // then it's okay.
+    if (depValid(node, this.spec, this.#safeAccept, this.#safeFrom)) {
+      return true;
+    }
+    // If it doesn't, then it should at least satisfy the original spec.
+    if (!depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom)) {
+      return false;
+    }
+    // It satisfies the original spec, not the overriding spec. We need to make
+    // sure it doesn't use the overridden spec.
+    // For example, we might have an ^8.0.0 rawSpec, and an override that makes
+    // keySpec=8.23.0 and the override value spec=9.0.0.
+    // If the node is 9.0.0, then it's okay because it's consistent with spec.
+    // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
+    // If the node is 8.23.0, then it's not okay because even though it's consistent
+    // with the rawSpec, it's also consistent with the keySpec.
+    // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
+    return !depValid(node, this.overrides.keySpec, this.#safeAccept, this.#safeFrom);
+  }
+}
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/node.js:
+class SafeNode extends Node {
+  // Return true if it's safe to remove this node, because anything that is
+  // depending on it would be fine with the thing that they would resolve to if
+  // it was removed, or nothing is depending on it in the first place.
+  canDedupe(preferDedupe = false) {
+    // Not allowed to mess with shrinkwraps or bundles.
+    if (this.inDepBundle || this.inShrinkwrap) {
+      return false;
+    }
+    // It's a top level pkg, or a dep of one.
+    if (!this.resolveParent?.resolveParent) {
+      return false;
+    }
+    // No one wants it, remove it.
+    if (this.edgesIn.size === 0) {
+      return true;
+    }
+    const other = this.resolveParent.resolveParent.resolve(this.name);
+    // Nothing else, need this one.
+    if (!other) {
+      return false;
+    }
+    // If it's the same thing, then always fine to remove.
+    if (other.matches(this)) {
+      return true;
+    }
+    // If the other thing can't replace this, then skip it.
+    if (!other.canReplace(this)) {
+      return false;
+    }
+    // Patch replacing
+    // if (preferDedupe || semver.gte(other.version, this.version)) {
+    //   return true
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If we prefer dedupe, or if the version is equal, take the other.
+    if (preferDedupe || _semver.eq(other.version, this.version)) {
+      return true;
+    }
+    // If our current version isn't the result of an override, then prefer to
+    // take the greater version.
+    if (!this.overridden && _semver.gt(other.version, this.version)) {
+      return true;
+    }
+    return false;
+  }
+
+  // Is it safe to replace one node with another?  check the edges to
+  // make sure no one will get upset.  Note that the node might end up
+  // having its own unmet dependencies, if the new node has new deps.
+  // Note that there are cases where Arborist will opt to insert a node
+  // into the tree even though this function returns false!  This is
+  // necessary when a root dependency is added or updated, or when a
+  // root dependency brings peer deps along with it.  In that case, we
+  // will go ahead and create the invalid state, and then try to resolve
+  // it with more tree construction, because it's a user request.
+  canReplaceWith(node, ignorePeers) {
+    if (this.name !== node.name || this.packageName !== node.packageName) {
+      return false;
+    }
+    // Patch replacing
+    // if (node.overrides !== this.overrides) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If this node has no dependencies, then it's irrelevant to check the
+    // override rules of the replacement node.
+    if (this.edgesOut.size) {
+      // XXX need to check for two root nodes?
+      if (node.overrides) {
+        if (!node.overrides.isEqual(this.overrides)) {
+          return false;
+        }
+      } else {
+        if (this.overrides) {
+          return false;
+        }
+      }
+    }
+    // To satisfy the patch we ensure `node.overrides === this.overrides`
+    // so that the condition we want to replace,
+    // if (this.overrides !== node.overrides) {
+    // , is not hit.`
+    const oldOverrideSet = this.overrides;
+    let result = true;
+    if (oldOverrideSet !== node.overrides) {
+      this.overrides = node.overrides;
+    }
+    try {
+      result = super.canReplaceWith(node, ignorePeers);
+      this.overrides = oldOverrideSet;
+    } catch (e) {
+      this.overrides = oldOverrideSet;
+      throw e;
+    }
+    return result;
+  }
+  deleteEdgeIn(edge) {
+    this.edgesIn.delete(edge);
+    const {
+      overrides
+    } = edge;
+    if (overrides) {
+      this.updateOverridesEdgeInRemoved(overrides);
+    }
+  }
+  addEdgeIn(edge) {
+    // Patch replacing
+    // if (edge.overrides) {
+    //   this.overrides = edge.overrides
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // We need to handle the case where the new edge in has an overrides field
+    // which is different from the current value.
+    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
+      this.updateOverridesEdgeInAdded(edge.overrides);
+    }
+    this.edgesIn.add(edge);
+    // Try to get metadata from the yarn.lock file.
+    this.root.meta?.addEdge(edge);
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get overridden() {
+    // Patch replacing
+    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
+      return false;
+    }
+    // The overrides rule is for a package with this name, but some override rules
+    // only apply to specific versions. To make sure this package was actually
+    // overridden, we check whether any edge going in had the rule applied to it,
+    // in which case its overrides set is different than its source node.
+    for (const edge of this.edgesIn) {
+      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
+        if (!edge.overrides?.isEqual(edge.from?.overrides)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  // Patch adding recalculateOutEdgesOverrides is based on
+  // https://github.com/npm/cli/pull/7025.
+  recalculateOutEdgesOverrides() {
+    // For each edge out propagate the new overrides through.
+    for (const edge of this.edgesOut.values()) {
+      edge.reload(true);
+      if (edge.to) {
+        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+      }
+    }
+  }
+
+  // @ts-ignore: Incorrectly typed to accept null.
+  set root(newRoot) {
+    // Patch removing
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    //   this.overrides = this.parent.overrides.getNodeRule(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // The "root" setter is a really large and complex function. To satisfy the
+    // patch we add a dummy value to `this.overrides` so that the condition we
+    // want to remove,
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    // , is not hit.
+    if (!this.overrides) {
+      this.overrides = new OverrideSet({
+        overrides: ''
+      });
+    }
+    try {
+      super.root = newRoot;
+      this.overrides = undefined;
+    } catch (e) {
+      this.overrides = undefined;
+      throw e;
+    }
+  }
+
+  // Patch adding updateOverridesEdgeInAdded is based on
+  // https://github.com/npm/cli/pull/7025.
+  //
+  // This logic isn't perfect either. When we have two edges in that have
+  // different override sets, then we have to decide which set is correct. This
+  // function assumes the more specific override set is applicable, so if we have
+  // dependencies A->B->C and A->C and an override set that specifies what happens
+  // for C under A->B, this will work even if the new A->C edge comes along and
+  // tries to change the override set. The strictly correct logic is not to allow
+  // two edges with different overrides to point to the same node, because even
+  // if this node can satisfy both, one of its dependencies might need to be
+  // different depending on the edge leading to it. However, this might cause a
+  // lot of duplication, because the conflict in the dependencies might never
+  // actually happen.
+  updateOverridesEdgeInAdded(otherOverrideSet) {
+    if (!otherOverrideSet) {
+      // Assuming there are any overrides at all, the overrides field is never
+      // undefined for any node at the end state of the tree. So if the new edge's
+      // overrides is undefined it will be updated later. So we can wait with
+      // updating the node's overrides field.
+      return false;
+    }
+    if (!this.overrides) {
+      this.overrides = otherOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    if (this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    const newOverrideSet = findSpecificOverrideSet(this.overrides, otherOverrideSet);
+    if (newOverrideSet) {
+      if (this.overrides.isEqual(newOverrideSet)) {
+        return false;
+      }
+      this.overrides = newOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    // This is an error condition. We can only get here if the new override set
+    // is in conflict with the existing.
+    log.silly('Conflicting override sets', this.name);
+    return false;
+  }
+
+  // Patch adding updateOverridesEdgeInRemoved is based on
+  // https://github.com/npm/cli/pull/7025.
+  updateOverridesEdgeInRemoved(otherOverrideSet) {
+    // If this edge's overrides isn't equal to this node's overrides,
+    // then removing it won't change newOverrideSet later.
+    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    let newOverrideSet;
+    for (const edge of this.edgesIn) {
+      const {
+        overrides: edgeOverrides
+      } = edge;
+      if (newOverrideSet && edgeOverrides) {
+        newOverrideSet = findSpecificOverrideSet(edgeOverrides, newOverrideSet);
+      } else {
+        newOverrideSet = edgeOverrides;
+      }
+    }
+    if (this.overrides.isEqual(newOverrideSet)) {
+      return false;
+    }
+    this.overrides = newOverrideSet;
+    if (newOverrideSet) {
+      // Optimization: If there's any override set at all, then no non-extraneous
+      // node has an empty override set. So if we temporarily have no override set
+      // (for example, we removed all the edges in), there's no use updating all
+      // the edges out right now. Let's just wait until we have an actual override
+      // set later.
+      this.recalculateOutEdgesOverrides();
+    }
+    return true;
+  }
+}
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/override-set.js:
+class SafeOverrideSet extends OverrideSet {
+  // Patch adding childrenAreEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  childrenAreEqual(otherOverrideSet) {
+    const queue = [[this, otherOverrideSet]];
+    let pos = 0;
+    let {
+      length: queueLength
+    } = queue;
+    while (pos < queueLength) {
+      if (pos === _constants$1.LOOP_SENTINEL) {
+        throw new Error('Detected infinite loop while comparing override sets');
+      }
+      const {
+        0: currSet,
+        1: currOtherSet
+      } = queue[pos++];
+      const {
+        children
+      } = currSet;
+      const {
+        children: otherChildren
+      } = currOtherSet;
+      if (children.size !== otherChildren.size) {
+        return false;
+      }
+      for (const key of children.keys()) {
+        if (!otherChildren.has(key)) {
+          return false;
+        }
+        const child = children.get(key);
+        const otherChild = otherChildren.get(key);
+        if (child.value !== otherChild.value) {
+          return false;
+        }
+        queue[queueLength++] = [child, otherChild];
+      }
+    }
+    return true;
+  }
+  getEdgeRule(edge) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== edge.name) {
+        continue;
+      }
+      // If keySpec is * we found our override.
+      if (rule.keySpec === '*') {
+        return rule;
+      }
+      // Patch replacing
+      // let spec = npa(`${edge.name}@${edge.spec}`)
+      // is based on https://github.com/npm/cli/pull/7025.
+      //
+      // We need to use the rawSpec here, because the spec has the overrides
+      // applied to it already.
+      let spec = _npmPackageArg(`${edge.name}@${edge.rawSpec}`);
+      if (spec.type === 'alias') {
+        spec = spec.subSpec;
+      }
+      if (spec.type === 'git') {
+        if (spec.gitRange && rule.keySpec && _semver.intersects(spec.gitRange, rule.keySpec)) {
+          return rule;
+        }
+        continue;
+      }
+      if (spec.type === 'range' || spec.type === 'version') {
+        if (rule.keySpec && _semver.intersects(spec.fetchSpec, rule.keySpec)) {
+          return rule;
+        }
+        continue;
+      }
+      // If we got this far, the spec type is one of tag, directory or file
+      // which means we have no real way to make version comparisons, so we
+      // just accept the override.
+      return rule;
+    }
+    return this;
+  }
+
+  // Patch adding isEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  isEqual(otherOverrideSet) {
+    if (this === otherOverrideSet) {
+      return true;
+    }
+    if (!otherOverrideSet) {
+      return false;
+    }
+    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
+      return false;
+    }
+    if (!this.childrenAreEqual(otherOverrideSet)) {
+      return false;
+    }
+    if (!this.parent) {
+      return !otherOverrideSet.parent;
+    }
+    return this.parent.isEqual(otherOverrideSet.parent);
+  }
+}
+
+// Implementation code not related to our custom behavior is based on
+// https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/arborist/index.js:
+class SafeArborist extends Arborist {
+  constructor(...ctorArgs) {
+    const mutedArguments = [{
+      ...ctorArgs[0],
+      audit: true,
+      dryRun: true,
+      ignoreScripts: true,
+      save: false,
+      saveBundle: false,
+      // progress: false,
+      fund: false
+    }, ctorArgs.slice(1)];
+    super(...mutedArguments);
+    this[kCtorArgs] = ctorArgs;
+  }
+  async [kRiskyReify](...args) {
+    // SafeArborist has suffered side effects and must be rebuilt from scratch.
+    const arb = new Arborist(...this[kCtorArgs]);
+    const ret = await arb.reify(...args);
+    Object.assign(this, arb);
+    return ret;
+  }
+
+  // @ts-ignore Incorrectly typed.
+  async reify(...args) {
+    const options = args[0] ? {
+      ...args[0]
+    } : {};
+    if (options.dryRun) {
+      return await this[kRiskyReify](...args);
+    }
+    const old = {
+      ...options,
+      dryRun: false,
+      save: Boolean(options['save'] ?? true),
+      saveBundle: Boolean(options['saveBundle'] ?? false)
+    };
+    args[0] = options;
+    options.dryRun = true;
+    options['save'] = false;
+    options['saveBundle'] = false;
+    // TODO: Make this deal w/ any refactor to private fields by punching the
+    // class itself.
+    await super.reify(...args);
+    const diff = walk(this['diff']);
+    options.dryRun = old.dryRun;
+    options['save'] = old.save;
+    options['saveBundle'] = old.saveBundle;
+    // Nothing to check, mmm already installed or all private?
+    if (diff.findIndex(c => c.repository_url === _constants$1.NPM_REGISTRY_URL) === -1) {
+      return await this[kRiskyReify](...args);
+    }
+    let proceed = _constants$1.ENV[_constants$1.UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE];
+    if (!proceed) {
+      proceed = await ttyServer.captureTTY(async (input, output) => {
+        if (input && output) {
+          const risky = await packagesHaveRiskyIssues(this, this['registry'], diff, output);
+          if (!risky) {
+            return true;
+          }
+          const rlin = new _nodeStream.PassThrough();
+          input.pipe(rlin);
+          const rlout = new _nodeStream.PassThrough();
+          rlout.pipe(output, {
+            end: false
+          });
+          const rli = _nodeReadline.createInterface(rlin, rlout);
+          try {
+            while (true) {
+              // eslint-disable-next-line no-await-in-loop
+              const answer = await new Promise(resolve => {
+                rli.question('Accept risks of installing these packages (y/N)?\n', {
+                  signal: abortSignal
+                }, resolve);
+              });
+              if (/^\s*y(?:es)?\s*$/i.test(answer)) {
+                return true;
+              }
+              if (/^(?:\s*no?\s*|)$/i.test(answer)) {
+                return false;
+              }
+            }
+          } finally {
+            rli.close();
+          }
+        } else if (await packagesHaveRiskyIssues(this, this['registry'], diff, output)) {
+          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so');
+        }
+        return true;
+      });
+    }
+    if (proceed) {
+      return await this[kRiskyReify](...args);
+    } else {
+      throw new Error('Socket npm exiting due to risks');
+    }
+  }
+}
+arborist.SafeArborist = SafeArborist;
+function installSafeArborist() {
+  const cache = require.cache;
+  cache[arboristClassPath] = {
+    exports: SafeArborist
+  };
+  cache[arboristEdgeClassPath] = {
+    exports: SafeEdge
+  };
+  cache[arboristNodeClassPath] = {
+    exports: SafeNode
+  };
+  cache[arboristOverrideSetClassPatch] = {
+    exports: SafeOverrideSet
+  };
+}
+void (async () => {
+  const remoteSettings = await (async () => {
+    try {
+      const socketSdk = await (0, _sdk.setupSdk)(pubToken);
+      const orgResult = await socketSdk.getOrganizations();
+      if (!orgResult.success) {
+        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
+      }
+      const orgs = [];
+      for (const org of Object.values(orgResult.data.organizations)) {
+        if (org) {
+          orgs.push(org);
+        }
+      }
+      const result = await socketSdk.postSettings(orgs.map(org => ({
+        organization: org.id
+      })));
+      if (!result.success) {
+        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
+      }
+      return {
+        orgs,
+        settings: result.data
+      };
+    } catch (e) {
+      if ((0, _objects.isObject)(e) && 'cause' in e) {
+        const {
+          cause
+        } = e;
+        if ((0, _misc.isErrnoException)(cause)) {
+          if (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED') {
+            throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
+              cause: e
+            });
+          }
+        }
+      }
+      throw e;
+    }
+  })();
+  const {
+    orgs,
+    settings
+  } = remoteSettings;
+  const enforcedOrgs = (0, _settings.getSetting)('enforcedOrgs') ?? [];
+
+  // Remove any organizations not being enforced.
+  for (const {
+    0: i,
+    1: org
+  } of orgs.entries()) {
+    if (!enforcedOrgs.includes(org.id)) {
+      settings.entries.splice(i, 1);
+    }
+  }
+  const socketYml = findSocketYmlSync();
+  if (socketYml) {
+    settings.entries.push({
+      start: socketYml.path,
+      settings: {
+        [socketYml.path]: {
+          deferTo: null,
+          // TODO: TypeScript complains about the type not matching. We should
+          // figure out why are providing
+          // issueRules: { [issueName: string]: boolean }
+          // but expecting
+          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
+          issueRules: socketYml.parsed.issueRules
+        }
+      }
+    });
+  }
+  _uxLookup = (0, _issueRules.createIssueUXLookup)(settings);
+})();
+
+var _constants = constants.constants;
+var _arborist = arborist;
+var _link = link.link;
+// Shadow `npm` and `npx` to mitigate subshells.
+(0, _link.installLinks)(_constants.shadowBinPath, 'npm');
+(0, _arborist.installSafeArborist)();
+
+(function (exports) {
+
+	var _interopRequireWildcard = require$$0$2.default;
+	Object.defineProperty(exports, "__esModule", {
+	  value: true
+	});
+	var _exportNames = {};
+	Object.defineProperty(exports, "default", {
+	  enumerable: true,
+	  get: function () {
+	    return _npmInjection.default;
+	  }
+	});
+	var _npmInjection = _interopRequireWildcard(npmInjection$1, true);
+	Object.keys(_npmInjection).forEach(function (key) {
+	  if (key === "default" || key === "__esModule") return;
+	  if (Object.prototype.hasOwnProperty.call(_exportNames, key)) return;
+	  if (key in exports && exports[key] === _npmInjection[key]) return;
+	  Object.defineProperty(exports, key, {
+	    enumerable: true,
+	    get: function () {
+	      return _npmInjection[key];
+	    }
+	  });
+	}); 
+} (npmInjection$2));
+
+var npmInjection = /*@__PURE__*/constants.getDefaultExportFromCjs(npmInjection$2);
+
+module.exports = npmInjection;