@socketsecurity/cli 0.14.35 → 0.14.37

package/dist/require/cli.js

@@ -23,8 +23,8 @@ var constants = require('./constants.js');
 var yoctoSpinner = require('@socketregistry/yocto-spinner');
 var sdk = require('./sdk.js');
 var prompts = require('@socketsecurity/registry/lib/prompts');
-var spawn = _socketInterop(require('@npmcli/promise-spawn'));
 var fs$1 = require('node:fs/promises');
+var spawn = _socketInterop(require('@npmcli/promise-spawn'));
 var npa = _socketInterop(require('npm-package-arg'));
 var semver = _socketInterop(require('semver'));
 var tinyglobby = _socketInterop(require('tinyglobby'));
@@ -38,10 +38,9 @@ var strings = require('@socketsecurity/registry/lib/strings');
 var browserslist = _socketInterop(require('browserslist'));
 var which = _socketInterop(require('which'));
 var hyrious__bun_lockb = require('@socketregistry/hyrious__bun.lockb');
-var registryConstants = require('@socketsecurity/registry/lib/constants');
+var pathResolve = require('./path-resolve.js');
 var betterAjvErrors = _socketInterop(require('@apideck/better-ajv-errors'));
 var config = require('@socketsecurity/config');
-var pathResolve = require('./path-resolve.js');
 var os = require('node:os');
 var readline = require('node:readline');
 var process$1 = require('node:process');
@@ -55,6 +54,8 @@ var require$$0$1 = require('node:util');
 var TableWidget = _socketInterop(require('blessed-contrib/lib/widget/table'));
 
 const {
+  NPM: NPM$4,
+  PNPM: PNPM$2,
   cdxgenBinPath,
   synpBinPath
 } = constants;
@@ -67,7 +68,7 @@ const {
 } = process.env;
 const toLower = arg => arg.toLowerCase();
 const arrayToLower = arg => arg.map(toLower);
-const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', 'npm', 'pnpm', 'ts', 'tsx', 'typescript']);
+const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$4, PNPM$2, 'ts', 'tsx', 'typescript']);
 const yargsConfig = {
   configuration: {
     'camel-case-expansion': false,
@@ -178,13 +179,13 @@ const cdxgen = {
     let cleanupPackageLock = false;
     if (yargv.type !== 'yarn' && nodejsPlatformTypes.has(yargv.type) && fs.existsSync('./yarn.lock')) {
       if (fs.existsSync('./package-lock.json')) {
-        yargv.type = 'npm';
+        yargv.type = NPM$4;
       } else {
         // Use synp to create a package-lock.json from the yarn.lock,
         // based on the node_modules folder, for a more accurate SBOM.
         try {
           await npm$1.runBin(await fs.promises.realpath(synpBinPath), ['--source-file', './yarn.lock']);
-          yargv.type = 'npm';
+          yargv.type = NPM$4;
           cleanupPackageLock = true;
         } catch {}
       }
@@ -569,7 +570,7 @@ function formatScore(score) {
 const {
   SOCKET_PUBLIC_API_KEY
 } = constants;
-const description$7 = 'Socket API login';
+const description$5 = 'Socket API login';
 const flags = {
   apiBaseUrl: {
     type: 'string',
@@ -584,7 +585,7 @@ function nonNullish(value) {
   return value !== null && value !== undefined;
 }
 const login = {
-  description: description$7,
+  description: description$5,
   async run(argv, importMeta, {
     parentName
   }) {
@@ -605,7 +606,7 @@ const login = {
         $ ${name}
     `, {
       argv,
-      description: description$7,
+      description: description$5,
       importMeta,
       flags
     });
@@ -681,9 +682,9 @@ const login = {
   }
 };
 
-const description$6 = 'Socket API logout';
+const description$4 = 'Socket API logout';
 const logout = {
-  description: description$6,
+  description: description$4,
   async run(argv, importMeta, {
     parentName
   }) {
@@ -698,7 +699,7 @@ const logout = {
         $ ${name}
     `, {
       argv,
-      description: description$6,
+      description: description$4,
       importMeta
     });
     let showHelp = cli.flags['help'];
@@ -718,58 +719,26 @@ const logout = {
 };
 
 const {
-  abortSignal: abortSignal$4,
-  execPath: execPath$2,
-  rootBinPath: rootBinPath$2
+  NPM: NPM$3
 } = constants;
-const description$5 = 'npm wrapper functionality';
 const npm = {
-  description: description$5,
-  async run(argv, _importMeta, _ctx) {
-    const wrapperPath = path.join(rootBinPath$2, 'npm-cli.js');
-    process.exitCode = 1;
-    const spawnPromise = spawn(execPath$2, [
-    // Lazily access constants.nodeNoWarningsFlags.
-    ...constants.nodeNoWarningsFlags, wrapperPath, ...argv], {
-      signal: abortSignal$4,
-      stdio: 'inherit'
-    });
-    spawnPromise.process.on('exit', (code, signal) => {
-      if (signal) {
-        process.kill(process.pid, signal);
-      } else if (code !== null) {
-        process.exit(code);
-      }
-    });
-    await spawnPromise;
+  description: `${NPM$3} wrapper functionality`,
+  async run(argv) {
+    // Lazily access constants.distPath.
+    const shadowBin = require(`${constants.distPath}/shadow-bin.js`);
+    await shadowBin(NPM$3, argv);
   }
 };
 
 const {
-  abortSignal: abortSignal$3,
-  execPath: execPath$1,
-  rootBinPath: rootBinPath$1
+  NPX: NPX$1
 } = constants;
-const description$4 = 'npx wrapper functionality';
 const npx = {
-  description: description$4,
-  async run(argv, _importMeta, _ctx) {
-    const wrapperPath = path.join(rootBinPath$1, 'npx-cli.js');
-    process.exitCode = 1;
-    const spawnPromise = spawn(execPath$1, [
-    // Lazily access constants.nodeNoWarningsFlags.
-    ...constants.nodeNoWarningsFlags, wrapperPath, ...argv], {
-      abortSignal: abortSignal$3,
-      stdio: 'inherit'
-    });
-    spawnPromise.process.on('exit', (code, signal) => {
-      if (signal) {
-        process.kill(process.pid, signal);
-      } else if (code !== null) {
-        process.exit(code);
-      }
-    });
-    await spawnPromise;
+  description: `${NPX$1} wrapper functionality`,
+  async run(argv) {
+    // Lazily access constants.distPath.
+    const shadowBin = require(`${constants.distPath}/shadow-bin.js`);
+    await shadowBin(NPX$1, argv);
   }
 };
 
@@ -815,7 +784,17 @@ async function readFileUtf8(filepath, options) {
   });
 }
 
-const AGENTS = ['bun', 'npm', 'pnpm', 'yarn/berry', 'yarn/classic', 'vlt'];
+const {
+  BINARY_LOCK_EXT,
+  BUN: BUN$1,
+  LOCK_EXT: LOCK_EXT$1,
+  NPM: NPM$2,
+  PNPM: PNPM$1,
+  VLT: VLT$1,
+  YARN_BERRY: YARN_BERRY$1,
+  YARN_CLASSIC: YARN_CLASSIC$1
+} = constants;
+const AGENTS = [BUN$1, NPM$2, PNPM$1, YARN_BERRY$1, YARN_CLASSIC$1, VLT$1];
 const {
   compare: alphanumericComparator
 } = new Intl.Collator(undefined, {
@@ -838,56 +817,64 @@ async function getAgentVersion(agentExecPath, cwd) {
   } catch {}
   return result;
 }
+
+// The order of LOCKS properties IS significant as it affects iteration order.
 const LOCKS = {
-  'bun.lockb': 'bun',
+  [`bun${LOCK_EXT$1}`]: BUN$1,
+  [`bun${BINARY_LOCK_EXT}`]: BUN$1,
   // If both package-lock.json and npm-shrinkwrap.json are present in the root
   // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
   // will be ignored.
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
-  'npm-shrinkwrap.json': 'npm',
-  'package-lock.json': 'npm',
-  'pnpm-lock.yaml': 'pnpm',
-  'pnpm-lock.yml': 'pnpm',
-  'yarn.lock': 'yarn/classic',
-  'vlt-lock.json': 'vlt',
-  // Look for a hidden lock file if .npmrc has package-lock=false:
+  'npm-shrinkwrap.json': NPM$2,
+  'package-lock.json': NPM$2,
+  'pnpm-lock.yaml': PNPM$1,
+  'pnpm-lock.yml': PNPM$1,
+  [`yarn${LOCK_EXT$1}`]: YARN_CLASSIC$1,
+  'vlt-lock.json': VLT$1,
+  // Lastly, look for a hidden lock file which is present if .npmrc has package-lock=false:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
   //
   // Unlike the other LOCKS keys this key contains a directory AND filename so
   // it has to be handled differently.
-  'node_modules/.package-lock.json': 'npm'
+  'node_modules/.package-lock.json': NPM$2
 };
 const readLockFileByAgent = (() => {
   function wrapReader(reader) {
-    return async (lockPath, agentExecPath) => {
+    return async (...args) => {
       try {
-        return await reader(lockPath, agentExecPath);
+        return await reader(...args);
       } catch {}
       return undefined;
     };
   }
+  const binaryReader = wrapReader(readFileBinary);
   const defaultReader = wrapReader(async lockPath => await readFileUtf8(lockPath));
   return {
-    bun: wrapReader(async (lockPath, agentExecPath) => {
-      let lockBuffer;
-      try {
-        lockBuffer = await readFileBinary(lockPath);
-      } catch {
-        return undefined;
+    [BUN$1]: wrapReader(async (lockPath, agentExecPath) => {
+      const ext = path.extname(lockPath);
+      if (ext === LOCK_EXT$1) {
+        return await defaultReader(lockPath);
       }
-      try {
-        return hyrious__bun_lockb.parse(lockBuffer);
-      } catch {}
-      // To print a Yarn lockfile to your console without writing it to disk
-      // use `bun bun.lockb`.
-      // https://bun.sh/guides/install/yarnlock
-      return (await spawn(agentExecPath, [lockPath])).stdout.trim();
+      if (ext === BINARY_LOCK_EXT) {
+        const lockBuffer = await binaryReader(lockPath);
+        if (lockBuffer) {
+          try {
+            return hyrious__bun_lockb.parse(lockBuffer);
+          } catch {}
+        }
+        // To print a Yarn lockfile to your console without writing it to disk
+        // use `bun bun.lockb`.
+        // https://bun.sh/guides/install/yarnlock
+        return (await spawn(agentExecPath, [lockPath])).stdout.trim();
+      }
+      return undefined;
     }),
-    npm: defaultReader,
-    pnpm: defaultReader,
-    vlt: defaultReader,
-    'yarn/berry': defaultReader,
-    'yarn/classic': defaultReader
+    [NPM$2]: defaultReader,
+    [PNPM$1]: defaultReader,
+    [VLT$1]: defaultReader,
+    [YARN_BERRY$1]: defaultReader,
+    [YARN_CLASSIC$1]: defaultReader
   };
 })();
 async function detect({
@@ -897,7 +884,8 @@ async function detect({
   let lockPath = await findUp(Object.keys(LOCKS), {
     cwd
   });
-  const isHiddenLockFile = lockPath?.endsWith('.package-lock.json') ?? false;
+  let lockBasename = lockPath ? path.basename(lockPath) : undefined;
+  const isHiddenLockFile = lockBasename === '.package-lock.json';
   const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await findUp('package.json', {
     cwd
   });
@@ -922,20 +910,20 @@ async function detect({
       }
     }
   }
-  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockPath === 'string') {
-    agent = LOCKS[path.basename(lockPath)];
+  if (agent === undefined && !isHiddenLockFile && typeof pkgJsonPath === 'string' && typeof lockBasename === 'string') {
+    agent = LOCKS[lockBasename];
   }
   if (agent === undefined) {
-    agent = 'npm';
+    agent = NPM$2;
     onUnknown?.(pkgManager);
   }
   const agentExecPath = await getAgentExecPath(agent);
-  const npmExecPath = agent === 'npm' ? agentExecPath : await getAgentExecPath('npm');
+  const npmExecPath = agent === NPM$2 ? agentExecPath : await getAgentExecPath(NPM$2);
   if (agentVersion === undefined) {
     agentVersion = await getAgentVersion(agentExecPath, cwd);
   }
-  if (agent === 'yarn/classic' && (agentVersion?.major ?? 0) > 1) {
-    agent = 'yarn/berry';
+  if (agent === YARN_CLASSIC$1 && (agentVersion?.major ?? 0) > 1) {
+    agent = YARN_BERRY$1;
   }
   const targets = {
     browser: false,
@@ -943,7 +931,7 @@ async function detect({
   };
   let lockSrc;
   // Lazily access constants.maintainedNodeVersions.
-  let minimumNodeVersion = registryConstants.maintainedNodeVersions.previous;
+  let minimumNodeVersion = constants.maintainedNodeVersions.previous;
   if (pkgJson) {
     const browserField = pkgJson.browser;
     if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
@@ -971,15 +959,17 @@ async function detect({
       }
     }
     // Lazily access constants.maintainedNodeVersions.
-    targets.node = registryConstants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
+    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
     lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
   } else {
+    lockBasename = undefined;
     lockPath = undefined;
   }
   return {
     agent,
     agentExecPath,
     agentVersion,
+    lockBasename,
     lockPath,
     lockSrc,
     minimumNodeVersion,
@@ -992,7 +982,14 @@ async function detect({
 }
 
 const {
+  BUN,
+  LOCK_EXT,
+  NPM: NPM$1,
+  PNPM,
   UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE,
+  VLT,
+  YARN_BERRY,
+  YARN_CLASSIC,
   abortSignal: abortSignal$2,
   execPath,
   rootBinPath
@@ -1000,63 +997,68 @@ const {
 const COMMAND_TITLE = 'Socket Optimize';
 const OVERRIDES_FIELD_NAME = 'overrides';
 const NPM_OVERRIDE_PR_URL = 'https://github.com/npm/cli/pull/7025';
-const PNPM_FIELD_NAME = 'pnpm';
-const PNPM_WORKSPACE = 'pnpm-workspace';
+const PNPM_FIELD_NAME = PNPM;
+const PNPM_WORKSPACE = `${PNPM}-workspace`;
 const RESOLUTIONS_FIELD_NAME = 'resolutions';
-const manifestNpmOverrides = registry.getManifestData('npm');
+const manifestNpmOverrides = registry.getManifestData(NPM$1);
 const getOverridesDataByAgent = {
-  bun(pkgJson) {
+  [BUN](pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
-      type: 'yarn/berry',
+      type: YARN_BERRY,
       overrides
     };
   },
   // npm overrides documentation:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-  npm(pkgJson) {
+  [NPM$1](pkgJson) {
     const overrides = pkgJson?.overrides ?? {};
     return {
-      type: 'npm',
+      type: NPM$1,
       overrides
     };
   },
   // pnpm overrides documentation:
   // https://pnpm.io/package_json#pnpmoverrides
-  pnpm(pkgJson) {
+  [PNPM](pkgJson) {
     const overrides = pkgJson?.pnpm?.overrides ?? {};
     return {
-      type: 'pnpm',
+      type: PNPM,
       overrides
     };
   },
-  vlt(pkgJson) {
+  [VLT](pkgJson) {
     const overrides = pkgJson?.overrides ?? {};
     return {
-      type: 'vlt',
+      type: VLT,
       overrides
     };
   },
   // Yarn resolutions documentation:
   // https://yarnpkg.com/configuration/manifest#resolutions
-  'yarn/berry'(pkgJson) {
+  [YARN_BERRY](pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
-      type: 'yarn/berry',
+      type: YARN_BERRY,
       overrides
     };
   },
   // Yarn resolutions documentation:
   // https://classic.yarnpkg.com/en/docs/selective-version-resolutions
-  'yarn/classic'(pkgJson) {
+  [YARN_CLASSIC](pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
-      type: 'yarn/classic',
+      type: YARN_CLASSIC,
       overrides
     };
   }
 };
 const lockIncludesByAgent = (() => {
+  function npmLockIncludes(lockSrc, name) {
+    // Detects the package name in the following cases:
+    //   "name":
+    return lockSrc.includes(`"${name}":`);
+  }
   function yarnLockIncludes(lockSrc, name) {
     const escapedName = regexps.escapeRegExp(name);
     return new RegExp(
@@ -1068,13 +1070,16 @@ const lockIncludesByAgent = (() => {
     `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
   }
   return {
-    bun: yarnLockIncludes,
-    npm(lockSrc, name) {
-      // Detects the package name in the following cases:
-      //   "name":
-      return lockSrc.includes(`"${name}":`);
+    [BUN](lockSrc, name, lockBasename) {
+      // This is a bit counterintuitive. When lockBasename ends with a .lockb
+      // we treat it as a yarn.lock. When lockBasename ends with a .lock we
+      // treat it as a package-lock.json. The bun.lock format is not identical
+      // package-lock.json, however it close enough for npmLockIncludes to work.
+      const lockScanner = lockBasename?.endsWith(LOCK_EXT) ? npmLockIncludes : yarnLockIncludes;
+      return lockScanner(lockSrc, name);
     },
-    pnpm(lockSrc, name) {
+    [NPM$1]: npmLockIncludes,
+    [PNPM](lockSrc, name) {
       const escapedName = regexps.escapeRegExp(name);
       return new RegExp(
       // Detects the package name in the following cases:
@@ -1084,13 +1089,13 @@ const lockIncludesByAgent = (() => {
       //   name@
       `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
     },
-    vlt(lockSrc, name) {
+    [VLT](lockSrc, name) {
       // Detects the package name in the following cases:
       //   "name"
       return lockSrc.includes(`"${name}"`);
     },
-    'yarn/berry': yarnLockIncludes,
-    'yarn/classic': yarnLockIncludes
+    [YARN_BERRY]: yarnLockIncludes,
+    [YARN_CLASSIC]: yarnLockIncludes
   };
 })();
 const updateManifestByAgent = (() => {
@@ -1150,16 +1155,16 @@ const updateManifestByAgent = (() => {
     let insertIndex = -1;
     let isPlacingHigher = false;
     if (field === OVERRIDES_FIELD_NAME) {
-      insertIndex = getLowestEntryIndex(entries, ['resolutions']);
+      insertIndex = getLowestEntryIndex(entries, [RESOLUTIONS_FIELD_NAME]);
       if (insertIndex === -1) {
         isPlacingHigher = true;
-        insertIndex = getHighestEntryIndex(entries, [...depFields, 'pnpm']);
+        insertIndex = getHighestEntryIndex(entries, [...depFields, PNPM]);
       }
     } else if (field === RESOLUTIONS_FIELD_NAME) {
       isPlacingHigher = true;
-      insertIndex = getHighestEntryIndex(entries, [...depFields, 'overrides', 'pnpm']);
+      insertIndex = getHighestEntryIndex(entries, [...depFields, OVERRIDES_FIELD_NAME, PNPM]);
     } else if (field === PNPM_FIELD_NAME) {
-      insertIndex = getLowestEntryIndex(entries, ['overrides', 'resolutions']);
+      insertIndex = getLowestEntryIndex(entries, [OVERRIDES_FIELD_NAME, RESOLUTIONS_FIELD_NAME]);
       if (insertIndex === -1) {
         isPlacingHigher = true;
         insertIndex = getHighestEntryIndex(entries, depFields);
@@ -1187,14 +1192,14 @@ const updateManifestByAgent = (() => {
     updatePkgJson(editablePkgJson, RESOLUTIONS_FIELD_NAME, overrides);
   }
   return {
-    bun: updateResolutions,
-    npm: updateOverrides,
-    pnpm(editablePkgJson, overrides) {
+    [BUN]: updateResolutions,
+    [NPM$1]: updateOverrides,
+    [PNPM](editablePkgJson, overrides) {
       updatePkgJson(editablePkgJson, PNPM_FIELD_NAME, overrides);
     },
-    vlt: updateOverrides,
-    'yarn/berry': updateResolutions,
-    'yarn/classic': updateResolutions
+    [VLT]: updateOverrides,
+    [YARN_BERRY]: updateResolutions,
+    [YARN_CLASSIC]: updateResolutions
   };
 })();
 const lsByAgent = (() => {
@@ -1248,7 +1253,7 @@ const lsByAgent = (() => {
     return cleanupQueryStdout(stdout);
   }
   return {
-    async bun(agentExecPath, cwd) {
+    async [BUN](agentExecPath, cwd) {
       try {
         // Bun does not support filtering by production packages yet.
         // https://github.com/oven-sh/bun/issues/8283
@@ -1258,17 +1263,17 @@ const lsByAgent = (() => {
       } catch {}
       return '';
     },
-    async npm(agentExecPath, cwd) {
+    async [NPM$1](agentExecPath, cwd) {
       return await npmQuery(agentExecPath, cwd);
     },
-    async pnpm(agentExecPath, cwd, options) {
+    async [PNPM](agentExecPath, cwd, options) {
       const {
         npmExecPath
       } = {
         __proto__: null,
         ...options
       };
-      if (npmExecPath && npmExecPath !== 'npm') {
+      if (npmExecPath && npmExecPath !== NPM$1) {
         const result = await npmQuery(npmExecPath, cwd);
         if (result) {
           return result;
@@ -1282,7 +1287,7 @@ const lsByAgent = (() => {
       } catch {}
       return parseableToQueryStdout(stdout);
     },
-    async vlt(agentExecPath, cwd) {
+    async [VLT](agentExecPath, cwd) {
       let stdout = '';
       try {
         stdout = (await spawn(agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
@@ -1291,7 +1296,7 @@ const lsByAgent = (() => {
       } catch {}
       return cleanupQueryStdout(stdout);
     },
-    async 'yarn/berry'(agentExecPath, cwd) {
+    async [YARN_BERRY](agentExecPath, cwd) {
       try {
         return (
           // Yarn Berry does not support filtering by production packages yet.
@@ -1303,7 +1308,7 @@ const lsByAgent = (() => {
       } catch {}
       return '';
     },
-    async 'yarn/classic'(agentExecPath, cwd) {
+    async [YARN_CLASSIC](agentExecPath, cwd) {
       try {
         // However, Yarn Classic does support it.
         // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
@@ -1325,12 +1330,12 @@ const depsIncludesByAgent = (() => {
     return stdout.includes(`"${name}"`);
   }
   return {
-    bun: matchHumanStdout,
-    npm: matchQueryStdout,
-    pnpm: matchQueryStdout,
-    vlt: matchQueryStdout,
-    'yarn/berry': matchHumanStdout,
-    'yarn/classic': matchHumanStdout
+    [BUN]: matchHumanStdout,
+    [NPM$1]: matchQueryStdout,
+    [PNPM]: matchQueryStdout,
+    [VLT]: matchQueryStdout,
+    [YARN_BERRY]: matchHumanStdout,
+    [YARN_CLASSIC]: matchHumanStdout
   };
 })();
 function createActionMessage(verb, overrideCount, workspaceCount) {
@@ -1361,7 +1366,7 @@ function getDependencyEntries(pkgJson) {
 }
 async function getWorkspaceGlobs(agent, pkgPath, pkgJson) {
   let workspacePatterns;
-  if (agent === 'pnpm') {
+  if (agent === PNPM) {
     for (const workspacePath of [path.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), path.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
       if (existsSync(workspacePath)) {
         try {
@@ -1411,6 +1416,7 @@ function createAddOverridesState(initials) {
 async function addOverrides({
   agent,
   agentExecPath,
+  lockBasename,
   lockSrc,
   manifestEntries,
   npmExecPath,
@@ -1436,20 +1442,24 @@ async function addOverrides({
   const workspaceName = path.relative(rootPath, pkgPath);
   const workspaceGlobs = await getWorkspaceGlobs(agent, pkgPath, pkgJson);
   const isWorkspace = !!workspaceGlobs;
-  if (isWorkspace && agent === 'pnpm' && npmExecPath === 'npm' && !state.warnedPnpmWorkspaceRequiresNpm) {
+  if (isWorkspace && agent === PNPM && npmExecPath === NPM$1 && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     console.warn(`⚠️ ${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
   }
   const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, {
     npmExecPath
   });
+  // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
+  // first two parameters. AgentLockIncludesFn accepts an optional third
+  // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
+  // as an AgentLockIncludesFn type.
   const thingScanner = isLockScanned ? lockIncludesByAgent[agent] : depsIncludesByAgent[agent];
   const depEntries = getDependencyEntries(pkgJson);
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
     overridesDataObjects.push(getOverridesDataByAgent[agent](pkgJson));
   } else {
-    overridesDataObjects.push(getOverridesDataByAgent.npm(pkgJson), getOverridesDataByAgent['yarn/classic'](pkgJson));
+    overridesDataObjects.push(getOverridesDataByAgent[NPM$1](pkgJson), getOverridesDataByAgent[YARN_CLASSIC](pkgJson));
   }
   if (spinner) {
     spinner.text = `Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`;
@@ -1498,13 +1508,13 @@ async function addOverrides({
         type
       }) => {
         const overrideExists = objects.hasOwn(overrides, origPkgName);
-        if (overrideExists || thingScanner(thingToScan, origPkgName)) {
+        if (overrideExists || thingScanner(thingToScan, origPkgName, lockBasename)) {
           const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
           const depAlias = depAliasMap.get(origPkgName);
-          const regSpecStartsLike = `npm:${regPkgName}@`;
+          const regSpecStartsLike = `${NPM$1}:${regPkgName}@`;
           let newSpec = `${regSpecStartsLike}^${pin ? version : major}`;
           let thisVersion = version;
-          if (depAlias && type === 'npm') {
+          if (depAlias && type === NPM$1) {
             // With npm one may not set an override for a package that one directly
             // depends on unless both the dependency and the override itself share
             // the exact same spec. To make this limitation easier to deal with,
@@ -1528,10 +1538,6 @@ async function addOverrides({
             overrides[origPkgName] = newSpec;
             const addedOrUpdated = overrideExists ? 'updated' : 'added';
             state[addedOrUpdated].add(regPkgName);
-            if (workspaceName) {
-              const addedOrUpdatedIn = overrideExists ? 'updatedInWorkspaces' : 'addedInWorkspaces';
-              state[addedOrUpdatedIn].add(workspaceName);
-            }
           }
         }
       });
@@ -1548,6 +1554,7 @@ async function addOverrides({
       const otherState = await addOverrides({
         agent,
         agentExecPath,
+        lockBasename,
         lockSrc,
         manifestEntries,
         npmExecPath,
@@ -1595,6 +1602,7 @@ const optimize = {
       agent,
       agentExecPath,
       agentVersion,
+      lockBasename,
       lockPath,
       lockSrc,
       minimumNodeVersion,
@@ -1612,12 +1620,12 @@ const optimize = {
       console.error(`✖️ ${COMMAND_TITLE}: No supported Node or browser range detected`);
       return;
     }
-    if (agent === 'vlt') {
+    if (agent === VLT) {
       console.error(`✖️ ${COMMAND_TITLE}: ${agent} does not support overrides. Soon, though ⚡`);
       return;
     }
-    const lockName = lockPath ? path.basename(lockPath) : 'lock file';
-    if (lockSrc === undefined) {
+    const lockName = lockPath ? lockBasename : 'lock file';
+    if (lockBasename === undefined || lockSrc === undefined) {
       console.error(`✖️ ${COMMAND_TITLE}: No ${lockName} found`);
       return;
     }
@@ -1629,7 +1637,7 @@ const optimize = {
       console.error(`✖️ ${COMMAND_TITLE}: No package.json found`);
       return;
     }
-    if (prod && (agent === 'bun' || agent === 'yarn/berry')) {
+    if (prod && (agent === BUN || agent === YARN_BERRY)) {
       console.error(`✖️ ${COMMAND_TITLE}: --prod not supported for ${agent}${agentVersion ? `@${agentVersion.toString()}` : ''}`);
       return;
     }
@@ -1650,6 +1658,7 @@ const optimize = {
     await addOverrides({
       agent,
       agentExecPath,
+      lockBasename,
       lockSrc,
       manifestEntries,
       npmExecPath,
@@ -1673,7 +1682,7 @@ const optimize = {
     } else {
       console.log('Congratulations! Already Socket.dev optimized 🎉');
     }
-    const isNpm = agent === 'npm';
+    const isNpm = agent === NPM$1;
     if (isNpm || pkgJsonChanged) {
       // Always update package-lock.json until the npm overrides PR lands:
       // https://github.com/npm/cli/pull/7025
@@ -1806,14 +1815,16 @@ Plan: ${o?.plan}
 }
 
 const {
+  NPM,
   abortSignal: abortSignal$1
 } = constants;
+const binName$1 = NPM;
 const rawNpm = {
-  description: 'Temporarily disable the Socket npm wrapper',
+  description: `Temporarily disable the Socket ${binName$1} wrapper`,
   async run(argv, importMeta, {
     parentName
   }) {
-    await setupCommand$j(`${parentName} raw-npm`, rawNpm.description, argv, importMeta);
+    await setupCommand$j(`${parentName} raw-${binName$1}`, rawNpm.description, argv, importMeta);
   }
 };
 async function setupCommand$j(name, description, argv, importMeta) {
@@ -1823,7 +1834,7 @@ async function setupCommand$j(name, description, argv, importMeta) {
   };
   const cli = vendor.meow(`
     Usage
-      $ ${name} <npm command>
+      $ ${name} <${binName$1} command>
 
     Options
       ${printFlagList(flags, 6)}
@@ -1844,13 +1855,26 @@ async function setupCommand$j(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const spawnPromise = spawn('npm', argv, {
+  const {
+    path: binPath
+  } = await pathResolve.findBinPathDetails(binName$1);
+  if (!binPath) {
+    // The exit code 127 indicates that the command or binary being executed
+    // could not be found.
+    console.error(`Socket unable to locate ${binName$1}; ensure it is available in the PATH environment variable.`);
+    process.exit(127);
+  }
+  const spawnPromise = spawn(binPath, argv, {
     signal: abortSignal$1,
     stdio: 'inherit'
   });
-  spawnPromise.process.on('exit', (code, signal) => {
-    if (signal) {
-      process.kill(process.pid, signal);
+  // See https://nodejs.org/api/all.html#all_child_process_event-exit.
+  spawnPromise.process.on('exit', (code, signalName) => {
+    if (abortSignal$1.aborted) {
+      return;
+    }
+    if (signalName) {
+      process.kill(process.pid, signalName);
     } else if (code !== null) {
       process.exit(code);
     }
@@ -1859,14 +1883,16 @@ async function setupCommand$j(name, description, argv, importMeta) {
 }
 
 const {
+  NPX,
   abortSignal
 } = constants;
+const binName = NPX;
 const rawNpx = {
-  description: 'Temporarily disable the Socket npm/npx wrapper',
+  description: `Temporarily disable the Socket ${binName} wrapper`,
   async run(argv, importMeta, {
     parentName
   }) {
-    await setupCommand$i(`${parentName} raw-npx`, rawNpx.description, argv, importMeta);
+    await setupCommand$i(`${parentName} raw-${binName}`, rawNpx.description, argv, importMeta);
   }
 };
 async function setupCommand$i(name, description, argv, importMeta) {
@@ -1876,7 +1902,7 @@ async function setupCommand$i(name, description, argv, importMeta) {
   };
   const cli = vendor.meow(`
     Usage
-      $ ${name} <npx command>
+      $ ${name} <${binName} command>
 
     Options
       ${printFlagList(flags, 6)}
@@ -1897,13 +1923,26 @@ async function setupCommand$i(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const spawnPromise = spawn('npx', [argv.join(' ')], {
+  const {
+    path: binPath
+  } = await pathResolve.findBinPathDetails(binName);
+  if (!binPath) {
+    // The exit code 127 indicates that the command or binary being executed
+    // could not be found.
+    console.error(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable.`);
+    process.exit(127);
+  }
+  const spawnPromise = spawn(binPath, argv, {
     signal: abortSignal,
     stdio: 'inherit'
   });
-  spawnPromise.process.on('exit', (code, signal) => {
-    if (signal) {
-      process.kill(process.pid, signal);
+  // See https://nodejs.org/api/all.html#all_child_process_event-exit.
+  spawnPromise.process.on('exit', (code, signalName) => {
+    if (abortSignal.aborted) {
+      return;
+    }
+    if (signalName) {
+      process.kill(process.pid, signalName);
     } else if (code !== null) {
       process.exit(code);
     }
@@ -3693,7 +3732,7 @@ const dependencies = {
   }) {
     const name = parentName + ' dependencies';
     const input = setupCommand$3(name, dependencies.description, argv, importMeta);
-    if (input) {
+    {
       await searchDeps(input);
     }
   }
@@ -4262,7 +4301,7 @@ const threatFeed = {
   }) {
     const name = `${parentName} threat-feed`;
     const input = setupCommand(name, threatFeed.description, argv, importMeta);
-    if (input) {
+    {
       const apiKey = sdk.getDefaultKey();
       if (!apiKey) {
         throw new sdk.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');