@socketsecurity/cli 0.14.38 → 0.14.40

package/dist/module-sync/npm-injection.js

@@ -9,218 +9,154 @@ function _socketInterop(e) {
   return c ? e.default : e
 }
 
-var events = require('node:events');
-var fs = require('node:fs');
-var https = require('node:https');
 var path = require('node:path');
-var readline = require('node:readline');
-var promises = require('node:timers/promises');
-var prompts = require('@socketsecurity/registry/lib/prompts');
-var yoctoSpinner = require('@socketregistry/yocto-spinner');
-var isInteractive = _socketInterop(require('is-interactive'));
-var npa = _socketInterop(require('npm-package-arg'));
+var process = require('node:process');
 var semver = _socketInterop(require('semver'));
-var config = require('@socketsecurity/config');
+var registry = require('@socketsecurity/registry');
 var objects = require('@socketsecurity/registry/lib/objects');
 var packages = require('@socketsecurity/registry/lib/packages');
-var net = require('node:net');
-var homedir = require('node:os');
-var node_stream = require('node:stream');
-var sdk = require('./sdk.js');
+var prompts = require('@socketsecurity/registry/lib/prompts');
+var spinner = require('@socketsecurity/registry/lib/spinner');
+var events = require('node:events');
+var https = require('node:https');
+var readline = require('node:readline');
 var constants = require('./constants.js');
+var socketUrl = require('./socket-url.js');
+var fs = require('node:fs');
+var promises = require('node:timers/promises');
+var config = require('@socketsecurity/config');
 var pathResolve = require('./path-resolve.js');
+var npa = _socketInterop(require('npm-package-arg'));
 
-var version = "0.14.38";
-
-const NEWLINE_CHAR_CODE = 10; /*'\n'*/
-
-const TTY_IPC = process.env['SOCKET_SECURITY_TTY_IPC'];
-const sock = path.join(homedir.tmpdir(), `socket-security-tty-${process.pid}.sock`);
-process.env['SOCKET_SECURITY_TTY_IPC'] = sock;
-function createNonStandardTTYServer() {
-  return {
-    async captureTTY(mutexFn) {
-      return await new Promise((resolve, reject) => {
-        const conn = net.createConnection({
-          path: TTY_IPC
-        }).on('error', reject);
-        let captured = false;
-        const buffs = [];
-        conn.on('data', function awaitCapture(chunk) {
-          buffs.push(chunk);
-          let lineBuff = Buffer.concat(buffs);
-          if (captured) return;
-          try {
-            const eolIndex = lineBuff.indexOf(NEWLINE_CHAR_CODE);
-            if (eolIndex !== -1) {
-              conn.removeListener('data', awaitCapture);
-              conn.push(lineBuff.slice(eolIndex + 1));
-              const {
-                capabilities: {
-                  input: hasInput,
-                  output: hasOutput
-                },
-                ipc_version: remote_ipc_version
-              } = JSON.parse(lineBuff.subarray(0, eolIndex).toString('utf8'));
-              lineBuff = null;
-              captured = true;
-              if (remote_ipc_version !== version) {
-                throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.');
-              }
-              const input = hasInput ? new node_stream.PassThrough() : null;
-              input?.pause();
-              if (input) conn.pipe(input);
-              const output = hasOutput ? new node_stream.PassThrough() : null;
-              if (output) {
-                output.pipe(conn)
-                // Make ora happy
-                ;
-                output.isTTY = true;
-                output.cursorTo = function cursorTo(x, y, callback) {
-                  readline.cursorTo(this, x, y, callback);
-                };
-                output.clearLine = function clearLine(dir, callback) {
-                  readline.clearLine(this, dir, callback);
-                };
-              }
-              mutexFn(hasInput ? input : undefined, hasOutput ? output : undefined).then(resolve, reject).finally(() => {
-                conn.unref();
-                conn.end();
-                input?.end();
-                output?.end();
-                // process.exit(13)
-              });
-            }
-          } catch (e) {
-            reject(e);
-          }
-        });
-      });
-    }
-  };
+const {
+  API_V0_URL,
+  LOOP_SENTINEL: LOOP_SENTINEL$2,
+  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1,
+  abortSignal: abortSignal$2
+} = constants;
+async function* batchScan(pkgIds) {
+  const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Basic ${Buffer.from(`${socketUrl.getPublicToken()}:`).toString('base64url')}`
+    },
+    signal: abortSignal$2
+  }).end(JSON.stringify({
+    components: pkgIds.map(id => ({
+      purl: `pkg:npm/${id}`
+    }))
+  }));
+  const {
+    0: res
+  } = await events.once(req, 'response');
+  const ok = res.statusCode >= 200 && res.statusCode <= 299;
+  if (!ok) {
+    throw new Error(`Socket API Error: ${res.statusCode}`);
+  }
+  const rli = readline.createInterface(res);
+  for await (const line of rli) {
+    yield JSON.parse(line);
+  }
 }
-function createIPCServer(captureState, npmlog) {
-  const input = process.stdin;
-  const output = process.stderr;
-  return new Promise((resolve, reject) => {
-    const server = net
-    // eslint-disable-next-line @typescript-eslint/no-misused-promises
-    .createServer(async conn => {
-      if (captureState.captured) {
-        await new Promise(resolve => {
-          captureState.pendingCaptures.push({
-            resolve() {
-              resolve();
-            }
-          });
-        });
-      } else {
-        captureState.captured = true;
-      }
-      const wasProgressEnabled = npmlog.progressEnabled;
-      npmlog.pause();
-      if (wasProgressEnabled) {
-        npmlog.disableProgress();
-      }
-      conn.write(`${JSON.stringify({
-        ipc_version: version,
-        capabilities: {
-          input: Boolean(input),
-          output: true
-        }
-      })}\n`);
-      conn.on('data', data => {
-        output.write(data);
-      }).on('error', e => {
-        output.write(`there was an error prompting from a sub shell (${e?.message}), socket npm closing`);
-        process.exit(1);
-      });
-      input.on('data', data => {
-        conn.write(data);
-      }).on('end', () => {
-        conn.unref();
-        conn.end();
-        if (wasProgressEnabled) {
-          npmlog.enableProgress();
-        }
-        npmlog.resume();
-        captureState.nextCapture();
-      });
-    }).listen(sock, () => resolve(server)).on('error', reject).unref();
-    process.on('exit', () => {
-      server.close();
-      tryUnlinkSync(sock);
-    });
-    resolve(server);
-  });
+function isAlertFixable(alert) {
+  return alert.type === 'socketUpgradeAvailable' || isAlertFixableCve(alert);
 }
-function createStandardTTYServer(isInteractive, npmlog) {
-  const captureState = {
-    captured: false,
-    nextCapture: () => {
-      if (captureState.pendingCaptures.length > 0) {
-        const pendingCapture = captureState.pendingCaptures.shift();
-        pendingCapture?.resolve();
-      } else {
-        captureState.captured = false;
-      }
-    },
-    pendingCaptures: []
+function isAlertFixableCve(alert) {
+  const {
+    type
+  } = alert;
+  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'];
+}
+function toRepoUrl(resolved) {
+  try {
+    return URL.parse(resolved)?.origin ?? '';
+  } catch {}
+  return '';
+}
+function walk(diff_, options) {
+  const {
+    // Lazily access constants.IPC.
+    fix = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1]
+  } = {
+    __proto__: null,
+    ...options
   };
-  tryUnlinkSync(sock);
-  const input = isInteractive ? process.stdin : undefined;
-  const output = process.stderr;
-  let ipcServerPromise;
-  if (input) {
-    ipcServerPromise = createIPCServer(captureState, npmlog);
+  const needInfoOn = [];
+  // `diff_` is `null` when `npm install --package-lock-only` is passed.
+  if (!diff_) {
+    return needInfoOn;
   }
-  return {
-    async captureTTY(mutexFn) {
-      await ipcServerPromise;
-      if (captureState.captured) {
-        const captured = new Promise(resolve => {
-          captureState.pendingCaptures.push({
-            resolve() {
-              resolve();
-            }
-          });
-        });
-        await captured;
+  const queue = [...diff_.children];
+  let pos = 0;
+  let {
+    length: queueLength
+  } = queue;
+  while (pos < queueLength) {
+    if (pos === LOOP_SENTINEL$2) {
+      throw new Error('Detected infinite loop while walking Arborist diff');
+    }
+    const diff = queue[pos++];
+    const {
+      action
+    } = diff;
+    if (action) {
+      // The `pkgNode`, i.e. the `ideal` node, will be `undefined` if the diff
+      // action is 'REMOVE'
+      // The `oldNode`, i.e. the `actual` node, will be `undefined` if the diff
+      // action is 'ADD'.
+      const {
+        actual: oldNode,
+        ideal: pkgNode
+      } = diff;
+      let existing;
+      let keep = false;
+      if (action === 'CHANGE') {
+        if (pkgNode?.package.version !== oldNode?.package.version) {
+          keep = true;
+          if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
+            existing = oldNode.pkgid;
+          }
+        }
       } else {
-        captureState.captured = true;
+        keep = action !== 'REMOVE';
       }
-      const wasProgressEnabled = npmlog.progressEnabled;
-      try {
-        npmlog.pause();
-        if (wasProgressEnabled) {
-          npmlog.disableProgress();
-        }
-        return await mutexFn(input, output);
-      } finally {
-        if (wasProgressEnabled) {
-          npmlog.enableProgress();
-        }
-        npmlog.resume();
-        captureState.nextCapture();
+      if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
+        needInfoOn.push({
+          existing,
+          pkgid: pkgNode.pkgid,
+          repository_url: toRepoUrl(pkgNode.resolved)
+        });
       }
     }
-  };
-}
-function tryUnlinkSync(filepath) {
-  try {
-    fs.unlinkSync(filepath);
-  } catch (e) {
-    if (sdk.isErrnoException(e) && e.code !== 'ENOENT') {
-      throw e;
+    for (const child of diff.children) {
+      queue[queueLength++] = child;
     }
   }
-}
-function createTTYServer(isInteractive, npmlog) {
-  return !isInteractive && TTY_IPC ? createNonStandardTTYServer() : createStandardTTYServer(isInteractive, npmlog);
+  if (fix) {
+    const {
+      unchanged
+    } = diff_;
+    for (let i = 0, {
+        length
+      } = unchanged; i < length; i += 1) {
+      const pkgNode = unchanged[i];
+      needInfoOn.push({
+        existing: pkgNode.pkgid,
+        pkgid: pkgNode.pkgid,
+        repository_url: toRepoUrl(pkgNode.resolved)
+      });
+    }
+  }
+  return needInfoOn;
 }
 
-//#region UX Constants
-
+const {
+  abortSignal: abortSignal$1
+} = constants;
+const ERROR_UX = {
+  block: true,
+  display: true
+};
 const IGNORE_UX = {
   block: false,
   display: false
@@ -229,20 +165,43 @@ const WARN_UX = {
   block: false,
   display: true
 };
-const ERROR_UX = {
-  block: true,
-  display: true
-};
-//#endregion
-//#region utils
+function findSocketYmlSync() {
+  let prevDir = null;
+  let dir = process.cwd();
+  while (dir !== prevDir) {
+    let ymlPath = path.join(dir, 'socket.yml');
+    let yml = maybeReadfileSync(ymlPath);
+    if (yml === undefined) {
+      ymlPath = path.join(dir, 'socket.yaml');
+      yml = maybeReadfileSync(ymlPath);
+    }
+    if (typeof yml === 'string') {
+      try {
+        return {
+          path: ymlPath,
+          parsed: config.parseSocketConfig(yml)
+        };
+      } catch {
+        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+      }
+    }
+    prevDir = dir;
+    dir = path.join(dir, '..');
+  }
+  return null;
+}
+function maybeReadfileSync(filepath) {
+  try {
+    return fs.readFileSync(filepath, 'utf8');
+  } catch {}
+  return undefined;
+}
 
-/**
- * Iterates over all entries with ordered issue rule for deferral.  Iterates over
- * all issue rules and finds the first defined value that does not defer otherwise
- * uses the defaultValue. Takes the value and converts into a UX workflow
- */
+// Iterates over all entries with ordered issue rule for deferral.  Iterates over
+// all issue rules and finds the first defined value that does not defer otherwise
+// uses the defaultValue. Takes the value and converts into a UX workflow.
 function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
-  if (defaultValue === true || defaultValue == null) {
+  if (defaultValue === true || defaultValue === null || defaultValue === undefined) {
     defaultValue = {
       action: 'error'
     };
@@ -279,13 +238,12 @@ function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
   };
 }
 
-/**
- * Negative form because it is narrowing the type
- */
+// Negative form because it is narrowing the type.
 function ruleValueDoesNotDefer(rule) {
   if (rule === undefined) {
     return false;
-  } else if (rule !== null && typeof rule === 'object') {
+  }
+  if (objects.isObject(rule)) {
     const {
       action
     } = rule;
@@ -296,9 +254,7 @@ function ruleValueDoesNotDefer(rule) {
   return true;
 }
 
-/**
- * Handles booleans for backwards compatibility
- */
+// Handles booleans for backwards compatibility.
 function uxForDefinedNonDeferValue(ruleValue) {
   if (typeof ruleValue === 'boolean') {
     return ruleValue ? ERROR_UX : IGNORE_UX;
@@ -313,10 +269,6 @@ function uxForDefinedNonDeferValue(ruleValue) {
   }
   return ERROR_UX;
 }
-//#endregion
-
-//#region exports
-
 function createAlertUXLookup(settings) {
   const cachedUX = new Map();
   return context => {
@@ -362,22 +314,116 @@ function createAlertUXLookup(settings) {
     return ux;
   };
 }
-//#endregion
+let _uxLookup;
+async function uxLookup(settings) {
+  while (_uxLookup === undefined) {
+    // eslint-disable-next-line no-await-in-loop
+    await promises.setTimeout(1, {
+      signal: abortSignal$1
+    });
+  }
+  return _uxLookup(settings);
+}
+
+// Start initializing the AlertUxLookupResult immediately.
+void (async () => {
+  const {
+    orgs,
+    settings
+  } = await (async () => {
+    try {
+      const socketSdk = await socketUrl.setupSdk(socketUrl.getPublicToken());
+      const orgResult = await socketSdk.getOrganizations();
+      if (!orgResult.success) {
+        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
+      }
+      const orgs = [];
+      for (const org of Object.values(orgResult.data.organizations)) {
+        if (org) {
+          orgs.push(org);
+        }
+      }
+      const result = await socketSdk.postSettings(orgs.map(org => ({
+        organization: org.id
+      })));
+      if (!result.success) {
+        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
+      }
+      return {
+        orgs,
+        settings: result.data
+      };
+    } catch (e) {
+      const cause = objects.isObject(e) && 'cause' in e ? e.cause : undefined;
+      if (socketUrl.isErrnoException(cause) && (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED')) {
+        throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
+          cause: e
+        });
+      }
+      throw e;
+    }
+  })();
+
+  // Remove any organizations not being enforced.
+  const enforcedOrgs = socketUrl.getSetting('enforcedOrgs') ?? [];
+  for (const {
+    0: i,
+    1: org
+  } of orgs.entries()) {
+    if (!enforcedOrgs.includes(org.id)) {
+      settings.entries.splice(i, 1);
+    }
+  }
+  const socketYml = findSocketYmlSync();
+  if (socketYml) {
+    settings.entries.push({
+      start: socketYml.path,
+      settings: {
+        [socketYml.path]: {
+          deferTo: null,
+          // TODO: TypeScript complains about the type not matching. We should
+          // figure out why are providing
+          // issueRules: { [issueName: string]: boolean }
+          // but expecting
+          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
+          issueRules: socketYml.parsed.issueRules
+        }
+      }
+    });
+  }
+  _uxLookup = createAlertUXLookup(settings);
+})();
 
 const {
-  API_V0_URL,
-  ENV,
-  LOOP_SENTINEL,
-  NPM_REGISTRY_URL,
-  SOCKET_CLI_ISSUES_URL,
-  SOCKET_PUBLIC_API_KEY,
-  UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE,
-  abortSignal,
-  rootPath
+  NODE_MODULES,
+  SOCKET_CLI_ISSUES_URL
 } = constants;
-const POTENTIAL_BUG_ERROR_MESSAGE = `This is may be a bug with socket-npm related to changes to the npm CLI.\nPlease report to ${SOCKET_CLI_ISSUES_URL}.`;
-const npmEntrypoint = fs.realpathSync(process.argv[1]);
+const npmEntrypoint = fs.realpathSync.native(process.argv[1]);
 const npmRootPath = pathResolve.findRoot(path.dirname(npmEntrypoint));
+if (npmRootPath === undefined) {
+  console.error(`Unable to find npm CLI install directory.
+Searched parent directories of ${npmEntrypoint}.
+
+This is may be a bug with socket-npm related to changes to the npm CLI.
+Please report to ${SOCKET_CLI_ISSUES_URL}.`);
+  // The exit code 127 indicates that the command or binary being executed
+  // could not be found.
+  process.exit(127);
+}
+const npmNmPath = path.join(npmRootPath, NODE_MODULES);
+const arboristPkgPath = path.join(npmNmPath, '@npmcli/arborist');
+const arboristClassPath = path.join(arboristPkgPath, 'lib/arborist/index.js');
+const arboristDepValidPath = path.join(arboristPkgPath, 'lib/dep-valid.js');
+const arboristEdgeClassPath = path.join(arboristPkgPath, 'lib/edge.js');
+const arboristNodeClassPath = path.join(arboristPkgPath, 'lib/node.js');
+const arboristOverrideSetClassPath = path.join(arboristPkgPath, 'lib/override-set.js');
+const pacotePath = path.join(npmNmPath, 'pacote');
+
+const depValid = require(arboristDepValidPath);
+
+const {
+  UNDEFINED_TOKEN
+} = constants;
 function tryRequire(...ids) {
   for (const data of ids) {
     let id;
@@ -400,573 +446,161 @@ function tryRequire(...ids) {
   }
   return undefined;
 }
-if (npmRootPath === undefined) {
-  console.error(`Unable to find npm CLI install directory.\nSearched parent directories of ${npmEntrypoint}.\n\n${POTENTIAL_BUG_ERROR_MESSAGE}`);
-  // The exit code 127 indicates that the command or binary being executed
-  // could not be found.
-  process.exit(127);
-}
-const npmNmPath = path.join(npmRootPath, 'node_modules');
-const arboristPkgPath = path.join(npmNmPath, '@npmcli/arborist');
-const arboristClassPath = path.join(arboristPkgPath, 'lib/arborist/index.js');
-const arboristDepValidPath = path.join(arboristPkgPath, 'lib/dep-valid.js');
-const arboristEdgeClassPath = path.join(arboristPkgPath, 'lib/edge.js');
-const arboristNodeClassPath = path.join(arboristPkgPath, 'lib/node.js');
-const arboristOverrideSetClassPatch = path.join(arboristPkgPath, 'lib/override-set.js');
-const log = tryRequire([path.join(npmNmPath, 'proc-log/lib/index.js'),
-// The proc-log DefinitelyTyped definition is incorrect. The type definition
-// is really that of its export log.
-mod => mod.log], path.join(npmNmPath, 'npmlog/lib/log.js'));
-if (log === undefined) {
-  console.error(`Unable to integrate with npm CLI logging infrastructure.\n\n${POTENTIAL_BUG_ERROR_MESSAGE}.`);
-  // The exit code 127 indicates that the command or binary being executed
-  // could not be found.
-  process.exit(127);
-}
-const pacote = tryRequire(path.join(npmNmPath, 'pacote'), 'pacote');
-const {
-  tarball
-} = pacote;
-const translations = require(path.join(rootPath, 'translations.json'));
-const Arborist = require(arboristClassPath);
-const depValid = require(arboristDepValidPath);
-const Edge = require(arboristEdgeClassPath);
-const Node = require(arboristNodeClassPath);
-const OverrideSet = require(arboristOverrideSetClassPatch);
-const kCtorArgs = Symbol('ctorArgs');
-const kRiskyReify = Symbol('riskyReify');
-const formatter = new sdk.ColorOrMarkdown(false);
-const pubToken = sdk.getDefaultKey() ?? SOCKET_PUBLIC_API_KEY;
-const ttyServer = createTTYServer(isInteractive({
-  stream: process.stdin
-}), log);
-let _uxLookup;
-async function uxLookup(settings) {
-  while (_uxLookup === undefined) {
-    // eslint-disable-next-line no-await-in-loop
-    await promises.setTimeout(1, {
-      signal: abortSignal
-    });
+let _log = UNDEFINED_TOKEN;
+function getLogger() {
+  if (_log === UNDEFINED_TOKEN) {
+    _log = tryRequire([path.join(npmNmPath, 'proc-log/lib/index.js'),
+    // The proc-log DefinitelyTyped definition is incorrect. The type definition
+    // is really that of its export log.
+    mod => mod.log], path.join(npmNmPath, 'npmlog/lib/log.js'));
   }
-  return _uxLookup(settings);
+  return _log;
 }
-async function* batchScan(pkgIds) {
-  const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
-    method: 'POST',
-    headers: {
-      Authorization: `Basic ${Buffer.from(`${pubToken}:`).toString('base64url')}`
-    },
-    signal: abortSignal
-  }).end(JSON.stringify({
-    components: pkgIds.map(id => ({
-      purl: `pkg:npm/${id}`
-    }))
-  }));
-  const {
-    0: res
-  } = await events.once(req, 'response');
-  const ok = res.statusCode >= 200 && res.statusCode <= 299;
-  if (!ok) {
-    throw new Error(`Socket API Error: ${res.statusCode}`);
-  }
-  const rli = readline.createInterface(res);
-  for await (const line of rli) {
-    yield JSON.parse(line);
+
+const {
+  LOOP_SENTINEL: LOOP_SENTINEL$1
+} = constants;
+const OverrideSet = require(arboristOverrideSetClassPath);
+
+// Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
+class SafeOverrideSet extends OverrideSet {
+  // Patch adding doOverrideSetsConflict is based on
+  // https://github.com/npm/cli/pull/7025.
+  static doOverrideSetsConflict(first, second) {
+    // If override sets contain one another then we can try to use the more specific
+    // one. However, if neither one is more specific, then we consider them to be
+    // in conflict.
+    return this.findSpecificOverrideSet(first, second) === undefined;
   }
-}
 
-// Patch adding doOverrideSetsConflict is based on
-// https://github.com/npm/cli/pull/7025.
-function doOverrideSetsConflict(first, second) {
-  // If override sets contain one another then we can try to use the more specific
-  // one. However, if neither one is more specific, then we consider them to be
-  // in conflict.
-  return findSpecificOverrideSet(first, second) === undefined;
-}
-function findSocketYmlSync() {
-  let prevDir = null;
-  let dir = process.cwd();
-  while (dir !== prevDir) {
-    let ymlPath = path.join(dir, 'socket.yml');
-    let yml = maybeReadfileSync(ymlPath);
-    if (yml === undefined) {
-      ymlPath = path.join(dir, 'socket.yaml');
-      yml = maybeReadfileSync(ymlPath);
+  // Patch adding findSpecificOverrideSet is based on
+  // https://github.com/npm/cli/pull/7025.
+  static findSpecificOverrideSet(first, second) {
+    let overrideSet = second;
+    while (overrideSet) {
+      if (overrideSet.isEqual(first)) {
+        return second;
+      }
+      overrideSet = overrideSet.parent;
     }
-    if (typeof yml === 'string') {
-      try {
-        return {
-          path: ymlPath,
-          parsed: config.parseSocketConfig(yml)
-        };
-      } catch {
-        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+    overrideSet = first;
+    while (overrideSet) {
+      if (overrideSet.isEqual(second)) {
+        return first;
       }
+      overrideSet = overrideSet.parent;
     }
-    prevDir = dir;
-    dir = path.join(dir, '..');
+    // The override sets are incomparable. Neither one contains the other.
+    const log = getLogger();
+    log?.silly('Conflicting override sets', first, second);
+    return undefined;
   }
-  return null;
-}
 
-// Patch adding findSpecificOverrideSet is based on
-// https://github.com/npm/cli/pull/7025.
-function findSpecificOverrideSet(first, second) {
-  let overrideSet = second;
-  while (overrideSet) {
-    if (overrideSet.isEqual(first)) {
-      return second;
-    }
-    overrideSet = overrideSet.parent;
-  }
-  overrideSet = first;
-  while (overrideSet) {
-    if (overrideSet.isEqual(second)) {
-      return first;
-    }
-    overrideSet = overrideSet.parent;
-  }
-  // The override sets are incomparable. Neither one contains the other.
-  log.silly('Conflicting override sets', first, second);
-  return undefined;
-}
-function isAlertFixable(alert) {
-  const {
-    type
-  } = alert;
-  if (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') {
-    return !!alert.props?.['firstPatchedVersionIdentifier'];
-  }
-  return type === 'socketUpgradeAvailable';
-}
-function maybeReadfileSync(filepath) {
-  try {
-    return fs.readFileSync(filepath, 'utf8');
-  } catch {}
-  return undefined;
-}
-async function getPackagesAlerts(safeArb, _registry, pkgs, output) {
-  const spinner = yoctoSpinner({
-    stream: output
-  });
-  let {
-    length: remaining
-  } = pkgs;
-  const packageAlerts = [];
-  if (!remaining) {
-    spinner.success('No changes detected');
-    return packageAlerts;
-  }
-  const getText = () => `Looking up data for ${remaining} packages`;
-  spinner.start(getText());
-  try {
-    for await (const artifact of batchScan(pkgs.map(p => p.pkgid))) {
-      if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
-        continue;
+  // Patch adding childrenAreEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  childrenAreEqual(otherOverrideSet) {
+    const queue = [[this, otherOverrideSet]];
+    let pos = 0;
+    let {
+      length: queueLength
+    } = queue;
+    while (pos < queueLength) {
+      if (pos === LOOP_SENTINEL$1) {
+        throw new Error('Detected infinite loop while comparing override sets');
       }
       const {
-        version
-      } = artifact;
-      const name = packages.resolvePackageName(artifact);
-      const id = `${name}@${artifact.version}`;
-      let blocked = false;
-      let displayWarning = false;
-      let alerts = [];
-      for (const alert of artifact.alerts) {
-        // eslint-disable-next-line no-await-in-loop
-        const ux = await uxLookup({
-          package: {
-            name,
-            version
-          },
-          alert: {
-            type: alert.type
-          }
-        });
-        if (ux.block) {
-          blocked = true;
-        }
-        if (ux.display) {
-          displayWarning = true;
-        }
-        if (ux.block || ux.display) {
-          alerts.push({
-            name,
-            version,
-            type: alert.type,
-            block: ux.block,
-            raw: alert,
-            fixable: isAlertFixable(alert)
-          });
-          // Before we ask about problematic issues, check to see if they
-          // already existed in the old version if they did, be quiet.
-          const existing = pkgs.find(p => p.existing?.startsWith(`${name}@`))?.existing;
-          if (existing) {
-            const oldArtifact =
-            // eslint-disable-next-line no-await-in-loop
-            (await batchScan([existing]).next()).value;
-            if (oldArtifact?.alerts?.length) {
-              alerts = alerts.filter(({
-                type
-              }) => !oldArtifact.alerts?.find(a => a.type === type));
-            }
-          }
-        }
-      }
-      if (!blocked) {
-        const pkg = pkgs.find(p => p.pkgid === id);
-        if (pkg) {
-          await tarball.stream(id, stream => {
-            stream.resume();
-            return stream.promise();
-          }, {
-            ...safeArb[kCtorArgs][0]
-          });
-        }
+        0: currSet,
+        1: currOtherSet
+      } = queue[pos++];
+      const {
+        children
+      } = currSet;
+      const {
+        children: otherChildren
+      } = currOtherSet;
+      if (children.size !== otherChildren.size) {
+        return false;
       }
-      if (displayWarning) {
-        spinner.stop(`(socket) ${formatter.hyperlink(id, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:`);
-        alerts.sort((a, b) => a.type < b.type ? -1 : 1);
-        const lines = new Set();
-        for (const alert of alerts) {
-          // Based data from { pageProps: { alertTypes } } of:
-          // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
-          const info = translations.alerts[alert.type];
-          const title = info?.title ?? alert.type;
-          const attributes = [...(alert.fixable ? ['fixable'] : []), ...(alert.block ? [] : ['non-blocking'])];
-          const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : '';
-          const maybeDesc = info?.description ? ` - ${info.description}` : '';
-          // TODO: emoji seems to mis-align terminals sometimes
-          lines.add(`  ${title}${maybeAttributes}${maybeDesc}\n`);
-        }
-        for (const line of lines) {
-          output?.write(line);
+      for (const key of children.keys()) {
+        if (!otherChildren.has(key)) {
+          return false;
         }
-        spinner.start();
-      }
-      remaining -= 1;
-      spinner.text = remaining > 0 ? getText() : '';
-      packageAlerts.push(...alerts);
-    }
-  } catch (e) {
-    console.log('error', e);
-  } finally {
-    spinner.stop();
-  }
-  return packageAlerts;
-}
-function toRepoUrl(resolved) {
-  return resolved.replace(/#[\s\S]*$/, '').replace(/\?[\s\S]*$/, '').replace(/\/[^/]*\/-\/[\s\S]*$/, '');
-}
-function walk(diff_, needInfoOn = []) {
-  const queue = [diff_];
-  let pos = 0;
-  let {
-    length: queueLength
-  } = queue;
-  while (pos < queueLength) {
-    if (pos === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop while walking Arborist diff');
-    }
-    const diff = queue[pos++];
-    if (!diff) {
-      continue;
-    }
-    const {
-      action
-    } = diff;
-    if (action) {
-      const oldNode = diff.actual;
-      const oldPkgid = oldNode?.pkgid;
-      const pkgNode = diff.ideal;
-      const pkgid = pkgNode?.pkgid;
-      let existing;
-      let keep = false;
-      if (action === 'CHANGE') {
-        if (pkgNode?.package.version !== oldNode?.package.version) {
-          keep = true;
-          if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
-            existing = oldPkgid;
-          }
+        const child = children.get(key);
+        const otherChild = otherChildren.get(key);
+        if (child.value !== otherChild.value) {
+          return false;
         }
-      } else {
-        keep = action !== 'REMOVE';
-      }
-      if (keep && pkgid && pkgNode.resolved && (!oldNode || oldNode.resolved)) {
-        needInfoOn.push({
-          existing,
-          pkgid,
-          repository_url: toRepoUrl(pkgNode.resolved)
-        });
-      }
-    }
-    if (diff.children) {
-      for (const child of diff.children) {
-        queue[queueLength++] = child;
+        queue[queueLength++] = [child, otherChild];
       }
     }
+    return true;
   }
-  return needInfoOn;
-}
-
-// The Edge class makes heavy use of private properties which subclasses do NOT
-// have access to. So we have to recreate any functionality that relies on those
-// private properties and use our own "safe" prefixed non-conflicting private
-// properties. Implementation code not related to patch https://github.com/npm/cli/pull/7025
-// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/edge.js.
-//
-// The npm application
-// Copyright (c) npm, Inc. and Contributors
-// Licensed on the terms of The Artistic License 2.0
-//
-// An edge in the dependency graph.
-// Represents a dependency relationship of some kind.
-class SafeEdge extends Edge {
-  #safeAccept;
-  #safeError;
-  #safeExplanation;
-  #safeFrom;
-  #safeName;
-  #safeTo;
-  constructor(options) {
-    const {
-      accept,
-      from,
-      name
-    } = options;
-    // Defer to supper to validate options and assign non-private values.
-    super(options);
-    if (accept !== undefined) {
-      this.#safeAccept = accept || '*';
-    }
-    this.#safeError = null;
-    this.#safeExplanation = null;
-    this.#safeFrom = from;
-    this.#safeName = name;
-    this.#safeTo = null;
-    this.reload(true);
-  }
-  get accept() {
-    return this.#safeAccept;
-  }
-  get bundled() {
-    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
-  }
-  get error() {
-    if (!this.#safeError) {
-      if (!this.#safeTo) {
-        if (this.optional) {
-          this.#safeError = null;
-        } else {
-          this.#safeError = 'MISSING';
-        }
-      } else if (this.peer && this.#safeFrom === this.#safeTo.parent && !this.#safeFrom?.isTop) {
-        this.#safeError = 'PEER LOCAL';
-      } else if (!this.satisfiedBy(this.#safeTo)) {
-        this.#safeError = 'INVALID';
+  getEdgeRule(edge) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== edge.name) {
+        continue;
       }
-      // Patch adding "else if" condition is based on
-      // https://github.com/npm/cli/pull/7025.
-      else if (this.overrides && this.#safeTo.edgesOut.size && doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
-        // Any inconsistency between the edge's override set and the target's
-        // override set is potentially problematic. But we only say the edge is
-        // in error if the override sets are plainly conflicting. Note that if
-        // the target doesn't have any dependencies of their own, then this
-        // inconsistency is irrelevant.
-        this.#safeError = 'INVALID';
-      } else {
-        this.#safeError = 'OK';
+      // If keySpec is * we found our override.
+      if (rule.keySpec === '*') {
+        return rule;
       }
-    }
-    if (this.#safeError === 'OK') {
-      return null;
-    }
-    return this.#safeError;
-  }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get from() {
-    return this.#safeFrom;
-  }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get spec() {
-    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
-      // Patch adding "if" condition is based on
-      // https://github.com/npm/cli/pull/7025.
+      // Patch replacing
+      // let spec = npa(`${edge.name}@${edge.spec}`)
+      // is based on https://github.com/npm/cli/pull/7025.
       //
-      // If this edge has the same overrides field as the source, then we're not
-      // applying an override for this edge.
-      if (this.overrides === this.#safeFrom?.overrides) {
-        // The Edge rawSpec getter will retrieve the private Edge #spec property.
-        return this.rawSpec;
+      // We need to use the rawSpec here, because the spec has the overrides
+      // applied to it already.
+      let spec = npa(`${edge.name}@${edge.rawSpec}`);
+      if (spec.type === 'alias') {
+        spec = spec.subSpec;
       }
-      if (this.overrides.value.startsWith('$')) {
-        const ref = this.overrides.value.slice(1);
-        // We may be a virtual root, if we are we want to resolve reference
-        // overrides from the real root, not the virtual one.
-        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom.sourceReference.root.package : this.#safeFrom?.root?.package;
-        if (pkg?.devDependencies?.[ref]) {
-          return pkg.devDependencies[ref];
-        }
-        if (pkg?.optionalDependencies?.[ref]) {
-          return pkg.optionalDependencies[ref];
-        }
-        if (pkg?.dependencies?.[ref]) {
-          return pkg.dependencies[ref];
-        }
-        if (pkg?.peerDependencies?.[ref]) {
-          return pkg.peerDependencies[ref];
+      if (spec.type === 'git') {
+        if (spec.gitRange && rule.keySpec && semver.intersects(spec.gitRange, rule.keySpec)) {
+          return rule;
         }
-        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
-      }
-      return this.overrides.value;
-    }
-    return this.rawSpec;
-  }
-
-  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get to() {
-    return this.#safeTo;
-  }
-  detach() {
-    this.#safeExplanation = null;
-    // Patch replacing
-    // if (this.#safeTo) {
-    //   this.#safeTo.edgesIn.delete(this)
-    // }
-    // is based on https://github.com/npm/cli/pull/7025.
-    this.#safeTo?.deleteEdgeIn(this);
-    this.#safeFrom?.edgesOut.delete(this.name);
-    this.#safeTo = null;
-    this.#safeError = 'DETACHED';
-    this.#safeFrom = null;
-  }
-
-  // Return the edge data, and an explanation of how that edge came to be here.
-  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
-  explain() {
-    if (!this.#safeExplanation) {
-      const explanation = {
-        type: this.type,
-        name: this.name,
-        spec: this.spec,
-        bundled: false,
-        overridden: false,
-        error: undefined,
-        from: undefined,
-        rawSpec: undefined
-      };
-      if (this.rawSpec !== this.spec) {
-        explanation.rawSpec = this.rawSpec;
-        explanation.overridden = true;
-      }
-      if (this.bundled) {
-        explanation.bundled = this.bundled;
-      }
-      if (this.error) {
-        explanation.error = this.error;
+        continue;
       }
-      if (this.#safeFrom) {
-        explanation.from = this.#safeFrom.explain();
+      if (spec.type === 'range' || spec.type === 'version') {
+        if (rule.keySpec && semver.intersects(spec.fetchSpec, rule.keySpec)) {
+          return rule;
+        }
+        continue;
       }
-      this.#safeExplanation = explanation;
+      // If we got this far, the spec type is one of tag, directory or file
+      // which means we have no real way to make version comparisons, so we
+      // just accept the override.
+      return rule;
     }
-    return this.#safeExplanation;
+    return this;
   }
-  reload(hard = false) {
-    this.#safeExplanation = null;
 
-    // Patch adding newOverrideSet and oldOverrideSet is based on
-    // https://github.com/npm/cli/pull/7025.
-    let newOverrideSet;
-    let oldOverrideSet;
-    if (this.#safeFrom?.overrides) {
-      // Patch replacing
-      // this.overrides = this.#safeFrom.overrides.getEdgeRule(this)
-      // is based on https://github.com/npm/cli/pull/7025.
-      const newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
-      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
-        // If there's a new different override set we need to propagate it to
-        // the nodes. If we're deleting the override set then there's no point
-        // propagating it right now since it will be filled with another value
-        // later.
-        oldOverrideSet = this.overrides;
-        this.overrides = newOverrideSet;
-      }
-    } else {
-      this.overrides = undefined;
-    }
-    const newTo = this.#safeFrom?.resolve(this.name);
-    if (newTo !== this.#safeTo) {
-      if (this.#safeTo) {
-        // Patch replacing
-        // this.#safeTo.edgesIn.delete(this)
-        // is based on https://github.com/npm/cli/pull/7025.
-        this.#safeTo.deleteEdgeIn(this);
-      }
-      this.#safeTo = newTo ?? null;
-      this.#safeError = null;
-      if (this.#safeTo) {
-        this.#safeTo.addEdgeIn(this);
-      }
-    } else if (hard) {
-      this.#safeError = null;
-    }
-    // Patch adding "else if" condition based on
-    // https://github.com/npm/cli/pull/7025
-    else if (oldOverrideSet) {
-      // Propagate the new override set to the target node.
-      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
-      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
+  // Patch adding isEqual is based on
+  // https://github.com/npm/cli/pull/7025.
+  isEqual(otherOverrideSet) {
+    if (this === otherOverrideSet) {
+      return true;
     }
-  }
-  satisfiedBy(node) {
-    // Patch replacing
-    // if (node.name !== this.#name) {
-    //   return false
-    // }
-    // is based on https://github.com/npm/cli/pull/7025.
-    if (node.name !== this.#safeName || !this.#safeFrom) {
+    if (!otherOverrideSet) {
       return false;
     }
-    // NOTE: this condition means we explicitly do not support overriding
-    // bundled or shrinkwrapped dependencies
-    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
-      return depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom);
-    }
-    // Patch replacing
-    // return depValid(node, this.spec, this.#accept, this.#from)
-    // is based on https://github.com/npm/cli/pull/7025.
-    //
-    // If there's no override we just use the spec.
-    if (!this.overrides?.keySpec) {
-      return depValid(node, this.spec, this.#safeAccept, this.#safeFrom);
-    }
-    // There's some override. If the target node satisfies the overriding spec
-    // then it's okay.
-    if (depValid(node, this.spec, this.#safeAccept, this.#safeFrom)) {
-      return true;
+    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
+      return false;
     }
-    // If it doesn't, then it should at least satisfy the original spec.
-    if (!depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom)) {
+    if (!this.childrenAreEqual(otherOverrideSet)) {
       return false;
     }
-    // It satisfies the original spec, not the overriding spec. We need to make
-    // sure it doesn't use the overridden spec.
-    // For example, we might have an ^8.0.0 rawSpec, and an override that makes
-    // keySpec=8.23.0 and the override value spec=9.0.0.
-    // If the node is 9.0.0, then it's okay because it's consistent with spec.
-    // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
-    // If the node is 8.23.0, then it's not okay because even though it's consistent
-    // with the rawSpec, it's also consistent with the keySpec.
-    // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
-    return !depValid(node, this.overrides.keySpec, this.#safeAccept, this.#safeFrom);
+    if (!this.parent) {
+      return !otherOverrideSet.parent;
+    }
+    return this.parent.isEqual(otherOverrideSet.parent);
   }
 }
 
+const Node = require(arboristNodeClassPath);
+
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
-// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/node.js:
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
 class SafeNode extends Node {
   // Return true if it's safe to remove this node, because anything that is
   // depending on it would be fine with the thing that they would resolve to if
@@ -1066,6 +700,8 @@ class SafeNode extends Node {
     }
     return result;
   }
+
+  // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/7025.
   deleteEdgeIn(edge) {
     this.edgesIn.delete(edge);
     const {
@@ -1087,260 +723,801 @@ class SafeNode extends Node {
     if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
       this.updateOverridesEdgeInAdded(edge.overrides);
     }
-    this.edgesIn.add(edge);
-    // Try to get metadata from the yarn.lock file.
-    this.root.meta?.addEdge(edge);
+    this.edgesIn.add(edge);
+    // Try to get metadata from the yarn.lock file.
+    this.root.meta?.addEdge(edge);
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get overridden() {
+    // Patch replacing
+    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
+      return false;
+    }
+    // The overrides rule is for a package with this name, but some override rules
+    // only apply to specific versions. To make sure this package was actually
+    // overridden, we check whether any edge going in had the rule applied to it,
+    // in which case its overrides set is different than its source node.
+    for (const edge of this.edgesIn) {
+      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
+        if (!edge.overrides?.isEqual(edge.from?.overrides)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  // Patch adding recalculateOutEdgesOverrides is based on
+  // https://github.com/npm/cli/pull/7025.
+  recalculateOutEdgesOverrides() {
+    // For each edge out propagate the new overrides through.
+    for (const edge of this.edgesOut.values()) {
+      edge.reload(true);
+      if (edge.to) {
+        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+      }
+    }
+  }
+
+  // @ts-ignore: Incorrectly typed to accept null.
+  set root(newRoot) {
+    // Patch removing
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    //   this.overrides = this.parent.overrides.getNodeRule(this)
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // The "root" setter is a really large and complex function. To satisfy the
+    // patch we add a dummy value to `this.overrides` so that the condition we
+    // want to remove,
+    // if (!this.overrides && this.parent && this.parent.overrides) {
+    // , is not hit.
+    if (!this.overrides) {
+      this.overrides = new SafeOverrideSet({
+        overrides: ''
+      });
+    }
+    try {
+      super.root = newRoot;
+      this.overrides = undefined;
+    } catch (e) {
+      this.overrides = undefined;
+      throw e;
+    }
+  }
+
+  // Patch adding updateOverridesEdgeInAdded is based on
+  // https://github.com/npm/cli/pull/7025.
+  //
+  // This logic isn't perfect either. When we have two edges in that have
+  // different override sets, then we have to decide which set is correct. This
+  // function assumes the more specific override set is applicable, so if we have
+  // dependencies A->B->C and A->C and an override set that specifies what happens
+  // for C under A->B, this will work even if the new A->C edge comes along and
+  // tries to change the override set. The strictly correct logic is not to allow
+  // two edges with different overrides to point to the same node, because even
+  // if this node can satisfy both, one of its dependencies might need to be
+  // different depending on the edge leading to it. However, this might cause a
+  // lot of duplication, because the conflict in the dependencies might never
+  // actually happen.
+  updateOverridesEdgeInAdded(otherOverrideSet) {
+    if (!otherOverrideSet) {
+      // Assuming there are any overrides at all, the overrides field is never
+      // undefined for any node at the end state of the tree. So if the new edge's
+      // overrides is undefined it will be updated later. So we can wait with
+      // updating the node's overrides field.
+      return false;
+    }
+    if (!this.overrides) {
+      this.overrides = otherOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    if (this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    const newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(this.overrides, otherOverrideSet);
+    if (newOverrideSet) {
+      if (this.overrides.isEqual(newOverrideSet)) {
+        return false;
+      }
+      this.overrides = newOverrideSet;
+      this.recalculateOutEdgesOverrides();
+      return true;
+    }
+    // This is an error condition. We can only get here if the new override set
+    // is in conflict with the existing.
+    const log = getLogger();
+    log?.silly('Conflicting override sets', this.name);
+    return false;
+  }
+
+  // Patch adding updateOverridesEdgeInRemoved is based on
+  // https://github.com/npm/cli/pull/7025.
+  updateOverridesEdgeInRemoved(otherOverrideSet) {
+    // If this edge's overrides isn't equal to this node's overrides,
+    // then removing it won't change newOverrideSet later.
+    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+      return false;
+    }
+    let newOverrideSet;
+    for (const edge of this.edgesIn) {
+      const {
+        overrides: edgeOverrides
+      } = edge;
+      if (newOverrideSet && edgeOverrides) {
+        newOverrideSet = SafeOverrideSet.findSpecificOverrideSet(edgeOverrides, newOverrideSet);
+      } else {
+        newOverrideSet = edgeOverrides;
+      }
+    }
+    if (this.overrides.isEqual(newOverrideSet)) {
+      return false;
+    }
+    this.overrides = newOverrideSet;
+    if (newOverrideSet) {
+      // Optimization: If there's any override set at all, then no non-extraneous
+      // node has an empty override set. So if we temporarily have no override set
+      // (for example, we removed all the edges in), there's no use updating all
+      // the edges out right now. Let's just wait until we have an actual override
+      // set later.
+      this.recalculateOutEdgesOverrides();
+    }
+    return true;
+  }
+}
+
+const Edge = require(arboristEdgeClassPath);
+
+// The Edge class makes heavy use of private properties which subclasses do NOT
+// have access to. So we have to recreate any functionality that relies on those
+// private properties and use our own "safe" prefixed non-conflicting private
+// properties. Implementation code not related to patch https://github.com/npm/cli/pull/7025
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.
+//
+// The npm application
+// Copyright (c) npm, Inc. and Contributors
+// Licensed on the terms of The Artistic License 2.0
+//
+// An edge in the dependency graph.
+// Represents a dependency relationship of some kind.
+const initializedSafeEdges = new WeakSet();
+class SafeEdge extends Edge {
+  #safeAccept;
+  #safeError;
+  #safeExplanation;
+  #safeFrom;
+  #safeName;
+  #safeTo;
+  constructor(options) {
+    const {
+      accept,
+      from,
+      name
+    } = options;
+    // Defer to supper to validate options and assign non-private values.
+    super(options);
+    if (accept !== undefined) {
+      this.#safeAccept = accept || '*';
+    }
+    if (from.constructor !== SafeNode) {
+      Reflect.setPrototypeOf(from, SafeNode.prototype);
+    }
+    this.#safeError = null;
+    this.#safeExplanation = null;
+    this.#safeFrom = from;
+    this.#safeName = name;
+    this.#safeTo = null;
+    initializedSafeEdges.add(this);
+    this.reload(true);
+  }
+  get accept() {
+    return this.#safeAccept;
+  }
+  get bundled() {
+    return !!this.#safeFrom?.package?.bundleDependencies?.includes(this.name);
+  }
+  get error() {
+    if (!this.#safeError) {
+      if (!this.#safeTo) {
+        if (this.optional) {
+          this.#safeError = null;
+        } else {
+          this.#safeError = 'MISSING';
+        }
+      } else if (this.peer && this.#safeFrom === this.#safeTo.parent && !this.#safeFrom?.isTop) {
+        this.#safeError = 'PEER LOCAL';
+      } else if (!this.satisfiedBy(this.#safeTo)) {
+        this.#safeError = 'INVALID';
+      }
+      // Patch adding "else if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      else if (this.overrides && this.#safeTo.edgesOut.size && SafeOverrideSet.doOverrideSetsConflict(this.overrides, this.#safeTo.overrides)) {
+        // Any inconsistency between the edge's override set and the target's
+        // override set is potentially problematic. But we only say the edge is
+        // in error if the override sets are plainly conflicting. Note that if
+        // the target doesn't have any dependencies of their own, then this
+        // inconsistency is irrelevant.
+        this.#safeError = 'INVALID';
+      } else {
+        this.#safeError = 'OK';
+      }
+    }
+    if (this.#safeError === 'OK') {
+      return null;
+    }
+    return this.#safeError;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get from() {
+    return this.#safeFrom;
+  }
+
+  // @ts-ignore: Incorrectly typed as a property instead of an accessor.
+  get spec() {
+    if (this.overrides?.value && this.overrides.value !== '*' && this.overrides.name === this.name) {
+      // Patch adding "if" condition is based on
+      // https://github.com/npm/cli/pull/7025.
+      //
+      // If this edge has the same overrides field as the source, then we're not
+      // applying an override for this edge.
+      if (this.overrides === this.#safeFrom?.overrides) {
+        // The Edge rawSpec getter will retrieve the private Edge #spec property.
+        return this.rawSpec;
+      }
+      if (this.overrides.value.startsWith('$')) {
+        const ref = this.overrides.value.slice(1);
+        // We may be a virtual root, if we are we want to resolve reference
+        // overrides from the real root, not the virtual one.
+        const pkg = this.#safeFrom?.sourceReference ? this.#safeFrom.sourceReference.root.package : this.#safeFrom?.root?.package;
+        if (pkg?.devDependencies?.[ref]) {
+          return pkg.devDependencies[ref];
+        }
+        if (pkg?.optionalDependencies?.[ref]) {
+          return pkg.optionalDependencies[ref];
+        }
+        if (pkg?.dependencies?.[ref]) {
+          return pkg.dependencies[ref];
+        }
+        if (pkg?.peerDependencies?.[ref]) {
+          return pkg.peerDependencies[ref];
+        }
+        throw new Error(`Unable to resolve reference ${this.overrides.value}`);
+      }
+      return this.overrides.value;
+    }
+    return this.rawSpec;
   }
 
   // @ts-ignore: Incorrectly typed as a property instead of an accessor.
-  get overridden() {
+  get to() {
+    return this.#safeTo;
+  }
+  detach() {
+    this.#safeExplanation = null;
     // Patch replacing
-    // return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+    // if (this.#safeTo) {
+    //   this.#safeTo.edgesIn.delete(this)
+    // }
     // is based on https://github.com/npm/cli/pull/7025.
-    if (!this.overrides || !this.overrides.value || this.overrides.name !== this.name) {
-      return false;
-    }
-    // The overrides rule is for a package with this name, but some override rules
-    // only apply to specific versions. To make sure this package was actually
-    // overridden, we check whether any edge going in had the rule applied to it,
-    // in which case its overrides set is different than its source node.
-    for (const edge of this.edgesIn) {
-      if (edge.overrides && edge.overrides.name === this.name && edge.overrides.value === this.version) {
-        if (!edge.overrides?.isEqual(edge.from?.overrides)) {
-          return true;
-        }
-      }
-    }
-    return false;
+    this.#safeTo?.deleteEdgeIn(this);
+    this.#safeFrom?.edgesOut.delete(this.name);
+    this.#safeTo = null;
+    this.#safeError = 'DETACHED';
+    this.#safeFrom = null;
   }
 
-  // Patch adding recalculateOutEdgesOverrides is based on
-  // https://github.com/npm/cli/pull/7025.
-  recalculateOutEdgesOverrides() {
-    // For each edge out propagate the new overrides through.
-    for (const edge of this.edgesOut.values()) {
-      edge.reload(true);
-      if (edge.to) {
-        edge.to.updateOverridesEdgeInAdded(edge.overrides);
+  // Return the edge data, and an explanation of how that edge came to be here.
+  // @ts-ignore: Edge#explain is defined with an unused `seen = []` param.
+  explain() {
+    if (!this.#safeExplanation) {
+      const explanation = {
+        type: this.type,
+        name: this.name,
+        spec: this.spec,
+        bundled: false,
+        overridden: false,
+        error: undefined,
+        from: undefined,
+        rawSpec: undefined
+      };
+      if (this.rawSpec !== this.spec) {
+        explanation.rawSpec = this.rawSpec;
+        explanation.overridden = true;
+      }
+      if (this.bundled) {
+        explanation.bundled = this.bundled;
+      }
+      if (this.error) {
+        explanation.error = this.error;
+      }
+      if (this.#safeFrom) {
+        explanation.from = this.#safeFrom.explain();
       }
+      this.#safeExplanation = explanation;
     }
+    return this.#safeExplanation;
   }
-
-  // @ts-ignore: Incorrectly typed to accept null.
-  set root(newRoot) {
-    // Patch removing
-    // if (!this.overrides && this.parent && this.parent.overrides) {
-    //   this.overrides = this.parent.overrides.getNodeRule(this)
-    // }
-    // is based on https://github.com/npm/cli/pull/7025.
-    //
-    // The "root" setter is a really large and complex function. To satisfy the
-    // patch we add a dummy value to `this.overrides` so that the condition we
-    // want to remove,
-    // if (!this.overrides && this.parent && this.parent.overrides) {
-    // , is not hit.
-    if (!this.overrides) {
-      this.overrides = new OverrideSet({
-        overrides: ''
-      });
+  reload(hard = false) {
+    if (!initializedSafeEdges.has(this)) {
+      // Skip if called during super constructor.
+      return;
     }
-    try {
-      super.root = newRoot;
-      this.overrides = undefined;
-    } catch (e) {
+    this.#safeExplanation = null;
+    // Patch adding newOverrideSet and oldOverrideSet is based on
+    // https://github.com/npm/cli/pull/7025.
+    let newOverrideSet;
+    let oldOverrideSet;
+    if (this.#safeFrom?.overrides) {
+      // Patch replacing
+      // this.overrides = this.#safeFrom.overrides.getEdgeRule(this)
+      // is based on https://github.com/npm/cli/pull/7025.
+      const newOverrideSet = this.#safeFrom.overrides.getEdgeRule(this);
+      if (newOverrideSet && !newOverrideSet.isEqual(this.overrides)) {
+        // If there's a new different override set we need to propagate it to
+        // the nodes. If we're deleting the override set then there's no point
+        // propagating it right now since it will be filled with another value
+        // later.
+        oldOverrideSet = this.overrides;
+        this.overrides = newOverrideSet;
+      }
+    } else {
       this.overrides = undefined;
-      throw e;
+    }
+    const newTo = this.#safeFrom?.resolve(this.name);
+    if (newTo !== this.#safeTo) {
+      // Patch replacing
+      // if (this.#safeTo) {
+      //   this.#safeTo.edgesIn.delete(this)
+      // }
+      // is based on https://github.com/npm/cli/pull/7025.
+      this.#safeTo?.deleteEdgeIn(this);
+      this.#safeTo = newTo ?? null;
+      this.#safeError = null;
+      this.#safeTo?.addEdgeIn(this);
+    } else if (hard) {
+      this.#safeError = null;
+    }
+    // Patch adding "else if" condition based on
+    // https://github.com/npm/cli/pull/7025
+    else if (oldOverrideSet) {
+      // Propagate the new override set to the target node.
+      this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
+      this.#safeTo.updateOverridesEdgeInAdded(newOverrideSet);
     }
   }
-
-  // Patch adding updateOverridesEdgeInAdded is based on
-  // https://github.com/npm/cli/pull/7025.
-  //
-  // This logic isn't perfect either. When we have two edges in that have
-  // different override sets, then we have to decide which set is correct. This
-  // function assumes the more specific override set is applicable, so if we have
-  // dependencies A->B->C and A->C and an override set that specifies what happens
-  // for C under A->B, this will work even if the new A->C edge comes along and
-  // tries to change the override set. The strictly correct logic is not to allow
-  // two edges with different overrides to point to the same node, because even
-  // if this node can satisfy both, one of its dependencies might need to be
-  // different depending on the edge leading to it. However, this might cause a
-  // lot of duplication, because the conflict in the dependencies might never
-  // actually happen.
-  updateOverridesEdgeInAdded(otherOverrideSet) {
-    if (!otherOverrideSet) {
-      // Assuming there are any overrides at all, the overrides field is never
-      // undefined for any node at the end state of the tree. So if the new edge's
-      // overrides is undefined it will be updated later. So we can wait with
-      // updating the node's overrides field.
+  satisfiedBy(node) {
+    // Patch replacing
+    // if (node.name !== this.#name) {
+    //   return false
+    // }
+    // is based on https://github.com/npm/cli/pull/7025.
+    if (node.name !== this.#safeName || !this.#safeFrom) {
       return false;
     }
-    if (!this.overrides) {
-      this.overrides = otherOverrideSet;
-      this.recalculateOutEdgesOverrides();
-      return true;
+    // NOTE: this condition means we explicitly do not support overriding
+    // bundled or shrinkwrapped dependencies
+    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+      return depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom);
     }
-    if (this.overrides.isEqual(otherOverrideSet)) {
-      return false;
+    // Patch replacing
+    // return depValid(node, this.spec, this.#accept, this.#from)
+    // is based on https://github.com/npm/cli/pull/7025.
+    //
+    // If there's no override we just use the spec.
+    if (!this.overrides?.keySpec) {
+      return depValid(node, this.spec, this.#safeAccept, this.#safeFrom);
     }
-    const newOverrideSet = findSpecificOverrideSet(this.overrides, otherOverrideSet);
-    if (newOverrideSet) {
-      if (this.overrides.isEqual(newOverrideSet)) {
-        return false;
-      }
-      this.overrides = newOverrideSet;
-      this.recalculateOutEdgesOverrides();
+    // There's some override. If the target node satisfies the overriding spec
+    // then it's okay.
+    if (depValid(node, this.spec, this.#safeAccept, this.#safeFrom)) {
       return true;
     }
-    // This is an error condition. We can only get here if the new override set
-    // is in conflict with the existing.
-    log.silly('Conflicting override sets', this.name);
-    return false;
-  }
-
-  // Patch adding updateOverridesEdgeInRemoved is based on
-  // https://github.com/npm/cli/pull/7025.
-  updateOverridesEdgeInRemoved(otherOverrideSet) {
-    // If this edge's overrides isn't equal to this node's overrides,
-    // then removing it won't change newOverrideSet later.
-    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+    // If it doesn't, then it should at least satisfy the original spec.
+    if (!depValid(node, this.rawSpec, this.#safeAccept, this.#safeFrom)) {
       return false;
     }
-    let newOverrideSet;
-    for (const edge of this.edgesIn) {
-      const {
-        overrides: edgeOverrides
-      } = edge;
-      if (newOverrideSet && edgeOverrides) {
-        newOverrideSet = findSpecificOverrideSet(edgeOverrides, newOverrideSet);
-      } else {
-        newOverrideSet = edgeOverrides;
-      }
+    // It satisfies the original spec, not the overriding spec. We need to make
+    // sure it doesn't use the overridden spec.
+    // For example, we might have an ^8.0.0 rawSpec, and an override that makes
+    // keySpec=8.23.0 and the override value spec=9.0.0.
+    // If the node is 9.0.0, then it's okay because it's consistent with spec.
+    // If the node is 8.24.0, then it's okay because it's consistent with the rawSpec.
+    // If the node is 8.23.0, then it's not okay because even though it's consistent
+    // with the rawSpec, it's also consistent with the keySpec.
+    // So we're looking for ^8.0.0 or 9.0.0 and not 8.23.0.
+    return !depValid(node, this.overrides.keySpec, this.#safeAccept, this.#safeFrom);
+  }
+}
+
+const pacote = require(pacotePath);
+const {
+  LOOP_SENTINEL,
+  NPM,
+  NPM_REGISTRY_URL,
+  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE,
+  SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE,
+  abortSignal
+} = constants;
+const formatter = new socketUrl.ColorOrMarkdown(false);
+function findBestPatchVersion(name, availableVersions, currentMajorVersion, vulnerableRange) {
+  const manifestVersion = registry.getManifestData(NPM, name)?.version;
+  // Filter versions that are within the current major version and are not in the vulnerable range
+  const eligibleVersions = availableVersions.filter(version => {
+    const isSameMajor = semver.major(version) === currentMajorVersion;
+    const isNotVulnerable = !semver.satisfies(version, vulnerableRange);
+    if (isSameMajor && isNotVulnerable) {
+      return true;
     }
-    if (this.overrides.isEqual(newOverrideSet)) {
-      return false;
+    return !!manifestVersion;
+  });
+  if (eligibleVersions.length === 0) {
+    return null;
+  }
+  // Use semver to find the max satisfying version.
+  return semver.maxSatisfying(eligibleVersions, '*');
+}
+function findPackage(tree, packageName) {
+  const queue = [{
+    node: tree
+  }];
+  let sentinel = 0;
+  while (queue.length) {
+    if (sentinel++ === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop in findPackage');
     }
-    this.overrides = newOverrideSet;
-    if (newOverrideSet) {
-      // Optimization: If there's any override set at all, then no non-extraneous
-      // node has an empty override set. So if we temporarily have no override set
-      // (for example, we removed all the edges in), there's no use updating all
-      // the edges out right now. Let's just wait until we have an actual override
-      // set later.
-      this.recalculateOutEdgesOverrides();
+    const {
+      node: currentNode
+    } = queue.pop();
+    const node = currentNode.children.get(packageName);
+    if (node) {
+      // Found package.
+      return node;
+    }
+    const children = [...currentNode.children.values()];
+    for (let i = children.length - 1; i >= 0; i -= 1) {
+      queue.push({
+        node: children[i]
+      });
     }
-    return true;
   }
-}
-
-// Implementation code not related to patch https://github.com/npm/cli/pull/7025
-// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/override-set.js:
-class SafeOverrideSet extends OverrideSet {
-  // Patch adding childrenAreEqual is based on
-  // https://github.com/npm/cli/pull/7025.
-  childrenAreEqual(otherOverrideSet) {
-    const queue = [[this, otherOverrideSet]];
-    let pos = 0;
-    let {
-      length: queueLength
-    } = queue;
-    while (pos < queueLength) {
-      if (pos === LOOP_SENTINEL) {
-        throw new Error('Detected infinite loop while comparing override sets');
+  return null;
+}
+async function getPackagesAlerts(safeArb, pkgs, options) {
+  let {
+    length: remaining
+  } = pkgs;
+  const packageAlerts = [];
+  if (!remaining) {
+    return packageAlerts;
+  }
+  const {
+    fixable,
+    output
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const spinner$1 = output ? new spinner.Spinner({
+    stream: output
+  }) : undefined;
+  const getText = spinner$1 ? () => `Looking up data for ${remaining} packages` : () => '';
+  spinner$1?.start(getText());
+  try {
+    for await (const artifact of batchScan(pkgs.map(p => p.pkgid))) {
+      if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
+        continue;
       }
       const {
-        0: currSet,
-        1: currOtherSet
-      } = queue[pos++];
-      const {
-        children
-      } = currSet;
-      const {
-        children: otherChildren
-      } = currOtherSet;
-      if (children.size !== otherChildren.size) {
-        return false;
+        version
+      } = artifact;
+      const name = packages.resolvePackageName(artifact);
+      const id = `${name}@${artifact.version}`;
+      let blocked = false;
+      let displayWarning = false;
+      let alerts = [];
+      for (const alert of artifact.alerts) {
+        // eslint-disable-next-line no-await-in-loop
+        const ux = await uxLookup({
+          package: {
+            name,
+            version
+          },
+          alert: {
+            type: alert.type
+          }
+        });
+        if (ux.block) {
+          blocked = true;
+        }
+        if (ux.display && output) {
+          displayWarning = true;
+        }
+        if (ux.block || ux.display) {
+          const isFixable = isAlertFixable(alert);
+          if (!fixable || isFixable) {
+            alerts.push({
+              name,
+              version,
+              key: alert.key,
+              type: alert.type,
+              block: ux.block,
+              raw: alert,
+              fixable: isFixable
+            });
+          }
+          // Lazily access constants.IPC.
+          if (!fixable && !constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]) {
+            // Before we ask about problematic issues, check to see if they
+            // already existed in the old version if they did, be quiet.
+            const existing = pkgs.find(p => p.existing?.startsWith(`${name}@`))?.existing;
+            if (existing) {
+              const oldArtifact =
+              // eslint-disable-next-line no-await-in-loop
+              (await batchScan([existing]).next()).value;
+              if (oldArtifact?.alerts?.length) {
+                alerts = alerts.filter(({
+                  type
+                }) => !oldArtifact.alerts?.find(a => a.type === type));
+              }
+            }
+          }
+        }
       }
-      for (const key of children.keys()) {
-        if (!otherChildren.has(key)) {
-          return false;
+      if (!blocked) {
+        const pkg = pkgs.find(p => p.pkgid === id);
+        if (pkg) {
+          await pacote.tarball.stream(id, stream => {
+            stream.resume();
+            return stream.promise();
+          }, {
+            ...safeArb[kCtorArgs][0]
+          });
         }
-        const child = children.get(key);
-        const otherChild = otherChildren.get(key);
-        if (child.value !== otherChild.value) {
-          return false;
+      }
+      if (displayWarning && spinner$1) {
+        spinner$1.stop(`(socket) ${formatter.hyperlink(id, socketUrl.getSocketDevPackageOverviewUrl(NPM, name, version))} contains risks:`);
+      }
+      alerts.sort((a, b) => a.type < b.type ? -1 : 1);
+      if (output) {
+        const lines = new Set();
+        const translations = getTranslations();
+        for (const alert of alerts) {
+          const attributes = [...(alert.fixable ? ['fixable'] : []), ...(alert.block ? [] : ['non-blocking'])];
+          const maybeAttributes = attributes.length ? ` (${attributes.join('; ')})` : '';
+          // Based data from { pageProps: { alertTypes } } of:
+          // https://socket.dev/_next/data/94666139314b6437ee4491a0864e72b264547585/en-US.json
+          const info = translations.alerts[alert.type];
+          const title = info?.title ?? alert.type;
+          const maybeDesc = info?.description ? ` - ${info.description}` : '';
+          // TODO: emoji seems to mis-align terminals sometimes
+          lines.add(`  ${title}${maybeAttributes}${maybeDesc}\n`);
         }
-        queue[queueLength++] = [child, otherChild];
+        for (const line of lines) {
+          output?.write(line);
+        }
+      }
+      spinner$1?.start();
+      remaining -= 1;
+      if (spinner$1) {
+        spinner$1.text = remaining > 0 ? getText() : '';
       }
+      packageAlerts.push(...alerts);
     }
-    return true;
+  } catch (e) {
+    pathResolve.debugLog(e);
+  } finally {
+    spinner$1?.stop();
   }
-  getEdgeRule(edge) {
-    for (const rule of this.ruleset.values()) {
-      if (rule.name !== edge.name) {
+  return packageAlerts;
+}
+let _translations;
+function getTranslations() {
+  if (_translations === undefined) {
+    _translations = require(
+    // Lazily access constants.rootPath.
+    path.join(constants.rootPath, 'translations.json'));
+  }
+  return _translations;
+}
+function packageAlertsToReport(alerts) {
+  let report = null;
+  for (const alert of alerts) {
+    if (!isAlertFixableCve(alert.raw)) {
+      continue;
+    }
+    const {
+      name
+    } = alert;
+    if (!report) {
+      report = {};
+    }
+    if (!report[name]) {
+      report[name] = [];
+    }
+    const props = alert.raw?.props;
+    report[name].push({
+      id: -1,
+      url: props?.url,
+      title: props?.title,
+      severity: alert.raw?.severity?.toLowerCase(),
+      vulnerable_versions: props?.vulnerableVersionRange,
+      cwe: props?.cwes,
+      cvss: props?.csvs,
+      name
+    });
+  }
+  return report;
+}
+async function updateAdvisoryDependencies(arb, alerts) {
+  const report = packageAlertsToReport(alerts);
+  if (!report) {
+    // No advisories to process.
+    return;
+  }
+  await arb.buildIdealTree();
+  const tree = arb.idealTree;
+  for (const name of Object.keys(report)) {
+    const advisories = report[name];
+    const node = findPackage(tree, name);
+    if (!node) {
+      // Package not found in the tree.
+      continue;
+    }
+    const {
+      version
+    } = node;
+    const majorVerNum = semver.major(version);
+
+    // Fetch packument to get available versions.
+    // eslint-disable-next-line no-await-in-loop
+    const packument = await packages.fetchPackagePackument(name);
+    const availableVersions = packument ? Object.keys(packument.versions) : [];
+    for (const advisory of advisories) {
+      const {
+        vulnerable_versions
+      } = advisory;
+      // Find the highest non-vulnerable version within the same major range
+      const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerable_versions);
+      const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+      // Check !targetVersion to make TypeScript happy.
+      if (!targetVersion || !targetPackument) {
+        // No suitable patch version found.
         continue;
       }
-      // If keySpec is * we found our override.
-      if (rule.keySpec === '*') {
-        return rule;
+
+      // Use Object.defineProperty to override the version.
+      Object.defineProperty(node, 'version', {
+        configurable: true,
+        enumerable: true,
+        get: () => targetVersion
+      });
+      node.package.version = targetVersion;
+      // Update resolved and clear integrity for the new version.
+      node.resolved = `${NPM_REGISTRY_URL}/${name}/-/${name}-${targetVersion}.tgz`;
+      if (node.integrity) {
+        delete node.integrity;
       }
-      // Patch replacing
-      // let spec = npa(`${edge.name}@${edge.spec}`)
-      // is based on https://github.com/npm/cli/pull/7025.
-      //
-      // We need to use the rawSpec here, because the spec has the overrides
-      // applied to it already.
-      let spec = npa(`${edge.name}@${edge.rawSpec}`);
-      if (spec.type === 'alias') {
-        spec = spec.subSpec;
+      if ('deprecated' in targetPackument) {
+        node.package['deprecated'] = targetPackument.deprecated;
+      } else {
+        delete node.package['deprecated'];
       }
-      if (spec.type === 'git') {
-        if (spec.gitRange && rule.keySpec && semver.intersects(spec.gitRange, rule.keySpec)) {
-          return rule;
+      const newDeps = {
+        ...targetPackument.dependencies
+      };
+      const {
+        dependencies: oldDeps
+      } = node.package;
+      node.package.dependencies = newDeps;
+      if (oldDeps) {
+        for (const oldDepName of Object.keys(oldDeps)) {
+          if (!objects.hasOwn(newDeps, oldDepName)) {
+            node.edgesOut.get(oldDepName)?.detach();
+          }
         }
-        continue;
       }
-      if (spec.type === 'range' || spec.type === 'version') {
-        if (rule.keySpec && semver.intersects(spec.fetchSpec, rule.keySpec)) {
-          return rule;
+      for (const newDepName of Object.keys(newDeps)) {
+        if (!objects.hasOwn(oldDeps, newDepName)) {
+          node.addEdgeOut(new Edge({
+            from: node,
+            name: newDepName,
+            spec: newDeps[newDepName],
+            type: 'prod'
+          }));
         }
-        continue;
       }
-      // If we got this far, the spec type is one of tag, directory or file
-      // which means we have no real way to make version comparisons, so we
-      // just accept the override.
-      return rule;
     }
-    return this;
   }
-
-  // Patch adding isEqual is based on
-  // https://github.com/npm/cli/pull/7025.
-  isEqual(otherOverrideSet) {
-    if (this === otherOverrideSet) {
+}
+async function reify(...args) {
+  const needInfoOn = await walk(this.diff);
+  if (!needInfoOn.length || needInfoOn.findIndex(c => c.repository_url === NPM_REGISTRY_URL) === -1) {
+    // Nothing to check, hmmm already installed or all private?
+    return await this[kRiskyReify](...args);
+  }
+  // Lazily access constants.IPC.
+  const {
+    [SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]: bypassConfirms,
+    [SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE]: bypassAlerts
+  } = constants.IPC;
+  const {
+    stderr: output,
+    stdin: input
+  } = process;
+  let alerts;
+  const proceed = bypassAlerts || (await (async () => {
+    alerts = await getPackagesAlerts(this, needInfoOn, {
+      output
+    });
+    if (bypassConfirms || !alerts.length) {
       return true;
     }
-    if (!otherOverrideSet) {
-      return false;
-    }
-    if (this.key !== otherOverrideSet.key || this.value !== otherOverrideSet.value) {
-      return false;
-    }
-    if (!this.childrenAreEqual(otherOverrideSet)) {
-      return false;
-    }
-    if (!this.parent) {
-      return !otherOverrideSet.parent;
+    return await prompts.confirm({
+      message: 'Accept risks of installing these packages?',
+      default: false
+    }, {
+      input,
+      output,
+      signal: abortSignal
+    });
+  })());
+  if (proceed) {
+    const fix = !!alerts?.length && (bypassConfirms || (await prompts.confirm({
+      message: 'Try to fix alerts?',
+      default: true
+    }, {
+      input,
+      output,
+      signal: abortSignal
+    })));
+    if (fix) {
+      let ret;
+      const prev = new Set(alerts?.map(a => a.key));
+      /* eslint-disable no-await-in-loop */
+      while (alerts.length > 0) {
+        await updateAdvisoryDependencies(this, alerts);
+        ret = await this[kRiskyReify](...args);
+        await this.loadActual();
+        await this.buildIdealTree();
+        alerts = await getPackagesAlerts(this, await walk(this.diff, {
+          fix: true
+        }), {
+          fixable: true
+        });
+        alerts = alerts.filter(a => {
+          const {
+            key
+          } = a;
+          if (prev.has(key)) {
+            return false;
+          }
+          prev.add(key);
+          return true;
+        });
+      }
+      /* eslint-enable no-await-in-loop */
+      return ret;
     }
-    return this.parent.isEqual(otherOverrideSet.parent);
+    return await this[kRiskyReify](...args);
+  } else {
+    throw new Error('Socket npm exiting due to risks');
   }
 }
 
+const Arborist = require(arboristClassPath);
+const kCtorArgs = Symbol('ctorArgs');
+const kRiskyReify = Symbol('riskyReify');
+
 // Implementation code not related to our custom behavior is based on
-// https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/arborist/index.js:
+// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
 class SafeArborist extends Arborist {
   constructor(...ctorArgs) {
-    const mutedArguments = [{
+    super({
       ...ctorArgs[0],
       audit: true,
       dryRun: true,
@@ -1349,13 +1526,13 @@ class SafeArborist extends Arborist {
       saveBundle: false,
       // progress: false,
       fund: false
-    }, ctorArgs.slice(1)];
-    super(...mutedArguments);
+    }, ...ctorArgs.slice(1));
     this[kCtorArgs] = ctorArgs;
   }
   async [kRiskyReify](...args) {
     // SafeArborist has suffered side effects and must be rebuilt from scratch.
     const arb = new Arborist(...this[kCtorArgs]);
+    arb.idealTree = this.idealTree;
     const ret = await arb.reify(...args);
     Object.assign(this, arb);
     return ret;
@@ -1372,53 +1549,23 @@ class SafeArborist extends Arborist {
     const old = {
       ...options,
       dryRun: false,
-      save: Boolean(options['save'] ?? true),
-      saveBundle: Boolean(options['saveBundle'] ?? false)
+      save: Boolean(options.save ?? true),
+      saveBundle: Boolean(options.saveBundle ?? false)
     };
     args[0] = options;
     options.dryRun = true;
-    options['save'] = false;
-    options['saveBundle'] = false;
-    // TODO: Make this deal w/ any refactor to private fields by punching the
+    options.save = false;
+    options.saveBundle = false;
+    // TODO: Make this deal with any refactor to private fields by punching the
     // class itself.
     await super.reify(...args);
-    const diff = walk(this['diff']);
     options.dryRun = old.dryRun;
-    options['save'] = old.save;
-    options['saveBundle'] = old.saveBundle;
-    // Nothing to check, mmm already installed or all private?
-    if (diff.findIndex(c => c.repository_url === NPM_REGISTRY_URL) === -1) {
-      return await this[kRiskyReify](...args);
-    }
-    let proceed = ENV[UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE];
-    if (!proceed) {
-      proceed = await ttyServer.captureTTY(async (input, output) => {
-        if (input && output) {
-          const alerts = await getPackagesAlerts(this, this['registry'], diff, output);
-          if (!alerts.length) {
-            return true;
-          }
-          return await prompts.confirm({
-            message: 'Accept risks of installing these packages?',
-            default: false
-          }, {
-            input,
-            output,
-            signal: abortSignal
-          });
-        } else if ((await getPackagesAlerts(this, this['registry'], diff, output)).length > 0) {
-          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so');
-        }
-        return true;
-      });
-    }
-    if (proceed) {
-      return await this[kRiskyReify](...args);
-    } else {
-      throw new Error('Socket npm exiting due to risks');
-    }
+    options.save = old.save;
+    options.saveBundle = old.saveBundle;
+    return await Reflect.apply(reify, this, args);
   }
 }
+
 function installSafeArborist() {
   const cache = require.cache;
   cache[arboristClassPath] = {
@@ -1430,83 +1577,9 @@ function installSafeArborist() {
   cache[arboristNodeClassPath] = {
     exports: SafeNode
   };
-  cache[arboristOverrideSetClassPatch] = {
+  cache[arboristOverrideSetClassPath] = {
     exports: SafeOverrideSet
   };
 }
-void (async () => {
-  const remoteSettings = await (async () => {
-    try {
-      const socketSdk = await sdk.setupSdk(pubToken);
-      const orgResult = await socketSdk.getOrganizations();
-      if (!orgResult.success) {
-        throw new Error(`Failed to fetch Socket organization info: ${orgResult.error.message}`);
-      }
-      const orgs = [];
-      for (const org of Object.values(orgResult.data.organizations)) {
-        if (org) {
-          orgs.push(org);
-        }
-      }
-      const result = await socketSdk.postSettings(orgs.map(org => ({
-        organization: org.id
-      })));
-      if (!result.success) {
-        throw new Error(`Failed to fetch API key settings: ${result.error.message}`);
-      }
-      return {
-        orgs,
-        settings: result.data
-      };
-    } catch (e) {
-      if (objects.isObject(e) && 'cause' in e) {
-        const {
-          cause
-        } = e;
-        if (sdk.isErrnoException(cause)) {
-          if (cause.code === 'ENOTFOUND' || cause.code === 'ECONNREFUSED') {
-            throw new Error('Unable to connect to socket.dev, ensure internet connectivity before retrying', {
-              cause: e
-            });
-          }
-        }
-      }
-      throw e;
-    }
-  })();
-  const {
-    orgs,
-    settings
-  } = remoteSettings;
-  const enforcedOrgs = sdk.getSetting('enforcedOrgs') ?? [];
-
-  // Remove any organizations not being enforced.
-  for (const {
-    0: i,
-    1: org
-  } of orgs.entries()) {
-    if (!enforcedOrgs.includes(org.id)) {
-      settings.entries.splice(i, 1);
-    }
-  }
-  const socketYml = findSocketYmlSync();
-  if (socketYml) {
-    settings.entries.push({
-      start: socketYml.path,
-      settings: {
-        [socketYml.path]: {
-          deferTo: null,
-          // TODO: TypeScript complains about the type not matching. We should
-          // figure out why are providing
-          // issueRules: { [issueName: string]: boolean }
-          // but expecting
-          // issueRules: { [issueName: string]: { action: 'defer' | 'error' | 'ignore' | 'monitor' | 'warn' } }
-          issueRules: socketYml.parsed.issueRules
-        }
-      }
-    });
-  }
-  _uxLookup = createAlertUXLookup(settings);
-})();
 
 installSafeArborist();