@socketsecurity/cli 0.14.40 → 0.14.42

package/dist/module-sync/npm-injection.js

@@ -13,78 +13,42 @@ var path = require('node:path');
 var process = require('node:process');
 var semver = _socketInterop(require('semver'));
 var registry = require('@socketsecurity/registry');
+var arrays = require('@socketsecurity/registry/lib/arrays');
 var objects = require('@socketsecurity/registry/lib/objects');
 var packages = require('@socketsecurity/registry/lib/packages');
 var prompts = require('@socketsecurity/registry/lib/prompts');
 var spinner = require('@socketsecurity/registry/lib/spinner');
+var constants = require('./constants.js');
 var events = require('node:events');
 var https = require('node:https');
 var readline = require('node:readline');
-var constants = require('./constants.js');
 var socketUrl = require('./socket-url.js');
-var fs = require('node:fs');
 var promises = require('node:timers/promises');
-var config = require('@socketsecurity/config');
-var pathResolve = require('./path-resolve.js');
+var npmPaths = require('./npm-paths.js');
 var npa = _socketInterop(require('npm-package-arg'));
 
 const {
-  API_V0_URL,
   LOOP_SENTINEL: LOOP_SENTINEL$2,
-  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1,
-  abortSignal: abortSignal$2
+  NPM_REGISTRY_URL: NPM_REGISTRY_URL$1
 } = constants;
-async function* batchScan(pkgIds) {
-  const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
-    method: 'POST',
-    headers: {
-      Authorization: `Basic ${Buffer.from(`${socketUrl.getPublicToken()}:`).toString('base64url')}`
-    },
-    signal: abortSignal$2
-  }).end(JSON.stringify({
-    components: pkgIds.map(id => ({
-      purl: `pkg:npm/${id}`
-    }))
-  }));
-  const {
-    0: res
-  } = await events.once(req, 'response');
-  const ok = res.statusCode >= 200 && res.statusCode <= 299;
-  if (!ok) {
-    throw new Error(`Socket API Error: ${res.statusCode}`);
-  }
-  const rli = readline.createInterface(res);
-  for await (const line of rli) {
-    yield JSON.parse(line);
-  }
-}
-function isAlertFixable(alert) {
-  return alert.type === 'socketUpgradeAvailable' || isAlertFixableCve(alert);
-}
-function isAlertFixableCve(alert) {
-  const {
-    type
-  } = alert;
-  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'];
-}
-function toRepoUrl(resolved) {
+function getUrlOrigin(input) {
   try {
-    return URL.parse(resolved)?.origin ?? '';
+    return URL.parse(input)?.origin ?? '';
   } catch {}
   return '';
 }
-function walk(diff_, options) {
+function getPackagesToQueryFromDiff(diff_, options) {
   const {
-    // Lazily access constants.IPC.
-    fix = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1]
+    includeUnchanged = false,
+    includeUnknownOrigin = false
   } = {
     __proto__: null,
     ...options
   };
-  const needInfoOn = [];
+  const details = [];
   // `diff_` is `null` when `npm install --package-lock-only` is passed.
   if (!diff_) {
-    return needInfoOn;
+    return details;
   }
   const queue = [...diff_.children];
   let pos = 0;
@@ -114,25 +78,28 @@ function walk(diff_, options) {
         if (pkgNode?.package.version !== oldNode?.package.version) {
           keep = true;
           if (oldNode?.package.name && oldNode.package.name === pkgNode?.package.name) {
-            existing = oldNode.pkgid;
+            existing = oldNode;
           }
         }
       } else {
         keep = action !== 'REMOVE';
       }
       if (keep && pkgNode?.resolved && (!oldNode || oldNode.resolved)) {
-        needInfoOn.push({
-          existing,
-          pkgid: pkgNode.pkgid,
-          repository_url: toRepoUrl(pkgNode.resolved)
-        });
+        const origin = getUrlOrigin(pkgNode.resolved);
+        if (includeUnknownOrigin || origin === NPM_REGISTRY_URL$1) {
+          details.push({
+            node: pkgNode,
+            origin,
+            existing
+          });
+        }
       }
     }
     for (const child of diff.children) {
       queue[queueLength++] = child;
     }
   }
-  if (fix) {
+  if (includeUnchanged) {
     const {
       unchanged
     } = diff_;
@@ -140,14 +107,55 @@ function walk(diff_, options) {
         length
       } = unchanged; i < length; i += 1) {
       const pkgNode = unchanged[i];
-      needInfoOn.push({
-        existing: pkgNode.pkgid,
-        pkgid: pkgNode.pkgid,
-        repository_url: toRepoUrl(pkgNode.resolved)
-      });
+      const origin = getUrlOrigin(pkgNode.resolved);
+      if (includeUnknownOrigin || origin === NPM_REGISTRY_URL$1) {
+        details.push({
+          node: pkgNode,
+          origin,
+          existing: pkgNode
+        });
+      }
     }
   }
-  return needInfoOn;
+  return details;
+}
+
+const {
+  API_V0_URL,
+  abortSignal: abortSignal$2
+} = constants;
+async function* batchScan(pkgIds) {
+  const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Basic ${Buffer.from(`${socketUrl.getPublicToken()}:`).toString('base64url')}`
+    },
+    signal: abortSignal$2
+  }).end(JSON.stringify({
+    components: pkgIds.map(id => ({
+      purl: `pkg:npm/${id}`
+    }))
+  }));
+  const {
+    0: res
+  } = await events.once(req, 'response');
+  const ok = res.statusCode >= 200 && res.statusCode <= 299;
+  if (!ok) {
+    throw new Error(`Socket API Error: ${res.statusCode}`);
+  }
+  const rli = readline.createInterface(res);
+  for await (const line of rli) {
+    yield JSON.parse(line);
+  }
+}
+function isArtifactAlertCveFixable(alert) {
+  const {
+    type
+  } = alert;
+  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'] && !!alert.props?.['vulnerableVersionRange'];
+}
+function isArtifactAlertFixable(alert) {
+  return alert.type === 'socketUpgradeAvailable' || isArtifactAlertCveFixable(alert);
 }
 
 const {
@@ -165,37 +173,6 @@ const WARN_UX = {
   block: false,
   display: true
 };
-function findSocketYmlSync() {
-  let prevDir = null;
-  let dir = process.cwd();
-  while (dir !== prevDir) {
-    let ymlPath = path.join(dir, 'socket.yml');
-    let yml = maybeReadfileSync(ymlPath);
-    if (yml === undefined) {
-      ymlPath = path.join(dir, 'socket.yaml');
-      yml = maybeReadfileSync(ymlPath);
-    }
-    if (typeof yml === 'string') {
-      try {
-        return {
-          path: ymlPath,
-          parsed: config.parseSocketConfig(yml)
-        };
-      } catch {
-        throw new Error(`Found file but was unable to parse ${ymlPath}`);
-      }
-    }
-    prevDir = dir;
-    dir = path.join(dir, '..');
-  }
-  return null;
-}
-function maybeReadfileSync(filepath) {
-  try {
-    return fs.readFileSync(filepath, 'utf8');
-  } catch {}
-  return undefined;
-}
 
 // Iterates over all entries with ordered issue rule for deferral.  Iterates over
 // all issue rules and finds the first defined value that does not defer otherwise
@@ -374,7 +351,7 @@ void (async () => {
       settings.entries.splice(i, 1);
     }
   }
-  const socketYml = findSocketYmlSync();
+  const socketYml = socketUrl.findSocketYmlSync();
   if (socketYml) {
     settings.entries.push({
       start: socketYml.path,
@@ -394,32 +371,7 @@ void (async () => {
   _uxLookup = createAlertUXLookup(settings);
 })();
 
-const {
-  NODE_MODULES,
-  SOCKET_CLI_ISSUES_URL
-} = constants;
-const npmEntrypoint = fs.realpathSync.native(process.argv[1]);
-const npmRootPath = pathResolve.findRoot(path.dirname(npmEntrypoint));
-if (npmRootPath === undefined) {
-  console.error(`Unable to find npm CLI install directory.
-Searched parent directories of ${npmEntrypoint}.
-
-This is may be a bug with socket-npm related to changes to the npm CLI.
-Please report to ${SOCKET_CLI_ISSUES_URL}.`);
-  // The exit code 127 indicates that the command or binary being executed
-  // could not be found.
-  process.exit(127);
-}
-const npmNmPath = path.join(npmRootPath, NODE_MODULES);
-const arboristPkgPath = path.join(npmNmPath, '@npmcli/arborist');
-const arboristClassPath = path.join(arboristPkgPath, 'lib/arborist/index.js');
-const arboristDepValidPath = path.join(arboristPkgPath, 'lib/dep-valid.js');
-const arboristEdgeClassPath = path.join(arboristPkgPath, 'lib/edge.js');
-const arboristNodeClassPath = path.join(arboristPkgPath, 'lib/node.js');
-const arboristOverrideSetClassPath = path.join(arboristPkgPath, 'lib/override-set.js');
-const pacotePath = path.join(npmNmPath, 'pacote');
-
-const depValid = require(arboristDepValidPath);
+const depValid = require(npmPaths.getArboristDepValidPath());
 
 const {
   UNDEFINED_TOKEN
@@ -449,6 +401,7 @@ function tryRequire(...ids) {
 let _log = UNDEFINED_TOKEN;
 function getLogger() {
   if (_log === UNDEFINED_TOKEN) {
+    const npmNmPath = npmPaths.getNpmNodeModulesPath();
     _log = tryRequire([path.join(npmNmPath, 'proc-log/lib/index.js'),
     // The proc-log DefinitelyTyped definition is incorrect. The type definition
     // is really that of its export log.
@@ -460,7 +413,7 @@ function getLogger() {
 const {
   LOOP_SENTINEL: LOOP_SENTINEL$1
 } = constants;
-const OverrideSet = require(arboristOverrideSetClassPath);
+const OverrideSet = require(npmPaths.getArboristOverrideSetClassPath());
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
@@ -597,7 +550,7 @@ class SafeOverrideSet extends OverrideSet {
   }
 }
 
-const Node = require(arboristNodeClassPath);
+const Node = require(npmPaths.getArboristNodeClassPath());
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
@@ -870,7 +823,7 @@ class SafeNode extends Node {
   }
 }
 
-const Edge = require(arboristEdgeClassPath);
+const Edge = require(npmPaths.getArboristEdgeClassPath());
 
 // The Edge class makes heavy use of private properties which subclasses do NOT
 // have access to. So we have to recreate any functionality that relies on those
@@ -1083,7 +1036,7 @@ class SafeEdge extends Edge {
       this.#safeError = null;
     }
     // Patch adding "else if" condition based on
-    // https://github.com/npm/cli/pull/7025
+    // https://github.com/npm/cli/pull/7025.
     else if (oldOverrideSet) {
       // Propagate the new override set to the target node.
       this.#safeTo.updateOverridesEdgeInRemoved(oldOverrideSet);
@@ -1134,22 +1087,25 @@ class SafeEdge extends Edge {
   }
 }
 
-const pacote = require(pacotePath);
 const {
   LOOP_SENTINEL,
   NPM,
   NPM_REGISTRY_URL,
   SOCKET_CLI_FIX_PACKAGE_LOCK_FILE,
   SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE,
-  abortSignal
+  abortSignal,
+  kInternalsSymbol,
+  [kInternalsSymbol]: {
+    getIPC
+  }
 } = constants;
 const formatter = new socketUrl.ColorOrMarkdown(false);
-function findBestPatchVersion(name, availableVersions, currentMajorVersion, vulnerableRange) {
+function findBestPatchVersion(name, availableVersions, currentMajorVersion, vulnerableVersionRange, _firstPatchedVersionIdentifier) {
   const manifestVersion = registry.getManifestData(NPM, name)?.version;
   // Filter versions that are within the current major version and are not in the vulnerable range
   const eligibleVersions = availableVersions.filter(version => {
     const isSameMajor = semver.major(version) === currentMajorVersion;
-    const isNotVulnerable = !semver.satisfies(version, vulnerableRange);
+    const isNotVulnerable = !semver.satisfies(version, vulnerableVersionRange);
     if (isSameMajor && isNotVulnerable) {
       return true;
     }
@@ -1161,22 +1117,22 @@ function findBestPatchVersion(name, availableVersions, currentMajorVersion, vuln
   // Use semver to find the max satisfying version.
   return semver.maxSatisfying(eligibleVersions, '*');
 }
-function findPackage(tree, packageName) {
+function findPackageNodes(tree, packageName) {
   const queue = [{
     node: tree
   }];
+  const matches = [];
   let sentinel = 0;
   while (queue.length) {
     if (sentinel++ === LOOP_SENTINEL) {
-      throw new Error('Detected infinite loop in findPackage');
+      throw new Error('Detected infinite loop in findPackageNodes');
     }
     const {
       node: currentNode
     } = queue.pop();
     const node = currentNode.children.get(packageName);
     if (node) {
-      // Found package.
-      return node;
+      matches.push(node);
     }
     const children = [...currentNode.children.values()];
     for (let i = children.length - 1; i >= 0; i -= 1) {
@@ -1185,18 +1141,19 @@ function findPackage(tree, packageName) {
       });
     }
   }
-  return null;
+  return matches;
 }
-async function getPackagesAlerts(safeArb, pkgs, options) {
+async function getPackagesAlerts(details, options) {
   let {
     length: remaining
-  } = pkgs;
+  } = details;
   const packageAlerts = [];
   if (!remaining) {
     return packageAlerts;
   }
   const {
-    fixable,
+    includeExisting = false,
+    includeUnfixable = true,
     output
   } = {
     __proto__: null,
@@ -1208,7 +1165,7 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
   const getText = spinner$1 ? () => `Looking up data for ${remaining} packages` : () => '';
   spinner$1?.start(getText());
   try {
-    for await (const artifact of batchScan(pkgs.map(p => p.pkgid))) {
+    for await (const artifact of batchScan(arrays.arrayUnique(details.map(d => d.node.pkgid)))) {
       if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
         continue;
       }
@@ -1217,7 +1174,6 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
       } = artifact;
       const name = packages.resolvePackageName(artifact);
       const id = `${name}@${artifact.version}`;
-      let blocked = false;
       let displayWarning = false;
       let alerts = [];
       for (const alert of artifact.alerts) {
@@ -1231,15 +1187,12 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
             type: alert.type
           }
         });
-        if (ux.block) {
-          blocked = true;
-        }
         if (ux.display && output) {
           displayWarning = true;
         }
         if (ux.block || ux.display) {
-          const isFixable = isAlertFixable(alert);
-          if (!fixable || isFixable) {
+          const fixable = isArtifactAlertFixable(alert);
+          if (includeUnfixable || fixable) {
             alerts.push({
               name,
               version,
@@ -1247,38 +1200,27 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
               type: alert.type,
               block: ux.block,
               raw: alert,
-              fixable: isFixable
+              fixable
             });
           }
           // Lazily access constants.IPC.
-          if (!fixable && !constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]) {
+          if (includeExisting && !constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]) {
             // Before we ask about problematic issues, check to see if they
             // already existed in the old version if they did, be quiet.
-            const existing = pkgs.find(p => p.existing?.startsWith(`${name}@`))?.existing;
+            const existing = details.find(d => d.existing?.pkgid.startsWith(`${name}@`))?.existing;
             if (existing) {
               const oldArtifact =
               // eslint-disable-next-line no-await-in-loop
-              (await batchScan([existing]).next()).value;
+              (await batchScan([existing.pkgid]).next()).value;
               if (oldArtifact?.alerts?.length) {
                 alerts = alerts.filter(({
                   type
-                }) => !oldArtifact.alerts?.find(a => a.type === type));
+                }) => !oldArtifact.alerts.find(a => a.type === type));
               }
             }
           }
         }
       }
-      if (!blocked) {
-        const pkg = pkgs.find(p => p.pkgid === id);
-        if (pkg) {
-          await pacote.tarball.stream(id, stream => {
-            stream.resume();
-            return stream.promise();
-          }, {
-            ...safeArb[kCtorArgs][0]
-          });
-        }
-      }
       if (displayWarning && spinner$1) {
         spinner$1.stop(`(socket) ${formatter.hyperlink(id, socketUrl.getSocketDevPackageOverviewUrl(NPM, name, version))} contains risks:`);
       }
@@ -1309,7 +1251,7 @@ async function getPackagesAlerts(safeArb, pkgs, options) {
       packageAlerts.push(...alerts);
     }
   } catch (e) {
-    pathResolve.debugLog(e);
+    npmPaths.debugLog(e);
   } finally {
     spinner$1?.stop();
   }
@@ -1324,194 +1266,181 @@ function getTranslations() {
   }
   return _translations;
 }
-function packageAlertsToReport(alerts) {
-  let report = null;
+async function updateAdvisoryDependencies(arb, alerts) {
+  let patchDataByPkg;
   for (const alert of alerts) {
-    if (!isAlertFixableCve(alert.raw)) {
+    if (!isArtifactAlertCveFixable(alert.raw)) {
       continue;
     }
+    if (!patchDataByPkg) {
+      patchDataByPkg = {};
+    }
     const {
       name
     } = alert;
-    if (!report) {
-      report = {};
-    }
-    if (!report[name]) {
-      report[name] = [];
-    }
-    const props = alert.raw?.props;
-    report[name].push({
-      id: -1,
-      url: props?.url,
-      title: props?.title,
-      severity: alert.raw?.severity?.toLowerCase(),
-      vulnerable_versions: props?.vulnerableVersionRange,
-      cwe: props?.cwes,
-      cvss: props?.csvs,
-      name
+    if (!patchDataByPkg[name]) {
+      patchDataByPkg[name] = [];
+    }
+    const {
+      firstPatchedVersionIdentifier,
+      vulnerableVersionRange
+    } = alert.raw.props;
+    patchDataByPkg[name].push({
+      firstPatchedVersionIdentifier,
+      vulnerableVersionRange
     });
   }
-  return report;
-}
-async function updateAdvisoryDependencies(arb, alerts) {
-  const report = packageAlertsToReport(alerts);
-  if (!report) {
+  if (!patchDataByPkg) {
     // No advisories to process.
     return;
   }
   await arb.buildIdealTree();
   const tree = arb.idealTree;
-  for (const name of Object.keys(report)) {
-    const advisories = report[name];
-    const node = findPackage(tree, name);
-    if (!node) {
-      // Package not found in the tree.
+  for (const name of Object.keys(patchDataByPkg)) {
+    const nodes = findPackageNodes(tree, name);
+    if (!nodes.length) {
       continue;
     }
-    const {
-      version
-    } = node;
-    const majorVerNum = semver.major(version);
-
     // Fetch packument to get available versions.
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
-    const availableVersions = packument ? Object.keys(packument.versions) : [];
-    for (const advisory of advisories) {
+    for (const node of nodes) {
       const {
-        vulnerable_versions
-      } = advisory;
-      // Find the highest non-vulnerable version within the same major range
-      const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerable_versions);
-      const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
-      // Check !targetVersion to make TypeScript happy.
-      if (!targetVersion || !targetPackument) {
-        // No suitable patch version found.
-        continue;
-      }
-
-      // Use Object.defineProperty to override the version.
-      Object.defineProperty(node, 'version', {
-        configurable: true,
-        enumerable: true,
-        get: () => targetVersion
-      });
-      node.package.version = targetVersion;
-      // Update resolved and clear integrity for the new version.
-      node.resolved = `${NPM_REGISTRY_URL}/${name}/-/${name}-${targetVersion}.tgz`;
-      if (node.integrity) {
-        delete node.integrity;
-      }
-      if ('deprecated' in targetPackument) {
-        node.package['deprecated'] = targetPackument.deprecated;
-      } else {
-        delete node.package['deprecated'];
-      }
-      const newDeps = {
-        ...targetPackument.dependencies
-      };
-      const {
-        dependencies: oldDeps
-      } = node.package;
-      node.package.dependencies = newDeps;
-      if (oldDeps) {
-        for (const oldDepName of Object.keys(oldDeps)) {
-          if (!objects.hasOwn(newDeps, oldDepName)) {
-            node.edgesOut.get(oldDepName)?.detach();
+        version
+      } = node;
+      const majorVerNum = semver.major(version);
+      const availableVersions = packument ? Object.keys(packument.versions) : [];
+      const patchData = patchDataByPkg[name];
+      for (const {
+        firstPatchedVersionIdentifier,
+        vulnerableVersionRange
+      } of patchData) {
+        // Find the highest non-vulnerable version within the same major range
+        const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerableVersionRange);
+        const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+        // Check !targetVersion to make TypeScript happy.
+        if (!targetVersion || !targetPackument) {
+          // No suitable patch version found.
+          continue;
+        }
+        // Use Object.defineProperty to override the version.
+        Object.defineProperty(node, 'version', {
+          configurable: true,
+          enumerable: true,
+          get: () => targetVersion
+        });
+        node.package.version = targetVersion;
+        // Update resolved and clear integrity for the new version.
+        node.resolved = `${NPM_REGISTRY_URL}/${name}/-/${name}-${targetVersion}.tgz`;
+        if (node.integrity) {
+          delete node.integrity;
+        }
+        if ('deprecated' in targetPackument) {
+          node.package['deprecated'] = targetPackument.deprecated;
+        } else {
+          delete node.package['deprecated'];
+        }
+        const newDeps = {
+          ...targetPackument.dependencies
+        };
+        const {
+          dependencies: oldDeps
+        } = node.package;
+        node.package.dependencies = newDeps;
+        if (oldDeps) {
+          for (const oldDepName of Object.keys(oldDeps)) {
+            if (!objects.hasOwn(newDeps, oldDepName)) {
+              node.edgesOut.get(oldDepName)?.detach();
+            }
           }
         }
-      }
-      for (const newDepName of Object.keys(newDeps)) {
-        if (!objects.hasOwn(oldDeps, newDepName)) {
-          node.addEdgeOut(new Edge({
-            from: node,
-            name: newDepName,
-            spec: newDeps[newDepName],
-            type: 'prod'
-          }));
+        for (const newDepName of Object.keys(newDeps)) {
+          if (!objects.hasOwn(oldDeps, newDepName)) {
+            node.addEdgeOut(new Edge({
+              from: node,
+              name: newDepName,
+              spec: newDeps[newDepName],
+              type: 'prod'
+            }));
+          }
         }
       }
     }
   }
 }
+const kRiskyReify = Symbol('riskyReify');
 async function reify(...args) {
-  const needInfoOn = await walk(this.diff);
-  if (!needInfoOn.length || needInfoOn.findIndex(c => c.repository_url === NPM_REGISTRY_URL) === -1) {
+  const IPC = await getIPC();
+  // We are assuming `this[_diffTrees]()` has been called by `super.reify(...)`:
+  // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/reify.js#L141
+  let needInfoOn = getPackagesToQueryFromDiff(this.diff, {
+    includeUnchanged: !!IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]
+  });
+  if (!needInfoOn.length) {
     // Nothing to check, hmmm already installed or all private?
     return await this[kRiskyReify](...args);
   }
-  // Lazily access constants.IPC.
   const {
     [SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]: bypassConfirms,
     [SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE]: bypassAlerts
-  } = constants.IPC;
+  } = IPC;
   const {
     stderr: output,
     stdin: input
   } = process;
-  let alerts;
-  const proceed = bypassAlerts || (await (async () => {
-    alerts = await getPackagesAlerts(this, needInfoOn, {
-      output
-    });
-    if (bypassConfirms || !alerts.length) {
-      return true;
-    }
-    return await prompts.confirm({
-      message: 'Accept risks of installing these packages?',
-      default: false
-    }, {
-      input,
-      output,
-      signal: abortSignal
+  let alerts = bypassAlerts ? [] : await getPackagesAlerts(needInfoOn, {
+    output
+  });
+  if (alerts.length && !bypassConfirms && !(await prompts.confirm({
+    message: 'Accept risks of installing these packages?',
+    default: false
+  }, {
+    input,
+    output,
+    signal: abortSignal
+  }))) {
+    throw new Error('Socket npm exiting due to risks');
+  }
+  if (!alerts.length || !bypassConfirms && !(await prompts.confirm({
+    message: 'Try to fix alerts?',
+    default: true
+  }, {
+    input,
+    output,
+    signal: abortSignal
+  }))) {
+    return await this[kRiskyReify](...args);
+  }
+  const prev = new Set(alerts.map(a => a.key));
+  let ret;
+  /* eslint-disable no-await-in-loop */
+  while (alerts.length > 0) {
+    await updateAdvisoryDependencies(this, alerts);
+    ret = await this[kRiskyReify](...args);
+    await this.loadActual();
+    await this.buildIdealTree();
+    needInfoOn = getPackagesToQueryFromDiff(this.diff, {
+      includeUnchanged: true
     });
-  })());
-  if (proceed) {
-    const fix = !!alerts?.length && (bypassConfirms || (await prompts.confirm({
-      message: 'Try to fix alerts?',
-      default: true
-    }, {
-      input,
-      output,
-      signal: abortSignal
-    })));
-    if (fix) {
-      let ret;
-      const prev = new Set(alerts?.map(a => a.key));
-      /* eslint-disable no-await-in-loop */
-      while (alerts.length > 0) {
-        await updateAdvisoryDependencies(this, alerts);
-        ret = await this[kRiskyReify](...args);
-        await this.loadActual();
-        await this.buildIdealTree();
-        alerts = await getPackagesAlerts(this, await walk(this.diff, {
-          fix: true
-        }), {
-          fixable: true
-        });
-        alerts = alerts.filter(a => {
-          const {
-            key
-          } = a;
-          if (prev.has(key)) {
-            return false;
-          }
-          prev.add(key);
-          return true;
-        });
+    alerts = (await getPackagesAlerts(needInfoOn, {
+      includeExisting: true,
+      includeUnfixable: true
+    })).filter(({
+      key
+    }) => {
+      const unseen = !prev.has(key);
+      if (unseen) {
+        prev.add(key);
       }
-      /* eslint-enable no-await-in-loop */
-      return ret;
-    }
-    return await this[kRiskyReify](...args);
-  } else {
-    throw new Error('Socket npm exiting due to risks');
+      return unseen;
+    });
   }
+  /* eslint-enable no-await-in-loop */
+  return ret;
 }
 
-const Arborist = require(arboristClassPath);
+const Arborist = require(npmPaths.getArboristClassPath());
 const kCtorArgs = Symbol('ctorArgs');
-const kRiskyReify = Symbol('riskyReify');
 
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
@@ -1556,8 +1485,6 @@ class SafeArborist extends Arborist {
     options.dryRun = true;
     options.save = false;
     options.saveBundle = false;
-    // TODO: Make this deal with any refactor to private fields by punching the
-    // class itself.
     await super.reify(...args);
     options.dryRun = old.dryRun;
     options.save = old.save;
@@ -1567,17 +1494,19 @@ class SafeArborist extends Arborist {
 }
 
 function installSafeArborist() {
+  // Override '@npmcli/arborist' module exports with patched variants based on
+  // https://github.com/npm/cli/pull/7025.
   const cache = require.cache;
-  cache[arboristClassPath] = {
+  cache[npmPaths.getArboristClassPath()] = {
     exports: SafeArborist
   };
-  cache[arboristEdgeClassPath] = {
+  cache[npmPaths.getArboristEdgeClassPath()] = {
     exports: SafeEdge
   };
-  cache[arboristNodeClassPath] = {
+  cache[npmPaths.getArboristNodeClassPath()] = {
     exports: SafeNode
   };
-  cache[arboristOverrideSetClassPath] = {
+  cache[npmPaths.getArboristOverrideSetClassPath()] = {
     exports: SafeOverrideSet
   };
 }