@socketsecurity/cli 0.14.59 → 0.14.60

package/dist/module-sync/cli.js

@@ -903,19 +903,20 @@ class GitHub {
       case 'push':
         return this.prNumber ? 'diff' : 'main';
       case 'pull_request':
-        // This env variable needs to be set in the GitHub action.
-        // Add this code below to GitHub action:
-        // - steps:
-        //   - name: Get PR State
-        //     if: github.event_name == 'pull_request'
-        //     run: echo "EVENT_ACTION=${{ github.event.action }}" >> $GITHUB_ENV
-        const eventAction = process.env['EVENT_ACTION'];
-        if (!eventAction) {
-          throw new Error('Missing event action');
-        }
-        if (['opened', 'synchronize'].includes(eventAction)) {
-          return 'diff';
-        } else {
+        {
+          // This env variable needs to be set in the GitHub action.
+          // Add this code below to GitHub action:
+          // - steps:
+          //   - name: Get PR State
+          //     if: github.event_name == 'pull_request'
+          //     run: echo "EVENT_ACTION=${{ github.event.action }}" >> $GITHUB_ENV
+          const eventAction = process.env['EVENT_ACTION'];
+          if (eventAction === 'opened' || eventAction === 'synchronize') {
+            return 'diff';
+          }
+          if (!eventAction) {
+            throw new Error('Missing event action');
+          }
           logger.logger.log(`Pull request action: ${eventAction} is not supported`);
           process.exit();
         }
@@ -1518,14 +1519,14 @@ function emitBanner(name) {
   // It also helps with debugging since it contains version and command details.
   // Note: print over stderr to preserve stdout for flags like --json and
   //       --markdown. If we don't do this, you can't use --json in particular
-  //       and pipe the result to other tools. By emiting the banner over stderr
+  //       and pipe the result to other tools. By emitting the banner over stderr
   //       you can do something like `socket scan view xyz | jq | process`.
   //       The spinner also emits over stderr for example.
   logger.logger.error(getAsciiHeader(name));
 }
 function getAsciiHeader(command) {
-  const cliVersion = // The '@rollup/plugin-replace' will replace "process.env['SOCKET_CLI_VERSION_HASH']".
-  "0.14.59:e40b009:b94d46f9:pub";
+  const cliVersion = // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  "0.14.60:48319f6:78cf0eae:pub";
   const nodeVersion = process.version;
   const apiToken = shadowNpmInject.getSetting('apiToken');
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no';
@@ -2260,28 +2261,43 @@ async function run$x(argv, importMeta, {
 const {
   NPM: NPM$f,
   NPX: NPX$3,
-  PNPM: PNPM$a
+  PACKAGE_LOCK_JSON,
+  PNPM: PNPM$a,
+  YARN: YARN$1,
+  YARN_LOCK
 } = constants;
 const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', NPM$f, PNPM$a, 'ts', 'tsx', 'typescript']);
-async function runCycloneDX(yargv) {
+async function runCycloneDX(yargvWithYes) {
   let cleanupPackageLock = false;
-  if (yargv.type !== 'yarn' && nodejsPlatformTypes.has(yargv.type) && fs.existsSync('./yarn.lock')) {
-    if (fs.existsSync('./package-lock.json')) {
+  const {
+    yes,
+    ...yargv
+  } = {
+    __proto__: null,
+    ...yargvWithYes
+  };
+  const yesArgs = yes ? ['--yes'] : [];
+  if (yargv.type !== YARN$1 && nodejsPlatformTypes.has(yargv.type) && fs.existsSync(`./${YARN_LOCK}`)) {
+    if (fs.existsSync(`./${PACKAGE_LOCK_JSON}`)) {
       yargv.type = NPM$f;
     } else {
       // Use synp to create a package-lock.json from the yarn.lock,
       // based on the node_modules folder, for a more accurate SBOM.
       try {
-        await shadowBin(NPX$3, ['synp@1.9.14', '--', '--source-file', './yarn.lock'], 2);
+        await shadowBin(NPX$3, [...yesArgs,
+        // The '@rollup/plugin-replace' will replace "process.env['INLINED_SYNP_VERSION']".
+        `synp@${"^1.9.14"}`, '--source-file', `./${YARN_LOCK}`]);
         yargv.type = NPM$f;
         cleanupPackageLock = true;
       } catch {}
     }
   }
-  await shadowBin(NPX$3, ['@cyclonedx/cdxgen@11.2.0', '--', ...argvToArray(yargv)], 2);
+  await shadowBin(NPX$3, [...yesArgs,
+  // The '@rollup/plugin-replace' will replace "process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']".
+  `@cyclonedx/cdxgen@${"^11.2.1"}`, ...argvToArray(yargv)]);
   if (cleanupPackageLock) {
     try {
-      await fs.promises.rm('./package-lock.json');
+      await fs.promises.rm(`./${PACKAGE_LOCK_JSON}`);
     } catch {}
   }
   const fullOutputPath = path.join(process$1.cwd(), yargv.output);
@@ -2290,13 +2306,17 @@ async function runCycloneDX(yargv) {
   }
 }
 function argvToArray(argv) {
-  if (argv['help']) return ['--help'];
+  if (argv['help']) {
+    return ['--help'];
+  }
   const result = [];
   for (const {
     0: key,
     1: value
   } of Object.entries(argv)) {
-    if (key === '_' || key === '--') continue;
+    if (key === '_' || key === '--') {
+      continue;
+    }
     if (key === 'babel' || key === 'install-deps' || key === 'validate') {
       // cdxgen documents no-babel, no-install-deps, and no-validate flags so
       // use them when relevant.
@@ -2315,6 +2335,32 @@ function argvToArray(argv) {
   return result;
 }
 
+const helpFlags = new Set(['--help', '-h']);
+function cmdFlagsToString(args) {
+  const result = [];
+  for (let i = 0, {
+      length
+    } = args; i < length; i += 1) {
+    if (args[i].startsWith('--')) {
+      // Check if the next item exists and is NOT another flag.
+      if (i + 1 < length && !args[i + 1].startsWith('--')) {
+        result.push(`${args[i]}=${args[i + 1]}`);
+        i += 1;
+      } else {
+        result.push(args[i]);
+      }
+    }
+  }
+  return result.join(' ');
+}
+function cmdPrefixMessage(cmdName, text) {
+  const cmdPrefix = cmdName ? `${cmdName}: ` : '';
+  return `${cmdPrefix}${text}`;
+}
+function isHelpFlag(cmdArg) {
+  return helpFlags.has(cmdArg);
+}
+
 // import { meowOrExit } from '../../utils/meow-with-subcommands'
 const {
   DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v
@@ -2369,7 +2415,8 @@ const yargsConfig = {
     recurse: ['r'],
     'resolve-class': ['c'],
     type: ['t'],
-    version: ['v']
+    version: ['v'],
+    yes: ['y']
   },
   array: [{
     key: 'author',
@@ -2387,7 +2434,10 @@ const yargsConfig = {
     key: 'standard',
     type: 'string'
   }],
-  boolean: ['auto-compositions', 'babel', 'deep', 'evidence', 'fail-on-error', 'generate-key-and-sign', 'help', 'include-formulation', 'include-crypto', 'install-deps', 'print', 'required-only', 'server', 'validate', 'version'],
+  boolean: ['auto-compositions', 'babel', 'deep', 'evidence', 'fail-on-error', 'generate-key-and-sign', 'help', 'include-formulation', 'include-crypto', 'install-deps', 'print', 'required-only', 'server', 'validate', 'version',
+  // The --yes flag and -y alias map to the corresponding flag and alias of npx.
+  // https://docs.npmjs.com/cli/v7/commands/npx#compatibility-with-older-npx-versions
+  'yes'],
   string: ['api-key', 'lifecycle', 'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'server-host', 'server-port', 'server-url', 'spec-version']
 };
 const config$w = {
@@ -2415,14 +2465,12 @@ async function run$w(argv, importMeta, {
 }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
-    argv: argv.filter(s => s !== '--help' && s !== '-h'),
-    // Don't let meow take over --help
+    // Don't let meow take over --help.
+    argv: argv.filter(a => !isHelpFlag(a)),
     config: config$w,
     importMeta,
     parentName
   });
-  //
-  //
   // if (cli.input.length)
   //   logger.fail(
   //     stripIndents`
@@ -2434,11 +2482,10 @@ async function run$w(argv, importMeta, {
   //   return
   // }
 
-  // TODO: convert to meow
+  // TODO: Convert to meow.
   const yargv = {
     ...yargsParse(argv, yargsConfig)
-  }; // as Record<string, unknown>;
-
+  };
   const unknown = yargv._;
   const {
     length: unknownLength
@@ -2451,13 +2498,13 @@ async function run$w(argv, importMeta, {
     logger.logger.fail(`Unknown ${words.pluralize('argument', unknownLength)}: ${yargv._.join(', ')}`);
     return;
   }
-  if (yargv.output === undefined) {
-    yargv.output = 'socket-cdx.json';
-  }
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAIL_TEXT$v);
     return;
   }
+  if (yargv.output === undefined) {
+    yargv.output = 'socket-cdx.json';
+  }
   await runCycloneDX(yargv);
 }
 
@@ -2938,30 +2985,7 @@ async function getAlertsMapFromPnpmLockfile(lockfile, options) {
   return alertsByPkgId;
 }
 
-function cmdFlagsToString(args) {
-  const result = [];
-  for (let i = 0, {
-      length
-    } = args; i < length; i += 1) {
-    if (args[i].startsWith('--')) {
-      // Check if the next item exists and is NOT another flag.
-      if (i + 1 < length && !args[i + 1].startsWith('--')) {
-        result.push(`${args[i]}=${args[i + 1]}`);
-        i += 1;
-      } else {
-        result.push(args[i]);
-      }
-    }
-  }
-  return result.join(' ');
-}
-function cmdPrefixMessage(cmdName, text) {
-  const cmdPrefix = cmdName ? `${cmdName}: ` : '';
-  return `${cmdPrefix}${text}`;
-}
-
 const {
-  SOCKET_CLI_SENTRY_BUILD,
   SOCKET_IPC_HANDSHAKE
 } = constants;
 function safeNpmInstall(options) {
@@ -2978,10 +3002,10 @@ function safeNpmInstall(options) {
   const useIpc = objects.isObject(ipc);
   const useDebug = debug.isDebug();
   const terminatorPos = args.indexOf('--');
-  const npmArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
+  const binArgs = (terminatorPos === -1 ? args : args.slice(0, terminatorPos)).filter(a => !npm.isAuditFlag(a) && !npm.isFundFlag(a) && !npm.isProgressFlag(a));
   const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos);
-  const isSilent = !useDebug && !npmArgs.some(npm.isLoglevelFlag);
-  const logLevelArgs = isSilent ? ['--loglevel', 'error'] : [];
+  const isSilent = !useDebug && !binArgs.some(npm.isLoglevelFlag);
+  const logLevelArgs = isSilent ? ['--loglevel', 'silent'] : [];
   const spawnPromise = spawn.spawn(
   // Lazily access constants.execPath.
   constants.execPath, [
@@ -2989,20 +3013,17 @@ function safeNpmInstall(options) {
   ...constants.nodeHardenFlags,
   // Lazily access constants.nodeNoWarningsFlags.
   ...constants.nodeNoWarningsFlags,
-  // Lazily access constants.ENV[SOCKET_CLI_SENTRY_BUILD].
-  ...(constants.ENV[SOCKET_CLI_SENTRY_BUILD] ? ['--require',
-  // Lazily access constants.distInstrumentWithSentryPath.
-  constants.distInstrumentWithSentryPath] : []), '--require',
+  // Lazily access false.
+  ...([]), '--require',
   // Lazily access constants.distShadowNpmInjectPath.
   constants.distShadowNpmInjectPath, agentExecPath, 'install',
   // Avoid code paths for 'audit' and 'fund'.
   '--no-audit', '--no-fund',
-  // Add `--no-progress` flag to fix input being swallowed by the spinner
-  // when running the command with recent versions of npm.
+  // Add '--no-progress' to fix input being swallowed by the npm spinner.
   '--no-progress',
-  // Add '--loglevel=error' if a loglevel flag is not provided and the
+  // Add '--loglevel=silent' if a loglevel flag is not provided and the
   // SOCKET_CLI_DEBUG environment variable is not truthy.
-  ...logLevelArgs, ...npmArgs, ...otherArgs], {
+  ...logLevelArgs, ...binArgs, ...otherArgs], {
     spinner,
     // Set stdio to include 'ipc'.
     // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
@@ -3176,9 +3197,11 @@ async function pnpmFix(pkgEnvDetails, cwd, options) {
 const {
   BINARY_LOCK_EXT,
   BUN: BUN$5,
+  HIDDEN_PACKAGE_LOCK_JSON,
   LOCK_EXT: LOCK_EXT$1,
   NPM: NPM$b,
   NPM_BUGGY_OVERRIDES_PATCHED_VERSION: NPM_BUGGY_OVERRIDES_PATCHED_VERSION$1,
+  PACKAGE_JSON,
   PNPM: PNPM$8,
   VLT: VLT$5,
   YARN,
@@ -3280,8 +3303,8 @@ async function detectPackageEnvironment({
     cwd
   });
   let lockName = lockPath ? path.basename(lockPath) : undefined;
-  const isHiddenLockFile = lockName === '.package-lock.json';
-  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../package.json`) : await shadowNpmInject.findUp('package.json', {
+  const isHiddenLockFile = lockName === HIDDEN_PACKAGE_LOCK_JSON;
+  const pkgJsonPath = lockPath ? path.resolve(lockPath, `${isHiddenLockFile ? '../' : ''}../${PACKAGE_JSON}`) : await shadowNpmInject.findUp(PACKAGE_JSON, {
     cwd
   });
   const pkgPath = pkgJsonPath && fs.existsSync(pkgJsonPath) ? path.dirname(pkgJsonPath) : undefined;
@@ -3413,7 +3436,7 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
     return;
   }
   if (details.pkgPath === undefined) {
-    logger?.fail(cmdPrefixMessage(cmdName, 'No package.json found'));
+    logger?.fail(cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`));
     return;
   }
   if (prod && (details.agent === BUN$5 || details.agent === YARN_BERRY$5)) {
@@ -3430,7 +3453,7 @@ const {
   NPM: NPM$a,
   PNPM: PNPM$7
 } = constants;
-const CMD_NAME$1 = 'socket fix';
+const CMD_NAME$2 = 'socket fix';
 async function runFix() {
   // Lazily access constants.spinner.
   const {
@@ -3439,7 +3462,7 @@ async function runFix() {
   spinner.start();
   const cwd = process.cwd();
   const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$1,
+    cmdName: CMD_NAME$2,
     logger: logger.logger
   });
   if (!pkgEnvDetails) {
@@ -3930,9 +3953,11 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
     logger.logger.groupEnd();
   }
   try {
-    // Run sbt with the init script we provide which should yield zero or more pom files.
-    // We have to figure out where to store those pom files such that we can upload them and predict them through the GitHub API.
-    // We could do a .socket folder. We could do a socket.pom.gz with all the poms, although I'd prefer something plain-text if it is to be committed.
+    // Run sbt with the init script we provide which should yield zero or more
+    // pom files. We have to figure out where to store those pom files such that
+    // we can upload them and predict them through the GitHub API. We could do a
+    // .socket folder. We could do a socket.pom.gz with all the poms, although
+    // I'd prefer something plain-text if it is to be committed.
 
     // Note: init.gradle will be exported by .config/rollup.dist.config.mjs
     const initLocation = path.join(constants.rootDistPath, 'init.gradle');
@@ -3979,7 +4004,7 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
     // // Move the pom file to ...? initial cwd? loc will be an absolute path, or dump to stdout
     // if (out === '-') {
     //   spinner.start('Result:\n```')
-    //   spinner.log(await safeReadFile(loc, 'utf8'))
+    //   spinner.log(await safeReadFile(loc))
     //   spinner.log('```')
     //   spinner.successAndStop(`OK`)
     // } else {
@@ -4214,7 +4239,7 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
     // TODO: maybe we can add an option to target a specific file to dump to stdout
     if (out === '-' && poms.length === 1) {
       logger.logger.log('Result:\n```');
-      logger.logger.log(await shadowNpmInject.safeReadFile(poms[0], 'utf8'));
+      logger.logger.log(await shadowNpmInject.safeReadFile(poms[0]));
       logger.logger.log('```');
       logger.logger.success(`OK`);
     } else if (out === '-') {
@@ -4933,7 +4958,7 @@ async function getWorkspaceGlobs(agent, pkgPath, pkgJson) {
   if (agent === PNPM$4) {
     for (const workspacePath of [path.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), path.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
       // eslint-disable-next-line no-await-in-loop
-      const yml = await shadowNpmInject.safeReadFile(workspacePath, 'utf8');
+      const yml = await shadowNpmInject.safeReadFile(workspacePath);
       if (yml) {
         try {
           workspacePatterns = yaml.parse(yml)?.packages;
@@ -5141,34 +5166,6 @@ async function lsYarnClassic(agentExecPath, cwd) {
 }
 const lsByAgent = new Map([[BUN$1, lsBun], [NPM$3, lsNpm], [PNPM$2, lsPnpm], [VLT$1, lsVlt], [YARN_BERRY$1, lsYarnBerry], [YARN_CLASSIC$2, lsYarnClassic]]);
 
-const {
-  NPM_BUGGY_OVERRIDES_PATCHED_VERSION
-} = constants;
-async function updateLockfile(pkgEnvDetails, options) {
-  const {
-    cmdName = '',
-    logger,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  spinner?.start(`Updating ${pkgEnvDetails.lockName}...`);
-  try {
-    await runAgentInstall(pkgEnvDetails, {
-      spinner
-    });
-    spinner?.stop();
-    if (pkgEnvDetails.features.npmBuggyOverrides) {
-      logger?.log(`💡 Re-run ${cmdName ? `${cmdName} ` : ''}whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped for ${pkgEnvDetails.agent} >=${NPM_BUGGY_OVERRIDES_PATCHED_VERSION}.`);
-    }
-  } catch (e) {
-    spinner?.stop();
-    logger?.fail(cmdPrefixMessage(cmdName, `${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`));
-    logger?.error(e);
-  }
-}
-
 const {
   BUN,
   NPM: NPM$2,
@@ -5179,7 +5176,6 @@ const {
   YARN_BERRY,
   YARN_CLASSIC: YARN_CLASSIC$1
 } = constants;
-const PNPM_FIELD_NAME = PNPM$1;
 const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'peerDependenciesMeta', 'optionalDependencies', 'bundleDependencies'];
 function getEntryIndexes(entries, keys) {
   return keys.map(n => entries.findIndex(p => p[0] === n)).filter(n => n !== -1).sort((a, b) => a - b);
@@ -5190,26 +5186,30 @@ function getLowestEntryIndex(entries, keys) {
 function getHighestEntryIndex(entries, keys) {
   return getEntryIndexes(entries, keys).at(-1) ?? -1;
 }
-function updatePkgJson(editablePkgJson, field, value) {
+function updatePkgJsonField(editablePkgJson, field, value) {
   const {
     content: pkgJson
   } = editablePkgJson;
   const oldValue = pkgJson[field];
   if (oldValue) {
     // The field already exists so we simply update the field value.
-    if (field === PNPM_FIELD_NAME) {
+    if (field === PNPM$1) {
+      const isPnpmObj = objects.isObject(oldValue);
       if (objects.hasKeys(value)) {
         editablePkgJson.update({
           [field]: {
-            ...(objects.isObject(oldValue) ? oldValue : {}),
-            overrides: value
+            ...(isPnpmObj ? oldValue : {}),
+            overrides: {
+              ...(isPnpmObj ? oldValue[OVERRIDES] : {}),
+              ...value
+            }
           }
         });
       } else {
         // Properties with undefined values are omitted when saved as JSON.
-        editablePkgJson.update(objects.hasKeys(pkgJson[field]) ? {
+        editablePkgJson.update(objects.hasKeys(oldValue) ? {
           [field]: {
-            ...(objects.isObject(oldValue) ? oldValue : {}),
+            ...(isPnpmObj ? oldValue : {}),
             overrides: undefined
           }
         } : {
@@ -5228,7 +5228,7 @@ function updatePkgJson(editablePkgJson, field, value) {
     }
     return;
   }
-  if ((field === OVERRIDES || field === PNPM_FIELD_NAME || field === RESOLUTIONS) && !objects.hasKeys(value)) {
+  if ((field === OVERRIDES || field === PNPM$1 || field === RESOLUTIONS) && !objects.hasKeys(value)) {
     return;
   }
   // Since the field doesn't exist we want to insert it into the package.json
@@ -5246,7 +5246,7 @@ function updatePkgJson(editablePkgJson, field, value) {
   } else if (field === RESOLUTIONS) {
     isPlacingHigher = true;
     insertIndex = getHighestEntryIndex(entries, [...depFields, OVERRIDES, PNPM$1]);
-  } else if (field === PNPM_FIELD_NAME) {
+  } else if (field === PNPM$1) {
     insertIndex = getLowestEntryIndex(entries, [OVERRIDES, RESOLUTIONS]);
     if (insertIndex === -1) {
       isPlacingHigher = true;
@@ -5265,26 +5265,28 @@ function updatePkgJson(editablePkgJson, field, value) {
   } else if (isPlacingHigher) {
     insertIndex += 1;
   }
-  entries.splice(insertIndex, 0, [field, value]);
+  entries.splice(insertIndex, 0, [field, field === PNPM$1 ? {
+    [OVERRIDES]: value
+  } : value]);
   editablePkgJson.fromJSON(`${JSON.stringify(Object.fromEntries(entries), null, 2)}\n`);
 }
-function updateOverrides(editablePkgJson, overrides) {
-  updatePkgJson(editablePkgJson, OVERRIDES, overrides);
+function updateOverridesField(editablePkgJson, overrides) {
+  updatePkgJsonField(editablePkgJson, OVERRIDES, overrides);
 }
-function updateResolutions(editablePkgJson, overrides) {
-  updatePkgJson(editablePkgJson, RESOLUTIONS, overrides);
+function updateResolutionsField(editablePkgJson, overrides) {
+  updatePkgJsonField(editablePkgJson, RESOLUTIONS, overrides);
 }
-function pnpmUpdatePkgJson(editablePkgJson, overrides) {
-  updatePkgJson(editablePkgJson, PNPM_FIELD_NAME, overrides);
+function updatePnpmField(editablePkgJson, overrides) {
+  updatePkgJsonField(editablePkgJson, PNPM$1, overrides);
 }
-const updateManifestByAgent = new Map([[BUN, updateResolutions], [NPM$2, updateOverrides], [PNPM$1, pnpmUpdatePkgJson], [VLT, updateOverrides], [YARN_BERRY, updateResolutions], [YARN_CLASSIC$1, updateResolutions]]);
+const updateManifestByAgent = new Map([[BUN, updateResolutionsField], [NPM$2, updateOverridesField], [PNPM$1, updatePnpmField], [VLT, updateOverridesField], [YARN_BERRY, updateResolutionsField], [YARN_CLASSIC$1, updateResolutionsField]]);
 
 const {
   NPM: NPM$1,
   PNPM,
   YARN_CLASSIC
 } = constants;
-const CMD_NAME = 'socket optimize';
+const CMD_NAME$1 = 'socket optimize';
 const manifestNpmOverrides = registry.getManifestData(NPM$1);
 async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const {
@@ -5322,24 +5324,17 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   const {
     content: pkgJson
   } = editablePkgJson;
-  const isRoot = pkgPath === rootPath;
-  const isLockScanned = isRoot && !prod;
   const workspaceName = path.relative(rootPath, pkgPath);
   const workspaceGlobs = await getWorkspaceGlobs(agent, pkgPath, pkgJson);
+  const isRoot = pkgPath === rootPath;
+  const isLockScanned = isRoot && !prod;
   const isWorkspace = !!workspaceGlobs;
-  if (isWorkspace && agent === PNPM && npmExecPath === NPM$1 && !state.warnedPnpmWorkspaceRequiresNpm) {
+  if (isWorkspace && agent === PNPM &&
+  // npmExecPath will === the agent name IF it CANNOT be resolved.
+  npmExecPath === NPM$1 && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
-    logger?.warn(cmdPrefixMessage(CMD_NAME, 'pnpm workspace support requires `npm ls`, falling back to `pnpm list`'));
+    logger?.warn(cmdPrefixMessage(CMD_NAME$1, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
   }
-  const thingToScan = isLockScanned ? lockSrc : await lsByAgent.get(agent)(agentExecPath, pkgPath, {
-    npmExecPath
-  });
-  // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
-  // first two parameters. AgentLockIncludesFn accepts an optional third
-  // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
-  // as an AgentLockIncludesFn type.
-  const thingScanner = isLockScanned ? lockfileIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
-  const depEntries = getDependencyEntries(pkgJson);
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
     overridesDataObjects.push(overridesDataByAgent.get(agent)(pkgJson));
@@ -5348,10 +5343,12 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   }
   spinner?.setText(`Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`);
   const depAliasMap = new Map();
+  const depEntries = getDependencyEntries(pkgJson);
   const nodeRange = `>=${pkgEnvDetails.minimumNodeVersion}`;
   const manifestEntries = manifestNpmOverrides.filter(({
     1: data
   }) => semver.satisfies(semver.coerce(data.engines.node), nodeRange));
+
   // Chunk package names to process them in parallel 3 at a time.
   await promises.pEach(manifestEntries, 3, async ({
     1: data
@@ -5388,6 +5385,14 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
       }
     }
     if (isRoot) {
+      // The AgentDepsIncludesFn and AgentLockIncludesFn types overlap in their
+      // first two parameters. AgentLockIncludesFn accepts an optional third
+      // parameter which AgentDepsIncludesFn will ignore so we cast thingScanner
+      // as an AgentLockIncludesFn type.
+      const thingScanner = isLockScanned ? lockfileIncludesByAgent.get(agent) : depsIncludesByAgent.get(agent);
+      const thingToScan = isLockScanned ? lockSrc : await lsByAgent.get(agent)(agentExecPath, pkgPath, {
+        npmExecPath
+      });
       // Chunk package names to process them in parallel 3 at a time.
       await promises.pEach(overridesDataObjects, 3, async ({
         overrides,
@@ -5464,6 +5469,44 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   }
   return state;
 }
+
+const {
+  NPM_BUGGY_OVERRIDES_PATCHED_VERSION
+} = constants;
+async function updateLockfile(pkgEnvDetails, options) {
+  const {
+    cmdName = '',
+    logger,
+    spinner
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const isSpinning = !!spinner?.isSpinning;
+  if (!isSpinning) {
+    spinner?.start();
+  }
+  spinner?.setText(`Updating ${pkgEnvDetails.lockName}...`);
+  try {
+    await runAgentInstall(pkgEnvDetails, {
+      spinner
+    });
+    if (pkgEnvDetails.features.npmBuggyOverrides) {
+      logger?.log(`💡 Re-run ${cmdName ? `${cmdName} ` : ''}whenever ${pkgEnvDetails.lockName} changes.\n   This can be skipped for ${pkgEnvDetails.agent} >=${NPM_BUGGY_OVERRIDES_PATCHED_VERSION}.`);
+    }
+  } catch (e) {
+    spinner?.stop();
+    logger?.fail(cmdPrefixMessage(cmdName, `${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`));
+    logger?.error(e);
+  }
+  if (isSpinning) {
+    spinner?.start();
+  } else {
+    spinner?.stop();
+  }
+}
+
+const CMD_NAME = 'socket optimize';
 function createActionMessage(verb, overrideCount, workspaceCount) {
   return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
 }
@@ -5487,10 +5530,17 @@ async function applyOptimization(cwd, pin, prod) {
     prod,
     spinner
   });
-  spinner.stop();
   const addedCount = state.added.size;
   const updatedCount = state.updated.size;
   const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
+  if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
+    await updateLockfile(pkgEnvDetails, {
+      cmdName: CMD_NAME,
+      logger: logger.logger,
+      spinner
+    });
+  }
+  spinner.stop();
   if (pkgJsonChanged) {
     if (updatedCount > 0) {
       logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
@@ -5501,13 +5551,6 @@ async function applyOptimization(cwd, pin, prod) {
   } else {
     logger.logger?.log('Congratulations! Already Socket.dev optimized 🎉');
   }
-  if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
-    await updateLockfile(pkgEnvDetails, {
-      cmdName: CMD_NAME,
-      logger: logger.logger,
-      spinner
-    });
-  }
 }
 
 const {
@@ -8240,15 +8283,15 @@ async function run(argv, importMeta, {
 }
 
 const {
-  SOCKET_CLI_BIN_NAME,
-  rootPkgJsonPath
+  SOCKET_CLI_BIN_NAME
 } = constants;
 
 // TODO: Add autocompletion using https://socket.dev/npm/package/omelette
 void (async () => {
   await updateNotifier({
     name: SOCKET_CLI_BIN_NAME,
-    version: require(rootPkgJsonPath).version,
+    // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
+    version: "0.14.60",
     ttl: 86_400_000 /* 24 hours in milliseconds */
   });
   try {
@@ -8315,5 +8358,5 @@ void (async () => {
     await shadowNpmInject.captureException(e);
   }
 })();
-//# debugId=aafa02ce-920d-4523-bbc8-0474f11ed037
+//# debugId=ff887726-fbdd-4b6c-8ffd-41246bf58990
 //# sourceMappingURL=cli.js.map