npm - socket - Versions diffs - 0.14.19 → 0.14.21 - Mend

socket 0.14.19 → 0.14.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/cli.js CHANGED Viewed

@@ -14,7 +14,7 @@ var require$$1$4 = require('node:fs/promises');
 var require$$1$3 = require('@npmcli/package-json');
 var require$$5$1 = require('@socketsecurity/registry');
 var require$$7 = require('npm-package-arg');
-var require$$9 = require('pacote');
+var require$$0$1 = require('pacote');
 var require$$3 = require('semver');
 var require$$11 = require('tinyglobby');
 var require$$12 = require('yaml');
@@ -26,12 +26,12 @@ var require$$3$1 = require('@socketsecurity/config');
 var pathResolve = require('./path-resolve.js');
 var require$$2$2 = require('node:os');
 var require$$3$2 = require('node:readline');
-var require$$0$1 = require('node:process');
+var require$$0$2 = require('node:process');
 var require$$2$3 = require('node:readline/promises');
 var require$$2$4 = require('chalk-table');
 var require$$2$5 = require('blessed');
 var require$$3$3 = require('blessed-contrib');
-var require$$0$2 = require('node:util');
+var require$$0$3 = require('node:util');
 var cli$1 = {};
@@ -285,7 +285,7 @@ apiHelpers.queryAPI = queryAPI;
 var _chalk$i = _interopRequireDefault$r(vendor.source);
 var _ponyCause$4 = require$$6;
 var _errors$l = sdk.errors;
-var _constants = sdk.constants;
+var _constants$1 = sdk.constants;
 function handleUnsuccessfulApiResponse(_name, result, spinner) {
   const resultError = 'error' in result && result.error && typeof result.error === 'object' ? result.error : {};
   const message = 'message' in resultError && typeof resultError.message === 'string' ? resultError.message : 'No error message returned';
@@ -315,7 +315,7 @@ async function handleAPIError(code) {
   }
 }
 async function queryAPI(path, apiKey) {
-  return await fetch(`${_constants.API_V0_URL}/${path}`, {
+  return await fetch(`${_constants$1.API_V0_URL}/${path}`, {
     method: 'GET',
     headers: {
       Authorization: 'Basic ' + btoa(`${apiKey}:${apiKey}`)
@@ -511,8 +511,8 @@ async function fetchPackageData(pkgName, pkgVersion, {
 }
 function formatPackageDataOutput({
   data,
-  severityCount,
-  score
+  score,
+  severityCount
 }, {
   name,
   outputJson,
@@ -915,7 +915,7 @@ var _which = require$$6$1;
 var _fs$1 = fs;
 var _objects$1 = sdk.objects;
 var _strings$1 = strings;
-const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn'];
+const AGENTS = packageManagerDetector.AGENTS = ['bun', 'npm', 'pnpm', 'yarn/berry', 'yarn/classic', 'vlt'];
 const numericCollator = new Intl.Collator(undefined, {
   numeric: true,
   sensitivity: 'base'
@@ -923,6 +923,22 @@ const numericCollator = new Intl.Collator(undefined, {
 const {
   compare: alphaNumericComparator
 } = numericCollator;
+async function getAgentExecPath(agent) {
+  return (await _which(agent, {
+    nothrow: true
+  })) ?? agent;
+}
+async function getAgentVersion(agentExecPath, cwd) {
+  let result;
+  try {
+    result = _semver$1.coerce(
+    // All package managers support the "--version" flag.
+    (await _promiseSpawn$3(agentExecPath, ['--version'], {
+      cwd
+    })).stdout) ?? undefined;
+  } catch {}
+  return result;
+}
 const maintainedNodeVersions = (() => {
   // Under the hood browserlist uses the node-releases package which is out of date:
   // https://github.com/chicoxyzzy/node-releases/issues/37
@@ -950,15 +966,16 @@ const maintainedNodeVersions = (() => {
 })();
 const LOCKS = {
   'bun.lockb': 'bun',
-  'pnpm-lock.yaml': 'pnpm',
-  'pnpm-lock.yml': 'pnpm',
-  'yarn.lock': 'yarn',
   // If both package-lock.json and npm-shrinkwrap.json are present in the root
   // of a project, npm-shrinkwrap.json will take precedence and package-lock.json
   // will be ignored.
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson
   'npm-shrinkwrap.json': 'npm',
   'package-lock.json': 'npm',
+  'pnpm-lock.yaml': 'pnpm',
+  'pnpm-lock.yml': 'pnpm',
+  'yarn.lock': 'yarn/classic',
+  'vlt-lock.json': 'vlt',
   // Look for a hidden lock file if .npmrc has package-lock=false:
   // https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json#hidden-lockfiles
   //
@@ -975,6 +992,7 @@ const readLockFileByAgent = (() => {
       return undefined;
     };
   }
+  const defaultReader = wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath));
   return {
     bun: wrapReader(async (lockPath, agentExecPath) => {
       let lockBuffer;
@@ -986,13 +1004,16 @@ const readLockFileByAgent = (() => {
       try {
         return (0, _hyrious__bun.parse)(lockBuffer);
       } catch {}
-      // To print a Yarn lockfile to your console without writing it to disk use `bun bun.lockb`.
+      // To print a Yarn lockfile to your console without writing it to disk
+      // use `bun bun.lockb`.
       // https://bun.sh/guides/install/yarnlock
-      return (await _promiseSpawn$3(agentExecPath, [lockPath])).stdout;
+      return (await _promiseSpawn$3(agentExecPath, [lockPath])).stdout.trim();
     }),
-    npm: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
-    pnpm: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath)),
-    yarn: wrapReader(async lockPath => await (0, _fs$1.readFileUtf8)(lockPath))
+    npm: defaultReader,
+    pnpm: defaultReader,
+    vlt: defaultReader,
+    'yarn/berry': defaultReader,
+    'yarn/classic': defaultReader
   };
 })();
 async function detect({
@@ -1007,10 +1028,11 @@ async function detect({
     cwd
   });
   const pkgPath = (0, _fs$1.existsSync)(pkgJsonPath) ? _nodePath$3.dirname(pkgJsonPath) : undefined;
-  const pkgJson = pkgPath ? await _packageJson$1.load(pkgPath) : undefined;
+  const editablePkgJson = pkgPath ? await _packageJson$1.load(pkgPath) : undefined;
+  const pkgJson = editablePkgJson?.content;
   // Read Corepack `packageManager` field in package.json:
   // https://nodejs.org/api/packages.html#packagemanager
-  const pkgManager = (0, _strings$1.isNonEmptyString)(pkgJson?.content?.packageManager) ? pkgJson.content.packageManager : undefined;
+  const pkgManager = (0, _strings$1.isNonEmptyString)(pkgJson?.packageManager) ? pkgJson.packageManager : undefined;
   let agent;
   let agentVersion;
   if (pkgManager) {
@@ -1020,7 +1042,7 @@ async function detect({
       const version = pkgManager.slice(atSignIndex + 1);
       if (version && AGENTS.includes(name)) {
         agent = name;
-        agentVersion = version;
+        agentVersion = _semver$1.coerce(version) ?? undefined;
       }
     }
   }
@@ -1031,9 +1053,14 @@ async function detect({
     agent = 'npm';
     onUnknown?.(pkgManager);
   }
-  const agentExecPath = (await _which(agent, {
-    nothrow: true
-  })) ?? agent;
+  const agentExecPath = await getAgentExecPath(agent);
+  const npmExecPath = agent === 'npm' ? agentExecPath : await getAgentExecPath('npm');
+  if (agentVersion === undefined) {
+    agentVersion = await getAgentVersion(agentExecPath, cwd);
+  }
+  if (agent === 'yarn/classic' && (agentVersion?.major ?? 0) > 1) {
+    agent = 'yarn/berry';
+  }
   const targets = {
     browser: false,
     node: true
@@ -1041,18 +1068,18 @@ async function detect({
   let lockSrc;
   let minimumNodeVersion = maintainedNodeVersions.previous;
   if (pkgJson) {
-    const browserField = pkgJson.content.browser;
+    const browserField = pkgJson.browser;
     if ((0, _strings$1.isNonEmptyString)(browserField) || (0, _objects$1.isObjectObject)(browserField)) {
       targets.browser = true;
     }
-    const nodeRange = pkgJson.content.engines?.['node'];
+    const nodeRange = pkgJson.engines?.['node'];
     if ((0, _strings$1.isNonEmptyString)(nodeRange)) {
       const coerced = _semver$1.coerce(nodeRange);
       if (coerced && _semver$1.lt(coerced, minimumNodeVersion)) {
         minimumNodeVersion = coerced.version;
       }
     }
-    const browserslistQuery = pkgJson.content['browserslist'];
+    const browserslistQuery = pkgJson['browserslist'];
     if (Array.isArray(browserslistQuery)) {
       const browserslistTargets = _browserslist(browserslistQuery).map(s => s.toLowerCase()).toSorted(alphaNumericComparator);
       const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
@@ -1078,7 +1105,8 @@ async function detect({
     lockPath,
     lockSrc,
     minimumNodeVersion,
-    pkgJson,
+    npmExecPath,
+    pkgJson: editablePkgJson,
     pkgPath,
     supported: targets.browser || targets.node,
     targets
@@ -1180,10 +1208,11 @@ var _registry = require$$5$1;
 var _meow$m = _interopRequireDefault$n(vendor.build);
 var _npmPackageArg = require$$7;
 var _ora$i = _interopRequireDefault$n(vendor.ora);
-var _pacote = require$$9;
+var _pacote = require$$0$1;
 var _semver = require$$3;
 var _tinyglobby = require$$11;
 var _yaml = require$$12;
+var _constants = sdk.constants;
 var _flags$j = flags$1;
 var _formatting$k = formatting;
 var _fs = fs;
@@ -1193,18 +1222,21 @@ var _promises2 = promises;
 var _regexps = regexps;
 var _sorts$1 = sorts;
 var _strings = strings;
+//import cacache from 'cacache'
+//import { packumentCache, pacoteCachePath } from '../constants'
 const COMMAND_TITLE = 'Socket Optimize';
 const OVERRIDES_FIELD_NAME = 'overrides';
 const PNPM_WORKSPACE = 'pnpm-workspace';
 const RESOLUTIONS_FIELD_NAME = 'resolutions';
 const distPath$1 = __dirname;
 const manifestNpmOverrides = (0, _registry.getManifestData)('npm');
-const packumentCache = new Map();
 const getOverridesDataByAgent = {
   bun(pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
-      type: 'yarn',
+      type: 'yarn/berry',
       overrides
     };
   },
@@ -1226,18 +1258,34 @@ const getOverridesDataByAgent = {
       overrides
     };
   },
+  vlt(pkgJson) {
+    const overrides = pkgJson?.overrides ?? {};
+    return {
+      type: 'vlt',
+      overrides
+    };
+  },
   // Yarn resolutions documentation:
   // https://yarnpkg.com/configuration/manifest#resolutions
-  yarn(pkgJson) {
+  'yarn/berry'(pkgJson) {
+    const overrides = pkgJson?.resolutions ?? {};
+    return {
+      type: 'yarn/berry',
+      overrides
+    };
+  },
+  // Yarn resolutions documentation:
+  // https://classic.yarnpkg.com/en/docs/selective-version-resolutions
+  'yarn/classic'(pkgJson) {
     const overrides = pkgJson?.resolutions ?? {};
     return {
-      type: 'yarn',
+      type: 'yarn/classic',
       overrides
     };
   }
 };
 const lockIncludesByAgent = (() => {
-  const yarn = (lockSrc, name) => {
+  function yarnLockIncludes(lockSrc, name) {
     const escapedName = (0, _regexps.escapeRegExp)(name);
     return new RegExp(
     // Detects the package name in the following cases:
@@ -1246,9 +1294,9 @@ const lockIncludesByAgent = (() => {
     //   name@
     //   , name@
     `(?<=(?:^\\s*|,\\s*)"?)${escapedName}(?=@)`, 'm').test(lockSrc);
-  };
+  }
   return {
-    bun: yarn,
+    bun: yarnLockIncludes,
     npm(lockSrc, name) {
       // Detects the package name in the following cases:
       //   "name":
@@ -1264,94 +1312,179 @@ const lockIncludesByAgent = (() => {
       //   name@
       `(?<=^\\s*)(?:(['/])${escapedName}\\1|${escapedName}(?=[:@]))`, 'm').test(lockSrc);
     },
-    yarn
+    vlt(lockSrc, name) {
+      // Detects the package name in the following cases:
+      //   "name"
+      return lockSrc.includes(`"${name}"`);
+    },
+    'yarn/berry': yarnLockIncludes,
+    'yarn/classic': yarnLockIncludes
   };
 })();
-const updateManifestByAgent = {
-  bun(pkgJson, overrides) {
-    pkgJson.update({
-      [RESOLUTIONS_FIELD_NAME]: overrides
-    });
-  },
-  npm(pkgJson, overrides) {
+const updateManifestByAgent = (() => {
+  function updateOverrides(pkgJson, overrides) {
     pkgJson.update({
       [OVERRIDES_FIELD_NAME]: overrides
     });
-  },
-  pnpm(pkgJson, overrides) {
-    pkgJson.update({
-      pnpm: {
-        ...pkgJson.content['pnpm'],
-        [OVERRIDES_FIELD_NAME]: overrides
-      }
-    });
-  },
-  yarn(pkgJson, overrides) {
+  }
+  function updateResolutions(pkgJson, overrides) {
     pkgJson.update({
       [RESOLUTIONS_FIELD_NAME]: overrides
     });
   }
-};
-const lsByAgent = {
-  async bun(agentExecPath, cwd, _rootPath) {
-    try {
-      // Bun does not support filtering by production packages yet.
-      // https://github.com/oven-sh/bun/issues/8283
-      return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
-        cwd
-      })).stdout;
-    } catch {}
-    return '';
-  },
-  async npm(agentExecPath, cwd, rootPath) {
-    try {
-      let {
-        stdout
-      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--omit', 'dev', '--all'], {
-        cwd
-      });
-      stdout = stdout.replaceAll(cwd, '');
-      return rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
-    } catch {}
-    return '';
-  },
-  async pnpm(agentExecPath, cwd, rootPath) {
-    try {
-      let {
-        stdout
-      } = await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
-        cwd
+  return {
+    bun: updateResolutions,
+    npm: updateOverrides,
+    pnpm(pkgJson, overrides) {
+      pkgJson.update({
+        pnpm: {
+          ...pkgJson.content['pnpm'],
+          [OVERRIDES_FIELD_NAME]: overrides
+        }
       });
-      stdout = stdout.replaceAll(cwd, '');
-      return rootPath === cwd ? stdout : stdout.replaceAll(rootPath, '');
-    } catch {}
-    return '';
-  },
-  async yarn(agentExecPath, cwd, _rootPath) {
+    },
+    vlt: updateOverrides,
+    'yarn/berry': updateResolutions,
+    'yarn/classic': updateResolutions
+  };
+})();
+const lsByAgent = (() => {
+  function cleanupQueryStdout(stdout) {
+    if (stdout === '') {
+      return '';
+    }
+    let pkgs;
     try {
-      return (
-        // Yarn Berry does not support filtering by production packages yet.
-        // https://github.com/yarnpkg/berry/issues/5117
-        (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
-          cwd
-        })).stdout
-      );
+      pkgs = JSON.parse(stdout);
     } catch {}
+    if (!Array.isArray(pkgs)) {
+      return '';
+    }
+    const names = new Set();
+    for (const {
+      _id,
+      name,
+      pkgid
+    } of pkgs) {
+      // `npm query` results may not have a "name" property, in which case we
+      // fallback to "_id" and then "pkgid".
+      // `vlt ls --view json` results always have a "name" property.
+      const fallback = _id ?? pkgid ?? '';
+      const resolvedName = name ?? fallback.slice(0, fallback.indexOf('@', 1));
+      if (resolvedName) {
+        names.add(resolvedName);
+      }
+    }
+    return JSON.stringify([...names], null, 2);
+  }
+  function parseableToQueryStdout(stdout) {
+    if (stdout === '') {
+      return '';
+    }
+    // Convert the parseable stdout into a json array of unique names.
+    // The matchAll regexp looks for a forward (posix) or backward (win32) slash
+    // and matches one or more non-slashes until the newline.
+    const names = new Set(stdout.matchAll(/(?<=[/\\])[^/\\]+(?=\n)/g));
+    return JSON.stringify([...names], null, 2);
+  }
+  async function npmQuery(npmExecPath, cwd) {
+    let stdout = '';
     try {
-      // However, Yarn Classic does support it.
-      return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
+      stdout = (await _promiseSpawn$2(npmExecPath, ['query', ':not(.dev)'], {
         cwd
       })).stdout;
     } catch {}
-    return '';
+    return cleanupQueryStdout(stdout);
   }
-};
-const depsIncludesByAgent = {
-  bun: (stdout, name) => stdout.includes(name),
-  npm: (stdout, name) => stdout.includes(name),
-  pnpm: (stdout, name) => stdout.includes(name),
-  yarn: (stdout, name) => stdout.includes(name)
-};
+  return {
+    async bun(agentExecPath, cwd) {
+      try {
+        // Bun does not support filtering by production packages yet.
+        // https://github.com/oven-sh/bun/issues/8283
+        return (await _promiseSpawn$2(agentExecPath, ['pm', 'ls', '--all'], {
+          cwd
+        })).stdout;
+      } catch {}
+      return '';
+    },
+    async npm(agentExecPath, cwd) {
+      return await npmQuery(agentExecPath, cwd);
+    },
+    async pnpm(agentExecPath, cwd, options) {
+      const {
+        npmExecPath
+      } = {
+        __proto__: null,
+        ...options
+      };
+      if (npmExecPath && npmExecPath !== 'npm') {
+        const result = await npmQuery(npmExecPath, cwd);
+        if (result) {
+          return result;
+        }
+      }
+      let stdout = '';
+      try {
+        stdout = (await _promiseSpawn$2(agentExecPath, ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+          cwd
+        })).stdout;
+      } catch {}
+      return parseableToQueryStdout(stdout);
+    },
+    async vlt(agentExecPath, cwd) {
+      let stdout = '';
+      try {
+        stdout = (await _promiseSpawn$2(agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
+          cwd
+        })).stdout;
+      } catch {}
+      return cleanupQueryStdout(stdout);
+    },
+    async 'yarn/berry'(agentExecPath, cwd) {
+      try {
+        return (
+          // Yarn Berry does not support filtering by production packages yet.
+          // https://github.com/yarnpkg/berry/issues/5117
+          (await _promiseSpawn$2(agentExecPath, ['info', '--recursive', '--name-only'], {
+            cwd
+          })).stdout.trim()
+        );
+      } catch {}
+      return '';
+    },
+    async 'yarn/classic'(agentExecPath, cwd) {
+      try {
+        // However, Yarn Classic does support it.
+        // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
+        // > Fix: Excludes dev dependencies from the yarn list output when the
+        //   environment is production
+        return (await _promiseSpawn$2(agentExecPath, ['list', '--prod'], {
+          cwd
+        })).stdout.trim();
+      } catch {}
+      return '';
+    }
+  };
+})();
+const depsIncludesByAgent = (() => {
+  function matchHumanStdout(stdout, name) {
+    return stdout.includes(` ${name}@`);
+  }
+  function matchQueryStdout(stdout, name) {
+    return stdout.includes(`"${name}"`);
+  }
+  return {
+    bun: matchHumanStdout,
+    npm: matchQueryStdout,
+    pnpm: matchQueryStdout,
+    vlt: matchQueryStdout,
+    'yarn/berry': matchHumanStdout,
+    'yarn/classic': matchHumanStdout
+  };
+})();
+function createActionMessage(verb, overrideCount, workspaceCount) {
+  return `${verb} ${overrideCount} Socket.dev optimized overrides${workspaceCount ? ` in ${workspaceCount} workspace${workspaceCount > 1 ? 's' : ''}` : ''}`;
+}
 function getDependencyEntries(pkgJson) {
   const {
     dependencies,
@@ -1375,28 +1508,33 @@ function getDependencyEntries(pkgJson) {
     1: o
   }) => o);
 }
-async function getWorkspaces(agent, pkgPath, pkgJson) {
-  if (agent !== 'pnpm') {
-    return Array.isArray(pkgJson['workspaces']) ? pkgJson['workspaces'].filter(_strings.isNonEmptyString) : undefined;
-  }
-  for (const workspacePath of [_nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), _nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
-    if ((0, _fs.existsSync)(workspacePath)) {
-      let packages;
-      try {
-        // eslint-disable-next-line no-await-in-loop
-        packages = (0, _yaml.parse)(await _promises$2.readFile(workspacePath, 'utf8'))?.packages;
-      } catch {}
-      if (Array.isArray(packages)) {
-        return packages.filter(_strings.isNonEmptyString);
+async function getWorkspaceGlobs(agent, pkgPath, pkgJson) {
+  let workspacePatterns;
+  if (agent === 'pnpm') {
+    for (const workspacePath of [_nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yaml`), _nodePath$2.join(pkgPath, `${PNPM_WORKSPACE}.yml`)]) {
+      if ((0, _fs.existsSync)(workspacePath)) {
+        try {
+          workspacePatterns = (0, _yaml.parse)(
+          // eslint-disable-next-line no-await-in-loop
+          await _promises$2.readFile(workspacePath, 'utf8'))?.packages;
+        } catch {}
+        if (workspacePatterns) {
+          break;
+        }
       }
     }
+  } else {
+    workspacePatterns = pkgJson['workspaces'];
   }
-  return undefined;
+  return Array.isArray(workspacePatterns) ? workspacePatterns.filter(_strings.isNonEmptyString).map(workspacePatternToGlobPattern) : undefined;
 }
-function workspaceToGlobPattern(workspace) {
+function workspacePatternToGlobPattern(workspace) {
   const {
     length
   } = workspace;
+  if (!length) {
+    return '';
+  }
   // If the workspace ends with "/"
   if (workspace.charCodeAt(length - 1) === 47 /*'/'*/) {
     return `${workspace}/*/package.json`;
@@ -1408,38 +1546,59 @@ function workspaceToGlobPattern(workspace) {
   // Things like "packages/a" or "packages/*"
   return `${workspace}/package.json`;
 }
+function createAddOverridesState(initials) {
+  return {
+    added: new Set(),
+    addedInWorkspaces: new Set(),
+    spinner: undefined,
+    updated: new Set(),
+    updatedInWorkspaces: new Set(),
+    warnedPnpmWorkspaceRequiresNpm: false,
+    ...initials
+  };
+}
 async function addOverrides({
   agent,
   agentExecPath,
   lockSrc,
   manifestEntries,
+  npmExecPath,
   pin,
   pkgJson: editablePkgJson,
   pkgPath,
   prod,
   rootPath
-}, state = {
-  added: new Set(),
-  updated: new Set()
-}) {
+}, state = createAddOverridesState()) {
   if (editablePkgJson === undefined) {
     editablePkgJson = await _packageJson.load(pkgPath);
   }
+  const {
+    spinner
+  } = state;
   const pkgJson = editablePkgJson.content;
   const isRoot = pkgPath === rootPath;
   const isLockScanned = isRoot && !prod;
-  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, rootPath);
+  const workspaceName = _nodePath$2.relative(rootPath, pkgPath);
+  const workspaceGlobs = await getWorkspaceGlobs(agent, pkgPath, pkgJson);
+  const isWorkspace = !!workspaceGlobs;
+  if (isWorkspace && agent === 'pnpm' && npmExecPath === 'npm' && !state.warnedPnpmWorkspaceRequiresNpm) {
+    state.warnedPnpmWorkspaceRequiresNpm = true;
+    console.log(`⚠️ ${COMMAND_TITLE}: pnpm workspace support requires \`npm ls\`, falling back to \`pnpm list\``);
+  }
+  const thingToScan = isLockScanned ? lockSrc : await lsByAgent[agent](agentExecPath, pkgPath, {
+    npmExecPath
+  });
   const thingScanner = isLockScanned ? lockIncludesByAgent[agent] : depsIncludesByAgent[agent];
   const depEntries = getDependencyEntries(pkgJson);
-  const workspaces = await getWorkspaces(agent, pkgPath, pkgJson);
-  const isWorkspace = !!workspaces;
   const overridesDataObjects = [];
   if (pkgJson['private'] || isWorkspace) {
     overridesDataObjects.push(getOverridesDataByAgent[agent](pkgJson));
   } else {
-    overridesDataObjects.push(getOverridesDataByAgent['npm'](pkgJson), getOverridesDataByAgent['yarn'](pkgJson));
+    overridesDataObjects.push(getOverridesDataByAgent.npm(pkgJson), getOverridesDataByAgent['yarn/classic'](pkgJson));
+  }
+  if (spinner) {
+    spinner.text = `Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`;
   }
-  const spinner = isRoot ? (0, _ora$i.default)('Fetching override manifests...').start() : undefined;
   const depAliasMap = new Map();
   // Chunk package names to process them in parallel 3 at a time.
   await (0, _promises2.pEach)(manifestEntries, 3, async ({
@@ -1467,6 +1626,7 @@ async function addOverrides({
           pkgSpec = `${regSpecStartsLike}^${version}`;
           depObj[origPkgName] = pkgSpec;
           state.added.add(regPkgName);
+          state.addedInWorkspaces.add(workspaceName);
         }
         depAliasMap.set(origPkgName, {
           id: pkgSpec,
@@ -1507,46 +1667,47 @@ async function addOverrides({
           }
         }
         if (newSpec !== oldSpec) {
+          overrides[origPkgName] = newSpec;
           if (overrideExists) {
             state.updated.add(regPkgName);
+            state.updatedInWorkspaces.add(workspaceName);
           } else {
             state.added.add(regPkgName);
+            state.addedInWorkspaces.add(workspaceName);
           }
-          overrides[origPkgName] = newSpec;
         }
       }
     });
   });
-  if (workspaces) {
-    const wsPkgJsonPaths = await (0, _tinyglobby.glob)(workspaces.map(workspaceToGlobPattern), {
+  if (workspaceGlobs) {
+    const workspacePkgJsonPaths = await (0, _tinyglobby.glob)(workspaceGlobs, {
       absolute: true,
-      cwd: pkgPath
+      cwd: pkgPath,
+      ignore: ['**/node_modules/**', '**/bower_components/**']
     });
     // Chunk package names to process them in parallel 3 at a time.
-    await (0, _promises2.pEach)(wsPkgJsonPaths, 3, async wsPkgJsonPath => {
-      const {
-        added,
-        updated
-      } = await addOverrides({
+    await (0, _promises2.pEach)(workspacePkgJsonPaths, 3, async workspacePkgJsonPath => {
+      const otherState = await addOverrides({
         agent,
         agentExecPath,
         lockSrc,
         manifestEntries,
+        npmExecPath,
         pin,
-        pkgPath: _nodePath$2.dirname(wsPkgJsonPath),
+        pkgPath: _nodePath$2.dirname(workspacePkgJsonPath),
         prod,
         rootPath
-      });
-      for (const regPkgName of added) {
-        state.added.add(regPkgName);
-      }
-      for (const regPkgName of updated) {
-        state.updated.add(regPkgName);
+      }, createAddOverridesState({
+        spinner
+      }));
+      for (const key of ['added', 'addedInWorkspaces', 'updated', 'updatedInWorkspaces']) {
+        for (const value of otherState[key]) {
+          state[key].add(value);
+        }
       }
     });
   }
-  spinner?.stop();
-  if (state.added.size || state.updated.size) {
+  if (state.added.size > 0 || state.updated.size > 0) {
     editablePkgJson.update(Object.fromEntries(depEntries));
     for (const {
       overrides,
@@ -1558,10 +1719,39 @@ async function addOverrides({
   }
   return state;
 }
+// type ExtractOptions = pacote.Options & {
+//   tmpPrefix?: string
+//   [key: string]: any
+// }
+// async function extractPackage(pkgNameOrId: string, options: ExtractOptions | undefined, callback: (tmpDirPath: string) => any) {
+//   if (arguments.length === 2 && typeof options === 'function') {
+//     callback = options
+//     options = undefined
+//   }
+//   const { tmpPrefix, ...extractOptions } = { __proto__: null, ...options }
+//   // cacache.tmp.withTmp DOES return a promise.
+//   await cacache.tmp.withTmp(
+//     pacoteCachePath,
+//     { tmpPrefix },
+//     // eslint-disable-next-line @typescript-eslint/no-misused-promises
+//     async tmpDirPath => {
+//       await pacote.extract(pkgNameOrId, tmpDirPath, {
+//         __proto__: null,
+//         packumentCache,
+//         preferOffline: true,
+//         ...<Omit<typeof extractOptions, '__proto__'>>extractOptions
+//       })
+//       await callback(tmpDirPath)
+//     }
+//   )
+// }
 async function fetchPackageManifest(pkgNameOrId, options) {
   const pacoteOptions = {
     ...options,
-    packumentCache,
+    packumentCache: _constants.packumentCache,
     preferOffline: true
   };
   const {
@@ -1596,9 +1786,11 @@ const optimize = optimize$1.optimize = {
     const {
       agent,
       agentExecPath,
-      lockSrc,
+      agentVersion,
       lockPath,
+      lockSrc,
       minimumNodeVersion,
+      npmExecPath,
       pkgJson,
       pkgPath,
       supported
@@ -1612,67 +1804,84 @@ const optimize = optimize$1.optimize = {
       console.log(`✘ ${COMMAND_TITLE}: No supported Node or browser range detected`);
       return;
     }
+    if (agent === 'vlt') {
+      console.log(`✘ ${COMMAND_TITLE}: ${agent} does not support overrides. Soon, though ⚡`);
+      return;
+    }
     const lockName = lockPath ? _nodePath$2.basename(lockPath) : 'lock file';
     if (lockSrc === undefined) {
       console.log(`✘ ${COMMAND_TITLE}: No ${lockName} found`);
       return;
     }
+    if (lockSrc.trim() === '') {
+      console.log(`✘ ${COMMAND_TITLE}: ${lockName} is empty`);
+      return;
+    }
     if (pkgPath === undefined) {
       console.log(`✘ ${COMMAND_TITLE}: No package.json found`);
       return;
     }
+    if (prod && (agent === 'bun' || agent === 'yarn/berry')) {
+      console.log(`✘ ${COMMAND_TITLE}: --prod not supported for ${agent}${agentVersion ? `@${agentVersion.toString()}` : ''}`);
+      return;
+    }
     if (lockPath && _nodePath$2.relative(cwd, lockPath).startsWith('.')) {
       console.log(`⚠️ ${COMMAND_TITLE}: Package ${lockName} found at ${lockPath}`);
     }
-    const state = {
-      added: new Set(),
-      updated: new Set()
-    };
-    if (lockSrc) {
-      const nodeRange = `>=${minimumNodeVersion}`;
-      const manifestEntries = manifestNpmOverrides.filter(({
-        1: data
-      }) => _semver.satisfies(_semver.coerce(data.engines.node), nodeRange));
-      await addOverrides({
-        agent,
-        agentExecPath,
-        lockSrc,
-        manifestEntries,
-        pin,
-        pkgJson,
-        pkgPath,
-        prod,
-        rootPath: pkgPath
-      }, state);
-    }
-    const pkgJsonChanged = state.added.size > 0 || state.updated.size > 0;
-    if (state.updated.size > 0) {
-      console.log(`Updated ${state.updated.size} Socket.dev optimized overrides ${state.added.size ? '.' : '🚀'}`);
-    }
-    if (state.added.size > 0) {
-      console.log(`Added ${state.added.size} Socket.dev optimized overrides 🚀`);
-    }
-    if (!pkgJsonChanged) {
+    const spinner = (0, _ora$i.default)('Socket optimizing...');
+    const state = createAddOverridesState({
+      spinner
+    });
+    spinner.start();
+    const nodeRange = `>=${minimumNodeVersion}`;
+    const manifestEntries = manifestNpmOverrides.filter(({
+      1: data
+    }) => _semver.satisfies(_semver.coerce(data.engines.node), nodeRange));
+    await addOverrides({
+      agent,
+      agentExecPath,
+      lockSrc,
+      manifestEntries,
+      npmExecPath,
+      pin,
+      pkgJson,
+      pkgPath,
+      prod,
+      rootPath: pkgPath
+    }, state);
+    spinner.stop();
+    const addedCount = state.added.size;
+    const updatedCount = state.updated.size;
+    const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
+    if (pkgJsonChanged) {
+      if (updatedCount > 0) {
+        console.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
+      }
+      if (addedCount > 0) {
+        console.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
+      }
+    } else {
       console.log('Congratulations! Already Socket.dev optimized 🎉');
     }
     const isNpm = agent === 'npm';
     if (isNpm || pkgJsonChanged) {
       // Always update package-lock.json until the npm overrides PR lands:
       // https://github.com/npm/cli/pull/7025
-      const spinner = (0, _ora$i.default)(`Updating ${lockName}...`).start();
+      spinner.start(`Updating ${lockName}...`);
       try {
         if (isNpm) {
           const wrapperPath = _nodePath$2.join(distPath$1, 'npm-cli.js');
-          await _promiseSpawn$2(process.execPath, [wrapperPath, 'install'], {
-            stdio: 'pipe',
+          await _promiseSpawn$2(process.execPath, [wrapperPath, 'install', '--no-audit', '--no-fund'], {
+            stdio: 'ignore',
             env: {
               ...process.env,
               UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE: '1'
             }
           });
         } else {
+          // All package managers support the "install" command.
           await _promiseSpawn$2(agentExecPath, ['install'], {
-            stdio: 'pipe'
+            stdio: 'ignore'
           });
         }
         spinner.stop();
@@ -2301,8 +2510,8 @@ async function meowWithSubcommands(subcommands, options) {
   const {
     aliases = {},
     argv,
-    name,
     importMeta,
+    name,
     ...additionalOptions
   } = {
     __proto__: null,
@@ -2430,8 +2639,8 @@ function setupCommand$f(name, description, argv, importMeta) {
     return;
   }
   const {
-    enable,
-    disable
+    disable,
+    enable
   } = cli.flags;
   let showHelp = cli.flags['help'];
   if (!enable && !disable) {
@@ -2545,7 +2754,7 @@ Object.defineProperty(create$3, "__esModule", {
   value: true
 });
 create$3.create = void 0;
-var _nodeProcess = require$$0$1;
+var _nodeProcess = require$$0$2;
 var _promises$1 = require$$2$3;
 var _chalk$e = _interopRequireDefault$f(vendor.source);
 var _meow$e = _interopRequireDefault$f(vendor.build);
@@ -2678,8 +2887,8 @@ async function setupCommand$e(name, description, argv, importMeta) {
   const debugLog = (0, _misc.createDebugLogger)(false);
   const packagePaths = await (0, _pathResolve.getPackageFilesFullScans)(cwd, cli.input, supportedFiles, debugLog);
   const {
-    repo: repoName,
-    branch: branchName
+    branch: branchName,
+    repo: repoName
   } = cli.flags;
   if (!repoName || !branchName || !packagePaths.length) {
     showHelp = true;
@@ -2709,14 +2918,14 @@ async function setupCommand$e(name, description, argv, importMeta) {
 async function createFullScan(input, spinner, apiKey) {
   const socketSdk = await (0, _sdk$e.setupSdk)(apiKey);
   const {
-    orgSlug,
-    repoName,
     branchName,
     commitMessage,
     defaultBranch,
+    orgSlug,
+    packagePaths,
     pendingHead,
-    tmp,
-    packagePaths
+    repoName,
+    tmp
   } = input;
   const result = await (0, _apiHelpers$e.handleApiCall)(socketSdk.createOrgFullScan(orgSlug, {
     repo: repoName,
@@ -4021,8 +4230,8 @@ function setupCommand$3(name, description, argv, importMeta) {
   });
   const {
     json: outputJson,
-    markdown: outputMarkdown,
     limit,
+    markdown: outputMarkdown,
     offset
   } = cli.flags;
   return {
@@ -4414,7 +4623,7 @@ Object.defineProperty(get$1, "__esModule", {
 });
 get$1.get = void 0;
 var _nodeFs$1 = require$$0;
-var _nodeUtil = require$$0$2;
+var _nodeUtil = require$$0$3;
 var _chalk$1 = _interopRequireDefault$2(vendor.source);
 var _meow$1 = _interopRequireDefault$2(vendor.build);
 var _ora$1 = _interopRequireDefault$2(vendor.ora);
@@ -4492,8 +4701,8 @@ function setupCommand$1(name, description, argv, importMeta) {
     flags
   });
   const {
-    before,
-    after
+    after,
+    before
   } = cli.flags;
   let showHelp = cli.flags['help'];
   if (!before || !after) {
@@ -4519,10 +4728,10 @@ function setupCommand$1(name, description, argv, importMeta) {
   };
 }
 async function getDiffScan({
-  before,
   after,
-  orgSlug,
+  before,
   file,
+  orgSlug,
   outputJson
 }, spinner, apiKey) {
   const response = await (0, _apiHelpers$1.queryAPI)(`${orgSlug}/full-scans/diff?before=${before}&after=${after}&preview`, apiKey);
@@ -4668,12 +4877,12 @@ function setupCommand(name, description, argv, importMeta) {
     flags
   });
   const {
+    direction,
+    filter,
     json: outputJson,
     markdown: outputMarkdown,
-    perPage: per_page,
     page,
-    direction,
-    filter
+    perPage: per_page
   } = cli.flags;
   return {
     outputJson,
@@ -4685,11 +4894,11 @@ function setupCommand(name, description, argv, importMeta) {
   };
 }
 async function fetchThreatFeed({
-  per_page,
-  page,
   direction,
   filter,
-  outputJson
+  outputJson,
+  page,
+  per_page
 }, spinner, apiKey) {
   const formattedQueryParams = formatQueryParams({
     per_page,