socket 0.14.39 → 0.14.40-alpha.0

package/dist/module-sync/npm-injection.js

@@ -15,210 +15,18 @@ var https = require('node:https');
 var path = require('node:path');
 var readline = require('node:readline');
 var promises = require('node:timers/promises');
-var prompts = require('@socketsecurity/registry/lib/prompts');
 var yoctoSpinner = require('@socketregistry/yocto-spinner');
-var isInteractive = _socketInterop(require('is-interactive'));
-var npa = _socketInterop(require('npm-package-arg'));
-var semver = _socketInterop(require('semver'));
 var config = require('@socketsecurity/config');
+var registry = require('@socketsecurity/registry');
 var objects = require('@socketsecurity/registry/lib/objects');
 var packages = require('@socketsecurity/registry/lib/packages');
-var net = require('node:net');
-var homedir = require('node:os');
-var node_stream = require('node:stream');
-var sdk = require('./sdk.js');
+var prompts = require('@socketsecurity/registry/lib/prompts');
+var npa = _socketInterop(require('npm-package-arg'));
+var semver = _socketInterop(require('semver'));
 var constants = require('./constants.js');
+var sdk = require('./sdk.js');
 var pathResolve = require('./path-resolve.js');
 
-var version = "0.14.39";
-
-const NEWLINE_CHAR_CODE = 10; /*'\n'*/
-
-const TTY_IPC = process.env['SOCKET_SECURITY_TTY_IPC'];
-const sock = path.join(homedir.tmpdir(), `socket-security-tty-${process.pid}.sock`);
-process.env['SOCKET_SECURITY_TTY_IPC'] = sock;
-function createNonStandardTTYServer() {
-  return {
-    async captureTTY(mutexFn) {
-      return await new Promise((resolve, reject) => {
-        const conn = net.createConnection({
-          path: TTY_IPC
-        }).on('error', reject);
-        let captured = false;
-        const buffs = [];
-        conn.on('data', function awaitCapture(chunk) {
-          buffs.push(chunk);
-          let lineBuff = Buffer.concat(buffs);
-          if (captured) return;
-          try {
-            const eolIndex = lineBuff.indexOf(NEWLINE_CHAR_CODE);
-            if (eolIndex !== -1) {
-              conn.removeListener('data', awaitCapture);
-              conn.push(lineBuff.slice(eolIndex + 1));
-              const {
-                capabilities: {
-                  input: hasInput,
-                  output: hasOutput
-                },
-                ipc_version: remote_ipc_version
-              } = JSON.parse(lineBuff.subarray(0, eolIndex).toString('utf8'));
-              lineBuff = null;
-              captured = true;
-              if (remote_ipc_version !== version) {
-                throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.');
-              }
-              const input = hasInput ? new node_stream.PassThrough() : null;
-              input?.pause();
-              if (input) conn.pipe(input);
-              const output = hasOutput ? new node_stream.PassThrough() : null;
-              if (output) {
-                output.pipe(conn)
-                // Make ora happy
-                ;
-                output.isTTY = true;
-                output.cursorTo = function cursorTo(x, y, callback) {
-                  readline.cursorTo(this, x, y, callback);
-                };
-                output.clearLine = function clearLine(dir, callback) {
-                  readline.clearLine(this, dir, callback);
-                };
-              }
-              mutexFn(hasInput ? input : undefined, hasOutput ? output : undefined).then(resolve, reject).finally(() => {
-                conn.unref();
-                conn.end();
-                input?.end();
-                output?.end();
-                // process.exit(13)
-              });
-            }
-          } catch (e) {
-            reject(e);
-          }
-        });
-      });
-    }
-  };
-}
-function createIPCServer(captureState, npmlog) {
-  const input = process.stdin;
-  const output = process.stderr;
-  return new Promise((resolve, reject) => {
-    const server = net
-    // eslint-disable-next-line @typescript-eslint/no-misused-promises
-    .createServer(async conn => {
-      if (captureState.captured) {
-        await new Promise(resolve => {
-          captureState.pendingCaptures.push({
-            resolve() {
-              resolve();
-            }
-          });
-        });
-      } else {
-        captureState.captured = true;
-      }
-      const wasProgressEnabled = npmlog.progressEnabled;
-      npmlog.pause();
-      if (wasProgressEnabled) {
-        npmlog.disableProgress();
-      }
-      conn.write(`${JSON.stringify({
-        ipc_version: version,
-        capabilities: {
-          input: Boolean(input),
-          output: true
-        }
-      })}\n`);
-      conn.on('data', data => {
-        output.write(data);
-      }).on('error', e => {
-        output.write(`there was an error prompting from a sub shell (${e?.message}), socket npm closing`);
-        process.exit(1);
-      });
-      input.on('data', data => {
-        conn.write(data);
-      }).on('end', () => {
-        conn.unref();
-        conn.end();
-        if (wasProgressEnabled) {
-          npmlog.enableProgress();
-        }
-        npmlog.resume();
-        captureState.nextCapture();
-      });
-    }).listen(sock, () => resolve(server)).on('error', reject).unref();
-    process.on('exit', () => {
-      server.close();
-      tryUnlinkSync(sock);
-    });
-    resolve(server);
-  });
-}
-function createStandardTTYServer(isInteractive, npmlog) {
-  const captureState = {
-    captured: false,
-    nextCapture: () => {
-      if (captureState.pendingCaptures.length > 0) {
-        const pendingCapture = captureState.pendingCaptures.shift();
-        pendingCapture?.resolve();
-      } else {
-        captureState.captured = false;
-      }
-    },
-    pendingCaptures: []
-  };
-  tryUnlinkSync(sock);
-  const input = isInteractive ? process.stdin : undefined;
-  const output = process.stderr;
-  let ipcServerPromise;
-  if (input) {
-    ipcServerPromise = createIPCServer(captureState, npmlog);
-  }
-  return {
-    async captureTTY(mutexFn) {
-      await ipcServerPromise;
-      if (captureState.captured) {
-        const captured = new Promise(resolve => {
-          captureState.pendingCaptures.push({
-            resolve() {
-              resolve();
-            }
-          });
-        });
-        await captured;
-      } else {
-        captureState.captured = true;
-      }
-      const wasProgressEnabled = npmlog.progressEnabled;
-      try {
-        npmlog.pause();
-        if (wasProgressEnabled) {
-          npmlog.disableProgress();
-        }
-        return await mutexFn(input, output);
-      } finally {
-        if (wasProgressEnabled) {
-          npmlog.enableProgress();
-        }
-        npmlog.resume();
-        captureState.nextCapture();
-      }
-    }
-  };
-}
-function tryUnlinkSync(filepath) {
-  try {
-    fs.unlinkSync(filepath);
-  } catch (e) {
-    if (sdk.isErrnoException(e) && e.code !== 'ENOENT') {
-      throw e;
-    }
-  }
-}
-function createTTYServer(isInteractive, npmlog) {
-  return !isInteractive && TTY_IPC ? createNonStandardTTYServer() : createStandardTTYServer(isInteractive, npmlog);
-}
-
 //#region UX Constants
 
 const IGNORE_UX = {
@@ -239,10 +47,10 @@ const ERROR_UX = {
 /**
  * Iterates over all entries with ordered issue rule for deferral.  Iterates over
  * all issue rules and finds the first defined value that does not defer otherwise
- * uses the defaultValue. Takes the value and converts into a UX workflow
+ * uses the defaultValue. Takes the value and converts into a UX workflow.
  */
 function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
-  if (defaultValue === true || defaultValue == null) {
+  if (defaultValue === true || defaultValue === null || defaultValue === undefined) {
     defaultValue = {
       action: 'error'
     };
@@ -280,12 +88,13 @@ function resolveAlertRuleUX(orderedRulesCollection, defaultValue) {
 }
 
 /**
- * Negative form because it is narrowing the type
+ * Negative form because it is narrowing the type.
  */
 function ruleValueDoesNotDefer(rule) {
   if (rule === undefined) {
     return false;
-  } else if (rule !== null && typeof rule === 'object') {
+  }
+  if (objects.isObject(rule)) {
     const {
       action
     } = rule;
@@ -297,7 +106,7 @@ function ruleValueDoesNotDefer(rule) {
 }
 
 /**
- * Handles booleans for backwards compatibility
+ * Handles booleans for backwards compatibility.
  */
 function uxForDefinedNonDeferValue(ruleValue) {
   if (typeof ruleValue === 'boolean') {
@@ -368,10 +177,12 @@ const {
   API_V0_URL,
   ENV,
   LOOP_SENTINEL,
+  NPM,
   NPM_REGISTRY_URL,
+  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE,
   SOCKET_CLI_ISSUES_URL,
+  SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE,
   SOCKET_PUBLIC_API_KEY,
-  UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE,
   abortSignal,
   rootPath
 } = constants;
@@ -417,16 +228,7 @@ const log = tryRequire([path.join(npmNmPath, 'proc-log/lib/index.js'),
 // The proc-log DefinitelyTyped definition is incorrect. The type definition
 // is really that of its export log.
 mod => mod.log], path.join(npmNmPath, 'npmlog/lib/log.js'));
-if (log === undefined) {
-  console.error(`Unable to integrate with npm CLI logging infrastructure.\n\n${POTENTIAL_BUG_ERROR_MESSAGE}.`);
-  // The exit code 127 indicates that the command or binary being executed
-  // could not be found.
-  process.exit(127);
-}
-const pacote = tryRequire(path.join(npmNmPath, 'pacote'), 'pacote');
-const {
-  tarball
-} = pacote;
+const pacote = require(path.join(npmNmPath, 'pacote'));
 const translations = require(path.join(rootPath, 'translations.json'));
 const Arborist = require(arboristClassPath);
 const depValid = require(arboristDepValidPath);
@@ -437,9 +239,6 @@ const kCtorArgs = Symbol('ctorArgs');
 const kRiskyReify = Symbol('riskyReify');
 const formatter = new sdk.ColorOrMarkdown(false);
 const pubToken = sdk.getDefaultKey() ?? SOCKET_PUBLIC_API_KEY;
-const ttyServer = createTTYServer(isInteractive({
-  stream: process.stdin
-}), log);
 let _uxLookup;
 async function uxLookup(settings) {
   while (_uxLookup === undefined) {
@@ -450,6 +249,35 @@ async function uxLookup(settings) {
   }
   return _uxLookup(settings);
 }
+function packageAlertsToReport(alerts) {
+  let report = null;
+  for (const alert of alerts) {
+    if (!isAlertFixableCve(alert.raw)) {
+      continue;
+    }
+    const {
+      name
+    } = alert;
+    if (!report) {
+      report = {};
+    }
+    if (!report[name]) {
+      report[name] = [];
+    }
+    const props = alert.raw?.props;
+    report[name].push({
+      id: -1,
+      url: props?.url,
+      title: props?.title,
+      severity: alert.raw?.severity?.toLowerCase(),
+      vulnerable_versions: props?.vulnerableVersionRange,
+      cwe: props?.cwes,
+      cvss: props?.csvs,
+      name
+    });
+  }
+  return report;
+}
 async function* batchScan(pkgIds) {
   const req = https.request(`${API_V0_URL}/purl?alerts=true`, {
     method: 'POST',
@@ -527,17 +355,17 @@ function findSpecificOverrideSet(first, second) {
     overrideSet = overrideSet.parent;
   }
   // The override sets are incomparable. Neither one contains the other.
-  log.silly('Conflicting override sets', first, second);
+  log?.silly('Conflicting override sets', first, second);
   return undefined;
 }
 function isAlertFixable(alert) {
+  return alert.type === 'socketUpgradeAvailable' || isAlertFixableCve(alert);
+}
+function isAlertFixableCve(alert) {
   const {
     type
   } = alert;
-  if (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') {
-    return !!alert.props?.['firstPatchedVersionIdentifier'];
-  }
-  return type === 'socketUpgradeAvailable';
+  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'];
 }
 function maybeReadfileSync(filepath) {
   try {
@@ -545,7 +373,7 @@ function maybeReadfileSync(filepath) {
   } catch {}
   return undefined;
 }
-async function getPackagesAlerts(safeArb, _registry, pkgs, output) {
+async function getPackagesAlerts(safeArb, pkgs, output) {
   const spinner = yoctoSpinner({
     stream: output
   });
@@ -616,7 +444,7 @@ async function getPackagesAlerts(safeArb, _registry, pkgs, output) {
       if (!blocked) {
         const pkg = pkgs.find(p => p.pkgid === id);
         if (pkg) {
-          await tarball.stream(id, stream => {
+          await pacote.tarball.stream(id, stream => {
             stream.resume();
             return stream.promise();
           }, {
@@ -648,8 +476,6 @@ async function getPackagesAlerts(safeArb, _registry, pkgs, output) {
       spinner.text = remaining > 0 ? getText() : '';
       packageAlerts.push(...alerts);
     }
-  } catch (e) {
-    console.log('error', e);
   } finally {
     spinner.stop();
   }
@@ -713,7 +539,7 @@ function walk(diff_, needInfoOn = []) {
 // have access to. So we have to recreate any functionality that relies on those
 // private properties and use our own "safe" prefixed non-conflicting private
 // properties. Implementation code not related to patch https://github.com/npm/cli/pull/7025
-// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/edge.js.
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/edge.js.
 //
 // The npm application
 // Copyright (c) npm, Inc. and Contributors
@@ -721,6 +547,7 @@ function walk(diff_, needInfoOn = []) {
 //
 // An edge in the dependency graph.
 // Represents a dependency relationship of some kind.
+const initializedSafeEdges = new WeakSet();
 class SafeEdge extends Edge {
   #safeAccept;
   #safeError;
@@ -739,11 +566,15 @@ class SafeEdge extends Edge {
     if (accept !== undefined) {
       this.#safeAccept = accept || '*';
     }
+    if (from.constructor !== SafeNode) {
+      Reflect.setPrototypeOf(from, SafeNode.prototype);
+    }
     this.#safeError = null;
     this.#safeExplanation = null;
     this.#safeFrom = from;
     this.#safeName = name;
     this.#safeTo = null;
+    initializedSafeEdges.add(this);
     this.reload(true);
   }
   get accept() {
@@ -875,8 +706,11 @@ class SafeEdge extends Edge {
     return this.#safeExplanation;
   }
   reload(hard = false) {
+    if (!initializedSafeEdges.has(this)) {
+      // Skip if called during super constructor.
+      return;
+    }
     this.#safeExplanation = null;
-
     // Patch adding newOverrideSet and oldOverrideSet is based on
     // https://github.com/npm/cli/pull/7025.
     let newOverrideSet;
@@ -899,17 +733,15 @@ class SafeEdge extends Edge {
     }
     const newTo = this.#safeFrom?.resolve(this.name);
     if (newTo !== this.#safeTo) {
-      if (this.#safeTo) {
-        // Patch replacing
-        // this.#safeTo.edgesIn.delete(this)
-        // is based on https://github.com/npm/cli/pull/7025.
-        this.#safeTo.deleteEdgeIn(this);
-      }
+      // Patch replacing
+      // if (this.#safeTo) {
+      //   this.#safeTo.edgesIn.delete(this)
+      // }
+      // is based on https://github.com/npm/cli/pull/7025.
+      this.#safeTo?.deleteEdgeIn(this);
       this.#safeTo = newTo ?? null;
       this.#safeError = null;
-      if (this.#safeTo) {
-        this.#safeTo.addEdgeIn(this);
-      }
+      this.#safeTo?.addEdgeIn(this);
     } else if (hard) {
       this.#safeError = null;
     }
@@ -966,7 +798,7 @@ class SafeEdge extends Edge {
 }
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
-// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/node.js:
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
 class SafeNode extends Node {
   // Return true if it's safe to remove this node, because anything that is
   // depending on it would be fine with the thing that they would resolve to if
@@ -1066,6 +898,8 @@ class SafeNode extends Node {
     }
     return result;
   }
+
+  // Patch adding deleteEdgeIn is based on https://github.com/npm/cli/pull/7025.
   deleteEdgeIn(edge) {
     this.edgesIn.delete(edge);
     const {
@@ -1194,7 +1028,7 @@ class SafeNode extends Node {
     }
     // This is an error condition. We can only get here if the new override set
     // is in conflict with the existing.
-    log.silly('Conflicting override sets', this.name);
+    log?.silly('Conflicting override sets', this.name);
     return false;
   }
 
@@ -1234,7 +1068,7 @@ class SafeNode extends Node {
 }
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
-// is based on https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/override-set.js:
+// is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
 class SafeOverrideSet extends OverrideSet {
   // Patch adding childrenAreEqual is based on
   // https://github.com/npm/cli/pull/7025.
@@ -1337,7 +1171,7 @@ class SafeOverrideSet extends OverrideSet {
 }
 
 // Implementation code not related to our custom behavior is based on
-// https://github.com/npm/cli/blob/v10.9.0/workspaces/arborist/lib/arborist/index.js:
+// https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
 class SafeArborist extends Arborist {
   constructor(...ctorArgs) {
     const mutedArguments = [{
@@ -1356,6 +1190,7 @@ class SafeArborist extends Arborist {
   async [kRiskyReify](...args) {
     // SafeArborist has suffered side effects and must be rebuilt from scratch.
     const arb = new Arborist(...this[kCtorArgs]);
+    arb.idealTree = this.idealTree;
     const ret = await arb.reify(...args);
     Object.assign(this, arb);
     return ret;
@@ -1379,46 +1214,179 @@ class SafeArborist extends Arborist {
     options.dryRun = true;
     options['save'] = false;
     options['saveBundle'] = false;
-    // TODO: Make this deal w/ any refactor to private fields by punching the
+    // TODO: Make this deal with any refactor to private fields by punching the
     // class itself.
     await super.reify(...args);
-    const diff = walk(this['diff']);
     options.dryRun = old.dryRun;
     options['save'] = old.save;
     options['saveBundle'] = old.saveBundle;
-    // Nothing to check, mmm already installed or all private?
+    // Nothing to check, hmmm already installed or all private?
+    const diff = walk(this['diff']);
     if (diff.findIndex(c => c.repository_url === NPM_REGISTRY_URL) === -1) {
       return await this[kRiskyReify](...args);
     }
-    let proceed = ENV[UPDATE_SOCKET_OVERRIDES_IN_PACKAGE_LOCK_FILE];
-    if (!proceed) {
-      proceed = await ttyServer.captureTTY(async (input, output) => {
-        if (input && output) {
-          const alerts = await getPackagesAlerts(this, this['registry'], diff, output);
-          if (!alerts.length) {
-            return true;
-          }
-          return await prompts.confirm({
-            message: 'Accept risks of installing these packages?',
-            default: false
-          }, {
-            input,
-            output,
-            signal: abortSignal
-          });
-        } else if ((await getPackagesAlerts(this, this['registry'], diff, output)).length > 0) {
-          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so');
-        }
+    const input = process.stdin;
+    const output = process.stderr;
+    let alerts;
+    const proceed = ENV[SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE] || (await (async () => {
+      alerts = await getPackagesAlerts(this, diff, output);
+      if (!alerts.length || ENV[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]) {
         return true;
+      }
+      return await prompts.confirm({
+        message: 'Accept risks of installing these packages?',
+        default: false
+      }, {
+        input,
+        output,
+        signal: abortSignal
       });
-    }
+    })());
     if (proceed) {
+      const fix = !!alerts?.length && (ENV[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE] || (await prompts.confirm({
+        message: 'Try to fix alerts?',
+        default: true
+      }, {
+        input,
+        output,
+        signal: abortSignal
+      })));
+      if (fix) {
+        await updateAdvisoryDependencies(this, alerts);
+      }
       return await this[kRiskyReify](...args);
     } else {
       throw new Error('Socket npm exiting due to risks');
     }
   }
 }
+async function updateAdvisoryDependencies(arb, alerts) {
+  const report = packageAlertsToReport(alerts);
+  if (!report) {
+    // No advisories to process.
+    return;
+  }
+  await arb.buildIdealTree();
+  const tree = arb.idealTree;
+  for (const name of Object.keys(report)) {
+    const advisories = report[name];
+    const node = findPackageRecursively(tree, name);
+    if (!node) {
+      // Package not found in the tree.
+      continue;
+    }
+    const {
+      version
+    } = node;
+    const majorVerNum = semver.major(version);
+
+    // Fetch packument to get available versions.
+    // eslint-disable-next-line no-await-in-loop
+    const packument = await packages.fetchPackagePackument(name);
+    const availableVersions = packument ? Object.keys(packument.versions) : [];
+    for (const advisory of advisories) {
+      const {
+        vulnerable_versions
+      } = advisory;
+      // Find the highest non-vulnerable version within the same major range
+      const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerable_versions);
+      const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
+      // Check !targetVersion to make TypeScript happy.
+      if (!targetVersion || !targetPackument) {
+        // No suitable patch version found.
+        continue;
+      }
+
+      // Use Object.defineProperty to override the version.
+      Object.defineProperty(node, 'version', {
+        configurable: true,
+        enumerable: true,
+        get: () => targetVersion
+      });
+      node.package.version = targetVersion;
+      // Update resolved and clear integrity for the new version.
+      node.resolved = `https://registry.npmjs.org/${name}/-/${name}-${targetVersion}.tgz`;
+      if (node.integrity) {
+        delete node.integrity;
+      }
+      if ('deprecated' in targetPackument) {
+        node.package['deprecated'] = targetPackument.deprecated;
+      } else {
+        delete node.package['deprecated'];
+      }
+      const newDeps = {
+        ...targetPackument.dependencies
+      };
+      const {
+        dependencies: oldDeps
+      } = node.package;
+      node.package.dependencies = newDeps;
+      if (oldDeps) {
+        for (const oldDepName of Object.keys(oldDeps)) {
+          if (!objects.hasOwn(newDeps, oldDepName)) {
+            node.edgesOut.get(oldDepName)?.detach();
+          }
+        }
+      }
+      for (const newDepName of Object.keys(newDeps)) {
+        if (!objects.hasOwn(oldDeps, newDepName)) {
+          node.addEdgeOut(new Edge({
+            from: node,
+            name: newDepName,
+            spec: newDeps[newDepName],
+            type: 'prod'
+          }));
+        }
+      }
+    }
+  }
+}
+function findPackageRecursively(tree, packageName) {
+  const queue = [{
+    node: tree,
+    depth: 0
+  }];
+  let sentinel = 0;
+  while (queue.length) {
+    if (sentinel++ === LOOP_SENTINEL) {
+      throw new Error('Detected infinite loop in findPackageRecursively');
+    }
+    const {
+      depth,
+      node: currentNode
+    } = queue.pop();
+    const node = currentNode.children.get(packageName);
+    if (node) {
+      // Found package.
+      return node;
+    }
+    const children = [...currentNode.children.values()];
+    for (let i = children.length - 1; i >= 0; i -= 1) {
+      queue.push({
+        node: children[i],
+        depth: depth + 1
+      });
+    }
+  }
+  return null;
+}
+function findBestPatchVersion(name, availableVersions, currentMajorVersion, vulnerableRange) {
+  const manifestVersion = registry.getManifestData(NPM, name)?.version;
+  // Filter versions that are within the current major version and are not in the vulnerable range
+  const eligibleVersions = availableVersions.filter(version => {
+    const isSameMajor = semver.major(version) === currentMajorVersion;
+    const isNotVulnerable = !semver.satisfies(version, vulnerableRange);
+    if (isSameMajor && isNotVulnerable) {
+      return true;
+    }
+    return !!manifestVersion;
+  });
+  if (eligibleVersions.length === 0) {
+    return null;
+  }
+  // Use semver to find the max satisfying version.
+  return semver.maxSatisfying(eligibleVersions, '*');
+}
 function installSafeArborist() {
   const cache = require.cache;
   cache[arboristClassPath] = {
@@ -1435,7 +1403,10 @@ function installSafeArborist() {
   };
 }
 void (async () => {
-  const remoteSettings = await (async () => {
+  const {
+    orgs,
+    settings
+  } = await (async () => {
     try {
       const socketSdk = await sdk.setupSdk(pubToken);
       const orgResult = await socketSdk.getOrganizations();
@@ -1474,13 +1445,9 @@ void (async () => {
       throw e;
     }
   })();
-  const {
-    orgs,
-    settings
-  } = remoteSettings;
-  const enforcedOrgs = sdk.getSetting('enforcedOrgs') ?? [];
 
   // Remove any organizations not being enforced.
+  const enforcedOrgs = sdk.getSetting('enforcedOrgs') ?? [];
   for (const {
     0: i,
     1: org