socket 0.14.41 → 0.14.43

package/dist/constants.d.ts

@@ -1,20 +1,28 @@
 import registryConstants from '@socketsecurity/registry/lib/constants';
 type RegistryEnv = typeof registryConstants.ENV;
-type IPCObject = {
+type RegistryInternals = (typeof registryConstants)['Symbol(kInternalsSymbol)'];
+type Internals = Omit<RegistryInternals, 'getIPC'> & Readonly<{
+    getIPC: {
+        (): Promise<IPC>;
+        <K extends keyof IPC | undefined>(key?: K): Promise<K extends keyof IPC ? IPC[K] : IPC>;
+    };
+}>;
+type ENV = RegistryEnv & Readonly<{
+    SOCKET_CLI_DEBUG: boolean;
+}>;
+type IPC = Readonly<{
     SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: boolean;
     SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE: boolean;
-    [key: string]: any;
-};
-type Constants = {
+}>;
+type Constants = Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {
+    readonly 'Symbol(kInternalsSymbol)': Internals;
     readonly API_V0_URL: 'https://api.socket.dev/v0';
     readonly BABEL_RUNTIME: '@babel/runtime';
     readonly BINARY_LOCK_EXT: '.lockb';
     readonly BUN: 'bun';
-    readonly ENV: RegistryEnv & {
-        SOCKET_CLI_DEBUG: boolean;
-    };
+    readonly ENV: ENV;
     readonly DIST_TYPE: 'module-sync' | 'require';
-    readonly IPC: IPCObject;
+    readonly IPC: IPC;
     readonly LOCK_EXT: '.lock';
     readonly MODULE_SYNC: 'module-sync';
     readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org';
@@ -38,7 +46,7 @@ type Constants = {
     readonly rootPkgJsonPath: string;
     readonly shadowBinPath: string;
     readonly synpBinPath: string;
-} & typeof registryConstants;
+};
 declare const constants: Constants;
 export { constants as default };
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAIA,OAAO,iBAAiB,MAAM,wCAAwC,CAAA;AAGtE,KAAK,WAAW,GAAG,OAAO,iBAAiB,CAAC,GAAG,CAAA;AAE/C,KAAK,SAAS,GAAG;IACf,gCAAgC,EAAE,OAAO,CAAA;IACzC,gDAAgD,EAAE,OAAO,CAAA;IACzD,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;CACnB,CAAA;AAED,KAAK,SAAS,GAAG;IACf,QAAQ,CAAC,UAAU,EAAE,2BAA2B,CAAA;IAChD,QAAQ,CAAC,aAAa,EAAE,gBAAgB,CAAA;IACxC,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAA;IAClC,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAA;IACnB,QAAQ,CAAC,GAAG,EAAE,WAAW,GAAG;QAC1B,gBAAgB,EAAE,OAAO,CAAA;KAC1B,CAAA;IACD,QAAQ,CAAC,SAAS,EAAE,aAAa,GAAG,SAAS,CAAA;IAC7C,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAA;IACnC,QAAQ,CAAC,gBAAgB,EAAE,4BAA4B,CAAA;IACvD,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAA;IACnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAA;IAC3B,QAAQ,CAAC,gBAAgB,EAAE,kBAAkB,CAAA;IAC7C,QAAQ,CAAC,gCAAgC,EAAE,kCAAkC,CAAA;IAC7E,QAAQ,CAAC,qBAAqB,EAAE,gDAAgD,CAAA;IAChF,QAAQ,CAAC,gDAAgD,EAAE,kDAAkD,CAAA;IAC7G,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAA;IACnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAA;IACjC,QAAQ,CAAC,YAAY,EAAE,cAAc,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAA;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAC7B,GAAG,OAAO,iBAAiB,CAAA;AAiF5B,QAAA,MAAM,SAAS,WAiDd,CAAA"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAIA,OAAO,iBAAiB,MAAM,wCAAwC,CAAA;AAWtE,KAAK,WAAW,GAAG,OAAO,iBAAiB,CAAC,GAAG,CAAA;AAE/C,KAAK,iBAAiB,GAAG,CAAC,OAAO,iBAAiB,CAAC,CAAC,0BAA0B,CAAC,CAAA;AAE/E,KAAK,SAAS,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,CAAC,GAChD,QAAQ,CAAC;IACP,MAAM,EAAE;QACN,IAAI,OAAO,CAAC,GAAG,CAAC,CAAA;QAChB,CAAC,CAAC,SAAS,MAAM,GAAG,GAAG,SAAS,EAC9B,GAAG,CAAC,EAAE,CAAC,GACN,OAAO,CAAC,CAAC,SAAS,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAA;KAC/C,CAAA;CACF,CAAC,CAAA;AAEJ,KAAK,GAAG,GAAG,WAAW,GACpB,QAAQ,CAAC;IACP,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAC,CAAA;AAEJ,KAAK,GAAG,GAAG,QAAQ,CAAC;IAClB,gCAAgC,EAAE,OAAO,CAAA;IACzC,gDAAgD,EAAE,OAAO,CAAA;CAC1D,CAAC,CAAA;AAEF,KAAK,SAAS,GAAG,IAAI,CACnB,OAAO,iBAAiB,EACxB,0BAA0B,GAAG,KAAK,GAAG,KAAK,CAC3C,GAAG;IACF,QAAQ,CAAC,0BAA0B,EAAE,SAAS,CAAA;IAC9C,QAAQ,CAAC,UAAU,EAAE,2BAA2B,CAAA;IAChD,QAAQ,CAAC,aAAa,EAAE,gBAAgB,CAAA;IACxC,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAA;IAClC,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAA;IACnB,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAA;IACjB,QAAQ,CAAC,SAAS,EAAE,aAAa,GAAG,SAAS,CAAA;IAC7C,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAA;IACjB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAA;IACnC,QAAQ,CAAC,gBAAgB,EAAE,4BAA4B,CAAA;IACvD,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAA;IACnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAA;IAC3B,QAAQ,CAAC,gBAAgB,EAAE,kBAAkB,CAAA;IAC7C,QAAQ,CAAC,gCAAgC,EAAE,kCAAkC,CAAA;IAC7E,QAAQ,CAAC,qBAAqB,EAAE,gDAAgD,CAAA;IAChF,QAAQ,CAAC,gDAAgD,EAAE,kDAAkD,CAAA;IAC7G,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAA;IACnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAA;IACjC,QAAQ,CAAC,YAAY,EAAE,cAAc,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAA;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAC7B,CAAA;AAyED,QAAA,MAAM,SAAS,WAiDd,CAAA"}

package/dist/module-sync/cli.js

@@ -24,7 +24,7 @@ var constants = require('./constants.js');
 var spinner = require('@socketsecurity/registry/lib/spinner');
 var spawn = _socketInterop(require('@npmcli/promise-spawn'));
 var objects = require('@socketsecurity/registry/lib/objects');
-var pathResolve = require('./path-resolve.js');
+var npmPaths = require('./npm-paths.js');
 var meow = _socketInterop(require('meow'));
 var registryConstants = require('@socketsecurity/registry/lib/constants');
 var socketUrl = require('./socket-url.js');
@@ -225,24 +225,36 @@ const {
 } = constants;
 function shadowNpmInstall(opts) {
   const {
-    flags = [],
+    flags: flags_ = [],
     ipc,
     ...spawnOptions
   } = {
     __proto__: null,
     ...opts
   };
+  const flags = flags_.filter(f => f !== '--audit' && f !== '--fund' && f !== '--progress' && f !== '--no-audit' && f !== '--no-fund' && f !== '--no-progress');
   const useIpc = objects.isObject(ipc);
-  const useDebug = pathResolve.isDebug();
-  const promise = spawn(
+  const useDebug = npmPaths.isDebug();
+  const spawnPromise = spawn(
   // Lazily access constants.execPath.
   constants.execPath, [
-  // Lazily access constants.rootBinPath.
-  path.join(constants.rootBinPath, 'npm-cli.js'), 'install',
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags, '--require',
+  // Lazily access constants.distPath.
+  path.join(constants.distPath, 'npm-injection.js'), npmPaths.getNpmBinPath(), 'install',
   // Even though the '--silent' flag is passed npm will still run through
   // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'
   // flags are passed.
-  ...(useDebug ? ['--no-audit', '--no-fund'] : ['--silent', '--no-audit', '--no-fund']), ...flags], {
+  '--no-audit', '--no-fund',
+  // Add `--no-progress` flags to fix input being swallowed by the spinner
+  // when running the command with recent versions of npm.
+  '--no-progress', ...(useDebug ||
+  // Detect loglevel flags:
+  flags.some(f =>
+  // https://docs.npmjs.com/cli/v11/using-npm/logging#setting-log-levels
+  f.startsWith('--loglevel') ||
+  // https://docs.npmjs.com/cli/v11/using-npm/logging#aliases
+  f === '-d' || f === '--dd' || f === '--ddd' || f === '-q' || f === '--quiet' || f === '-s' || f === '--silent') ? [] : ['--silent']), ...flags], {
     signal: abortSignal$3,
     // Set stdio to include 'ipc'.
     // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
@@ -259,9 +271,9 @@ function shadowNpmInstall(opts) {
     }
   });
   if (useIpc) {
-    promise.process.send(ipc);
+    spawnPromise.process.send(ipc);
   }
-  return promise;
+  return spawnPromise;
 }
 
 const {
@@ -1918,16 +1930,7 @@ async function setupCommand$j(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const {
-    path: binPath
-  } = await pathResolve.findBinPathDetails(binName$1);
-  if (!binPath) {
-    // The exit code 127 indicates that the command or binary being executed
-    // could not be found.
-    console.error(`Socket unable to locate ${binName$1}; ensure it is available in the PATH environment variable.`);
-    process$1.exit(127);
-  }
-  const spawnPromise = spawn(binPath, argv, {
+  const spawnPromise = spawn(npmPaths.getNpmBinPath(), argv, {
     signal: abortSignal$1,
     stdio: 'inherit'
   });
@@ -1986,16 +1989,7 @@ async function setupCommand$i(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const {
-    path: binPath
-  } = await pathResolve.findBinPathDetails(binName);
-  if (!binPath) {
-    // The exit code 127 indicates that the command or binary being executed
-    // could not be found.
-    console.error(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable.`);
-    process$1.exit(127);
-  }
-  const spawnPromise = spawn(binPath, argv, {
+  const spawnPromise = spawn(npmPaths.getNpxBinPath(), argv, {
     signal: abortSignal,
     stdio: 'inherit'
   });
@@ -2172,7 +2166,6 @@ const create$2 = {
         }));
         if (reportData) {
           formatReportDataOutput(reportData, {
-            includeAllIssues,
             name,
             outputJson,
             outputMarkdown,
@@ -2284,7 +2277,7 @@ async function setupCommand$g(name, description, argv, importMeta) {
       cause
     });
   });
-  const packagePaths = await pathResolve.getPackageFiles(cwd, cli.input, config$1, supportedFiles);
+  const packagePaths = await npmPaths.getPackageFiles(cwd, cli.input, config$1, supportedFiles);
   return {
     config: config$1,
     cwd,
@@ -2302,7 +2295,7 @@ async function createReport(packagePaths, {
   cwd,
   dryRun
 }) {
-  pathResolve.debugLog('Uploading:', packagePaths.join(`\n${pathResolve.logSymbols.info} Uploading: `));
+  npmPaths.debugLog('Uploading:', packagePaths.join(`\n${npmPaths.logSymbols.info} Uploading: `));
   if (dryRun) {
     return;
   }
@@ -2672,7 +2665,7 @@ async function setupCommand$e(name, description, argv, importMeta) {
       cause
     });
   });
-  const packagePaths = await pathResolve.getPackageFilesFullScans(cwd, cli.input, supportedFiles);
+  const packagePaths = await npmPaths.getPackageFilesFullScans(cwd, cli.input, supportedFiles);
   const {
     branch: branchName,
     repo: repoName
@@ -3787,7 +3780,7 @@ const dependencies = {
   }) {
     const name = parentName + ' dependencies';
     const input = setupCommand$3(name, dependencies.description, argv, importMeta);
-    {
+    if (input) {
       await searchDeps(input);
     }
   }
@@ -4355,7 +4348,7 @@ const threatFeed = {
   }) {
     const name = `${parentName} threat-feed`;
     const input = setupCommand(name, threatFeed.description, argv, importMeta);
-    {
+    if (input) {
       const apiKey = socketUrl.getDefaultToken();
       if (!apiKey) {
         throw new socketUrl.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
@@ -4576,7 +4569,7 @@ void (async () => {
     } else {
       errorTitle = 'Unexpected error with no details';
     }
-    console.error(`${pathResolve.logSymbols.error} ${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
+    console.error(`${npmPaths.logSymbols.error} ${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
     if (errorBody) {
       console.error(`\n${errorBody}`);
     }

package/dist/module-sync/npm-injection.js

@@ -24,14 +24,12 @@ var https = require('node:https');
 var readline = require('node:readline');
 var socketUrl = require('./socket-url.js');
 var promises = require('node:timers/promises');
-var pathResolve = require('./path-resolve.js');
-var fs = require('node:fs');
+var npmPaths = require('./npm-paths.js');
 var npa = _socketInterop(require('npm-package-arg'));
 
 const {
   LOOP_SENTINEL: LOOP_SENTINEL$2,
-  NPM_REGISTRY_URL: NPM_REGISTRY_URL$1,
-  SOCKET_CLI_FIX_PACKAGE_LOCK_FILE: SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1
+  NPM_REGISTRY_URL: NPM_REGISTRY_URL$1
 } = constants;
 function getUrlOrigin(input) {
   try {
@@ -41,8 +39,7 @@ function getUrlOrigin(input) {
 }
 function getPackagesToQueryFromDiff(diff_, options) {
   const {
-    // Lazily access constants.IPC.
-    includeUnchanged = constants.IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE$1],
+    includeUnchanged = false,
     includeUnknownOrigin = false
   } = {
     __proto__: null,
@@ -155,7 +152,7 @@ function isArtifactAlertCveFixable(alert) {
   const {
     type
   } = alert;
-  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'];
+  return (type === 'cve' || type === 'mediumCVE' || type === 'mildCVE' || type === 'criticalCVE') && !!alert.props?.['firstPatchedVersionIdentifier'] && !!alert.props?.['vulnerableVersionRange'];
 }
 function isArtifactAlertFixable(alert) {
   return alert.type === 'socketUpgradeAvailable' || isArtifactAlertCveFixable(alert);
@@ -374,31 +371,7 @@ void (async () => {
   _uxLookup = createAlertUXLookup(settings);
 })();
 
-const {
-  NODE_MODULES,
-  SOCKET_CLI_ISSUES_URL
-} = constants;
-const npmEntrypoint = fs.realpathSync.native(process.argv[1]);
-const npmRootPath = pathResolve.findRoot(path.dirname(npmEntrypoint));
-if (npmRootPath === undefined) {
-  console.error(`Unable to find npm CLI install directory.
-Searched parent directories of ${npmEntrypoint}.
-
-This is may be a bug with socket-npm related to changes to the npm CLI.
-Please report to ${SOCKET_CLI_ISSUES_URL}.`);
-  // The exit code 127 indicates that the command or binary being executed
-  // could not be found.
-  process.exit(127);
-}
-const npmNmPath = path.join(npmRootPath, NODE_MODULES);
-const arboristPkgPath = path.join(npmNmPath, '@npmcli/arborist');
-const arboristClassPath = path.join(arboristPkgPath, 'lib/arborist/index.js');
-const arboristDepValidPath = path.join(arboristPkgPath, 'lib/dep-valid.js');
-const arboristEdgeClassPath = path.join(arboristPkgPath, 'lib/edge.js');
-const arboristNodeClassPath = path.join(arboristPkgPath, 'lib/node.js');
-const arboristOverrideSetClassPath = path.join(arboristPkgPath, 'lib/override-set.js');
-
-const depValid = require(arboristDepValidPath);
+const depValid = require(npmPaths.getArboristDepValidPath());
 
 const {
   UNDEFINED_TOKEN
@@ -428,6 +401,7 @@ function tryRequire(...ids) {
 let _log = UNDEFINED_TOKEN;
 function getLogger() {
   if (_log === UNDEFINED_TOKEN) {
+    const npmNmPath = npmPaths.getNpmNodeModulesPath();
     _log = tryRequire([path.join(npmNmPath, 'proc-log/lib/index.js'),
     // The proc-log DefinitelyTyped definition is incorrect. The type definition
     // is really that of its export log.
@@ -439,7 +413,7 @@ function getLogger() {
 const {
   LOOP_SENTINEL: LOOP_SENTINEL$1
 } = constants;
-const OverrideSet = require(arboristOverrideSetClassPath);
+const OverrideSet = require(npmPaths.getArboristOverrideSetClassPath());
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/override-set.js:
@@ -576,7 +550,7 @@ class SafeOverrideSet extends OverrideSet {
   }
 }
 
-const Node = require(arboristNodeClassPath);
+const Node = require(npmPaths.getArboristNodeClassPath());
 
 // Implementation code not related to patch https://github.com/npm/cli/pull/7025
 // is based on https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/node.js:
@@ -849,7 +823,7 @@ class SafeNode extends Node {
   }
 }
 
-const Edge = require(arboristEdgeClassPath);
+const Edge = require(npmPaths.getArboristEdgeClassPath());
 
 // The Edge class makes heavy use of private properties which subclasses do NOT
 // have access to. So we have to recreate any functionality that relies on those
@@ -1119,15 +1093,19 @@ const {
   NPM_REGISTRY_URL,
   SOCKET_CLI_FIX_PACKAGE_LOCK_FILE,
   SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE,
-  abortSignal
+  abortSignal,
+  kInternalsSymbol,
+  [kInternalsSymbol]: {
+    getIPC
+  }
 } = constants;
 const formatter = new socketUrl.ColorOrMarkdown(false);
-function findBestPatchVersion(name, availableVersions, currentMajorVersion, vulnerableRange) {
+function findBestPatchVersion(name, availableVersions, currentMajorVersion, vulnerableVersionRange, _firstPatchedVersionIdentifier) {
   const manifestVersion = registry.getManifestData(NPM, name)?.version;
   // Filter versions that are within the current major version and are not in the vulnerable range
   const eligibleVersions = availableVersions.filter(version => {
     const isSameMajor = semver.major(version) === currentMajorVersion;
-    const isNotVulnerable = !semver.satisfies(version, vulnerableRange);
+    const isNotVulnerable = !semver.satisfies(version, vulnerableVersionRange);
     if (isSameMajor && isNotVulnerable) {
       return true;
     }
@@ -1273,7 +1251,7 @@ async function getPackagesAlerts(details, options) {
       packageAlerts.push(...alerts);
     }
   } catch (e) {
-    pathResolve.debugLog(e);
+    npmPaths.debugLog(e);
   } finally {
     spinner$1?.stop();
   }
@@ -1289,39 +1267,36 @@ function getTranslations() {
   return _translations;
 }
 async function updateAdvisoryDependencies(arb, alerts) {
-  let alertsByPkg;
+  let patchDataByPkg;
   for (const alert of alerts) {
     if (!isArtifactAlertCveFixable(alert.raw)) {
       continue;
     }
-    if (!alertsByPkg) {
-      alertsByPkg = {};
+    if (!patchDataByPkg) {
+      patchDataByPkg = {};
     }
     const {
       name
     } = alert;
-    if (!alertsByPkg[name]) {
-      alertsByPkg[name] = [];
-    }
-    const props = alert.raw?.props;
-    alertsByPkg[name].push({
-      id: -1,
-      url: props?.url,
-      title: props?.title,
-      severity: alert.raw?.severity?.toLowerCase(),
-      vulnerable_versions: props?.vulnerableVersionRange,
-      cwe: props?.cwes,
-      cvss: props?.csvs,
-      name
+    if (!patchDataByPkg[name]) {
+      patchDataByPkg[name] = [];
+    }
+    const {
+      firstPatchedVersionIdentifier,
+      vulnerableVersionRange
+    } = alert.raw.props;
+    patchDataByPkg[name].push({
+      firstPatchedVersionIdentifier,
+      vulnerableVersionRange
     });
   }
-  if (!alertsByPkg) {
+  if (!patchDataByPkg) {
     // No advisories to process.
     return;
   }
   await arb.buildIdealTree();
   const tree = arb.idealTree;
-  for (const name of Object.keys(alertsByPkg)) {
+  for (const name of Object.keys(patchDataByPkg)) {
     const nodes = findPackageNodes(tree, name);
     if (!nodes.length) {
       continue;
@@ -1335,13 +1310,13 @@ async function updateAdvisoryDependencies(arb, alerts) {
       } = node;
       const majorVerNum = semver.major(version);
       const availableVersions = packument ? Object.keys(packument.versions) : [];
-      const pkgAlerts = alertsByPkg[name];
-      for (const alert of pkgAlerts) {
-        const {
-          vulnerable_versions
-        } = alert;
+      const patchData = patchDataByPkg[name];
+      for (const {
+        firstPatchedVersionIdentifier,
+        vulnerableVersionRange
+      } of patchData) {
         // Find the highest non-vulnerable version within the same major range
-        const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerable_versions);
+        const targetVersion = findBestPatchVersion(name, availableVersions, majorVerNum, vulnerableVersionRange);
         const targetPackument = targetVersion ? packument.versions[targetVersion] : undefined;
         // Check !targetVersion to make TypeScript happy.
         if (!targetVersion || !targetPackument) {
@@ -1393,27 +1368,28 @@ async function updateAdvisoryDependencies(arb, alerts) {
     }
   }
 }
+const kRiskyReify = Symbol('riskyReify');
 async function reify(...args) {
+  const IPC = await getIPC();
+  const runningFixCommand = !!IPC[SOCKET_CLI_FIX_PACKAGE_LOCK_FILE];
   // We are assuming `this[_diffTrees]()` has been called by `super.reify(...)`:
   // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/reify.js#L141
-  const needInfoOn = getPackagesToQueryFromDiff(this.diff);
+  let needInfoOn = getPackagesToQueryFromDiff(this.diff, {
+    includeUnchanged: runningFixCommand
+  });
   if (!needInfoOn.length) {
     // Nothing to check, hmmm already installed or all private?
     return await this[kRiskyReify](...args);
   }
-  // Lazily access constants.IPC.
-  const {
-    [SOCKET_CLI_FIX_PACKAGE_LOCK_FILE]: bypassConfirms,
-    [SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE]: bypassAlerts
-  } = constants.IPC;
+  const runningOptimizeCommand = !!IPC[SOCKET_CLI_UPDATE_OVERRIDES_IN_PACKAGE_LOCK_FILE];
   const {
     stderr: output,
     stdin: input
   } = process;
-  let alerts = bypassAlerts ? [] : await getPackagesAlerts(needInfoOn, {
+  let alerts = runningOptimizeCommand ? [] : await getPackagesAlerts(needInfoOn, {
     output
   });
-  if (alerts.length && !bypassConfirms && !(await prompts.confirm({
+  if (alerts.length && !runningFixCommand && !(await prompts.confirm({
     message: 'Accept risks of installing these packages?',
     default: false
   }, {
@@ -1423,14 +1399,7 @@ async function reify(...args) {
   }))) {
     throw new Error('Socket npm exiting due to risks');
   }
-  if (!alerts.length || !bypassConfirms && !(await prompts.confirm({
-    message: 'Try to fix alerts?',
-    default: true
-  }, {
-    input,
-    output,
-    signal: abortSignal
-  }))) {
+  if (!alerts.length || !runningFixCommand) {
     return await this[kRiskyReify](...args);
   }
   const prev = new Set(alerts.map(a => a.key));
@@ -1441,28 +1410,28 @@ async function reify(...args) {
     ret = await this[kRiskyReify](...args);
     await this.loadActual();
     await this.buildIdealTree();
-    alerts = (await getPackagesAlerts(getPackagesToQueryFromDiff(this.diff, {
+    needInfoOn = getPackagesToQueryFromDiff(this.diff, {
       includeUnchanged: true
-    }), {
+    });
+    alerts = (await getPackagesAlerts(needInfoOn, {
       includeExisting: true,
       includeUnfixable: true
     })).filter(({
       key
     }) => {
-      if (prev.has(key)) {
-        return false;
+      const unseen = !prev.has(key);
+      if (unseen) {
+        prev.add(key);
       }
-      prev.add(key);
-      return true;
+      return unseen;
     });
   }
   /* eslint-enable no-await-in-loop */
   return ret;
 }
 
-const Arborist = require(arboristClassPath);
+const Arborist = require(npmPaths.getArboristClassPath());
 const kCtorArgs = Symbol('ctorArgs');
-const kRiskyReify = Symbol('riskyReify');
 
 // Implementation code not related to our custom behavior is based on
 // https://github.com/npm/cli/blob/v11.0.0/workspaces/arborist/lib/arborist/index.js:
@@ -1519,16 +1488,16 @@ function installSafeArborist() {
   // Override '@npmcli/arborist' module exports with patched variants based on
   // https://github.com/npm/cli/pull/7025.
   const cache = require.cache;
-  cache[arboristClassPath] = {
+  cache[npmPaths.getArboristClassPath()] = {
     exports: SafeArborist
   };
-  cache[arboristEdgeClassPath] = {
+  cache[npmPaths.getArboristEdgeClassPath()] = {
     exports: SafeEdge
   };
-  cache[arboristNodeClassPath] = {
+  cache[npmPaths.getArboristNodeClassPath()] = {
     exports: SafeNode
   };
-  cache[arboristOverrideSetClassPath] = {
+  cache[npmPaths.getArboristOverrideSetClassPath()] = {
     exports: SafeOverrideSet
   };
 }

package/dist/module-sync/npm-paths.d.ts

@@ -0,0 +1,14 @@
+declare function directoryPatterns(): string[];
+declare function getNpmBinPath(): string;
+declare function isNpmBinPathShadowed(): boolean;
+declare function getNpxBinPath(): string;
+declare function isNpxBinPathShadowed(): boolean;
+declare function getNpmPath(): string;
+declare function getNpmNodeModulesPath(): string;
+declare function getArboristPackagePath(): string;
+declare function getArboristClassPath(): string;
+declare function getArboristDepValidPath(): string;
+declare function getArboristEdgeClassPath(): string;
+declare function getArboristNodeClassPath(): string;
+declare function getArboristOverrideSetClassPath(): string;
+export { directoryPatterns, getNpmBinPath, isNpmBinPathShadowed, getNpxBinPath, isNpxBinPathShadowed, getNpmPath, getNpmNodeModulesPath, getArboristPackagePath, getArboristClassPath, getArboristDepValidPath, getArboristEdgeClassPath, getArboristNodeClassPath, getArboristOverrideSetClassPath };

package/dist/module-sync/{path-resolve.js → npm-paths.js}

@@ -12,6 +12,7 @@ function _socketInterop(e) {
 var fs = require('node:fs');
 var path = require('node:path');
 var process = require('node:process');
+var constants = require('./constants.js');
 var ignore = _socketInterop(require('ignore'));
 var micromatch = _socketInterop(require('micromatch'));
 var tinyglobby = _socketInterop(require('tinyglobby'));
@@ -19,7 +20,6 @@ var which = _socketInterop(require('which'));
 var colors = _socketInterop(require('yoctocolors-cjs'));
 var isUnicodeSupported = require('@socketregistry/is-unicode-supported/index.cjs');
 var spinner = require('@socketsecurity/registry/lib/spinner');
-var constants = require('./constants.js');
 
 const logSymbols = isUnicodeSupported() ? {
   __proto__: null,
@@ -89,11 +89,11 @@ function directoryPatterns() {
 }
 
 const {
-  NPM,
+  NPM: NPM$1,
   shadowBinPath
 } = constants;
 async function filterGlobResultToSupportedFiles(entries, supportedFiles) {
-  const patterns = ['golang', NPM, 'pypi'].reduce((r, n) => {
+  const patterns = ['golang', NPM$1, 'pypi'].reduce((r, n) => {
     const supported = supportedFiles[n];
     r.push(...(supported ? Object.values(supported).map(p => `**/${p.pattern}`) : []));
     return r;
@@ -181,25 +181,12 @@ function pathsToPatterns(paths) {
   // TODO: Does not support `~/` paths.
   return paths.map(p => p === '.' ? '**/*' : p);
 }
-function findRoot(filepath) {
-  let curPath = filepath;
-  while (true) {
-    if (path.basename(curPath) === NPM) {
-      return curPath;
-    }
-    const parent = path.dirname(curPath);
-    if (parent === curPath) {
-      return undefined;
-    }
-    curPath = parent;
-  }
-}
-async function findBinPathDetails(binName) {
+function findBinPathDetailsSync(binName) {
   let shadowIndex = -1;
-  const bins = (await which(binName, {
+  const bins = which.sync(binName, {
     all: true,
     nothrow: true
-  })) ?? [];
+  }) ?? [];
   const binPath = bins.find((binPath, i) => {
     // Skip our bin directory if it's in the front.
     if (fs.realpathSync(path.dirname(binPath)) === shadowBinPath) {
@@ -214,6 +201,19 @@ async function findBinPathDetails(binName) {
     shadowed: shadowIndex !== -1
   };
 }
+function findNpmPathSync(filepath) {
+  let curPath = filepath;
+  while (true) {
+    if (path.basename(curPath) === NPM$1) {
+      return curPath;
+    }
+    const parent = path.dirname(curPath);
+    if (parent === curPath) {
+      return undefined;
+    }
+    curPath = parent;
+  }
+}
 async function getPackageFiles(cwd, inputPaths, config, supportedFiles) {
   debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths);
   const entries = await globWithGitIgnore(pathsToPatterns(inputPaths), {
@@ -236,11 +236,139 @@ async function getPackageFilesFullScans(cwd, inputPaths, supportedFiles, debugLo
   return packageFiles;
 }
 
+const {
+  NODE_MODULES,
+  NPM,
+  NPX,
+  SOCKET_CLI_ISSUES_URL
+} = constants;
+function exitWithBinPathError(binName) {
+  console.error(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable.`);
+  // The exit code 127 indicates that the command or binary being executed
+  // could not be found.
+  process.exit(127);
+}
+let _npmBinPathDetails;
+function getNpmBinPathDetails() {
+  if (_npmBinPathDetails === undefined) {
+    _npmBinPathDetails = findBinPathDetailsSync(NPM);
+  }
+  return _npmBinPathDetails;
+}
+let _npxBinPathDetails;
+function getNpxBinPathDetails() {
+  if (_npxBinPathDetails === undefined) {
+    _npxBinPathDetails = findBinPathDetailsSync(NPX);
+  }
+  return _npxBinPathDetails;
+}
+let _npmBinPath;
+function getNpmBinPath() {
+  if (_npmBinPath === undefined) {
+    _npmBinPath = getNpmBinPathDetails().path;
+    if (!_npmBinPath) {
+      exitWithBinPathError(NPM);
+    }
+  }
+  return _npmBinPath;
+}
+function isNpmBinPathShadowed() {
+  return getNpmBinPathDetails().shadowed;
+}
+let _npxBinPath;
+function getNpxBinPath() {
+  if (_npxBinPath === undefined) {
+    _npxBinPath = getNpxBinPathDetails().path;
+    if (!_npxBinPath) {
+      exitWithBinPathError(NPX);
+    }
+  }
+  return _npxBinPath;
+}
+function isNpxBinPathShadowed() {
+  return getNpxBinPathDetails().shadowed;
+}
+let _npmPath;
+function getNpmPath() {
+  if (_npmPath === undefined) {
+    const npmEntrypoint = path.dirname(fs.realpathSync.native(getNpmBinPath()));
+    _npmPath = findNpmPathSync(npmEntrypoint);
+    if (!_npmPath) {
+      console.error(`Unable to find npm CLI install directory.
+    Searched parent directories of ${npmEntrypoint}.
+
+    This is may be a bug with socket-npm related to changes to the npm CLI.
+    Please report to ${SOCKET_CLI_ISSUES_URL}.`);
+      // The exit code 127 indicates that the command or binary being executed
+      // could not be found.
+      process.exit(127);
+    }
+  }
+  return _npmPath;
+}
+let _npmNmPath;
+function getNpmNodeModulesPath() {
+  if (_npmNmPath === undefined) {
+    _npmNmPath = path.join(getNpmPath(), NODE_MODULES);
+  }
+  return _npmNmPath;
+}
+let _arboristPkgPath;
+function getArboristPackagePath() {
+  if (_arboristPkgPath === undefined) {
+    _arboristPkgPath = path.join(getNpmNodeModulesPath(), '@npmcli/arborist');
+  }
+  return _arboristPkgPath;
+}
+let _arboristClassPath;
+function getArboristClassPath() {
+  if (_arboristClassPath === undefined) {
+    _arboristClassPath = path.join(getArboristPackagePath(), 'lib/arborist/index.js');
+  }
+  return _arboristClassPath;
+}
+let _arboristDepValidPath;
+function getArboristDepValidPath() {
+  if (_arboristDepValidPath === undefined) {
+    _arboristDepValidPath = path.join(getArboristPackagePath(), 'lib/dep-valid.js');
+  }
+  return _arboristDepValidPath;
+}
+let _arboristEdgeClassPath;
+function getArboristEdgeClassPath() {
+  if (_arboristEdgeClassPath === undefined) {
+    _arboristEdgeClassPath = path.join(getArboristPackagePath(), 'lib/edge.js');
+  }
+  return _arboristEdgeClassPath;
+}
+let _arboristNodeClassPath;
+function getArboristNodeClassPath() {
+  if (_arboristNodeClassPath === undefined) {
+    _arboristNodeClassPath = path.join(getArboristPackagePath(), 'lib/node.js');
+  }
+  return _arboristNodeClassPath;
+}
+let _arboristOverrideSetClassPath;
+function getArboristOverrideSetClassPath() {
+  if (_arboristOverrideSetClassPath === undefined) {
+    _arboristOverrideSetClassPath = path.join(getArboristPackagePath(), 'lib/override-set.js');
+  }
+  return _arboristOverrideSetClassPath;
+}
+
 exports.debugLog = debugLog;
-exports.findBinPathDetails = findBinPathDetails;
-exports.findRoot = findRoot;
+exports.getArboristClassPath = getArboristClassPath;
+exports.getArboristDepValidPath = getArboristDepValidPath;
+exports.getArboristEdgeClassPath = getArboristEdgeClassPath;
+exports.getArboristNodeClassPath = getArboristNodeClassPath;
+exports.getArboristOverrideSetClassPath = getArboristOverrideSetClassPath;
+exports.getNpmBinPath = getNpmBinPath;
+exports.getNpmNodeModulesPath = getNpmNodeModulesPath;
+exports.getNpxBinPath = getNpxBinPath;
 exports.getPackageFiles = getPackageFiles;
 exports.getPackageFilesFullScans = getPackageFilesFullScans;
 exports.isDebug = isDebug;
+exports.isNpmBinPathShadowed = isNpmBinPathShadowed;
+exports.isNpxBinPathShadowed = isNpxBinPathShadowed;
 exports.logSymbols = logSymbols;
 exports.logger = logger;

package/dist/module-sync/path-resolve.d.ts

@@ -1,13 +1,12 @@
 /// <reference types="node" />
 import { SocketYml } from '@socketsecurity/config';
 import { SocketSdkReturnType } from '@socketsecurity/sdk';
-declare function directoryPatterns(): string[];
-declare function findRoot(filepath: string): string | undefined;
-declare function findBinPathDetails(binName: string): Promise<{
+declare function findBinPathDetailsSync(binName: string): {
     name: string;
     path: string | undefined;
     shadowed: boolean;
-}>;
+};
+declare function findNpmPathSync(filepath: string): string | undefined;
 declare function getPackageFiles(cwd: string, inputPaths: string[], config: SocketYml | undefined, supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data']): Promise<string[]>;
 declare function getPackageFilesFullScans(cwd: string, inputPaths: string[], supportedFiles: SocketSdkReturnType<'getReportSupportedFiles'>['data'], debugLog?: typeof console.error): Promise<string[]>;
-export { directoryPatterns, findRoot, findBinPathDetails, getPackageFiles, getPackageFilesFullScans };
+export { findBinPathDetailsSync, findNpmPathSync, getPackageFiles, getPackageFilesFullScans };

package/dist/module-sync/shadow-bin.js

@@ -13,21 +13,16 @@ var path = require('node:path');
 var process = require('node:process');
 var spawn = _socketInterop(require('@npmcli/promise-spawn'));
 var cmdShim = _socketInterop(require('cmd-shim'));
+var npmPaths = require('./npm-paths.js');
 var constants = require('./constants.js');
-var pathResolve = require('./path-resolve.js');
 
+const {
+  NPX
+} = constants;
 async function installLinks(realBinPath, binName) {
+  const isNpx = binName === NPX;
   // Find package manager being shadowed by this process.
-  const {
-    path: binPath,
-    shadowed
-  } = await pathResolve.findBinPathDetails(binName);
-  if (!binPath) {
-    // The exit code 127 indicates that the command or binary being executed
-    // could not be found.
-    console.error(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable.`);
-    process.exit(127);
-  }
+  const binPath = isNpx ? npmPaths.getNpxBinPath() : npmPaths.getNpmBinPath();
   // Lazily access constants.WIN32.
   const {
     WIN32
@@ -36,6 +31,7 @@ async function installLinks(realBinPath, binName) {
   if (WIN32 && binPath) {
     return binPath;
   }
+  const shadowed = isNpx ? npmPaths.isNpxBinPathShadowed() : npmPaths.isNpmBinPathShadowed();
   // Move our bin directory to front of PATH so its found first.
   if (!shadowed) {
     if (WIN32) {
@@ -62,10 +58,14 @@ async function shadowBin(binName, binArgs = process.argv.slice(2)) {
   // Lazily access constants.distPath.
   path.join(constants.distPath, 'npm-injection.js'),
   // Lazily access constants.shadowBinPath.
-  await installLinks(constants.shadowBinPath, binName), ...binArgs,
-  // Add the `--quiet` and `--no-progress` flags to fix input being swallowed
-  // by the spinner when running the command with recent versions of npm.
-  ...(binName === NPM && binArgs.includes('install') && !binArgs.includes('--no-progress') && !binArgs.includes('--quiet') ? ['--no-progress', '--quiet'] : [])], {
+  await installLinks(constants.shadowBinPath, binName), ...(binName === NPM && binArgs.includes('install') ? [
+  // Add the `--quiet` and `--no-progress` flags to fix input being
+  // swallowed by the spinner when running the command with recent
+  // versions of npm.
+  ...binArgs.filter(a => a !== '--progress' && a !== '--no-progress'), '--no-progress',
+  // Add the '--quiet' flag if an equivalent flag is not provided.
+  // https://docs.npmjs.com/cli/v11/using-npm/logging#aliases
+  ...(binArgs.includes('-q') || binArgs.includes('--quiet') || binArgs.includes('-s') || binArgs.includes('--silent') ? [] : ['--quiet'])] : binArgs)], {
     signal: abortSignal,
     stdio: 'inherit'
   });

package/dist/module-sync/socket-url.js

@@ -12,7 +12,7 @@ function _socketInterop(e) {
 var terminalLink = _socketInterop(require('terminal-link'));
 var colors = _socketInterop(require('yoctocolors-cjs'));
 var indentString = require('@socketregistry/indent-string/index.cjs');
-var pathResolve = require('./path-resolve.js');
+var npmPaths = require('./npm-paths.js');
 var process = require('node:process');
 var hpagent = _socketInterop(require('hpagent'));
 var isInteractive = require('@socketregistry/is-interactive/index.cjs');
@@ -82,7 +82,7 @@ class ColorOrMarkdown {
     return this.useMarkdown ? `* ${indentedContent.join('\n* ')}\n` : `${indentedContent.join('\n')}\n`;
   }
   get logSymbols() {
-    return this.useMarkdown ? markdownLogSymbols : pathResolve.logSymbols;
+    return this.useMarkdown ? markdownLogSymbols : npmPaths.logSymbols;
   }
 }
 
@@ -146,7 +146,7 @@ function getSettings() {
         try {
           Object.assign(_settings, JSON.parse(Buffer.from(raw, 'base64').toString()));
         } catch {
-          pathResolve.logger.warn(`Failed to parse settings at ${settingsPath}`);
+          npmPaths.logger.warn(`Failed to parse settings at ${settingsPath}`);
         }
       } else {
         fs.mkdirSync(path.dirname(settingsPath), {
@@ -170,7 +170,7 @@ function getSettingsPath() {
       if (WIN32) {
         if (!_warnedSettingPathWin32Missing) {
           _warnedSettingPathWin32Missing = true;
-          pathResolve.logger.warn(`Missing %${LOCALAPPDATA}%`);
+          npmPaths.logger.warn(`Missing %${LOCALAPPDATA}%`);
         }
       } else {
         dataHome = path.join(os.homedir(), ...(process.platform === 'darwin' ? ['Library', 'Application Support'] : ['.local', 'share']));

package/dist/require/cli.js

@@ -24,7 +24,7 @@ var constants = require('./constants.js');
 var spinner = require('@socketsecurity/registry/lib/spinner');
 var spawn = _socketInterop(require('@npmcli/promise-spawn'));
 var objects = require('@socketsecurity/registry/lib/objects');
-var pathResolve = require('./path-resolve.js');
+var npmPaths = require('./npm-paths.js');
 var registryConstants = require('@socketsecurity/registry/lib/constants');
 var socketUrl = require('./socket-url.js');
 var terminalLink = _socketInterop(require('terminal-link'));
@@ -223,24 +223,36 @@ const {
 } = constants;
 function shadowNpmInstall(opts) {
   const {
-    flags = [],
+    flags: flags_ = [],
     ipc,
     ...spawnOptions
   } = {
     __proto__: null,
     ...opts
   };
+  const flags = flags_.filter(f => f !== '--audit' && f !== '--fund' && f !== '--progress' && f !== '--no-audit' && f !== '--no-fund' && f !== '--no-progress');
   const useIpc = objects.isObject(ipc);
-  const useDebug = pathResolve.isDebug();
-  const promise = spawn(
+  const useDebug = npmPaths.isDebug();
+  const spawnPromise = spawn(
   // Lazily access constants.execPath.
   constants.execPath, [
-  // Lazily access constants.rootBinPath.
-  path.join(constants.rootBinPath, 'npm-cli.js'), 'install',
+  // Lazily access constants.nodeNoWarningsFlags.
+  ...constants.nodeNoWarningsFlags, '--require',
+  // Lazily access constants.distPath.
+  path.join(constants.distPath, 'npm-injection.js'), npmPaths.getNpmBinPath(), 'install',
   // Even though the '--silent' flag is passed npm will still run through
   // code paths for 'audit' and 'fund' unless '--no-audit' and '--no-fund'
   // flags are passed.
-  ...(useDebug ? ['--no-audit', '--no-fund'] : ['--silent', '--no-audit', '--no-fund']), ...flags], {
+  '--no-audit', '--no-fund',
+  // Add `--no-progress` flags to fix input being swallowed by the spinner
+  // when running the command with recent versions of npm.
+  '--no-progress', ...(useDebug ||
+  // Detect loglevel flags:
+  flags.some(f =>
+  // https://docs.npmjs.com/cli/v11/using-npm/logging#setting-log-levels
+  f.startsWith('--loglevel') ||
+  // https://docs.npmjs.com/cli/v11/using-npm/logging#aliases
+  f === '-d' || f === '--dd' || f === '--ddd' || f === '-q' || f === '--quiet' || f === '-s' || f === '--silent') ? [] : ['--silent']), ...flags], {
     signal: abortSignal$3,
     // Set stdio to include 'ipc'.
     // See https://github.com/nodejs/node/blob/v23.6.0/lib/child_process.js#L161-L166
@@ -257,9 +269,9 @@ function shadowNpmInstall(opts) {
     }
   });
   if (useIpc) {
-    promise.process.send(ipc);
+    spawnPromise.process.send(ipc);
   }
-  return promise;
+  return spawnPromise;
 }
 
 const {
@@ -1916,16 +1928,7 @@ async function setupCommand$j(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const {
-    path: binPath
-  } = await pathResolve.findBinPathDetails(binName$1);
-  if (!binPath) {
-    // The exit code 127 indicates that the command or binary being executed
-    // could not be found.
-    console.error(`Socket unable to locate ${binName$1}; ensure it is available in the PATH environment variable.`);
-    process$1.exit(127);
-  }
-  const spawnPromise = spawn(binPath, argv, {
+  const spawnPromise = spawn(npmPaths.getNpmBinPath(), argv, {
     signal: abortSignal$1,
     stdio: 'inherit'
   });
@@ -1984,16 +1987,7 @@ async function setupCommand$i(name, description, argv, importMeta) {
     cli.showHelp();
     return;
   }
-  const {
-    path: binPath
-  } = await pathResolve.findBinPathDetails(binName);
-  if (!binPath) {
-    // The exit code 127 indicates that the command or binary being executed
-    // could not be found.
-    console.error(`Socket unable to locate ${binName}; ensure it is available in the PATH environment variable.`);
-    process$1.exit(127);
-  }
-  const spawnPromise = spawn(binPath, argv, {
+  const spawnPromise = spawn(npmPaths.getNpxBinPath(), argv, {
     signal: abortSignal,
     stdio: 'inherit'
   });
@@ -2170,7 +2164,6 @@ const create$2 = {
         }));
         if (reportData) {
           formatReportDataOutput(reportData, {
-            includeAllIssues,
             name,
             outputJson,
             outputMarkdown,
@@ -2282,7 +2275,7 @@ async function setupCommand$g(name, description, argv, importMeta) {
       cause
     });
   });
-  const packagePaths = await pathResolve.getPackageFiles(cwd, cli.input, config$1, supportedFiles);
+  const packagePaths = await npmPaths.getPackageFiles(cwd, cli.input, config$1, supportedFiles);
   return {
     config: config$1,
     cwd,
@@ -2300,7 +2293,7 @@ async function createReport(packagePaths, {
   cwd,
   dryRun
 }) {
-  pathResolve.debugLog('Uploading:', packagePaths.join(`\n${pathResolve.logSymbols.info} Uploading: `));
+  npmPaths.debugLog('Uploading:', packagePaths.join(`\n${npmPaths.logSymbols.info} Uploading: `));
   if (dryRun) {
     return;
   }
@@ -2670,7 +2663,7 @@ async function setupCommand$e(name, description, argv, importMeta) {
       cause
     });
   });
-  const packagePaths = await pathResolve.getPackageFilesFullScans(cwd, cli.input, supportedFiles);
+  const packagePaths = await npmPaths.getPackageFilesFullScans(cwd, cli.input, supportedFiles);
   const {
     branch: branchName,
     repo: repoName
@@ -3785,7 +3778,7 @@ const dependencies = {
   }) {
     const name = parentName + ' dependencies';
     const input = setupCommand$3(name, dependencies.description, argv, importMeta);
-    {
+    if (input) {
       await searchDeps(input);
     }
   }
@@ -4353,7 +4346,7 @@ const threatFeed = {
   }) {
     const name = `${parentName} threat-feed`;
     const input = setupCommand(name, threatFeed.description, argv, importMeta);
-    {
+    if (input) {
       const apiKey = socketUrl.getDefaultToken();
       if (!apiKey) {
         throw new socketUrl.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
@@ -4574,7 +4567,7 @@ void (async () => {
     } else {
       errorTitle = 'Unexpected error with no details';
     }
-    console.error(`${pathResolve.logSymbols.error} ${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
+    console.error(`${npmPaths.logSymbols.error} ${colors.bgRed(colors.white(errorTitle + ':'))} ${errorMessage}`);
     if (errorBody) {
       console.error(`\n${errorBody}`);
     }

package/dist/require/npm-paths.js

@@ -0,0 +1,3 @@
+'use strict'
+
+module.exports = require('../module-sync/npm-paths.js')

package/dist/require/vendor.js

@@ -1707,22 +1707,15 @@ function redent(string, count = 0, options = {}) {
 }
 const debug$1 = typeof process === 'object' && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error('SEMVER', ...args) : () => {};
 var debug_1 = debug$1;
-const SEMVER_SPEC_VERSION = '2.0.0';
 const MAX_LENGTH$1 = 256;
 const MAX_SAFE_INTEGER$1 = Number.MAX_SAFE_INTEGER || 9007199254740991;
 const MAX_SAFE_COMPONENT_LENGTH = 16;
 const MAX_SAFE_BUILD_LENGTH = MAX_LENGTH$1 - 6;
-const RELEASE_TYPES = ['major', 'premajor', 'minor', 'preminor', 'patch', 'prepatch', 'prerelease'];
 var constants$1 = {
   MAX_LENGTH: MAX_LENGTH$1,
   MAX_SAFE_COMPONENT_LENGTH,
   MAX_SAFE_BUILD_LENGTH,
-  MAX_SAFE_INTEGER: MAX_SAFE_INTEGER$1,
-  RELEASE_TYPES,
-  SEMVER_SPEC_VERSION,
-  FLAG_INCLUDE_PRERELEASE: 0b001,
-  FLAG_LOOSE: 0b010
-};
+  MAX_SAFE_INTEGER: MAX_SAFE_INTEGER$1};
 var re$1 = {
   exports: {}
 };
@@ -1828,11 +1821,8 @@ const compareIdentifiers$1 = (a, b) => {
   }
   return a === b ? 0 : anum && !bnum ? -1 : bnum && !anum ? 1 : a < b ? -1 : 1;
 };
-const rcompareIdentifiers = (a, b) => compareIdentifiers$1(b, a);
 var identifiers = {
-  compareIdentifiers: compareIdentifiers$1,
-  rcompareIdentifiers
-};
+  compareIdentifiers: compareIdentifiers$1};
 const debug = debug_1;
 const {
   MAX_LENGTH,
@@ -4694,9 +4684,9 @@ function versionIncluded(nodeVersion, specifierValue) {
   if (typeof specifierValue === 'boolean') {
     return specifierValue;
   }
-  var current = typeof nodeVersion === 'undefined' ? process.versions && process.versions.node : nodeVersion;
+  var current = process.versions && process.versions.node ;
   if (typeof current !== 'string') {
-    throw new TypeError(typeof nodeVersion === 'undefined' ? 'Unable to determine current node version' : 'If provided, a valid node version is required');
+    throw new TypeError('Unable to determine current node version' );
   }
   if (specifierValue && typeof specifierValue === 'object') {
     for (var i = 0; i < specifierValue.length; ++i) {
@@ -6765,7 +6755,6 @@ function getSupportLevel$1(stream) {
   return translateLevel$1(level);
 }
 var supportsColor_1$1 = {
-  supportsColor: getSupportLevel$1,
   stdout: getSupportLevel$1(process.stdout),
   stderr: getSupportLevel$1(process.stderr)
 };
@@ -7391,7 +7380,6 @@ function getSupportLevel(stream) {
   return translateLevel(level);
 }
 var supportsColor_1 = {
-  supportsColor: getSupportLevel,
   stdout: getSupportLevel(process.stdout),
   stderr: getSupportLevel(process.stderr)
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "0.14.41",
+  "version": "0.14.43",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli",
   "license": "MIT",
@@ -61,14 +61,14 @@
   },
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
-    "@cyclonedx/cdxgen": "^11.1.5",
+    "@cyclonedx/cdxgen": "^11.1.7",
     "@npmcli/promise-spawn": "^8.0.2",
     "@socketregistry/hyrious__bun.lockb": "^1.0.12",
     "@socketregistry/indent-string": "^1.0.9",
     "@socketregistry/is-interactive": "^1.0.1",
     "@socketregistry/is-unicode-supported": "^1.0.0",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.78",
+    "@socketsecurity/registry": "^1.0.81",
     "@socketsecurity/sdk": "^1.4.5",
     "blessed": "^0.1.81",
     "blessed-contrib": "^4.11.0",
@@ -102,7 +102,7 @@
     "@babel/preset-env": "^7.26.7",
     "@babel/preset-typescript": "^7.26.0",
     "@babel/runtime": "^7.26.7",
-    "@eslint/compat": "^1.2.5",
+    "@eslint/compat": "^1.2.6",
     "@eslint/js": "^9.19.0",
     "@rollup/plugin-commonjs": "^28.0.2",
     "@rollup/plugin-json": "^6.1.0",
@@ -115,7 +115,7 @@
     "@types/micromatch": "^4.0.9",
     "@types/mocha": "^10.0.10",
     "@types/mock-fs": "^4.13.4",
-    "@types/node": "^22.12.0",
+    "@types/node": "^22.13.0",
     "@types/npmcli__arborist": "^6.3.0",
     "@types/npmcli__promise-spawn": "^6.0.3",
     "@types/proc-log": "^3.0.4",
@@ -141,10 +141,10 @@
     "mock-fs": "^5.4.1",
     "nock": "^14.0.0",
     "npm-run-all2": "^7.0.2",
-    "oxlint": "0.15.8",
+    "oxlint": "0.15.9",
     "prettier": "3.4.2",
     "read-package-up": "^11.0.0",
-    "rollup": "4.32.1",
+    "rollup": "4.34.1",
     "rollup-plugin-ts": "^3.4.5",
     "type-coverage": "^2.29.7",
     "typescript": "5.4.5",
@@ -152,6 +152,7 @@
     "unplugin-purge-polyfills": "^0.0.7"
   },
   "overrides": {
+    "@socketregistry/packageurl-js": "npm:@socketregistry/packageurl-js@^1",
     "aggregate-error": "npm:@socketregistry/aggregate-error@^1",
     "es-define-property": "npm:@socketregistry/es-define-property@^1",
     "function-bind": "npm:@socketregistry/function-bind@^1",
@@ -178,6 +179,7 @@
     "yaml": "$yaml"
   },
   "resolutions": {
+    "@socketregistry/packageurl-js": "npm:@socketregistry/packageurl-js@^1",
     "aggregate-error": "npm:@socketregistry/aggregate-error@^1",
     "es-define-property": "npm:@socketregistry/es-define-property@^1",
     "function-bind": "npm:@socketregistry/function-bind@^1",

package/dist/require/path-resolve.js

@@ -1,3 +0,0 @@
-'use strict'
-
-module.exports = require('../module-sync/path-resolve.js')