socket 0.15.32 → 0.15.34

package/dist/cli.js

@@ -630,7 +630,7 @@ ${table}
     process.exitCode = 1;
     logger.logger.fail('There was a problem converting the logs to Markdown, please try the `--json` flag');
     if (debug.isDebug()) {
-      debug.debugFn('Unexpected error:\n', e);
+      debug.debugFn('catch: unexpected\n', e);
     }
     return '';
   }
@@ -1151,7 +1151,7 @@ async function run$O(argv, importMeta, {
 async function getDefaultOrgSlug() {
   const defaultOrgResult = utils.getConfigValueOrUndef('defaultOrg');
   if (defaultOrgResult) {
-    debug.debugFn('Using default org:', defaultOrgResult);
+    debug.debugFn('use: default org', defaultOrgResult);
     return {
       ok: true,
       data: defaultOrgResult
@@ -1183,7 +1183,7 @@ async function getDefaultOrgSlug() {
       data: `Was unable to determine the default organization for the current API token. Unable to continue.`
     };
   }
-  debug.debugFn('Resolved org to:', slug);
+  debug.debugFn('resolve: org', slug);
   return {
     ok: true,
     message: 'Retrieved default org from server',
@@ -1287,7 +1287,7 @@ async function fetchReportData(orgSlug, scanId, includeLicensePolicy) {
         return JSON.parse(line);
       } catch {
         ok = false;
-        debug.debugFn('NDJSON failed to parse the following line:\n', line);
+        debug.debugFn('fail: parse NDJSON\n', line);
         return;
       }
     });
@@ -3711,6 +3711,7 @@ async function gitCleanFdx(cwd = process.cwd()) {
     cwd,
     stdio: 'ignore'
   };
+  // TODO: propagate CResult?
   await spawn.spawn('git', ['clean', '-fdx'], stdioIgnoreOptions);
 }
 async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
@@ -3736,7 +3737,7 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
     await spawn.spawn('git', ['push', '--force', '--set-upstream', 'origin', branch], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn('Unexpected error:\n', e);
+    debug.debugFn('catch: unexpected\n', e);
   }
   try {
     // Will throw with exit code 1 if branch does not exist.
@@ -3766,7 +3767,7 @@ async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
       try {
         await spawn.spawn('git', ['config', prop, value], stdioIgnoreOptions);
       } catch (e) {
-        debug.debugFn('Unexpected error:\n', e);
+        debug.debugFn('catch: unexpected\n', e);
       }
     }
   }));
@@ -3795,12 +3796,24 @@ async function gitResetHard(branch = 'HEAD', cwd = process.cwd()) {
   await spawn.spawn('git', ['reset', '--hard', branch], stdioIgnoreOptions);
 }
 async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
-  const stdioPipeOptions = {
-    cwd
-  };
-  const stdout = (await spawn.spawn('git', ['diff', '--name-only'], stdioPipeOptions)).stdout.trim();
-  const rawFiles = stdout.split('\n') ?? [];
-  return rawFiles.map(relPath => path$1.normalizePath(relPath));
+  try {
+    const stdioPipeOptions = {
+      cwd
+    };
+    const stdout = (await spawn.spawn('git', ['diff', '--name-only'], stdioPipeOptions)).stdout.trim();
+    const rawFiles = stdout.split('\n') ?? [];
+    return {
+      ok: true,
+      data: rawFiles.map(relPath => path$1.normalizePath(relPath))
+    };
+  } catch (e) {
+    debug.debugFn('catch: git diff --name-only failed\n', e);
+    return {
+      ok: false,
+      message: 'Git Error',
+      cause: 'Unexpected error while trying to ask git whether repo is dirty'
+    };
+  }
 }
 
 let _octokit;
@@ -3891,14 +3904,14 @@ async function cleanupOpenPrs(owner, repo, newVersion, options) {
           pull_number: prNum,
           state: 'closed'
         });
-        debug.debugFn(`Closed ${prRef} for older version ${prToVersion}.`);
+        debug.debugFn(`close: ${prRef} for ${prToVersion}`);
         // Remove entry from parent object.
         context.parent.splice(context.index, 1);
         // Mark cache to be saved.
         cachesToSave.set(context.cacheKey, context.data);
         return null;
       } catch (e) {
-        debug.debugFn(`Failed to close ${prRef}: ${e?.message || 'Unknown error'}`);
+        debug.debugFn(`fail: close ${prRef}\n`, e?.message || 'unknown error');
       }
     }
     // Update stale PRs.
@@ -3911,7 +3924,7 @@ async function cleanupOpenPrs(owner, repo, newVersion, options) {
           base: match.headRefName,
           head: match.baseRefName
         });
-        debug.debugFn(`Updated stale ${prRef}.`);
+        debug.debugFn('update: stale', prRef);
         // Update entry entry.
         if (context.apiType === 'graphql') {
           context.entry.mergeStateStatus = 'CLEAN';
@@ -3922,7 +3935,7 @@ async function cleanupOpenPrs(owner, repo, newVersion, options) {
         cachesToSave.set(context.cacheKey, context.data);
       } catch (e) {
         const message = e?.message || 'Unknown error';
-        debug.debugFn(`Failed to update ${prRef}: ${message}`);
+        debug.debugFn(`fail: update ${prRef} - ${message}`);
       }
     }
     return match;
@@ -3989,6 +4002,9 @@ function getGitHubEnvRepoInfo() {
     repo: ownerSlashRepo.slice(slashIndex + 1)
   };
 }
+async function getOpenSocketPrs(owner, repo, options) {
+  return (await getOpenSocketPrsWithContext(owner, repo, options)).map(d => d.match);
+}
 async function getOpenSocketPrsWithContext(owner, repo, options_) {
   const options = {
     __proto__: null,
@@ -4111,7 +4127,7 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
   };
   // Lazily access constants.ENV.GITHUB_ACTIONS.
   if (!constants.ENV.GITHUB_ACTIONS) {
-    debug.debugFn('Missing GITHUB_ACTIONS environment variable.');
+    debug.debugFn('miss: GITHUB_ACTIONS env var');
     return null;
   }
   const octokit = getOctokit();
@@ -4160,7 +4176,7 @@ async function setGitRemoteGitHubRepoUrl(owner, repo, token, cwd = process.cwd()
   try {
     await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
   } catch (e) {
-    debug.debugFn('Unexpected error:\n', e);
+    debug.debugFn('catch: unexpected\n', e);
   }
 }
 
@@ -4215,10 +4231,24 @@ async function npmFix(pkgEnvDetails, {
   const {
     spinner
   } = constants;
-  spinner?.start();
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
+
+  // Lazily access constants.ENV properties.
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
+  spinner?.start();
+  let count = 0;
+  let repoInfo = null;
+  if (isCi) {
+    repoInfo = getGitHubEnvRepoInfo();
+    count += (await getOpenSocketPrs(repoInfo.owner, repoInfo.repo, {
+      author: gitUser
+    })).length;
+  }
   const arb = new shadowInject.Arborist({
     path: rootPath,
     ...shadowInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
@@ -4235,8 +4265,12 @@ async function npmFix(pkgEnvDetails, {
     }));
   } catch (e) {
     spinner?.stop();
-    logger.logger.error(e?.message || 'Unknown Socket batch PURL API error.');
-    return;
+    debug.debugFn('catch: PURL API\n', e);
+    return {
+      ok: false,
+      message: 'API Error',
+      cause: e?.message || 'Unknown Socket batch PURL API error.'
+    };
   }
   const infoByPkgName = utils.getCveInfoFromAlertsMap(alertsMap, {
     limit
@@ -4244,25 +4278,30 @@ async function npmFix(pkgEnvDetails, {
   if (!infoByPkgName) {
     spinner?.stop();
     logger.logger.info('No fixable vulns found.');
-    return;
+    return {
+      ok: true,
+      data: {
+        fixed: false
+      }
+    };
   }
-
-  // Lazily access constants.ENV properties.
-  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && token);
   const baseBranch = isCi ? getBaseGitBranch() : '';
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
+  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   const handleInstallFail = () => {
-    logger.logger.error(`Unexpected condition: ${pkgEnvDetails.agent} install failed.\n`);
+    debug.debugFn(`fail: ${pkgEnvDetails.agent} install\n`);
     logger.logger.dedent();
     spinner?.dedent();
+    return {
+      ok: false,
+      message: 'Installation failure',
+      cause: `Unexpected condition: ${pkgEnvDetails.agent} install failed.`
+    };
   };
   spinner?.stop();
-  let count = 0;
-  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   infoEntriesLoop: for (let i = 0, {
       length
     } = sortedInfoEntries; i < length; i += 1) {
@@ -4275,7 +4314,7 @@ async function npmFix(pkgEnvDetails, {
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(NPM$a, name)) {
-      debug.debugFn(`Socket Optimize package exists for ${name}.`);
+      debug.debugFn(`found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -4299,7 +4338,7 @@ async function npmFix(pkgEnvDetails, {
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
       const oldVersions = arrays.arrayUnique(shadowInject.findPackageNodes(actualTree, name).map(n => n.target?.version ?? n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn(`${name} not found, skipping.\n`);
+        debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
         logger.logger.dedent();
         spinner?.dedent();
@@ -4315,7 +4354,7 @@ async function npmFix(pkgEnvDetails, {
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
-        debug.debugFn(`Checking workspace ${workspace}.`);
+        debug.debugFn(`check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -4324,7 +4363,7 @@ async function npmFix(pkgEnvDetails, {
         const oldPurl = utils.idToPurl(oldId);
         const node = shadowInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn(`${oldId} not found, skipping.`);
+          debug.debugFn(`skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -4332,7 +4371,7 @@ async function npmFix(pkgEnvDetails, {
           vulnerableVersionRange
         } of infos.values()) {
           if (vendor.semverExports.gte(oldVersion, firstPatchedVersionIdentifier)) {
-            debug.debugFn(`${oldId} is >= ${firstPatchedVersionIdentifier}, skipping.`);
+            debug.debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
           const newVersion = shadowInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
@@ -4368,7 +4407,7 @@ async function npmFix(pkgEnvDetails, {
           if (!(await editablePkgJson.save({
             ignoreWhitespace: true
           }))) {
-            debug.debugFn(`${workspace}/package.json not changed, skipping.`);
+            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
             // Reset things just in case.
             if (isCi) {
               // eslint-disable-next-line no-await-in-loop
@@ -4410,9 +4449,15 @@ async function npmFix(pkgEnvDetails, {
           spinner?.stop();
           if (!errored && isCi) {
             try {
-              const moddedFilepaths =
               // eslint-disable-next-line no-await-in-loop
-              (await gitUnstagedModifiedFiles(cwd)).filter(p => {
+              const result = await gitUnstagedModifiedFiles(cwd);
+              if (!result.ok) {
+                // Do we fail if this fails? If this git command
+                // fails then probably other git commands do too?
+                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
+                continue infosLoop;
+              }
+              const moddedFilepaths = result.data.filter(p => {
                 const basename = path.basename(p);
                 return basename === 'package.json' || basename === 'package-lock.json';
               });
@@ -4420,23 +4465,24 @@ async function npmFix(pkgEnvDetails, {
                 logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
                 continue infosLoop;
               }
-              const repoInfo = getGitHubEnvRepoInfo();
               const branch = getSocketBranchName(oldPurl, newVersion, workspace);
               let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
               await prExistForBranch(repoInfo.owner, repoInfo.repo, branch)) {
                 skipPr = true;
-                debug.debugFn(`Branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: branch "${branch}" exists`);
               }
               // eslint-disable-next-line no-await-in-loop
               else if (await gitRemoteBranchExists(branch, cwd)) {
                 skipPr = true;
-                debug.debugFn(`Remote branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: remote branch "${branch}" exists`);
               } else if (
               // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
-                cwd
+                cwd,
+                email: gitEmail,
+                user: gitUser
               }))) {
                 skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
@@ -4450,15 +4496,14 @@ async function npmFix(pkgEnvDetails, {
                 });
                 if (!maybeActualTree) {
                   // Exit early if install fails.
-                  handleInstallFail();
-                  return;
+                  return handleInstallFail();
                 }
                 actualTree = maybeActualTree;
                 continue infosLoop;
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGitHubRepoUrl(repoInfo.owner, repoInfo.repo, token, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, newVersion, {
+              await Promise.allSettled([setGitRemoteGitHubRepoUrl(repoInfo.owner, repoInfo.repo, githubToken, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, newVersion, {
                 purl: oldPurl,
                 workspace
               })]);
@@ -4527,8 +4572,7 @@ async function npmFix(pkgEnvDetails, {
               spinner?.stop();
               if (!maybeActualTree) {
                 // Exit early if install fails.
-                handleInstallFail();
-                return;
+                return handleInstallFail();
               }
               actualTree = maybeActualTree;
             }
@@ -4555,6 +4599,12 @@ async function npmFix(pkgEnvDetails, {
     spinner?.dedent();
   }
   spinner?.stop();
+  return {
+    ok: true,
+    data: {
+      fixed: true
+    }
+  }; // true? did we actually change anything?
 }
 
 const {
@@ -4614,7 +4664,21 @@ async function pnpmFix(pkgEnvDetails, {
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
+
+  // Lazily access constants.ENV properties.
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
   spinner?.start();
+  let count = 0;
+  let repoInfo = null;
+  if (isCi) {
+    repoInfo = getGitHubEnvRepoInfo();
+    count += (await getOpenSocketPrs(repoInfo.owner, repoInfo.repo, {
+      author: gitUser
+    })).length;
+  }
   let actualTree;
   const lockfilePath = path.join(rootPath, 'pnpm-lock.yaml');
   let lockfileContent = await utils.readPnpmLockfile(lockfilePath);
@@ -4654,8 +4718,11 @@ async function pnpmFix(pkgEnvDetails, {
   // Check !lockfileContent to make TypeScript happy.
   if (!lockfile || !lockfileContent) {
     spinner?.stop();
-    logger.logger.error('Required pnpm-lock.yaml not found or usable.');
-    return;
+    return {
+      ok: false,
+      message: 'Missing lockfile',
+      cause: 'Required pnpm-lock.yaml not found or usable'
+    };
   }
   let alertsMap;
   try {
@@ -4666,8 +4733,12 @@ async function pnpmFix(pkgEnvDetails, {
     }));
   } catch (e) {
     spinner?.stop();
-    logger.logger.error(e?.message || 'Unknown Socket batch PURL API error.');
-    return;
+    debug.debugFn('catch: PURL API\n', e);
+    return {
+      ok: false,
+      message: 'API Error',
+      cause: e?.message || 'Unknown Socket batch PURL API error.'
+    };
   }
   const infoByPkgName = utils.getCveInfoFromAlertsMap(alertsMap, {
     limit
@@ -4675,25 +4746,29 @@ async function pnpmFix(pkgEnvDetails, {
   if (!infoByPkgName) {
     spinner?.stop();
     logger.logger.info('No fixable vulns found.');
-    return;
+    return {
+      ok: true,
+      data: {
+        fixed: false
+      }
+    };
   }
-
-  // Lazily access constants.ENV properties.
-  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && token);
   const baseBranch = isCi ? getBaseGitBranch() : '';
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
+  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   const handleInstallFail = () => {
-    logger.logger.error(`Unexpected condition: ${pkgEnvDetails.agent} install failed.\n`);
     logger.logger.dedent();
     spinner?.dedent();
+    return {
+      ok: false,
+      message: 'Install failed',
+      cause: `Unexpected condition: ${pkgEnvDetails.agent} install failed`
+    };
   };
   spinner?.stop();
-  let count = 0;
-  const sortedInfoEntries = [...infoByPkgName.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
   infoEntriesLoop: for (let i = 0, {
       length
     } = sortedInfoEntries; i < length; i += 1) {
@@ -4706,7 +4781,7 @@ async function pnpmFix(pkgEnvDetails, {
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(NPM$9, name)) {
-      debug.debugFn(`Socket Optimize package exists for ${name}.`);
+      debug.debugFn(`found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -4731,6 +4806,10 @@ async function pnpmFix(pkgEnvDetails, {
 
       // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
       if (!actualTree) {
+        if (!isCi) {
+          // eslint-disable-next-line no-await-in-loop
+          await utils.removeNodeModules(cwd);
+        }
         const maybeActualTree = isCi && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
         // eslint-disable-next-line no-await-in-loop
         await getActualTree(cwd) :
@@ -4749,12 +4828,11 @@ async function pnpmFix(pkgEnvDetails, {
       }
       if (!actualTree) {
         // Exit early if install fails.
-        handleInstallFail();
-        return;
+        return handleInstallFail();
       }
       const oldVersions = arrays.arrayUnique(shadowInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn(`${name} not found, skipping.\n`);
+        debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
         logger.logger.dedent();
         spinner?.dedent();
@@ -4773,7 +4851,7 @@ async function pnpmFix(pkgEnvDetails, {
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
-        debug.debugFn(`Checking workspace ${workspace}.`);
+        debug.debugFn(`check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -4782,7 +4860,7 @@ async function pnpmFix(pkgEnvDetails, {
         const oldPurl = utils.idToPurl(oldId);
         const node = shadowInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn(`${oldId} not found, skipping.`);
+          debug.debugFn(`skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -4790,7 +4868,7 @@ async function pnpmFix(pkgEnvDetails, {
           vulnerableVersionRange
         } of infos.values()) {
           if (vendor.semverExports.gte(oldVersion, firstPatchedVersionIdentifier)) {
-            debug.debugFn(`${oldId} is >= ${firstPatchedVersionIdentifier}, skipping.`);
+            debug.debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`);
             continue infosLoop;
           }
           const newVersion = shadowInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
@@ -4848,7 +4926,7 @@ async function pnpmFix(pkgEnvDetails, {
           if (!(await editablePkgJson.save({
             ignoreWhitespace: true
           }))) {
-            debug.debugFn(`${workspace}/package.json unchanged, skipping.`);
+            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
             // Reset things just in case.
             if (isCi) {
               // eslint-disable-next-line no-await-in-loop
@@ -4909,9 +4987,13 @@ async function pnpmFix(pkgEnvDetails, {
           spinner?.stop();
           if (!errored && isCi) {
             try {
-              const moddedFilepaths =
               // eslint-disable-next-line no-await-in-loop
-              (await gitUnstagedModifiedFiles(cwd)).filter(p => {
+              const result = await gitUnstagedModifiedFiles(cwd);
+              if (!result.ok) {
+                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
+                continue;
+              }
+              const moddedFilepaths = result.data.filter(p => {
                 const basename = path.basename(p);
                 return basename === 'package.json' || basename === 'pnpm-lock.yaml';
               });
@@ -4919,23 +5001,24 @@ async function pnpmFix(pkgEnvDetails, {
                 logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
                 continue infosLoop;
               }
-              const repoInfo = getGitHubEnvRepoInfo();
               const branch = getSocketBranchName(oldPurl, newVersion, workspace);
               let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
               await prExistForBranch(repoInfo.owner, repoInfo.repo, branch)) {
                 skipPr = true;
-                debug.debugFn(`Branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: branch "${branch}" exists`);
               }
               // eslint-disable-next-line no-await-in-loop
               else if (await gitRemoteBranchExists(branch, cwd)) {
                 skipPr = true;
-                debug.debugFn(`Remote branch "${branch}" exists, skipping PR creation.`);
+                debug.debugFn(`skip: remote branch "${branch}" exists`);
               } else if (
               // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
-                cwd
+                cwd,
+                email: gitEmail,
+                user: gitUser
               }))) {
                 skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
@@ -4957,12 +5040,11 @@ async function pnpmFix(pkgEnvDetails, {
                   continue infosLoop;
                 }
                 // Exit early if install fails.
-                handleInstallFail();
-                return;
+                return handleInstallFail();
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGitHubRepoUrl(repoInfo.owner, repoInfo.repo, token, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, newVersion, {
+              await Promise.allSettled([setGitRemoteGitHubRepoUrl(repoInfo.owner, repoInfo.repo, githubToken, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, newVersion, {
                 purl: oldPurl,
                 workspace
               })]);
@@ -5043,11 +5125,14 @@ async function pnpmFix(pkgEnvDetails, {
                 lockfileContent = maybeLockfileContent;
               } else {
                 // Exit early if install fails.
-                handleInstallFail();
-                return;
+                return handleInstallFail();
               }
             }
-            logger.logger.fail(`Update failed for ${oldId} in ${workspace}.`, ...(error ? [error] : []));
+            return {
+              ok: false,
+              message: 'Update failed',
+              cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
+            };
           }
           if (++count >= limit) {
             logger.logger.dedent();
@@ -5070,6 +5155,14 @@ async function pnpmFix(pkgEnvDetails, {
     spinner?.dedent();
   }
   spinner?.stop();
+
+  // Or, did we change anything?
+  return {
+    ok: true,
+    data: {
+      fixed: true
+    }
+  };
 }
 
 const {
@@ -5085,11 +5178,14 @@ async function runFix({
   test,
   testScript
 }) {
-  // TODO: make detectAndValidatePackageEnvironment return a CResult<pkgEnvDetails> and propagate it
-  const pkgEnvDetails = await utils.detectAndValidatePackageEnvironment(cwd, {
+  const result = await utils.detectAndValidatePackageEnvironment(cwd, {
     cmdName: CMD_NAME$1,
     logger: logger.logger
   });
+  if (!result.ok) {
+    return result;
+  }
+  const pkgEnvDetails = result.data;
   if (!pkgEnvDetails) {
     return {
       ok: false,
@@ -5102,8 +5198,7 @@ async function runFix({
     agent
   } = pkgEnvDetails;
   if (agent === NPM$8) {
-    // TODO: make npmFix return a CResult and propagate it
-    await npmFix(pkgEnvDetails, {
+    return await npmFix(pkgEnvDetails, {
       autoMerge,
       cwd,
       limit,
@@ -5113,8 +5208,7 @@ async function runFix({
       testScript
     });
   } else if (agent === PNPM$6) {
-    // TODO: make pnpmFix return a CResult and propagate it
-    await pnpmFix(pkgEnvDetails, {
+    return await pnpmFix(pkgEnvDetails, {
       autoMerge,
       cwd,
       limit,
@@ -5130,10 +5224,6 @@ async function runFix({
       cause: `${agent} is not supported by this command at the moment.`
     };
   }
-  return {
-    ok: true,
-    data: undefined
-  };
 }
 
 async function handleFix({
@@ -5218,10 +5308,14 @@ const config$F = {
   },
   help: (command, config) => `
     Usage
-      $ ${command}
+      $ ${command} [options] [CWD=.]
 
     Options
       ${utils.getFlagListOutput(config.flags, 6)}
+
+    Examples
+      $ ${command}
+      $ ${command} ./proj/tree --autoMerge
   `
 };
 const cmdFix = {
@@ -5248,7 +5342,6 @@ async function run$F(argv, importMeta, {
     rangeStyle,
     test
   } = cli.flags;
-  // TODO: impl json/md further
   const outputKind = utils.getOutputKind(json, markdown);
   let [cwd = '.'] = cli.input;
   // Note: path.resolve vs .join:
@@ -5568,9 +5661,9 @@ async function setupTabCompletion(targetName) {
 
   // Target dir is something like ~/.local/share/socket/settings/completion (linux)
   const targetDir = path.dirname(targetPath);
-  debug.debugFn('Target Path:', targetPath, ', Target Dir:', targetDir);
+  debug.debugFn('target: path + dir', targetPath, targetDir);
   if (!fs$1.existsSync(targetDir)) {
-    debug.debugFn('Dir does not exist, creating it now...');
+    debug.debugFn('create: target dir');
     fs$1.mkdirSync(targetDir, {
       recursive: true
     });
@@ -7950,34 +8043,43 @@ async function updateLockfile(pkgEnvDetails, options) {
     }
   } catch (e) {
     spinner?.stop();
-    logger?.fail(utils.cmdPrefixMessage(cmdName, `${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`));
-    logger?.error(e);
+    debug.debugFn('fail: update\n', e);
+    return {
+      ok: false,
+      message: 'Update failed',
+      cause: utils.cmdPrefixMessage(cmdName, `${pkgEnvDetails.agent} install failed to update ${pkgEnvDetails.lockName}`)
+    };
   }
   if (isSpinning) {
     spinner?.start();
   } else {
     spinner?.stop();
   }
+  return {
+    ok: true,
+    data: undefined
+  };
 }
 
 const {
   VLT
 } = constants;
-function createActionMessage(verb, overrideCount, workspaceCount) {
-  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
-}
 async function applyOptimization(cwd, pin, prod) {
-  const pkgEnvDetails = await utils.detectAndValidatePackageEnvironment(cwd, {
+  const result = await utils.detectAndValidatePackageEnvironment(cwd, {
     cmdName: CMD_NAME,
     logger: logger.logger,
     prod
   });
-  if (!pkgEnvDetails) {
-    return;
+  if (!result.ok) {
+    return result;
   }
+  const pkgEnvDetails = result.data;
   if (pkgEnvDetails.agent === VLT) {
-    logger.logger.warn(utils.cmdPrefixMessage(CMD_NAME, `${VLT} does not support overrides. Soon, though ⚡`));
-    return;
+    return {
+      ok: false,
+      message: 'Unsupported',
+      cause: utils.cmdPrefixMessage(CMD_NAME, `${VLT} does not support overrides. Soon, though ⚡`)
+    };
   }
 
   // Lazily access constants.spinner.
@@ -7995,22 +8097,66 @@ async function applyOptimization(cwd, pin, prod) {
   const updatedCount = state.updated.size;
   const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
   if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
-    await updateLockfile(pkgEnvDetails, {
+    const result = await updateLockfile(pkgEnvDetails, {
       cmdName: CMD_NAME,
       logger: logger.logger,
       spinner
     });
+    if (!result.ok) {
+      return result;
+    }
   }
   spinner.stop();
-  if (updatedCount > 0) {
-    logger.logger?.log(`${createActionMessage('Updated', updatedCount, state.updatedInWorkspaces.size)}${addedCount ? '.' : '🚀'}`);
+  return {
+    ok: true,
+    data: {
+      addedCount,
+      updatedCount,
+      pkgJsonChanged,
+      updatedInWorkspaces: state.updatedInWorkspaces.size,
+      addedInWorkspaces: state.addedInWorkspaces.size
+    }
+  };
+}
+
+async function outputOptimizeResult(result, outputKind) {
+  if (!result.ok) {
+    process.exitCode = result.code ?? 1;
   }
-  if (addedCount > 0) {
-    logger.logger?.log(`${createActionMessage('Added', addedCount, state.addedInWorkspaces.size)} 🚀`);
+  if (outputKind === 'json') {
+    logger.logger.log(utils.serializeResultJson(result));
+    return;
   }
-  if (!pkgJsonChanged) {
+  if (!result.ok) {
+    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
+    return;
+  }
+  const data = result.data;
+  if (data.updatedCount > 0) {
+    logger.logger?.log(`${createActionMessage('Updated', data.updatedCount, data.updatedInWorkspaces)}${data.addedCount ? '.' : '🚀'}`);
+  }
+  if (data.addedCount > 0) {
+    logger.logger?.log(`${createActionMessage('Added', data.addedCount, data.addedInWorkspaces)} 🚀`);
+  }
+  if (!data.pkgJsonChanged) {
     logger.logger?.log('Scan complete. No Socket.dev optimized overrides applied.');
   }
+  logger.logger.log('');
+  logger.logger.success('Finished!');
+  logger.logger.log('');
+}
+function createActionMessage(verb, overrideCount, workspaceCount) {
+  return `${verb} ${overrideCount} Socket.dev optimized ${words.pluralize('override', overrideCount)}${workspaceCount ? ` in ${workspaceCount} ${words.pluralize('workspace', workspaceCount)}` : ''}`;
+}
+
+async function handleOptimize({
+  cwd,
+  outputKind,
+  pin,
+  prod
+}) {
+  const result = await applyOptimization(cwd, pin, prod);
+  await outputOptimizeResult(result, outputKind);
 }
 
 const {
@@ -8035,14 +8181,14 @@ const config$q = {
   },
   help: (command, config) => `
     Usage
-      $ ${command}
+      $ ${command} [options] [CWD=.]
 
     Options
       ${utils.getFlagListOutput(config.flags, 6)}
 
     Examples
       $ ${command}
-      $ ${command} --pin
+      $ ${command} ./proj/tree --pin
   `
 };
 const cmdOptimize = {
@@ -8059,15 +8205,29 @@ async function run$q(argv, importMeta, {
     importMeta,
     parentName
   });
-
-  // TODO: impl json/md
-
-  const cwd = process.cwd();
+  const {
+    json,
+    markdown
+  } = cli.flags;
+  const {
+    pin,
+    prod
+  } = cli.flags;
+  const outputKind = utils.getOutputKind(json, markdown);
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAILING_NOW$o);
     return;
   }
-  await applyOptimization(cwd, Boolean(cli.flags['pin']), Boolean(cli.flags['prod']));
+  await handleOptimize({
+    cwd,
+    pin: Boolean(pin),
+    outputKind,
+    prod: Boolean(prod)
+  });
 }
 
 async function fetchOrganization() {
@@ -9726,7 +9886,7 @@ async function fetchListAllRepos({
       page: String(nextPage)
     }), 'list of repositories');
     if (!result.ok) {
-      debug.debugFn('At least one fetch failed, bailing...', result);
+      debug.debugFn('fail: fetch repo\n', result);
       return result;
     }
     result.data.results.forEach(row => rows.push(row));
@@ -11233,7 +11393,7 @@ async function scanOneRepo(repoSlug, {
     };
   }
   const tmpDir = fs$1.mkdtempSync(path.join(os.tmpdir(), repoSlug));
-  debug.debugFn('Temp dir for downloaded manifest (serves as scan root):', tmpDir);
+  debug.debugFn('init: temp dir for scan root', tmpDir);
   const downloadResult = await testAndDownloadManifestFiles({
     files,
     tmpDir,
@@ -11346,7 +11506,7 @@ async function testAndDownloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('Testing file:', file);
+  debug.debugFn('test: file', file);
   if (!SUPPORTED_FILE_PATTERNS.some(regex => regex.test(file))) {
     // Not an error.
     return {
@@ -11356,7 +11516,7 @@ async function testAndDownloadManifestFile({
       }
     };
   }
-  debug.debugLog(`[DEBUG] Found a manifest file: \`${file}\`, will download it to temp dir...`);
+  debug.debugFn('found: manifest file', file);
   const result = await downloadManifestFile({
     file,
     tmpDir,
@@ -11364,15 +11524,12 @@ async function testAndDownloadManifestFile({
     repoApiUrl,
     githubToken
   });
-  if (!result.ok) {
-    return result;
-  }
-  return {
+  return result.ok ? {
     ok: true,
     data: {
       isManifest: true
     }
-  };
+  } : result;
 }
 async function downloadManifestFile({
   defaultBranch,
@@ -11381,34 +11538,33 @@ async function downloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugLog(`[DEBUG] Requesting download url from GitHub...`);
+  debug.debugFn('request: download url from GitHub');
   const fileUrl = `${repoApiUrl}/contents/${file}?ref=${defaultBranch}`;
-  debug.debugFn('File url:', fileUrl);
+  debug.debugFn('url: file', fileUrl);
   const downloadUrlResponse = await fetch(fileUrl, {
     method: 'GET',
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
-  debug.debugLog(`[DEBUG] Request completed.`);
+  debug.debugFn('complete: request');
   const downloadUrlText = await downloadUrlResponse.text();
-  debug.debugFn('Raw download url response:', downloadUrlText);
+  debug.debugFn('response: raw download url', downloadUrlText);
   let downloadUrl;
   try {
     downloadUrl = JSON.parse(downloadUrlText).download_url;
   } catch {
     logger.logger.fail(`GitHub response contained invalid JSON for download url for: ${file}`);
-    debug.debugLog(`[DEBUG] The not-json-content:`);
-    debug.debugLog(downloadUrlText);
+    debug.debugFn('content: raw (not JSON)', downloadUrlText);
     return {
       ok: false,
       message: 'Invalid JSON response',
       cause: `Server responded with invalid JSON for download url ${downloadUrl}`
     };
   }
-  debug.debugLog(`[DEBUG] Downloading manifest file...`);
+  debug.debugFn('download: manifest file');
   const localPath = path.join(tmpDir, file);
-  debug.debugFn('Downloading from', downloadUrl, 'to', localPath);
+  debug.debugFn('download:', downloadUrl, '->', localPath);
 
   // Now stream the file to that file...
 
@@ -11495,14 +11651,14 @@ async function getLastCommitDetails({
 }) {
   logger.logger.info(`Requesting last commit for default branch ${defaultBranch} for ${orgGithub}/${repoSlug}...`);
   const commitApiUrl = `${repoApiUrl}/commits?sha=${defaultBranch}&per_page=1`;
-  debug.debugFn('Commit url:', commitApiUrl);
+  debug.debugFn('url: commit', commitApiUrl);
   const commitResponse = await fetch(commitApiUrl, {
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
   const commitText = await commitResponse.text();
-  debug.debugFn('Raw commit response:', commitText);
+  debug.debugFn('response: commit', commitText);
   let lastCommit;
   try {
     lastCommit = JSON.parse(commitText)?.[0];
@@ -11589,7 +11745,7 @@ async function getRepoDetails({
   repoSlug
 }) {
   const repoApiUrl = `${githubApiUrl}/repos/${orgGithub}/${repoSlug}`;
-  debug.debugFn('Repo URL:', repoApiUrl);
+  debug.debugFn('url: repo', repoApiUrl);
   const repoDetailsResponse = await fetch(repoApiUrl, {
     method: 'GET',
     headers: {
@@ -11598,7 +11754,7 @@ async function getRepoDetails({
   });
   logger.logger.success(`Request completed.`);
   const repoDetailsText = await repoDetailsResponse.text();
-  debug.debugFn('Raw repo response:', repoDetailsText);
+  debug.debugFn('response: repo', repoDetailsText);
   let repoDetails;
   try {
     repoDetails = JSON.parse(repoDetailsText);
@@ -11637,7 +11793,7 @@ async function getRepoBranchTree({
 }) {
   logger.logger.info(`Requesting default branch file tree; branch \`${defaultBranch}\`, repo \`${orgGithub}/${repoSlug}\`...`);
   const treeApiUrl = `${repoApiUrl}/git/trees/${defaultBranch}?recursive=1`;
-  debug.debugFn('Tree URL:', treeApiUrl);
+  debug.debugFn('url: tree', treeApiUrl);
   const treeResponse = await fetch(treeApiUrl, {
     method: 'GET',
     headers: {
@@ -11645,7 +11801,7 @@ async function getRepoBranchTree({
     }
   });
   const treeText = await treeResponse.text();
-  debug.debugFn('Raw tree response:', treeText);
+  debug.debugFn('response: tree', treeText);
   let treeDetails;
   try {
     treeDetails = JSON.parse(treeText);
@@ -12422,7 +12578,7 @@ async function fetchScan(orgSlug, scanId) {
       return JSON.parse(line);
     } catch {
       ok = false;
-      debug.debugFn('NDJSON failed to parse the following line:', line);
+      debug.debugFn('fail: parse NDJSON\n', line);
       return null;
     }
   });
@@ -13207,7 +13363,7 @@ Do you want to install "safe npm" (this will create an alias to the socket-npm c
       }
     }
   } catch (e) {
-    debug.debugFn('Failed to setup tab completion:\n', e);
+    debug.debugFn('fail: setup tab completion\n', e);
     // Ignore. Skip tab completion setup.
   }
   if (!updatedTabCompletion) {
@@ -13449,5 +13605,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=f63b101d-52ad-4179-9782-bc01737be1b3
+//# debugId=7e206930-1632-4ae3-b9bc-0c092c388970
 //# sourceMappingURL=cli.js.map