socket 0.15.54 → 0.15.55

package/dist/cli.js

@@ -305,7 +305,7 @@ async function handleAnalytics({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$O
 } = constants;
-const config$T = {
+const config$U = {
   commandName: 'analytics',
   description: `Look up analytics data`,
   hidden: false,
@@ -367,16 +367,16 @@ const config$T = {
   .replace(/\n(?: *\n)+/g, '\n\n')
 };
 const cmdAnalytics = {
-  description: config$T.description,
-  hidden: config$T.hidden,
-  run: run$T
+  description: config$U.description,
+  hidden: config$U.hidden,
+  run: run$U
 };
-async function run$T(argv, importMeta, {
+async function run$U(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$T,
+    config: config$U,
     importMeta,
     parentName
   });
@@ -663,7 +663,7 @@ const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$N,
   SOCKET_WEBSITE_URL: SOCKET_WEBSITE_URL$3
 } = constants;
-const config$S = {
+const config$T = {
   commandName: 'audit-log',
   description: 'Look up the audit log for an organization',
   hidden: false,
@@ -717,16 +717,16 @@ const config$S = {
   `
 };
 const cmdAuditLog = {
-  description: config$S.description,
-  hidden: config$S.hidden,
-  run: run$S
+  description: config$T.description,
+  hidden: config$T.hidden,
+  run: run$T
 };
-async function run$S(argv, importMeta, {
+async function run$T(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$S,
+    config: config$T,
     importMeta,
     parentName
   });
@@ -1059,7 +1059,7 @@ const yargsConfig = {
   'usages-slices-file' // hidden
   ]
 };
-const config$R = {
+const config$S = {
   commandName: 'cdxgen',
   description: 'Create an SBOM with CycloneDX generator (cdxgen)',
   hidden: false,
@@ -1069,17 +1069,17 @@ const config$R = {
   help: () => ''
 };
 const cmdManifestCdxgen = {
-  description: config$R.description,
-  hidden: config$R.hidden,
-  run: run$R
+  description: config$S.description,
+  hidden: config$S.hidden,
+  run: run$S
 };
-async function run$R(argv, importMeta, {
+async function run$S(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     // Don't let meow take over --help.
     argv: argv.filter(a => !utils.isHelpFlag(a)),
-    config: config$R,
+    config: config$S,
     importMeta,
     parentName
   });
@@ -1130,15 +1130,15 @@ async function handleCdxgen(argv, importMeta, {
   });
 }
 
-const config$Q = {
+const config$R = {
   description: 'Create an SBOM with CycloneDX generator (cdxgen)',
   hidden: true};
 const cmdCdxgen = {
-  description: config$Q.description,
-  hidden: config$Q.hidden,
-  run: run$Q
+  description: config$R.description,
+  hidden: config$R.hidden,
+  run: run$R
 };
-async function run$Q(argv, importMeta, {
+async function run$R(argv, importMeta, {
   parentName
 }) {
   logger.logger.warn('Warning: The `socket cdxgen` command moved to `socket manifest cdxgen` and will be removed as a toplevel command in the next major bump.');
@@ -2373,7 +2373,7 @@ async function handleCI(autoManifest) {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$L
 } = constants;
-const config$P = {
+const config$Q = {
   commandName: 'ci',
   description: 'Create a new scan and report whether it passes your security policy',
   hidden: true,
@@ -2391,7 +2391,7 @@ const config$P = {
       $ ${parentName}
 
     Options
-      ${utils.getFlagListOutput(config$P.flags, 6)}
+      ${utils.getFlagListOutput(config$Q.flags, 6)}
 
     This command is intended to use in CI runs to allow automated systems to
     accept or reject a current build. When the scan does not pass your security
@@ -2406,16 +2406,16 @@ const config$P = {
   `
 };
 const cmdCI = {
-  description: config$P.description,
-  hidden: config$P.hidden,
-  run: run$P
+  description: config$Q.description,
+  hidden: config$Q.hidden,
+  run: run$Q
 };
-async function run$P(argv, importMeta, {
+async function run$Q(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$P,
+    config: config$Q,
     importMeta,
     parentName
   });
@@ -2666,7 +2666,7 @@ async function handleConfigAuto({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$K
 } = constants;
-const config$O = {
+const config$P = {
   commandName: 'auto',
   description: 'Automatically discover and set the correct value config item',
   hidden: false,
@@ -2695,16 +2695,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigAuto = {
-  description: config$O.description,
-  hidden: config$O.hidden,
-  run: run$O
+  description: config$P.description,
+  hidden: config$P.hidden,
+  run: run$P
 };
-async function run$O(argv, importMeta, {
+async function run$P(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$O,
+    config: config$P,
     importMeta,
     parentName
   });
@@ -2780,7 +2780,7 @@ async function handleConfigGet({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$J
 } = constants;
-const config$N = {
+const config$O = {
   commandName: 'get',
   description: 'Get the value of a local CLI config item',
   hidden: false,
@@ -2804,16 +2804,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigGet = {
-  description: config$N.description,
-  hidden: config$N.hidden,
-  run: run$N
+  description: config$O.description,
+  hidden: config$O.hidden,
+  run: run$O
 };
-async function run$N(argv, importMeta, {
+async function run$O(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$N,
+    config: config$O,
     importMeta,
     parentName
   });
@@ -2918,7 +2918,7 @@ async function outputConfigList({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$I
 } = constants;
-const config$M = {
+const config$N = {
   commandName: 'list',
   description: 'Show all local CLI config items and their values',
   hidden: false,
@@ -2947,16 +2947,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigList = {
-  description: config$M.description,
-  hidden: config$M.hidden,
-  run: run$M
+  description: config$N.description,
+  hidden: config$N.hidden,
+  run: run$N
 };
-async function run$M(argv, importMeta, {
+async function run$N(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$M,
+    config: config$N,
     importMeta,
     parentName
   });
@@ -3028,7 +3028,7 @@ async function handleConfigSet({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$H
 } = constants;
-const config$L = {
+const config$M = {
   commandName: 'set',
   description: 'Update the value of a local CLI config item',
   hidden: false,
@@ -3057,16 +3057,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigSet = {
-  description: config$L.description,
-  hidden: config$L.hidden,
-  run: run$L
+  description: config$M.description,
+  hidden: config$M.hidden,
+  run: run$M
 };
-async function run$L(argv, importMeta, {
+async function run$M(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$L,
+    config: config$M,
     importMeta,
     parentName
   });
@@ -3150,7 +3150,7 @@ async function handleConfigUnset({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$G
 } = constants;
-const config$K = {
+const config$L = {
   commandName: 'unset',
   description: 'Clear the value of a local CLI config item',
   hidden: false,
@@ -3174,16 +3174,16 @@ ${Array.from(utils.supportedConfigKeys.entries()).map(([key, desc]) => `     - $
   `
 };
 const cmdConfigUnset = {
-  description: config$K.description,
-  hidden: config$K.hidden,
-  run: run$K
+  description: config$L.description,
+  hidden: config$L.hidden,
+  run: run$L
 };
-async function run$K(argv, importMeta, {
+async function run$L(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$K,
+    config: config$L,
     importMeta,
     parentName
   });
@@ -3320,7 +3320,7 @@ async function handleDependencies({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$F
 } = constants;
-const config$J = {
+const config$K = {
   commandName: 'dependencies',
   description: 'Search for any dependency that is being used in your organization',
   hidden: false,
@@ -3356,16 +3356,16 @@ const config$J = {
   `
 };
 const cmdScanCreate$1 = {
-  description: config$J.description,
-  hidden: config$J.hidden,
-  run: run$J
+  description: config$K.description,
+  hidden: config$K.hidden,
+  run: run$K
 };
-async function run$J(argv, importMeta, {
+async function run$K(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$J,
+    config: config$K,
     importMeta,
     parentName
   });
@@ -3493,7 +3493,7 @@ async function handleDiffScan$1({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$E
 } = constants;
-const config$I = {
+const config$J = {
   commandName: 'get',
   description: 'Get a diff scan for an organization',
   hidden: false,
@@ -3552,16 +3552,16 @@ const config$I = {
   `
 };
 const cmdDiffScanGet = {
-  description: config$I.description,
-  hidden: config$I.hidden,
-  run: run$I
+  description: config$J.description,
+  hidden: config$J.hidden,
+  run: run$J
 };
-async function run$I(argv, importMeta, {
+async function run$J(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$I,
+    config: config$J,
     importMeta,
     parentName
   });
@@ -5385,7 +5385,7 @@ async function handleFix({
 const {
   DRY_RUN_NOT_SAVING
 } = constants;
-const config$H = {
+const config$I = {
   commandName: 'fix',
   description: 'Update dependencies with "fixable" Socket alerts',
   hidden: false,
@@ -5453,16 +5453,16 @@ const config$H = {
   `
 };
 const cmdFix = {
-  description: config$H.description,
-  hidden: config$H.hidden,
-  run: run$H
+  description: config$I.description,
+  hidden: config$I.hidden,
+  run: run$I
 };
-async function run$H(argv, importMeta, {
+async function run$I(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$H,
+    config: config$I,
     importMeta,
     parentName
   });
@@ -5666,7 +5666,7 @@ async function handlePackageInfo({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$D
 } = constants;
-const config$G = {
+const config$H = {
   commandName: 'info',
   description: 'Look up info regarding a package',
   hidden: true,
@@ -5691,16 +5691,16 @@ const config$G = {
   `
 };
 const cmdInfo = {
-  description: config$G.description,
-  hidden: config$G.hidden,
-  run: run$G
+  description: config$H.description,
+  hidden: config$H.hidden,
+  run: run$H
 };
-async function run$G(argv, importMeta, {
+async function run$H(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$G,
+    config: config$H,
     importMeta,
     parentName
   });
@@ -5741,7 +5741,7 @@ async function run$G(argv, importMeta, {
     return;
   }
   await handlePackageInfo({
-    commandName: `${parentName} ${config$G.commandName}`,
+    commandName: `${parentName} ${config$H.commandName}`,
     includeAllIssues: Boolean(all),
     outputKind,
     pkgName,
@@ -5871,7 +5871,7 @@ async function handleInstallCompletion(targetName) {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$C
 } = constants;
-const config$F = {
+const config$G = {
   commandName: 'completion',
   description: 'Install bash completion for Socket CLI',
   hidden: true,
@@ -5909,16 +5909,16 @@ const config$F = {
   `
 };
 const cmdInstallCompletion = {
-  description: config$F.description,
-  hidden: config$F.hidden,
-  run: run$F
+  description: config$G.description,
+  hidden: config$G.hidden,
+  run: run$G
 };
-async function run$F(argv, importMeta, {
+async function run$G(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$F,
+    config: config$G,
     importMeta,
     parentName
   });
@@ -5949,6 +5949,67 @@ const cmdInstall = {
   }
 };
 
+async function outputCmdJson(cwd) {
+  logger.logger.info('Target cwd:', constants.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
+  const sjpath = path.join(cwd, 'socket.json');
+  const tildeSjpath = constants.ENV.VITEST ? '<redacted>' : utils.tildify(sjpath);
+  if (!fs$1.existsSync(sjpath)) {
+    logger.logger.fail(`Not found: ${tildeSjpath}`);
+    process.exitCode = 1;
+    return;
+  }
+  if (!fs$1.lstatSync(sjpath).isFile()) {
+    logger.logger.fail(`This is not a regular file (maybe a directory?): ${tildeSjpath}`);
+    process.exitCode = 1;
+    return;
+  }
+  const data = fs$1.readFileSync(sjpath, 'utf8');
+  logger.logger.success(`This is the contents of ${tildeSjpath}:`);
+  logger.logger.error('');
+  logger.logger.log(data);
+}
+
+async function handleCmdJson(cwd) {
+  await outputCmdJson(cwd);
+}
+
+const config$F = {
+  commandName: 'json',
+  description: 'Display the `socket.json` that would be applied for target folder',
+  hidden: true,
+  // This is a power tool. No need to clutter the toplevel.
+  flags: {
+    ...utils.commonFlags
+  },
+  help: parentName => `
+    Usage
+      $ ${parentName} [CWD=.]
+
+    Display the \`socket.json\` file that would apply when running relevant commands
+    in the target directory.
+  `
+};
+const cmdJson = {
+  description: config$F.description,
+  hidden: config$F.hidden,
+  run: run$F
+};
+async function run$F(argv, importMeta, {
+  parentName
+}) {
+  const cli = utils.meowOrExit({
+    argv,
+    config: config$F,
+    importMeta,
+    parentName
+  });
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
+  await handleCmdJson(cwd);
+}
+
 function applyLogin(apiToken, enforcedOrgs, apiBaseUrl, apiProxy) {
   utils.updateConfigValue('enforcedOrgs', enforcedOrgs);
   utils.updateConfigValue('apiToken', apiToken);
@@ -7504,7 +7565,12 @@ const config$t = {
   hidden: true,
   flags: {
     ...utils.commonFlags,
-    ...utils.outputFlags
+    ...utils.outputFlags,
+    throw: {
+      type: 'boolean',
+      default: false,
+      description: 'Throw an explicit error even if --json or --markdown are set'
+    }
   },
   help: (parentName, config) => `
     Usage
@@ -7529,13 +7595,14 @@ async function run$t(argv, importMeta, {
   });
   const {
     json,
-    markdown
+    markdown,
+    throw: justThrow
   } = cli.flags;
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAILING_NOW$r);
     return;
   }
-  if (json) {
+  if (json && !justThrow) {
     process.exitCode = 1;
     logger.logger.log(utils.serializeResultJson({
       ok: false,
@@ -7543,7 +7610,7 @@ async function run$t(argv, importMeta, {
       cause: 'This error was intentionally left blank'
     }));
   }
-  if (markdown) {
+  if (markdown && !justThrow) {
     process.exitCode = 1;
     logger.logger.fail(utils.failMsgWithBadge('Oops', 'This error was intentionally left blank'));
     return;
@@ -8918,7 +8985,7 @@ async function fetchPurlDeepScore(purl) {
   return await utils.queryApiSafeJson(`purl/score/${encodeURIComponent(purl)}`, 'the deep package scores');
 }
 
-async function outputPurlScore(purl, result, outputKind) {
+async function outputPurlsDeepScore(purl, result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
   }
@@ -8931,151 +8998,156 @@ async function outputPurlScore(purl, result, outputKind) {
     return;
   }
   if (outputKind === 'markdown') {
-    const {
-      purl: requestedPurl,
-      self: {
-        alerts: selfAlerts,
-        capabilities: selfCaps,
-        purl,
-        score: selfScore
-      },
-      transitively: {
-        alerts,
-        capabilities,
-        dependencyCount,
-        func,
-        lowest,
-        score
-      }
-    } = result.data;
-    logger.logger.success(`Score report for "${requestedPurl}" ("${purl}"):\n`);
-    logger.logger.log('# Complete Package Score');
-    logger.logger.log('');
-    if (dependencyCount) {
-      logger.logger.log(`This is a Socket report for the package *"${purl}"* and its *${dependencyCount}* direct/transitive dependencies.`);
-    } else {
-      logger.logger.log(`This is a Socket report for the package *"${purl}"*. It has *no dependencies*.`);
-    }
-    logger.logger.log('');
-    if (dependencyCount) {
-      logger.logger.log(`It will show you the shallow score for just the package itself and a deep score for all the transitives combined. Additionally you can see which capabilities were found and the top alerts as well as a package that was responsible for it.`);
-    } else {
-      logger.logger.log(`It will show you the shallow score for the package itself, which capabilities were found, and its top alerts.`);
-      logger.logger.log('');
-      logger.logger.log('Since it has no dependencies, the shallow score is also the deep score.');
-    }
-    logger.logger.log('');
+    const md = createMarkdownReport(result.data);
+    logger.logger.success(`Score report for "${result.data.purl}" ("${purl}"):\n`);
+    logger.logger.log(md);
+    return;
+  }
+  logger.logger.log(`Score report for "${purl}" (use --json for raw and --markdown for formatted reports):`);
+  logger.logger.log(result.data);
+  logger.logger.log('');
+}
+function createMarkdownReport(data) {
+  const {
+    self: {
+      alerts: selfAlerts,
+      capabilities: selfCaps,
+      purl,
+      score: selfScore
+    },
+    transitively: {
+      alerts,
+      capabilities,
+      dependencyCount,
+      func,
+      lowest,
+      score
+    }
+  } = data;
+  const arr = [];
+  arr.push('# Complete Package Score');
+  arr.push('');
+  if (dependencyCount) {
+    arr.push(`This is a Socket report for the package *"${purl}"* and its *${dependencyCount}* direct/transitive dependencies.`);
+  } else {
+    arr.push(`This is a Socket report for the package *"${purl}"*. It has *no dependencies*.`);
+  }
+  arr.push('');
+  if (dependencyCount) {
+    arr.push(`It will show you the shallow score for just the package itself and a deep score for all the transitives combined. Additionally you can see which capabilities were found and the top alerts as well as a package that was responsible for it.`);
+  } else {
+    arr.push(`It will show you the shallow score for the package itself, which capabilities were found, and its top alerts.`);
+    arr.push('');
+    arr.push('Since it has no dependencies, the shallow score is also the deep score.');
+  }
+  arr.push('');
+  if (dependencyCount) {
+    // This doesn't make much sense if there are no dependencies. Better to omit it.
+    arr.push('The report should give you a good insight into the status of this package.');
+    arr.push('');
+    arr.push('## Package itself');
+    arr.push('');
+    arr.push('Here are results for the package itself (excluding data from dependencies).');
+  } else {
+    arr.push('## Report');
+    arr.push('');
+    arr.push('The report should give you a good insight into the status of this package.');
+  }
+  arr.push('');
+  arr.push('### Shallow Score');
+  arr.push('');
+  arr.push('This score is just for the package itself:');
+  arr.push('');
+  arr.push('- Overall: ' + selfScore.overall);
+  arr.push('- Maintenance: ' + selfScore.maintenance);
+  arr.push('- Quality: ' + selfScore.quality);
+  arr.push('- Supply Chain: ' + selfScore.supplyChain);
+  arr.push('- Vulnerability: ' + selfScore.vulnerability);
+  arr.push('- License: ' + selfScore.license);
+  arr.push('');
+  arr.push('### Capabilities');
+  arr.push('');
+  if (selfCaps.length) {
+    arr.push('These are the capabilities detected in the package itself:');
+    arr.push('');
+    selfCaps.forEach(cap => {
+      arr.push(`- ${cap}`);
+    });
+  } else {
+    arr.push('No capabilities were found in the package.');
+  }
+  arr.push('');
+  arr.push('### Alerts for this package');
+  arr.push('');
+  if (selfAlerts.length) {
     if (dependencyCount) {
-      // This doesn't make much sense if there are no dependencies. Better to omit it.
-      logger.logger.log('The report should give you a good insight into the status of this package.');
-      logger.logger.log('');
-      logger.logger.log('## Package itself');
-      logger.logger.log('');
-      logger.logger.log('Here are results for the package itself (excluding data from dependencies).');
+      arr.push('These are the alerts found for the package itself:');
     } else {
-      logger.logger.log('## Report');
-      logger.logger.log('');
-      logger.logger.log('The report should give you a good insight into the status of this package.');
+      arr.push('These are the alerts found for this package:');
     }
-    logger.logger.log('');
-    logger.logger.log('### Shallow Score');
-    logger.logger.log('');
-    logger.logger.log('This score is just for the package itself:');
-    logger.logger.log('');
-    logger.logger.log('- Overall: ' + selfScore.overall);
-    logger.logger.log('- Maintenance: ' + selfScore.maintenance);
-    logger.logger.log('- Quality: ' + selfScore.quality);
-    logger.logger.log('- Supply Chain: ' + selfScore.supplyChain);
-    logger.logger.log('- Vulnerability: ' + selfScore.vulnerability);
-    logger.logger.log('- License: ' + selfScore.license);
-    logger.logger.log('');
-    logger.logger.log('### Capabilities');
-    logger.logger.log('');
-    if (selfCaps.length) {
-      logger.logger.log('These are the capabilities detected in the package itself:');
-      logger.logger.log('');
-      selfCaps.forEach(cap => {
-        logger.logger.log(`- ${cap}`);
+    arr.push('');
+    arr.push(utils.mdTable(selfAlerts, ['severity', 'name'], ['Severity', 'Alert Name']));
+  } else {
+    arr.push('There are currently no alerts for this package.');
+  }
+  arr.push('');
+  if (dependencyCount) {
+    arr.push('## Transitive Package Results');
+    arr.push('');
+    arr.push('Here are results for the package and its direct/transitive dependencies.');
+    arr.push('');
+    arr.push('### Deep Score');
+    arr.push('');
+    arr.push('This score represents the package and and its direct/transitive dependencies:');
+    arr.push(`The function used to calculate the values in aggregate is: *"${func}"*`);
+    arr.push('');
+    arr.push('- Overall: ' + score.overall);
+    arr.push('- Maintenance: ' + score.maintenance);
+    arr.push('- Quality: ' + score.quality);
+    arr.push('- Supply Chain: ' + score.supplyChain);
+    arr.push('- Vulnerability: ' + score.vulnerability);
+    arr.push('- License: ' + score.license);
+    arr.push('');
+    arr.push('### Capabilities');
+    arr.push('');
+    arr.push('These are the packages with the lowest recorded score. If there is more than one with the lowest score, just one is shown here. This may help you figure out the source of low scores.');
+    arr.push('');
+    arr.push('- Overall: ' + lowest.overall);
+    arr.push('- Maintenance: ' + lowest.maintenance);
+    arr.push('- Quality: ' + lowest.quality);
+    arr.push('- Supply Chain: ' + lowest.supplyChain);
+    arr.push('- Vulnerability: ' + lowest.vulnerability);
+    arr.push('- License: ' + lowest.license);
+    arr.push('');
+    arr.push('### Capabilities');
+    arr.push('');
+    if (capabilities.length) {
+      arr.push('These are the capabilities detected in at least one package:');
+      arr.push('');
+      capabilities.forEach(cap => {
+        arr.push(`- ${cap}`);
       });
     } else {
-      logger.logger.log('No capabilities were found in the package.');
+      arr.push('This package had no capabilities and neither did any of its direct/transitive dependencies.');
     }
-    logger.logger.log('');
-    logger.logger.log('### Alerts for this package');
-    logger.logger.log('');
-    if (selfAlerts.length) {
-      if (dependencyCount) {
-        logger.logger.log('These are the alerts found for the package itself:');
-      } else {
-        logger.logger.log('These are the alerts found for this package:');
-      }
-      logger.logger.log('');
-      logger.logger.log(utils.mdTable(selfAlerts, ['severity', 'name'], ['Severity', 'Alert Name']));
+    arr.push('');
+    arr.push('### Alerts');
+    arr.push('');
+    if (alerts.length) {
+      arr.push('These are the alerts found:');
+      arr.push('');
+      arr.push(utils.mdTable(alerts, ['severity', 'name', 'example'], ['Severity', 'Alert Name', 'Example package reporting it']));
     } else {
-      logger.logger.log('There are currently no alerts for this package.');
+      arr.push('This package had no alerts and neither did any of its direct/transitive dependencies');
     }
-    logger.logger.log('');
-    if (dependencyCount) {
-      logger.logger.log('## Transitive Package Results');
-      logger.logger.log('');
-      logger.logger.log('Here are results for the package and its direct/transitive dependencies.');
-      logger.logger.log('');
-      logger.logger.log('### Deep Score');
-      logger.logger.log('');
-      logger.logger.log('This score represents the package and and its direct/transitive dependencies:');
-      logger.logger.log(`The function used to calculate the values in aggregate is: *"${func}"*`);
-      logger.logger.log('');
-      logger.logger.log('- Overall: ' + score.overall);
-      logger.logger.log('- Maintenance: ' + score.maintenance);
-      logger.logger.log('- Quality: ' + score.quality);
-      logger.logger.log('- Supply Chain: ' + score.supplyChain);
-      logger.logger.log('- Vulnerability: ' + score.vulnerability);
-      logger.logger.log('- License: ' + score.license);
-      logger.logger.log('');
-      logger.logger.log('### Capabilities');
-      logger.logger.log('');
-      logger.logger.log('These are the packages with the lowest recorded score. If there is more than one with the lowest score, just one is shown here. This may help you figure out the source of low scores.');
-      logger.logger.log('');
-      logger.logger.log('- Overall: ' + lowest.overall);
-      logger.logger.log('- Maintenance: ' + lowest.maintenance);
-      logger.logger.log('- Quality: ' + lowest.quality);
-      logger.logger.log('- Supply Chain: ' + lowest.supplyChain);
-      logger.logger.log('- Vulnerability: ' + lowest.vulnerability);
-      logger.logger.log('- License: ' + lowest.license);
-      logger.logger.log('');
-      logger.logger.log('### Capabilities');
-      logger.logger.log('');
-      if (capabilities.length) {
-        logger.logger.log('These are the capabilities detected in at least one package:');
-        logger.logger.log('');
-        capabilities.forEach(cap => {
-          logger.logger.log(`- ${cap}`);
-        });
-      } else {
-        logger.logger.log('This package had no capabilities and neither did any of its direct/transitive dependencies.');
-      }
-      logger.logger.log('');
-      logger.logger.log('### Alerts');
-      logger.logger.log('');
-      if (alerts.length) {
-        logger.logger.log('These are the alerts found:');
-        logger.logger.log('');
-        logger.logger.log(utils.mdTable(alerts, ['severity', 'name', 'example'], ['Severity', 'Alert Name', 'Example package reporting it']));
-      } else {
-        logger.logger.log('This package had no alerts and neither did any of its direct/transitive dependencies');
-      }
-      logger.logger.log('');
-    }
-    return;
+    arr.push('');
+    return arr.join('\n');
   }
-  logger.logger.log(`Score report for "${purl}" (use --json for raw and --markdown for formatted reports):`);
-  logger.logger.log(result.data);
-  logger.logger.log('');
 }
 
 async function handlePurlDeepScore(purl, outputKind) {
   const result = await fetchPurlDeepScore(purl);
-  await outputPurlScore(purl, result, outputKind);
+  await outputPurlsDeepScore(purl, result, outputKind);
 }
 
 // Either an ecosystem was given or all args must be (namespaced) purls
@@ -9255,6 +9327,8 @@ async function fetchPurlsShallowScore(purls) {
   };
 }
 
+// This is a simplified view of an artifact. Potentially merged with other artifacts.
+
 function outputPurlsShallowScore(purls, result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -9267,59 +9341,31 @@ function outputPurlsShallowScore(purls, result, outputKind) {
     logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
     return;
   }
-
-  // Make some effort to match the requested data with the response
-
-  const set = new Set();
-  result.data.forEach(data => {
-    set.add('pkg:' + data.type + '/' + data.name + '@' + data.version);
-    set.add('pkg:' + data.type + '/' + data.name);
-  });
-  const missing = purls.filter(purl => {
-    if (set.has(purl)) {
-      return false;
-    }
-    if (purl.endsWith('@latest') && set.has(purl.slice(0, -'@latest'.length))) {
-      return false;
-    }
-    return true; // not found
-  });
+  const {
+    missing,
+    rows
+  } = preProcess(result.data, purls);
   if (outputKind === 'markdown') {
-    logger.logger.log(`
-# Shallow Package Report
-
-This report contains the response for requesting data on some package url(s).
-
-Please note: The listed scores are ONLY for the package itself. It does NOT
-             reflect the scores of any dependencies, transitive or otherwise.
-
-${missing.length ? `\n## Missing response\n\nAt least one package had no response or the purl was not canonical:\n\n${missing.map(purl => '- ' + purl + '\n').join('')}` : ''}
-
-${result.data.map(data => '## ' + formatReportCard(data, false)).join('\n\n\n')}
-    `.trim());
+    const md = generateMarkdownReport(rows, missing);
+    logger.logger.log(md);
     return;
   }
-  logger.logger.log('\n' + vendor.yoctocolorsCjsExports.bold('Shallow Package Score') + '\n');
-  logger.logger.log('Please note: The listed scores are ONLY for the package itself. It does NOT\n' + '             reflect the scores of any dependencies, transitive or otherwise.');
-  if (missing.length) {
-    logger.logger.log(`\nAt least one package had no response or the purl was not canonical:\n${missing.map(purl => '\n- ' + vendor.yoctocolorsCjsExports.bold(purl)).join('')}`);
-  }
-  result.data.forEach(data => {
-    logger.logger.log('\n');
-    logger.logger.log(formatReportCard(data, true));
-  });
-  logger.logger.log('');
+  const txt = generateTextReport(rows, missing);
+  logger.logger.log(txt);
 }
-function formatReportCard(data, color) {
+function formatReportCard(artifact, color) {
   const scoreResult = {
-    'Supply Chain Risk': Math.floor((data.score?.supplyChain ?? 0) * 100),
-    Maintenance: Math.floor((data.score?.maintenance ?? 0) * 100),
-    Quality: Math.floor((data.score?.quality ?? 0) * 100),
-    Vulnerabilities: Math.floor((data.score?.vulnerability ?? 0) * 100),
-    License: Math.floor((data.score?.license ?? 0) * 100)
+    'Supply Chain Risk': Math.floor((artifact.score?.supplyChain ?? 0) * 100),
+    Maintenance: Math.floor((artifact.score?.maintenance ?? 0) * 100),
+    Quality: Math.floor((artifact.score?.quality ?? 0) * 100),
+    Vulnerabilities: Math.floor((artifact.score?.vulnerability ?? 0) * 100),
+    License: Math.floor((artifact.score?.license ?? 0) * 100)
   };
-  const alertString = getAlertString(data.alerts, !color);
-  const purl = 'pkg:' + data.type + '/' + data.name + '@' + data.version;
+  const alertString = getAlertString(artifact.alerts, !color);
+  if (!artifact.ecosystem) {
+    console.log('WTF?', artifact);
+  }
+  const purl = `pkg:${artifact.ecosystem}/${artifact.name}${artifact.version ? '@' + artifact.version : ''}`;
   return ['Package: ' + (color ? vendor.yoctocolorsCjsExports.bold(purl) : purl), '', ...Object.entries(scoreResult).map(score => `- ${score[0]}:`.padEnd(20, ' ') + `  ${formatScore(score[1], !color, true)}`), alertString].join('\n');
 }
 function formatScore(score, noColor = false, pad = false) {
@@ -9336,12 +9382,13 @@ function formatScore(score, noColor = false, pad = false) {
   return vendor.yoctocolorsCjsExports.red(padded);
 }
 function getAlertString(alerts, noColor = false) {
-  if (!alerts?.length) {
+  if (!alerts.size) {
     return noColor ? `- Alerts: none!` : `- Alerts: ${vendor.yoctocolorsCjsExports.green('none')}!`;
   }
-  const bad = alerts.filter(alert => alert.severity !== 'low' && alert.severity !== 'middle').sort((a, b) => a.type < b.type ? -1 : a.type > b.type ? 1 : 0);
-  const mid = alerts.filter(alert => alert.severity === 'middle').sort((a, b) => a.type < b.type ? -1 : a.type > b.type ? 1 : 0);
-  const low = alerts.filter(alert => alert.severity === 'low').sort((a, b) => a.type < b.type ? -1 : a.type > b.type ? 1 : 0);
+  const arr = Array.from(alerts.values());
+  const bad = arr.filter(alert => alert.severity !== 'low' && alert.severity !== 'middle').sort((a, b) => a.type < b.type ? -1 : a.type > b.type ? 1 : 0);
+  const mid = arr.filter(alert => alert.severity === 'middle').sort((a, b) => a.type < b.type ? -1 : a.type > b.type ? 1 : 0);
+  const low = arr.filter(alert => alert.severity === 'low').sort((a, b) => a.type < b.type ? -1 : a.type > b.type ? 1 : 0);
 
   // We need to create the no-color string regardless because the actual string
   // contains a bunch of invisible ANSI chars which would screw up length checks.
@@ -9351,6 +9398,146 @@ function getAlertString(alerts, noColor = false) {
   }
   return `- Alerts (${vendor.yoctocolorsCjsExports.red(bad.length.toString())}/${vendor.yoctocolorsCjsExports.yellow(mid.length.toString())}/${low.length}):` + ' '.repeat(Math.max(0, 20 - colorless.length)) + '  ' + [bad.map(alert => vendor.yoctocolorsCjsExports.red(vendor.yoctocolorsCjsExports.dim(`[${alert.severity}] `) + alert.type)).join(', '), mid.map(alert => vendor.yoctocolorsCjsExports.yellow(vendor.yoctocolorsCjsExports.dim(`[${alert.severity}] `) + alert.type)).join(', '), low.map(alert => vendor.yoctocolorsCjsExports.dim(`[${alert.severity}] `) + alert.type).join(', ')].filter(Boolean).join(', ');
 }
+function preProcess(artifacts, requestedPurls) {
+  // Dedupe results (for example, pypi will emit one package for each system release (win/mac/cpu) even if it's
+  // the same package version with same results. The duplication is irrelevant and annoying to the user.
+
+  // Make some effort to match the requested data with the response
+  // Dedupe and merge results when only the .release value is different
+
+  // API does not tell us which purls were not found.
+  // Generate all purls to try so we can try to match search request.
+  const purls = new Set();
+  artifacts.forEach(data => {
+    purls.add(`pkg:${data.type}/${data.namespace ? `${data.namespace}/` : ''}${data.name}@${data.version}`);
+    purls.add(`pkg:${data.type}/${data.name}@${data.version}`);
+    purls.add(`pkg:${data.type}/${data.name}`);
+    purls.add(`pkg:${data.type}/${data.namespace ? `${data.namespace}/` : ''}${data.name}`);
+  });
+  // Try to match the searched purls against this list
+  const missing = requestedPurls.filter(purl => {
+    if (purls.has(purl)) {
+      return false;
+    }
+    if (purl.endsWith('@latest') && purls.has(purl.slice(0, -'@latest'.length))) {
+      return false;
+    }
+    return true; // not found
+  });
+
+  // Create a unique set of rows which represents each artifact that is returned
+  // while deduping when the artifact (main) meta data only differs due to the
+  // .release field (observed with python, at least).
+  // Merge the alerts for duped packages. Use lowest score between all of them.
+  const rows = new Map();
+  artifacts.forEach(artifact => {
+    const purl = `pkg:${artifact.type}/${artifact.namespace ? `${artifact.namespace}/` : ''}${artifact.name}${artifact.version ? `@${artifact.version}` : ''}`;
+    if (rows.has(purl)) {
+      const row = rows.get(purl);
+      if (!row) {
+        // unreachable; satisfy TS
+        return;
+      }
+      if ((artifact.score?.supplyChain || 100) < row.score.supplyChain) {
+        row.score.supplyChain = artifact.score?.supplyChain || 100;
+      }
+      if ((artifact.score?.maintenance || 100) < row.score.maintenance) {
+        row.score.maintenance = artifact.score?.maintenance || 100;
+      }
+      if ((artifact.score?.quality || 100) < row.score.quality) {
+        row.score.quality = artifact.score?.quality || 100;
+      }
+      if ((artifact.score?.vulnerability || 100) < row.score.vulnerability) {
+        row.score.vulnerability = artifact.score?.vulnerability || 100;
+      }
+      if ((artifact.score?.license || 100) < row.score.license) {
+        row.score.license = artifact.score?.license || 100;
+      }
+      artifact.alerts?.forEach(({
+        severity,
+        type
+      }) => {
+        row.alerts.set(`${type}:${severity}`, {
+          type: type ?? 'unknown',
+          severity: severity ?? 'none'
+        });
+      });
+    } else {
+      const alerts = new Map();
+      artifact.alerts?.forEach(({
+        severity,
+        type
+      }) => {
+        alerts.set(`${type}:${severity}`, {
+          type: type ?? 'unknown',
+          severity: severity ?? 'none'
+        });
+      });
+      rows.set(purl, {
+        ecosystem: artifact.type,
+        namespace: artifact.namespace || '',
+        name: artifact.name,
+        version: artifact.version || '',
+        score: {
+          supplyChain: artifact.score?.supplyChain || 100,
+          maintenance: artifact.score?.maintenance || 100,
+          quality: artifact.score?.quality || 100,
+          vulnerability: artifact.score?.vulnerability || 100,
+          license: artifact.score?.license || 100
+        },
+        alerts
+      });
+    }
+  });
+  return {
+    rows,
+    missing
+  };
+}
+function generateMarkdownReport(artifacts, missing) {
+  const blocks = [];
+  const dupes = new Set();
+  artifacts.forEach(artifact => {
+    const block = '## ' + formatReportCard(artifact, false);
+    if (dupes.has(block)) {
+      return;
+    }
+    dupes.add(block);
+    blocks.push(block);
+  });
+  return `
+# Shallow Package Report
+
+This report contains the response for requesting data on some package url(s).
+
+Please note: The listed scores are ONLY for the package itself. It does NOT
+             reflect the scores of any dependencies, transitive or otherwise.
+
+${missing.length ? `\n## Missing response\n\nAt least one package had no response or the purl was not canonical:\n\n${missing.map(purl => '- ' + purl + '\n').join('')}` : ''}
+
+${blocks.join('\n\n\n')}
+    `.trim();
+}
+function generateTextReport(artifacts, missing) {
+  const arr = [];
+  arr.push('\n' + vendor.yoctocolorsCjsExports.bold('Shallow Package Score') + '\n');
+  arr.push('Please note: The listed scores are ONLY for the package itself. It does NOT\n' + '             reflect the scores of any dependencies, transitive or otherwise.');
+  if (missing.length) {
+    arr.push(`\nAt least one package had no response or the purl was not canonical:\n${missing.map(purl => '\n- ' + vendor.yoctocolorsCjsExports.bold(purl)).join('')}`);
+  }
+  const dupes = new Set(); // Omit dupes when output is identical
+  artifacts.forEach(artifact => {
+    const block = formatReportCard(artifact, true);
+    if (dupes.has(block)) {
+      return;
+    }
+    dupes.add(block);
+    arr.push('\n');
+    arr.push(block);
+  });
+  arr.push('');
+  return arr.join('\n');
+}
 
 async function handlePurlsShallowScore({
   outputKind,
@@ -11777,6 +11964,15 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
         cause: 'Response body is null or undefined.'
       };
     }
+
+    // Make sure the dir exists. It may be nested and we need to construct that
+    // before starting the download.
+    const dir = path.dirname(localPath);
+    if (!fs$1.existsSync(dir)) {
+      fs$1.mkdirSync(dir, {
+        recursive: true
+      });
+    }
     const fileStream = fs$1.createWriteStream(localPath);
 
     // Using stream.pipeline for better error handling and cleanup
@@ -12653,12 +12849,35 @@ async function outputScanReach(result, cwd, outputKind) {
   logger.logger.success('finished on', cwd);
 }
 
+const {
+  DOT_SOCKET_DOT_FACTS_JSON
+} = constants;
 async function scanReachability(cwd) {
-  logger.logger.log('Scanning now... as soon as you implement me! From', cwd);
-  return {
-    ok: true,
-    data: undefined
-  };
+  try {
+    const result = await spawn.spawn(constants.execPath, [
+    // Lazily access constants.nodeNoWarningsFlags.
+    ...constants.nodeNoWarningsFlags,
+    // Lazily access constants.coanaBinPath.
+    constants.coanaBinPath, 'run', cwd, '--output-dir', cwd, '--disable-report-submission', '--socket-mode', DOT_SOCKET_DOT_FACTS_JSON], {
+      cwd,
+      env: {
+        ...process.env,
+        // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN
+        SOCKET_CLI_API_TOKEN: constants.ENV.SOCKET_CLI_API_TOKEN
+      }
+    });
+    return {
+      ok: true,
+      data: result.stdout.trim()
+    };
+  } catch (e) {
+    const message = e?.stdout ?? e?.message;
+    return {
+      ok: false,
+      data: e,
+      message
+    };
+  }
 }
 
 async function handleScanReach(cwd, outputKind) {
@@ -12675,12 +12894,7 @@ const config$6 = {
   hidden: true,
   flags: {
     ...utils.commonFlags,
-    ...utils.outputFlags,
-    interactive: {
-      type: 'boolean',
-      default: true,
-      description: 'Allow for interactive elements, asking for input. Use --no-interactive to prevent any input questions, defaulting them to cancel/no.'
-    }
+    ...utils.outputFlags
   },
   help: (command, config) => `
     Usage
@@ -12710,7 +12924,6 @@ async function run$6(argv, importMeta, {
   });
   const {
     dryRun,
-    interactive,
     json,
     markdown
   } = cli.flags;
@@ -12719,7 +12932,6 @@ async function run$6(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  logger.logger.info('If you dont have any interactive bits then drop the flag', interactive);
   const wasValidInput = utils.checkCommandInput(outputKind);
   if (!wasValidInput) {
     return;
@@ -14247,6 +14459,7 @@ void (async () => {
       fix: cmdFix,
       info: cmdInfo,
       install: cmdInstall,
+      json: cmdJson,
       login: cmdLogin,
       logout: cmdLogout,
       npm: cmdNpm,
@@ -14354,6 +14567,24 @@ void (async () => {
     });
   } catch (e) {
     process.exitCode = 1;
+    debug.debugFn('Uncaught error (BAD!):');
+    debug.debugFn(e);
+
+    // Try to parse the flags, find out if --json or --markdown is set
+    let isJson = false;
+    try {
+      const cli = vendor.meow(``, {
+        argv: process.argv.slice(2),
+        importMeta: {
+          url: `${require$$0.pathToFileURL(__filename$1)}`
+        },
+        flags: {},
+        // Do not strictly check for flags here.
+        allowUnknownFlags: true,
+        autoHelp: false
+      });
+      isJson = !!cli.flags['json'];
+    } catch {}
     let errorBody;
     let errorTitle;
     let errorMessage = '';
@@ -14371,14 +14602,22 @@ void (async () => {
     } else {
       errorTitle = 'Unexpected error with no details';
     }
-    logger.logger.error('\n'); // Any-spinner-newline
-    logger.logger.fail(utils.failMsgWithBadge(errorTitle, errorMessage));
-    if (errorBody) {
-      // Explicitly use debugLog here.
-      debug.debugLog(errorBody);
+    if (isJson) {
+      logger.logger.log(utils.serializeResultJson({
+        ok: false,
+        message: errorTitle,
+        cause: errorMessage
+      }));
+    } else {
+      logger.logger.error('\n'); // Any-spinner-newline
+      logger.logger.fail(utils.failMsgWithBadge(errorTitle, errorMessage));
+      if (errorBody) {
+        // Explicitly use debugLog here.
+        debug.debugLog(errorBody);
+      }
     }
     await utils.captureException(e);
   }
 })();
-//# debugId=c367b9c2-15d4-4650-9e2f-c8866daf46cd
+//# debugId=46cd08dc-8e3e-40e8-bfdb-0a0801cce912
 //# sourceMappingURL=cli.js.map