socket 0.15.60 → 0.15.62

package/dist/cli.js

@@ -3660,29 +3660,64 @@ async function outputFixResult(result, outputKind) {
 function formatBranchName(name) {
   return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
 }
-function getBaseGitBranch() {
-  // Lazily access constants.ENV.GITHUB_REF_NAME.
-  return constants.ENV.GITHUB_REF_NAME ||
+function createSocketBranchParser(options) {
+  const pattern = getSocketBranchPattern(options);
+  return function parse(branch) {
+    const match = pattern.exec(branch);
+    if (!match) {
+      return null;
+    }
+    const {
+      1: type,
+      2: workspace,
+      3: fullName,
+      4: version,
+      5: newVersion
+    } = match;
+    return {
+      fullName,
+      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
+      type,
+      workspace,
+      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
+    };
+  };
+}
+async function getBaseGitBranch(cwd = process.cwd()) {
+  // Lazily access constants.ENV properties.
+  const {
+    GITHUB_BASE_REF,
+    GITHUB_REF_NAME,
+    GITHUB_REF_TYPE
+  } = constants.ENV;
+  // 1. In a pull request, this is always the base branch.
+  if (GITHUB_BASE_REF) {
+    return GITHUB_BASE_REF;
+  }
+  // 2. If it's a branch (not a tag), GITHUB_REF_TYPE should be 'branch'.
+  if (GITHUB_REF_TYPE === 'branch' && GITHUB_REF_NAME) {
+    return GITHUB_REF_NAME;
+  }
+  // 3. Try to resolve the default remote branch using 'git remote show origin'.
+  // This handles detached HEADs or workflows triggered by tags/releases.
+  try {
+    const stdout = (await spawn.spawn('git', ['remote', 'show', 'origin'], {
+      cwd
+    })).stdout.trim();
+    const match = /(?<=HEAD branch: ).+/.exec(stdout);
+    if (match?.[0]) {
+      return match[0].trim();
+    }
+  } catch {}
   // GitHub defaults to branch name "main"
   // https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch
-  'main';
-}
-function getSocketBranchPurlTypeComponent(purl) {
-  const purlObj = utils.getPurlObject(purl);
-  return formatBranchName(purlObj.type);
+  return 'main';
 }
 function getSocketBranchFullNameComponent(pkgName) {
   const purlObj = utils.getPurlObject(typeof pkgName === 'string' && !pkgName.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/${pkgName}`) : pkgName);
   const fmtMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
   return `${fmtMaybeNamespace}${formatBranchName(purlObj.name)}`;
 }
-function getSocketBranchPackageVersionComponent(version) {
-  const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
-  return formatBranchName(purlObj.version);
-}
-function getSocketBranchWorkspaceComponent(workspace) {
-  return workspace ? formatBranchName(workspace) : 'root';
-}
 function getSocketBranchName(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
   const fmtType = getSocketBranchPurlTypeComponent(purlObj);
@@ -3692,6 +3727,10 @@ function getSocketBranchName(purl, newVersion, workspace) {
   const fmtNewVersion = formatBranchName(newVersion);
   return `socket/${fmtType}/${fmtWorkspace}/${fmtFullName}_${fmtVersion}_${fmtNewVersion}`;
 }
+function getSocketBranchPackageVersionComponent(version) {
+  const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
+  return formatBranchName(purlObj.version);
+}
 function getSocketBranchPattern(options) {
   const {
     newVersion,
@@ -3710,33 +3749,17 @@ function getSocketBranchPattern(options) {
   const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
   return new RegExp(`^socket/(${escType})/(${escWorkspace})/(${escFullName})_(${escVersion})_(${escNewVersion})$`);
 }
-function createSocketBranchParser(options) {
-  const pattern = getSocketBranchPattern(options);
-  return function parse(branch) {
-    const match = pattern.exec(branch);
-    if (!match) {
-      return null;
-    }
-    const {
-      1: type,
-      2: workspace,
-      3: fullName,
-      4: version,
-      5: newVersion
-    } = match;
-    return {
-      fullName,
-      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
-      type,
-      workspace,
-      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
-    };
-  };
+function getSocketBranchPurlTypeComponent(purl) {
+  const purlObj = utils.getPurlObject(purl);
+  return formatBranchName(purlObj.type);
 }
-function getSocketPullRequestTitle(purl, newVersion, workspace) {
+function getSocketBranchWorkspaceComponent(workspace) {
+  return workspace ? formatBranchName(workspace) : 'root';
+}
+function getSocketCommitMessage(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
   const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
+  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
 }
 function getSocketPullRequestBody(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
@@ -3744,10 +3767,10 @@ function getSocketPullRequestBody(purl, newVersion, workspace) {
   const pkgOverviewUrl = utils.getSocketDevPackageOverviewUrlFromPurl(purlObj);
   return `Bump [${fullName}](${pkgOverviewUrl}) from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}.`;
 }
-function getSocketCommitMessage(purl, newVersion, workspace) {
+function getSocketPullRequestTitle(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
   const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
+  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
 }
 async function gitCleanFdx(cwd = process.cwd()) {
   const stdioIgnoreOptions = {
@@ -3780,7 +3803,7 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
     await spawn.spawn('git', ['push', '--force', '--set-upstream', 'origin', branch], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn('catch: unexpected\n', e);
+    debug.debugFn(`catch: git push --force --set-upstream origin ${branch} failed\n`, e);
   }
   try {
     // Will throw with exit code 1 if branch does not exist.
@@ -3788,6 +3811,38 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
   } catch {}
   return false;
 }
+async function gitRepoInfo(cwd = process.cwd()) {
+  try {
+    const remoteUrl = (await spawn.spawn('git', ['remote', 'get-url', 'origin'], {
+      cwd
+    })).stdout.trim();
+    // 1. Handle SSH-style, e.g. git@github.com:owner/repo.git
+    const sshMatch = /^git@[^:]+:([^/]+)\/(.+?)(?:\.git)?$/.exec(remoteUrl);
+    if (sshMatch) {
+      return {
+        owner: sshMatch[1],
+        repo: sshMatch[2]
+      };
+    }
+    // 2. Handle HTTPS/URL-style, e.g. https://github.com/owner/repo.git
+    try {
+      const parsed = new URL(remoteUrl);
+      const segments = parsed.pathname.split('/');
+      const owner = segments.at(-2);
+      const repo = segments.at(-1)?.replace(/\.git$/, '');
+      if (owner && repo) {
+        return {
+          owner,
+          repo
+        };
+      }
+    } catch {}
+    debug.debugFn('git: unmatched git remote URL format', remoteUrl);
+  } catch (e) {
+    debug.debugFn('catch: git remote get-url origin failed\n', e);
+  }
+  return null;
+}
 async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
   const stdioIgnoreOptions = {
     cwd,
@@ -3810,7 +3865,7 @@ async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
       try {
         await spawn.spawn('git', ['config', prop, value], stdioIgnoreOptions);
       } catch (e) {
-        debug.debugFn('catch: unexpected\n', e);
+        debug.debugFn(`catch: git config ${prop} ${value} failed\n`, e);
       }
     }
   }));
@@ -3859,6 +3914,28 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
   }
 }
 
+function getActiveBranchesForPackage(ciEnv, partialPurl, openPrs) {
+  if (!ciEnv) {
+    return [];
+  }
+  const partialPurlObj = utils.getPurlObject(partialPurl);
+  const activeBranches = [];
+  const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
+  const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
+  for (const pr of openPrs) {
+    const parsedBranch = ciEnv.branchParser(pr.headRefName);
+    if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
+      activeBranches.push(parsedBranch);
+    }
+  }
+  if (activeBranches.length) {
+    debug.debugFn(`found: ${activeBranches.length} active branches\n`, activeBranches);
+  } else if (openPrs.length) {
+    debug.debugFn('miss: 0 active branches found');
+  }
+  return activeBranches;
+}
+
 let _octokit;
 function getOctokit() {
   if (_octokit === undefined) {
@@ -4053,24 +4130,6 @@ async function enablePrAutoMerge({
     enabled: false
   };
 }
-function getGithubEnvRepoInfo() {
-  // Lazily access constants.ENV.GITHUB_REPOSITORY.
-  const {
-    GITHUB_REPOSITORY
-  } = constants.ENV;
-  if (!GITHUB_REPOSITORY) {
-    debug.debugFn('miss: GITHUB_REPOSITORY env var');
-  }
-  const ownerSlashRepo = GITHUB_REPOSITORY;
-  const slashIndex = ownerSlashRepo.indexOf('/');
-  if (slashIndex === -1) {
-    return null;
-  }
-  return {
-    owner: ownerSlashRepo.slice(0, slashIndex),
-    repo: ownerSlashRepo.slice(slashIndex + 1)
-  };
-}
 async function getOpenSocketPrs(owner, repo, options) {
   return (await getOpenSocketPrsWithContext(owner, repo, options)).map(d => d.match);
 }
@@ -4196,11 +4255,6 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
     __proto__: null,
     ...options
   };
-  // Lazily access constants.ENV.GITHUB_ACTIONS.
-  if (!constants.ENV.GITHUB_ACTIONS) {
-    debug.debugFn('miss: GITHUB_ACTIONS env var');
-    return null;
-  }
   const purlObj = utils.getPurlObject(purl);
   const octokit = getOctokit();
   try {
@@ -4252,6 +4306,55 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   }
 }
 
+async function getEnvRepoInfo(cwd) {
+  // Lazily access constants.ENV.GITHUB_REPOSITORY.
+  const {
+    GITHUB_REPOSITORY
+  } = constants.ENV;
+  if (!GITHUB_REPOSITORY) {
+    debug.debugFn('miss: GITHUB_REPOSITORY env var');
+  }
+  const ownerSlashRepo = GITHUB_REPOSITORY;
+  const slashIndex = ownerSlashRepo.indexOf('/');
+  if (slashIndex !== -1) {
+    return {
+      owner: ownerSlashRepo.slice(0, slashIndex),
+      repo: ownerSlashRepo.slice(slashIndex + 1)
+    };
+  }
+  return await gitRepoInfo(cwd);
+}
+async function getCiEnv() {
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  if (!isCi) {
+    return null;
+  }
+  const baseBranch = await getBaseGitBranch();
+  if (!baseBranch) {
+    return null;
+  }
+  const repoInfo = await getEnvRepoInfo();
+  if (!repoInfo) {
+    return null;
+  }
+  return {
+    gitEmail,
+    gitUser,
+    githubToken,
+    repoInfo,
+    baseBranch,
+    branchParser: createSocketBranchParser()
+  };
+}
+async function getOpenPrsForEnvironment(env) {
+  return env ? await getOpenSocketPrs(env.repoInfo.owner, env.repoInfo.repo, {
+    author: env.gitUser
+  }) : [];
+}
+
 const CMD_NAME$1 = 'socket fix';
 function getAlertsMapOptions(options = {}) {
   return {
@@ -4303,19 +4406,9 @@ async function npmFix(pkgEnvDetails, {
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
-
-  // Lazily access constants.ENV properties.
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
-  const repoInfo = isCi ? getGithubEnvRepoInfo() : null;
   spinner?.start();
-  const openPrs =
-  // Check repoInfo to make TypeScript happy.
-  isCi && repoInfo ? await getOpenSocketPrs(repoInfo.owner, repoInfo.repo, {
-    author: gitUser
-  }) : [];
+  const ciEnv = await getCiEnv();
+  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let count = 0;
   const arb = new shadowNpmInject.Arborist({
     path: rootPath,
@@ -4353,17 +4446,23 @@ async function npmFix(pkgEnvDetails, {
       }
     };
   }
-  const baseBranch = isCi ? getBaseGitBranch() : '';
-  const branchParser = isCi ? createSocketBranchParser() : null;
+
+  // Lazily access constants.packumentCache.
+  const {
+    packumentCache
+  } = constants;
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
   const sortedInfoEntries = [...infoByPartialPurl.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
-  const handleInstallFail = () => {
-    debug.debugFn(`fail: ${pkgEnvDetails.agent} install\n`);
+  const cleanupInfoEntriesLoop = () => {
     logger.logger.dedent();
     spinner?.dedent();
+    packumentCache.clear();
+  };
+  const handleInstallFail = () => {
+    cleanupInfoEntriesLoop();
     return {
       ok: false,
       message: 'Installation failure',
@@ -4382,22 +4481,7 @@ async function npmFix(pkgEnvDetails, {
     if (!infos.length) {
       continue infoEntriesLoop;
     }
-    const activeBranches = [];
-    if (isCi) {
-      const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
-      const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-      for (const pr of openPrs) {
-        const parsedBranch = branchParser(pr.headRefName);
-        if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-          activeBranches.push(parsedBranch);
-        }
-      }
-      if (activeBranches.length) {
-        debug.debugFn(`found: ${activeBranches.length} active branches\n`, activeBranches);
-      } else if (openPrs.length) {
-        debug.debugFn('miss: 0 active branches found');
-      }
-    }
+    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
@@ -4408,8 +4492,7 @@ async function npmFix(pkgEnvDetails, {
     const packument = await packages.fetchPackagePackument(name);
     if (!packument) {
       logger.logger.warn(`Unexpected condition: No packument found for ${name}.\n`);
-      logger.logger.dedent();
-      spinner?.dedent();
+      cleanupInfoEntriesLoop();
       continue infoEntriesLoop;
     }
     const availableVersions = Object.keys(packument.versions);
@@ -4424,13 +4507,12 @@ async function npmFix(pkgEnvDetails, {
       const pkgPath = path.dirname(pkgJsonPath);
       const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      const branchWorkspace = isCi ? getSocketBranchWorkspaceComponent(workspace) : '';
+      const branchWorkspace = ciEnv ? getSocketBranchWorkspaceComponent(workspace) : '';
       const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.target?.version ?? n.version).filter(Boolean));
       if (!oldVersions.length) {
         debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
-        logger.logger.dedent();
-        spinner?.dedent();
+        cleanupInfoEntriesLoop();
         continue infoEntriesLoop;
       }
 
@@ -4440,6 +4522,7 @@ async function npmFix(pkgEnvDetails, {
       const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
         editable: true
       });
+      const fixedVersions = new Set();
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
       if (debug.isDebug()) {
@@ -4459,25 +4542,27 @@ async function npmFix(pkgEnvDetails, {
           firstPatchedVersionIdentifier,
           vulnerableVersionRange
         } of infos.values()) {
-          if (vendor.semverExports.gte(oldVersion, firstPatchedVersionIdentifier)) {
-            debug.debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`);
+          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
+          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
+          if (!(newVersion && newVersionPackument)) {
+            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
+            continue infosLoop;
+          }
+          if (fixedVersions.has(newVersion)) {
+            continue infosLoop;
+          }
+          if (vendor.semverExports.gte(oldVersion, newVersion)) {
+            debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
           }
-          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
           if (activeBranches.find(b => b.workspace === branchWorkspace && b.newVersion === newVersion)) {
             debug.debugFn(`skip: open PR found for ${name}@${newVersion}`);
             if (++count >= limit) {
-              logger.logger.dedent();
-              spinner?.dedent();
+              cleanupInfoEntriesLoop();
               break infoEntriesLoop;
             }
             continue infosLoop;
           }
-          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
-          if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
-            continue infosLoop;
-          }
           const newVersionRange = utils.applyRange(oldVersion, newVersion, rangeStyle);
           const newId = `${name}@${newVersionRange}`;
           const revertData = {
@@ -4507,9 +4592,9 @@ async function npmFix(pkgEnvDetails, {
           }))) {
             debug.debugFn(`skip: ${workspace}/package.json unchanged`);
             // Reset things just in case.
-            if (isCi) {
+            if (ciEnv) {
               // eslint-disable-next-line no-await-in-loop
-              await gitResetAndClean(baseBranch, cwd);
+              await gitResetAndClean(ciEnv.baseBranch, cwd);
             }
             continue infosLoop;
           }
@@ -4537,6 +4622,7 @@ async function npmFix(pkgEnvDetails, {
                 });
               }
               spinner?.success(`Fixed ${name} in ${workspace}.`);
+              fixedVersions.add(newVersion);
             } else {
               errored = true;
             }
@@ -4547,7 +4633,7 @@ async function npmFix(pkgEnvDetails, {
           spinner?.stop();
 
           // Check repoInfo to make TypeScript happy.
-          if (!errored && isCi && repoInfo) {
+          if (!errored && ciEnv?.repoInfo) {
             try {
               // eslint-disable-next-line no-await-in-loop
               const result = await gitUnstagedModifiedFiles(cwd);
@@ -4569,7 +4655,7 @@ async function npmFix(pkgEnvDetails, {
               let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
-              await prExistForBranch(repoInfo.owner, repoInfo.repo, branch)) {
+              await prExistForBranch(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch)) {
                 skipPr = true;
                 debug.debugFn(`skip: branch "${branch}" exists`);
               }
@@ -4581,15 +4667,15 @@ async function npmFix(pkgEnvDetails, {
               // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
                 cwd,
-                email: gitEmail,
-                user: gitUser
+                email: ciEnv.gitEmail,
+                user: ciEnv.gitUser
               }))) {
                 skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
               }
               if (skipPr) {
                 // eslint-disable-next-line no-await-in-loop
-                await gitResetAndClean(baseBranch, cwd);
+                await gitResetAndClean(ciEnv.baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
                 const maybeActualTree = await install$1(arb, {
                   cwd
@@ -4603,14 +4689,14 @@ async function npmFix(pkgEnvDetails, {
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(repoInfo.owner, repoInfo.repo, githubToken, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, {
+              await Promise.allSettled([setGitRemoteGithubRepoUrl(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, ciEnv.githubToken, cwd), cleanupOpenPrs(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, {
                 newVersion,
                 purl: oldPurl,
                 workspace
               })]);
               // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(repoInfo.owner, repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch,
+              const prResponse = await openPr(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch, oldPurl, newVersion, {
+                baseBranch: ciEnv.baseBranch,
                 cwd,
                 workspace
               });
@@ -4643,10 +4729,10 @@ async function npmFix(pkgEnvDetails, {
               errored = true;
             }
           }
-          if (isCi) {
+          if (ciEnv) {
             spinner?.start();
             // eslint-disable-next-line no-await-in-loop
-            await gitResetAndClean(baseBranch, cwd);
+            await gitResetAndClean(ciEnv.baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
             const maybeActualTree = await install$1(arb, {
               cwd
@@ -4659,7 +4745,7 @@ async function npmFix(pkgEnvDetails, {
             }
           }
           if (errored) {
-            if (!isCi) {
+            if (!ciEnv) {
               spinner?.start();
               editablePkgJson.update(revertData);
               // eslint-disable-next-line no-await-in-loop
@@ -4680,8 +4766,7 @@ async function npmFix(pkgEnvDetails, {
             logger.logger.fail(`Update failed for ${oldId} in ${workspace}.`, error);
           }
           if (++count >= limit) {
-            logger.logger.dedent();
-            spinner?.dedent();
+            cleanupInfoEntriesLoop();
             break infoEntriesLoop;
           }
         }
@@ -4696,8 +4781,7 @@ async function npmFix(pkgEnvDetails, {
     if (!isLastInfoEntry) {
       logger.logger.logNewline();
     }
-    logger.logger.dedent();
-    spinner?.dedent();
+    cleanupInfoEntriesLoop();
   }
   spinner?.stop();
   return {
@@ -4764,19 +4848,9 @@ async function pnpmFix(pkgEnvDetails, {
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
-
-  // Lazily access constants.ENV properties.
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && constants.ENV.GITHUB_ACTIONS && constants.ENV.GITHUB_REPOSITORY && gitEmail && gitUser && githubToken);
-  const repoInfo = isCi ? getGithubEnvRepoInfo() : null;
   spinner?.start();
-  const openPrs =
-  // Check repoInfo to make TypeScript happy.
-  isCi && repoInfo ? await getOpenSocketPrs(repoInfo.owner, repoInfo.repo, {
-    author: gitUser
-  }) : [];
+  const ciEnv = await getCiEnv();
+  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let count = 0;
   let actualTree;
   const lockfilePath = path.join(rootPath, 'pnpm-lock.yaml');
@@ -4852,16 +4926,23 @@ async function pnpmFix(pkgEnvDetails, {
       }
     };
   }
-  const baseBranch = isCi ? getBaseGitBranch() : '';
-  const branchParser = isCi ? createSocketBranchParser() : null;
+
+  // Lazily access constants.packumentCache.
+  const {
+    packumentCache
+  } = constants;
   const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
   const pkgJsonPaths = [...workspacePkgJsonPaths,
   // Process the workspace root last since it will add an override to package.json.
   pkgEnvDetails.editablePkgJson.filename];
   const sortedInfoEntries = [...infoByPartialPurl.entries()].sort((a, b) => sorts.naturalCompare(a[0], b[0]));
-  const handleInstallFail = () => {
+  const cleanupInfoEntriesLoop = () => {
     logger.logger.dedent();
     spinner?.dedent();
+    packumentCache.clear();
+  };
+  const handleInstallFail = () => {
+    cleanupInfoEntriesLoop();
     return {
       ok: false,
       message: 'Install failed',
@@ -4880,22 +4961,7 @@ async function pnpmFix(pkgEnvDetails, {
     if (!infos.length) {
       continue infoEntriesLoop;
     }
-    const activeBranches = [];
-    if (isCi) {
-      const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
-      const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-      for (const pr of openPrs) {
-        const parsedBranch = branchParser(pr.headRefName);
-        if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-          activeBranches.push(parsedBranch);
-        }
-      }
-      if (activeBranches.length) {
-        debug.debugFn(`found: ${activeBranches.length} active branches\n`, activeBranches);
-      } else if (openPrs.length) {
-        debug.debugFn('miss: 0 active branches found');
-      }
-    }
+    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     logger.logger.log(`Processing vulns for ${name}:`);
     logger.logger.indent();
     spinner?.indent();
@@ -4906,8 +4972,7 @@ async function pnpmFix(pkgEnvDetails, {
     const packument = await packages.fetchPackagePackument(name);
     if (!packument) {
       logger.logger.warn(`Unexpected condition: No packument found for ${name}.\n`);
-      logger.logger.dedent();
-      spinner?.dedent();
+      cleanupInfoEntriesLoop();
       continue infoEntriesLoop;
     }
     const availableVersions = Object.keys(packument.versions);
@@ -4922,15 +4987,15 @@ async function pnpmFix(pkgEnvDetails, {
       const pkgPath = path.dirname(pkgJsonPath);
       const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      const branchWorkspace = isCi ? getSocketBranchWorkspaceComponent(workspace) : '';
+      const branchWorkspace = ciEnv ? getSocketBranchWorkspaceComponent(workspace) : '';
 
       // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
       if (!actualTree) {
-        if (!isCi) {
+        if (!ciEnv) {
           // eslint-disable-next-line no-await-in-loop
           await utils.removeNodeModules(cwd);
         }
-        const maybeActualTree = isCi && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
+        const maybeActualTree = ciEnv && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
         // eslint-disable-next-line no-await-in-loop
         await getActualTree(cwd) :
         // eslint-disable-next-line no-await-in-loop
@@ -4954,8 +5019,7 @@ async function pnpmFix(pkgEnvDetails, {
       if (!oldVersions.length) {
         debug.debugFn(`skip: ${name} not found\n`);
         // Skip to next package.
-        logger.logger.dedent();
-        spinner?.dedent();
+        cleanupInfoEntriesLoop();
         continue infoEntriesLoop;
       }
 
@@ -4965,6 +5029,8 @@ async function pnpmFix(pkgEnvDetails, {
       const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
         editable: true
       });
+      const fixedVersions = new Set();
+
       // Get current overrides for revert logic.
       const oldPnpmSection = editablePkgJson.content[PNPM$7];
       const oldOverrides = oldPnpmSection?.[OVERRIDES$2];
@@ -4987,25 +5053,27 @@ async function pnpmFix(pkgEnvDetails, {
           firstPatchedVersionIdentifier,
           vulnerableVersionRange
         } of infos) {
-          if (vendor.semverExports.gte(oldVersion, firstPatchedVersionIdentifier)) {
-            debug.debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`);
+          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
+          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
+          if (!(newVersion && newVersionPackument)) {
+            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
+            continue infosLoop;
+          }
+          if (fixedVersions.has(newVersion)) {
+            continue infosLoop;
+          }
+          if (vendor.semverExports.gte(oldVersion, newVersion)) {
+            debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
           }
-          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, vulnerableVersionRange);
           if (activeBranches.find(b => b.workspace === branchWorkspace && b.newVersion === newVersion)) {
             debug.debugFn(`skip: open PR found for ${name}@${newVersion}`);
             if (++count >= limit) {
-              logger.logger.dedent();
-              spinner?.dedent();
+              cleanupInfoEntriesLoop();
               break infoEntriesLoop;
             }
             continue infosLoop;
           }
-          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
-          if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
-            continue infosLoop;
-          }
           const overrideKey = `${name}@${vulnerableVersionRange}`;
           const newVersionRange = utils.applyRange(oldOverrides?.[overrideKey] ?? oldVersion, newVersion, rangeStyle);
           const newId = `${name}@${newVersionRange}`;
@@ -5057,9 +5125,9 @@ async function pnpmFix(pkgEnvDetails, {
           }))) {
             debug.debugFn(`skip: ${workspace}/package.json unchanged`);
             // Reset things just in case.
-            if (isCi) {
+            if (ciEnv) {
               // eslint-disable-next-line no-await-in-loop
-              await gitResetAndClean(baseBranch, cwd);
+              await gitResetAndClean(ciEnv.baseBranch, cwd);
             }
             continue infosLoop;
           }
@@ -5106,6 +5174,7 @@ async function pnpmFix(pkgEnvDetails, {
                 });
               }
               spinner?.success(`Fixed ${name} in ${workspace}.`);
+              fixedVersions.add(newVersion);
             } else {
               errored = true;
             }
@@ -5116,7 +5185,7 @@ async function pnpmFix(pkgEnvDetails, {
           spinner?.stop();
 
           // Check repoInfo to make TypeScript happy.
-          if (!errored && isCi && repoInfo) {
+          if (!errored && ciEnv?.repoInfo) {
             try {
               // eslint-disable-next-line no-await-in-loop
               const result = await gitUnstagedModifiedFiles(cwd);
@@ -5136,7 +5205,7 @@ async function pnpmFix(pkgEnvDetails, {
               let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
-              await prExistForBranch(repoInfo.owner, repoInfo.repo, branch)) {
+              await prExistForBranch(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch)) {
                 skipPr = true;
                 debug.debugFn(`skip: branch "${branch}" exists`);
               }
@@ -5148,15 +5217,15 @@ async function pnpmFix(pkgEnvDetails, {
               // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
                 cwd,
-                email: gitEmail,
-                user: gitUser
+                email: ciEnv.gitEmail,
+                user: ciEnv.gitUser
               }))) {
                 skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
               }
               if (skipPr) {
                 // eslint-disable-next-line no-await-in-loop
-                await gitResetAndClean(baseBranch, cwd);
+                await gitResetAndClean(ciEnv.baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
                 const maybeActualTree = await install(pkgEnvDetails, {
                   cwd,
@@ -5175,14 +5244,14 @@ async function pnpmFix(pkgEnvDetails, {
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(repoInfo.owner, repoInfo.repo, githubToken, cwd), cleanupOpenPrs(repoInfo.owner, repoInfo.repo, {
+              await Promise.allSettled([setGitRemoteGithubRepoUrl(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, ciEnv.githubToken, cwd), cleanupOpenPrs(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, {
                 newVersion,
                 purl: oldPurl,
                 workspace
               })]);
               // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(repoInfo.owner, repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch,
+              const prResponse = await openPr(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch, oldPurl, newVersion, {
+                baseBranch: ciEnv.baseBranch,
                 cwd,
                 workspace
               });
@@ -5215,10 +5284,10 @@ async function pnpmFix(pkgEnvDetails, {
               errored = true;
             }
           }
-          if (isCi) {
+          if (ciEnv) {
             spinner?.start();
             // eslint-disable-next-line no-await-in-loop
-            await gitResetAndClean(baseBranch, cwd);
+            await gitResetAndClean(ciEnv.baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
             const maybeActualTree = await install(pkgEnvDetails, {
               cwd,
@@ -5236,7 +5305,7 @@ async function pnpmFix(pkgEnvDetails, {
             }
           }
           if (errored) {
-            if (!isCi) {
+            if (!ciEnv) {
               spinner?.start();
               editablePkgJson.update(revertData);
               // eslint-disable-next-line no-await-in-loop
@@ -5269,8 +5338,7 @@ async function pnpmFix(pkgEnvDetails, {
           debug.debugFn('name:', name);
           debug.debugFn('increment: count', count + 1);
           if (++count >= limit) {
-            logger.logger.dedent();
-            spinner?.dedent();
+            cleanupInfoEntriesLoop();
             break infoEntriesLoop;
           }
         }
@@ -5285,8 +5353,7 @@ async function pnpmFix(pkgEnvDetails, {
     if (!isLastInfoEntry) {
       logger.logger.logNewline();
     }
-    logger.logger.dedent();
-    spinner?.dedent();
+    cleanupInfoEntriesLoop();
   }
   spinner?.stop();
 
@@ -14645,5 +14712,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=858f0ee1-e2b9-482a-bf53-f0c50425ff4
+//# debugId=ff4cb15e-6c8d-4702-a71b-9fdebd5e1b1
 //# sourceMappingURL=cli.js.map