socket 1.0.111 → 1.1.1

package/dist/cli.js

@@ -18,16 +18,13 @@ var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
-var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var registry = require('../external/@socketsecurity/registry');
-var npm = require('../external/@socketsecurity/registry/lib/npm');
-var packages = require('../external/@socketsecurity/registry/lib/packages');
-var sorts = require('../external/@socketsecurity/registry/lib/sorts');
-var shadowNpmInject = require('./shadow-npm-inject.js');
-var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var shadowNpmBin = require('./shadow-npm-bin.js');
-var require$$11 = require('../external/@socketsecurity/registry/lib/promises');
+var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
+var registry = require('../external/@socketsecurity/registry');
+var packages = require('../external/@socketsecurity/registry/lib/packages');
+var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
+var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -318,7 +315,7 @@ async function handleAnalytics({
   });
 }
 
-const CMD_NAME$x = 'analytics';
+const CMD_NAME$w = 'analytics';
 const description$D = 'Look up analytics data';
 const hidden$v = false;
 const cmdAnalytics = {
@@ -330,7 +327,7 @@ async function run$Q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$x,
+    commandName: CMD_NAME$w,
     description: description$D,
     hidden: hidden$v,
     flags: {
@@ -348,7 +345,7 @@ async function run$Q(argv, importMeta, {
       $ ${command} [options] [ "org" | "repo" <reponame>] [TIME]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
 
     The scope is either org or repo level, defaults to org.
 
@@ -742,7 +739,7 @@ async function handleAuditLog({
   });
 }
 
-const CMD_NAME$w = 'audit-log';
+const CMD_NAME$v = 'audit-log';
 const description$C = 'Look up the audit log for an organization';
 const hidden$u = false;
 const cmdAuditLog = {
@@ -754,7 +751,7 @@ async function run$P(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$w,
+    commandName: CMD_NAME$v,
     description: description$C,
     hidden: hidden$u,
     flags: {
@@ -784,7 +781,7 @@ async function run$P(argv, importMeta, {
       $ ${command} [options] [FILTER]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$v}`)}
 
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit ${constants.SOCKET_WEBSITE_URL}/pricing
@@ -926,7 +923,8 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
 
 async function fetchSupportedScanFileNames(options) {
   const {
-    sdkOpts
+    sdkOpts,
+    spinner
   } = {
     __proto__: null,
     ...options
@@ -937,7 +935,8 @@ async function fetchSupportedScanFileNames(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
-    desc: 'supported scan file types'
+    desc: 'supported scan file types',
+    spinner
   });
 }
 
@@ -2157,7 +2156,12 @@ async function handleCreateNewScan({
     });
     logger.logger.info('Auto-generation finished. Proceeding with Scan creation.');
   }
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const {
+    spinner
+  } = constants;
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     await outputCreateNewScan(supportedFilesCResult, {
       interactive,
@@ -2165,9 +2169,6 @@ async function handleCreateNewScan({
     });
     return;
   }
-  const {
-    spinner
-  } = constants;
   spinner.start('Searching for local files to include in scan...');
   const supportedFiles = supportedFilesCResult.data;
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
@@ -2599,7 +2600,7 @@ async function handleConfigAuto({
   await outputConfigAuto(key, result, outputKind);
 }
 
-const CMD_NAME$v = 'auto';
+const CMD_NAME$u = 'auto';
 const description$B = 'Automatically discover and set the correct value config item';
 const hidden$t = false;
 const cmdConfigAuto = {
@@ -2611,7 +2612,7 @@ async function run$N(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$v,
+    commandName: CMD_NAME$u,
     description: description$B,
     hidden: hidden$t,
     flags: {
@@ -2949,7 +2950,7 @@ async function handleConfigSet({
   await outputConfigSet(result, outputKind);
 }
 
-const CMD_NAME$u = 'set';
+const CMD_NAME$t = 'set';
 const description$A = 'Update the value of a local CLI config item';
 const hidden$s = false;
 const cmdConfigSet = {
@@ -2961,7 +2962,7 @@ async function run$K(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$u,
+    commandName: CMD_NAME$t,
     description: description$A,
     hidden: hidden$s,
     flags: {
@@ -3073,7 +3074,7 @@ async function handleConfigUnset({
   await outputConfigUnset(updateResult, outputKind);
 }
 
-const CMD_NAME$t = 'unset';
+const CMD_NAME$s = 'unset';
 const description$z = 'Clear the value of a local CLI config item';
 const hidden$r = false;
 const cmdConfigUnset = {
@@ -3085,7 +3086,7 @@ async function run$J(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$t,
+    commandName: CMD_NAME$s,
     description: description$z,
     hidden: hidden$r,
     flags: {
@@ -3168,330 +3169,76 @@ const cmdConfig = {
   }
 };
 
-function formatBranchName(name) {
-  return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
+const GITHUB_ADVISORIES_URL = 'https://github.com/advisories';
+function getSocketFixBranchName(ghsaId) {
+  return `socket/fix/${ghsaId}`;
 }
-function createSocketBranchParser(options) {
-  const pattern = getSocketBranchPattern(options);
-  return function parse(branch) {
-    const match = pattern.exec(branch);
-    if (!match) {
-      return null;
-    }
-    const {
-      1: type,
-      2: workspace,
-      3: fullName,
-      4: version,
-      5: newVersion
-    } = match;
-    return {
-      fullName,
-      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
-      type,
-      workspace,
-      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
-    };
-  };
+function getSocketFixBranchPattern(ghsaId) {
+  return new RegExp(`^socket/fix/(${ghsaId ?? '.+'})$`);
 }
-const genericSocketBranchParser = createSocketBranchParser();
-function getSocketBranchFullNameComponent(pkgName) {
-  const purlObj = utils.getPurlObject(typeof pkgName === 'string' && !pkgName.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/${pkgName}`) : pkgName);
-  const branchMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
-  return `${branchMaybeNamespace}${formatBranchName(purlObj.name)}`;
-}
-function getSocketBranchName(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const branchType = getSocketBranchPurlTypeComponent(purlObj);
-  const branchWorkspace = getSocketBranchWorkspaceComponent(workspace);
-  const branchFullName = getSocketBranchFullNameComponent(purlObj);
-  const branchVersion = getSocketBranchPackageVersionComponent(purlObj.version);
-  const branchNewVersion = formatBranchName(newVersion);
-  return `socket/${branchType}/${branchWorkspace}/${branchFullName}_${branchVersion}_${branchNewVersion}`;
-}
-function getSocketBranchPackageVersionComponent(version) {
-  const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
-  return formatBranchName(purlObj.version);
-}
-function getSocketBranchPattern(options) {
-  const {
-    newVersion,
-    purl,
-    workspace
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const purlObj = purl ? utils.getPurlObject(purl) : null;
-  const escType = purlObj ? regexps.escapeRegExp(purlObj.type) : '[^/]+';
-  const escWorkspace = workspace ? `${regexps.escapeRegExp(formatBranchName(workspace))}` : '.+';
-  const escMaybeNamespace = purlObj?.namespace ? `${regexps.escapeRegExp(formatBranchName(purlObj.namespace))}--` : '';
-  const escFullName = purlObj ? `${escMaybeNamespace}${regexps.escapeRegExp(formatBranchName(purlObj.name))}` : '[^/_]+';
-  const escVersion = purlObj ? regexps.escapeRegExp(formatBranchName(purlObj.version)) : '[^_]+';
-  const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
-  return new RegExp(`^socket/(${escType})/(${escWorkspace})/(${escFullName})_(${escVersion})_(${escNewVersion})$`);
-}
-function getSocketBranchPurlTypeComponent(purl) {
-  const purlObj = utils.getPurlObject(purl);
-  return formatBranchName(purlObj.type);
-}
-function getSocketBranchWorkspaceComponent(workspace) {
-  return workspace ? formatBranchName(workspace) : 'root';
-}
-function getSocketCommitMessage(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `socket: Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
-}
-function getSocketPullRequestBody(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  const pkgOverviewUrl = utils.getSocketDevPackageOverviewUrlFromPurl(purlObj);
-  return `Bump [${fullName}](${pkgOverviewUrl}) from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}.`;
-}
-function getSocketPullRequestTitle(purl, newVersion, workspace) {
-  const purlObj = utils.getPurlObject(purl);
-  const fullName = utils.getPkgFullNameFromPurl(purlObj);
-  return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
-}
-
-let _octokit;
-function getOctokit() {
-  if (_octokit === undefined) {
-    const {
-      SOCKET_CLI_GITHUB_TOKEN
-    } = constants.ENV;
-    if (!SOCKET_CLI_GITHUB_TOKEN) {
-      require$$9.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
-    }
-    const octokitOptions = {
-      auth: SOCKET_CLI_GITHUB_TOKEN,
-      baseUrl: constants.ENV.GITHUB_API_URL
-    };
-    require$$9.debugDir('inspect', {
-      octokitOptions
-    });
-    _octokit = new vendor.Octokit(octokitOptions);
-  }
-  return _octokit;
+function getSocketFixCommitMessage(ghsaId, details) {
+  const summary = details?.summary;
+  return `fix: ${ghsaId}${summary ? ` - ${summary}` : ''}`;
 }
-let _octokitGraphql;
-function getOctokitGraphql() {
-  if (!_octokitGraphql) {
-    const {
-      SOCKET_CLI_GITHUB_TOKEN
-    } = constants.ENV;
-    if (!SOCKET_CLI_GITHUB_TOKEN) {
-      require$$9.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
-    }
-    _octokitGraphql = vendor.graphql2.defaults({
-      headers: {
-        authorization: `token ${SOCKET_CLI_GITHUB_TOKEN}`
-      }
-    });
-  }
-  return _octokitGraphql;
-}
-async function readCache(key,
-// 5 minute in milliseconds time to live (TTL).
-ttlMs = 5 * 60 * 1000) {
-  const cacheJsonPath = path.join(constants.githubCachePath, `${key}.json`);
-  const stat = fs$2.safeStatsSync(cacheJsonPath);
-  if (stat) {
-    const isExpired = Date.now() - stat.mtimeMs > ttlMs;
-    if (!isExpired) {
-      return await fs$2.readJson(cacheJsonPath);
+function getSocketFixPullRequestBody(ghsaIds, ghsaDetails) {
+  const vulnCount = ghsaIds.length;
+  if (vulnCount === 1) {
+    const ghsaId = ghsaIds[0];
+    const details = ghsaDetails?.get(ghsaId);
+    const body = `[Socket](${constants.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
+    if (!details) {
+      return body;
     }
+    const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
+    return [body, '', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
   }
-  return null;
-}
-async function writeCache(key, data) {
-  const {
-    githubCachePath
-  } = constants;
-  const cacheJsonPath = path.join(githubCachePath, `${key}.json`);
-  if (!fs$1.existsSync(githubCachePath)) {
-    await fs$1.promises.mkdir(githubCachePath, {
-      recursive: true
-    });
-  }
-  await fs$2.writeJson(cacheJsonPath, data);
-}
-async function cacheFetch(key, fetcher, ttlMs) {
-  // Optionally disable cache.
-  if (constants.ENV.DISABLE_GITHUB_CACHE) {
-    return await fetcher();
-  }
-  let data = await readCache(key, ttlMs);
-  if (!data) {
-    data = await fetcher();
-    await writeCache(key, data);
-  }
-  return data;
-}
-async function fetchGhsaDetails(ids) {
-  const results = new Map();
-  if (!ids.length) {
-    return results;
-  }
-  const octokitGraphql = getOctokitGraphql();
-  try {
-    const gqlCacheKey = `${ids.join('-')}-graphql-snapshot`;
-    const aliases = ids.map((id, index) => `advisory${index}: securityAdvisory(ghsaId: "${id}") {
-        ghsaId
-        summary
-        severity
-        publishedAt
-        withdrawnAt
-        vulnerabilities(first: 10) {
-          nodes {
-            package {
-              ecosystem
-              name
-            }
-            vulnerableVersionRange
-          }
-        }
-      }`).join('\n');
-    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
-        query {
-          ${aliases}
-        }
-      `));
-    for (let i = 0, {
-        length
-      } = ids; i < length; i += 1) {
-      const id = ids[i];
-      const advisoryKey = `advisory${i}`;
-      const advisory = gqlResp?.[advisoryKey];
-      if (advisory && advisory.ghsaId) {
-        results.set(id, advisory);
-      } else {
-        require$$9.debugFn('notice', `miss: no advisory found for ${id}`);
-      }
+  return [`[Socket](${constants.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+    const details = ghsaDetails?.get(id);
+    const item = `- [${id}](${GITHUB_ADVISORIES_URL}/${id})`;
+    if (details) {
+      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
+      return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
     }
-  } catch (e) {
-    require$$9.debugFn('error', `Failed to fetch GHSA details: ${e?.message || 'Unknown error'}`);
-  }
-  return results;
+    return item;
+  })].join('\n');
 }
-async function cleanupPrs(owner, repo, options) {
-  const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
-  if (!contextualMatches.length) {
-    return [];
-  }
-  const cachesToSave = new Map();
+function getSocketFixPullRequestTitle(ghsaIds) {
+  const vulnCount = ghsaIds.length;
+  return vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
+}
+
+async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
   const {
-    newVersion
+    baseBranch = 'main',
+    ghsaDetails
   } = {
     __proto__: null,
     ...options
   };
-  const branchParser = createSocketBranchParser(options);
-  const octokit = getOctokit();
-  const settledMatches = await Promise.allSettled(contextualMatches.map(async ({
-    context,
-    match
-  }) => {
-    const {
-      number: prNum
-    } = match;
-    const prRef = `PR #${prNum}`;
-    const parsedBranch = branchParser(match.headRefName);
-    const prToVersion = parsedBranch?.newVersion;
-
-    // Close older PRs.
-    if (prToVersion && newVersion && vendor.semverExports.lt(prToVersion, newVersion)) {
-      try {
-        await octokit.pulls.update({
-          owner,
-          repo,
-          pull_number: prNum,
-          state: 'closed'
-        });
-        require$$9.debugFn('notice', `pr: closing ${prRef} for ${prToVersion}`);
-        // Remove entry from parent object.
-        context.parent.splice(context.index, 1);
-        // Mark cache to be saved.
-        cachesToSave.set(context.cacheKey, context.data);
-        return null;
-      } catch (e) {
-        require$$9.debugFn('error', `pr: failed to close ${prRef} for ${prToVersion}\n`, e?.message || 'Unknown error');
-      }
-    }
-    // Update stale PRs.
-    // https://docs.github.com/en/graphql/reference/enums#mergestatestatus
-    if (match.mergeStateStatus === 'BEHIND') {
-      try {
-        await octokit.repos.merge({
-          owner,
-          repo,
-          base: match.headRefName,
-          head: match.baseRefName
-        });
-        require$$9.debugFn('notice', `pr: updating stale ${prRef}`);
-        // Update entry entry.
-        if (context.apiType === 'graphql') {
-          context.entry.mergeStateStatus = 'CLEAN';
-        } else if (context.apiType === 'rest') {
-          context.entry.mergeable_state = 'clean';
-        }
-        // Mark cache to be saved.
-        cachesToSave.set(context.cacheKey, context.data);
-      } catch (e) {
-        const message = e?.message || 'Unknown error';
-        require$$9.debugFn('error', `pr: failed to update ${prRef} - ${message}`);
-      }
-    }
-    return match;
-  }));
-  if (cachesToSave.size) {
-    await Promise.allSettled(Array.from(cachesToSave).map(({
-      0: key,
-      1: data
-    }) => writeCache(key, data)));
-  }
-  const fulfilledMatches = settledMatches.filter(r => r.status === 'fulfilled' && r.value);
-  return fulfilledMatches.map(r => r.value.match);
-}
-async function enablePrAutoMerge({
-  node_id: prId
-}) {
-  const octokitGraphql = getOctokitGraphql();
+  const octokit = utils.getOctokit();
   try {
-    const gqlResp = await octokitGraphql(`
-      mutation EnableAutoMerge($pullRequestId: ID!) {
-        enablePullRequestAutoMerge(input: {
-          pullRequestId: $pullRequestId,
-          mergeMethod: SQUASH
-        }) {
-          pullRequest {
-            number
-          }
-        }
-      }`, {
-      pullRequestId: prId
+    const octokitPullsCreateParams = {
+      owner,
+      repo,
+      title: getSocketFixPullRequestTitle(ghsaIds),
+      head: branch,
+      base: baseBranch,
+      body: getSocketFixPullRequestBody(ghsaIds, ghsaDetails)
+    };
+    require$$9.debugDir('inspect', {
+      octokitPullsCreateParams
     });
-    const respPrNumber = gqlResp?.enablePullRequestAutoMerge?.pullRequest?.number;
-    if (respPrNumber) {
-      return {
-        enabled: true
-      };
-    }
+    return await octokit.pulls.create(octokitPullsCreateParams);
   } catch (e) {
-    if (e instanceof vendor.GraphqlResponseError && Array.isArray(e.errors) && e.errors.length) {
-      const details = e.errors.map(({
-        message: m
-      }) => m.trim());
-      return {
-        enabled: false,
-        details
-      };
+    let message = `Failed to open pull request`;
+    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
+    if (Array.isArray(errors) && errors.length) {
+      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
+      message += `:\n${details}`;
     }
+    require$$9.debugFn('error', message);
   }
-  return {
-    enabled: false
-  };
+  return null;
 }
 async function getSocketPrs(owner, repo, options) {
   return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
@@ -3499,22 +3246,23 @@ async function getSocketPrs(owner, repo, options) {
 async function getSocketPrsWithContext(owner, repo, options) {
   const {
     author,
+    ghsaId,
     states: statesValue = 'all'
   } = {
     __proto__: null,
     ...options
   };
-  const branchPattern = getSocketBranchPattern(options);
+  const branchPattern = getSocketFixBranchPattern(ghsaId);
   const checkAuthor = strings.isNonEmptyString(author);
-  const octokit = getOctokit();
-  const octokitGraphql = getOctokitGraphql();
+  const octokit = utils.getOctokit();
+  const octokitGraphql = utils.getOctokitGraphql();
   const contextualMatches = [];
   const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
     // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
     // API quota usage. Fallback to REST if no matching PRs are found.
     const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
-    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
+    const gqlResp = await utils.cacheFetch(gqlCacheKey, () => octokitGraphql(`
           query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
             repository(owner: $owner, name: $repo) {
               pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
@@ -3571,7 +3319,7 @@ async function getSocketPrsWithContext(owner, repo, options) {
   let allPrs;
   const cacheKey = `${repo}-pull-requests`;
   try {
-    allPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
+    allPrs = await utils.cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
       owner,
       repo,
       state: 'all',
@@ -3620,117 +3368,6 @@ async function getSocketPrsWithContext(owner, repo, options) {
   }
   return contextualMatches;
 }
-async function openPr(owner, repo, branch, purl, newVersion, options) {
-  const {
-    baseBranch = 'main',
-    workspace
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const purlObj = utils.getPurlObject(purl);
-  const octokit = getOctokit();
-  try {
-    const octokitPullsCreateParams = {
-      owner,
-      repo,
-      title: getSocketPullRequestTitle(purlObj, newVersion, workspace),
-      head: branch,
-      base: baseBranch,
-      body: getSocketPullRequestBody(purlObj, newVersion, workspace)
-    };
-    require$$9.debugDir('inspect', {
-      octokitPullsCreateParams
-    });
-    return await octokit.pulls.create(octokitPullsCreateParams);
-  } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
-    }
-    require$$9.debugFn('error', message);
-  }
-  return null;
-}
-async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
-  const {
-    baseBranch = 'main',
-    ghsaDetails
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const octokit = getOctokit();
-  const vulnCount = ghsaIds.length;
-  const prTitle = vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
-  let prBody = '';
-  if (vulnCount === 1) {
-    const ghsaId = ghsaIds[0];
-    const details = ghsaDetails?.get(ghsaId);
-    prBody = `[Socket](https://socket.dev/) fix for [${ghsaId}](https://github.com/advisories/${ghsaId}).`;
-    if (details) {
-      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
-      prBody += ['', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
-    }
-  } else {
-    prBody = [`[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
-      const details = ghsaDetails?.get(id);
-      const item = `- [${id}](https://github.com/advisories/${id})`;
-      if (details) {
-        const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
-        return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
-      }
-      return item;
-    })].join('\n');
-  }
-  try {
-    const octokitPullsCreateParams = {
-      owner,
-      repo,
-      title: prTitle,
-      head: branch,
-      base: baseBranch,
-      body: prBody
-    };
-    require$$9.debugDir('inspect', {
-      octokitPullsCreateParams
-    });
-    return await octokit.pulls.create(octokitPullsCreateParams);
-  } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
-    }
-    require$$9.debugFn('error', message);
-  }
-  return null;
-}
-async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
-  const {
-    host
-  } = new URL(constants.ENV.GITHUB_SERVER_URL);
-  const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
-  const stdioIgnoreOptions = {
-    cwd,
-    stdio: require$$9.isDebug('stdio') ? 'inherit' : 'ignore'
-  };
-  const quotedCmd = `\`git remote set-url origin ${url}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
-    return true;
-  } catch (e) {
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-  }
-  return false;
-}
 
 function ciRepoInfo() {
   const {
@@ -3809,7 +3446,9 @@ async function coanaFix(fixConfig) {
     return sockSdkCResult;
   }
   const sockSdk = sockSdkCResult.data;
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     return supportedFilesCResult;
   }
@@ -3833,7 +3472,7 @@ async function coanaFix(fixConfig) {
       data: uploadCResult.data
     };
   }
-  const isAll = ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
+  const isAll = !ghsas.length || ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
     const ids = isAll ? ['all'] : ghsas.slice(0, limit);
@@ -3888,7 +3527,7 @@ async function coanaFix(fixConfig) {
     };
   }
   require$$9.debugFn('notice', `fetch: ${ids.length} GHSA details for ${arrays.joinAnd(ids)}`);
-  const ghsaDetails = await fetchGhsaDetails(ids);
+  const ghsaDetails = await utils.fetchGhsaDetails(ids);
   const scanBaseNames = new Set(scanFilepaths.map(p => path.basename(p)));
   require$$9.debugFn('notice', `found: ${ghsaDetails.size} GHSA details`);
   let count = 0;
@@ -3898,18 +3537,18 @@ async function coanaFix(fixConfig) {
   ghsaLoop: for (let i = 0, {
       length
     } = ids; i < length; i += 1) {
-    const id = ids[i];
-    require$$9.debugFn('notice', `check: ${id}`);
+    const ghsaId = ids[i];
+    require$$9.debugFn('notice', `check: ${ghsaId}`);
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', id, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${id}: ${fixCResult.message || 'Unknown error'}`);
+      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || 'Unknown error'}`);
       continue ghsaLoop;
     }
 
@@ -3918,11 +3557,11 @@ async function coanaFix(fixConfig) {
     const unstagedCResult = await utils.gitUnstagedModifiedFiles(cwd);
     const modifiedFiles = unstagedCResult.ok ? unstagedCResult.data.filter(relPath => scanBaseNames.has(path.basename(relPath))) : [];
     if (!modifiedFiles.length) {
-      require$$9.debugFn('notice', `skip: no changes for ${id}`);
+      require$$9.debugFn('notice', `skip: no changes for ${ghsaId}`);
       continue ghsaLoop;
     }
     overallFixed = true;
-    const branch = `socket/fix/${id}`;
+    const branch = getSocketFixBranchName(ghsaId);
     try {
       // Check if branch already exists.
       // eslint-disable-next-line no-await-in-loop
@@ -3930,17 +3569,16 @@ async function coanaFix(fixConfig) {
         require$$9.debugFn('notice', `skip: remote branch "${branch}" exists`);
         continue ghsaLoop;
       }
-      require$$9.debugFn('notice', `pr: creating for ${id}`);
-      const details = ghsaDetails.get(id);
-      const summary = details?.summary;
-      require$$9.debugFn('notice', `ghsa: ${id} details ${details ? 'found' : 'missing'}`);
+      require$$9.debugFn('notice', `pr: creating for ${ghsaId}`);
+      const details = ghsaDetails.get(ghsaId);
+      require$$9.debugFn('notice', `ghsa: ${ghsaId} details ${details ? 'found' : 'missing'}`);
       const pushed =
       // eslint-disable-next-line no-await-in-loop
       (await utils.gitCreateBranch(branch, cwd)) && (
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(branch, cwd)) && (
       // eslint-disable-next-line no-await-in-loop
-      await utils.gitCommit(`fix: ${id}${summary ? ` - ${summary}` : ''}`, modifiedFiles, {
+      await utils.gitCommit(getSocketFixCommitMessage(ghsaId, details), modifiedFiles, {
         cwd,
         email: fixEnv.gitEmail,
         user: fixEnv.gitUser
@@ -3948,7 +3586,7 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitPushBranch(branch, cwd));
       if (!pushed) {
-        logger.logger.warn(`Push failed for ${id}, skipping PR creation.`);
+        logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
         // eslint-disable-next-line no-await-in-loop
         await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
         // eslint-disable-next-line no-await-in-loop
@@ -3960,12 +3598,12 @@ async function coanaFix(fixConfig) {
 
       // Set up git remote.
       // eslint-disable-next-line no-await-in-loop
-      await setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
+      await utils.setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
 
       // eslint-disable-next-line no-await-in-loop
-      const prResponse = await openCoanaPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
+      const prResponse = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
       // Single GHSA ID.
-      [id], {
+      [ghsaId], {
         baseBranch: fixEnv.baseBranch,
         cwd,
         ghsaDetails
@@ -3975,7 +3613,7 @@ async function coanaFix(fixConfig) {
           data
         } = prResponse;
         const prRef = `PR #${data.number}`;
-        logger.logger.success(`Opened ${prRef} for ${id}.`);
+        logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
         if (autoMerge) {
           logger.logger.indent();
           spinner?.indent();
@@ -3983,7 +3621,7 @@ async function coanaFix(fixConfig) {
           const {
             details,
             enabled
-          } = await enablePrAutoMerge(data);
+          } = await utils.enablePrAutoMerge(data);
           if (enabled) {
             logger.logger.info(`Auto-merge enabled for ${prRef}.`);
           } else {
@@ -4001,7 +3639,7 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
-      logger.logger.warn(`Unexpected condition: Push failed for ${id}, skipping PR creation.`);
+      logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
       require$$9.debugDir('inspect', {
         error: e
       });
@@ -4016,822 +3654,13 @@ async function coanaFix(fixConfig) {
       break ghsaLoop;
     }
   }
-  spinner?.stop();
-  return {
-    ok: true,
-    data: {
-      fixed: overallFixed
-    }
-  };
-}
-
-function getPrsForPurl(fixEnv, partialPurl) {
-  if (!fixEnv) {
-    return [];
-  }
-  const prs = [];
-  const partialPurlObj = utils.getPurlObject(partialPurl);
-  const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
-  const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-  for (const pr of fixEnv.prs) {
-    const parsedBranch = genericSocketBranchParser(pr.headRefName);
-    if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-      prs.push(pr);
-    }
-  }
-  if (require$$9.isDebug('notice,silly')) {
-    const fullName = packages.resolvePackageName(partialPurlObj);
-    if (prs.length) {
-      require$$9.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
-      require$$9.debugDir('silly', {
-        prs
-      });
-    } else if (fixEnv.prs.length) {
-      require$$9.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
-    }
-  }
-  return prs;
-}
-
-async function getActualTree(cwd = process.cwd()) {
-  try {
-    // @npmcli/arborist DOES have partial support for pnpm structured node_modules
-    // folders. However, support is iffy resulting in unhappy paths of errors and hangs.
-    // So, to avoid unhappy paths, we restrict our usage to --dry-run loading of the
-    // node_modules folder.
-    const arb = new shadowNpmInject.Arborist({
-      path: cwd,
-      ...shadowNpmInject.SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-    });
-    return {
-      actualTree: await arb.loadActual()
-    };
-  } catch (e) {
-    return {
-      error: e
-    };
-  }
-}
-
-const {
-  BUN: BUN$4,
-  NPM: NPM$4,
-  OVERRIDES: OVERRIDES$1,
-  PNPM: PNPM$4,
-  RESOLUTIONS: RESOLUTIONS$1,
-  VLT: VLT$5,
-  YARN_BERRY: YARN_BERRY$4,
-  YARN_CLASSIC: YARN_CLASSIC$4
-} = constants;
-function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_BERRY$4,
-    overrides
-  };
-}
-
-// npm overrides documentation:
-// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
-function getOverridesDataNpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
-  return {
-    type: NPM$4,
-    overrides
-  };
-}
-
-// pnpm overrides documentation:
-// https://pnpm.io/package_json#pnpmoverrides
-function getOverridesDataPnpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[PNPM$4]?.[OVERRIDES$1] ?? {};
-  return {
-    type: PNPM$4,
-    overrides
-  };
-}
-function getOverridesDataVlt(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
-  return {
-    type: VLT$5,
-    overrides
-  };
-}
-
-// Yarn resolutions documentation:
-// https://yarnpkg.com/configuration/manifest#resolutions
-function getOverridesDataYarn(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_BERRY$4,
-    overrides
-  };
-}
-
-// Yarn resolutions documentation:
-// https://classic.yarnpkg.com/en/docs/selective-version-resolutions
-function getOverridesDataYarnClassic(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
-  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
-  return {
-    type: YARN_CLASSIC$4,
-    overrides
-  };
-}
-function getOverridesData(pkgEnvDetails, pkgJson) {
-  switch (pkgEnvDetails.agent) {
-    case BUN$4:
-      return getOverridesDataBun(pkgEnvDetails, pkgJson);
-    case PNPM$4:
-      return getOverridesDataPnpm(pkgEnvDetails, pkgJson);
-    case VLT$5:
-      return getOverridesDataVlt(pkgEnvDetails, pkgJson);
-    case YARN_BERRY$4:
-      return getOverridesDataYarn(pkgEnvDetails, pkgJson);
-    case YARN_CLASSIC$4:
-      return getOverridesDataYarnClassic(pkgEnvDetails, pkgJson);
-    case NPM$4:
-    default:
-      return getOverridesDataNpm(pkgEnvDetails, pkgJson);
-  }
-}
-
-const noopHandler = () => {};
-async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
-  afterInstall = noopHandler,
-  afterUpdate = noopHandler,
-  beforeInstall = noopHandler,
-  revertInstall = noopHandler
-}, fixConfig) {
-  const {
-    pkgPath: rootPath
-  } = pkgEnvDetails;
-  const fixEnv = await getFixEnv();
-  require$$9.debugDir('inspect', {
-    fixEnv
-  });
-  const {
-    autoMerge,
-    cwd,
-    limit,
-    minSatisfying,
-    prCheck,
-    rangeStyle,
-    spinner,
-    test,
-    testScript
-  } = fixConfig;
-  let count = 0;
-  const infoByPartialPurl = utils.getCveInfoFromAlertsMap(alertsMap, {
-    filter: {
-      upgradable: false
-    }
-  });
-  if (!infoByPartialPurl) {
-    spinner?.stop();
-    logger.logger.info('No fixable vulns found.');
-    if (alertsMap.size) {
-      require$$9.debugDir('inspect', {
-        alertsMap
-      });
-    } else {
-      require$$9.debugFn('inspect', '{ alertsMap: Map(0) {} }');
-    }
-    return {
-      ok: true,
-      data: {
-        fixed: false
-      }
-    };
-  }
-  if (require$$9.isDebug('notice,inspect')) {
-    spinner?.stop();
-    const partialPurls = Array.from(infoByPartialPurl.keys());
-    const {
-      length: purlsCount
-    } = partialPurls;
-    require$$9.debugFn('notice', `found: ${purlsCount} ${words.pluralize('PURL', purlsCount)} with CVEs`);
-    require$$9.debugDir('inspect', {
-      partialPurls
-    });
-    spinner?.start();
-  }
-  const {
-    packumentCache
-  } = constants;
-  const workspacePkgJsonPaths = await utils.globWorkspace(pkgEnvDetails.agent, rootPath);
-  const pkgJsonPaths = [...workspacePkgJsonPaths,
-  // Process the workspace root last since it will add an override to package.json.
-  pkgEnvDetails.editablePkgJson.filename];
-  const sortedInfoEntries = Array.from(infoByPartialPurl.entries()).sort((a, b) => sorts.naturalCompare(a[0], b[0]));
-  const cleanupInfoEntriesLoop = () => {
-    logger.logger.dedent();
-    spinner?.dedent();
-    packumentCache.clear();
-  };
-  const getModifiedFiles = async (cwd = process.cwd()) => {
-    const unstagedCResult = await utils.gitUnstagedModifiedFiles(cwd);
-    return unstagedCResult.ok ? unstagedCResult.data.filter(filepath => {
-      const basename = path.basename(filepath);
-      return basename === 'package.json' || basename === pkgEnvDetails.lockName;
-    }) : [];
-  };
-  const handleInstallFail = error => {
-    cleanupInfoEntriesLoop();
-    spinner?.stop();
-    return {
-      ok: false,
-      message: 'Install failed',
-      cause: `${pkgEnvDetails.agent} install failed${error ? `; ${error}` : ''}`
-    };
-  };
-  const hasModifiedFiles = async (cwd = process.cwd()) => {
-    return (await getModifiedFiles(cwd)).length > 0;
-  };
-  spinner?.stop();
-  infoEntriesLoop: for (let i = 0, {
-      length
-    } = sortedInfoEntries; i < length; i += 1) {
-    const isLastInfoEntry = i === length - 1;
-    const infoEntry = sortedInfoEntries[i];
-    const partialPurlObj = utils.getPurlObject(infoEntry[0]);
-    const name = packages.resolvePackageName(partialPurlObj);
-    const infos = Array.from(infoEntry[1].values());
-    if (!infos.length) {
-      require$$9.debugFn('notice', `miss: CVEs expected, but not found, for ${name}`);
-      continue infoEntriesLoop;
-    }
-    logger.logger.log(`Processing '${name}'`);
-    logger.logger.indent();
-    spinner?.indent();
-    if (registry.getManifestData(partialPurlObj.type, name)) {
-      require$$9.debugFn('notice', `found: Socket Optimize variant for ${name}`);
-    }
-    // eslint-disable-next-line no-await-in-loop
-    const packument = await packages.fetchPackagePackument(name);
-    if (!packument) {
-      logger.logger.warn(`Unexpected condition: No packument found for ${name}.\n`);
-      cleanupInfoEntriesLoop();
-      // Skip to next package.
-      continue infoEntriesLoop;
-    }
-    require$$9.debugDir('inspect', {
-      infos
-    });
-    const availableVersions = Object.keys(packument.versions);
-    const prs = getPrsForPurl(fixEnv, infoEntry[0]);
-    const warningsForAfter = new Set();
-    let changed = false;
-    // eslint-disable-next-line no-unused-labels
-    for (let j = 0, {
-        length: length_j
-      } = pkgJsonPaths; j < length_j; j += 1) {
-      const isLastPkgJsonPath = j === length_j - 1;
-      const pkgJsonPath = pkgJsonPaths[j];
-      const pkgPath = path.dirname(pkgJsonPath);
-      const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
-      const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
-      if (!actualTree) {
-        if (!fixEnv.isCi) {
-          // eslint-disable-next-line no-await-in-loop
-          await utils.removeNodeModules(cwd);
-        }
-        if (fixEnv.isCi && fs$1.existsSync(path.join(rootPath, 'node_modules'))) {
-          // eslint-disable-next-line no-await-in-loop
-          const treeResult = await getActualTree(cwd);
-          const maybeActualTree = treeResult.actualTree;
-          if (!maybeActualTree) {
-            // Exit early if install fails.
-            return handleInstallFail(treeResult.error);
-          }
-          actualTree = maybeActualTree;
-        } else {
-          // eslint-disable-next-line no-await-in-loop
-          const installResult = await installer(pkgEnvDetails, {
-            cwd,
-            spinner
-          });
-          const maybeActualTree = installResult.actualTree;
-          if (!maybeActualTree) {
-            // Exit early if install fails.
-            return handleInstallFail(installResult.error);
-          }
-          actualTree = maybeActualTree;
-        }
-        if (!fs$1.existsSync(pkgEnvDetails.lockPath)) {
-          // Exit early if lockfile is missing.
-          return handleInstallFail(new Error(`Missing lockfile at ${pkgEnvDetails.lockPath}`));
-        }
-      }
-      const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
-      if (!oldVersions.length) {
-        require$$9.debugFn('notice', `skip: ${name} not found`);
-        cleanupInfoEntriesLoop();
-        // Skip to next package.
-        continue infoEntriesLoop;
-      }
-
-      // Always re-read the editable package.json to avoid stale mutations
-      // across iterations.
-      // eslint-disable-next-line no-await-in-loop
-      const editablePkgJson = await packages.readPackageJson(pkgJsonPath, {
-        editable: true
-      });
-      const seenBranches = new Set();
-      const seenVersions = new Set();
-      let hasAnnouncedWorkspace = false;
-      let workspaceLogCallCount = logger.logger.logCallCount;
-      if (require$$9.isDebug('notice')) {
-        require$$9.debugFn('notice', `check: workspace ${workspace}`);
-        hasAnnouncedWorkspace = true;
-        workspaceLogCallCount = logger.logger.logCallCount;
-      }
-      oldVersionsLoop: for (const oldVersion of oldVersions) {
-        const oldId = `${name}@${oldVersion}`;
-        const oldPurl = utils.idToPurl(oldId, partialPurlObj.type);
-        const node = shadowNpmInject.findPackageNode(actualTree, name, oldVersion);
-        if (!node) {
-          require$$9.debugFn('notice', `skip: ${oldId} not found`);
-          continue oldVersionsLoop;
-        }
-        infosLoop: for (const {
-          firstPatchedVersionIdentifier,
-          vulnerableVersionRange
-        } of infos) {
-          const newVersion = shadowNpmInject.findBestPatchVersion(node, availableVersions, {
-            minSatisfying,
-            vulnerableVersionRange
-          });
-          const newVersionPackument = newVersion ? packument.versions[newVersion] : undefined;
-          if (!(newVersion && newVersionPackument)) {
-            warningsForAfter.add(`${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`);
-            continue infosLoop;
-          }
-          if (seenVersions.has(newVersion)) {
-            continue infosLoop;
-          }
-          if (vendor.semverExports.gte(oldVersion, newVersion)) {
-            require$$9.debugFn('silly', `skip: ${oldId} is >= ${newVersion}`);
-            continue infosLoop;
-          }
-          const branch = getSocketBranchName(oldPurl, newVersion, workspace);
-          if (seenBranches.has(branch)) {
-            continue infosLoop;
-          }
-          const pr = prCheck ? prs.find(p => p.headRefName === branch) : undefined;
-          if (pr) {
-            require$$9.debugFn('notice', `skip: PR #${pr.number} for ${name}@${newVersion} exists`);
-            seenBranches.add(branch);
-            continue infosLoop;
-          }
-          if (fixEnv.isCi && (
-          // eslint-disable-next-line no-await-in-loop
-          await utils.gitRemoteBranchExists(branch, cwd))) {
-            require$$9.debugFn('notice', `skip: remote branch "${branch}" for ${name}@${newVersion} exists`);
-            seenBranches.add(branch);
-            continue infosLoop;
-          }
-          const {
-            overrides: oldOverrides
-          } = getOverridesData(pkgEnvDetails, editablePkgJson.content);
-          let refRange = oldOverrides?.[`${name}@${vulnerableVersionRange}`];
-          if (!strings.isNonEmptyString(refRange)) {
-            refRange = oldOverrides?.[name];
-          }
-          if (!strings.isNonEmptyString(refRange)) {
-            refRange = oldVersion;
-          }
-
-          // eslint-disable-next-line no-await-in-loop
-          await beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-          shadowNpmInject.updatePackageJsonFromNode(editablePkgJson, actualTree, node, newVersion, rangeStyle);
-
-          // eslint-disable-next-line no-await-in-loop
-          await editablePkgJson.save({
-            ignoreWhitespace: true
-          });
-
-          // eslint-disable-next-line no-await-in-loop
-          await afterUpdate(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-
-          // eslint-disable-next-line no-await-in-loop
-          if (!(await hasModifiedFiles(cwd))) {
-            require$$9.debugFn('notice', `skip: no changes for ${name}@${newVersion}`);
-            seenVersions.add(newVersion);
-            // Reset things just in case.
-            if (fixEnv.isCi) {
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-            }
-            continue infosLoop;
-          }
-          spinner?.start();
-          if (!hasAnnouncedWorkspace) {
-            hasAnnouncedWorkspace = true;
-            workspaceLogCallCount = logger.logger.logCallCount;
-          }
-          const newId = `${name}@${utils.applyRange(refRange, newVersion, rangeStyle)}`;
-          spinner?.info(`Installing ${newId} in ${workspace}.`);
-          let error;
-          let errored = false;
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            const installResult = await installer(pkgEnvDetails, {
-              cwd,
-              spinner
-            });
-            const maybeActualTree = installResult.actualTree;
-            if (!maybeActualTree) {
-              errored = true;
-              error = installResult.error;
-            } else if (!fs$1.existsSync(pkgEnvDetails.lockPath)) {
-              errored = true;
-              error = new Error(`Missing lockfile at ${pkgEnvDetails.lockPath}`);
-            } else {
-              actualTree = maybeActualTree;
-              // eslint-disable-next-line no-await-in-loop
-              await afterInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-              if (test) {
-                spinner?.info(`Testing ${newId} in ${workspace}.`);
-                // eslint-disable-next-line no-await-in-loop
-                await npm.runNpmScript(testScript, [], {
-                  spinner,
-                  stdio: 'ignore'
-                });
-              }
-              spinner?.success(`Fixed ${name} in ${workspace}.`);
-              seenVersions.add(newVersion);
-            }
-          } catch (e) {
-            error = e;
-            errored = true;
-          }
-          spinner?.stop();
-
-          // Check repoInfo to make TypeScript happy.
-          if (!errored && fixEnv.isCi && fixEnv.repoInfo) {
-            require$$9.debugFn('notice', 'pr: creating');
-            try {
-              const pushed =
-              // eslint-disable-next-line no-await-in-loop
-              (await utils.gitCreateBranch(branch, cwd)) && (
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitCheckoutBranch(branch, cwd)) && (
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitCommit(getSocketCommitMessage(oldPurl, newVersion, workspace),
-              // eslint-disable-next-line no-await-in-loop
-              await getModifiedFiles(cwd), {
-                cwd,
-                email: fixEnv.gitEmail,
-                user: fixEnv.gitUser
-              })) && (
-              // eslint-disable-next-line no-await-in-loop
-              await utils.gitPushBranch(branch, cwd));
-              if (!pushed) {
-                logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
-                // eslint-disable-next-line no-await-in-loop
-                await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                await utils.gitDeleteBranch(branch, cwd);
-                // eslint-disable-next-line no-await-in-loop
-                const installResult = await installer(pkgEnvDetails, {
-                  cwd,
-                  spinner
-                });
-                const maybeActualTree = installResult.actualTree;
-                if (!maybeActualTree) {
-                  // Exit early if install fails.
-                  return handleInstallFail(installResult.error);
-                }
-                if (!fs$1.existsSync(pkgEnvDetails.lockPath)) {
-                  // Exit early if lockfile is missing.
-                  return handleInstallFail(new Error(`Missing lockfile at ${pkgEnvDetails.lockPath}`));
-                }
-                actualTree = maybeActualTree;
-                continue infosLoop;
-              }
-              seenBranches.add(branch);
-
-              // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd), cleanupPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
-                newVersion,
-                purl: oldPurl,
-                workspace
-              })]);
-              // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch: fixEnv.baseBranch,
-                cwd,
-                workspace
-              });
-              if (prResponse) {
-                const {
-                  data
-                } = prResponse;
-                const prRef = `PR #${data.number}`;
-                logger.logger.success(`Opened ${prRef}.`);
-                if (autoMerge) {
-                  logger.logger.indent();
-                  spinner?.indent();
-                  // eslint-disable-next-line no-await-in-loop
-                  const {
-                    details,
-                    enabled
-                  } = await enablePrAutoMerge(data);
-                  if (enabled) {
-                    logger.logger.info(`Auto-merge enabled for ${prRef}.`);
-                  } else {
-                    const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
-                    logger.logger.error(message);
-                  }
-                  logger.logger.dedent();
-                  spinner?.dedent();
-                }
-              }
-            } catch (e) {
-              error = e;
-              errored = true;
-            }
-          } else if (fixEnv.isCi) {
-            require$$9.debugFn('notice', 'skip: PR creation');
-          }
-          if (fixEnv.isCi) {
-            spinner?.start();
-            // eslint-disable-next-line no-await-in-loop
-            await utils.gitResetAndClean(branch, cwd);
-            // eslint-disable-next-line no-await-in-loop
-            await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-            // eslint-disable-next-line no-await-in-loop
-            const installResult = await installer(pkgEnvDetails, {
-              cwd,
-              spinner
-            });
-            spinner?.stop();
-            const maybeActualTree = installResult.actualTree;
-            if (maybeActualTree) {
-              actualTree = maybeActualTree;
-            } else {
-              errored = true;
-              error = installResult.error;
-            }
-          }
-          if (errored) {
-            if (!fixEnv.isCi) {
-              spinner?.start();
-              // eslint-disable-next-line no-await-in-loop
-              await revertInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
-              // eslint-disable-next-line no-await-in-loop
-              await Promise.all([utils.removeNodeModules(cwd), editablePkgJson.save({
-                ignoreWhitespace: true
-              })]);
-              // eslint-disable-next-line no-await-in-loop
-              const installResult = await installer(pkgEnvDetails, {
-                cwd,
-                spinner
-              });
-              spinner?.stop();
-              const maybeActualTree = installResult.actualTree;
-              if (!maybeActualTree) {
-                // Exit early if install fails.
-                return handleInstallFail(installResult.error);
-              }
-              actualTree = maybeActualTree;
-            }
-            return {
-              ok: false,
-              message: 'Update failed',
-              cause: `Update failed for ${oldId} in ${workspace}${error ? `; ${error}` : ''}`
-            };
-          } else {
-            changed = true;
-          }
-          require$$9.debugFn('notice', 'increment: count', count + 1);
-          if (++count >= limit) {
-            cleanupInfoEntriesLoop();
-            // Exit main loop.
-            break infoEntriesLoop;
-          }
-        }
-      }
-      if (!isLastPkgJsonPath && logger.logger.logCallCount > workspaceLogCallCount) {
-        logger.logger.logNewline();
-      }
-    }
-    for (const warningText of warningsForAfter) {
-      logger.logger.warn(warningText);
-    }
-    if (!changed && !warningsForAfter.size) {
-      logger.logger.info('No vulnerable versions found.');
-    }
-    if (!isLastInfoEntry) {
-      logger.logger.logNewline();
-    }
-    cleanupInfoEntriesLoop();
-  }
-  spinner?.stop();
-
-  // Or, did we change anything?
-  return {
-    ok: true,
-    data: {
-      fixed: true
-    }
-  };
-}
-
-const CMD_NAME$s = 'socket fix';
-function getFixAlertsMapOptions(options = {}) {
-  return {
-    __proto__: null,
-    consolidate: true,
-    nothrow: true,
-    onlyFixable: true,
-    ...options,
-    filter: utils.toFilterConfig({
-      existing: true,
-      ...require$$10.getOwn(options, 'filter')
-    })
-  };
-}
-
-async function install$1(pkgEnvDetails, options) {
-  const {
-    args: extraArgs,
-    cwd,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const useDebug = require$$9.isDebug('stdio');
-  const args = [
-  // If "true", npm does not run scripts specified in package.json files.
-  // Note that commands explicitly intended to run a particular script, such
-  // as `npm start`, `npm stop`, `npm restart`, `npm test`, and `npm run` will
-  // still run their intended script if `ignore-scripts` is set, but they will
-  // not run any pre- or post-scripts.
-  // https://docs.npmjs.com/cli/v11/commands/npm-install#ignore-scripts
-  '--ignore-scripts',
-  // When "true" submit audit reports alongside the current npm command to the
-  // default registry and all registries configured for scopes. See the
-  // documentation for `npm audit` for details on what is submitted.
-  // https://docs.npmjs.com/cli/v11/commands/npm-install#audit
-  '--no-audit',
-  // When "true" displays the message at the end of each `npm install` acknowledging
-  // the number of dependencies looking for funding. See `npm fund` for details.
-  // https://docs.npmjs.com/cli/v11/commands/npm-install#fund
-  '--no-fund',
-  // When set to "true", npm will display a progress bar during time intensive
-  // operations, if `process.stderr` is a TTY. Set to "false" to suppress the
-  // progress bar.
-  // https://docs.npmjs.com/cli/v8/using-npm/config#progress
-  '--no-progress',
-  // What level of logs to report. All logs are written to a debug log, with
-  // the path to that file printed if the execution of a command fails. The
-  // default is "notice".
-  // https://docs.npmjs.com/cli/v8/using-npm/config#loglevel
-  ...(useDebug ? [] : ['--silent']), ...(extraArgs ?? [])];
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.stop();
-  const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await utils.runAgentInstall(pkgEnvDetails, {
-      args,
-      spinner,
-      stdio: useDebug ? 'inherit' : 'ignore'
-    });
-  } catch (error) {
-    const result = {
-      error
-    };
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', result);
-    return result;
-  }
-  const treeResult = await getActualTree(cwd);
-  if (treeResult.actualTree) {
-    if (wasSpinning) {
-      spinner.start();
-    }
-    return treeResult;
-  }
-  require$$9.debugFn('error', 'caught: await arb.loadActual() error');
-  require$$9.debugDir('inspect', treeResult);
-  if (wasSpinning) {
-    spinner.start();
-  }
-  return treeResult;
-}
-async function npmFix(pkgEnvDetails, fixConfig) {
-  const {
-    purls,
-    spinner
-  } = fixConfig;
-  spinner?.start();
-  const flatConfig = await utils.getNpmConfig({
-    npmVersion: pkgEnvDetails.agentVersion
-  });
-  let actualTree;
-  let alertsMap;
-  try {
-    if (purls.length) {
-      alertsMap = await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions());
-    } else {
-      let arb;
-      try {
-        arb = new shadowNpmInject.Arborist({
-          path: pkgEnvDetails.pkgPath,
-          ...flatConfig,
-          ...shadowNpmInject.SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-        });
-        // Calling arb.reify() creates the arb.diff object, nulls-out arb.idealTree,
-        // and populates arb.actualTree.
-        actualTree = await arb.reify();
-      } catch (e) {
-        spinner?.stop();
-        require$$9.debugFn('error', 'caught: await arb.reify() error');
-        require$$9.debugDir('inspect', {
-          error: e
-        });
-        return {
-          ok: false,
-          message: 'npm error',
-          cause: e?.message || 'Unknown npm error.'
-        };
-      }
-      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getFixAlertsMapOptions());
-    }
-  } catch (e) {
-    spinner?.stop();
-    require$$9.debugFn('error', 'caught: Socket batch PURL API error');
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-    return {
-      ok: false,
-      message: 'Socket API error',
-      cause: e?.message || 'Unknown Socket batch PURL API error.'
-    };
-  }
-  let revertData;
-  return await agentFix(pkgEnvDetails, actualTree, alertsMap, install$1, {
-    async beforeInstall(editablePkgJson) {
-      revertData = {
-        // Track existing dependencies in the root package.json to revert to later.
-        ...(editablePkgJson.content.dependencies && {
-          dependencies: {
-            ...editablePkgJson.content.dependencies
-          }
-        }),
-        ...(editablePkgJson.content.optionalDependencies && {
-          optionalDependencies: {
-            ...editablePkgJson.content.optionalDependencies
-          }
-        }),
-        ...(editablePkgJson.content.peerDependencies && {
-          peerDependencies: {
-            ...editablePkgJson.content.peerDependencies
-          }
-        })
-      };
-    },
-    async afterUpdate(editablePkgJson, packument, oldVersion, newVersion) {
-      // Exit early if not the root workspace.
-      if (editablePkgJson.filename !== pkgEnvDetails.editablePkgJson.filename) {
-        return;
-      }
-      // Update package-lock.json using @npmcli/arborist.
-      const arb = new shadowNpmInject.Arborist({
-        path: pkgEnvDetails.pkgPath,
-        ...flatConfig,
-        ...shadowNpmInject.SAFE_WITH_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-      });
-      // Build the ideal tree of nodes that are used to generated the saved
-      // package-lock.json
-      const idealTree = await arb.buildIdealTree();
-      const node = shadowNpmInject.findPackageNode(idealTree, packument.name, oldVersion);
-      if (node) {
-        // Update the ideal tree node.
-        shadowNpmInject.updateNode(node, newVersion, packument.versions[newVersion]);
-        // Save package-lock.json lockfile.
-        await arb.reify();
-      }
-    },
-    async revertInstall(editablePkgJson) {
-      if (revertData) {
-        // Revert package.json.
-        editablePkgJson.update(revertData);
-        await editablePkgJson.save({
-          ignoreWhitespace: true
-        });
-      }
+  spinner?.stop();
+  return {
+    ok: true,
+    data: {
+      fixed: overallFixed
     }
-  }, fixConfig);
+  };
 }
 
 async function outputFixResult(result, outputKind) {
@@ -4850,216 +3679,6 @@ async function outputFixResult(result, outputKind) {
   logger.logger.success('Finished!');
 }
 
-async function install(pkgEnvDetails, options) {
-  const {
-    args: extraArgs,
-    cwd,
-    spinner
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const args = [
-  // Do not execute any scripts defined in the project package.json and its dependencies.
-  // https://pnpm.io/9.x/cli/install#--ignore-scripts
-  '--ignore-scripts',
-  // Enable pnpm updates to pnpm-lock.yaml in CI environments.
-  // https://pnpm.io/cli/install#--frozen-lockfile
-  '--no-frozen-lockfile',
-  // Enable a non-interactive pnpm install
-  // https://github.com/pnpm/pnpm/issues/6778
-  '--config.confirmModulesPurge=false', ...(extraArgs ?? [])];
-  const wasSpinning = !!spinner?.isSpinning;
-  spinner?.stop();
-  const quotedCmd = `\`${pkgEnvDetails.agent} install ${args.join(' ')}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await utils.runAgentInstall(pkgEnvDetails, {
-      args,
-      spinner,
-      stdio: require$$9.isDebug('stdio') ? 'inherit' : 'ignore'
-    });
-  } catch (error) {
-    const result = {
-      error
-    };
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', result);
-    return result;
-  }
-  const treeResult = await getActualTree(cwd);
-  if (treeResult.actualTree) {
-    if (wasSpinning) {
-      spinner.start();
-    }
-    return treeResult;
-  }
-  require$$9.debugFn('error', 'caught: await arb.loadActual() error');
-  require$$9.debugDir('inspect', treeResult);
-  if (wasSpinning) {
-    spinner.start();
-  }
-  return treeResult;
-}
-async function pnpmFix(pkgEnvDetails, fixConfig) {
-  const {
-    cwd,
-    purls,
-    spinner
-  } = fixConfig;
-  spinner?.start();
-  let actualTree;
-  let lockSrc = pkgEnvDetails.lockSrc;
-  let lockfile = utils.parsePnpmLockfile(lockSrc);
-  // Update pnpm-lock.yaml if its version is older than what the installed pnpm
-  // produces.
-  if (pkgEnvDetails.agentVersion.major >= 10 && (utils.parsePnpmLockfileVersion(lockfile?.lockfileVersion)?.major ?? 0) <= 6) {
-    const installResult = await install(pkgEnvDetails, {
-      args: ['--lockfile-only'],
-      cwd,
-      spinner
-    });
-    const maybeActualTree = installResult.actualTree;
-    if (maybeActualTree) {
-      lockSrc = (await utils.readLockfile(pkgEnvDetails.lockPath)) ?? '';
-    } else {
-      lockSrc = '';
-    }
-    if (lockSrc) {
-      actualTree = maybeActualTree;
-      lockfile = utils.parsePnpmLockfile(lockSrc);
-    } else {
-      lockfile = null;
-    }
-  }
-
-  // Exit early if pnpm-lock.yaml is not found or usable.
-  // Check !lockSrc to make TypeScript happy.
-  if (!lockfile || !lockSrc) {
-    spinner?.stop();
-    return {
-      ok: false,
-      message: 'Missing lockfile',
-      cause: 'Required pnpm-lock.yaml not found or usable'
-    };
-  }
-  let alertsMap;
-  try {
-    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions()) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getFixAlertsMapOptions());
-  } catch (e) {
-    spinner?.stop();
-    require$$9.debugFn('error', 'caught: Socket batch PURL API error');
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-    return {
-      ok: false,
-      message: 'Socket API error',
-      cause: e?.message || 'Unknown Socket batch PURL API error.'
-    };
-  }
-  let revertData;
-  let revertOverrides;
-  let revertOverridesSrc = '';
-  return await agentFix(pkgEnvDetails, actualTree, alertsMap, install, {
-    async beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, options) {
-      lockSrc = (await utils.readLockfile(pkgEnvDetails.lockPath)) ?? '';
-
-      // Update overrides for the root workspace.
-      if (editablePkgJson.filename === pkgEnvDetails.editablePkgJson.filename) {
-        const {
-          overrides: oldOverrides
-        } = getOverridesDataPnpm(pkgEnvDetails, editablePkgJson.content);
-        const oldPnpmSection = editablePkgJson.content['pnpm'];
-        const overrideKey = `${packument.name}@${vulnerableVersionRange}`;
-        revertOverridesSrc = utils.extractOverridesFromPnpmLockSrc(lockSrc);
-        // Track existing overrides in the root package.json to revert to later.
-        revertOverrides = {
-          pnpm: oldPnpmSection ? {
-            ...oldPnpmSection,
-            overrides: require$$10.hasKeys(oldOverrides) ? {
-              ...oldOverrides,
-              [overrideKey]: undefined
-            } :
-            // Properties with undefined values are deleted when saved as JSON.
-            undefined
-          } :
-          // Properties with undefined values are deleted when saved as JSON.
-          undefined
-        };
-        // Update overrides in the root package.json so that when `pnpm install`
-        // generates pnpm-lock.yaml it updates transitive dependencies too.
-        editablePkgJson.update({
-          pnpm: {
-            ...oldPnpmSection,
-            overrides: {
-              ...oldOverrides,
-              [overrideKey]: utils.applyRange(oldOverrides?.[overrideKey] ?? oldVersion, newVersion, options.rangeStyle)
-            }
-          }
-        });
-      } else {
-        revertOverrides = undefined;
-        revertOverridesSrc = '';
-      }
-      revertData = {
-        // If "pnpm" or "pnpm.overrides" fields are undefined they will be
-        // deleted when saved.
-        ...revertOverrides,
-        // Track existing dependencies in the root package.json to revert to later.
-        ...(editablePkgJson.content.dependencies && {
-          dependencies: {
-            ...editablePkgJson.content.dependencies
-          }
-        }),
-        ...(editablePkgJson.content.optionalDependencies && {
-          optionalDependencies: {
-            ...editablePkgJson.content.optionalDependencies
-          }
-        }),
-        ...(editablePkgJson.content.peerDependencies && {
-          peerDependencies: {
-            ...editablePkgJson.content.peerDependencies
-          }
-        })
-      };
-    },
-    async afterInstall(editablePkgJson) {
-      if (revertOverrides) {
-        // Revert overrides metadata in package.json now that pnpm-lock.yaml
-        // has been updated.
-        editablePkgJson.update(revertOverrides);
-        await editablePkgJson.save({
-          ignoreWhitespace: true
-        });
-      }
-      lockSrc = (await utils.readLockfile(pkgEnvDetails.lockPath)) ?? '';
-      // Remove "overrides" block from pnpm-lock.yaml lockfile when processing
-      // the root workspace.
-      if (editablePkgJson.filename === pkgEnvDetails.editablePkgJson.filename) {
-        const updatedOverridesContent = utils.extractOverridesFromPnpmLockSrc(lockSrc);
-        if (updatedOverridesContent) {
-          // Remove "overrides" block from pnpm-lock.yaml lockfile.
-          lockSrc = lockSrc.replace(updatedOverridesContent, revertOverridesSrc);
-          // Save pnpm-lock.yaml lockfile.
-          await fs$1.promises.writeFile(pkgEnvDetails.lockPath, lockSrc, 'utf8');
-        }
-      }
-    },
-    async revertInstall(editablePkgJson) {
-      if (revertData) {
-        // Revert package.json.
-        editablePkgJson.update(revertData);
-        await editablePkgJson.save({
-          ignoreWhitespace: true
-        });
-        // Revert pnpm-lock.yaml lockfile to be on the safe side.
-        await fs$1.promises.writeFile(pkgEnvDetails.lockPath, lockSrc, 'utf8');
-      }
-    }
-  }, fixConfig);
-}
-
 async function handleFix({
   autoMerge,
   cwd,
@@ -5076,70 +3695,14 @@ async function handleFix({
   testScript,
   unknownFlags
 }) {
-  if (ghsas.length) {
-    await outputFixResult(await coanaFix({
-      autoMerge,
-      cwd,
-      ghsas,
-      limit,
-      orgSlug,
-      rangeStyle,
-      spinner,
-      unknownFlags
-    }), outputKind);
-    return;
-  }
-  const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$s,
-    logger: logger.logger
-  });
-  if (!pkgEnvCResult.ok) {
-    await outputFixResult(pkgEnvCResult, outputKind);
-    return;
-  }
-  const {
-    data: pkgEnvDetails
-  } = pkgEnvCResult;
-  if (!pkgEnvDetails) {
-    await outputFixResult({
-      ok: false,
-      message: 'No package found.',
-      cause: `No valid package environment found for project path: ${cwd}`
-    }, outputKind);
-    return;
-  }
-  require$$9.debugDir('inspect', {
-    pkgEnvDetails
-  });
-  const {
-    agent,
-    agentVersion
-  } = pkgEnvDetails;
-  const isNpm = agent === 'npm';
-  const isPnpm = agent === 'pnpm';
-  if (!isNpm && !isPnpm) {
-    await outputFixResult({
-      ok: false,
-      message: 'Not supported.',
-      cause: `${agent} v${agentVersion} is not supported by this command.`
-    }, outputKind);
-    return;
-  }
-  logger.logger.info(`Fixing packages for ${agent} v${agentVersion}.\n`);
-  const fixer = isNpm ? npmFix : pnpmFix;
-  await outputFixResult(await fixer(pkgEnvDetails, {
+  await outputFixResult(await coanaFix({
     autoMerge,
     cwd,
     ghsas,
     limit,
-    minSatisfying,
     orgSlug,
-    prCheck,
-    purls,
     rangeStyle,
     spinner,
-    test,
-    testScript,
     unknownFlags
   }), outputKind);
 }
@@ -5171,14 +3734,14 @@ async function run$I(argv, importMeta, {
       autopilot: {
         type: 'boolean',
         default: false,
-        description: `Shorthand for --auto-merge --test`
+        description: `Shorthand for --auto-merge --test`,
+        hidden: true
       },
-      ghsa: {
+      id: {
         type: 'string',
         default: [],
-        description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags.\nUse '--ghsa all' to lookup all GHSA IDs and compute fixes for them.`,
-        isMultiple: true,
-        hidden: true
+        description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+        isMultiple: true
       },
       limit: {
         type: 'number',
@@ -5194,7 +3757,8 @@ async function run$I(argv, importMeta, {
       minSatisfying: {
         type: 'boolean',
         default: false,
-        description: 'Constrain dependency updates to the minimum satisfying version'
+        description: 'Constrain dependency updates to the minimum satisfying version',
+        hidden: true
       },
       prCheck: {
         type: 'boolean',
@@ -5207,7 +3771,8 @@ async function run$I(argv, importMeta, {
         default: [],
         description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\nmultiple flags, instead of querying the Socket API`,
         isMultiple: true,
-        shortFlag: 'p'
+        shortFlag: 'p',
+        hidden: true
       },
       rangeStyle: {
         type: 'string',
@@ -5228,12 +3793,14 @@ Available styles:
       test: {
         type: 'boolean',
         default: false,
-        description: 'Verify the fix by running unit tests'
+        description: 'Verify the fix by running unit tests',
+        hidden: true
       },
       testScript: {
         type: 'string',
         default: 'test',
-        description: "The test script to run for fix attempts (default 'test')"
+        description: "The test script to run for fix attempts (default 'test')",
+        hidden: true
       }
     },
     help: (command, config) => `
@@ -7668,12 +6235,12 @@ async function run$t(argv, importMeta, {
 }
 
 const {
-  BUN: BUN$3,
-  NPM: NPM$3,
-  PNPM: PNPM$3,
-  VLT: VLT$4,
-  YARN_BERRY: YARN_BERRY$3,
-  YARN_CLASSIC: YARN_CLASSIC$3
+  BUN: BUN$4,
+  NPM: NPM$4,
+  PNPM: PNPM$4,
+  VLT: VLT$5,
+  YARN_BERRY: YARN_BERRY$4,
+  YARN_CLASSIC: YARN_CLASSIC$4
 } = constants;
 function matchLsCmdViewHumanStdout(stdout, name) {
   return stdout.includes(` ${name}@`);
@@ -7683,13 +6250,13 @@ function matchQueryCmdStdout(stdout, name) {
 }
 function lsStdoutIncludes(pkgEnvDetails, stdout, name) {
   switch (pkgEnvDetails.agent) {
-    case BUN$3:
-    case YARN_BERRY$3:
-    case YARN_CLASSIC$3:
+    case BUN$4:
+    case YARN_BERRY$4:
+    case YARN_CLASSIC$4:
       return matchLsCmdViewHumanStdout(stdout, name);
-    case PNPM$3:
-    case VLT$4:
-    case NPM$3:
+    case PNPM$4:
+    case VLT$5:
+    case NPM$4:
     default:
       return matchQueryCmdStdout(stdout, name);
   }
@@ -7719,6 +6286,88 @@ function getDependencyEntries(pkgEnvDetails) {
   }) => o);
 }
 
+const {
+  BUN: BUN$3,
+  NPM: NPM$3,
+  OVERRIDES: OVERRIDES$1,
+  PNPM: PNPM$3,
+  RESOLUTIONS: RESOLUTIONS$1,
+  VLT: VLT$4,
+  YARN_BERRY: YARN_BERRY$3,
+  YARN_CLASSIC: YARN_CLASSIC$3
+} = constants;
+function getOverridesDataBun(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_BERRY$3,
+    overrides
+  };
+}
+
+// npm overrides documentation:
+// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
+function getOverridesDataNpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
+  return {
+    type: NPM$3,
+    overrides
+  };
+}
+
+// pnpm overrides documentation:
+// https://pnpm.io/package_json#pnpmoverrides
+function getOverridesDataPnpm(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[PNPM$3]?.[OVERRIDES$1] ?? {};
+  return {
+    type: PNPM$3,
+    overrides
+  };
+}
+function getOverridesDataVlt(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[OVERRIDES$1] ?? {};
+  return {
+    type: VLT$4,
+    overrides
+  };
+}
+
+// Yarn resolutions documentation:
+// https://yarnpkg.com/configuration/manifest#resolutions
+function getOverridesDataYarn(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_BERRY$3,
+    overrides
+  };
+}
+
+// Yarn resolutions documentation:
+// https://classic.yarnpkg.com/en/docs/selective-version-resolutions
+function getOverridesDataYarnClassic(pkgEnvDetails, pkgJson = pkgEnvDetails.editablePkgJson.content) {
+  const overrides = pkgJson?.[RESOLUTIONS$1] ?? {};
+  return {
+    type: YARN_CLASSIC$3,
+    overrides
+  };
+}
+function getOverridesData(pkgEnvDetails, pkgJson) {
+  switch (pkgEnvDetails.agent) {
+    case BUN$3:
+      return getOverridesDataBun(pkgEnvDetails, pkgJson);
+    case PNPM$3:
+      return getOverridesDataPnpm(pkgEnvDetails, pkgJson);
+    case VLT$4:
+      return getOverridesDataVlt(pkgEnvDetails, pkgJson);
+    case YARN_BERRY$3:
+      return getOverridesDataYarn(pkgEnvDetails, pkgJson);
+    case YARN_CLASSIC$3:
+      return getOverridesDataYarnClassic(pkgEnvDetails, pkgJson);
+    case NPM$3:
+    default:
+      return getOverridesDataNpm(pkgEnvDetails, pkgJson);
+  }
+}
+
 const {
   BUN: BUN$2,
   LOCK_EXT,
@@ -7994,8 +6643,8 @@ function updatePkgJsonField(editablePkgJson, field, value) {
   if (oldValue) {
     // The field already exists so we simply update the field value.
     if (field === PNPM) {
-      const isPnpmObj = require$$10.isObject(oldValue);
-      if (require$$10.hasKeys(value)) {
+      const isPnpmObj = require$$11.isObject(oldValue);
+      if (require$$11.hasKeys(value)) {
         editablePkgJson.update({
           [field]: {
             ...(isPnpmObj ? oldValue : {}),
@@ -8007,7 +6656,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
         });
       } else {
         // Properties with undefined values are deleted when saved as JSON.
-        editablePkgJson.update(require$$10.hasKeys(oldValue) ? {
+        editablePkgJson.update(require$$11.hasKeys(oldValue) ? {
           [field]: {
             ...(isPnpmObj ? oldValue : {}),
             overrides: undefined
@@ -8019,7 +6668,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     } else if (field === OVERRIDES || field === RESOLUTIONS) {
       // Properties with undefined values are deleted when saved as JSON.
       editablePkgJson.update({
-        [field]: require$$10.hasKeys(value) ? value : undefined
+        [field]: require$$11.hasKeys(value) ? value : undefined
       });
     } else {
       editablePkgJson.update({
@@ -8028,7 +6677,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     }
     return;
   }
-  if ((field === OVERRIDES || field === PNPM || field === RESOLUTIONS) && !require$$10.hasKeys(value)) {
+  if ((field === OVERRIDES || field === PNPM || field === RESOLUTIONS) && !require$$11.hasKeys(value)) {
     return;
   }
   // Since the field doesn't exist we want to insert it into the package.json
@@ -8160,7 +6809,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   let loggedAddingText = false;
 
   // Chunk package names to process them in parallel 3 at a time.
-  await require$$11.pEach(manifestEntries, async ({
+  await require$$12.pEach(manifestEntries, async ({
     1: data
   }) => {
     const {
@@ -8174,11 +6823,11 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
     for (const {
       1: depObj
     } of depEntries) {
-      const sockSpec = require$$10.hasOwn(depObj, sockRegPkgName) ? depObj[sockRegPkgName] : undefined;
+      const sockSpec = require$$11.hasOwn(depObj, sockRegPkgName) ? depObj[sockRegPkgName] : undefined;
       if (sockSpec) {
         depAliasMap.set(sockRegPkgName, sockSpec);
       }
-      const origSpec = require$$10.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
+      const origSpec = require$$11.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
       if (origSpec) {
         let thisSpec = origSpec;
         // Add package aliases for direct dependencies to avoid npm EOVERRIDE
@@ -8214,11 +6863,11 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         npmExecPath
       });
       // Chunk package names to process them in parallel 3 at a time.
-      await require$$11.pEach(overridesDataObjects, async ({
+      await require$$12.pEach(overridesDataObjects, async ({
         overrides,
         type
       }) => {
-        const overrideExists = require$$10.hasOwn(overrides, origPkgName);
+        const overrideExists = require$$11.hasOwn(overrides, origPkgName);
         if (overrideExists || thingScanner(pkgEnvDetails, thingToScan, origPkgName, lockName)) {
           const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
           const origDepAlias = depAliasMap.get(origPkgName);
@@ -8272,7 +6921,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   });
   if (isWorkspace) {
     // Chunk package names to process them in parallel 3 at a time.
-    await require$$11.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
+    await require$$12.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
       const otherState = await addOverrides(pkgEnvDetails, path.dirname(workspacePkgJsonPath), {
         logger,
         pin,
@@ -8295,7 +6944,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         overrides,
         type
       } of overridesDataObjects) {
-        updateManifest(type, pkgEnvDetails.editablePkgJson, require$$10.toSortedObject(overrides));
+        updateManifest(type, pkgEnvDetails.editablePkgJson, require$$11.toSortedObject(overrides));
       }
     }
     await pkgEnvDetails.editablePkgJson.save();
@@ -13413,8 +12062,14 @@ async function handleScanReach({
   reachabilityOptions,
   targets
 }) {
+  const {
+    spinner
+  } = constants;
+
   // Get supported file names
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     await outputScanReach(supportedFilesCResult, {
       cwd,
@@ -13422,9 +12077,6 @@ async function handleScanReach({
     });
     return;
   }
-  const {
-    spinner
-  } = constants;
   spinner.start('Searching for local manifest files to include in reachability analysis...');
   const supportedFiles = supportedFilesCResult.data;
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
@@ -15350,5 +14002,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=6b91ffac-2883-43db-b1da-8c6b087473f4
+//# debugId=11a3cbfe-6b5a-4bf7-afd9-6885b9deef59
 //# sourceMappingURL=cli.js.map