socket 1.0.21 → 1.0.23

package/dist/cli.js

@@ -22,8 +22,8 @@ var sorts = require('../external/@socketsecurity/registry/lib/sorts');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var shadowNpmInject = require('./shadow-npm-inject.js');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
+var shadowNpmInject = require('./shadow-npm-inject.js');
 var objects = require('../external/@socketsecurity/registry/lib/objects');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var require$$7 = require('../external/@socketsecurity/registry/lib/promises');
@@ -333,7 +333,7 @@ const config$P = {
     The TIME argument must be number 7, 30, or 90 and defaults to 30.
 
     Options
-      ${utils.getFlagListOutput(flags, 6)}
+      ${utils.getFlagListOutput(flags)}
 
     Examples
       $ ${command} org 7
@@ -591,7 +591,10 @@ ${table}
   } catch (e) {
     process.exitCode = 1;
     logger.logger.fail('There was a problem converting the logs to Markdown, please try the `--json` flag');
-    debug.debugFn('catch: unexpected\n', e);
+    debug.debugFn('error', 'caught: unexpected error');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return 'Failed to generate the markdown report';
   }
 }
@@ -776,7 +779,7 @@ const config$O = {
     The page arg should be a positive integer, offset 1. Defaults to 1.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -863,7 +866,7 @@ async function run$O(argv, importMeta, {
 async function getDefaultOrgSlug() {
   const defaultOrgResult = utils.getConfigValueOrUndef('defaultOrg');
   if (defaultOrgResult) {
-    debug.debugFn('use: default org', defaultOrgResult);
+    debug.debugFn('notice', 'use: default org', defaultOrgResult);
     return {
       ok: true,
       data: defaultOrgResult
@@ -895,7 +898,7 @@ async function getDefaultOrgSlug() {
       data: `Was unable to determine the default organization for the current API token. Unable to continue.`
     };
   }
-  debug.debugFn('resolve: org', slug);
+  debug.debugFn('notice', 'resolve: org', slug);
   return {
     ok: true,
     message: 'Retrieved default org from server',
@@ -999,7 +1002,10 @@ async function fetchReportData(orgSlug, scanId, includeLicensePolicy) {
         return JSON.parse(line);
       } catch {
         ok = false;
-        debug.debugFn('fail: parse NDJSON\n', line);
+        debug.debugFn('error', 'fail: parse NDJSON');
+        debug.debugDir('inspect', {
+          line
+        });
         return;
       }
     });
@@ -1497,28 +1503,28 @@ sockJson, cwd = process.cwd()) {
     sbt: false
   };
   if (sockJson?.defaults?.manifest?.sbt?.disabled) {
-    debug.debugLog('[DEBUG] - sbt auto-detection is disabled in socket.json');
+    debug.debugLog('notice', '[DEBUG] - sbt auto-detection is disabled in socket.json');
   } else if (fs$1.existsSync(path.join(cwd, 'build.sbt'))) {
-    debug.debugLog('[DEBUG] - Detected a Scala sbt build file');
+    debug.debugLog('notice', '[DEBUG] - Detected a Scala sbt build file');
     output.sbt = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.gradle?.disabled) {
-    debug.debugLog('[DEBUG] - gradle auto-detection is disabled in socket.json');
+    debug.debugLog('notice', '[DEBUG] - gradle auto-detection is disabled in socket.json');
   } else if (fs$1.existsSync(path.join(cwd, 'gradlew'))) {
-    debug.debugLog('[DEBUG] - Detected a gradle build file');
+    debug.debugLog('notice', '[DEBUG] - Detected a gradle build file');
     output.gradle = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.conda?.disabled) {
-    debug.debugLog('[DEBUG] - conda auto-detection is disabled in socket.json');
+    debug.debugLog('notice', '[DEBUG] - conda auto-detection is disabled in socket.json');
   } else {
     const envyml = path.join(cwd, 'environment.yml');
     const hasEnvyml = fs$1.existsSync(envyml);
     const envyaml = path.join(cwd, 'environment.yaml');
     const hasEnvyaml = !hasEnvyml && fs$1.existsSync(envyaml);
     if (hasEnvyml || hasEnvyaml) {
-      debug.debugLog('[DEBUG] - Detected an environment.yml Conda file');
+      debug.debugLog('notice', '[DEBUG] - Detected an environment.yml Conda file');
       output.conda = true;
       output.count += 1;
     }
@@ -2103,7 +2109,7 @@ const config$N = {
       $ ${command} [options]
 
     Options
-      ${utils.getFlagListOutput(config$N.flags, 6)}
+      ${utils.getFlagListOutput(config$N.flags)}
 
     This command is intended to use in CI runs to allow automated systems to
     accept or reject a current build. When the scan does not pass your security
@@ -2395,7 +2401,7 @@ const config$M = {
       $ ${command} [options] KEY
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Attempt to automatically discover the correct value for given config KEY.
 
@@ -2516,7 +2522,7 @@ const config$L = {
     config then the value will come from that override.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     KEY is an enum. Valid keys:
 
@@ -2659,7 +2665,7 @@ const config$K = {
       $ ${command} [options]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -2760,7 +2766,7 @@ const config$J = {
       $ ${command} [options] <KEY> <VALUE>
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     This is a crude way of updating the local configuration for this CLI tool.
 
@@ -2886,7 +2892,7 @@ const config$I = {
       $ ${command} [options] <KEY> <VALUE>
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Removes a value from a config key, allowing the default value to be used
     for it instead.
@@ -2992,6 +2998,7 @@ function createSocketBranchParser(options) {
     };
   };
 }
+const genericSocketBranchParser = createSocketBranchParser();
 async function getBaseGitBranch(cwd = process.cwd()) {
   // Lazily access constants.ENV properties.
   const {
@@ -3024,17 +3031,17 @@ async function getBaseGitBranch(cwd = process.cwd()) {
 }
 function getSocketBranchFullNameComponent(pkgName) {
   const purlObj = utils.getPurlObject(typeof pkgName === 'string' && !pkgName.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/${pkgName}`) : pkgName);
-  const fmtMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
-  return `${fmtMaybeNamespace}${formatBranchName(purlObj.name)}`;
+  const branchMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
+  return `${branchMaybeNamespace}${formatBranchName(purlObj.name)}`;
 }
 function getSocketBranchName(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
-  const fmtType = getSocketBranchPurlTypeComponent(purlObj);
-  const fmtWorkspace = getSocketBranchWorkspaceComponent(workspace);
-  const fmtFullName = getSocketBranchFullNameComponent(purlObj);
-  const fmtVersion = getSocketBranchPackageVersionComponent(purlObj.version);
-  const fmtNewVersion = formatBranchName(newVersion);
-  return `socket/${fmtType}/${fmtWorkspace}/${fmtFullName}_${fmtVersion}_${fmtNewVersion}`;
+  const branchType = getSocketBranchPurlTypeComponent(purlObj);
+  const branchWorkspace = getSocketBranchWorkspaceComponent(workspace);
+  const branchFullName = getSocketBranchFullNameComponent(purlObj);
+  const branchVersion = getSocketBranchPackageVersionComponent(purlObj.version);
+  const branchNewVersion = formatBranchName(newVersion);
+  return `socket/${branchType}/${branchWorkspace}/${branchFullName}_${branchVersion}_${branchNewVersion}`;
 }
 function getSocketBranchPackageVersionComponent(version) {
   const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
@@ -3112,7 +3119,7 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
     await spawn.spawn('git', ['push', '--force', '--set-upstream', 'origin', branch], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn(`catch: git push --force --set-upstream origin ${branch} failed\n`, e);
+    debug.debugFn('error', `caught: git push --force --set-upstream origin ${branch} failed\n`, e);
   }
   try {
     // Will throw with exit code 1 if branch does not exist.
@@ -3146,9 +3153,15 @@ async function gitRepoInfo(cwd = process.cwd()) {
         };
       }
     } catch {}
-    debug.debugFn('git: unmatched git remote URL format', remoteUrl);
+    debug.debugFn('error', 'git: unmatched git remote URL format');
+    debug.debugDir('inspect', {
+      remoteUrl
+    });
   } catch (e) {
-    debug.debugFn('catch: git remote get-url origin failed\n', e);
+    debug.debugFn('error', 'caught: `git remote get-url origin` failed');
+    debug.debugDir('inspect', {
+      error: e
+    });
   }
   return null;
 }
@@ -3174,7 +3187,10 @@ async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
       try {
         await spawn.spawn('git', ['config', prop, value], stdioIgnoreOptions);
       } catch (e) {
-        debug.debugFn(`catch: git config ${prop} ${value} failed\n`, e);
+        debug.debugFn('error', `caught: git config ${prop} ${value} failed`);
+        debug.debugDir('inspect', {
+          error: e
+        });
       }
     }
   }));
@@ -3213,7 +3229,10 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
       data: rawRelPaths.map(relPath => path$1.normalizePath(relPath))
     };
   } catch (e) {
-    debug.debugFn('catch: git diff --name-only failed\n', e);
+    debug.debugFn('error', 'caught: git diff --name-only failed');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'Git Error',
@@ -3222,41 +3241,32 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
   }
 }
 
-function getActiveBranchesForPackage(ciEnv, partialPurl, openPrs) {
-  if (!ciEnv) {
+function getPrsForPurl(fixEnv, partialPurl) {
+  if (!fixEnv) {
     return [];
   }
-  const activeBranches = [];
+  const prs = [];
   const partialPurlObj = utils.getPurlObject(partialPurl);
   const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
   const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-  for (const pr of openPrs) {
-    const parsedBranch = ciEnv.branchParser(pr.headRefName);
+  for (const pr of fixEnv.prs) {
+    const parsedBranch = genericSocketBranchParser(pr.headRefName);
     if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-      activeBranches.push(parsedBranch);
+      prs.push(pr);
     }
   }
-  if (debug.isDebug()) {
+  if (debug.isDebug('notice,inspect')) {
     const fullName = packages.resolvePackageName(partialPurlObj);
-    if (activeBranches.length) {
-      debug.debugFn(`found: ${activeBranches.length} active branches for ${fullName}\n`, activeBranches);
-    } else if (openPrs.length) {
-      debug.debugFn(`miss: 0 active branches found for ${fullName}`);
+    if (prs.length) {
+      debug.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
+      debug.debugDir('inspect', {
+        prs
+      });
+    } else if (fixEnv.prs.length) {
+      debug.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
     }
   }
-  return activeBranches;
-}
-
-async function getActualTree(cwd = process.cwd()) {
-  // @npmcli/arborist DOES have partial support for pnpm structured node_modules
-  // folders. However, support is iffy resulting in unhappy path errors and hangs.
-  // So, to avoid the unhappy path, we restrict our usage to --dry-run loading
-  // of the node_modules folder.
-  const arb = new shadowNpmInject.Arborist({
-    path: cwd,
-    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-  });
-  return await arb.loadActual();
+  return prs;
 }
 
 let _octokit;
@@ -3267,10 +3277,12 @@ function getOctokit() {
       SOCKET_CLI_GITHUB_TOKEN
     } = constants.ENV;
     if (!SOCKET_CLI_GITHUB_TOKEN) {
-      debug.debugFn('miss: SOCKET_CLI_GITHUB_TOKEN env var');
+      debug.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
     }
     _octokit = new vendor.Octokit({
-      auth: SOCKET_CLI_GITHUB_TOKEN
+      auth: SOCKET_CLI_GITHUB_TOKEN,
+      // Lazily access constants.ENV.GITHUB_API_URL.
+      baseUrl: constants.ENV.GITHUB_API_URL
     });
   }
   return _octokit;
@@ -3283,7 +3295,7 @@ function getOctokitGraphql() {
       SOCKET_CLI_GITHUB_TOKEN
     } = constants.ENV;
     if (!SOCKET_CLI_GITHUB_TOKEN) {
-      debug.debugFn('miss: SOCKET_CLI_GITHUB_TOKEN env var');
+      debug.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
     }
     _octokitGraphql = vendor.graphql2.defaults({
       headers: {
@@ -3333,8 +3345,8 @@ async function writeCache(key, data) {
   }
   await fs$2.writeJson(cacheJsonPath, data);
 }
-async function cleanupOpenPrs(owner, repo, options) {
-  const contextualMatches = await getOpenSocketPrsWithContext(owner, repo, options);
+async function cleanupPrs(owner, repo, options) {
+  const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
   if (!contextualMatches.length) {
     return [];
   }
@@ -3367,14 +3379,14 @@ async function cleanupOpenPrs(owner, repo, options) {
           pull_number: prNum,
           state: 'closed'
         });
-        debug.debugFn(`close: ${prRef} for ${prToVersion}`);
+        debug.debugFn('notice', `close: ${prRef} for ${prToVersion}`);
         // Remove entry from parent object.
         context.parent.splice(context.index, 1);
         // Mark cache to be saved.
         cachesToSave.set(context.cacheKey, context.data);
         return null;
       } catch (e) {
-        debug.debugFn(`fail: close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
+        debug.debugFn('error', `fail: close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
       }
     }
     // Update stale PRs.
@@ -3387,7 +3399,7 @@ async function cleanupOpenPrs(owner, repo, options) {
           base: match.headRefName,
           head: match.baseRefName
         });
-        debug.debugFn('update: stale', prRef);
+        debug.debugFn('notice', 'update: stale', prRef);
         // Update entry entry.
         if (context.apiType === 'graphql') {
           context.entry.mergeStateStatus = 'CLEAN';
@@ -3398,7 +3410,7 @@ async function cleanupOpenPrs(owner, repo, options) {
         cachesToSave.set(context.cacheKey, context.data);
       } catch (e) {
         const message = e?.message || 'Unknown error';
-        debug.debugFn(`fail: update ${prRef} - ${message}`);
+        debug.debugFn('error', `fail: update ${prRef} - ${message}`);
       }
     }
     return match;
@@ -3442,8 +3454,8 @@ async function enablePrAutoMerge({
   }
   if (error instanceof vendor.GraphqlResponseError && Array.isArray(error.errors) && error.errors.length) {
     const details = error.errors.map(({
-      message
-    }) => message.trim());
+      message: m
+    }) => m.trim());
     return {
       enabled: false,
       details
@@ -3453,30 +3465,30 @@ async function enablePrAutoMerge({
     enabled: false
   };
 }
-async function getOpenSocketPrs(owner, repo, options) {
-  return (await getOpenSocketPrsWithContext(owner, repo, options)).map(d => d.match);
+async function getSocketPrs(owner, repo, options) {
+  return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
 }
-async function getOpenSocketPrsWithContext(owner, repo, options_) {
-  const options = {
+async function getSocketPrsWithContext(owner, repo, options) {
+  const {
+    author,
+    states: statesValue = 'all'
+  } = {
     __proto__: null,
-    ...options_
+    ...options
   };
-  const {
-    author
-  } = options;
   const checkAuthor = strings.isNonEmptyString(author);
   const octokit = getOctokit();
   const octokitGraphql = getOctokitGraphql();
-  const branchPattern = getSocketBranchPattern(options);
   const contextualMatches = [];
+  const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
     // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
     // API quota usage. Fallback to REST if no matching PRs are found.
     const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
     const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
-          query($owner: String!, $repo: String!) {
+          query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
             repository(owner: $owner, name: $repo) {
-              pullRequests(first: 50, states: OPEN, orderBy: {field: CREATED_AT, direction: DESC}) {
+              pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
                 nodes {
                   author {
                     login
@@ -3485,6 +3497,7 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
                   headRefName
                   mergeStateStatus
                   number
+                  state
                   title
                 }
               }
@@ -3492,7 +3505,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
           }
           `, {
       owner,
-      repo
+      repo,
+      states
     }));
     const nodes = gqlResp?.repository?.pullRequests?.nodes ?? [];
     for (let i = 0, {
@@ -3501,8 +3515,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
       const node = nodes[i];
       const login = node.author?.login;
       const matchesAuthor = checkAuthor ? login === author : true;
-      const matchesBranch = branchPattern.test(node.headRefName);
-      if (matchesAuthor && matchesBranch) {
+      const parsedBranch = genericSocketBranchParser(node.headRefName);
+      if (matchesAuthor && parsedBranch) {
         contextualMatches.push({
           context: {
             apiType: 'graphql',
@@ -3514,7 +3528,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
           },
           match: {
             ...node,
-            author: login ?? '<unknown>'
+            author: login ?? '<unknown>',
+            parsedBranch
           }
         });
       }
@@ -3525,44 +3540,52 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
   }
 
   // Fallback to REST if GraphQL found no matching PRs.
-  let allOpenPrs;
-  const cacheKey = `${repo}-open-prs`;
+  let allPrs;
+  const cacheKey = `${repo}-pull-requests`;
   try {
-    allOpenPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
+    allPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
       owner,
       repo,
-      state: 'open',
+      state: 'all',
       per_page: 100
     }));
   } catch {}
-  if (!allOpenPrs) {
+  if (!allPrs) {
     return contextualMatches;
   }
   for (let i = 0, {
       length
-    } = allOpenPrs; i < length; i += 1) {
-    const pr = allOpenPrs[i];
+    } = allPrs; i < length; i += 1) {
+    const pr = allPrs[i];
     const login = pr.user?.login;
+    const headRefName = pr.head.ref;
     const matchesAuthor = checkAuthor ? login === author : true;
-    const matchesBranch = branchPattern.test(pr.head.ref);
-    if (matchesAuthor && matchesBranch) {
+    const parsedBranch = genericSocketBranchParser(headRefName);
+    if (matchesAuthor && parsedBranch) {
+      // Upper cased mergeable_state is equivalent to mergeStateStatus.
+      // https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request
+      const mergeStateStatus = pr.mergeable_state?.toUpperCase?.() ?? 'UNKNOWN';
+      // The REST API does not have a distinct merged state for pull requests.
+      // Instead, a merged pull request is represented as a closed pull request
+      // with a non-null merged_at timestamp.
+      const state = pr.merged_at ? 'MERGED' : pr.state.toUpperCase();
       contextualMatches.push({
         context: {
           apiType: 'rest',
           cacheKey,
-          data: allOpenPrs,
+          data: allPrs,
           entry: pr,
           index: i,
-          parent: allOpenPrs
+          parent: allPrs
         },
         match: {
           author: login ?? '<unknown>',
           baseRefName: pr.base.ref,
-          headRefName: pr.head.ref,
-          // Upper cased mergeable_state is equivalent to mergeStateStatus.
-          // https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request
-          mergeStateStatus: pr.mergeable_state?.toUpperCase?.() ?? 'UNKNOWN',
+          headRefName,
+          mergeStateStatus,
           number: pr.number,
+          parsedBranch,
+          state,
           title: pr.title
         }
       });
@@ -3596,37 +3619,88 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
       const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
       message += `:\n${details}`;
     }
-    debug.debugFn(message);
+    debug.debugFn('error', message);
   }
   return null;
 }
-async function prExistForBranch(owner, repo, branch) {
-  const octokit = getOctokit();
-  try {
-    const {
-      data: prs
-    } = await octokit.pulls.list({
-      owner,
-      repo,
-      head: `${owner}:${branch}`,
-      state: 'open',
-      per_page: 1
-    });
-    return prs.length > 0;
-  } catch {}
-  return false;
-}
 async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
   const stdioIgnoreOptions = {
     cwd,
     stdio: 'ignore'
   };
-  const url = `https://x-access-token:${token}@github.com/${owner}/${repo}`;
+  const {
+    host
+  } = new URL(constants.ENV.GITHUB_SERVER_URL);
+  const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
   try {
     await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
   } catch (e) {
-    debug.debugFn('catch: unexpected\n', e);
+    debug.debugFn('error', 'caught: unexpected error');
+    debug.debugDir('inspect', {
+      error: e
+    });
+  }
+}
+
+function ciRepoInfo() {
+  // Lazily access constants.ENV.GITHUB_REPOSITORY.
+  const {
+    GITHUB_REPOSITORY
+  } = constants.ENV;
+  if (!GITHUB_REPOSITORY) {
+    debug.debugFn('notice', 'miss: GITHUB_REPOSITORY env var');
   }
+  const ownerSlashRepo = GITHUB_REPOSITORY;
+  const slashIndex = ownerSlashRepo.indexOf('/');
+  if (slashIndex === -1) {
+    return null;
+  }
+  return {
+    owner: ownerSlashRepo.slice(0, slashIndex),
+    repo: ownerSlashRepo.slice(slashIndex + 1)
+  };
+}
+async function getFixEnv() {
+  const baseBranch = await getBaseGitBranch();
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  let repoInfo = null;
+  if (isCi) {
+    repoInfo = ciRepoInfo();
+  }
+  if (!repoInfo) {
+    if (isCi) {
+      debug.debugFn('notice', 'falling back to `git remote get-url origin`');
+    }
+    repoInfo = await gitRepoInfo();
+  }
+  const prs = isCi && repoInfo ? await getSocketPrs(repoInfo.owner, repoInfo.repo, {
+    author: gitUser,
+    states: 'all'
+  }) : [];
+  return {
+    baseBranch,
+    gitEmail,
+    githubToken,
+    gitUser,
+    isCi,
+    prs,
+    repoInfo
+  };
+}
+
+async function getActualTree(cwd = process.cwd()) {
+  // @npmcli/arborist DOES have partial support for pnpm structured node_modules
+  // folders. However, support is iffy resulting in unhappy path errors and hangs.
+  // So, to avoid the unhappy path, we restrict our usage to --dry-run loading
+  // of the node_modules folder.
+  const arb = new shadowNpmInject.Arborist({
+    path: cwd,
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  });
+  return await arb.loadActual();
 }
 
 const {
@@ -3717,10 +3791,11 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   // eslint-disable-next-line sort-destructure-keys/sort-destructure-keys
   afterInstall = noopHandler,
   revertInstall = noopHandler
-}, ciEnv, openPrs, fixConfig) {
+}, fixConfig) {
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
+  const fixEnv = await getFixEnv();
   const {
     autoMerge,
     cwd,
@@ -3733,17 +3808,19 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   } = fixConfig;
   let count = 0;
   const infoByPartialPurl = utils.getCveInfoFromAlertsMap(alertsMap, {
-    limit: Math.max(limit, openPrs.length)
+    exclude: {
+      upgradable: true
+    }
   });
   if (!infoByPartialPurl) {
     spinner?.stop();
     logger.logger.info('No fixable vulns found.');
     if (alertsMap.size) {
-      debug.debugFn('inspect:', {
+      debug.debugDir('inspect', {
         alertsMap
       });
     } else {
-      debug.debugFn('inspect: { alertsMap: Map(0) {} }');
+      debug.debugFn('inspect', '{ alertsMap: Map(0) {} }');
     }
     return {
       ok: true,
@@ -3752,8 +3829,17 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       }
     };
   }
-  if (debug.isDebug()) {
-    debug.debugFn('found: cves for', Array.from(infoByPartialPurl.keys()));
+  if (debug.isDebug('notice,inspect')) {
+    spinner?.stop();
+    const partialPurls = Array.from(infoByPartialPurl.keys());
+    const {
+      length: purlsCount
+    } = partialPurls;
+    debug.debugFn('notice', `found: ${purlsCount} ${words.pluralize('PURL', purlsCount)} with CVEs`);
+    debug.debugDir('inspect', {
+      partialPurls
+    });
+    spinner?.start();
   }
 
   // Lazily access constants.packumentCache.
@@ -3788,13 +3874,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
     const name = packages.resolvePackageName(partialPurlObj);
     const infos = Array.from(infoEntry[1].values());
     if (!infos.length) {
+      debug.debugFn('notice', `miss: CVEs expected, but not found, for ${name}`);
       continue infoEntriesLoop;
     }
-    logger.logger.log(`Processing vulns for ${name}:`);
+    logger.logger.log(`Processing vulns for ${name}`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(partialPurlObj.type, name)) {
-      debug.debugFn(`found: Socket Optimize variant for ${name}`);
+      debug.debugFn('notice', `found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -3803,8 +3890,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       cleanupInfoEntriesLoop();
       continue infoEntriesLoop;
     }
-    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     const availableVersions = Object.keys(packument.versions);
+    const prs = getPrsForPurl(fixEnv, infoEntry[0]);
     const warningsForAfter = new Set();
 
     // eslint-disable-next-line no-unused-labels
@@ -3816,15 +3903,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       const pkgPath = path.dirname(pkgJsonPath);
       const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      const branchWorkspace = ciEnv ? getSocketBranchWorkspaceComponent(workspace) : '';
-
+      const branchWorkspace = fixEnv.isCi ? getSocketBranchWorkspaceComponent(workspace) : '';
       // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
       if (!actualTree) {
-        if (!ciEnv) {
+        if (!fixEnv.isCi) {
           // eslint-disable-next-line no-await-in-loop
           await utils.removeNodeModules(cwd);
         }
-        const maybeActualTree = ciEnv && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
+        const maybeActualTree = fixEnv.isCi && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
         // eslint-disable-next-line no-await-in-loop
         await getActualTree(cwd) :
         // eslint-disable-next-line no-await-in-loop
@@ -3845,7 +3931,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       }
       const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn(`skip: ${name} not found\n`);
+        debug.debugFn('notice', `skip: ${name} not found\n`);
         // Skip to next package.
         cleanupInfoEntriesLoop();
         continue infoEntriesLoop;
@@ -3860,8 +3946,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       const seenVersions = new Set();
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
-      if (debug.isDebug()) {
-        debug.debugFn(`check: workspace ${workspace}`);
+      if (debug.isDebug('notice')) {
+        debug.debugFn('notice', `check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -3870,7 +3956,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
         const oldPurl = utils.idToPurl(oldId, partialPurlObj.type);
         const node = shadowNpmInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn(`skip: ${oldId} not found`);
+          debug.debugFn('notice', `skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -3890,11 +3976,25 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             continue infosLoop;
           }
           if (vendor.semverExports.gte(oldVersion, newVersion)) {
-            debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
+            debug.debugFn('silly', `skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
           }
-          if (activeBranches.find(b => b.workspace === branchWorkspace && b.newVersion === newVersion)) {
-            debug.debugFn(`skip: open PR found for ${name}@${newVersion}`);
+          const branch = getSocketBranchName(oldPurl, newVersion, workspace);
+          const pr = prs.find(({
+            parsedBranch: b
+          }) => b.workspace === branchWorkspace && b.newVersion === newVersion);
+          if (pr) {
+            debug.debugFn('notice', `skip: PR #${pr.number} for ${name} exists`);
+            if (++count >= limit) {
+              cleanupInfoEntriesLoop();
+              break infoEntriesLoop;
+            }
+            continue infosLoop;
+          }
+          if (fixEnv.isCi && (
+          // eslint-disable-next-line no-await-in-loop
+          await gitRemoteBranchExists(branch, cwd))) {
+            debug.debugFn('notice', `skip: remote branch "${branch}" exists`);
             if (++count >= limit) {
               cleanupInfoEntriesLoop();
               break infoEntriesLoop;
@@ -3913,17 +4013,26 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
           }
 
           // eslint-disable-next-line no-await-in-loop
-          await beforeInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
+          await beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
           shadowNpmInject.updatePackageJsonFromNode(editablePkgJson, actualTree, node, newVersion, rangeStyle);
+
           // eslint-disable-next-line no-await-in-loop
-          if (!(await editablePkgJson.save({
+          await editablePkgJson.save({
             ignoreWhitespace: true
-          }))) {
-            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
+          });
+
+          // eslint-disable-next-line no-await-in-loop
+          const unstagedCResult = await gitUnstagedModifiedFiles(cwd);
+          const moddedFilepaths = unstagedCResult.ok ? unstagedCResult.data.filter(filepath => {
+            const basename = path.basename(filepath);
+            return basename === 'package.json' || basename === pkgEnvDetails.lockName;
+          }) : [];
+          if (!moddedFilepaths.length) {
+            logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
             // Reset things just in case.
-            if (ciEnv) {
+            if (fixEnv.isCi) {
               // eslint-disable-next-line no-await-in-loop
-              await gitResetAndClean(ciEnv.baseBranch, cwd);
+              await gitResetAndClean(fixEnv.baseBranch, cwd);
             }
             continue infosLoop;
           }
@@ -3948,7 +4057,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             if (maybeActualTree && maybeLockSrc) {
               actualTree = maybeActualTree;
               // eslint-disable-next-line no-await-in-loop
-              await afterInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
+              await afterInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
               if (test) {
                 spinner?.info(`Testing ${newId} in ${workspace}.`);
                 // eslint-disable-next-line no-await-in-loop
@@ -3969,47 +4078,18 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
           spinner?.stop();
 
           // Check repoInfo to make TypeScript happy.
-          if (!errored && ciEnv?.repoInfo) {
+          if (!errored && fixEnv.isCi && fixEnv.repoInfo) {
             try {
-              // eslint-disable-next-line no-await-in-loop
-              const unstagedCResult = await gitUnstagedModifiedFiles(cwd);
-              if (!unstagedCResult.ok) {
-                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue;
-              }
-              const moddedFilepaths = unstagedCResult.data.filter(filepath => {
-                const basename = path.basename(filepath);
-                return basename === 'package.json' || basename === pkgEnvDetails.lockName;
-              });
-              if (!moddedFilepaths.length) {
-                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue infosLoop;
-              }
-              const branch = getSocketBranchName(oldPurl, newVersion, workspace);
-              let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
-              await prExistForBranch(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch)) {
-                skipPr = true;
-                debug.debugFn(`skip: branch "${branch}" exists`);
-              }
-              // eslint-disable-next-line no-await-in-loop
-              else if (await gitRemoteBranchExists(branch, cwd)) {
-                skipPr = true;
-                debug.debugFn(`skip: remote branch "${branch}" exists`);
-              } else if (
-              // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
                 cwd,
-                email: ciEnv.gitEmail,
-                user: ciEnv.gitUser
+                email: fixEnv.gitEmail,
+                user: fixEnv.gitUser
               }))) {
-                skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
-              }
-              if (skipPr) {
                 // eslint-disable-next-line no-await-in-loop
-                await gitResetAndClean(ciEnv.baseBranch, cwd);
+                await gitResetAndClean(fixEnv.baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
                 const maybeActualTree = await installer(pkgEnvDetails, {
                   cwd,
@@ -4027,14 +4107,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, ciEnv.githubToken, cwd), cleanupOpenPrs(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, {
+              await Promise.allSettled([setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd), cleanupPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
                 newVersion,
                 purl: oldPurl,
                 workspace
               })]);
               // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch: ciEnv.baseBranch,
+              const prResponse = await openPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch, oldPurl, newVersion, {
+                baseBranch: fixEnv.baseBranch,
                 cwd,
                 workspace
               });
@@ -4067,10 +4147,10 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               errored = true;
             }
           }
-          if (ciEnv) {
+          if (fixEnv.isCi) {
             spinner?.start();
             // eslint-disable-next-line no-await-in-loop
-            await gitResetAndClean(ciEnv.baseBranch, cwd);
+            await gitResetAndClean(fixEnv.baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
             const maybeActualTree = await installer(pkgEnvDetails, {
               cwd,
@@ -4084,10 +4164,10 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             }
           }
           if (errored) {
-            if (!ciEnv) {
+            if (!fixEnv.isCi) {
               spinner?.start();
               // eslint-disable-next-line no-await-in-loop
-              await revertInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
+              await revertInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
               // eslint-disable-next-line no-await-in-loop
               await Promise.all([utils.removeNodeModules(cwd), editablePkgJson.save({
                 ignoreWhitespace: true
@@ -4111,8 +4191,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
             };
           }
-          debug.debugFn('name:', name);
-          debug.debugFn('increment: count', count + 1);
+          debug.debugFn('notice', 'increment: count', count + 1);
           if (++count >= limit) {
             cleanupInfoEntriesLoop();
             break infoEntriesLoop;
@@ -4142,57 +4221,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   };
 }
 
-async function getEnvRepoInfo(cwd) {
-  // Lazily access constants.ENV.GITHUB_REPOSITORY.
-  const {
-    GITHUB_REPOSITORY
-  } = constants.ENV;
-  if (!GITHUB_REPOSITORY) {
-    debug.debugFn('miss: GITHUB_REPOSITORY env var');
-  }
-  const ownerSlashRepo = GITHUB_REPOSITORY;
-  const slashIndex = ownerSlashRepo.indexOf('/');
-  if (slashIndex !== -1) {
-    return {
-      owner: ownerSlashRepo.slice(0, slashIndex),
-      repo: ownerSlashRepo.slice(slashIndex + 1)
-    };
-  }
-  return await gitRepoInfo(cwd);
-}
-async function getCiEnv() {
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
-  if (!isCi) {
-    return null;
-  }
-  const baseBranch = await getBaseGitBranch();
-  if (!baseBranch) {
-    return null;
-  }
-  const repoInfo = await getEnvRepoInfo();
-  if (!repoInfo) {
-    return null;
-  }
-  return {
-    gitEmail,
-    gitUser,
-    githubToken,
-    repoInfo,
-    baseBranch,
-    branchParser: createSocketBranchParser()
-  };
-}
-async function getOpenPrsForEnvironment(env) {
-  return env ? await getOpenSocketPrs(env.repoInfo.owner, env.repoInfo.repo, {
-    author: env.gitUser
-  }) : [];
-}
-
 const CMD_NAME$1 = 'socket fix';
-function getAlertsMapOptions(options = {}) {
+function getFixAlertsMapOptions(options = {}) {
   return {
     __proto__: null,
     consolidate: true,
@@ -4221,7 +4251,7 @@ async function install$1(pkgEnvDetails, options) {
     await utils.runAgentInstall(pkgEnvDetails, {
       args,
       spinner,
-      stdio: debug.isDebug() ? 'inherit' : 'ignore'
+      stdio: debug.isDebug('stdio') ? 'inherit' : 'ignore'
     });
     return await getActualTree(cwd);
   } catch {}
@@ -4229,59 +4259,35 @@ async function install$1(pkgEnvDetails, options) {
 }
 async function npmFix(pkgEnvDetails, fixConfig) {
   const {
-    limit,
     purls,
     spinner
   } = fixConfig;
   spinner?.start();
-  const ciEnv = await getCiEnv();
-  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
+  let arb;
   let actualTree;
   let alertsMap;
   try {
     if (purls.length) {
-      alertsMap = await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-        limit: Math.max(limit, openPrs.length)
-      }));
+      alertsMap = await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions());
     } else {
-      const npmPath = path.resolve(fs$1.realpathSync(pkgEnvDetails.agentExecPath), '../..');
-      const config = new vendor.libExports$2({
-        argv: [],
-        cwd: process.cwd(),
-        definitions: vendor.definitionsExports.definitions,
-        // Lazily access constants.execPath.
-        execPath: constants.execPath,
-        env: {
-          ...process.env
-        },
-        flatten: vendor.definitionsExports.flatten,
-        npmPath,
-        platform: process.platform,
-        shorthands: vendor.definitionsExports.shorthands
+      const flatConfig = await utils.getNpmConfig({
+        npmVersion: pkgEnvDetails.agentVersion
       });
-      await config.load();
-      const flatConfig = {
-        __proto__: null,
-        ...config.flat
-      };
-      flatConfig.nodeVersion = constants.NODE_VERSION;
-      flatConfig.npmVersion = pkgEnvDetails.agentVersion.toString();
-      flatConfig.npmCommand = 'install';
-      const arb = new shadowNpmInject.Arborist({
+      arb = new shadowNpmInject.Arborist({
         path: pkgEnvDetails.pkgPath,
-        ...flatConfig,
-        ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+        ...flatConfig
       });
       actualTree = await arb.reify();
       // Calling arb.reify() creates the arb.diff object, nulls-out arb.idealTree,
       // and populates arb.actualTree.
-      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getAlertsMapOptions({
-        limit: Math.max(limit, openPrs.length)
-      }));
+      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getFixAlertsMapOptions());
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('catch: PURL API\n', e);
+    debug.debugFn('error', 'caught: PURL API');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'API Error',
@@ -4290,7 +4296,7 @@ async function npmFix(pkgEnvDetails, fixConfig) {
   }
   let revertData;
   return await agentFix(pkgEnvDetails, actualTree, alertsMap, install$1, {
-    async beforeInstall(editablePkgJson) {
+    async beforeInstall(editablePkgJson, packument, oldVersion, newVersion) {
       revertData = {
         ...(editablePkgJson.content.dependencies && {
           dependencies: {
@@ -4308,13 +4314,19 @@ async function npmFix(pkgEnvDetails, fixConfig) {
           }
         })
       };
+      const idealTree = await arb.buildIdealTree();
+      const node = shadowNpmInject.findPackageNode(idealTree, packument.name, oldVersion);
+      if (node) {
+        shadowNpmInject.updateNode(node, newVersion, packument.versions[newVersion]);
+        await arb.reify();
+      }
     },
     async revertInstall(editablePkgJson) {
       if (revertData) {
         editablePkgJson.update(revertData);
       }
     }
-  }, ciEnv, openPrs, fixConfig);
+  }, fixConfig);
 }
 
 async function outputFixResult(result, outputKind) {
@@ -4356,7 +4368,7 @@ async function install(pkgEnvDetails, options) {
       // https://github.com/pnpm/pnpm/issues/6778
       '--config.confirmModulesPurge=false'],
       spinner,
-      stdio: debug.isDebug() ? 'inherit' : 'ignore'
+      stdio: debug.isDebug('stdio') ? 'inherit' : 'ignore'
     });
     return await getActualTree(cwd);
   } catch {}
@@ -4365,7 +4377,6 @@ async function install(pkgEnvDetails, options) {
 async function pnpmFix(pkgEnvDetails, fixConfig) {
   const {
     cwd,
-    limit,
     purls,
     spinner
   } = fixConfig;
@@ -4403,18 +4414,15 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
       cause: 'Required pnpm-lock.yaml not found or usable'
     };
   }
-  const ciEnv = await getCiEnv();
-  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let alertsMap;
   try {
-    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-      limit: Math.max(limit, openPrs.length)
-    })) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getAlertsMapOptions({
-      limit: Math.max(limit, openPrs.length)
-    }));
+    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions()) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getFixAlertsMapOptions());
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('catch: PURL API\n', e);
+    debug.debugFn('error', 'caught: PURL API');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'API Error',
@@ -4425,14 +4433,14 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
   let revertOverrides;
   let revertOverridesSrc;
   return await agentFix(pkgEnvDetails, actualTree, alertsMap, install, {
-    async beforeInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, options) {
+    async beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, options) {
       const isWorkspaceRoot = editablePkgJson.path === pkgEnvDetails.editablePkgJson.filename;
       // Get current overrides for revert logic.
       const {
         overrides: oldOverrides
       } = getOverridesDataPnpm(pkgEnvDetails, editablePkgJson.content);
       const oldPnpmSection = editablePkgJson.content[PNPM$7];
-      const overrideKey = `${name}@${vulnerableVersionRange}`;
+      const overrideKey = `${packument.name}@${vulnerableVersionRange}`;
       revertOverrides = undefined;
       revertOverridesSrc = utils.extractOverridesFromPnpmLockSrc(lockSrc);
       if (isWorkspaceRoot) {
@@ -4496,7 +4504,7 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
         editablePkgJson.update(revertData);
       }
     }
-  }, ciEnv, openPrs, fixConfig);
+  }, fixConfig);
 }
 
 const {
@@ -4532,7 +4540,8 @@ async function handleFix({
         ghsas = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found: )[^\n]+/.exec(autoCResult.data)?.[0]);
         ghsasCount = ghsas.length;
       } else {
-        debug.debugFn('coana fail:', {
+        debug.debugFn('error', 'fail: Coana CLI');
+        debug.debugDir('inspect', {
           message: autoCResult.message,
           cause: autoCResult.cause
         });
@@ -4549,7 +4558,8 @@ async function handleFix({
       });
       spinner?.stop();
       if (!applyFixesCResult.ok) {
-        debug.debugFn('coana fail:', {
+        debug.debugFn('error', 'fail: Coana CLI');
+        debug.debugDir('inspect', {
           message: applyFixesCResult.message,
           cause: applyFixesCResult.cause
         });
@@ -4690,7 +4700,7 @@ const config$H = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -4819,9 +4829,9 @@ async function setupTabCompletion(targetName) {
 
   // Target dir is something like ~/.local/share/socket/settings/completion (linux)
   const targetDir = path.dirname(targetPath);
-  debug.debugFn('target: path + dir', targetPath, targetDir);
+  debug.debugFn('notice', 'target: path + dir', targetPath, targetDir);
   if (!fs$1.existsSync(targetDir)) {
-    debug.debugFn('create: target dir');
+    debug.debugFn('notice', 'create: target dir');
     fs$1.mkdirSync(targetDir, {
       recursive: true
     });
@@ -4921,7 +4931,7 @@ const config$G = {
     different alias for socket on your system.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
 
@@ -5190,7 +5200,7 @@ const config$E = {
     Logs into the Socket API by prompting for an API key
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -5419,6 +5429,8 @@ const arrayToLower = arg => arg.map(toLower);
 //   [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning",
 //                                                        "ml", "deep-learning", "ml-deep", "ml-tiny"] [default: "generic"]
 //       --exclude                Additional glob pattern(s) to ignore                                              [array]
+//       --export-proto           Serialize and export BOM as protobuf binary.  [boolean] [default: false]
+//       --proto-bin-file         Path for the serialized protobuf binary.  [default: "bom.cdx"]
 //       --include-formulation    Generate formulation section with git metadata and build tools. Defaults to false.
 //                                                                                               [boolean] [default: false]
 //       --include-crypto         Include crypto libraries as components.                        [boolean] [default: false]
@@ -5474,7 +5486,7 @@ const yargsConfig = {
     //'deps-slices-file': 'deps.slices.json', // hidden
     //evidence: false,
     //'exclude-type': [],
-    //'export-proto': true, // hidden
+    //'export-proto': false,
     //'fail-on-error': isSecureMode,
     //'feature-flags': [], // hidden
     //'include-crypto': false,
@@ -5485,7 +5497,7 @@ const yargsConfig = {
     //output: 'bom.json',
     //profile: 'generic',
     //'project-version': '',
-    //'proto-bin-file': 'bom.cdx', // hidden
+    //'proto-bin-file': 'bom.cdx',
     //recurse: true,
     //'skip-dt-tls-check': false,
     //'semantics-slices-file': 'semantics.slices.json',
@@ -5537,9 +5549,7 @@ const yargsConfig = {
   }],
   boolean: ['auto-compositions', 'babel', 'banner',
   // hidden
-  'deep', 'evidence', 'export-proto',
-  // hidden
-  'fail-on-error', 'generate-key-and-sign', 'help', 'include-crypto', 'include-formulation', 'install-deps', 'json-pretty', 'print', 'recurse', 'required-only', 'resolve-class', 'skip-dt-tls-check', 'server', 'validate', 'version',
+  'deep', 'evidence', 'export-proto', 'fail-on-error', 'generate-key-and-sign', 'help', 'include-crypto', 'include-formulation', 'install-deps', 'json-pretty', 'print', 'recurse', 'required-only', 'resolve-class', 'skip-dt-tls-check', 'server', 'validate', 'version',
   // The --yes flag and -y alias map to the corresponding flag and alias of npx.
   // https://docs.npmjs.com/cli/v7/commands/npx#compatibility-with-older-npx-versions
   'yes'],
@@ -5553,9 +5563,7 @@ const yargsConfig = {
   // number
   'openapi-spec-file',
   // hidden
-  'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'proto-bin-file',
-  // hidden
-  'reachables-slices-file',
+  'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'proto-bin-file', 'reachables-slices-file',
   // hidden
   'semantics-slices-file',
   // hidden
@@ -5647,7 +5655,7 @@ const config$B = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Tries to figure out what language your target repo uses. If it finds a
     supported case then it will try to generate the manifest file for that
@@ -5697,7 +5705,9 @@ async function run$B(argv, importMeta, {
   }
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
   const detected = await detectManifestActions(sockJson, cwd);
-  debug.debugLog('[DEBUG]', detected);
+  debug.debugDir('inspect', {
+    detected
+  });
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAILING_NOW$A);
     return;
@@ -5765,7 +5775,7 @@ const config$A = {
           contents of a file to have it processed.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
 
@@ -5905,7 +5915,7 @@ const config$z = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Uses gradle, preferably through your local project \`gradlew\`, to generate a
     \`pom.xml\` file for each task. If you have no \`gradlew\` you can try the
@@ -5962,7 +5972,7 @@ async function run$z(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  debug.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6062,7 +6072,7 @@ const config$y = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Uses gradle, preferably through your local project \`gradlew\`, to generate a
     \`pom.xml\` file for each task. If you have no \`gradlew\` you can try the
@@ -6119,7 +6129,7 @@ async function run$y(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  debug.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6221,7 +6231,7 @@ const config$x = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Uses \`sbt makePom\` to generate a \`pom.xml\` from your \`build.sbt\` file.
     This xml file is the dependency manifest (like a package.json
@@ -6285,7 +6295,7 @@ async function run$x(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
+  debug.debugFn('inspect', 'override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6379,7 +6389,9 @@ async function outputManifestSetup(result) {
 
 async function setupManifestConfig(cwd, defaultOnReadError = false) {
   const detected = await detectManifestActions(null, cwd);
-  debug.debugLog('[DEBUG]', detected);
+  debug.debugDir('inspect', {
+    detected
+  });
 
   // - repeat
   //   - give the user an option to configure one of the supported targets
@@ -6526,15 +6538,15 @@ async function setupConda(config) {
   } else {
     config.disabled = true;
   }
-  const inf = await askForInputFile(config.infile || 'environment.yml');
-  if (inf === undefined) {
+  const infile = await askForInputFile(config.infile || 'environment.yml');
+  if (infile === undefined) {
     return canceledByUser$1();
-  } else if (inf.trim() === '-') {
+  } else if (infile === '-') {
     config.stdin = true;
   } else {
     delete config.stdin;
-    if (inf.trim()) {
-      config.infile = inf.trim();
+    if (infile) {
+      config.infile = infile;
     } else {
       delete config.infile;
     }
@@ -6557,8 +6569,8 @@ async function setupConda(config) {
       config.stdout = true;
     } else {
       delete config.stdout;
-      if (out?.trim()) {
-        config.outfile = out.trim();
+      if (out) {
+        config.outfile = out;
       } else {
         delete config.outfile;
       }
@@ -6578,8 +6590,8 @@ async function setupGradle(config) {
   const bin = await askForBin(config.bin || './gradlew');
   if (bin === undefined) {
     return canceledByUser$1();
-  } else if (bin.trim()) {
-    config.bin = bin.trim();
+  } else if (bin) {
+    config.bin = bin;
   } else {
     delete config.bin;
   }
@@ -6591,8 +6603,8 @@ async function setupGradle(config) {
   });
   if (opts === undefined) {
     return canceledByUser$1();
-  } else if (opts.trim()) {
-    config.gradleOpts = opts.trim();
+  } else if (opts) {
+    config.gradleOpts = opts;
   } else {
     delete config.gradleOpts;
   }
@@ -6610,8 +6622,8 @@ async function setupSbt(config) {
   const bin = await askForBin(config.bin || 'sbt');
   if (bin === undefined) {
     return canceledByUser$1();
-  } else if (bin.trim()) {
-    config.bin = bin.trim();
+  } else if (bin) {
+    config.bin = bin;
   } else {
     delete config.bin;
   }
@@ -6623,8 +6635,8 @@ async function setupSbt(config) {
   });
   if (opts === undefined) {
     return canceledByUser$1();
-  } else if (opts.trim()) {
-    config.sbtOpts = opts.trim();
+  } else if (opts) {
+    config.sbtOpts = opts;
   } else {
     delete config.sbtOpts;
   }
@@ -6646,8 +6658,8 @@ async function setupSbt(config) {
       config.stdout = true;
     } else {
       delete config.stdout;
-      if (out?.trim()) {
-        config.outfile = out.trim();
+      if (out) {
+        config.outfile = out;
       } else {
         delete config.outfile;
       }
@@ -6788,7 +6800,7 @@ const config$w = {
       $ ${command} [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     This command will try to detect all supported ecosystems in given CWD. Then
     it starts a configurator where you can setup default values for certain flags
@@ -7602,7 +7614,10 @@ async function updateLockfile(pkgEnvDetails, options) {
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('fail: update\n', e);
+    debug.debugFn('error', 'fail: update');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'Update failed',
@@ -7761,7 +7776,7 @@ const config$r = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -7928,7 +7943,7 @@ const config$q = {
       - Permissions: none (does need token with access to target org)
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       ${command}
@@ -8052,7 +8067,7 @@ const config$p = {
       - Permissions: license-policy:read
 
     Options
-      ${utils.getFlagListOutput(config$p.flags, 6)}
+      ${utils.getFlagListOutput(config$p.flags)}
 
     Your API token will need the \`license-policy:read\` permission otherwise
     the request will fail with an authentication error.
@@ -8180,7 +8195,7 @@ const config$o = {
       - Permissions: security-policy:read
 
     Options
-      ${utils.getFlagListOutput(config$o.flags, 6)}
+      ${utils.getFlagListOutput(config$o.flags)}
 
     Your API token will need the \`security-policy:read\` permission otherwise
     the request will fail with an authentication error.
@@ -8321,7 +8336,7 @@ const config$n = {
       - Permissions: none (does need a token)
 
     Options
-      ${utils.getFlagListOutput(config$n.flags, 6)}
+      ${utils.getFlagListOutput(config$n.flags)}
 
     Examples
       $ ${command}
@@ -8449,7 +8464,7 @@ const config$m = {
       $ ${command} [options]
 
     Options
-      ${utils.getFlagListOutput(config$m.flags, 6)}
+      ${utils.getFlagListOutput(config$m.flags)}
 
     Examples
       $ ${command}
@@ -8775,7 +8790,7 @@ const config$l = {
       - Permissions: packages:list
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Show deep scoring details for one package. The score will reflect the package
     itself, any of its dependencies, and any of its transitive dependencies.
@@ -8922,7 +8937,7 @@ function formatReportCard(artifact, color) {
   };
   const alertString = getAlertString(artifact.alerts, !color);
   if (!artifact.ecosystem) {
-    debug.debugFn('miss: artifact ecosystem', artifact);
+    debug.debugFn('notice', 'miss: artifact ecosystem', artifact);
   }
   const purl = `pkg:${artifact.ecosystem}/${artifact.name}${artifact.version ? '@' + artifact.version : ''}`;
   return ['Package: ' + (color ? vendor.yoctocolorsCjsExports.bold(purl) : purl), '', ...Object.entries(scoreResult).map(score => `- ${score[0]}:`.padEnd(20, ' ') + `  ${formatScore(score[1], !color, true)}`), alertString].join('\n');
@@ -9126,7 +9141,7 @@ const config$k = {
       - Permissions: packages:list
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Show scoring details for one or more packages purely based on their own package.
     This means that any dependency scores are not reflected by the score. You can
@@ -9480,7 +9495,7 @@ const config$h = {
     The REPO name should be a "slug". Follows the same naming convention as GitHub.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} test-repo
@@ -9612,7 +9627,7 @@ const config$g = {
       - Permissions: repo:delete
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} test-repo
@@ -9700,19 +9715,22 @@ async function fetchListAllRepos({
       };
     }
     // eslint-disable-next-line no-await-in-loop
-    const result = await utils.handleApiCall(sockSdk.getOrgRepoList(orgSlug, {
+    const orgRepoListCResult = await utils.handleApiCall(sockSdk.getOrgRepoList(orgSlug, {
       sort,
       direction,
       per_page: String(100),
       // max
       page: String(nextPage)
     }), 'list of repositories');
-    if (!result.ok) {
-      debug.debugFn('fail: fetch repo\n', result);
-      return result;
+    if (!orgRepoListCResult.ok) {
+      debug.debugFn('error', 'fail: fetch repo');
+      debug.debugDir('inspect', {
+        orgRepoListCResult
+      });
+      return orgRepoListCResult;
     }
-    result.data.results.forEach(row => rows.push(row));
-    nextPage = result.data.nextPage ?? -1;
+    orgRepoListCResult.data.results.forEach(row => rows.push(row));
+    nextPage = orgRepoListCResult.data.nextPage ?? -1;
   }
   return {
     ok: true,
@@ -9890,7 +9908,7 @@ const config$f = {
       - Permissions: repo:list
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -10076,7 +10094,7 @@ const config$e = {
       - Permissions: repo:update
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} test-repo
@@ -10233,7 +10251,7 @@ const config$d = {
       - Permissions: repo:list
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} test-repo
@@ -10444,7 +10462,7 @@ const config$c = {
       - Permissions: full-scans:create
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Uploads the specified dependency manifest files for Go, Gradle, JavaScript,
     Kotlin, Python, and Scala. Files like "package.json" and "requirements.txt".
@@ -10732,7 +10750,7 @@ const config$b = {
       - Permissions: full-scans:delete
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} 000aaaa1-0000-0a0a-00a0-00a0000000a0
@@ -11032,7 +11050,7 @@ const config$a = {
           added/removed list (similar to diffing two files with git).
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} aaa0aa0a-aaaa-0000-0a0a-0000000a00a0 aaa1aa1a-aaaa-1111-1a1a-1111111a11a1
@@ -11128,7 +11146,7 @@ async function createScanFromGithub({
   outputKind,
   repos
 }) {
-  let targetRepos = repos.trim().split(',').map(repo => repo.trim()).filter(Boolean);
+  let targetRepos = repos.trim().split(',').map(r => r.trim()).filter(Boolean);
   if (all || targetRepos.length === 0) {
     // Fetch from Socket API
     const result = await fetchListAllRepos({
@@ -11141,7 +11159,7 @@ async function createScanFromGithub({
     }
     targetRepos = result.data.results.map(obj => obj.slug || '');
   }
-  targetRepos = targetRepos.map(slug => slug.trim()).filter(Boolean);
+  targetRepos = targetRepos.map(s => s.trim()).filter(Boolean);
   logger.logger.info(`Have ${targetRepos.length} repo names to Scan!`);
   logger.logger.log('');
   if (!targetRepos.filter(Boolean).length) {
@@ -11253,7 +11271,7 @@ async function scanOneRepo(repoSlug, {
     };
   }
   const tmpDir = fs$1.mkdtempSync(path.join(os.tmpdir(), repoSlug));
-  debug.debugFn('init: temp dir for scan root', tmpDir);
+  debug.debugFn('notice', 'init: temp dir for scan root', tmpDir);
   const downloadResult = await testAndDownloadManifestFiles({
     files,
     tmpDir,
@@ -11366,9 +11384,9 @@ async function testAndDownloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('testing: file', file);
+  debug.debugFn('notice', 'testing: file', file);
   if (!SUPPORTED_FILE_PATTERNS.some(regex => regex.test(file))) {
-    debug.debugFn('  - skip: not a known pattern');
+    debug.debugFn('notice', '  - skip: not a known pattern');
     // Not an error.
     return {
       ok: true,
@@ -11377,7 +11395,7 @@ async function testAndDownloadManifestFile({
       }
     };
   }
-  debug.debugFn('found: manifest file, going to attempt to download it;', file);
+  debug.debugFn('notice', 'found: manifest file, going to attempt to download it;', file);
   const result = await downloadManifestFile({
     file,
     tmpDir,
@@ -11399,18 +11417,18 @@ async function downloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('request: download url from GitHub');
+  debug.debugFn('notice', 'request: download url from GitHub');
   const fileUrl = `${repoApiUrl}/contents/${file}?ref=${defaultBranch}`;
-  debug.debugFn('url: file', fileUrl);
+  debug.debugFn('inspect', 'url: file', fileUrl);
   const downloadUrlResponse = await fetch(fileUrl, {
     method: 'GET',
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
-  debug.debugFn('complete: request');
+  debug.debugFn('notice', 'complete: request');
   const downloadUrlText = await downloadUrlResponse.text();
-  debug.debugFn('response: raw download url', downloadUrlText);
+  debug.debugFn('inspect', 'response: raw download url', downloadUrlText);
   let downloadUrl;
   try {
     downloadUrl = JSON.parse(downloadUrlText).download_url;
@@ -11423,7 +11441,7 @@ async function downloadManifestFile({
     };
   }
   const localPath = path.join(tmpDir, file);
-  debug.debugFn('download: manifest file started', downloadUrl, '->', localPath);
+  debug.debugFn('notice', 'download: manifest file started', downloadUrl, '->', localPath);
 
   // Now stream the file to that file...
   const result = await streamDownloadWithFetch(localPath, downloadUrl);
@@ -11432,7 +11450,7 @@ async function downloadManifestFile({
     logger.logger.fail(`Failed to download manifest file, skipping to next file. File: ${file}`);
     return result;
   }
-  debug.debugFn('download: manifest file completed');
+  debug.debugFn('notice', 'download: manifest file completed');
   return {
     ok: true,
     data: undefined
@@ -11484,8 +11502,9 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
     };
   } catch (error) {
     logger.logger.fail('An error was thrown while trying to download a manifest file... url:', downloadUrl);
-    debug.debugFn('Raw error:');
-    debug.debugFn(error);
+    debug.debugFn('inspect', {
+      error
+    });
 
     // If an error occurs and fileStream was created, attempt to clean up.
     if (fs$1.existsSync(localPath)) {
@@ -11507,7 +11526,7 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       // If error was due to bad HTTP status
       detailedError += ` (HTTP Status: ${response.status} ${response.statusText})`;
     }
-    debug.debugFn(detailedError);
+    debug.debugFn('error', detailedError);
     return {
       ok: false,
       message: 'Download Failed',
@@ -11524,14 +11543,14 @@ async function getLastCommitDetails({
 }) {
   logger.logger.info(`Requesting last commit for default branch ${defaultBranch} for ${orgGithub}/${repoSlug}...`);
   const commitApiUrl = `${repoApiUrl}/commits?sha=${defaultBranch}&per_page=1`;
-  debug.debugFn('url: commit', commitApiUrl);
+  debug.debugFn('inspect', 'url: commit', commitApiUrl);
   const commitResponse = await fetch(commitApiUrl, {
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
   const commitText = await commitResponse.text();
-  debug.debugFn('response: commit', commitText);
+  debug.debugFn('inspect', 'response: commit', commitText);
   let lastCommit;
   try {
     lastCommit = JSON.parse(commitText)?.[0];
@@ -11618,7 +11637,7 @@ async function getRepoDetails({
   repoSlug
 }) {
   const repoApiUrl = `${githubApiUrl}/repos/${orgGithub}/${repoSlug}`;
-  debug.debugFn('url: repo', repoApiUrl);
+  debug.debugFn('inspect', 'url: repo', repoApiUrl);
   const repoDetailsResponse = await fetch(repoApiUrl, {
     method: 'GET',
     headers: {
@@ -11627,7 +11646,7 @@ async function getRepoDetails({
   });
   logger.logger.success(`Request completed.`);
   const repoDetailsText = await repoDetailsResponse.text();
-  debug.debugFn('response: repo', repoDetailsText);
+  debug.debugFn('inspect', 'response: repo', repoDetailsText);
   let repoDetails;
   try {
     repoDetails = JSON.parse(repoDetailsText);
@@ -11666,7 +11685,7 @@ async function getRepoBranchTree({
 }) {
   logger.logger.info(`Requesting default branch file tree; branch \`${defaultBranch}\`, repo \`${orgGithub}/${repoSlug}\`...`);
   const treeApiUrl = `${repoApiUrl}/git/trees/${defaultBranch}?recursive=1`;
-  debug.debugFn('url: tree', treeApiUrl);
+  debug.debugFn('inspect', 'url: tree', treeApiUrl);
   const treeResponse = await fetch(treeApiUrl, {
     method: 'GET',
     headers: {
@@ -11674,7 +11693,7 @@ async function getRepoBranchTree({
     }
   });
   const treeText = await treeResponse.text();
-  debug.debugFn('response: tree', treeText);
+  debug.debugFn('inspect', 'response: tree', treeText);
   let treeDetails;
   try {
     treeDetails = JSON.parse(treeText);
@@ -11703,7 +11722,7 @@ async function getRepoBranchTree({
     };
   }
   if (!treeDetails.tree || !Array.isArray(treeDetails.tree)) {
-    debug.debugFn('treeDetails.tree:', treeDetails.tree);
+    debug.debugFn('inspect', 'treeDetails.tree:', treeDetails.tree);
     return {
       ok: false,
       message: `Tree response for default branch ${defaultBranch} for ${orgGithub}/${repoSlug} was not a list`
@@ -11814,7 +11833,7 @@ const config$9 = {
     You can use \`socket scan setup\` to configure certain repo flag defaults.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -12130,7 +12149,7 @@ const config$8 = {
     \`--branch\` to filter by branch across all repos).
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -12288,7 +12307,7 @@ const config$7 = {
       - Permissions: full-scans:list
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} 000aaaa1-0000-0a0a-00a0-00a0000000a0
@@ -12407,7 +12426,7 @@ const config$6 = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
@@ -12505,7 +12524,7 @@ const config$5 = {
       - Permissions: full-scans:list security-policy:read
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     When no output path is given the contents is sent to stdout.
 
@@ -12722,10 +12741,10 @@ async function configureScan(config) {
   if (defaultRepoName === undefined) {
     return canceledByUser();
   }
-  if (defaultRepoName.trim()) {
+  if (defaultRepoName) {
     // Even if it's 'socket-default-repository' store it because if we change
     // this default then an existing user probably would not expect the change?
-    config.repo = defaultRepoName.trim();
+    config.repo = defaultRepoName;
   } else {
     delete config.repo;
   }
@@ -12738,10 +12757,10 @@ async function configureScan(config) {
   if (defaultBranchName === undefined) {
     return canceledByUser();
   }
-  if (defaultBranchName.trim()) {
+  if (defaultBranchName) {
     // Even if it's 'socket-default-branch' store it because if we change
     // this default then an existing user probably would not expect the change?
-    config.branch = defaultBranchName.trim();
+    config.branch = defaultBranchName;
   } else {
     delete config.branch;
   }
@@ -12841,23 +12860,27 @@ async function configureGithub(config) {
     if (defaultRepos === undefined) {
       return canceledByUser();
     }
-    if (defaultRepos.trim()) {
-      config.repos = defaultRepos.trim();
+    if (defaultRepos) {
+      config.repos = defaultRepos;
     } else {
       delete config.repos;
     }
   }
   const defaultGithubApiUrl = await prompts.input({
     message: '(--githubApiUrl) Do you want to override the default github url?',
-    default: config.githubApiUrl || 'https://api.github.com',
+    default: config.githubApiUrl ||
+    // Lazily access constants.ENV.GITHUB_API_URL.
+    constants.ENV.GITHUB_API_URL,
     required: false
     // validate: async string => bool
   });
   if (defaultGithubApiUrl === undefined) {
     return canceledByUser();
   }
-  if (defaultGithubApiUrl.trim() && defaultGithubApiUrl.trim() !== 'https://api.github.com') {
-    config.githubApiUrl = defaultGithubApiUrl.trim();
+  if (defaultGithubApiUrl &&
+  // Lazily access constants.ENV.GITHUB_API_URL.
+  defaultGithubApiUrl !== constants.ENV.GITHUB_API_URL) {
+    config.githubApiUrl = defaultGithubApiUrl;
   } else {
     delete config.githubApiUrl;
   }
@@ -12870,8 +12893,8 @@ async function configureGithub(config) {
   if (defaultOrgGithub === undefined) {
     return canceledByUser();
   }
-  if (defaultOrgGithub.trim()) {
-    config.orgGithub = defaultOrgGithub.trim();
+  if (defaultOrgGithub) {
+    config.orgGithub = defaultOrgGithub;
   } else {
     delete config.orgGithub;
   }
@@ -12921,7 +12944,7 @@ const config$4 = {
       $ ${command} [options] [CWD=.]
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Interactive configurator to create a local json file in the target directory
     that helps to set flag defaults for \`socket scan create\`.
@@ -12983,7 +13006,10 @@ async function fetchScan(orgSlug, scanId) {
       return JSON.parse(line);
     } catch {
       ok = false;
-      debug.debugFn('fail: parse NDJSON\n', line);
+      debug.debugFn('error', 'fail: parse NDJSON');
+      debug.debugDir('inspect', {
+        line
+      });
       return null;
     }
   });
@@ -13126,7 +13152,7 @@ const config$3 = {
     When no output path is given the contents is sent to stdout.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
       $ ${command} 000aaaa1-0000-0a0a-00a0-00a0000000a0
@@ -13488,7 +13514,7 @@ const config$2 = {
     sales@socket.dev if you are interested in purchasing this access.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Valid ecosystems:
 
@@ -13749,7 +13775,7 @@ const config$1 = {
     tab completion that is registered for it in bash.
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     Examples
 
@@ -13863,7 +13889,10 @@ Do you want to install "safe npm" (this will create an alias to the socket-npm c
       }
     }
   } catch (e) {
-    debug.debugFn('fail: setup tab completion\n', e);
+    debug.debugFn('error', 'fail: setup tab completion');
+    debug.debugDir('inspect', {
+      error: e
+    });
     // Ignore. Skip tab completion setup.
   }
   if (!updatedTabCompletion) {
@@ -13943,7 +13972,7 @@ const config = {
       $ ${command} <"on" | "off">
 
     Options
-      ${utils.getFlagListOutput(config.flags, 6)}
+      ${utils.getFlagListOutput(config.flags)}
 
     While enabled, the wrapper makes it so that when you call npm/npx on your
     machine, it will automatically actually run \`socket npm\` / \`socket npx\`
@@ -14177,8 +14206,10 @@ void (async () => {
     });
   } catch (e) {
     process.exitCode = 1;
-    debug.debugFn('Uncaught error (BAD!):');
-    debug.debugFn(e);
+    debug.debugFn('error', 'Uncaught error (BAD!):');
+    debug.debugDir('inspect', {
+      error: e
+    });
 
     // Try to parse the flags, find out if --json or --markdown is set.
     let isJson = false;
@@ -14220,12 +14251,13 @@ void (async () => {
       logger.logger.error('\n'); // Any-spinner-newline
       logger.logger.fail(utils.failMsgWithBadge(errorTitle, errorMessage));
       if (errorBody) {
-        // Explicitly use debugLog here.
-        debug.debugLog(errorBody);
+        debug.debugDir('inspect', {
+          errorBody
+        });
       }
     }
     await utils.captureException(e);
   }
 })();
-//# debugId=22ea4fe2-a3e7-46a5-b720-03c98211a8ec
+//# debugId=3366e965-b082-456e-8e60-114997e8eaf0
 //# sourceMappingURL=cli.js.map