socket 1.0.97 → 1.0.99

package/dist/cli.js

@@ -18,11 +18,11 @@ var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
+var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var registry = require('../external/@socketsecurity/registry');
 var npm = require('../external/@socketsecurity/registry/lib/npm');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var sorts = require('../external/@socketsecurity/registry/lib/sorts');
-var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var shadowNpmInject = require('./shadow-npm-inject.js');
 var require$$9 = require('../external/@socketsecurity/registry/lib/objects');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
@@ -322,21 +322,21 @@ async function handleAnalytics({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$M
 } = constants;
-const CMD_NAME$w = 'analytics';
-const description$C = 'Look up analytics data';
-const hidden$u = false;
+const CMD_NAME$x = 'analytics';
+const description$D = 'Look up analytics data';
+const hidden$v = false;
 const cmdAnalytics = {
-  description: description$C,
-  hidden: hidden$u,
-  run: run$P
+  description: description$D,
+  hidden: hidden$v,
+  run: run$Q
 };
-async function run$P(argv, importMeta, {
+async function run$Q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$w,
-    description: description$C,
-    hidden: hidden$u,
+    commandName: CMD_NAME$x,
+    description: description$D,
+    hidden: hidden$v,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -352,7 +352,7 @@ async function run$P(argv, importMeta, {
       $ ${command} [options] [ "org" | "repo" <reponame>] [TIME]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
 
     The scope is either org or repo level, defaults to org.
 
@@ -755,21 +755,21 @@ const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$L,
   SOCKET_WEBSITE_URL: SOCKET_WEBSITE_URL$3
 } = constants;
-const CMD_NAME$v = 'audit-log';
-const description$B = 'Look up the audit log for an organization';
-const hidden$t = false;
+const CMD_NAME$w = 'audit-log';
+const description$C = 'Look up the audit log for an organization';
+const hidden$u = false;
 const cmdAuditLog = {
-  description: description$B,
-  hidden: hidden$t,
-  run: run$O
+  description: description$C,
+  hidden: hidden$u,
+  run: run$P
 };
-async function run$O(argv, importMeta, {
+async function run$P(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$v,
-    description: description$B,
-    hidden: hidden$t,
+    commandName: CMD_NAME$w,
+    description: description$C,
+    hidden: hidden$u,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -797,7 +797,7 @@ async function run$O(argv, importMeta, {
       $ ${command} [options] [FILTER]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$v}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$w}`)}
 
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit ${SOCKET_WEBSITE_URL$3}/pricing
@@ -2376,9 +2376,9 @@ const config$k = {
 const cmdCI = {
   description: config$k.description,
   hidden: config$k.hidden,
-  run: run$N
+  run: run$O
 };
-async function run$N(argv, importMeta, {
+async function run$O(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -2623,21 +2623,21 @@ async function handleConfigAuto({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$J
 } = constants;
-const CMD_NAME$u = 'auto';
-const description$A = 'Automatically discover and set the correct value config item';
-const hidden$s = false;
+const CMD_NAME$v = 'auto';
+const description$B = 'Automatically discover and set the correct value config item';
+const hidden$t = false;
 const cmdConfigAuto = {
-  description: description$A,
-  hidden: hidden$s,
-  run: run$M
+  description: description$B,
+  hidden: hidden$t,
+  run: run$N
 };
-async function run$M(argv, importMeta, {
+async function run$N(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$u,
-    description: description$A,
-    hidden: hidden$s,
+    commandName: CMD_NAME$v,
+    description: description$B,
+    hidden: hidden$t,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -2764,9 +2764,9 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
 const cmdConfigGet = {
   description: config$j.description,
   hidden: config$j.hidden,
-  run: run$L
+  run: run$M
 };
-async function run$L(argv, importMeta, {
+async function run$M(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -2903,9 +2903,9 @@ const config$i = {
 const cmdConfigList = {
   description: config$i.description,
   hidden: config$i.hidden,
-  run: run$K
+  run: run$L
 };
-async function run$K(argv, importMeta, {
+async function run$L(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -2982,21 +2982,21 @@ async function handleConfigSet({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$G
 } = constants;
-const CMD_NAME$t = 'set';
-const description$z = 'Update the value of a local CLI config item';
-const hidden$r = false;
+const CMD_NAME$u = 'set';
+const description$A = 'Update the value of a local CLI config item';
+const hidden$s = false;
 const cmdConfigSet = {
-  description: description$z,
-  hidden: hidden$r,
-  run: run$J
+  description: description$A,
+  hidden: hidden$s,
+  run: run$K
 };
-async function run$J(argv, importMeta, {
+async function run$K(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$t,
-    description: description$z,
-    hidden: hidden$r,
+    commandName: CMD_NAME$u,
+    description: description$A,
+    hidden: hidden$s,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -3109,21 +3109,21 @@ async function handleConfigUnset({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$F
 } = constants;
-const CMD_NAME$s = 'unset';
-const description$y = 'Clear the value of a local CLI config item';
-const hidden$q = false;
+const CMD_NAME$t = 'unset';
+const description$z = 'Clear the value of a local CLI config item';
+const hidden$r = false;
 const cmdConfigUnset = {
-  description: description$y,
-  hidden: hidden$q,
-  run: run$I
+  description: description$z,
+  hidden: hidden$r,
+  run: run$J
 };
-async function run$I(argv, importMeta, {
+async function run$J(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$s,
-    description: description$y,
-    hidden: hidden$q,
+    commandName: CMD_NAME$t,
+    description: description$z,
+    hidden: hidden$r,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -3182,9 +3182,9 @@ ${utils.getSupportedConfigEntries().map(([key, desc]) => `     - ${key} -- ${des
   });
 }
 
-const description$x = 'Manage Socket CLI configuration';
+const description$y = 'Manage Socket CLI configuration';
 const cmdConfig = {
-  description: description$x,
+  description: description$y,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -3197,74 +3197,13 @@ const cmdConfig = {
       unset: cmdConfigUnset
     }, {
       argv,
-      description: description$x,
+      description: description$y,
       importMeta,
       name: `${parentName} config`
     });
   }
 };
 
-async function coanaFix(fixConfig) {
-  const {
-    ghsas
-  } = fixConfig;
-  if (!ghsas.length) {
-    return {
-      ok: true,
-      data: {
-        fixed: false
-      }
-    };
-  }
-  const {
-    cwd,
-    orgSlug,
-    spinner
-  } = fixConfig;
-  spinner?.start();
-  const sockSdkCResult = await utils.setupSdk();
-  let lastCResult = sockSdkCResult;
-  const sockSdk = sockSdkCResult.ok ? sockSdkCResult.data : undefined;
-  const supportedFilesCResult = sockSdk ? await fetchSupportedScanFileNames() : undefined;
-  if (supportedFilesCResult) {
-    lastCResult = supportedFilesCResult;
-  }
-  const supportedFiles = supportedFilesCResult?.ok ? supportedFilesCResult.data : undefined;
-  const packagePaths = supportedFiles ? await utils.getPackageFilesForScan(['.'], supportedFiles, {
-    cwd
-  }) : [];
-  const uploadCResult = sockSdk ? await utils.handleApiCall(sockSdk?.uploadManifestFiles(orgSlug, packagePaths), {
-    desc: 'upload manifests'
-  }) : undefined;
-  if (uploadCResult) {
-    lastCResult = uploadCResult;
-  }
-  const tarHash = uploadCResult?.ok ? uploadCResult.data.tarHash : '';
-  if (!tarHash) {
-    spinner?.stop();
-    return lastCResult;
-  }
-  const isAllOrAuto = ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
-  const ids = isAllOrAuto ? ['all'] : ghsas;
-  const fixCResult = ids.length ? await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
-    cwd,
-    spinner
-  }) : undefined;
-  if (fixCResult) {
-    lastCResult = fixCResult;
-  }
-  spinner?.stop();
-  require$$8.debugDir('inspect', {
-    lastCResult
-  });
-  return lastCResult.ok ? {
-    ok: true,
-    data: {
-      fixed: true
-    }
-  } : lastCResult;
-}
-
 function formatBranchName(name) {
   return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
 }
@@ -3352,34 +3291,6 @@ function getSocketPullRequestTitle(purl, newVersion, workspace) {
   return `Bump ${fullName} from ${purlObj.version} to ${newVersion}${workspace ? ` in ${workspace}` : ''}`;
 }
 
-function getPrsForPurl(fixEnv, partialPurl) {
-  if (!fixEnv) {
-    return [];
-  }
-  const prs = [];
-  const partialPurlObj = utils.getPurlObject(partialPurl);
-  const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
-  const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-  for (const pr of fixEnv.prs) {
-    const parsedBranch = genericSocketBranchParser(pr.headRefName);
-    if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-      prs.push(pr);
-    }
-  }
-  if (require$$8.isDebug('notice,silly')) {
-    const fullName = packages.resolvePackageName(partialPurlObj);
-    if (prs.length) {
-      require$$8.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
-      require$$8.debugDir('silly', {
-        prs
-      });
-    } else if (fixEnv.prs.length) {
-      require$$8.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
-    }
-  }
-  return prs;
-}
-
 let _octokit;
 function getOctokit() {
   if (_octokit === undefined) {
@@ -3420,19 +3331,6 @@ function getOctokitGraphql() {
   }
   return _octokitGraphql;
 }
-async function cacheFetch(key, fetcher, ttlMs) {
-  // Optionally disable cache.
-  // Lazily access constants.ENV.DISABLE_GITHUB_CACHE.
-  if (constants.ENV.DISABLE_GITHUB_CACHE) {
-    return await fetcher();
-  }
-  let data = await readCache(key, ttlMs);
-  if (!data) {
-    data = await fetcher();
-    await writeCache(key, data);
-  }
-  return data;
-}
 async function readCache(key,
 // 5 minute in milliseconds time to live (TTL).
 ttlMs = 5 * 60 * 1000) {
@@ -3460,6 +3358,75 @@ async function writeCache(key, data) {
   }
   await fs$2.writeJson(cacheJsonPath, data);
 }
+async function cacheFetch(key, fetcher, ttlMs) {
+  // Optionally disable cache.
+  // Lazily access constants.ENV.DISABLE_GITHUB_CACHE.
+  if (constants.ENV.DISABLE_GITHUB_CACHE) {
+    return await fetcher();
+  }
+  let data = await readCache(key, ttlMs);
+  if (!data) {
+    data = await fetcher();
+    await writeCache(key, data);
+  }
+  return data;
+}
+async function fetchGhsaDetails(ids) {
+  const results = new Map();
+  if (!ids.length) {
+    return results;
+  }
+  const octokitGraphql = getOctokitGraphql();
+  try {
+    const gqlCacheKey = `${ids.join('-')}-graphql-snapshot`;
+    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
+        query($identifiers: [SecurityAdvisoryIdentifierFilter!]!) {
+          securityAdvisories(first: ${ids.length}, identifiers: $identifiers) {
+            nodes {
+              ghsaId
+              cveId
+              summary
+              severity
+              publishedAt
+              withdrawnAt
+              references {
+                url
+              }
+              vulnerabilities(first: 10) {
+                nodes {
+                  package {
+                    ecosystem
+                    name
+                  }
+                  vulnerableVersionRange
+                }
+              }
+            }
+          }
+        }`, {
+      identifiers: ids.map(id => ({
+        type: 'GHSA',
+        value: id
+      }))
+    }));
+    const advisories = gqlResp?.securityAdvisories?.nodes || [];
+    for (const advisory of advisories) {
+      if (advisory.ghsaId) {
+        results.set(advisory.ghsaId, advisory);
+      }
+    }
+
+    // Log any missing advisories
+    for (const id of ids) {
+      if (!results.has(id)) {
+        require$$8.debugFn('notice', `No advisory found for ${id}`);
+      }
+    }
+  } catch (e) {
+    require$$8.debugFn('error', `Failed to fetch GHSA details: ${e?.message || 'Unknown error'}`);
+  }
+  return results;
+}
 async function cleanupPrs(owner, repo, options) {
   const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
   if (!contextualMatches.length) {
@@ -3501,7 +3468,7 @@ async function cleanupPrs(owner, repo, options) {
         cachesToSave.set(context.cacheKey, context.data);
         return null;
       } catch (e) {
-        require$$8.debugFn('error', `pr: failed to close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
+        require$$8.debugFn('error', `pr: failed to close ${prRef} for ${prToVersion}\n`, e?.message || 'Unknown error');
       }
     }
     // Update stale PRs.
@@ -3543,9 +3510,8 @@ async function enablePrAutoMerge({
   node_id: prId
 }) {
   const octokitGraphql = getOctokitGraphql();
-  let error;
   try {
-    const response = await octokitGraphql(`
+    const gqlResp = await octokitGraphql(`
       mutation EnableAutoMerge($pullRequestId: ID!) {
         enablePullRequestAutoMerge(input: {
           pullRequestId: $pullRequestId,
@@ -3558,23 +3524,22 @@ async function enablePrAutoMerge({
       }`, {
       pullRequestId: prId
     });
-    const respPrNumber = response?.enablePullRequestAutoMerge?.pullRequest?.number;
+    const respPrNumber = gqlResp?.enablePullRequestAutoMerge?.pullRequest?.number;
     if (respPrNumber) {
       return {
         enabled: true
       };
     }
   } catch (e) {
-    error = e;
-  }
-  if (error instanceof vendor.GraphqlResponseError && Array.isArray(error.errors) && error.errors.length) {
-    const details = error.errors.map(({
-      message: m
-    }) => m.trim());
-    return {
-      enabled: false,
-      details
-    };
+    if (e instanceof vendor.GraphqlResponseError && Array.isArray(e.errors) && e.errors.length) {
+      const details = e.errors.map(({
+        message: m
+      }) => m.trim());
+      return {
+        enabled: false,
+        details
+      };
+    }
   }
   return {
     enabled: false
@@ -3741,6 +3706,61 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
   }
   return null;
 }
+async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
+  const {
+    baseBranch = 'main',
+    ghsaDetails
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const octokit = getOctokit();
+  const vulnCount = ghsaIds.length;
+  const prTitle = vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
+  let prBody = '';
+  if (vulnCount === 1) {
+    const ghsaId = ghsaIds[0];
+    const details = ghsaDetails?.get(ghsaId);
+    prBody = `[Socket](https://socket.dev/) fix for [${ghsaId}](https://github.com/advisories/${ghsaId}).`;
+    if (details) {
+      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
+      prBody += ['', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
+    }
+  } else {
+    prBody = [`[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+      const details = ghsaDetails?.get(id);
+      const item = `- [${id}](https://github.com/advisories/${id})`;
+      if (details) {
+        const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
+        return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
+      }
+      return item;
+    })].join('\n');
+  }
+  try {
+    const octokitPullsCreateParams = {
+      owner,
+      repo,
+      title: prTitle,
+      head: branch,
+      base: baseBranch,
+      body: prBody
+    };
+    require$$8.debugDir('inspect', {
+      octokitPullsCreateParams
+    });
+    return await octokit.pulls.create(octokitPullsCreateParams);
+  } catch (e) {
+    let message = `Failed to open pull request`;
+    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
+    if (Array.isArray(errors) && errors.length) {
+      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
+      message += `:\n${details}`;
+    }
+    require$$8.debugFn('error', message);
+  }
+  return null;
+}
 async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
   const {
     host
@@ -3823,25 +3843,281 @@ async function getFixEnv() {
   };
 }
 
-async function getActualTree(cwd = process.cwd()) {
-  try {
-    // @npmcli/arborist DOES have partial support for pnpm structured node_modules
-    // folders. However, support is iffy resulting in unhappy paths of errors and hangs.
-    // So, to avoid unhappy paths, we restrict our usage to --dry-run loading of the
-    // node_modules folder.
-    const arb = new shadowNpmInject.Arborist({
-      path: cwd,
-      ...shadowNpmInject.SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-    });
-    return {
-      actualTree: await arb.loadActual()
-    };
-  } catch (e) {
-    return {
-      error: e
-    };
-  }
-}
+async function coanaFix(fixConfig) {
+  const {
+    autoMerge,
+    cwd,
+    ghsas,
+    limit,
+    orgSlug,
+    spinner
+  } = fixConfig;
+  const fixEnv = await getFixEnv();
+  require$$8.debugDir('inspect', {
+    fixEnv
+  });
+  spinner?.start();
+  const sockSdkCResult = await utils.setupSdk();
+  if (!sockSdkCResult.ok) {
+    return sockSdkCResult;
+  }
+  const sockSdk = sockSdkCResult.data;
+  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  if (!supportedFilesCResult.ok) {
+    return supportedFilesCResult;
+  }
+  const supportedFiles = supportedFilesCResult.data;
+  const scanFilepaths = await utils.getPackageFilesForScan(['.'], supportedFiles, {
+    cwd
+  });
+  const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, scanFilepaths), {
+    desc: 'upload manifests'
+  });
+  if (!uploadCResult.ok) {
+    return uploadCResult;
+  }
+  const tarHash = uploadCResult.data.tarHash;
+  if (!tarHash) {
+    spinner?.stop();
+    return {
+      ok: false,
+      message: 'No tar hash returned from Socket API upload-manifest-files endpoint',
+      data: uploadCResult.data
+    };
+  }
+  const isAll = ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
+  const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
+  if (!shouldOpenPrs) {
+    const ids = isAll ? ['all'] : ghsas.slice(0, limit);
+    if (!ids.length) {
+      spinner?.stop();
+      return {
+        ok: true,
+        data: {
+          fixed: false
+        }
+      };
+    }
+    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...(isAll ? ['all'] : ghsas), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      cwd,
+      spinner
+    });
+    spinner?.stop();
+    return fixCResult.ok ? {
+      ok: true,
+      data: {
+        fixed: true
+      }
+    } : fixCResult;
+  }
+  let ids;
+  if (isAll) {
+    const foundCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      cwd,
+      spinner
+    });
+    if (foundCResult.ok) {
+      const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
+      ids = foundIds.slice(0, limit);
+    }
+  } else {
+    ids = ghsas.slice(0, limit);
+  }
+  if (!ids?.length) {
+    require$$8.debugFn('notice', 'miss: no GHSA IDs to process');
+  }
+  if (!fixEnv.repoInfo) {
+    require$$8.debugFn('notice', 'miss: no repo info detected');
+  }
+  if (!ids?.length || !fixEnv.repoInfo) {
+    spinner?.stop();
+    return {
+      ok: true,
+      data: {
+        fixed: false
+      }
+    };
+  }
+  const ghsaDetails = await fetchGhsaDetails(ids);
+  const scanBaseNames = new Set(scanFilepaths.map(p => path.basename(p)));
+  let count = 0;
+  let overallFixed = false;
+
+  // Process each GHSA ID individually, similar to npm-fix/pnpm-fix.
+  ghsaLoop: for (let i = 0, {
+      length
+    } = ids; i < length; i += 1) {
+    const id = ids[i];
+    require$$8.debugFn('notice', `check: ${id}`);
+
+    // Apply fix for single GHSA ID.
+    // eslint-disable-next-line no-await-in-loop
+    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', id, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      cwd,
+      spinner
+    });
+    if (!fixCResult.ok) {
+      logger.logger.error(`Update failed for ${id}: ${fixCResult.message || 'Unknown error'}`);
+      continue ghsaLoop;
+    }
+
+    // Check for modified files after applying the fix.
+    // eslint-disable-next-line no-await-in-loop
+    const unstagedCResult = await utils.gitUnstagedModifiedFiles(cwd);
+    const modifiedFiles = unstagedCResult.ok ? unstagedCResult.data.filter(relPath => scanBaseNames.has(path.basename(relPath))) : [];
+    if (!modifiedFiles.length) {
+      require$$8.debugFn('notice', `skip: no changes for ${id}`);
+      continue ghsaLoop;
+    }
+    overallFixed = true;
+    const branch = `socket/fix/${id}`;
+    try {
+      // Check if branch already exists.
+      // eslint-disable-next-line no-await-in-loop
+      if (await utils.gitRemoteBranchExists(branch, cwd)) {
+        require$$8.debugFn('notice', `skip: remote branch "${branch}" exists`);
+        continue ghsaLoop;
+      }
+      require$$8.debugFn('notice', `pr: creating for ${id}`);
+      const summary = ghsaDetails.get(id)?.summary;
+      const pushed =
+      // eslint-disable-next-line no-await-in-loop
+      (await utils.gitCreateBranch(branch, cwd)) && (
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitCheckoutBranch(branch, cwd)) && (
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitCommit(`fix: ${id}${summary ? ` - ${summary}` : ''}`, modifiedFiles, {
+        cwd,
+        email: fixEnv.gitEmail,
+        user: fixEnv.gitUser
+      })) && (
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitPushBranch(branch, cwd));
+      if (!pushed) {
+        logger.logger.warn(`Push failed for ${id}, skipping PR creation.`);
+        // eslint-disable-next-line no-await-in-loop
+        await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
+        // eslint-disable-next-line no-await-in-loop
+        await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
+        // eslint-disable-next-line no-await-in-loop
+        await utils.gitDeleteBranch(branch, cwd);
+        continue ghsaLoop;
+      }
+
+      // Set up git remote.
+      // eslint-disable-next-line no-await-in-loop
+      await setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
+
+      // eslint-disable-next-line no-await-in-loop
+      const prResponse = await openCoanaPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
+      // Single GHSA ID.
+      [id], {
+        baseBranch: fixEnv.baseBranch,
+        cwd,
+        ghsaDetails
+      });
+      if (prResponse) {
+        const {
+          data
+        } = prResponse;
+        const prRef = `PR #${data.number}`;
+        logger.logger.success(`Opened ${prRef} for ${id}.`);
+        if (autoMerge) {
+          logger.logger.indent();
+          spinner?.indent();
+          // eslint-disable-next-line no-await-in-loop
+          const {
+            details,
+            enabled
+          } = await enablePrAutoMerge(data);
+          if (enabled) {
+            logger.logger.info(`Auto-merge enabled for ${prRef}.`);
+          } else {
+            const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
+            logger.logger.error(message);
+          }
+          logger.logger.dedent();
+          spinner?.dedent();
+        }
+      }
+
+      // Reset back to base branch for next iteration.
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitResetAndClean(branch, cwd);
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
+    } catch (e) {
+      logger.logger.warn(`Unexpected condition: Push failed for ${id}, skipping PR creation.`);
+      require$$8.debugDir('inspect', {
+        error: e
+      });
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
+      // eslint-disable-next-line no-await-in-loop
+      await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
+    }
+    count += 1;
+    require$$8.debugFn('notice', `increment: count ${count}/${Math.min(limit, ids.length)}`);
+    if (count >= limit) {
+      break ghsaLoop;
+    }
+  }
+  spinner?.stop();
+  return {
+    ok: true,
+    data: {
+      fixed: overallFixed
+    }
+  };
+}
+
+function getPrsForPurl(fixEnv, partialPurl) {
+  if (!fixEnv) {
+    return [];
+  }
+  const prs = [];
+  const partialPurlObj = utils.getPurlObject(partialPurl);
+  const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
+  const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
+  for (const pr of fixEnv.prs) {
+    const parsedBranch = genericSocketBranchParser(pr.headRefName);
+    if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
+      prs.push(pr);
+    }
+  }
+  if (require$$8.isDebug('notice,silly')) {
+    const fullName = packages.resolvePackageName(partialPurlObj);
+    if (prs.length) {
+      require$$8.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
+      require$$8.debugDir('silly', {
+        prs
+      });
+    } else if (fixEnv.prs.length) {
+      require$$8.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
+    }
+  }
+  return prs;
+}
+
+async function getActualTree(cwd = process.cwd()) {
+  try {
+    // @npmcli/arborist DOES have partial support for pnpm structured node_modules
+    // folders. However, support is iffy resulting in unhappy paths of errors and hangs.
+    // So, to avoid unhappy paths, we restrict our usage to --dry-run loading of the
+    // node_modules folder.
+    const arb = new shadowNpmInject.Arborist({
+      path: cwd,
+      ...shadowNpmInject.SAFE_NO_SAVE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+    });
+    return {
+      actualTree: await arb.loadActual()
+    };
+  } catch (e) {
+    return {
+      error: e
+    };
+  }
+}
 
 const {
   BUN: BUN$4,
@@ -4415,7 +4691,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   };
 }
 
-const CMD_NAME$r = 'socket fix';
+const CMD_NAME$s = 'socket fix';
 function getFixAlertsMapOptions(options = {}) {
   return {
     __proto__: null,
@@ -4854,8 +5130,10 @@ async function handleFix({
 }) {
   if (ghsas.length) {
     await outputFixResult(await coanaFix({
+      autoMerge,
       cwd,
       ghsas,
+      limit,
       orgSlug,
       spinner,
       unknownFlags
@@ -4863,7 +5141,7 @@ async function handleFix({
     return;
   }
   const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$r,
+    cmdName: CMD_NAME$s,
     logger: logger.logger
   });
   if (!pkgEnvCResult.ok) {
@@ -4922,24 +5200,24 @@ async function handleFix({
 }
 
 const {
-  DRY_RUN_NOT_SAVING
+  DRY_RUN_NOT_SAVING: DRY_RUN_NOT_SAVING$1
 } = constants;
-const CMD_NAME$q = 'fix';
+const CMD_NAME$r = 'fix';
 const DEFAULT_LIMIT = 10;
-const description$w = 'Update dependencies with "fixable" Socket alerts';
-const hidden$p = false;
+const description$x = 'Update dependencies with "fixable" Socket alerts';
+const hidden$q = false;
 const cmdFix = {
-  description: description$w,
-  hidden: hidden$p,
-  run: run$H
+  description: description$x,
+  hidden: hidden$q,
+  run: run$I
 };
-async function run$H(argv, importMeta, {
+async function run$I(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$q,
-    description: description$w,
-    hidden: hidden$p,
+    commandName: CMD_NAME$r,
+    description: description$x,
+    hidden: hidden$q,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -5021,7 +5299,7 @@ Available styles:
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$r}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -5076,7 +5354,7 @@ Available styles:
     return;
   }
   if (dryRun) {
-    logger.logger.log(DRY_RUN_NOT_SAVING);
+    logger.logger.log(DRY_RUN_NOT_SAVING$1);
     return;
   }
   const orgSlugCResult = await utils.getDefaultOrgSlug();
@@ -5287,9 +5565,9 @@ const config$h = {
 const cmdInstallCompletion = {
   description: config$h.description,
   hidden: config$h.hidden,
-  run: run$G
+  run: run$H
 };
-async function run$G(argv, importMeta, {
+async function run$H(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -5307,9 +5585,9 @@ async function run$G(argv, importMeta, {
   await handleInstallCompletion(String(targetName));
 }
 
-const description$v = 'Install Socket CLI tab completion';
+const description$w = 'Install Socket CLI tab completion';
 const cmdInstall = {
-  description: description$v,
+  description: description$w,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -5318,7 +5596,7 @@ const cmdInstall = {
       completion: cmdInstallCompletion
     }, {
       argv,
-      description: description$v,
+      description: description$w,
       importMeta,
       name: `${parentName} install`
     });
@@ -5370,9 +5648,9 @@ const config$g = {
 const cmdJson = {
   description: config$g.description,
   hidden: config$g.hidden,
-  run: run$F
+  run: run$G
 };
-async function run$F(argv, importMeta, {
+async function run$G(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -5532,21 +5810,21 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$D
 } = constants;
-const CMD_NAME$p = 'login';
-const description$u = 'Setup Socket CLI with an API token and defaults';
-const hidden$o = false;
+const CMD_NAME$q = 'login';
+const description$v = 'Setup Socket CLI with an API token and defaults';
+const hidden$p = false;
 const cmdLogin = {
-  description: description$u,
-  hidden: hidden$o,
-  run: run$E
+  description: description$v,
+  hidden: hidden$p,
+  run: run$F
 };
-async function run$E(argv, importMeta, {
+async function run$F(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$p,
-    description: description$u,
-    hidden: hidden$o,
+    commandName: CMD_NAME$q,
+    description: description$v,
+    hidden: hidden$p,
     flags: {
       ...flags.commonFlags,
       apiBaseUrl: {
@@ -5563,7 +5841,7 @@ async function run$E(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$p}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$q}`)}
 
     Logs into the Socket API by prompting for an API token
 
@@ -5637,9 +5915,9 @@ const config$f = {
 const cmdLogout = {
   description: config$f.description,
   hidden: config$f.hidden,
-  run: run$D
+  run: run$E
 };
-async function run$D(argv, importMeta, {
+async function run$E(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -5951,9 +6229,9 @@ const config$e = {
 const cmdManifestCdxgen = {
   description: config$e.description,
   hidden: config$e.hidden,
-  run: run$C
+  run: run$D
 };
-async function run$C(argv, importMeta, {
+async function run$D(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6050,9 +6328,9 @@ const config$d = {
 const cmdManifestAuto = {
   description: config$d.description,
   hidden: config$d.hidden,
-  run: run$B
+  run: run$C
 };
-async function run$B(argv, importMeta, {
+async function run$C(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6165,9 +6443,9 @@ const config$c = {
 const cmdManifestConda = {
   description: config$c.description,
   hidden: config$c.hidden,
-  run: run$A
+  run: run$B
 };
-async function run$A(argv, importMeta, {
+async function run$B(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6324,9 +6602,9 @@ const config$b = {
 const cmdManifestGradle = {
   description: config$b.description,
   hidden: config$b.hidden,
-  run: run$z
+  run: run$A
 };
-async function run$z(argv, importMeta, {
+async function run$A(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6483,9 +6761,9 @@ const config$a = {
 const cmdManifestKotlin = {
   description: config$a.description,
   hidden: config$a.hidden,
-  run: run$y
+  run: run$z
 };
-async function run$y(argv, importMeta, {
+async function run$z(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -6649,9 +6927,9 @@ const config$9 = {
 const cmdManifestScala = {
   description: config$9.description,
   hidden: config$9.hidden,
-  run: run$x
+  run: run$y
 };
-async function run$x(argv, importMeta, {
+async function run$y(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -7213,9 +7491,9 @@ const config$8 = {
 const cmdManifestSetup = {
   description: config$8.description,
   hidden: config$8.hidden,
-  run: run$w
+  run: run$x
 };
-async function run$w(argv, importMeta, {
+async function run$x(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -7249,9 +7527,9 @@ const config$7 = {
 const cmdManifest = {
   description: config$7.description,
   hidden: config$7.hidden,
-  run: run$v
+  run: run$w
 };
-async function run$v(argv, importMeta, {
+async function run$w(argv, importMeta, {
   parentName
 }) {
   await utils.meowWithSubcommands({
@@ -7282,21 +7560,21 @@ const require$3 = require$$5.createRequire(require('node:url').pathToFileURL(__f
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$u
 } = constants;
-const CMD_NAME$o = 'npm';
-const description$t = 'Run npm with the Socket wrapper';
-const hidden$n = false;
+const CMD_NAME$p = 'npm';
+const description$u = 'Run npm with the Socket wrapper';
+const hidden$o = false;
 const cmdNpm = {
-  description: description$t,
-  hidden: hidden$n,
-  run: run$u
+  description: description$u,
+  hidden: hidden$o,
+  run: run$v
 };
-async function run$u(argv, importMeta, {
+async function run$v(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$o,
-    description: description$t,
-    hidden: hidden$n,
+    commandName: CMD_NAME$p,
+    description: description$u,
+    hidden: hidden$o,
     flags: {
       ...flags.commonFlags
     },
@@ -7305,7 +7583,7 @@ async function run$u(argv, importMeta, {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$o}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$p}`)}
 
     Note: Everything after "npm" is passed to the npm command.
           Only the \`--dry-run\` and \`--help\` flags are caught here.
@@ -7338,21 +7616,21 @@ const require$2 = require$$5.createRequire(require('node:url').pathToFileURL(__f
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$t
 } = constants;
-const CMD_NAME$n = 'npx';
-const description$s = 'Run npx with the Socket wrapper';
-const hidden$m = false;
+const CMD_NAME$o = 'npx';
+const description$t = 'Run npx with the Socket wrapper';
+const hidden$n = false;
 const cmdNpx = {
-  description: description$s,
-  hidden: hidden$m,
-  run: run$t
+  description: description$t,
+  hidden: hidden$n,
+  run: run$u
 };
-async function run$t(argv, importMeta, {
+async function run$u(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$n,
-    description: description$s,
-    hidden: hidden$m,
+    commandName: CMD_NAME$o,
+    description: description$t,
+    hidden: hidden$n,
     flags: {
       ...flags.commonFlags
     },
@@ -7361,7 +7639,7 @@ async function run$t(argv, importMeta, {
       $ ${command} ...
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$n}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$o}`)}
 
     Note: Everything after "npx" is passed to the npx command.
           Only the \`--dry-run\` and \`--help\` flags are caught here.
@@ -7415,9 +7693,9 @@ const config$6 = {
 const cmdOops = {
   description: config$6.description,
   hidden: config$6.hidden,
-  run: run$s
+  run: run$t
 };
-async function run$s(argv, importMeta, {
+async function run$t(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -7758,7 +8036,7 @@ async function listPackages(pkgEnvDetails, options) {
   }
 }
 
-const CMD_NAME$m = 'socket optimize';
+const CMD_NAME$n = 'socket optimize';
 
 const {
   BUN,
@@ -7933,7 +8211,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   npmExecPath === NPM && !state.warnedPnpmWorkspaceRequiresNpm) {
     state.warnedPnpmWorkspaceRequiresNpm = true;
     spinner?.stop();
-    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$m, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
+    logger?.warn(utils.cmdPrefixMessage(CMD_NAME$n, `${agent} workspace support requires \`npm ls\`, falling back to \`${agent} list\``));
     spinner?.start();
   }
   const overridesDataObjects = [];
@@ -8164,7 +8442,7 @@ async function applyOptimization(pkgEnvDetails, {
   const pkgJsonChanged = addedCount > 0 || updatedCount > 0;
   if (pkgJsonChanged || pkgEnvDetails.features.npmBuggyOverrides) {
     const result = await updateLockfile(pkgEnvDetails, {
-      cmdName: CMD_NAME$m,
+      cmdName: CMD_NAME$n,
       logger: logger.logger,
       spinner
     });
@@ -8226,7 +8504,7 @@ async function handleOptimize({
   prod
 }) {
   const pkgEnvCResult = await utils.detectAndValidatePackageEnvironment(cwd, {
-    cmdName: CMD_NAME$m,
+    cmdName: CMD_NAME$n,
     logger: logger.logger,
     prod
   });
@@ -8251,7 +8529,7 @@ async function handleOptimize({
     await outputOptimizeResult({
       ok: false,
       message: 'Unsupported',
-      cause: utils.cmdPrefixMessage(CMD_NAME$m, `${agent} v${agentVersion} does not support overrides.`)
+      cause: utils.cmdPrefixMessage(CMD_NAME$n, `${agent} v${agentVersion} does not support overrides.`)
     }, outputKind);
     return;
   }
@@ -8265,21 +8543,21 @@ async function handleOptimize({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$r
 } = constants;
-const CMD_NAME$l = 'optimize';
-const description$r = 'Optimize dependencies with @socketregistry overrides';
-const hidden$l = false;
+const CMD_NAME$m = 'optimize';
+const description$s = 'Optimize dependencies with @socketregistry overrides';
+const hidden$m = false;
 const cmdOptimize = {
-  description: description$r,
-  hidden: hidden$l,
-  run: run$r
+  description: description$s,
+  hidden: hidden$m,
+  run: run$s
 };
-async function run$r(argv, importMeta, {
+async function run$s(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$l,
-    description: description$r,
-    hidden: hidden$l,
+    commandName: CMD_NAME$m,
+    description: description$s,
+    hidden: hidden$m,
     flags: {
       ...flags.commonFlags,
       pin: {
@@ -8298,7 +8576,7 @@ async function run$r(argv, importMeta, {
       $ ${command} [options] [CWD=.]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$m}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8444,21 +8722,21 @@ async function handleDependencies({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$q
 } = constants;
-const CMD_NAME$k = 'dependencies';
-const description$q = 'Search for any dependency that is being used in your organization';
-const hidden$k = false;
+const CMD_NAME$l = 'dependencies';
+const description$r = 'Search for any dependency that is being used in your organization';
+const hidden$l = false;
 const cmdOrganizationDependencies = {
-  description: description$q,
-  hidden: hidden$k,
-  run: run$q
+  description: description$r,
+  hidden: hidden$l,
+  run: run$r
 };
-async function run$q(argv, importMeta, {
+async function run$r(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$k,
-    description: description$q,
-    hidden: hidden$k,
+    commandName: CMD_NAME$l,
+    description: description$r,
+    hidden: hidden$l,
     flags: {
       ...flags.commonFlags,
       limit: {
@@ -8478,7 +8756,7 @@ async function run$q(argv, importMeta, {
       ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$l}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8581,21 +8859,21 @@ async function handleLicensePolicy(orgSlug, outputKind) {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$p
 } = constants;
-const CMD_NAME$j = 'license';
-const description$p = 'Retrieve the license policy of an organization';
-const hidden$j = false;
+const CMD_NAME$k = 'license';
+const description$q = 'Retrieve the license policy of an organization';
+const hidden$k = false;
 const cmdOrganizationPolicyLicense = {
-  description: description$p,
-  hidden: hidden$j,
-  run: run$p
+  description: description$q,
+  hidden: hidden$k,
+  run: run$q
 };
-async function run$p(argv, importMeta, {
+async function run$q(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$j,
-    description: description$p,
-    hidden: hidden$j,
+    commandName: CMD_NAME$k,
+    description: description$q,
+    hidden: hidden$k,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -8614,7 +8892,7 @@ async function run$p(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$k}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8718,21 +8996,21 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$o
 } = constants;
-const CMD_NAME$i = 'security';
-const description$o = 'Retrieve the security policy of an organization';
-const hidden$i = true;
+const CMD_NAME$j = 'security';
+const description$p = 'Retrieve the security policy of an organization';
+const hidden$j = true;
 const cmdOrganizationPolicySecurity = {
-  description: description$o,
-  hidden: hidden$i,
-  run: run$o
+  description: description$p,
+  hidden: hidden$j,
+  run: run$p
 };
-async function run$o(argv, importMeta, {
+async function run$p(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$i,
-    description: description$o,
-    hidden: hidden$i,
+    commandName: CMD_NAME$j,
+    description: description$p,
+    hidden: hidden$j,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags,
@@ -8751,7 +9029,7 @@ async function run$o(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$j}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8856,21 +9134,21 @@ async function handleOrganizationList(outputKind = 'text') {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$n
 } = constants;
-const CMD_NAME$h = 'list';
-const description$n = 'List organizations associated with the Socket API token';
-const hidden$h = false;
+const CMD_NAME$i = 'list';
+const description$o = 'List organizations associated with the Socket API token';
+const hidden$i = false;
 const cmdOrganizationList = {
-  description: description$n,
-  hidden: hidden$h,
-  run: run$n
+  description: description$o,
+  hidden: hidden$i,
+  run: run$o
 };
-async function run$n(argv, importMeta, {
+async function run$o(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$h,
-    description: description$n,
-    hidden: hidden$h,
+    commandName: CMD_NAME$i,
+    description: description$o,
+    hidden: hidden$i,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -8880,7 +9158,7 @@ async function run$n(argv, importMeta, {
       $ ${command} [options]
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$i}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -8924,9 +9202,9 @@ async function run$n(argv, importMeta, {
   await handleOrganizationList(outputKind);
 }
 
-const description$m = 'Organization policy details';
+const description$n = 'Organization policy details';
 const cmdOrganizationPolicy = {
-  description: description$m,
+  description: description$n,
   // Hidden because it was broken all this time (nobody could be using it)
   // and we're not sure if it's useful to anyone in its current state.
   // Until we do, we'll hide this to keep the help tidier.
@@ -8940,7 +9218,7 @@ const cmdOrganizationPolicy = {
       license: cmdOrganizationPolicyLicense
     }, {
       argv,
-      description: description$m,
+      description: description$n,
       defaultSub: 'list',
       // Backwards compat
       importMeta,
@@ -9020,9 +9298,9 @@ const config$5 = {
 const cmdOrganizationQuota = {
   description: config$5.description,
   hidden: config$5.hidden,
-  run: run$m
+  run: run$n
 };
-async function run$m(argv, importMeta, {
+async function run$n(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
@@ -9057,9 +9335,9 @@ async function run$m(argv, importMeta, {
   await handleQuota(outputKind);
 }
 
-const description$l = 'Manage Socket organization account details';
+const description$m = 'Manage Socket organization account details';
 const cmdOrganization = {
-  description: description$l,
+  description: description$m,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -9088,7 +9366,7 @@ const cmdOrganization = {
         }
       },
       argv,
-      description: description$l,
+      description: description$m,
       importMeta,
       name: `${parentName} organization`
     });
@@ -9316,21 +9594,21 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$l
 } = constants;
-const CMD_NAME$g = 'score';
-const description$k = 'Look up score for one package which reflects all of its transitive dependencies as well';
-const hidden$g = false;
+const CMD_NAME$h = 'score';
+const description$l = 'Look up score for one package which reflects all of its transitive dependencies as well';
+const hidden$h = false;
 const cmdPackageScore = {
-  description: description$k,
-  hidden: hidden$g,
-  run: run$l
+  description: description$l,
+  hidden: hidden$h,
+  run: run$m
 };
-async function run$l(argv, importMeta, {
+async function run$m(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$g,
-    description: description$k,
-    hidden: hidden$g,
+    commandName: CMD_NAME$h,
+    description: description$l,
+    hidden: hidden$h,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -9340,7 +9618,7 @@ async function run$l(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <NAME> | <PURL>>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$g}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$h}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9701,28 +9979,28 @@ async function handlePurlsShallowScore({
 const {
   DRY_RUN_BAILING_NOW: DRY_RUN_BAILING_NOW$k
 } = constants;
-const CMD_NAME$f = 'shallow';
-const description$j = 'Look up info regarding one or more packages but not their transitives';
-const hidden$f = false;
+const CMD_NAME$g = 'shallow';
+const description$k = 'Look up info regarding one or more packages but not their transitives';
+const hidden$g = false;
 const cmdPackageShallow = {
-  description: description$j,
-  hidden: hidden$f,
+  description: description$k,
+  hidden: hidden$g,
   alias: {
     shallowScore: {
-      description: description$j,
+      description: description$k,
       hidden: true,
       argv: []
     }
   },
-  run: run$k
+  run: run$l
 };
-async function run$k(argv, importMeta, {
+async function run$l(argv, importMeta, {
   parentName
 }) {
   const config = {
-    commandName: CMD_NAME$f,
-    description: description$j,
-    hidden: hidden$f,
+    commandName: CMD_NAME$g,
+    description: description$k,
+    hidden: hidden$g,
     flags: {
       ...flags.commonFlags,
       ...flags.outputFlags
@@ -9732,7 +10010,7 @@ async function run$k(argv, importMeta, {
       $ ${command} [options] <<ECOSYSTEM> <PKGNAME> [<PKGNAME> ...] | <PURL> [<PURL> ...]>
 
     API Token Requirements
-      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$f}`)}
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$g}`)}
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -9806,9 +10084,9 @@ async function run$k(argv, importMeta, {
   });
 }
 
-const description$i = 'Look up published package details';
+const description$j = 'Look up published package details';
 const cmdPackage = {
-  description: description$i,
+  description: description$j,
   hidden: false,
   async run(argv, importMeta, {
     parentName
@@ -9819,19 +10097,166 @@ const cmdPackage = {
     }, {
       aliases: {
         deep: {
-          description: description$i,
+          description: description$j,
           hidden: true,
           argv: ['score']
         }
       },
       argv,
-      description: description$i,
+      description: description$j,
       importMeta,
       name: `${parentName} package`
     });
   }
 };
 
+async function outputPatchResult(result, outputKind) {
+  if (!result.ok) {
+    process.exitCode = result.code ?? 1;
+  }
+  if (outputKind === 'json') {
+    logger.logger.log(utils.serializeResultJson(result));
+    return;
+  }
+  if (!result.ok) {
+    logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
+    return;
+  }
+  const {
+    patchedPackages
+  } = result.data;
+  if (patchedPackages.length > 0) {
+    logger.logger.success(`Successfully processed patches for ${patchedPackages.length} package(s):`);
+    for (const pkg of patchedPackages) {
+      logger.logger.success(pkg);
+    }
+  } else {
+    logger.logger.info('No packages found requiring patches');
+  }
+  logger.logger.log('');
+  logger.logger.success('Patch command completed!');
+}
+
+async function handlePatch({
+  outputKind,
+  packages,
+  spinner
+}) {
+  spinner.start('Analyzing dependencies for security patches...');
+  try {
+    // TODO: Implement actual patch logic
+    // This is a stub implementation
+    const result = {
+      ok: true,
+      data: {
+        patchedPackages: packages.length > 0 ? packages : ['example-package']
+      }
+    };
+    spinner.stop();
+    logger.logger.log('');
+    if (packages.length > 0) {
+      logger.logger.info(`Checking patches for: ${packages.join(', ')}`);
+    } else {
+      logger.logger.info('Scanning all dependencies for available patches');
+    }
+    logger.logger.log('');
+    await outputPatchResult(result, outputKind);
+  } catch (e) {
+    spinner.stop();
+    const result = {
+      ok: false,
+      code: 1,
+      message: 'Failed to apply patches',
+      cause: e?.message || 'Unknown error'
+    };
+    await outputPatchResult(result, outputKind);
+  }
+}
+
+const {
+  DRY_RUN_NOT_SAVING
+} = constants;
+const CMD_NAME$f = 'patch';
+const description$i = 'Apply CVE patches to dependencies';
+const hidden$f = true;
+const cmdPatch = {
+  description: description$i,
+  hidden: hidden$f,
+  run: run$k
+};
+async function run$k(argv, importMeta, {
+  parentName
+}) {
+  const config = {
+    commandName: CMD_NAME$f,
+    description: description$i,
+    hidden: hidden$f,
+    flags: {
+      ...flags.commonFlags,
+      ...flags.outputFlags,
+      package: {
+        type: 'string',
+        default: [],
+        description: 'Specify packages to patch, as either a comma separated value or as multiple flags',
+        isMultiple: true,
+        shortFlag: 'p'
+      }
+    },
+    help: (command, config) => `
+    Usage
+      $ ${command} [options] [CWD=.]
+
+    API Token Requirements
+      ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$f}`)}
+
+    Options
+      ${utils.getFlagListOutput(config.flags)}
+
+    Examples
+      $ ${command}
+      $ ${command} --package lodash
+      $ ${command} ./proj/tree --package lodash,react
+    `
+  };
+  const cli = utils.meowOrExit({
+    allowUnknownFlags: false,
+    argv,
+    config,
+    importMeta,
+    parentName
+  });
+  const dryRun = !!cli.flags['dryRun'];
+  const outputKind = utils.getOutputKind(cli.flags['json'], cli.flags['markdown']);
+  const wasValidInput = utils.checkCommandInput(outputKind, {
+    nook: true,
+    test: !cli.flags['json'] || !cli.flags['markdown'],
+    message: 'The json and markdown flags cannot be both set, pick one',
+    fail: 'omit one'
+  });
+  if (!wasValidInput) {
+    return;
+  }
+  if (dryRun) {
+    logger.logger.log(DRY_RUN_NOT_SAVING);
+    return;
+  }
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
+
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  const packages = Array.isArray(cli.flags['package']) ? cli.flags['package'].flatMap(p => String(p).split(',')) : String(cli.flags['package'] || '').split(',').filter(Boolean);
+  await handlePatch({
+    outputKind,
+    packages,
+    spinner
+  });
+}
+
 async function runRawNpm(argv) {
   const spawnPromise = spawn.spawn(utils.getNpmBinPath(), argv, {
     // Lazily access constants.WIN32.
@@ -12093,7 +12518,7 @@ async function testAndDownloadManifestFile({
   const supportedFilesCResult = await fetchSupportedScanFileNames();
   const supportedFiles = supportedFilesCResult.ok ? supportedFilesCResult.data : undefined;
   if (!supportedFiles || !utils.isReportSupportedFile(file, supportedFiles)) {
-    require$$8.debugFn('notice', '  - skip: not a known pattern');
+    require$$8.debugFn('notice', 'skip: not a known pattern');
     // Not an error.
     return {
       ok: true,
@@ -14934,6 +15359,7 @@ const rootCommands = {
   optimize: cmdOptimize,
   organization: cmdOrganization,
   package: cmdPackage,
+  patch: cmdPatch,
   'raw-npm': cmdRawNpm,
   'raw-npx': cmdRawNpx,
   repository: cmdRepository,
@@ -15103,5 +15529,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=6fac2505-850a-4521-994a-eda179c5047a
+//# debugId=dc11ece4-8083-4322-9e08-9883c0bc7831
 //# sourceMappingURL=cli.js.map