socket 1.1.0 → 1.1.2

package/dist/cli.js

@@ -18,13 +18,14 @@ var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
-var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var shadowNpmBin = require('./shadow-npm-bin.js');
-var require$$10 = require('../external/@socketsecurity/registry/lib/objects');
+var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
 var registry = require('../external/@socketsecurity/registry');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
-var require$$11 = require('../external/@socketsecurity/registry/lib/promises');
+var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
+var regexps = require('../external/@socketsecurity/registry/lib/regexps');
+var require$$0$1 = require('node:crypto');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -923,7 +924,8 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
 
 async function fetchSupportedScanFileNames(options) {
   const {
-    sdkOpts
+    sdkOpts,
+    spinner
   } = {
     __proto__: null,
     ...options
@@ -934,7 +936,8 @@ async function fetchSupportedScanFileNames(options) {
   }
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
-    desc: 'supported scan file types'
+    desc: 'supported scan file types',
+    spinner
   });
 }
 
@@ -2154,7 +2157,12 @@ async function handleCreateNewScan({
     });
     logger.logger.info('Auto-generation finished. Proceeding with Scan creation.');
   }
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const {
+    spinner
+  } = constants;
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     await outputCreateNewScan(supportedFilesCResult, {
       interactive,
@@ -2162,9 +2170,6 @@ async function handleCreateNewScan({
     });
     return;
   }
-  const {
-    spinner
-  } = constants;
   spinner.start('Searching for local files to include in scan...');
   const supportedFiles = supportedFilesCResult.data;
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
@@ -3165,210 +3170,76 @@ const cmdConfig = {
   }
 };
 
-function formatBranchName(name) {
-  return name.replace(/[^-a-zA-Z0-9/._-]+/g, '+');
+const GITHUB_ADVISORIES_URL = 'https://github.com/advisories';
+function getSocketFixBranchName(ghsaId) {
+  return `socket/fix/${ghsaId}`;
 }
-function createSocketBranchParser(options) {
-  const pattern = getSocketBranchPattern(options);
-  return function parse(branch) {
-    const match = pattern.exec(branch);
-    if (!match) {
-      return null;
+function getSocketFixBranchPattern(ghsaId) {
+  return new RegExp(`^socket/fix/(${ghsaId ?? '.+'})$`);
+}
+function getSocketFixCommitMessage(ghsaId, details) {
+  const summary = details?.summary;
+  return `fix: ${ghsaId}${summary ? ` - ${summary}` : ''}`;
+}
+function getSocketFixPullRequestBody(ghsaIds, ghsaDetails) {
+  const vulnCount = ghsaIds.length;
+  if (vulnCount === 1) {
+    const ghsaId = ghsaIds[0];
+    const details = ghsaDetails?.get(ghsaId);
+    const body = `[Socket](${constants.SOCKET_WEBSITE_URL}) fix for [${ghsaId}](${GITHUB_ADVISORIES_URL}/${ghsaId}).`;
+    if (!details) {
+      return body;
     }
-    const {
-      1: type,
-      2: workspace,
-      3: fullName,
-      4: version,
-      5: newVersion
-    } = match;
-    return {
-      fullName,
-      newVersion: vendor.semverExports.coerce(newVersion.replaceAll('+', '.'))?.version,
-      type,
-      workspace,
-      version: vendor.semverExports.coerce(version.replaceAll('+', '.'))?.version
-    };
-  };
+    const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
+    return [body, '', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
+  }
+  return [`[Socket](${constants.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+    const details = ghsaDetails?.get(id);
+    const item = `- [${id}](${GITHUB_ADVISORIES_URL}/${id})`;
+    if (details) {
+      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
+      return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
+    }
+    return item;
+  })].join('\n');
+}
+function getSocketFixPullRequestTitle(ghsaIds) {
+  const vulnCount = ghsaIds.length;
+  return vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
 }
-createSocketBranchParser();
-function getSocketBranchPattern(options) {
+
+async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
   const {
-    newVersion,
-    purl,
-    workspace
+    baseBranch = 'main',
+    ghsaDetails
   } = {
     __proto__: null,
     ...options
   };
-  const purlObj = purl ? utils.getPurlObject(purl) : null;
-  const escType = purlObj ? regexps.escapeRegExp(purlObj.type) : '[^/]+';
-  const escWorkspace = workspace ? `${regexps.escapeRegExp(formatBranchName(workspace))}` : '.+';
-  const escMaybeNamespace = purlObj?.namespace ? `${regexps.escapeRegExp(formatBranchName(purlObj.namespace))}--` : '';
-  const escFullName = purlObj ? `${escMaybeNamespace}${regexps.escapeRegExp(formatBranchName(purlObj.name))}` : '[^/_]+';
-  const escVersion = purlObj ? regexps.escapeRegExp(formatBranchName(purlObj.version)) : '[^_]+';
-  const escNewVersion = newVersion ? regexps.escapeRegExp(formatBranchName(newVersion)) : '[^_]+';
-  return new RegExp(`^socket/(${escType})/(${escWorkspace})/(${escFullName})_(${escVersion})_(${escNewVersion})$`);
-}
-
-let _octokit;
-function getOctokit() {
-  if (_octokit === undefined) {
-    const {
-      SOCKET_CLI_GITHUB_TOKEN
-    } = constants.ENV;
-    if (!SOCKET_CLI_GITHUB_TOKEN) {
-      require$$9.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
-    }
-    const octokitOptions = {
-      auth: SOCKET_CLI_GITHUB_TOKEN,
-      baseUrl: constants.ENV.GITHUB_API_URL
+  const octokit = utils.getOctokit();
+  try {
+    const octokitPullsCreateParams = {
+      owner,
+      repo,
+      title: getSocketFixPullRequestTitle(ghsaIds),
+      head: branch,
+      base: baseBranch,
+      body: getSocketFixPullRequestBody(ghsaIds, ghsaDetails)
     };
     require$$9.debugDir('inspect', {
-      octokitOptions
-    });
-    _octokit = new vendor.Octokit(octokitOptions);
-  }
-  return _octokit;
-}
-let _octokitGraphql;
-function getOctokitGraphql() {
-  if (!_octokitGraphql) {
-    const {
-      SOCKET_CLI_GITHUB_TOKEN
-    } = constants.ENV;
-    if (!SOCKET_CLI_GITHUB_TOKEN) {
-      require$$9.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
-    }
-    _octokitGraphql = vendor.graphql2.defaults({
-      headers: {
-        authorization: `token ${SOCKET_CLI_GITHUB_TOKEN}`
-      }
-    });
-  }
-  return _octokitGraphql;
-}
-async function readCache(key,
-// 5 minute in milliseconds time to live (TTL).
-ttlMs = 5 * 60 * 1000) {
-  const cacheJsonPath = path.join(constants.githubCachePath, `${key}.json`);
-  const stat = fs$2.safeStatsSync(cacheJsonPath);
-  if (stat) {
-    const isExpired = Date.now() - stat.mtimeMs > ttlMs;
-    if (!isExpired) {
-      return await fs$2.readJson(cacheJsonPath);
-    }
-  }
-  return null;
-}
-async function writeCache(key, data) {
-  const {
-    githubCachePath
-  } = constants;
-  const cacheJsonPath = path.join(githubCachePath, `${key}.json`);
-  if (!fs$1.existsSync(githubCachePath)) {
-    await fs$1.promises.mkdir(githubCachePath, {
-      recursive: true
-    });
-  }
-  await fs$2.writeJson(cacheJsonPath, data);
-}
-async function cacheFetch(key, fetcher, ttlMs) {
-  // Optionally disable cache.
-  if (constants.ENV.DISABLE_GITHUB_CACHE) {
-    return await fetcher();
-  }
-  let data = await readCache(key, ttlMs);
-  if (!data) {
-    data = await fetcher();
-    await writeCache(key, data);
-  }
-  return data;
-}
-async function fetchGhsaDetails(ids) {
-  const results = new Map();
-  if (!ids.length) {
-    return results;
-  }
-  const octokitGraphql = getOctokitGraphql();
-  try {
-    const gqlCacheKey = `${ids.join('-')}-graphql-snapshot`;
-    const aliases = ids.map((id, index) => `advisory${index}: securityAdvisory(ghsaId: "${id}") {
-        ghsaId
-        summary
-        severity
-        publishedAt
-        withdrawnAt
-        vulnerabilities(first: 10) {
-          nodes {
-            package {
-              ecosystem
-              name
-            }
-            vulnerableVersionRange
-          }
-        }
-      }`).join('\n');
-    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
-        query {
-          ${aliases}
-        }
-      `));
-    for (let i = 0, {
-        length
-      } = ids; i < length; i += 1) {
-      const id = ids[i];
-      const advisoryKey = `advisory${i}`;
-      const advisory = gqlResp?.[advisoryKey];
-      if (advisory && advisory.ghsaId) {
-        results.set(id, advisory);
-      } else {
-        require$$9.debugFn('notice', `miss: no advisory found for ${id}`);
-      }
-    }
-  } catch (e) {
-    require$$9.debugFn('error', `Failed to fetch GHSA details: ${e?.message || 'Unknown error'}`);
-  }
-  return results;
-}
-async function enablePrAutoMerge({
-  node_id: prId
-}) {
-  const octokitGraphql = getOctokitGraphql();
-  try {
-    const gqlResp = await octokitGraphql(`
-      mutation EnableAutoMerge($pullRequestId: ID!) {
-        enablePullRequestAutoMerge(input: {
-          pullRequestId: $pullRequestId,
-          mergeMethod: SQUASH
-        }) {
-          pullRequest {
-            number
-          }
-        }
-      }`, {
-      pullRequestId: prId
+      octokitPullsCreateParams
     });
-    const respPrNumber = gqlResp?.enablePullRequestAutoMerge?.pullRequest?.number;
-    if (respPrNumber) {
-      return {
-        enabled: true
-      };
-    }
+    return await octokit.pulls.create(octokitPullsCreateParams);
   } catch (e) {
-    if (e instanceof vendor.GraphqlResponseError && Array.isArray(e.errors) && e.errors.length) {
-      const details = e.errors.map(({
-        message: m
-      }) => m.trim());
-      return {
-        enabled: false,
-        details
-      };
+    let message = `Failed to open pull request`;
+    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
+    if (Array.isArray(errors) && errors.length) {
+      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
+      message += `:\n${details}`;
     }
+    require$$9.debugFn('error', message);
   }
-  return {
-    enabled: false
-  };
+  return null;
 }
 async function getSocketPrs(owner, repo, options) {
   return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
@@ -3376,22 +3247,23 @@ async function getSocketPrs(owner, repo, options) {
 async function getSocketPrsWithContext(owner, repo, options) {
   const {
     author,
+    ghsaId,
     states: statesValue = 'all'
   } = {
     __proto__: null,
     ...options
   };
-  const branchPattern = getSocketBranchPattern(options);
+  const branchPattern = getSocketFixBranchPattern(ghsaId);
   const checkAuthor = strings.isNonEmptyString(author);
-  const octokit = getOctokit();
-  const octokitGraphql = getOctokitGraphql();
+  const octokit = utils.getOctokit();
+  const octokitGraphql = utils.getOctokitGraphql();
   const contextualMatches = [];
   const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
     // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
     // API quota usage. Fallback to REST if no matching PRs are found.
     const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
-    const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
+    const gqlResp = await utils.cacheFetch(gqlCacheKey, () => octokitGraphql(`
           query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
             repository(owner: $owner, name: $repo) {
               pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
@@ -3448,7 +3320,7 @@ async function getSocketPrsWithContext(owner, repo, options) {
   let allPrs;
   const cacheKey = `${repo}-pull-requests`;
   try {
-    allPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
+    allPrs = await utils.cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
       owner,
       repo,
       state: 'all',
@@ -3497,83 +3369,6 @@ async function getSocketPrsWithContext(owner, repo, options) {
   }
   return contextualMatches;
 }
-async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
-  const {
-    baseBranch = 'main',
-    ghsaDetails
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const octokit = getOctokit();
-  const vulnCount = ghsaIds.length;
-  const prTitle = vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
-  let prBody = '';
-  if (vulnCount === 1) {
-    const ghsaId = ghsaIds[0];
-    const details = ghsaDetails?.get(ghsaId);
-    prBody = `[Socket](https://socket.dev/) fix for [${ghsaId}](https://github.com/advisories/${ghsaId}).`;
-    if (details) {
-      const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
-      prBody += ['', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
-    }
-  } else {
-    prBody = [`[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
-      const details = ghsaDetails?.get(id);
-      const item = `- [${id}](https://github.com/advisories/${id})`;
-      if (details) {
-        const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
-        return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
-      }
-      return item;
-    })].join('\n');
-  }
-  try {
-    const octokitPullsCreateParams = {
-      owner,
-      repo,
-      title: prTitle,
-      head: branch,
-      base: baseBranch,
-      body: prBody
-    };
-    require$$9.debugDir('inspect', {
-      octokitPullsCreateParams
-    });
-    return await octokit.pulls.create(octokitPullsCreateParams);
-  } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
-    }
-    require$$9.debugFn('error', message);
-  }
-  return null;
-}
-async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
-  const {
-    host
-  } = new URL(constants.ENV.GITHUB_SERVER_URL);
-  const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
-  const stdioIgnoreOptions = {
-    cwd,
-    stdio: require$$9.isDebug('stdio') ? 'inherit' : 'ignore'
-  };
-  const quotedCmd = `\`git remote set-url origin ${url}\``;
-  require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
-  try {
-    await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
-    return true;
-  } catch (e) {
-    require$$9.debugFn('error', `caught: ${quotedCmd} failed`);
-    require$$9.debugDir('inspect', {
-      error: e
-    });
-  }
-  return false;
-}
 
 function ciRepoInfo() {
   const {
@@ -3652,7 +3447,9 @@ async function coanaFix(fixConfig) {
     return sockSdkCResult;
   }
   const sockSdk = sockSdkCResult.data;
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     return supportedFilesCResult;
   }
@@ -3731,7 +3528,7 @@ async function coanaFix(fixConfig) {
     };
   }
   require$$9.debugFn('notice', `fetch: ${ids.length} GHSA details for ${arrays.joinAnd(ids)}`);
-  const ghsaDetails = await fetchGhsaDetails(ids);
+  const ghsaDetails = await utils.fetchGhsaDetails(ids);
   const scanBaseNames = new Set(scanFilepaths.map(p => path.basename(p)));
   require$$9.debugFn('notice', `found: ${ghsaDetails.size} GHSA details`);
   let count = 0;
@@ -3741,18 +3538,18 @@ async function coanaFix(fixConfig) {
   ghsaLoop: for (let i = 0, {
       length
     } = ids; i < length; i += 1) {
-    const id = ids[i];
-    require$$9.debugFn('notice', `check: ${id}`);
+    const ghsaId = ids[i];
+    require$$9.debugFn('notice', `check: ${ghsaId}`);
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', id, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoana(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${id}: ${fixCResult.message || 'Unknown error'}`);
+      logger.logger.error(`Update failed for ${ghsaId}: ${fixCResult.message || 'Unknown error'}`);
       continue ghsaLoop;
     }
 
@@ -3761,11 +3558,11 @@ async function coanaFix(fixConfig) {
     const unstagedCResult = await utils.gitUnstagedModifiedFiles(cwd);
     const modifiedFiles = unstagedCResult.ok ? unstagedCResult.data.filter(relPath => scanBaseNames.has(path.basename(relPath))) : [];
     if (!modifiedFiles.length) {
-      require$$9.debugFn('notice', `skip: no changes for ${id}`);
+      require$$9.debugFn('notice', `skip: no changes for ${ghsaId}`);
       continue ghsaLoop;
     }
     overallFixed = true;
-    const branch = `socket/fix/${id}`;
+    const branch = getSocketFixBranchName(ghsaId);
     try {
       // Check if branch already exists.
       // eslint-disable-next-line no-await-in-loop
@@ -3773,17 +3570,16 @@ async function coanaFix(fixConfig) {
         require$$9.debugFn('notice', `skip: remote branch "${branch}" exists`);
         continue ghsaLoop;
       }
-      require$$9.debugFn('notice', `pr: creating for ${id}`);
-      const details = ghsaDetails.get(id);
-      const summary = details?.summary;
-      require$$9.debugFn('notice', `ghsa: ${id} details ${details ? 'found' : 'missing'}`);
+      require$$9.debugFn('notice', `pr: creating for ${ghsaId}`);
+      const details = ghsaDetails.get(ghsaId);
+      require$$9.debugFn('notice', `ghsa: ${ghsaId} details ${details ? 'found' : 'missing'}`);
       const pushed =
       // eslint-disable-next-line no-await-in-loop
       (await utils.gitCreateBranch(branch, cwd)) && (
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(branch, cwd)) && (
       // eslint-disable-next-line no-await-in-loop
-      await utils.gitCommit(`fix: ${id}${summary ? ` - ${summary}` : ''}`, modifiedFiles, {
+      await utils.gitCommit(getSocketFixCommitMessage(ghsaId, details), modifiedFiles, {
         cwd,
         email: fixEnv.gitEmail,
         user: fixEnv.gitUser
@@ -3791,7 +3587,7 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitPushBranch(branch, cwd));
       if (!pushed) {
-        logger.logger.warn(`Push failed for ${id}, skipping PR creation.`);
+        logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
         // eslint-disable-next-line no-await-in-loop
         await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
         // eslint-disable-next-line no-await-in-loop
@@ -3803,12 +3599,12 @@ async function coanaFix(fixConfig) {
 
       // Set up git remote.
       // eslint-disable-next-line no-await-in-loop
-      await setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
+      await utils.setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
 
       // eslint-disable-next-line no-await-in-loop
-      const prResponse = await openCoanaPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
+      const prResponse = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
       // Single GHSA ID.
-      [id], {
+      [ghsaId], {
         baseBranch: fixEnv.baseBranch,
         cwd,
         ghsaDetails
@@ -3818,7 +3614,7 @@ async function coanaFix(fixConfig) {
           data
         } = prResponse;
         const prRef = `PR #${data.number}`;
-        logger.logger.success(`Opened ${prRef} for ${id}.`);
+        logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
         if (autoMerge) {
           logger.logger.indent();
           spinner?.indent();
@@ -3826,7 +3622,7 @@ async function coanaFix(fixConfig) {
           const {
             details,
             enabled
-          } = await enablePrAutoMerge(data);
+          } = await utils.enablePrAutoMerge(data);
           if (enabled) {
             logger.logger.info(`Auto-merge enabled for ${prRef}.`);
           } else {
@@ -3844,7 +3640,7 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
-      logger.logger.warn(`Unexpected condition: Push failed for ${id}, skipping PR creation.`);
+      logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
       require$$9.debugDir('inspect', {
         error: e
       });
@@ -3921,69 +3717,27 @@ const cmdFix = {
   hidden: hidden$q,
   run: run$I
 };
-async function run$I(argv, importMeta, {
-  parentName
-}) {
-  const config = {
-    commandName: CMD_NAME$r,
-    description: description$x,
-    hidden: hidden$q,
-    flags: {
-      ...flags.commonFlags,
-      ...flags.outputFlags,
-      autoMerge: {
-        type: 'boolean',
-        default: false,
-        description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
-      },
-      autopilot: {
-        type: 'boolean',
-        default: false,
-        description: `Shorthand for --auto-merge --test`,
-        hidden: true
-      },
-      ghsa: {
-        type: 'string',
-        default: [],
-        description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags.\nUse '--ghsa all' to lookup all GHSA IDs and compute fixes for them.`,
-        isMultiple: true,
-        hidden: true
-      },
-      limit: {
-        type: 'number',
-        default: DEFAULT_LIMIT,
-        description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
-      },
-      maxSatisfying: {
-        type: 'boolean',
-        default: true,
-        description: 'Use the maximum satisfying version for dependency updates',
-        hidden: true
-      },
-      minSatisfying: {
-        type: 'boolean',
-        default: false,
-        description: 'Constrain dependency updates to the minimum satisfying version',
-        hidden: true
-      },
-      prCheck: {
-        type: 'boolean',
-        default: true,
-        description: 'Check for an existing PR before attempting a fix',
-        hidden: true
-      },
-      purl: {
-        type: 'string',
-        default: [],
-        description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\nmultiple flags, instead of querying the Socket API`,
-        isMultiple: true,
-        shortFlag: 'p',
-        hidden: true
-      },
-      rangeStyle: {
-        type: 'string',
-        default: 'preserve',
-        description: `
+const generalFlags$2 = {
+  autoMerge: {
+    type: 'boolean',
+    default: false,
+    description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
+  },
+  id: {
+    type: 'string',
+    default: [],
+    description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+    isMultiple: true
+  },
+  limit: {
+    type: 'number',
+    default: DEFAULT_LIMIT,
+    description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
+  },
+  rangeStyle: {
+    type: 'string',
+    default: 'preserve',
+    description: `
 Define how dependency version ranges are updated in package.json (default 'preserve').
 Available styles:
   * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
@@ -3995,17 +3749,70 @@ Available styles:
   * preserve - Retain the existing version range style as-is
   * tilde - Use ~ range for patch/minor updates (e.g. ~1.2.3)
       `.trim()
-      },
-      test: {
-        type: 'boolean',
-        default: false,
-        description: 'Verify the fix by running unit tests'
-      },
-      testScript: {
-        type: 'string',
-        default: 'test',
-        description: "The test script to run for fix attempts (default 'test')"
-      }
+  }
+};
+const hiddenFlags = {
+  autopilot: {
+    type: 'boolean',
+    default: false,
+    description: `Shorthand for --auto-merge --test`,
+    hidden: true
+  },
+  ghsa: {
+    ...generalFlags$2['id'],
+    hidden: true
+  },
+  maxSatisfying: {
+    type: 'boolean',
+    default: true,
+    description: 'Use the maximum satisfying version for dependency updates',
+    hidden: true
+  },
+  minSatisfying: {
+    type: 'boolean',
+    default: false,
+    description: 'Constrain dependency updates to the minimum satisfying version',
+    hidden: true
+  },
+  prCheck: {
+    type: 'boolean',
+    default: true,
+    description: 'Check for an existing PR before attempting a fix',
+    hidden: true
+  },
+  purl: {
+    type: 'string',
+    default: [],
+    description: `Provide a list of ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl')} to compute fixes for, as either a comma separated value or as\nmultiple flags, instead of querying the Socket API`,
+    isMultiple: true,
+    shortFlag: 'p',
+    hidden: true
+  },
+  test: {
+    type: 'boolean',
+    default: false,
+    description: 'Verify the fix by running unit tests',
+    hidden: true
+  },
+  testScript: {
+    type: 'string',
+    default: 'test',
+    description: "The test script to run for fix attempts (default 'test')",
+    hidden: true
+  }
+};
+async function run$I(argv, importMeta, {
+  parentName
+}) {
+  const config = {
+    commandName: CMD_NAME$r,
+    description: description$x,
+    hidden: hidden$q,
+    flags: {
+      ...flags.commonFlags,
+      ...flags.outputFlags,
+      ...generalFlags$2,
+      ...hiddenFlags
     },
     help: (command, config) => `
     Usage
@@ -4093,7 +3900,7 @@ Available styles:
   // We patched in this feature with `npx custompatch meow` at
   // socket-cli/patches/meow#13.2.0.patch.
   const unknownFlags = cli.unknownFlags ?? [];
-  const ghsas = utils.cmdFlagValueToArray(cli.flags['ghsa']);
+  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa'])]);
   const limit = Number(cli.flags['limit']) || DEFAULT_LIMIT;
   const maxSatisfying = Boolean(cli.flags['maxSatisfying']);
   const minSatisfying = Boolean(cli.flags['minSatisfying']) || !maxSatisfying;
@@ -6847,8 +6654,8 @@ function updatePkgJsonField(editablePkgJson, field, value) {
   if (oldValue) {
     // The field already exists so we simply update the field value.
     if (field === PNPM) {
-      const isPnpmObj = require$$10.isObject(oldValue);
-      if (require$$10.hasKeys(value)) {
+      const isPnpmObj = require$$11.isObject(oldValue);
+      if (require$$11.hasKeys(value)) {
         editablePkgJson.update({
           [field]: {
             ...(isPnpmObj ? oldValue : {}),
@@ -6860,7 +6667,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
         });
       } else {
         // Properties with undefined values are deleted when saved as JSON.
-        editablePkgJson.update(require$$10.hasKeys(oldValue) ? {
+        editablePkgJson.update(require$$11.hasKeys(oldValue) ? {
           [field]: {
             ...(isPnpmObj ? oldValue : {}),
             overrides: undefined
@@ -6872,7 +6679,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     } else if (field === OVERRIDES || field === RESOLUTIONS) {
       // Properties with undefined values are deleted when saved as JSON.
       editablePkgJson.update({
-        [field]: require$$10.hasKeys(value) ? value : undefined
+        [field]: require$$11.hasKeys(value) ? value : undefined
       });
     } else {
       editablePkgJson.update({
@@ -6881,7 +6688,7 @@ function updatePkgJsonField(editablePkgJson, field, value) {
     }
     return;
   }
-  if ((field === OVERRIDES || field === PNPM || field === RESOLUTIONS) && !require$$10.hasKeys(value)) {
+  if ((field === OVERRIDES || field === PNPM || field === RESOLUTIONS) && !require$$11.hasKeys(value)) {
     return;
   }
   // Since the field doesn't exist we want to insert it into the package.json
@@ -7013,7 +6820,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   let loggedAddingText = false;
 
   // Chunk package names to process them in parallel 3 at a time.
-  await require$$11.pEach(manifestEntries, async ({
+  await require$$12.pEach(manifestEntries, async ({
     1: data
   }) => {
     const {
@@ -7027,11 +6834,11 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
     for (const {
       1: depObj
     } of depEntries) {
-      const sockSpec = require$$10.hasOwn(depObj, sockRegPkgName) ? depObj[sockRegPkgName] : undefined;
+      const sockSpec = require$$11.hasOwn(depObj, sockRegPkgName) ? depObj[sockRegPkgName] : undefined;
       if (sockSpec) {
         depAliasMap.set(sockRegPkgName, sockSpec);
       }
-      const origSpec = require$$10.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
+      const origSpec = require$$11.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
       if (origSpec) {
         let thisSpec = origSpec;
         // Add package aliases for direct dependencies to avoid npm EOVERRIDE
@@ -7067,11 +6874,11 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         npmExecPath
       });
       // Chunk package names to process them in parallel 3 at a time.
-      await require$$11.pEach(overridesDataObjects, async ({
+      await require$$12.pEach(overridesDataObjects, async ({
         overrides,
         type
       }) => {
-        const overrideExists = require$$10.hasOwn(overrides, origPkgName);
+        const overrideExists = require$$11.hasOwn(overrides, origPkgName);
         if (overrideExists || thingScanner(pkgEnvDetails, thingToScan, origPkgName, lockName)) {
           const oldSpec = overrideExists ? overrides[origPkgName] : undefined;
           const origDepAlias = depAliasMap.get(origPkgName);
@@ -7125,7 +6932,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
   });
   if (isWorkspace) {
     // Chunk package names to process them in parallel 3 at a time.
-    await require$$11.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
+    await require$$12.pEach(workspacePkgJsonPaths, async workspacePkgJsonPath => {
       const otherState = await addOverrides(pkgEnvDetails, path.dirname(workspacePkgJsonPath), {
         logger,
         pin,
@@ -7148,7 +6955,7 @@ async function addOverrides(pkgEnvDetails, pkgPath, options) {
         overrides,
         type
       } of overridesDataObjects) {
-        updateManifest(type, pkgEnvDetails.editablePkgJson, require$$10.toSortedObject(overrides));
+        updateManifest(type, pkgEnvDetails.editablePkgJson, require$$11.toSortedObject(overrides));
       }
     }
     await pkgEnvDetails.editablePkgJson.save();
@@ -8866,6 +8673,30 @@ const cmdPackage = {
   }
 };
 
+const PatchRecordSchema = vendor.object({
+  exportedAt: vendor.string(),
+  files: vendor.record(vendor.string(),
+  // File path
+  vendor.object({
+    beforeHash: vendor.string(),
+    afterHash: vendor.string()
+  })),
+  vulnerabilities: vendor.record(vendor.string(),
+  // Vulnerability ID like "GHSA-jrhj-2j3q-xf3v"
+  vendor.object({
+    cves: vendor.array(vendor.string()),
+    summary: vendor.string(),
+    severity: vendor.string(),
+    description: vendor.string(),
+    patchExplanation: vendor.string()
+  }))
+});
+const PatchManifestSchema = vendor.object({
+  patches: vendor.record(
+  // Package identifier like "npm:simplehttpserver@0.0.6".
+  vendor.string(), PatchRecordSchema)
+});
+
 async function outputPatchResult(result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -8893,21 +8724,220 @@ async function outputPatchResult(result, outputKind) {
   logger.logger.success('Patch command completed!');
 }
 
+async function applyNPMPatches(patches, dryRun, socketDir, packages) {
+  const patchLookup = new Map();
+  for (const patchInfo of patches) {
+    const {
+      purl
+    } = patchInfo;
+    const fullName = purl.namespace ? `@${purl.namespace}/${purl.name}` : purl.name;
+    const lookupKey = `${fullName}@${purl.version}`;
+    patchLookup.set(lookupKey, patchInfo);
+  }
+  const nodeModulesFolders = await findNodeModulesFolders(process.cwd());
+  logger.logger.log(`Found ${nodeModulesFolders.length} node_modules folders`);
+  for (const nodeModulesPath of nodeModulesFolders) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      const entries = await fs$1.promises.readdir(nodeModulesPath);
+      for (const entry of entries) {
+        const entryPath = path.join(nodeModulesPath, entry);
+        if (entry.startsWith('@')) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            const scopedEntries = await fs$1.promises.readdir(entryPath);
+            for (const scopedEntry of scopedEntries) {
+              const packagePath = path.join(entryPath, scopedEntry);
+              // eslint-disable-next-line no-await-in-loop
+              const pkg = await readPackageJson(packagePath);
+              if (pkg) {
+                // Skip if specific packages requested and this isn't one of them
+                if (packages.length > 0 && !packages.includes(pkg.name)) {
+                  continue;
+                }
+                const lookupKey = `${pkg.name}@${pkg.version}`;
+                const patchInfo = patchLookup.get(lookupKey);
+                if (patchInfo) {
+                  logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${packagePath}`);
+                  logger.logger.log(`  Patch key: ${patchInfo.key}`);
+                  logger.logger.log(`  Processing files:`);
+                  for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
+                    // eslint-disable-next-line no-await-in-loop
+                    await processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir);
+                  }
+                }
+              }
+            }
+          } catch {
+            // Ignore errors reading scoped packages
+          }
+        } else {
+          // eslint-disable-next-line no-await-in-loop
+          const pkg = await readPackageJson(entryPath);
+          if (pkg) {
+            // Skip if specific packages requested and this isn't one of them
+            if (packages.length > 0 && !packages.includes(pkg.name)) {
+              continue;
+            }
+            const lookupKey = `${pkg.name}@${pkg.version}`;
+            const patchInfo = patchLookup.get(lookupKey);
+            if (patchInfo) {
+              logger.logger.log(`Found match: ${pkg.name}@${pkg.version} at ${entryPath}`);
+              logger.logger.log(`  Patch key: ${patchInfo.key}`);
+              logger.logger.log(`  Processing files:`);
+              for (const [fileName, fileInfo] of Object.entries(patchInfo.patch.files)) {
+                // eslint-disable-next-line no-await-in-loop
+                await processFilePatch(entryPath, fileName, fileInfo, dryRun, socketDir);
+              }
+            }
+          }
+        }
+      }
+    } catch (error) {
+      logger.logger.error(`Error processing ${nodeModulesPath}:`, error);
+    }
+  }
+}
+async function computeSHA256(filePath) {
+  try {
+    const content = await fs$1.promises.readFile(filePath);
+    const hash = require$$0$1.createHash('sha256');
+    hash.update(content);
+    return hash.digest('hex');
+  } catch {
+    return null;
+  }
+}
+async function findNodeModulesFolders(rootDir) {
+  const nodeModulesPaths = [];
+  async function searchDir(dir) {
+    try {
+      const entries = await fs$1.promises.readdir(dir);
+      for (const entry of entries) {
+        if (entry.startsWith('.') || entry === 'dist' || entry === 'build') {
+          continue;
+        }
+        const fullPath = path.join(dir, entry);
+        // eslint-disable-next-line no-await-in-loop
+        const stats = await fs$1.promises.stat(fullPath);
+        if (stats.isDirectory()) {
+          if (entry === 'node_modules') {
+            nodeModulesPaths.push(fullPath);
+          } else {
+            // eslint-disable-next-line no-await-in-loop
+            await searchDir(fullPath);
+          }
+        }
+      }
+    } catch (error) {
+      // Ignore permission errors or missing directories
+    }
+  }
+  await searchDir(rootDir);
+  return nodeModulesPaths;
+}
+function parsePURL(purlString) {
+  const [ecosystem, rest] = purlString.split(':', 2);
+  const [nameAndNamespace, version] = (rest ?? '').split('@', 2);
+  let namespace;
+  let name;
+  if (ecosystem === 'npm' && nameAndNamespace?.startsWith('@')) {
+    const parts = nameAndNamespace.split('/');
+    namespace = parts[0]?.substring(1);
+    name = parts.slice(1).join('/');
+  } else {
+    name = nameAndNamespace ?? '';
+  }
+  return {
+    type: ecosystem ?? 'unknown',
+    namespace: namespace ?? '',
+    name: name ?? '',
+    version: version ?? '0.0.0'
+  };
+}
+async function processFilePatch(packagePath, fileName, fileInfo, dryRun, socketDir) {
+  const filePath = path.join(packagePath, fileName);
+  if (!fs$1.existsSync(filePath)) {
+    logger.logger.log(`File not found: ${fileName}`);
+    return;
+  }
+  const currentHash = await computeSHA256(filePath);
+  if (!currentHash) {
+    logger.logger.log(`Failed to compute hash for: ${fileName}`);
+    return;
+  }
+  if (currentHash === fileInfo.beforeHash) {
+    logger.logger.success(`File matches expected hash: ${fileName}`);
+    logger.logger.log(`Current hash: ${currentHash}`);
+    logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
+    {
+      const blobPath = path.join(socketDir, 'blobs', fileInfo.afterHash);
+      if (!fs$1.existsSync(blobPath)) {
+        logger.logger.fail(`Error: Patch file not found at ${blobPath}`);
+        return;
+      }
+      try {
+        await fs$1.promises.copyFile(blobPath, filePath);
+        logger.logger.success(`Patch applied successfully`);
+      } catch (error) {
+        logger.logger.log(`Error applying patch: ${error}`);
+      }
+    }
+  } else if (currentHash === fileInfo.afterHash) {
+    logger.logger.success(`File already patched: ${fileName}`);
+    logger.logger.log(`Current hash: ${currentHash}`);
+  } else {
+    logger.logger.fail(`File hash mismatch: ${fileName}`);
+    logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
+    logger.logger.log(`Current:  ${currentHash}`);
+    logger.logger.log(`Target:   ${fileInfo.afterHash}`);
+  }
+}
+async function readPackageJson(packagePath) {
+  const pkgJsonPath = path.join(packagePath, 'package.json');
+  const pkg = await fs$2.readJson(pkgJsonPath, {
+    throws: false
+  });
+  if (pkg) {
+    return {
+      name: pkg.name || '',
+      version: pkg.version || ''
+    };
+  }
+  return null;
+}
 async function handlePatch({
+  cwd,
   outputKind,
   packages,
   spinner
 }) {
-  spinner.start('Analyzing dependencies for security patches...');
+  const dryRun = false; // TODO: Add dryRun support via config
+
   try {
-    // TODO: Implement actual patch logic
-    // This is a stub implementation
-    const result = {
-      ok: true,
-      data: {
-        patchedPackages: packages.length > 0 ? packages : ['example-package']
+    const dotSocketDirPath = path.join(cwd, '.socket');
+    const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
+
+    // Read the manifest file
+    const manifestContent = await fs$1.promises.readFile(manifestPath, 'utf-8');
+    const manifestData = JSON.parse(manifestContent);
+
+    // Validate the schema
+    const validated = PatchManifestSchema.parse(manifestData);
+
+    // Parse PURLs and group by ecosystem
+    const patchesByEcosystem = {};
+    for (const [key, patch] of Object.entries(validated.patches)) {
+      const purl = parsePURL(key);
+      if (!patchesByEcosystem[purl.type]) {
+        patchesByEcosystem[purl.type] = [];
       }
-    };
+      patchesByEcosystem[purl.type]?.push({
+        key,
+        purl,
+        patch
+      });
+    }
     spinner.stop();
     logger.logger.log('');
     if (packages.length > 0) {
@@ -8916,14 +8946,32 @@ async function handlePatch({
       logger.logger.info('Scanning all dependencies for available patches');
     }
     logger.logger.log('');
+    if (patchesByEcosystem['npm']) {
+      await applyNPMPatches(patchesByEcosystem['npm'], dryRun, dotSocketDirPath, packages);
+    }
+    const result = {
+      ok: true,
+      data: {
+        patchedPackages: packages.length > 0 ? packages : ['patched successfully']
+      }
+    };
     await outputPatchResult(result, outputKind);
   } catch (e) {
     spinner.stop();
+    let message = 'Failed to apply patches';
+    let cause = e?.message || 'Unknown error';
+    if (e instanceof SyntaxError) {
+      message = 'Invalid JSON in manifest.json';
+      cause = e.message;
+    } else if (e instanceof Error && 'issues' in e) {
+      message = 'Schema validation failed';
+      cause = String(e);
+    }
     const result = {
       ok: false,
       code: 1,
-      message: 'Failed to apply patches',
-      cause: e?.message || 'Unknown error'
+      message,
+      cause
     };
     await outputPatchResult(result, outputKind);
   }
@@ -8997,11 +9045,21 @@ async function run$k(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
+  const dotSocketDirPath = path.join(cwd, '.socket');
+  if (!fs$1.existsSync(dotSocketDirPath)) {
+    logger.logger.error('Error: No .socket directory found in current directory');
+    return;
+  }
+  const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
+  if (!fs$1.existsSync(manifestPath)) {
+    logger.logger.error('Error: No manifest.json found in .socket directory');
+  }
   const {
     spinner
   } = constants;
-  const packages = Array.isArray(cli.flags['package']) ? cli.flags['package'].flatMap(p => String(p).split(',')) : String(cli.flags['package'] || '').split(',').filter(Boolean);
+  const packages = utils.cmdFlagValueToArray(cli.flags['package']);
   await handlePatch({
+    cwd,
     outputKind,
     packages,
     spinner
@@ -12266,8 +12324,14 @@ async function handleScanReach({
   reachabilityOptions,
   targets
 }) {
+  const {
+    spinner
+  } = constants;
+
   // Get supported file names
-  const supportedFilesCResult = await fetchSupportedScanFileNames();
+  const supportedFilesCResult = await fetchSupportedScanFileNames({
+    spinner
+  });
   if (!supportedFilesCResult.ok) {
     await outputScanReach(supportedFilesCResult, {
       cwd,
@@ -12275,9 +12339,6 @@ async function handleScanReach({
     });
     return;
   }
-  const {
-    spinner
-  } = constants;
   spinner.start('Searching for local manifest files to include in reachability analysis...');
   const supportedFiles = supportedFilesCResult.data;
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
@@ -14203,5 +14264,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=2d71faa1-844b-480a-a713-c572fd14e2f4
+//# debugId=41b305c0-5c97-4685-a7f1-88a4cbb5e41c
 //# sourceMappingURL=cli.js.map