socket 1.1.19 → 1.1.21

package/dist/cli.js

@@ -95,7 +95,7 @@ async function outputAnalytics(result, {
       try {
         await fs.writeFile(filepath, serialized, 'utf8');
         utils.debugFileOp('write', filepath);
-        logger.logger.success(`Data successfully written to ${filepath}`);
+        logger.logger.success(`Data successfully written to ${utils.fileLink(filepath)}`);
       } catch (e) {
         utils.debugFileOp('write', filepath, e);
         process.exitCode = 1;
@@ -119,7 +119,7 @@ async function outputAnalytics(result, {
       try {
         await fs.writeFile(filepath, serialized, 'utf8');
         utils.debugFileOp('write', filepath);
-        logger.logger.success(`Data successfully written to ${filepath}`);
+        logger.logger.success(`Data successfully written to ${utils.fileLink(filepath)}`);
       } catch (e) {
         utils.debugFileOp('write', filepath, e);
         logger.logger.error(e);
@@ -376,8 +376,8 @@ async function run$S(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
 
   // Supported inputs:
@@ -418,7 +418,7 @@ async function run$S(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -793,7 +793,7 @@ async function run$R(argv, importMeta, {
       ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$x}`)}
 
     This feature requires an Enterprise Plan. To learn more about getting access
-    to this feature and many more, please visit ${constants.default.SOCKET_WEBSITE_URL}/pricing
+    to this feature and many more, please visit the ${utils.webLink(`${constants.default.SOCKET_WEBSITE_URL}/pricing`, 'Socket pricing page')}.
 
     The type FILTER arg is an enum. Defaults to any. It should be one of these:
       associateLabel, cancelInvitation, changeMemberRole, changePlanSubscriptionSeats,
@@ -818,8 +818,8 @@ async function run$R(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     interactive,
@@ -841,7 +841,7 @@ async function run$R(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -1574,7 +1574,7 @@ async function performReachabilityAnalysis(options) {
     return {
       ok: false,
       message: 'Tier 1 Reachability analysis requires an enterprise plan',
-      cause: `Please ${vendor.terminalLinkExports('upgrade your plan', `${constants.SOCKET_WEBSITE_URL}/pricing`)}. This feature is only available for organizations with an enterprise plan.`
+      cause: `Please ${utils.socketDevLink('upgrade your plan', '/pricing')}. This feature is only available for organizations with an enterprise plan.`
     };
   }
   const wasSpinning = !!spinner?.isSpinning;
@@ -2214,7 +2214,7 @@ async function handleCreateNewScan({
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: packagePaths.length > 0,
-    fail: `found no eligible files to scan. See supported manifest files at ${vendor.terminalLinkExports('docs.socket.dev', 'https://docs.socket.dev/docs/manifest-file-detection-in-socket')}`,
+    fail: `found no eligible files to scan. See supported manifest files at ${utils.socketDocsLink('/docs/manifest-file-detection-in-socket', 'docs.socket.dev')}`,
     message: 'TARGET (file/dir) must contain matching / supported file types for a scan'
   });
   if (!wasValidInput) {
@@ -2422,8 +2422,8 @@ async function run$Q(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$k,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -2596,7 +2596,7 @@ async function outputConfigAuto(key, result, outputKind) {
     }
     logger.logger.log(`- ${key}: ${result.data}`);
     logger.logger.log('');
-    if (utils.isReadOnlyConfig()) {
+    if (utils.isConfigFromFlag()) {
       logger.logger.log('(Unable to persist this value because the config is in read-only mode, meaning it was overridden through env or flag.)');
     } else if (key === 'defaultOrg') {
       const proceed = await prompts.select({
@@ -2744,7 +2744,7 @@ async function outputConfigGet(key, result, outputKind) {
     logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
     return;
   }
-  const readOnly = utils.isReadOnlyConfig();
+  const readOnly = utils.isConfigFromFlag();
   if (outputKind === 'markdown') {
     logger.logger.log(`# Config Value`);
     logger.logger.log('');
@@ -2847,7 +2847,7 @@ async function outputConfigList({
   full,
   outputKind
 }) {
-  const readOnly = utils.isReadOnlyConfig();
+  const readOnly = utils.isConfigFromFlag();
   const supportedConfigKeys = utils.getSupportedConfigKeys();
   if (outputKind === 'json') {
     let failed = false;
@@ -3235,16 +3235,18 @@ const cmdConfig = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      auto: cmdConfigAuto,
-      get: cmdConfigGet,
-      list: cmdConfigList,
-      set: cmdConfigSet,
-      unset: cmdConfigUnset
-    }, {
       argv,
-      description: description$A,
+      name: `${parentName} config`,
       importMeta,
-      name: `${parentName} config`
+      subcommands: {
+        auto: cmdConfigAuto,
+        get: cmdConfigGet,
+        list: cmdConfigList,
+        set: cmdConfigSet,
+        unset: cmdConfigUnset
+      }
+    }, {
+      description: description$A
     });
   }
 };
@@ -4088,11 +4090,12 @@ async function run$K(argv, importMeta, {
     `
   };
   const cli = utils.meowOrExit({
-    allowUnknownFlags: false,
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
+  }, {
+    allowUnknownFlags: false
   });
   const {
     autopilot,
@@ -4323,8 +4326,8 @@ async function run$J(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$h,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -4343,18 +4346,20 @@ const cmdInstall = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      completion: cmdInstallCompletion
-    }, {
       argv,
-      description: description$y,
+      name: `${parentName} install`,
       importMeta,
-      name: `${parentName} install`
+      subcommands: {
+        completion: cmdInstallCompletion
+      }
+    }, {
+      description: description$y
     });
   }
 };
 
 async function outputCmdJson(cwd) {
-  logger.logger.info('Target cwd:', constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(cwd));
+  logger.logger.info('Target cwd:', constants.default.ENV.VITEST ? constants.REDACTED : utils.tildify(cwd));
   const sockJsonPath = path.join(cwd, constants.SOCKET_JSON);
   const tildeSockJsonPath = constants.default.ENV.VITEST ? '<redacted>' : utils.tildify(sockJsonPath);
   if (!fs$1.existsSync(sockJsonPath)) {
@@ -4406,8 +4411,8 @@ async function run$I(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$g,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   let [cwd = '.'] = cli.input;
   // Note: path.resolve vs .join:
@@ -4427,7 +4432,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   apiBaseUrl ??= utils.getConfigValueOrUndef(constants.CONFIG_KEY_API_BASE_URL) ?? undefined;
   apiProxy ??= utils.getConfigValueOrUndef(constants.CONFIG_KEY_API_PROXY) ?? undefined;
   const apiTokenInput = await prompts.password({
-    message: `Enter your ${vendor.terminalLinkExports('Socket.dev API token', 'https://docs.socket.dev/docs/api-keys')} (leave blank to use a limited public token)`
+    message: `Enter your ${utils.socketDocsLink('/docs/api-keys', 'Socket.dev API token')} (leave blank to use a limited public token)`
   });
   if (apiTokenInput === undefined) {
     logger.logger.fail('Canceled by user');
@@ -4544,7 +4549,7 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   try {
     applyLogin(apiToken, enforcedOrgs, apiBaseUrl, apiProxy);
     logger.logger.success(`API credentials ${previousPersistedToken === apiToken ? 'refreshed' : previousPersistedToken ? 'updated' : 'set'}`);
-    if (utils.isReadOnlyConfig()) {
+    if (utils.isConfigFromFlag()) {
       logger.logger.log('');
       logger.logger.warn('Note: config is in read-only mode, at least one key was overridden through flag/env, so the login was not persisted!');
     }
@@ -4602,8 +4607,8 @@ async function run$H(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -4631,7 +4636,7 @@ function attemptLogout() {
   try {
     applyLogout();
     logger.logger.success('Successfully logged out');
-    if (utils.isReadOnlyConfig()) {
+    if (utils.isConfigFromFlag()) {
       logger.logger.log('');
       logger.logger.warn('Note: config is in read-only mode, at least one key was overridden through flag/env, so the logout was not persisted!');
     }
@@ -4685,7 +4690,7 @@ const {
   YARN_LOCK
 } = constants.default;
 const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', constants.NPM, constants.PNPM, 'ts', 'tsx', 'typescript']);
-function argvToArray(argvObj) {
+function argvObjectToArray(argvObj) {
   if (argvObj['help']) {
     return [constants.FLAG_HELP];
   }
@@ -4733,7 +4738,7 @@ async function runCdxgen(argvObj) {
     stdio: 'inherit'
   };
 
-  // Detect package manager based on lockfiles
+  // Detect package manager based on lockfiles.
   const pnpmLockPath = await utils.findUp(PNPM_LOCK_YAML, {
     onlyFiles: true
   });
@@ -4745,7 +4750,7 @@ async function runCdxgen(argvObj) {
   });
   const agent = pnpmLockPath ? constants.PNPM : yarnLockPath && utils.isYarnBerry() ? constants.YARN : constants.NPM;
   let cleanupPackageLock = false;
-  if (argvMutable['type'] !== constants.YARN && nodejsPlatformTypes.has(argvMutable['type']) && yarnLockPath) {
+  if (yarnLockPath && argvMutable['type'] !== constants.YARN && nodejsPlatformTypes.has(argvMutable['type'])) {
     if (npmLockPath) {
       argvMutable['type'] = constants.NPM;
     } else {
@@ -4763,8 +4768,8 @@ async function runCdxgen(argvObj) {
     }
   }
 
-  // Use appropriate package manager for cdxgen
-  const shadowResult = await utils.spawnCdxgenDlx(argvToArray(argvMutable), {
+  // Use appropriate package manager for cdxgen.
+  const shadowResult = await utils.spawnCdxgenDlx(argvObjectToArray(argvMutable), {
     ...shadowOpts,
     agent
   });
@@ -6303,15 +6308,19 @@ async function run$y(argv, importMeta, {
   parentName
 }) {
   await utils.meowWithSubcommands({
-    auto: cmdManifestAuto,
-    cdxgen: cmdManifestCdxgen,
-    conda: cmdManifestConda,
-    gradle: cmdManifestGradle,
-    kotlin: cmdManifestKotlin,
-    scala: cmdManifestScala,
-    setup: cmdManifestSetup
-  }, {
     argv,
+    name: `${parentName} ${config$7.commandName}`,
+    importMeta,
+    subcommands: {
+      auto: cmdManifestAuto,
+      cdxgen: cmdManifestCdxgen,
+      conda: cmdManifestConda,
+      gradle: cmdManifestGradle,
+      kotlin: cmdManifestKotlin,
+      scala: cmdManifestScala,
+      setup: cmdManifestSetup
+    }
+  }, {
     aliases: {
       yolo: {
         description: config$7.description,
@@ -6320,9 +6329,7 @@ async function run$y(argv, importMeta, {
       }
     },
     description: config$7.description,
-    importMeta,
-    flags: config$7.flags,
-    name: `${parentName} ${config$7.commandName}`
+    flags: config$7.flags
   });
 }
 
@@ -6443,8 +6450,8 @@ async function run$w(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -6502,8 +6509,8 @@ async function run$v(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$6,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -6785,6 +6792,9 @@ async function npmQuery(npmExecPath, cwd) {
   try {
     stdout = (await spawn.spawn(npmExecPath, ['query', ':not(.dev)'], {
       cwd,
+      // On Windows, npm is often a .cmd file that requires shell execution.
+      // The spawn function from @socketsecurity/registry will handle this properly
+      // when shell is true.
       shell: constants.default.WIN32
     })).stdout;
   } catch {}
@@ -6802,6 +6812,9 @@ async function lsBun(pkgEnvDetails, options) {
     // https://github.com/oven-sh/bun/issues/8283
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['pm', 'ls', '--all'], {
       cwd,
+      // On Windows, bun is often a .cmd file that requires shell execution.
+      // The spawn function from @socketsecurity/registry will handle this properly
+      // when shell is true.
       shell: constants.default.WIN32
     })).stdout;
   } catch {}
@@ -6837,6 +6850,9 @@ async function lsPnpm(pkgEnvDetails, options) {
     // https://en.wiktionary.org/wiki/parsable
     ['ls', '--parseable', constants.FLAG_PROD, '--depth', 'Infinity'], {
       cwd,
+      // On Windows, pnpm is often a .cmd file that requires shell execution.
+      // The spawn function from @socketsecurity/registry will handle this properly
+      // when shell is true.
       shell: constants.default.WIN32
     })).stdout;
   } catch {}
@@ -6854,6 +6870,9 @@ async function lsVlt(pkgEnvDetails, options) {
     // See https://docs.vlt.sh/cli/commands/list#options.
     stdout = (await spawn.spawn(pkgEnvDetails.agentExecPath, ['ls', '--view', 'human', ':not(.dev)'], {
       cwd,
+      // On Windows, pnpm is often a .cmd file that requires shell execution.
+      // The spawn function from @socketsecurity/registry will handle this properly
+      // when shell is true.
       shell: constants.default.WIN32
     })).stdout;
   } catch {}
@@ -6871,6 +6890,9 @@ async function lsYarnBerry(pkgEnvDetails, options) {
     // https://github.com/yarnpkg/berry/issues/5117
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['info', '--recursive', '--name-only'], {
       cwd,
+      // On Windows, yarn is often a .cmd file that requires shell execution.
+      // The spawn function from @socketsecurity/registry will handle this properly
+      // when shell is true.
       shell: constants.default.WIN32
     })).stdout;
   } catch {}
@@ -6890,6 +6912,9 @@ async function lsYarnClassic(pkgEnvDetails, options) {
     //   environment is production
     return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['list', constants.FLAG_PROD], {
       cwd,
+      // On Windows, yarn is often a .cmd file that requires shell execution.
+      // The spawn function from @socketsecurity/registry will handle this properly
+      // when shell is true.
       shell: constants.default.WIN32
     })).stdout;
   } catch {}
@@ -7387,6 +7412,7 @@ async function handleOptimize({
     prod
   });
   if (!pkgEnvCResult.ok) {
+    process.exitCode = pkgEnvCResult.code ?? 1;
     require$$9.debugFn('warn', 'Package environment validation failed');
     require$$9.debugDir('inspect', {
       pkgEnvCResult
@@ -7396,6 +7422,7 @@ async function handleOptimize({
   }
   const pkgEnvDetails = pkgEnvCResult.data;
   if (!pkgEnvDetails) {
+    process.exitCode = 1;
     require$$9.debugFn('warn', 'No package environment details found');
     await outputOptimizeResult({
       ok: false,
@@ -7413,6 +7440,7 @@ async function handleOptimize({
     agentVersion
   } = pkgEnvDetails;
   if (agent === VLT) {
+    process.exitCode = 1;
     require$$9.debugFn('warn', `${agent} does not support overrides`);
     await outputOptimizeResult({
       ok: false,
@@ -7427,6 +7455,9 @@ async function handleOptimize({
     pin,
     prod
   });
+  if (!optimizationResult.ok) {
+    process.exitCode = optimizationResult.code ?? 1;
+  }
   require$$9.debugFn('notice', `Optimization ${optimizationResult.ok ? 'succeeded' : 'failed'}`);
   require$$9.debugDir('inspect', {
     optimizationResult
@@ -7667,8 +7698,8 @@ async function run$t(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -7803,8 +7834,8 @@ async function run$s(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -7939,8 +7970,8 @@ async function run$r(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -8072,8 +8103,8 @@ async function run$q(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -8115,15 +8146,16 @@ const cmdOrganizationPolicy = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      security: cmdOrganizationPolicySecurity,
-      license: cmdOrganizationPolicyLicense
-    }, {
       argv,
-      description: description$p,
-      defaultSub: 'list',
-      // Backwards compat
+      name: `${parentName} policy`,
       importMeta,
-      name: `${parentName} policy`
+      subcommands: {
+        security: cmdOrganizationPolicySecurity,
+        license: cmdOrganizationPolicyLicense
+      }
+    }, {
+      description: description$p,
+      defaultSub: 'list' // Backwards compat
     });
   }
 };
@@ -8204,8 +8236,8 @@ async function run$p(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$5,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   const json = Boolean(cli.flags['json']);
@@ -8241,10 +8273,15 @@ const cmdOrganization = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      dependencies: cmdOrganizationDependencies,
-      list: cmdOrganizationList,
-      quota: cmdOrganizationQuota,
-      policy: cmdOrganizationPolicy
+      argv,
+      name: `${parentName} organization`,
+      importMeta,
+      subcommands: {
+        dependencies: cmdOrganizationDependencies,
+        list: cmdOrganizationList,
+        quota: cmdOrganizationQuota,
+        policy: cmdOrganizationPolicy
+      }
     }, {
       aliases: {
         deps: {
@@ -8263,10 +8300,7 @@ const cmdOrganization = {
           argv: ['policy', 'security']
         }
       },
-      argv,
-      description: description$o,
-      importMeta,
-      name: `${parentName} organization`
+      description: description$o
     });
   }
 };
@@ -9002,8 +9036,13 @@ const cmdPackage = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      score: cmdPackageScore,
-      shallow: cmdPackageShallow
+      argv,
+      name: `${parentName} package`,
+      importMeta,
+      subcommands: {
+        score: cmdPackageScore,
+        shallow: cmdPackageShallow
+      }
     }, {
       aliases: {
         deep: {
@@ -9012,10 +9051,7 @@ const cmdPackage = {
           argv: ['score']
         }
       },
-      argv,
-      description: description$l,
-      importMeta,
-      name: `${parentName} package`
+      description: description$l
     });
   }
 };
@@ -9281,7 +9317,22 @@ async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options)
   let result = true;
   try {
     await fs$1.promises.copyFile(blobPath, filepath);
-    logger.logger.success(`Patch applied successfully`);
+
+    // Verify the hash after copying to ensure file integrity.
+    const verifyHashResult = await computeSHA256(filepath);
+    if (!verifyHashResult.ok) {
+      logger.logger.error(`Failed to verify hash after patch: ${verifyHashResult.cause || verifyHashResult.message}`);
+      result = false;
+    } else if (verifyHashResult.data !== fileInfo.afterHash) {
+      logger.logger.error(`Hash verification failed after patch`);
+      logger.logger.group();
+      logger.logger.log(`Expected: ${fileInfo.afterHash}`);
+      logger.logger.log(`Got:      ${verifyHashResult.data}`);
+      logger.logger.groupEnd();
+      result = false;
+    } else {
+      logger.logger.success(`Patch applied successfully`);
+    }
   } catch (e) {
     logger.logger.error('Error applying patch');
     require$$9.debugDir('error', e);
@@ -9424,11 +9475,12 @@ async function run$m(argv, importMeta, {
     `
   };
   const cli = utils.meowOrExit({
-    allowUnknownFlags: false,
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
+  }, {
+    allowUnknownFlags: false
   });
   const {
     dryRun,
@@ -9517,8 +9569,8 @@ async function run$l(argv, importMeta, context) {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -9542,6 +9594,9 @@ async function run$l(argv, importMeta, context) {
 async function runRawNpm(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpmBinPath(), argv, {
+    // On Windows, npm is often a .cmd file that requires shell execution.
+    // The spawn function from @socketsecurity/registry will handle this properly
+    // when shell is true.
     shell: constants.default.WIN32,
     stdio: 'inherit'
   });
@@ -9591,8 +9646,8 @@ async function run$k(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$4,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -9605,6 +9660,9 @@ async function run$k(argv, importMeta, {
 async function runRawNpx(argv) {
   process.exitCode = 1;
   const spawnPromise = spawn.spawn(utils.getNpxBinPath(), argv, {
+    // On Windows, npx is often a .cmd file that requires shell execution.
+    // The spawn function from @socketsecurity/registry will handle this properly
+    // when shell is true.
     shell: constants.default.WIN32,
     stdio: 'inherit'
   });
@@ -9654,8 +9712,8 @@ async function run$j(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$3,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -9815,8 +9873,8 @@ async function run$i(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -9840,7 +9898,7 @@ async function run$i(argv, importMeta, {
   }, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     test: !!repoName,
@@ -9951,8 +10009,8 @@ async function run$h(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -9971,7 +10029,7 @@ async function run$h(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -10244,8 +10302,8 @@ async function run$g(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     all,
@@ -10442,8 +10500,8 @@ async function run$f(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -10462,7 +10520,7 @@ async function run$f(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -10604,8 +10662,8 @@ async function run$e(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     json,
@@ -10624,7 +10682,7 @@ async function run$e(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -10663,16 +10721,18 @@ const cmdRepository = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      create: cmdRepositoryCreate,
-      view: cmdRepositoryView,
-      list: cmdRepositoryList,
-      del: cmdRepositoryDel,
-      update: cmdRepositoryUpdate
-    }, {
       argv,
-      description: description$d,
+      name: `${parentName} repository`,
       importMeta,
-      name: `${parentName} repository`
+      subcommands: {
+        create: cmdRepositoryCreate,
+        view: cmdRepositoryView,
+        list: cmdRepositoryList,
+        del: cmdRepositoryDel,
+        update: cmdRepositoryUpdate
+      }
+    }, {
+      description: description$d
     });
   }
 };
@@ -10876,7 +10936,7 @@ async function run$d(argv, importMeta, {
     Note: for a first run you probably want to set --default-branch to indicate
           the default branch name, like "main" or "master".
 
-    The "alerts page" (https://socket.dev/dashboard/org/YOURORG/alerts) will show
+    The ${utils.socketDashboardLink('/org/YOURORG/alerts', '"alerts page"')} will show
     the results from the last scan designated as the "pending head" on the branch
     configured on Socket to be the "default branch". When creating a scan the
     --set-as-alerts-page flag will default to true to update this. You can prevent
@@ -10894,8 +10954,8 @@ async function run$d(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const {
     commitHash,
@@ -11299,7 +11359,7 @@ async function handleJson(data, file, dashboardMessage) {
         logger.logger.fail(`Writing to \`${file}\` failed...`);
         logger.logger.error(err);
       } else {
-        logger.logger.success(`Data successfully written to \`${file}\``);
+        logger.logger.success(`Data successfully written to \`${utils.fileLink(file)}\``);
       }
       logger.logger.error(dashboardMessage);
     });
@@ -12641,7 +12701,7 @@ async function run$9(argv, importMeta, {
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: noLegacy,
-    message: `Legacy flags are no longer supported. See ${vendor.terminalLinkExports('v1 migration guide', constants.V1_MIGRATION_GUIDE_URL)}.`,
+    message: `Legacy flags are no longer supported. See the ${utils.webLink(constants.V1_MIGRATION_GUIDE_URL, 'v1 migration guide')}.`,
     fail: `received legacy flags`
   }, {
     nook: true,
@@ -13541,8 +13601,8 @@ async function run$5(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$2,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -13613,7 +13673,7 @@ async function outputScanView(result, orgSlug, scanId, filePath, outputKind) {
       logger.logger.info('Writing json results to', filePath);
       try {
         await fs.writeFile(filePath, json, 'utf8');
-        logger.logger.info(`Data successfully written to ${filePath}`);
+        logger.logger.info(`Data successfully written to ${utils.fileLink(filePath)}`);
       } catch (e) {
         process.exitCode = 1;
         logger.logger.fail('There was an error trying to write the markdown to disk');
@@ -13654,7 +13714,7 @@ View this report at: ${constants.default.SOCKET_WEBSITE_URL}/dashboard/org/${org
   if (filePath && filePath !== '-') {
     try {
       await fs.writeFile(filePath, report, 'utf8');
-      logger.logger.log(`Data successfully written to ${filePath}`);
+      logger.logger.log(`Data successfully written to ${utils.fileLink(filePath)}`);
     } catch (e) {
       process.exitCode = 1;
       logger.logger.fail('There was an error trying to write the markdown to disk');
@@ -13809,16 +13869,21 @@ const cmdScan = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      create: cmdScanCreate,
-      del: cmdScanDel,
-      diff: cmdScanDiff,
-      github: cmdScanGithub,
-      list: cmdScanList,
-      metadata: cmdScanMetadata,
-      reach: cmdScanReach,
-      report: cmdScanReport,
-      setup: cmdScanSetup,
-      view: cmdScanView
+      argv,
+      name: `${parentName} scan`,
+      importMeta,
+      subcommands: {
+        create: cmdScanCreate,
+        del: cmdScanDel,
+        diff: cmdScanDiff,
+        github: cmdScanGithub,
+        list: cmdScanList,
+        metadata: cmdScanMetadata,
+        reach: cmdScanReach,
+        report: cmdScanReport,
+        setup: cmdScanSetup,
+        view: cmdScanView
+      }
     }, {
       aliases: {
         meta: {
@@ -13832,10 +13897,7 @@ const cmdScan = {
           argv: ['reach']
         }
       },
-      argv,
-      description: description$3,
-      importMeta,
-      name: `${parentName} scan`
+      description: description$3
     });
   }
 };
@@ -14090,7 +14152,7 @@ async function run$3(argv, importMeta, {
       - Special access
 
     This feature requires a Threat Feed license. Please contact
-    sales@socket.dev if you are interested in purchasing this access.
+    ${utils.mailtoLink('sales@socket.dev')} if you are interested in purchasing this access.
 
     Options
       ${utils.getFlagListOutput(config.flags)}
@@ -14360,8 +14422,8 @@ async function run$2(argv, importMeta, {
   const cli = utils.meowOrExit({
     argv,
     config: config$1,
-    importMeta,
-    parentName
+    parentName,
+    importMeta
   });
   const dryRun = !!cli.flags['dryRun'];
   if (dryRun) {
@@ -14380,12 +14442,14 @@ const cmdUninstall = {
     parentName
   }) {
     await utils.meowWithSubcommands({
-      completion: cmdUninstallCompletion
-    }, {
       argv,
-      description: description$1,
+      name: `${parentName} uninstall`,
       importMeta,
-      name: `${parentName} uninstall`
+      subcommands: {
+        completion: cmdUninstallCompletion
+      }
+    }, {
+      description: description$1
     });
   }
 };
@@ -14811,17 +14875,19 @@ void (async () => {
     version: constants.default.ENV.INLINED_SOCKET_CLI_VERSION,
     logCallback: (name, version, latest) => {
       logger.logger.log(`\n\n📦 Update available for ${vendor.yoctocolorsCjsExports.cyan(name)}: ${vendor.yoctocolorsCjsExports.gray(version)} → ${vendor.yoctocolorsCjsExports.green(latest)}`);
-      logger.logger.log(`📝 ${vendor.terminalLinkExports('View changelog', `https://socket.dev/npm/package/${name}/files/${latest}/CHANGELOG.md`)}`);
+      logger.logger.log(`📝 ${utils.socketPackageLink('npm', name, `files/${latest}/CHANGELOG.md`, 'View changelog')}`);
     }
   });
   try {
-    await utils.meowWithSubcommands(rootCommands, {
-      aliases: rootAliases,
-      argv: process.argv.slice(2),
+    await utils.meowWithSubcommands({
       name: constants.default.SOCKET_CLI_BIN_NAME,
+      argv: process.argv.slice(2),
       importMeta: {
         url: `${require$$0.pathToFileURL(__filename$1)}`
-      }
+      },
+      subcommands: rootCommands
+    }, {
+      aliases: rootAliases
     });
   } catch (e) {
     process.exitCode = 1;
@@ -14878,5 +14944,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=6d9d1b81-f05f-4bdf-ae16-71ba7e848b55
+//# debugId=506030ac-6b44-42d9-8af7-b61f2468318b
 //# sourceMappingURL=cli.js.map