socket 1.1.8 → 1.1.11

package/dist/utils.js

@@ -11,21 +11,21 @@ var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var sorts = require('../external/@socketsecurity/registry/lib/sorts');
 var spinner = require('../external/@socketsecurity/registry/lib/spinner');
 var words = require('../external/@socketsecurity/registry/lib/words');
-var Module = require('node:module');
-var path = require('node:path');
 var flags = require('./flags.js');
+var path = require('node:path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs = require('../external/@socketsecurity/registry/lib/fs');
+var require$$5 = require('node:module');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var fs$1 = require('node:fs');
+var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var promises = require('node:timers/promises');
 var npm = require('../external/@socketsecurity/registry/lib/npm');
 var globs = require('../external/@socketsecurity/registry/lib/globs');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var streams = require('../external/@socketsecurity/registry/lib/streams');
-var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 const sensitiveConfigKeyLookup = new Set(['apiToken']);
@@ -92,20 +92,30 @@ function findSocketYmlSync(dir = process.cwd()) {
     if (typeof yml === 'string') {
       try {
         return {
-          path: ymlPath,
-          parsed: vendor.configExports.parseSocketConfig(yml)
+          ok: true,
+          data: {
+            path: ymlPath,
+            parsed: vendor.configExports.parseSocketConfig(yml)
+          }
         };
       } catch (e) {
         require$$9.debugDir('inspect', {
           error: e
         });
-        throw new Error(`Found file but was unable to parse ${ymlPath}`);
+        return {
+          ok: false,
+          message: `Found file but was unable to parse ${ymlPath}`,
+          cause: e instanceof Error ? e.message : String(e)
+        };
       }
     }
     prevDir = dir;
     dir = path.join(dir, '..');
   }
-  return undefined;
+  return {
+    ok: true,
+    data: undefined
+  };
 }
 function getConfigValue(key) {
   const localConfig = getConfigValues();
@@ -256,6 +266,22 @@ function updateConfigValue(configKey, value) {
   };
 }
 
+const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
+let _requirements;
+function getRequirements() {
+  if (_requirements === undefined) {
+    _requirements = /*@__PURE__*/require$2(path.join(constants.default.rootPath, 'requirements.json'));
+  }
+  return _requirements;
+}
+
+/**
+ * Convert command path to requirements key.
+ */
+function getRequirementsKey(cmdPath) {
+  return cmdPath.replace(/^socket[: ]/, '').replace(/ +/g, ':');
+}
+
 const TOKEN_PREFIX = 'sktsec_';
 const TOKEN_PREFIX_LENGTH = TOKEN_PREFIX.length;
 const TOKEN_VISIBLE_LENGTH = 5;
@@ -330,10 +356,14 @@ async function setupSdk(options) {
   return {
     ok: true,
     data: new vendor.distExports.SocketSdk(apiToken, {
-      agent: apiProxy ? new ProxyAgent({
-        proxy: apiProxy
-      }) : undefined,
-      baseUrl: apiBaseUrl,
+      ...(apiProxy ? {
+        agent: new ProxyAgent({
+          proxy: apiProxy
+        })
+      } : {}),
+      ...(apiBaseUrl ? {
+        baseUrl: apiBaseUrl
+      } : {}),
       timeout: constants.default.ENV.SOCKET_CLI_API_TIMEOUT,
       userAgent: vendor.distExports.createUserAgentFromPkgJson({
         name: constants.default.ENV.INLINED_SOCKET_CLI_NAME,
@@ -345,6 +375,32 @@ async function setupSdk(options) {
 }
 
 const NO_ERROR_MESSAGE = 'No error message returned';
+/**
+ * Get command requirements from requirements.json based on command path.
+ */
+function getCommandRequirements(cmdPath) {
+  if (!cmdPath) {
+    return undefined;
+  }
+  const requirements = getRequirements();
+  const key = getRequirementsKey(cmdPath);
+  return requirements.api[key] || undefined;
+}
+
+/**
+ * Log required permissions for a command when encountering 403 errors.
+ */
+function logPermissionsFor403(cmdPath) {
+  const requirements = getCommandRequirements(cmdPath);
+  if (!requirements?.permissions?.length) {
+    return;
+  }
+  logger.logger.error('This command requires the following API permissions:');
+  for (const permission of requirements.permissions) {
+    logger.logger.error(`  - ${permission}`);
+  }
+  logger.logger.error('Please ensure your API token has the required permissions.');
+}
 
 // The Socket API server that should be used for operations.
 function getDefaultApiBaseUrl() {
@@ -355,6 +411,10 @@ function getDefaultApiBaseUrl() {
   const API_V0_URL = constants.default.API_V0_URL;
   return API_V0_URL;
 }
+
+/**
+ * Get user-friendly error message for HTTP status codes.
+ */
 async function getErrorMessageForHttpStatusCode(code) {
   if (code === 400) {
     return 'One of the options passed might be incorrect';
@@ -370,8 +430,12 @@ async function getErrorMessageForHttpStatusCode(code) {
   }
   return `Server responded with status code ${code}`;
 }
+/**
+ * Handle Socket SDK API calls with error handling and permission logging.
+ */
 async function handleApiCall(value, options) {
   const {
+    commandPath,
     description,
     spinner
   } = {
@@ -399,7 +463,7 @@ async function handleApiCall(value, options) {
     spinner?.stop();
     const socketSdkErrorResult = {
       ok: false,
-      message: 'Socket API returned an error',
+      message: 'Socket API error',
       cause: vendor.messageWithCauses(e)
     };
     if (description) {
@@ -430,12 +494,17 @@ async function handleApiCall(value, options) {
     const cause = reason && message !== reason ? `${message} (reason: ${reason})` : message;
     const socketSdkErrorResult = {
       ok: false,
-      message: 'Socket API returned an error',
+      message: 'Socket API error',
       cause,
       data: {
         code: sdkResult.status
       }
     };
+
+    // Log required permissions for 403 errors when in a command context.
+    if (commandPath && sdkResult.status === 403) {
+      logPermissionsFor403(commandPath);
+    }
     return socketSdkErrorResult;
   }
   const socketSdkSuccessResult = {
@@ -454,7 +523,7 @@ async function handleApiCallNoSpinner(value, description) {
       error: e
     });
     const errStr = e ? String(e).trim() : '';
-    const message = 'Socket API returned an error';
+    const message = 'Socket API error';
     const rawCause = errStr || NO_ERROR_MESSAGE;
     const cause = message !== rawCause ? rawCause : '';
     return {
@@ -479,7 +548,7 @@ async function handleApiCallNoSpinner(value, description) {
     const cause = reason && message !== reason ? `${message} (reason: ${reason})` : message;
     return {
       ok: false,
-      message: 'Socket API returned an error',
+      message: 'Socket API error',
       cause,
       data: {
         code: sdkResult.status
@@ -494,9 +563,9 @@ async function handleApiCallNoSpinner(value, description) {
   }
 }
 async function queryApi(path, apiToken) {
-  const baseUrl = getDefaultApiBaseUrl() || '';
+  const baseUrl = getDefaultApiBaseUrl();
   if (!baseUrl) {
-    logger.logger.warn('API endpoint is not set and default was empty. Request is likely to fail.');
+    throw new Error('Socket API endpoint is not configured');
   }
   return await fetch(`${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`, {
     method: 'GET',
@@ -505,7 +574,11 @@ async function queryApi(path, apiToken) {
     }
   });
 }
-async function queryApiSafeText(path, description) {
+
+/**
+ * Query Socket API endpoint and return text response with error handling.
+ */
+async function queryApiSafeText(path, description, commandPath) {
   const apiToken = getDefaultApiToken();
   if (!apiToken) {
     return {
@@ -550,11 +623,10 @@ async function queryApiSafeText(path, description) {
     const {
       status
     } = result;
-    const reason = await getErrorMessageForHttpStatusCode(status);
     return {
       ok: false,
-      message: 'Socket API returned an error',
-      cause: `${result.statusText} (reason: ${reason})`,
+      message: 'Socket API error',
+      cause: `${result.statusText} (reason: ${await getErrorMessageForHttpStatusCode(status)})`,
       data: {
         code: status
       }
@@ -578,6 +650,10 @@ async function queryApiSafeText(path, description) {
     };
   }
 }
+
+/**
+ * Query Socket API endpoint and return parsed JSON response.
+ */
 async function queryApiSafeJson(path, description = '') {
   const result = await queryApiSafeText(path, description);
   if (!result.ok) {
@@ -592,10 +668,13 @@ async function queryApiSafeJson(path, description = '') {
     return {
       ok: false,
       message: 'Server returned invalid JSON',
-      cause: `Please report this. JSON.parse threw an error over the following response: \`${(result.data?.slice?.(0, 100) || '<empty>').trim() + (result.data?.length > 100 ? '...' : '')}\``
+      cause: `Please report this. JSON.parse threw an error over the following response: \`${(result.data?.slice?.(0, 100) || constants.EMPTY_VALUE).trim() + (result.data?.length > 100 ? '...' : '')}\``
     };
   }
 }
+/**
+ * Send POST/PUT request to Socket API with JSON response handling.
+ */
 async function sendApiRequest(path, options) {
   const apiToken = getDefaultApiToken();
   if (!apiToken) {
@@ -605,12 +684,17 @@ async function sendApiRequest(path, options) {
       cause: 'User must be authenticated to run this command. To log in, run the command `socket login` and enter your Socket API token.'
     };
   }
-  const baseUrl = getDefaultApiBaseUrl() || '';
+  const baseUrl = getDefaultApiBaseUrl();
   if (!baseUrl) {
-    logger.logger.warn('API endpoint is not set and default was empty. Request is likely to fail.');
+    return {
+      ok: false,
+      message: 'Configuration Error',
+      cause: 'Socket API endpoint is not configured. Please check your environment configuration.'
+    };
   }
   const {
     body,
+    commandPath,
     description,
     method
   } = {
@@ -663,11 +747,14 @@ async function sendApiRequest(path, options) {
     const {
       status
     } = result;
-    const reason = await getErrorMessageForHttpStatusCode(status);
+    // Log required permissions for 403 errors when in a command context.
+    if (commandPath && status === 403) {
+      logPermissionsFor403(commandPath);
+    }
     return {
       ok: false,
-      message: 'Socket API returned an error',
-      cause: `${result.statusText} (reason: ${reason})`,
+      message: 'Socket API error',
+      cause: `${result.statusText} (reason: ${await getErrorMessageForHttpStatusCode(status)})`,
       data: {
         code: status
       }
@@ -693,7 +780,7 @@ async function sendApiRequest(path, options) {
 }
 
 function failMsgWithBadge(badge, message) {
-  const prefix = vendor.yoctocolorsCjsExports.bgRed(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.white(` ${badge}${message ? ': ' : ''}`)));
+  const prefix = vendor.yoctocolorsCjsExports.bgRedBright(vendor.yoctocolorsCjsExports.bold(vendor.yoctocolorsCjsExports.red(` ${badge}${message ? ': ' : ''}`)));
   const postfix = message ? ` ${vendor.yoctocolorsCjsExports.bold(message)}` : '';
   return `${prefix}${postfix}`;
 }
@@ -887,18 +974,10 @@ function getOutputKind(json, markdown) {
   return constants.OUTPUT_TEXT;
 }
 
-const require$2 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
-let _requirements;
-function getRequirements() {
-  if (_requirements === undefined) {
-    _requirements = /*@__PURE__*/require$2(path.join(constants.default.rootPath, 'requirements.json'));
-  }
-  return _requirements;
+function camelToKebab(str) {
+  return str === '' ? '' : str.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase();
 }
 
-function camelToKebab(string) {
-  return string.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase();
-}
 function getFlagApiRequirementsOutput(cmdPath, options) {
   const {
     indent = 6
@@ -906,20 +985,21 @@ function getFlagApiRequirementsOutput(cmdPath, options) {
     __proto__: null,
     ...options
   };
-  const key = cmdPath.replace(/^socket[: ]/, '').replace(/ +/g, ':');
+  const key = getRequirementsKey(cmdPath);
   const requirements = getRequirements();
   const data = requirements.api[key];
   let result = '';
   if (data) {
     const quota = data?.quota;
-    const perms = data?.permissions;
+    const rawPerms = data?.permissions;
     const padding = ''.padEnd(indent);
     const lines = [];
-    if (typeof quota === 'number') {
+    if (Number.isFinite(quota) && quota > 0) {
       lines.push(`${padding}- Quota: ${quota} ${words.pluralize('unit', quota)}`);
     }
-    if (Array.isArray(perms) && perms.length) {
-      lines.push(`${padding}- Permissions: ${perms.join(' ')}`);
+    if (Array.isArray(rawPerms) && rawPerms.length) {
+      const perms = rawPerms.slice().sort(sorts.naturalCompare);
+      lines.push(`${padding}- Permissions: ${arrays.joinAnd(perms)}`);
     }
     result += lines.join('\n');
   }
@@ -980,6 +1060,10 @@ function tildify(cwd) {
 
 const HELP_INDENT = 2;
 const HELP_PAD_NAME = 28;
+
+/**
+ * Format a command description for help output.
+ */
 function description(command) {
   const description = command?.description;
   const str = typeof description === 'string' ? description : String(description);
@@ -1004,6 +1088,10 @@ function findBestCommandMatch(input, subcommands, aliases) {
   }
   return bestMatch;
 }
+
+/**
+ * Generate the ASCII banner header for Socket CLI commands.
+ */
 function getAsciiHeader(command, orgFlag) {
   // Note: In tests we return <redacted> because otherwise snapshots will fail.
   const {
@@ -1047,19 +1135,28 @@ function levenshteinDistance(a, b) {
   for (let i = 1; i <= a.length; i++) {
     for (let j = 1; j <= b.length; j++) {
       const cost = a[i - 1] === b[j - 1] ? 0 : 1;
-      matrix[i][j] = Math.min(matrix[i - 1][j] + 1,
+      matrix[i][j] = Math.min(
       // Deletion.
-      matrix[i][j - 1] + 1,
+      matrix[i - 1][j] + 1,
       // Insertion.
-      matrix[i - 1][j - 1] + cost // Substitution.
-      );
+      matrix[i][j - 1] + 1,
+      // Substitution.
+      matrix[i - 1][j - 1] + cost);
     }
   }
   return matrix[a.length][b.length];
 }
+
+/**
+ * Determine if the banner should be suppressed based on output flags.
+ */
 function shouldSuppressBanner(flags) {
-  return Boolean(flags['json'] || flags['markdown'] || flags['nobanner']);
+  return Boolean(flags['json'] || flags['markdown'] || flags['banner'] === false);
 }
+
+/**
+ * Emit the Socket CLI banner to stderr for branding and debugging.
+ */
 function emitBanner(name, orgFlag) {
   // Print a banner at the top of each command.
   // This helps with brand recognition and marketing.
@@ -1071,6 +1168,10 @@ function emitBanner(name, orgFlag) {
   //       The spinner also emits over stderr for example.
   logger.logger.error(getAsciiHeader(name, orgFlag));
 }
+
+/**
+ * Main function for handling CLI with subcommands using meow.
+ */
 async function meowWithSubcommands(subcommands, options) {
   const {
     aliases = {},
@@ -1083,11 +1184,6 @@ async function meowWithSubcommands(subcommands, options) {
     __proto__: null,
     ...options
   };
-  const [commandOrAliasName_, ...rawCommandArgv] = argv;
-  let commandOrAliasName = commandOrAliasName_;
-  if (!commandOrAliasName && defaultSub) {
-    commandOrAliasName = defaultSub;
-  }
   const flags$1 = {
     ...flags.commonFlags,
     version: {
@@ -1095,13 +1191,18 @@ async function meowWithSubcommands(subcommands, options) {
       hidden: true,
       description: 'Print the app version'
     },
-    ...additionalOptions.flags
+    ...require$$11.getOwn(additionalOptions, 'flags')
   };
+  const [commandOrAliasName_, ...rawCommandArgv] = argv;
+  let commandOrAliasName = commandOrAliasName_;
+  if (!commandOrAliasName && defaultSub) {
+    commandOrAliasName = defaultSub;
+  }
 
-  // No further args or first arg is a flag (shrug)
+  // No further args or first arg is a flag (shrug).
   const isRootCommand = name === 'socket' && (!commandOrAliasName || commandOrAliasName?.startsWith('-'));
 
-  // Try to support `socket <purl>` as a shorthand for `socket package score <purl>`
+  // Try to support `socket <purl>` as a shorthand for `socket package score <purl>`.
   if (!isRootCommand) {
     if (commandOrAliasName?.startsWith('pkg:')) {
       logger.logger.info('Invoking `socket package score`.');
@@ -1174,7 +1275,6 @@ async function meowWithSubcommands(subcommands, options) {
   if (noSpinner) {
     constants.default.spinner.spinner = spinner.getCliSpinners('ci');
   }
-
   // Hard override the config if instructed to do so.
   // The env var overrides the --flag, which overrides the persisted config
   // Also, when either of these are used, config updates won't persist.
@@ -1182,7 +1282,7 @@ async function meowWithSubcommands(subcommands, options) {
   if (constants.default.ENV.SOCKET_CLI_CONFIG) {
     configOverrideResult = overrideCachedConfig(constants.default.ENV.SOCKET_CLI_CONFIG);
   } else if (cli1.flags['config']) {
-    configOverrideResult = overrideCachedConfig(String(cli1.flags['config'] || ''));
+    configOverrideResult = overrideCachedConfig(cli1.flags['config']);
   }
   if (constants.default.ENV.SOCKET_CLI_NO_API_TOKEN) {
     // This overrides the config override and even the explicit token env var.
@@ -1216,6 +1316,8 @@ async function meowWithSubcommands(subcommands, options) {
     const commandDefinition = commandName ? subcommands[commandName] : undefined;
     // Third: If a valid command has been found, then we run it...
     if (commandDefinition) {
+      // Extract the original command arguments from the full argv
+      // by skipping the command name
       return await commandDefinition.run(commandArgv, importMeta, {
         parentName: name
       });
@@ -1303,7 +1405,7 @@ async function meowWithSubcommands(subcommands, options) {
 
   // Parse it again. Config overrides should now be applied (may affect help).
   // Note: this is displayed as help screen if the command does not override it
-  //       (which is the case for most sub-commands with sub-commands)
+  //       (which is the case for most sub-commands with sub-commands).
   const cli2 = vendor.meow({
     argv,
     importMeta,
@@ -1323,7 +1425,7 @@ async function meowWithSubcommands(subcommands, options) {
   // ...else we provide basic instructions and help.
   if (!shouldSuppressBanner(cli2.flags)) {
     emitBanner(name, orgFlag);
-    // meow will add newline so don't add stderr spacing here
+    // Meow will add newline so don't add stderr spacing here.
   }
   if (!cli2.flags['help'] && cli2.flags['dryRun']) {
     process.exitCode = 0;
@@ -1336,7 +1438,8 @@ async function meowWithSubcommands(subcommands, options) {
 }
 
 /**
- * Note: meow will exit immediately if it calls its .showHelp()
+ * Create meow CLI instance or exit with help/error (meow will exit immediately
+ * if it calls .showHelp()).
  */
 function meowOrExit({
   allowUnknownFlags = true,
@@ -1361,14 +1464,19 @@ function meowOrExit({
     help: strings.trimNewlines(config.help(command, config)),
     importMeta
   });
-  const noSpinner = cli.flags['spinner'] === false;
+  const {
+    help,
+    org: orgFlag,
+    spinner: spinnerFlag,
+    version
+  } = cli.flags;
+  const noSpinner = spinnerFlag === false;
 
   // Use CI spinner style when --no-spinner is passed.
   if (noSpinner) {
     constants.default.spinner.spinner = spinner.getCliSpinners('ci');
   }
   if (!shouldSuppressBanner(cli.flags)) {
-    const orgFlag = String(cli.flags['org'] || '').trim() || undefined;
     emitBanner(command, orgFlag);
     // Add newline in stderr.
     // Meow help adds a newline too so we do it here.
@@ -1393,12 +1501,12 @@ function meowOrExit({
   //   })
   // }
 
-  if (cli.flags['help']) {
+  if (help) {
     cli.showHelp(0);
   }
 
   // Meow doesn't detect 'version' as an unknown flag, so we do the leg work here.
-  if (!require$$11.hasOwn(config.flags, 'version') && cli.flags['version']) {
+  if (version && !require$$11.hasOwn(config.flags, 'version')) {
     // Use `console.error` here instead of `logger.error` to match Meow behavior.
     console.error('Unknown flag\n--version');
     // eslint-disable-next-line n/no-process-exit
@@ -1408,7 +1516,6 @@ function meowOrExit({
   // Now test for help state. Run Meow again. If it exits now, it must be due
   // to wanting to print the help screen. But it would exit(0) and we want a
   // consistent exit(2) for that case (missing input).
-  // TODO: Move away from meow.
   process.exitCode = 2;
   vendor.meow({
     argv,
@@ -1679,7 +1786,7 @@ async function getBaseBranch(cwd = process.cwd()) {
   return 'main';
 }
 async function getRepoInfo(cwd = process.cwd()) {
-  let info = null;
+  let info;
   const quotedCmd = '`git remote get-url origin`';
   require$$9.debugFn('stdio', `spawn: ${quotedCmd}`);
   try {
@@ -1745,7 +1852,7 @@ async function gitBranch(cwd = process.cwd()) {
       });
     }
   }
-  return null;
+  return undefined;
 }
 
 /**
@@ -2056,7 +2163,7 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
 }
 const parsedGitRemoteUrlCache = new Map();
 function parseGitRemoteUrl(remoteUrl) {
-  let result = parsedGitRemoteUrlCache.get(remoteUrl) ?? null;
+  let result = parsedGitRemoteUrlCache.get(remoteUrl);
   if (result) {
     return {
       ...result
@@ -2108,7 +2215,7 @@ function getPurlObject(purl, options) {
     if (shouldThrow) {
       throw e;
     }
-    return null;
+    return undefined;
   }
 }
 function normalizePurl(rawPurl) {
@@ -2501,7 +2608,7 @@ function getNpmRequire() {
   if (_npmRequire === undefined) {
     const npmDirPath = getNpmDirPath();
     const npmNmPath = path.join(npmDirPath, `${constants.NODE_MODULES}/npm`);
-    _npmRequire = Module.createRequire(path.join(fs$1.existsSync(npmNmPath) ? npmNmPath : npmDirPath, '<dummy-basename>'));
+    _npmRequire = require$$5.createRequire(path.join(fs$1.existsSync(npmNmPath) ? npmNmPath : npmDirPath, '<dummy-basename>'));
   }
   return _npmRequire;
 }
@@ -2530,23 +2637,33 @@ function isNpxBinPathShadowed() {
 }
 
 const helpFlags = new Set(['--help', '-h']);
+
+/**
+ * Convert command arguments to a properly formatted string representation.
+ */
 function cmdFlagsToString(args) {
   const result = [];
   for (let i = 0, {
       length
     } = args; i < length; i += 1) {
-    if (args[i].startsWith('--')) {
+    const arg = args[i].trim();
+    if (arg.startsWith('--')) {
+      const nextArg = i + 1 < length ? args[i + 1].trim() : undefined;
       // Check if the next item exists and is NOT another flag.
-      if (i + 1 < length && !args[i + 1].startsWith('--')) {
-        result.push(`${args[i]}=${args[i + 1]}`);
+      if (nextArg?.startsWith('--')) {
+        result.push(`${arg}=${nextArg}`);
         i += 1;
       } else {
-        result.push(args[i]);
+        result.push(arg);
       }
     }
   }
   return result.join(' ');
 }
+
+/**
+ * Convert flag values to array format for processing.
+ */
 function cmdFlagValueToArray(value) {
   if (typeof value === 'string') {
     return value.trim().split(/, */).filter(Boolean);
@@ -2556,10 +2673,81 @@ function cmdFlagValueToArray(value) {
   }
   return [];
 }
+
+/**
+ * Add command name prefix to message text.
+ */
 function cmdPrefixMessage(cmdName, text) {
   const cmdPrefix = cmdName ? `${cmdName}: ` : '';
   return `${cmdPrefix}${text}`;
 }
+
+/**
+ * Filter out Socket flags from argv before passing to subcommands.
+ */
+function filterFlags(argv, flagsToFilter, exceptions) {
+  const filtered = [];
+
+  // Build set of flags to filter from the provided flag objects.
+  const flagsToFilterSet = new Set();
+  const flagsWithValueSet = new Set();
+  for (const [flagName, flag] of Object.entries(flagsToFilter)) {
+    const longFlag = `--${camelToKebab(flagName)}`;
+    // Special case for negated booleans.
+    if (flagName === 'spinner' || flagName === 'banner') {
+      flagsToFilterSet.add(`--no-${flagName}`);
+    } else {
+      flagsToFilterSet.add(longFlag);
+    }
+    if (flag?.shortFlag) {
+      flagsToFilterSet.add(`-${flag.shortFlag}`);
+    }
+    // Track flags that take values.
+    if (flag.type !== 'boolean') {
+      flagsWithValueSet.add(longFlag);
+      if (flag?.shortFlag) {
+        flagsWithValueSet.add(`-${flag.shortFlag}`);
+      }
+    }
+  }
+  for (let i = 0, {
+      length
+    } = argv; i < length; i += 1) {
+    const arg = argv[i];
+    // Check if this flag should be kept as an exception.
+    if (exceptions?.includes(arg)) {
+      filtered.push(arg);
+      // Handle flags that take values.
+      if (flagsWithValueSet.has(arg)) {
+        // Include the next argument (the flag value).
+        i += 1;
+        if (i < length) {
+          filtered.push(argv[i]);
+        }
+      }
+    } else if (flagsToFilterSet.has(arg)) {
+      // Skip flags that take values.
+      if (flagsWithValueSet.has(arg)) {
+        // Skip the next argument (the flag value).
+        i += 1;
+      }
+      // Skip boolean flags (no additional argument to skip).
+    } else if (arg && Array.from(flagsWithValueSet).some(flag => arg.startsWith(`${flag}=`))) {
+      // Skip --flag=value format for Socket flags unless it's an exception.
+      if (exceptions?.some(exc => arg.startsWith(`${exc}=`))) {
+        filtered.push(arg);
+      }
+      // Otherwise skip it.
+    } else {
+      filtered.push(arg);
+    }
+  }
+  return filtered;
+}
+
+/**
+ * Check if argument is a help flag.
+ */
 function isHelpFlag(cmdArg) {
   return helpFlags.has(cmdArg);
 }
@@ -2809,7 +2997,7 @@ ttlMs = 5 * 60 * 1000) {
       return await fs.readJson(cacheJsonPath);
     }
   }
-  return null;
+  return undefined;
 }
 async function writeCache(key, data) {
   const {
@@ -2959,8 +3147,17 @@ async function enablePrAutoMerge({
 }
 async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
   const {
-    host
-  } = new URL(constants.default.ENV.GITHUB_SERVER_URL);
+    GITHUB_SERVER_URL
+  } = constants.default.ENV;
+  const urlObj = require$$13.parseUrl(GITHUB_SERVER_URL);
+  const host = urlObj?.host;
+  if (!host) {
+    require$$9.debugFn('error', 'invalid: GITHUB_SERVER_URL env var');
+    require$$9.debugDir('inspect', {
+      GITHUB_SERVER_URL
+    });
+    return false;
+  }
   const url = `https://x-access-token:${token}@${host}/${owner}/${repo}`;
   const stdioIgnoreOptions = {
     cwd,
@@ -2980,13 +3177,106 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   return false;
 }
 
-const RangeStyles = ['caret', 'gt', 'gte', 'lt', 'lte', 'pin', 'preserve', 'tilde'];
+/**
+ * Converts CVE IDs to GHSA IDs using GitHub API.
+ */
+async function convertCveToGhsa(cveId) {
+  try {
+    const cacheKey = `cve-to-ghsa-${cveId}`;
+    const octokit = getOctokit();
+    const response = await cacheFetch(cacheKey, () => octokit.rest.securityAdvisories.listGlobalAdvisories({
+      cve_id: cveId,
+      per_page: 1
+    }));
+    if (!response.data.length) {
+      return {
+        ok: false,
+        message: `No GHSA found for CVE ${cveId}`
+      };
+    }
+    return {
+      ok: true,
+      data: response.data[0].ghsa_id
+    };
+  } catch (e) {
+    return {
+      ok: false,
+      message: `Failed to convert CVE to GHSA: ${e instanceof Error ? e.message : 'Unknown error'}`
+    };
+  }
+}
+
+const PURL_TO_GITHUB_ECOSYSTEM_MAPPING = {
+  __proto__: null,
+  // GitHub Advisory Database supported ecosystems
+  cargo: 'rust',
+  composer: 'composer',
+  gem: 'rubygems',
+  go: 'go',
+  golang: 'go',
+  maven: 'maven',
+  npm: 'npm',
+  nuget: 'nuget',
+  pypi: 'pip',
+  swift: 'swift'
+};
+
+/**
+ * Converts PURL to GHSA IDs using GitHub API.
+ */
+async function convertPurlToGhsas(purl) {
+  try {
+    const purlObj = getPurlObject(purl, {
+      throws: false
+    });
+    if (!purlObj) {
+      return {
+        ok: false,
+        message: `Invalid PURL format: ${purl}`
+      };
+    }
+    const {
+      name,
+      type: ecosystem,
+      version
+    } = purlObj;
+
+    // Map PURL ecosystem to GitHub ecosystem.
+    const githubEcosystem = PURL_TO_GITHUB_ECOSYSTEM_MAPPING[ecosystem];
+    if (!githubEcosystem) {
+      return {
+        ok: false,
+        message: `Unsupported PURL ecosystem: ${ecosystem}`
+      };
+    }
+
+    // Search for advisories affecting this package.
+    const cacheKey = `purl-to-ghsa-${ecosystem}-${name}-${version || constants.LATEST}`;
+    const octokit = getOctokit();
+    const affects = version ? `${name}@${version}` : name;
+    const response = await cacheFetch(cacheKey, () => octokit.rest.securityAdvisories.listGlobalAdvisories({
+      ecosystem: githubEcosystem,
+      affects
+    }));
+    return {
+      ok: true,
+      data: response.data.map(a => a.ghsa_id)
+    };
+  } catch (e) {
+    return {
+      ok: false,
+      message: `Failed to convert PURL to GHSA: ${e instanceof Error ? e.message : constants.UNKNOWN_ERROR}`
+    };
+  }
+}
+
+const RangeStyles = ['pin', 'preserve'];
 function getMajor(version) {
   try {
     const coerced = vendor.semverExports.coerce(version);
-    return coerced ? vendor.semverExports.major(coerced) : null;
+    return coerced ? vendor.semverExports.major(coerced) : undefined;
   } catch {}
-  return null;
+  return undefined;
 }
 
 const COMPLETION_CMD_PREFIX = 'complete -F _socket_completion';
@@ -3078,7 +3368,7 @@ function npa(...args) {
   try {
     return Reflect.apply(vendor.npaExports, undefined, args);
   } catch {}
-  return null;
+  return undefined;
 }
 
 function shadowNpmInstall(options) {
@@ -3594,7 +3884,7 @@ function toFilterConfig(obj) {
   return normalized;
 }
 
-const require$1 = Module.createRequire(require('node:url').pathToFileURL(__filename).href);
+const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('utils.js', document.baseURI).href)));
 let _translations;
 function getTranslations() {
   if (_translations === undefined) {
@@ -3987,7 +4277,8 @@ async function getAlertsMapFromPurls(purls, options) {
     throw new Error('Auth error: Run `socket login` first');
   }
   const sockSdk = sockSdkCResult.data;
-  const socketYml = findSocketYmlSync()?.parsed;
+  const socketYmlResult = findSocketYmlSync();
+  const socketYml = socketYmlResult.ok ? socketYmlResult.data.parsed : undefined;
   const alertsMapOptions = {
     consolidate: opts.consolidate,
     filter: opts.filter,
@@ -4053,6 +4344,8 @@ exports.checkCommandInput = checkCommandInput;
 exports.cmdFlagValueToArray = cmdFlagValueToArray;
 exports.cmdFlagsToString = cmdFlagsToString;
 exports.cmdPrefixMessage = cmdPrefixMessage;
+exports.convertCveToGhsa = convertCveToGhsa;
+exports.convertPurlToGhsas = convertPurlToGhsas;
 exports.createEnum = createEnum;
 exports.detectAndValidatePackageEnvironment = detectAndValidatePackageEnvironment;
 exports.detectDefaultBranch = detectDefaultBranch;
@@ -4062,6 +4355,7 @@ exports.extractTier1ReachabilityScanId = extractTier1ReachabilityScanId;
 exports.failMsgWithBadge = failMsgWithBadge;
 exports.fetchGhsaDetails = fetchGhsaDetails;
 exports.fetchOrganization = fetchOrganization;
+exports.filterFlags = filterFlags;
 exports.findUp = findUp;
 exports.getAlertsMapFromPurls = getAlertsMapFromPurls;
 exports.getBaseBranch = getBaseBranch;
@@ -4138,5 +4432,5 @@ exports.toFilterConfig = toFilterConfig;
 exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=737faea9-c80e-4b25-92fc-cf5802905b27
+//# debugId=5923006d-eb5f-4f79-acbc-223ba7f465ba
 //# sourceMappingURL=utils.js.map