Releases: itw-creative-works/node-power-user

v2.1.5

11 Jun 18:27

Fixes the infinite Reconcile/Update loop in npu outdated: when node_modules is physically stale but the lockfiles already record newer versions (left behind by interrupted or Socket-blocked installs), npm install pkg@version reports "up to date" without installing anything. Every npu out action "succeeded" while node_modules never changed.

  • Sync and Patch/Minor/Major installs now remove the targeted node_modules copies first (same stale-lockfile fix npu install got in 2.1.4) and verify the requested versions physically landed, erroring loudly on silent no-ops
  • New integrity check on every npu out run: compares node_modules/.package-lock.json against the packages physically on disk (including transitive deps) and warns about desync; platform-skipped optional packages are ignored
  • New Heal action (menu + --heal flag): removes desynced copies and reinstalls under Socket so disk matches the lockfile again, then re-verifies
  • Reconcile is strictly ahead-only — no longer downgrades package.json to match a stale install; points at Sync instead
  • New --sync shortcut flag for non-interactive syncs
  • Failed/blocked installs restore package-lock.json alongside package.json so a failed run can't mint the desync; Socket blocks list flagged packages and suggest socket npm update for CVE-pinned transitive deps
  • CLI bin exits cleanly (code 1) on failure instead of an unhandled rejection
  • npm test script uses mocha from PATH (mocha ≥9 ships bin/mocha.js)
  • Shared lib/npm.js: removeInstalledCopies, removeLocations, findDesynced, verifyInstalled
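The integrity check described above, written as an added example rather than code from node-power-user's lib/npm.js: it walks the hidden lockfile's packages map, skips optional entries whose os/cpu lists exclude the host, and reports every location that is missing or at a different version than recorded. The function name findDesyncedPackages, the in-memory disk map and the sample lockfile are all constructed here.

```javascript
// Added example (not the project's lib/npm.js). Disk state is passed in as a
// location -> version map so the check runs offline; a real run would fill it
// by reading <location>/package.json for each lockfile entry.

// npm skips an optional dep only when its os/cpu lists exclude the host.
function matchesPlatform(list, value) {
  if (!Array.isArray(list) || list.length === 0) return true;
  const negated = list.filter((v) => v.startsWith('!'));
  if (negated.length === list.length) return !list.includes(`!${value}`);
  return list.includes(value);
}

// One record per desynced location: missing on disk, or a different version
// than node_modules/.package-lock.json recorded. Platform-skipped optionals
// are ignored so a clean linux tree is not reported as "missing fsevents".
function findDesyncedPackages(hiddenLock, installedVersions, platform) {
  const desynced = [];
  for (const [location, entry] of Object.entries(hiddenLock.packages || {})) {
    if (location === '') continue; // root project entry, not a dependency
    if (entry.optional &&
        (!matchesPlatform(entry.os, platform.os) ||
         !matchesPlatform(entry.cpu, platform.cpu))) continue;
    const actual = installedVersions[location];
    if (actual === undefined) {
      desynced.push({ location, expected: entry.version, actual: null, problem: 'missing' });
    } else if (actual !== entry.version) {
      desynced.push({ location, expected: entry.version, actual, problem: 'version-mismatch' });
    }
  }
  return desynced;
}

// Constructed sample: the lockfile already records the newer express and its
// nested debug, but an interrupted install left old express on disk and never
// wrote debug. fsevents is darwin-only optional and absent on linux by design.
const SAMPLE_HIDDEN_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express/node_modules/debug': { version: '2.6.9' },
    'node_modules/fsevents': { version: '2.3.3', optional: true, os: ['darwin'] },
  },
};
const SAMPLE_DISK_VERSIONS = {
  'node_modules/left-pad': '1.3.0',
  'node_modules/express': '4.18.2', // stale copy; npm install would still report "up to date"
};
```

Running the check on the sample reports express (version-mismatch) and the nested debug (missing) on linux, and additionally fsevents when the host is darwin.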

v2.1.4

09 Jun 21:56

Fix npu install pkg@latest silently doing nothing due to npm lockfile caching —
npu now removes the stale node_modules copy before re-installing when an explicit
version or tag is specified.

Split outdated discrepancy handling into Sync (install to match package.json) and
Reconcile (update package.json to match installed). Previously Reconcile would
always downgrade package.json to match an older installed version.

Add --cwd / -C global flag to run npu against a different directory without cd-ing.

v2.1.3

19 May 03:50

Routine dependency bumps:

  • @inquirer/prompts 8.3.2 → 8.4.3 (patch)
  • npm-check-updates 20.0.0 → 22.2.0 (major)
  • prepare-package 2.0.7 → 2.1.0 (minor)

The npm-check-updates major bump was verified to not break our usage: src/commands/outdated.js calls ncu.run({ packageFile, dep, target }) and reads the return value as a { name: versionRange } object. ncu@22 returns the same shape for all three targets (patch/minor/latest) and filters correctly — confirmed by calling it directly against omega-manager's outdated deps. All 4 mocha tests pass.

prepare-package@2.1.0 also added a "hooks": {} field to the prepare-package config block in package.json, written by the prepare step itself.

v2.1.2

19 May 01:22

Socket wrap was treating any non-zero exit from socket npm as a supply chain risk-block, even when the failure was actually an npm error like ERESOLVE, a peer-dependency conflict, or a network problem. Users would see "Socket detected supply chain risks" plus advice to retry with --force or SOCKET_CLI_ACCEPT_RISKS=1 — neither of which would have fixed the real underlying npm issue.

Socket wrap now inspects the subprocess output for Socket's own risk markers ("new risk", "socket found", "exiting due to risks") to distinguish a real risk-block from a generic npm failure. When the subprocess fails without Socket markers, the thrown error is tagged with reason: 'npm-failed' and the message says "npm install failed. See the error output above." instead of the misleading Socket text.

The outdated and install commands branch on err.reason: npm failures get an honest "Fix the npm error above and retry" message and skip the inapplicable Socket bypass instructions. Risk-blocks still produce the existing flagged-package trace and retry advice.

Also removed "warning" and "alert" from the risk-marker regex since those words appear in unrelated npm output and caused false positives, and applied the same exit-code-vs-output discrimination to socket audit so audit subprocess failures don't get mislabeled either.

Verified end-to-end against the original ERESOLVE scenario in omega-manager: the npm error is printed in full followed by the honest "npm install failed" verdict.
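The exit-code-versus-output discrimination described in this release, as an added example that is not node-power-user's own lib/socket.js: a non-zero exit is treated as a Socket risk-block only when Socket's own markers appear in the output, and the calling command branches on the resulting reason. The function names, the pre-2.1.2 marker regex with "warning"/"alert" shown for comparison, and both output transcripts are constructed here.

```javascript
// Added example (not the project's lib/socket.js): tell a genuine Socket
// risk-block apart from an ordinary npm failure using the subprocess output,
// not just its exit code. Inputs are a constructed exit code and output text.

// Pre-2.1.2 style marker set: "warning"/"alert" also matched, which ordinary
// npm output triggers. Kept only to demonstrate the false positive.
const LEGACY_RISK_RE = /new risk|socket found|exiting due to risks|warning|alert/i;
// Socket's own markers only.
const SOCKET_RISK_RE = /new risk|socket found|exiting due to risks/i;

function classifySocketRun(exitCode, output, riskRe = SOCKET_RISK_RE) {
  if (exitCode === 0) return { ok: true, reason: null, message: 'install succeeded' };
  if (riskRe.test(output)) {
    return { ok: false, reason: 'socket-risk',
             message: 'Socket detected supply chain risks' };
  }
  return { ok: false, reason: 'npm-failed',
           message: 'npm install failed. See the error output above.' };
}

// What the install/outdated command should tell the user, branching on reason.
function retryAdvice(result) {
  if (result.ok) return null;
  if (result.reason === 'npm-failed') return 'Fix the npm error above and retry';
  return 'Review the flagged packages; --ignore <pkg> leaves them out of outdated, --force retries with SOCKET_CLI_ACCEPT_RISKS=1';
}

// Constructed outputs, not real tool transcripts.
const ERESOLVE_OUTPUT = [
  'npm ERR! code ERESOLVE',
  'npm ERR! ERESOLVE unable to resolve dependency tree',
  'npm ERR! peer react@"^18.0.0" from some-ui-lib@2.0.0',
  'npm WARN deprecated some-ui-lib@2.0.0: warning, no longer maintained',
].join('\n');
const RISK_BLOCK_OUTPUT = [
  'socket found 1 new risk in the install plan',
  '  some-pkg@1.2.3: runs an install script',
  'exiting due to risks',
].join('\n');
```

With the legacy regex the ERESOLVE transcript is misreported as a risk-block because of the word "warning"; with the narrowed regex it is classified as npm-failed.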

v2.1.1

03 Apr 02:11

Add npu audit command that runs socket npm audit against the current
dependency tree. Includes CLI alias, command implementation, and README docs.

v2.1.0

02 Apr 23:14

Integrate Socket CLI into install and outdated commands for supply chain
protection. All npm installs are wrapped with Socket to detect malicious
or compromised packages before installation.

  • Add socket.js lib for wrapping npm commands with Socket CLI
  • Add install command (npu i) with Socket protection and post-install audit
  • Outdated command backs up and restores package.json on failed installs
  • Add --ignore flag to exclude packages from outdated (e.g. --ignore mocha)
  • Trace and report which parent packages bring in flagged transitive deps
  • Suggest actionable commands (--ignore, --force, SOCKET_CLI_ACCEPT_RISKS)
  • Add --force flag to bypass Socket with SOCKET_CLI_ACCEPT_RISKS=1
  • Handle Ctrl+C gracefully instead of dumping stack traces
  • Remove .npmignore in favor of package.json files field
  • Add development section to README
  • Upgrade deps: node-powertools 3, npm-check-updates 20, mocha 11,
    prepare-package 2, @inquirer/prompts 8.3.2