Fixes the infinite Reconcile/Update loop in `npu outdated`: when node_modules is physically stale but the lockfiles already record newer versions (left behind by interrupted or Socket-blocked installs), `npm install pkg@version` reports "up to date" without installing anything. Every `npu out` action "succeeded" while node_modules never changed.

- Sync and Patch/Minor/Major installs now remove the targeted node_modules copies first (same stale-lockfile fix `npu install` got in 2.1.4) and verify the requested versions physically landed, erroring loudly on silent no-ops
- New integrity check on every `npu out` run: compares `node_modules/.package-lock.json` against the packages physically on disk (including transitive deps) and warns about desync; platform-skipped optional packages are ignored
- New Heal action (menu + `--heal` flag): removes desynced copies and reinstalls under Socket so disk matches the lockfile again, then re-verifies
- Reconcile is strictly ahead-only — no longer downgrades package.json to match a stale install; points at Sync instead
- New `--sync` shortcut flag for non-interactive syncs
- Failed/blocked installs restore package-lock.json alongside package.json so a failed run can't mint the desync; Socket blocks list flagged packages and suggest `socket npm update` for CVE-pinned transitive deps
- CLI bin exits cleanly (code 1) on failure instead of an unhandled rejection
- `npm test` script uses mocha from PATH (mocha ≥9 ships `bin/mocha.js`)
- Shared `lib/npm.js`: `removeInstalledCopies`, `removeLocations`, `findDesynced`, `verifyInstalled`