SocketDev · jdalton · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025
diff --git a/src/utils/alerts-map.mts b/src/utils/alerts-map.mts
@@ -27,7 +27,7 @@ import { isNonEmptyString } from '@socketsecurity/registry/lib/strings'
 import { findSocketYmlSync } from './config.mts'
 import { toFilterConfig } from './filter-config.mts'
 import { extractPurlsFromPnpmLockfile } from './pnpm.mts'
-import { getPublicApiToken, setupSdk } from './sdk.mts'
+import { setupSdk } from './sdk.mts'
 import { addArtifactToAlertsMap } from './socket-package-alert.mts'
 
 import type { CompactSocketArtifact } from './alert/artifact.mts'
@@ -91,7 +91,7 @@ export async function getAlertsMapFromPurls(
     opts.filter.fixable = true
   }
 
-  const { apiToken = getPublicApiToken(), spinner } = opts
+  const { apiToken, spinner } = opts
 
   const getText = () => `Looking up data for ${remaining} packages`
 

diff --git a/src/utils/alerts-map.test.mts b/src/utils/alerts-map.test.mts
@@ -0,0 +1,115 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+import { getAlertsMapFromPurls } from './alerts-map.mts'
+
+// Mock all dependencies with vi.hoisted for better type safety.
+const mockSetupSdk = vi.hoisted(() => vi.fn())
+const mockFindSocketYmlSync = vi.hoisted(() => vi.fn())
+const mockAddArtifactToAlertsMap = vi.hoisted(() => vi.fn())
+const mockBatchPackageStream = vi.hoisted(() => vi.fn())
+
+vi.mock('./sdk.mts', () => ({
+  setupSdk: mockSetupSdk,
+}))
+
+vi.mock('./config.mts', () => ({
+  findSocketYmlSync: mockFindSocketYmlSync,
+}))
+
+vi.mock('./socket-package-alert.mts', () => ({
+  addArtifactToAlertsMap: mockAddArtifactToAlertsMap,
+}))
+
+vi.mock('./filter-config.mts', () => ({
+  toFilterConfig: vi.fn(filter => filter || {}),
+}))
+
+describe('Alerts Map', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+
+    // Setup default mock implementations.
+    mockFindSocketYmlSync.mockReturnValue({ ok: false, data: undefined })
+    mockAddArtifactToAlertsMap.mockResolvedValue(undefined)
+
+    mockBatchPackageStream.mockImplementation(async function* () {
+      yield {
+        success: true,
+        data: {
+          alerts: [],
+          name: 'lodash',
+          purl: 'pkg:npm/[email protected]',
+          version: '4.17.21',
+        },
+      }
+    })
+
+    mockSetupSdk.mockResolvedValue({
+      ok: true,
+      data: {
+        batchPackageStream: mockBatchPackageStream,
+      },
+    })
+  })
+
+  describe('getAlertsMapFromPurls', () => {
+    it('should pass undefined apiToken to setupSdk when not provided', async () => {
+      const purls = ['pkg:npm/[email protected]']
+
+      await getAlertsMapFromPurls(purls, {
+        nothrow: true,
+      })
+
+      // setupSdk should be called with undefined apiToken to let it handle token resolution.
+      expect(mockSetupSdk).toHaveBeenCalledWith({ apiToken: undefined })
+    })
+
+    it('should pass provided apiToken to setupSdk when explicitly set', async () => {
+      const purls = ['pkg:npm/[email protected]']
+      const customToken = 'sktsec_test_custom_token'
+
+      await getAlertsMapFromPurls(purls, {
+        apiToken: customToken,
+        nothrow: true,
+      })
+
+      // setupSdk should be called with the custom token.
+      expect(mockSetupSdk).toHaveBeenCalledWith({ apiToken: customToken })
+    })
+
+    it('should return empty map when no purls provided', async () => {
+      const alertsMap = await getAlertsMapFromPurls([], {
+        nothrow: true,
+      })
+
+      expect(alertsMap).toBeInstanceOf(Map)
+      expect(alertsMap.size).toBe(0)
+      // setupSdk should not be called if there are no purls.
+      expect(mockSetupSdk).not.toHaveBeenCalled()
+    })
+
+    it('should process purls and return alerts map', async () => {
+      const purls = ['pkg:npm/[email protected]', 'pkg:npm/[email protected]']
+
+      const alertsMap = await getAlertsMapFromPurls(purls, {
+        nothrow: true,
+      })
+
+      expect(alertsMap).toBeInstanceOf(Map)
+      expect(mockSetupSdk).toHaveBeenCalledWith({ apiToken: undefined })
+      expect(mockBatchPackageStream).toHaveBeenCalled()
+    })
+
+    it('should handle filter options correctly', async () => {
+      const purls = ['pkg:npm/[email protected]']
+
+      await getAlertsMapFromPurls(purls, {
+        filter: { actions: ['error', 'warn'] },
+        nothrow: true,
+      })
+
+      expect(mockSetupSdk).toHaveBeenCalled()
+      expect(mockBatchPackageStream).toHaveBeenCalled()
+    })
+  })
+})
diff --git a/src/utils/pnpm-scanning.test.mts b/src/utils/pnpm-scanning.test.mts
@@ -3,7 +3,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 import { getAlertsMapFromPnpmLockfile } from './alerts-map.mts'
 import { extractPurlsFromPnpmLockfile, parsePnpmLockfile } from './pnpm.mts'
 
-// Mock all dependencies with vi.hoisted for better type safety
+// Mock all dependencies with vi.hoisted for better type safety.
 const mockGetPublicApiToken = vi.hoisted(() => vi.fn())
 const mockSetupSdk = vi.hoisted(() => vi.fn())
 const mockFindSocketYmlSync = vi.hoisted(() => vi.fn())
@@ -31,7 +31,7 @@ describe('PNPM Lockfile PURL Scanning', () => {
   beforeEach(() => {
     vi.clearAllMocks()
 
-    // Setup default mock implementations
+    // Setup default mock implementations.
     mockGetPublicApiToken.mockReturnValue('test-token')
     mockFindSocketYmlSync.mockReturnValue({ ok: false, data: undefined })
     mockAddArtifactToAlertsMap.mockResolvedValue(undefined)