@coana-tech/cli 14.12.129 → 14.12.131

package/cli.mjs

@@ -14560,8 +14560,8 @@ var require_follow_redirects = __commonJS({
       }
       return parsed;
     }
-    function resolveUrl(relative20, base) {
-      return useNativeURL ? new URL3(relative20, base) : parseUrl(url2.resolve(base, relative20));
+    function resolveUrl(relative23, base) {
+      return useNativeURL ? new URL3(relative23, base) : parseUrl(url2.resolve(base, relative23));
     }
     function validateUrl(input) {
       if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) {
@@ -70309,16 +70309,16 @@ var require_lockfile = __commonJS({
             if (process.platform === "win32") {
               yield fsSymlink(src, dest, "junction");
             } else {
-              let relative20;
+              let relative23;
               try {
-                relative20 = (_path2 || _load_path()).default.relative((_fs || _load_fs()).default.realpathSync((_path2 || _load_path()).default.dirname(dest)), (_fs || _load_fs()).default.realpathSync(src));
+                relative23 = (_path2 || _load_path()).default.relative((_fs || _load_fs()).default.realpathSync((_path2 || _load_path()).default.dirname(dest)), (_fs || _load_fs()).default.realpathSync(src));
               } catch (err) {
                 if (err.code !== "ENOENT") {
                   throw err;
                 }
-                relative20 = (_path2 || _load_path()).default.relative((_path2 || _load_path()).default.dirname(dest), src);
+                relative23 = (_path2 || _load_path()).default.relative((_path2 || _load_path()).default.dirname(dest), src);
               }
-              yield fsSymlink(relative20 || ".", dest);
+              yield fsSymlink(relative23 || ".", dest);
             }
           });
           return function symlink2(_x24, _x25) {
@@ -70345,17 +70345,17 @@ var require_lockfile = __commonJS({
                 _ref28 = _i14.value;
               }
               const name2 = _ref28;
-              const relative20 = relativeDir ? (_path2 || _load_path()).default.join(relativeDir, name2) : name2;
+              const relative23 = relativeDir ? (_path2 || _load_path()).default.join(relativeDir, name2) : name2;
               const loc = (_path2 || _load_path()).default.join(dir, name2);
               const stat6 = yield lstat3(loc);
               files.push({
-                relative: relative20,
+                relative: relative23,
                 basename: name2,
                 absolute: loc,
                 mtime: +stat6.mtime
               });
               if (stat6.isDirectory()) {
-                files = files.concat(yield walk(loc, relative20, ignoreBasenames));
+                files = files.concat(yield walk(loc, relative23, ignoreBasenames));
               }
             }
             return files;
@@ -73599,9 +73599,9 @@ var require_lockfile = __commonJS({
       /* 85 */
       /***/
       function(module3, exports3) {
-        module3.exports = function(exec4) {
+        module3.exports = function(exec5) {
           try {
-            return !!exec4();
+            return !!exec5();
           } catch (e) {
             return true;
           }
@@ -73733,9 +73733,9 @@ var require_lockfile = __commonJS({
       /* 104 */
       /***/
       function(module3, exports3) {
-        module3.exports = function(exec4) {
+        module3.exports = function(exec5) {
           try {
-            return { e: false, v: exec4() };
+            return { e: false, v: exec5() };
           } catch (e) {
             return { e: true, v: e };
           }
@@ -75208,7 +75208,7 @@ ${indent3}`);
           });
         } catch (e) {
         }
-        module3.exports = function(exec4, skipClosing) {
+        module3.exports = function(exec5, skipClosing) {
           if (!skipClosing && !SAFE_CLOSING) return false;
           var safe = false;
           try {
@@ -75220,7 +75220,7 @@ ${indent3}`);
             arr[ITERATOR] = function() {
               return iter;
             };
-            exec4(arr);
+            exec5(arr);
           } catch (e) {
           }
           return safe;
@@ -75543,8 +75543,8 @@ ${indent3}`);
         var USE_NATIVE = !!function() {
           try {
             var promise = $Promise.resolve(1);
-            var FakePromise = (promise.constructor = {})[__webpack_require__(13)("species")] = function(exec4) {
-              exec4(empty2, empty2);
+            var FakePromise = (promise.constructor = {})[__webpack_require__(13)("species")] = function(exec5) {
+              exec5(empty2, empty2);
             };
             return (isNode2 || typeof PromiseRejectionEvent == "function") && promise.then(empty2) instanceof FakePromise && v8.indexOf("6.6") !== 0 && userAgent.indexOf("Chrome/66") === -1;
           } catch (e) {
@@ -206687,6 +206687,13 @@ async function execNeverFail(cmd, dir, options) {
     childProcess.stdin?.end();
   });
 }
+async function exec(cmd, dir, options) {
+  const { error, stdout, stderr } = await execNeverFail(cmd, dir, options);
+  if (!error) return { stdout, stderr };
+  error.stdout = stdout;
+  error.stderr = stderr;
+  throw error;
+}
 async function runCommandResolveStdOut(cmd, dir, options) {
   const { stdout, error } = await execNeverFail(cmd, dir, options);
   if (error) throw error;
@@ -213305,6 +213312,17 @@ async function execNeverFail2(cmd, dir, options) {
   logger.debug(`Command ${formatCmd(cmd, dir)} finished ${result.error ? "with error" : "successfully"}`);
   return result;
 }
+async function exec2(cmd, dir, options) {
+  logger.debug(`Running command: ${formatCmd(cmd, dir)}`);
+  try {
+    const result = await exec(cmd, dir, options);
+    logger.debug(`Command ${formatCmd(cmd, dir)} finished successfully`);
+    return result;
+  } catch (error) {
+    logger.debug(`Command ${formatCmd(cmd, dir)} finished with error`);
+    throw error;
+  }
+}
 async function runCommandResolveStdOut2(cmd, dir, options) {
   logger.debug(`Running command: ${formatCmd(cmd, dir)}`);
   try {
@@ -213451,13 +213469,13 @@ var Diff = class {
       editLength++;
     };
     if (callback) {
-      (function exec4() {
+      (function exec5() {
         setTimeout(function() {
           if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
             return callback(void 0);
           }
           if (!execEditLength()) {
-            exec4();
+            exec5();
           }
         }, 0);
       })();
@@ -219898,7 +219916,7 @@ ${indent(1, indentationSize)}`)}
 import { existsSync as existsSync13 } from "fs";
 import { readFile as readFile18 } from "fs/promises";
 import assert10 from "node:assert";
-import { dirname as dirname14, join as join12, relative as relative7, resolve as resolve25 } from "path";
+import { dirname as dirname14, join as join12, relative as relative10, resolve as resolve25 } from "path";
 
 // ../utils/src/npm-utils.ts
 import { access as access2, constants as constants2 } from "fs/promises";
@@ -224561,10 +224579,10 @@ var Ignore = class {
   ignored(p3) {
     const fullpath = p3.fullpath();
     const fullpaths = `${fullpath}/`;
-    const relative20 = p3.relative() || ".";
-    const relatives = `${relative20}/`;
+    const relative23 = p3.relative() || ".";
+    const relatives = `${relative23}/`;
     for (const m4 of this.relative) {
-      if (m4.match(relative20) || m4.match(relatives))
+      if (m4.match(relative23) || m4.match(relatives))
         return true;
     }
     for (const m4 of this.absolute) {
@@ -224575,9 +224593,9 @@ var Ignore = class {
   }
   childrenIgnored(p3) {
     const fullpath = p3.fullpath() + "/";
-    const relative20 = (p3.relative() || ".") + "/";
+    const relative23 = (p3.relative() || ".") + "/";
     for (const m4 of this.relativeChildren) {
-      if (m4.match(relative20))
+      if (m4.match(relative23))
         return true;
     }
     for (const m4 of this.absoluteChildren) {
@@ -225788,7 +225806,7 @@ async function getYarnType(projectDir) {
 
 // ../fixing-management/src/fixing-management/npm/npm-fixing-manager.ts
 import { readFile as readFile15, writeFile as writeFile4 } from "fs/promises";
-import { resolve as resolve21 } from "path";
+import { relative as relative6, resolve as resolve21 } from "path";
 
 // ../fixing-management/src/fixing-management/npm/npm-ecosystem-fixing-manager.ts
 var NpmEcosystemFixingManager = class {
@@ -225813,7 +225831,12 @@ var NpmEcosystemFixingManager = class {
         signalFixApplied2?.(fixId, this.subprojectPath, workspacePath, vulnerabilityFixes);
       });
     });
-    await this.finalizeFixes();
+    try {
+      await this.finalizeFixes();
+    } catch (e) {
+      logCommandOutput({ error: e, stdout: e.stdout ?? "", stderr: e.stderr ?? "" }, "finalizeFixes", this.rootDir);
+      throw e;
+    }
   }
   async applySecurityFixesForWorkspace(workspacePath, fixes, dependencyTree, directDependencyToPackageType) {
     const that = this;
@@ -225867,14 +225890,18 @@ var NpmFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
   async finalizeFixes() {
-    logger.info(`Adjusting lock file using \`npm install\``);
-    await actuallyRunInstall(void 0, resolve21(this.rootDir, this.subprojectPath));
+    const cmd = cmdt`${await getNpmBin()} install --package-lock-only --ignore-scripts --no-fund --no-audit --no-progress`;
+    logger.info(`Adjusting lock file by running '${cmd}'`);
+    await exec2(cmd, resolve21(this.rootDir, this.subprojectPath));
+    logger.info(
+      `Run 'npm install' in '${relative6(this.rootDir, this.subprojectPath) || "."}' to install the updated dependencies`
+    );
   }
 };
 
 // ../fixing-management/src/fixing-management/npm/pnpm-fixing-manager.ts
 import { readFile as readFile16, writeFile as writeFile5 } from "fs/promises";
-import { resolve as resolve22 } from "path";
+import { relative as relative7, resolve as resolve22 } from "path";
 var import_yaml = __toESM(require_dist10(), 1);
 var import_lockfile_file2 = __toESM(require_lib25(), 1);
 import { existsSync as existsSync11 } from "fs";
@@ -226006,12 +226033,12 @@ var PnpmFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
   async finalizeFixes() {
-    const cmd = cmdt`pnpm install --ignore-scripts --fix-lockfile --config.confirmModulesPurge=false `;
-    logger.info(`Adjusting lock file changes by running '${cmd}'`);
-    const result = await execAndLogOnFailure2(cmd, resolve22(this.rootDir, this.subprojectPath));
-    if (!result) {
-      throw new Error(`Failed to install packages`);
-    }
+    const cmd = cmdt`pnpm install --lockfile-only --fix-lockfile --config.confirmModulesPurge=false`;
+    logger.info(`Adjusting lock file by running '${cmd}'`);
+    await exec2(cmd, resolve22(this.rootDir, this.subprojectPath));
+    logger.info(
+      `Run 'pnpm install' in '${relative7(this.rootDir, this.subprojectPath) || "."}' to install the updated dependencies`
+    );
   }
 };
 function getVersionNumber(version4) {
@@ -226058,10 +226085,10 @@ function updateCatalog(update3, map2) {
 
 // ../fixing-management/src/fixing-management/npm/yarn-fixing-manager.ts
 import { readFile as readFile17, writeFile as writeFile6 } from "fs/promises";
-import { resolve as resolve24 } from "path";
+import { relative as relative9, resolve as resolve24 } from "path";
 
 // ../utils/src/package-utils.ts
-import { parse as parse7, join as join11, resolve as resolve23, normalize as normalize3, dirname as dirname13, basename as basename6, relative as relative6 } from "path";
+import { parse as parse7, join as join11, resolve as resolve23, normalize as normalize3, dirname as dirname13, basename as basename6, relative as relative8 } from "path";
 import { existsSync as existsSync12, readFileSync as readFileSync3, readdirSync as readdirSync3, statSync as statSync4, writeFileSync as writeFileSync2 } from "fs";
 function setFieldInPackageJson(workspaceRoot, field, value2) {
   const packageJSONContentObj = getPackageJsonObject2(workspaceRoot);
@@ -226259,8 +226286,29 @@ var YarnFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
   async finalizeFixes() {
-    logger.info(`Adjusting lock file changes by running a yarn dependency install command`);
-    await this.installPackages();
+    const runYarnCommandOrThrow = async (cmd, dir, options) => {
+      const result = await this.runYarnCommand(cmd, dir, options);
+      if (result.error) {
+        const error = result.error;
+        error.stdout = result.stdout;
+        error.stderr = result.stderr;
+        throw error;
+      }
+    };
+    const yarnType = await this.getYarnType();
+    if (yarnType === "berry") {
+      const env = { ...process.env, YARN_ENABLE_SCRIPTS: "false", YARN_NODE_LINKER: "node-modules" };
+      const cmd = cmdt`yarn install --mode=update-lockfile`;
+      logger.info(`Adjusting lock file by running '${cmd}'`);
+      await runYarnCommandOrThrow(cmd, resolve24(this.rootDir, this.subprojectPath), { env });
+      logger.info(
+        `Run 'yarn install' in '${relative9(this.rootDir, this.subprojectPath) || "."}' to install the updated dependencies`
+      );
+    } else {
+      const cmd = cmdt`yarn install --ignore-scripts --noninteractive`;
+      logger.info(`Adjusting lock file by running '${cmd}'`);
+      await runYarnCommandOrThrow(cmd, resolve24(this.rootDir, this.subprojectPath));
+    }
   }
 };
 
@@ -226333,7 +226381,7 @@ var NpmSocketUpgradeManager = class {
         if (!subprojectToUpgrade.has(subprojectDir)) {
           subprojectToUpgrade.set(subprojectDir, /* @__PURE__ */ new Map());
         }
-        const workspacePath = relative7(subprojectDir, packageJsonDir) || ".";
+        const workspacePath = relative10(subprojectDir, packageJsonDir) || ".";
         if (!subprojectToUpgrade.get(subprojectDir)?.has(workspacePath)) {
           subprojectToUpgrade.get(subprojectDir)?.set(workspacePath, []);
         }
@@ -226408,6 +226456,7 @@ var NpmSocketUpgradeManager = class {
         status: "error",
         file: lockfilePath,
         message: `Failed to finalize lockfile: ${e.message}`,
+        details: e.stderr,
         artifacts: i3(allUpgrades.map((u8) => u8.idx))
       });
       throw e;
@@ -226824,7 +226873,7 @@ import { dirname as dirname16, resolve as resolve27 } from "node:path";
 // ../utils/src/nuget-project-utils.ts
 var import_parse_xml3 = __toESM(require_dist(), 1);
 import { readFile as readFile20 } from "node:fs/promises";
-import { dirname as dirname15, join as join15, relative as relative8, resolve as resolve26, basename as basename8, extname } from "node:path";
+import { dirname as dirname15, join as join15, relative as relative11, resolve as resolve26, basename as basename8, extname } from "node:path";
 import { existsSync as existsSync14 } from "node:fs";
 
 // ../utils/dist/version-comparison/version-satisfies.js
@@ -228409,7 +228458,7 @@ async function loadNuGetProjectOrTarget(rootDir, projectFile, mainProject, visit
       });
       currentProject.sourceFiles.push(...files);
     } catch (err) {
-      logger.debug(`Failed to glob default pattern for ${relative8(rootDir, validatedProjectPath)}: ${err}`);
+      logger.debug(`Failed to glob default pattern for ${relative11(rootDir, validatedProjectPath)}: ${err}`);
     }
   }
   mainProject ??= currentProject;
@@ -228672,11 +228721,11 @@ async function handleCompileItem(project, child) {
       } catch (err) {
         if (evaluatedExclude) {
           logger.debug(
-            `Failed to glob Compile Include ${includePatterns}, Exclude ${excludePatterns} in ${relative8(project.rootDir, project.validatedProjectPath)}: ${err}`
+            `Failed to glob Compile Include ${includePatterns}, Exclude ${excludePatterns} in ${relative11(project.rootDir, project.validatedProjectPath)}: ${err}`
           );
         } else {
           logger.debug(
-            `Failed to glob Compile Include ${includePatterns} in ${relative8(project.rootDir, project.validatedProjectPath)}: ${err}`
+            `Failed to glob Compile Include ${includePatterns} in ${relative11(project.rootDir, project.validatedProjectPath)}: ${err}`
           );
         }
       }
@@ -228696,7 +228745,7 @@ async function handleCompileItem(project, child) {
         project.sourceFiles = project.sourceFiles.filter((f6) => !removeSet.has(f6));
       } catch (err) {
         logger.debug(
-          `Failed to glob Compile Remove pattern ${evaluatedRemove} in ${relative8(project.rootDir, project.validatedProjectPath)}: ${err}`
+          `Failed to glob Compile Remove pattern ${evaluatedRemove} in ${relative11(project.rootDir, project.validatedProjectPath)}: ${err}`
         );
       }
     }
@@ -228706,7 +228755,7 @@ function handlePropertyGroupElement(project, propertyGroup) {
   const condition = createAttributeMap(propertyGroup, project.sourceText).get("Condition");
   if (condition) {
     logger.debug(
-      `Skipping conditional property group ${propertyGroup.name} (${propertyGroup.start}, ${propertyGroup.end}) with condition ${condition.text} in file ${relative8(project.rootDir, project.validatedProjectPath)}`
+      `Skipping conditional property group ${propertyGroup.name} (${propertyGroup.start}, ${propertyGroup.end}) with condition ${condition.text} in file ${relative11(project.rootDir, project.validatedProjectPath)}`
     );
     return;
   }
@@ -228716,7 +228765,7 @@ function handlePropertyGroupElement(project, propertyGroup) {
     const condition2 = createAttributeMap(propertyElement, project.sourceText).get("Condition");
     if (condition2) {
       logger.debug(
-        `Skipping conditional property ${propertyElement.name} (${propertyElement.start}, ${propertyElement.end}) with condition ${condition2.text} in file ${relative8(project.rootDir, project.validatedProjectPath)}`
+        `Skipping conditional property ${propertyElement.name} (${propertyElement.start}, ${propertyElement.end}) with condition ${condition2.text} in file ${relative11(project.rootDir, project.validatedProjectPath)}`
       );
       continue;
     }
@@ -228786,7 +228835,7 @@ function evaluate3(expression, project) {
   function evaluateWithContext(value2, depth) {
     if (depth > 50) {
       logger.warn(
-        `Recursion limit hit while evaluating expression ${expression} in project ${relative8(project.rootDir, project.validatedProjectPath)}`
+        `Recursion limit hit while evaluating expression ${expression} in project ${relative11(project.rootDir, project.validatedProjectPath)}`
       );
       isFullyEvaluated = false;
       return value2;
@@ -228797,7 +228846,7 @@ function evaluate3(expression, project) {
         return evaluateWithContext(property.text, depth + 1);
       } else {
         logger.debug(
-          `Unknown property ${propertyName} for project ${relative8(project.rootDir, project.validatedProjectPath)}`
+          `Unknown property ${propertyName} for project ${relative11(project.rootDir, project.validatedProjectPath)}`
         );
         isFullyEvaluated = false;
         return "";
@@ -229271,7 +229320,7 @@ var NuGetSocketUpgradeManager = class {
 };
 
 // ../fixing-management/src/fixing-management/rust/cargo-socket-upgrade-manager.ts
-import { dirname as dirname18, relative as relative9, resolve as resolve29 } from "node:path";
+import { dirname as dirname18, relative as relative12, resolve as resolve29 } from "node:path";
 var import_picomatch6 = __toESM(require_picomatch2(), 1);
 var import_semver4 = __toESM(require_semver2(), 1);
 import assert12 from "node:assert";
@@ -229423,14 +229472,14 @@ var CargoSocketUpgradeManager = class {
         await writeFile8(path9, content);
         ctxt.statusUpdater?.({
           status: "success",
-          file: relative9(this.rootDir, path9),
+          file: relative12(this.rootDir, path9),
           message: "File restored",
           artifacts: i3(artifacts)
         });
       } catch (e) {
         ctxt.statusUpdater?.({
           status: "error",
-          file: relative9(this.rootDir, path9),
+          file: relative12(this.rootDir, path9),
           message: "Could not restore file",
           artifacts: i3(artifacts)
         });
@@ -229629,7 +229678,7 @@ ${newDependencyLine}`
 };
 
 // ../fixing-management/src/fixing-management/pip/pip-socket-upgrade-manager.ts
-import { dirname as dirname20, relative as relative10, resolve as resolve32 } from "node:path";
+import { dirname as dirname20, relative as relative13, resolve as resolve32 } from "node:path";
 var import_picomatch8 = __toESM(require_picomatch2(), 1);
 import assert13 from "node:assert";
 import { readFile as readFile25, writeFile as writeFile9 } from "node:fs/promises";
@@ -230146,14 +230195,14 @@ var PipSocketUpgradeManager = class {
         await writeFile9(path9, content);
         ctxt.statusUpdater?.({
           status: "success",
-          file: relative10(this.rootDir, path9),
+          file: relative13(this.rootDir, path9),
           message: "File restored",
           artifacts: i3(artifacts)
         });
       } catch (e) {
         ctxt.statusUpdater?.({
           status: "error",
-          file: relative10(this.rootDir, path9),
+          file: relative13(this.rootDir, path9),
           message: "Could not restore file",
           artifacts: i3(artifacts)
         });
@@ -230591,14 +230640,14 @@ function satisfiestVersionSpecs(version4, versionSpec) {
 }
 
 // ../fixing-management/src/fixing-management/rubygems/rubygems-socket-upgrade-manager.ts
-import { dirname as dirname22, relative as relative12, resolve as resolve34 } from "node:path";
+import { dirname as dirname22, relative as relative15, resolve as resolve34 } from "node:path";
 var import_picomatch9 = __toESM(require_picomatch2(), 1);
 import assert14 from "node:assert";
 
 // ../fixing-management/src/fixing-management/rubygems/gemfile-utils.ts
 var import_good_enough_parser4 = __toESM(require_cjs(), 1);
 init_ruby_lang();
-import { resolve as resolve33, dirname as dirname21, relative as relative11 } from "node:path";
+import { resolve as resolve33, dirname as dirname21, relative as relative14 } from "node:path";
 import { existsSync as existsSync16, readFileSync as readFileSync4, readdirSync as readdirSync4 } from "node:fs";
 init_gemspec_utils();
 var booleanQuery2 = import_good_enough_parser4.query.alt(
@@ -230707,13 +230756,13 @@ var evalGemfileQuery = import_good_enough_parser4.query.sym("eval_gemfile").join
   ctx.exprEndOffset = void 0;
   if (ctx.depth > 50) {
     logger.warn(
-      `Recursion limit hit while evaluating gemfile: ${relative11(ctx.gemfile.rootDir, resolve33(ctx.gemfile.rootDir, ctx.gemfile.file))}`
+      `Recursion limit hit while evaluating gemfile: ${relative14(ctx.gemfile.rootDir, resolve33(ctx.gemfile.rootDir, ctx.gemfile.file))}`
     );
     return ctx;
   }
   if (pathEvaluated === void 0) return ctx;
   const rootDir = ctx.gemfile.rootDir;
-  const file = relative11(rootDir, resolve33(rootDir, dirname21(ctx.gemfile.file), pathEvaluated));
+  const file = relative14(rootDir, resolve33(rootDir, dirname21(ctx.gemfile.file), pathEvaluated));
   if (!existsSync16(resolve33(rootDir, file))) return ctx;
   const sourceText = readFileSync4(resolve33(rootDir, file), "utf-8");
   const parser2 = import_good_enough_parser4.lang.createLang(lang3);
@@ -230766,7 +230815,7 @@ var gemspecQuery = import_good_enough_parser4.query.sym("gemspec").opt(
 ).handler((ctx) => {
   if (ctx.depth > 50) {
     logger.warn(
-      `Recursion limit hit while evaluating gemspec: ${relative11(ctx.gemfile.rootDir, resolve33(ctx.gemfile.rootDir, ctx.gemfile.file))}`
+      `Recursion limit hit while evaluating gemspec: ${relative14(ctx.gemfile.rootDir, resolve33(ctx.gemfile.rootDir, ctx.gemfile.file))}`
     );
     ctx.currentGem = void 0;
     return ctx;
@@ -230805,7 +230854,7 @@ var gemspecQuery = import_good_enough_parser4.query.sym("gemspec").opt(
   if (gemspecFiles.length === 0) return ctx;
   const gemspecFile = gemspecFiles[0];
   const gemspecFullPath = resolve33(searchDir, gemspecFile);
-  const gemspecRelativePath = relative11(rootDir, gemspecFullPath);
+  const gemspecRelativePath = relative14(rootDir, gemspecFullPath);
   try {
     const sourceText = readFileSync4(gemspecFullPath, "utf-8");
     const gemspec = parseGemspec(rootDir, gemspecRelativePath, sourceText);
@@ -231181,7 +231230,7 @@ var RubygemsSocketUpgradeManager = class {
             });
             continue;
           }
-          const gemfileName = relative12(this.rootDir, resolve34(this.rootDir, dirname22(mf.file), "Gemfile"));
+          const gemfileName = relative15(this.rootDir, resolve34(this.rootDir, dirname22(mf.file), "Gemfile"));
           gemfileToLockfile.set(gemfileName, mf.file);
           if (pathGems.length > 0) {
             const { gemspecPatches, gemfilePatches } = await this.handleGemspecDependency(
@@ -231260,14 +231309,14 @@ var RubygemsSocketUpgradeManager = class {
         await writeFile10(path9, content);
         ctxt.statusUpdater?.({
           status: "success",
-          file: relative12(this.rootDir, path9),
+          file: relative15(this.rootDir, path9),
           message: "File restored",
           artifacts: i3(artifacts)
         });
       } catch (e) {
         ctxt.statusUpdater?.({
           status: "error",
-          file: relative12(this.rootDir, path9),
+          file: relative15(this.rootDir, path9),
           message: "Could not restore file",
           artifacts: i3(artifacts)
         });
@@ -231532,7 +231581,7 @@ var import_lodash7 = __toESM(require_lodash(), 1);
 var import_micromatch2 = __toESM(require_micromatch(), 1);
 import { existsSync as existsSync17 } from "fs";
 import { access as access4, cp as cp3, readdir as readdir4, stat as stat4 } from "fs/promises";
-import { basename as basename9, join as join17, relative as relative13, resolve as resolve35 } from "path";
+import { basename as basename9, join as join17, relative as relative16, resolve as resolve35 } from "path";
 var { uniq: uniq2 } = import_lodash7.default;
 var { isMatch: isMatch2 } = import_micromatch2.default;
 function* parents2(dir) {
@@ -232105,12 +232154,12 @@ import { rmSync } from "fs";
 import { mkdir as mkdir5, readFile as readFile30, writeFile as writeFile11 } from "fs/promises";
 import assert15 from "node:assert";
 import { platform as platform6 } from "os";
-import { join as join24, posix as posix2, relative as relative15, sep as sep3 } from "path";
+import { join as join24, posix as posix2, relative as relative18, sep as sep3 } from "path";
 
 // ../utils/src/tmp-file.ts
 import { rm, mkdtemp, cp as cp4, lstat as lstat2 } from "fs/promises";
 import { tmpdir as tmpdir2 } from "os";
-import { join as join22, relative as relative14, sep as sep2, extname as extname2 } from "path";
+import { join as join22, relative as relative17, sep as sep2, extname as extname2 } from "path";
 async function createTmpDirectory(prefix) {
   try {
     const tmpDir = await mkdtemp(join22(tmpdir2(), prefix));
@@ -232147,7 +232196,7 @@ async function copyForNpmAnalysis(srcDir, prefix) {
       verbatimSymlinks: true,
       // Preserve symlinks as symlinks instead of dereferencing them
       filter: async (src) => {
-        const relativePath = relative14(srcDir, src);
+        const relativePath = relative17(srcDir, src);
         if (relativePath === "") return true;
         const pathSegments = relativePath.split(sep2);
         if (pathSegments.some((segment) => EXCLUDED_DIRECTORIES.has(segment))) {
@@ -232528,7 +232577,7 @@ var OtherModulesCommunicator = class {
     }
     if (cmd === "getWorkspacePathsMultipleSubprojects")
       return `${_cmdStr()}: (${packageManagerName}) ${abbreviateList(subprojects, 10)}`;
-    return `${_cmdStr()}: (${packageManagerName}) ${relative15(this.rootWorkingDir, subprojectPath) || "."}`;
+    return `${_cmdStr()}: (${packageManagerName}) ${relative18(this.rootWorkingDir, subprojectPath) || "."}`;
   }
   getSpinnerTextForReachabilityAnalyzerCommand(cmd, ecosystem, subprojectPath, workspacePath) {
     function _cmdStr() {
@@ -232541,10 +232590,10 @@ var OtherModulesCommunicator = class {
           return "Running reachability analysis on package registry package";
       }
     }
-    return `${_cmdStr()}: (${ecosystem}) ${relative15(this.rootWorkingDir, join24(subprojectPath, workspacePath)) || "."}`;
+    return `${_cmdStr()}: (${ecosystem}) ${relative18(this.rootWorkingDir, join24(subprojectPath, workspacePath)) || "."}`;
   }
   getProjectPath(subprojectPath) {
-    return this.options.runWithoutDocker ? subprojectPath : posix2.resolve("/project", relative15(this.rootWorkingDir, subprojectPath).replaceAll(sep3, posix2.sep));
+    return this.options.runWithoutDocker ? subprojectPath : posix2.resolve("/project", relative18(this.rootWorkingDir, subprojectPath).replaceAll(sep3, posix2.sep));
   }
   // options shared between package-management and reachability-analyzers
   commonOptions = once7(
@@ -232697,7 +232746,7 @@ var OtherModulesCommunicator = class {
       "getWorkspacePathsMultipleSubprojects",
       packageManagerName,
       this.rootWorkingDir,
-      subprojectPaths.map((subprojectPath) => relative15(this.rootWorkingDir, subprojectPath) || ".")
+      subprojectPaths.map((subprojectPath) => relative18(this.rootWorkingDir, subprojectPath) || ".")
     );
   }
   async getProvidedArgsForSubproject(subprojectPath, providedOptions) {
@@ -234038,16 +234087,16 @@ function getVulnerabilitiesFromReport(report) {
 var import_packageurl_js = __toESM(require_packageurl_js(), 1);
 
 // dist/cli-upgrade-purl.js
-import { join as join27, relative as relative18, resolve as resolve41 } from "node:path";
+import { join as join27, relative as relative21, resolve as resolve41 } from "node:path";
 var import_picomatch10 = __toESM(require_picomatch2(), 1);
 
 // ../project-management/src/project-management/project-manager.ts
-import { relative as relative17, resolve as resolve40 } from "path";
+import { relative as relative20, resolve as resolve40 } from "path";
 
 // ../project-management/src/project-management/ecosystem-management/ecosystem-manager.ts
 var import_micromatch3 = __toESM(require_micromatch2(), 1);
 import { readdir as readdir6 } from "fs/promises";
-import { join as join26, relative as relative16, resolve as resolve39 } from "path";
+import { join as join26, relative as relative19, resolve as resolve39 } from "path";
 
 // ../project-management/src/project-management/ecosystem-management/ecosystem-specs.ts
 import { existsSync as existsSync21 } from "fs";
@@ -234185,7 +234234,7 @@ var EcosystemManager = class _EcosystemManager {
           const resolvedProjectDir = resolve39(mainProjectDir, relativeProjectDir);
           if (config3.includeDirs.length > 0)
             workspacePaths = workspacePaths.filter(
-              (workspacePath) => isMatch3(relative16(mainProjectDir, join26(resolvedProjectDir, workspacePath)), config3.includeDirs)
+              (workspacePath) => isMatch3(relative19(mainProjectDir, join26(resolvedProjectDir, workspacePath)), config3.includeDirs)
             );
           workspacePaths.filter((workspacePath) => workspacePath !== ".").forEach((workspacePath) => projectDirsAlreadyCovered.push(resolve39(resolvedProjectDir, workspacePath)));
           if (workspacePaths.length > 0)
@@ -234226,7 +234275,7 @@ var EcosystemManager = class _EcosystemManager {
         return typeof packageManagerNameProvider === "function" ? await packageManagerNameProvider(projectDir) : packageManagerNameProvider;
       } catch (e) {
         if (e instanceof InvalidProjectFileError) {
-          const projectDirRelative = relative16(mainProjectDir, projectDir) || ".";
+          const projectDirRelative = relative19(mainProjectDir, projectDir) || ".";
           logger.error(
             `Invalid ${e.fileName} file in ${projectDirRelative}. If the project is intentionally invalid, and you want Coana to skip it in the scan, then add "--exclude-dirs ${projectDirRelative}" to the Coana command.`
           );
@@ -234318,7 +234367,7 @@ function shouldIgnoreDir(dir) {
   return dirsToIgnore.includes(dir);
 }
 function shouldIgnoreDueToExcludeDirsOrChangedFiles({ mainProjectDir, excludeDirs, changedFiles }, fullPath) {
-  const relativeToProjectDir = relative16(mainProjectDir, fullPath) || ".";
+  const relativeToProjectDir = relative19(mainProjectDir, fullPath) || ".";
   return !!(isMatch3(relativeToProjectDir, excludeDirs) || changedFiles && !changedFiles.some((changedFile) => changedFile.startsWith(relativeToProjectDir)));
 }
 
@@ -234366,7 +234415,7 @@ var ProjectManager = class _ProjectManager {
       if (subprojects.length === 0) return void 0;
       return `  ${ecosystem}:
 ${subprojects.map(
-        ({ subprojectPath, workspacePaths }) => `    ${relative17(this.projectDir, subprojectPath) || ". (Root)"}${workspacePaths.length > 1 || workspacePaths[0] !== "." ? ` (${workspacePaths.length} ${ecosystem === "MAVEN" ? "modules" : "workspaces"})` : ""}`
+        ({ subprojectPath, workspacePaths }) => `    ${relative20(this.projectDir, subprojectPath) || ". (Root)"}${workspacePaths.length > 1 || workspacePaths[0] !== "." ? ` (${workspacePaths.length} ${ecosystem === "MAVEN" ? "modules" : "workspaces"})` : ""}`
       ).join("\n")}`;
     }).filter((line) => line).join("\n");
     const detailsString = Object.entries(this.ecosystemToEcosystemManager).map(([ecosystem, manager]) => {
@@ -234374,7 +234423,7 @@ ${subprojects.map(
       if (subprojects.length === 0) return void 0;
       const subprojectsString = subprojects.map(({ subprojectPath, workspacePaths, packageManagerName }) => {
         if (workspacePaths.length === 1 && workspacePaths[0] === ".") return void 0;
-        return `    ${relative17(this.projectDir, subprojectPath) || ". (Root)"}
+        return `    ${relative20(this.projectDir, subprojectPath) || ". (Root)"}
 ${workspacePaths.map((ws) => `      ${ws === "." ? ". (Root)" : ws} - ${packageManagerName}`).join("\n")}`;
       }).filter((line) => line).join("\n");
       if (!subprojectsString) return void 0;
@@ -234530,7 +234579,7 @@ ${Array.from(upgrades).map(([idx, upgradeVersion]) => `	${prettyPrintPurlUpgrade
             warn: "\u26A0\uFE0F",
             error: "\u274C"
           };
-          logger.info(`${statusIcons[update3.status]} ${update3.message} \u2500 ${relative18(rootDir, resolve41(rootDir, update3.file))}`);
+          logger.info(`${statusIcons[update3.status]} ${update3.message} \u2500 ${relative21(rootDir, resolve41(rootDir, update3.file))}`);
           update3.artifacts.forEach((idx, i7) => {
             logger.info(`${" ".repeat(3)}${i7 === update3.artifacts.length - 1 ? "\u2514\u2500" : "\u251C\u2500"} ${prettyPrintSocketFactArtifactUpgrade(artifacts[idx], upgrades2.get(idx))}`);
           });
@@ -234584,7 +234633,7 @@ ${Array.from(upgrades).map(([idx, upgradeVersion]) => `	${prettyPrintPurlUpgrade
     const subprojectPromiseQueue = new PromiseQueue(Number(options.concurrency));
     supportedSubprojects.forEach((subproject) => {
       subprojectPromiseQueue.enqueueTask(async () => {
-        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => wsFilter(relative18(rootDir, resolve41(rootDir, subproject.subprojectPath, wsPath)) || "."));
+        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => wsFilter(relative21(rootDir, resolve41(rootDir, subproject.subprojectPath, wsPath)) || "."));
         if (workspacePathsMatchingGlob.length === 0)
           return;
         const filterDescription = options.include !== void 0 || options.exclude !== void 0 ? `matching filters ${options.include ? `include: [${options.include.join(", ")}]` : ""}${options.include && options.exclude ? " " : ""}${options.exclude ? `exclude: [${options.exclude.join(", ")}]` : ""}` : "";
@@ -234626,7 +234675,7 @@ ${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
           logger.info(`No dependencies matching upgrade specs found for subproject ${subproject.subprojectPath}`);
           return;
         }
-        await applySecurityFixes(subproject.packageManagerName, rootDir, relative18(rootDir, subproject.subprojectPath) || ".", otherModulesCommunicator, workspaceToFixes, fixingData, signalFixApplied);
+        await applySecurityFixes(subproject.packageManagerName, rootDir, relative21(rootDir, subproject.subprojectPath) || ".", otherModulesCommunicator, workspaceToFixes, fixingData, signalFixApplied);
       });
     });
     await subprojectPromiseQueue.onIdle();
@@ -234946,7 +234995,7 @@ var kleur_default = $;
 // dist/cli-core.js
 var import_lodash15 = __toESM(require_lodash(), 1);
 import os from "os";
-import { join as join30, relative as relative19, resolve as resolve43 } from "path";
+import { join as join30, relative as relative22, resolve as resolve43 } from "path";
 
 // ../utils/src/dashboard-api/shared-api.ts
 var DashboardAPI = class {
@@ -236227,7 +236276,7 @@ function getMongoClient() {
 }
 
 // ../security-auditor/security-auditor-api/src/vulnerability-patterns-helper/get-interesting-urls-for-vulnerability.ts
-import { exec as exec3 } from "child_process";
+import { exec as exec4 } from "child_process";
 import { promisify } from "util";
 
 // ../../node_modules/.pnpm/cheerio@1.0.0-rc.12/node_modules/cheerio/lib/esm/options.js
@@ -237868,10 +237917,10 @@ function compareDocumentPosition(nodeA, nodeB) {
 function uniqueSort(nodes) {
   nodes = nodes.filter((node, i7, arr) => !arr.includes(node, i7 + 1));
   nodes.sort((a4, b) => {
-    const relative20 = compareDocumentPosition(a4, b);
-    if (relative20 & DocumentPosition.PRECEDING) {
+    const relative23 = compareDocumentPosition(a4, b);
+    if (relative23 & DocumentPosition.PRECEDING) {
       return -1;
-    } else if (relative20 & DocumentPosition.FOLLOWING) {
+    } else if (relative23 & DocumentPosition.FOLLOWING) {
       return 1;
     }
     return 0;
@@ -249823,7 +249872,7 @@ async function getInterestingURLsForVulnerability(vulnerability, packageMetadata
 }
 async function computeComparisonURLs(scmUrl, vulnAndFixVersionsArr) {
   try {
-    const gitTags = (await promisify(exec3)(`git ls-remote ${scmUrl} | grep -F "refs/tags"`)).stdout.split("\n");
+    const gitTags = (await promisify(exec4)(`git ls-remote ${scmUrl} | grep -F "refs/tags"`)).stdout.split("\n");
     logger3.debug("gitTags", gitTags);
     logger3.debug("vulnAndFixVersionsArr", vulnAndFixVersionsArr);
     const versionToSha = {};
@@ -249858,7 +249907,7 @@ async function computeInterestingCommitURLs(text3, scmUrl) {
     const repo = scmUrl.split("/").slice(-2).join("/");
     const cmd = `gh search commits ${text3} --repo ${repo}`;
     logger3.debug(`Finding issue or PR url for text ${text3}`, cmd);
-    const { stdout } = await promisify(exec3)(cmd, { shell: "/bin/zsh" });
+    const { stdout } = await promisify(exec4)(cmd, { shell: "/bin/zsh" });
     return stdout.split("\n").filter((line) => line).map((line) => {
       const [repo2, sha] = line.split("	");
       return `https://www.github.com/${repo2}/commit/${sha}`;
@@ -249872,7 +249921,7 @@ async function computeInterestingIssueAndPRUrlsWithText(text3, scmUrl) {
   const repo = scmUrl.split("/").slice(-2).join("/");
   const cmd = `gh search issues ${text3} in:title,body,comment --repo ${repo} --include-prs`;
   console.log(`Finding issue or PR url for text ${text3}`, cmd);
-  const { stdout } = await promisify(exec3)(cmd, { shell: "/bin/zsh" });
+  const { stdout } = await promisify(exec4)(cmd, { shell: "/bin/zsh" });
   return stdout.split("\n").filter((line) => line).map((line) => {
     const [issueOrPr, repo2, id] = line.split("	");
     const issueOrPrUrlPart = issueOrPr === "issue" ? "issues" : "pull";
@@ -251101,7 +251150,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.129";
+var version3 = "14.12.131";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;
@@ -251494,7 +251543,7 @@ var CliCore = class {
     const { reachabilitySupport, traditionalScaSupport, noSupport } = manager.getSubprojectsWithWorkspacePaths();
     await this.dashboardAPI.registerSubprojects([...reachabilitySupport, ...traditionalScaSupport, ...noSupport].map((sp) => ({
       ...sp,
-      subprojectPath: relative19(this.rootWorkingDirectory, sp.subprojectPath) || "."
+      subprojectPath: relative22(this.rootWorkingDirectory, sp.subprojectPath) || "."
     })), this.reportId, this.apiKey);
     for (const unsupported of noSupport)
       logger.warn(unsupported.unsupportedMsg);
@@ -251523,7 +251572,7 @@ var CliCore = class {
           await this.spinner.succeed();
         } catch (error) {
           if (this.options.ignoreFailingWorkspaces) {
-            const relativeSubprojectPath = relative19(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
+            const relativeSubprojectPath = relative22(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
             this.failedSubprojects.push({
               subproject: relativeSubprojectPath,
               error: error.message || "Unknown error"
@@ -251582,7 +251631,7 @@ Subproject: ${subproject}`);
   }
   async updateSpinnerTextOnNewSubproject(subprojectAndWsPath, numberSubprojects, index2) {
     this.spinner.start();
-    const relativeSubprojectPath = relative19(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
+    const relativeSubprojectPath = relative22(this.rootWorkingDirectory, subprojectAndWsPath.subprojectPath) || ".";
     await this.spinner.setText(numberSubprojects > 1 ? `Processing subproject ${relativeSubprojectPath} (${index2 + 1}/${numberSubprojects})${+this.options.concurrency > 1 ? `. May process up to ${+this.options.concurrency - 1} other workspaces in parallel` : ""}` : `Processing ${relativeSubprojectPath}`);
   }
   async initialize() {
@@ -251664,7 +251713,7 @@ Subproject: ${subproject}`);
         return workspaceToAugmentedVulnerabilities[workspacePath] !== void 0;
       }).map((workspacePath) => {
         return {
-          subprojectPath: relative19(this.rootWorkingDirectory, subprojectPath) || ".",
+          subprojectPath: relative22(this.rootWorkingDirectory, subprojectPath) || ".",
           workspacePath,
           directDependencies: projectInfo[workspacePath].dataForAnalysis.directDependenciesMap ?? {},
           vulnerabilities: workspaceToAugmentedVulnerabilities[workspacePath],
@@ -251879,7 +251928,8 @@ Subproject: ${subproject}`);
       printLogFile: this.options.printAnalysisLogFile,
       // entryPoints are only supported for root workspace atm.
       entryPoints: workspacePath === "." ? this.options.entryPoints : void 0,
-      excludeDirs: this.options.excludeDirs
+      excludeDirs: this.options.excludeDirs,
+      lazy: this.options.lazyMode
     }, {
       disableBucketing: !!this.options.disableAnalysisSplitting,
       lightweightReachability: this.options.lightweightReachability,
@@ -251892,7 +251942,7 @@ Subproject: ${subproject}`);
   async sendProgress(type, isStartEvent, subprojectPath, workspacePath) {
     await this.dashboardAPI.registerCLIProgress({
       type,
-      ...subprojectPath ? { subprojectPath: relative19(this.rootWorkingDirectory, subprojectPath) || "." } : {},
+      ...subprojectPath ? { subprojectPath: relative22(this.rootWorkingDirectory, subprojectPath) || "." } : {},
       ...workspacePath ? { workspacePath } : {}
     }, isStartEvent, this.reportId, this.apiKey);
   }
@@ -251948,7 +251998,7 @@ Subproject: ${subproject}`);
       dependencyTree: workspaceToPlainDependencyTree[workspacePath],
       ecosystem: workspaceToPlainDependencyTree[workspacePath].ecosystem ?? "NPM",
       workspacePath,
-      subprojectPath: relative19(rootWorkingDirectory, subprojectPath) || "."
+      subprojectPath: relative22(rootWorkingDirectory, subprojectPath) || "."
     }));
     if (this.options.socketMode) {
       this.reportDependencyTrees = workspacePaths.map((workspacePath) => ({
@@ -251956,7 +252006,7 @@ Subproject: ${subproject}`);
         dependencyTree: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree,
         ecosystem: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree.ecosystem ?? "NPM",
         workspacePath,
-        subprojectPath: relative19(rootWorkingDirectory, subprojectPath) || "."
+        subprojectPath: relative22(rootWorkingDirectory, subprojectPath) || "."
       }));
     }
     if (this.shareWithDashboard)
@@ -251972,7 +252022,7 @@ Subproject: ${subproject}`);
       } catch (e) {
         logger.error(`Scanning for vulnerabilities failed for subproject ${subprojectPath} in workspace ${workspacePath}`);
         if (this.options.ignoreFailingWorkspaces) {
-          const relativeSubprojectPath = relative19(this.rootWorkingDirectory, subprojectPath) || ".";
+          const relativeSubprojectPath = relative22(this.rootWorkingDirectory, subprojectPath) || ".";
           this.failedWorkspaces.push({
             subproject: relativeSubprojectPath,
             workspace: workspacePath,
@@ -251991,7 +252041,7 @@ Subproject: ${subproject}`);
   }
 };
 function getRelativeSubprojectPath(subprojectPath, projectDir) {
-  return relative19(projectDir, subprojectPath) || ".";
+  return relative22(projectDir, subprojectPath) || ".";
 }
 function getDependencyType(vulnChainDetails, codeAwareScanResults, directDependencies, reachability) {
   if (reachability === "UNREACHABLE" || reachability === "UNKNOWN") {
@@ -252027,7 +252077,7 @@ async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
 handleNexeBinaryMode();
 var program2 = new Command();
 var run2 = new Command();
-run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
+run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).option("--lazy-mode", "Enable lazy analysis mode for JavaScript/TypeScript. This can significantly speed up analysis by only analyzing code that is actually relevant for the vulnerabilities being analyzed.", false).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version3;
   options.ecosystems = options.ecosystems?.map((e) => e.toUpperCase());
   options.minSeverity = options.minSeverity?.toUpperCase();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.129",
+  "version": "14.12.131",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -76299,7 +76299,7 @@ var Spinner = class _Spinner {
 // ../utils/src/logging/socket-transport.ts
 var import_winston_transport = __toESM(require_winston_transport2(), 1);
 import { Socket } from "net";
-var SocketTransport = class extends import_winston_transport.default {
+var SocketTransport = class _SocketTransport extends import_winston_transport.default {
   socket = null;
   socketPath;
   context;
@@ -76307,6 +76307,11 @@ var SocketTransport = class extends import_winston_transport.default {
   connected = false;
   messageQueue = [];
   reconnectTimer = null;
+  lastActivityTime = 0;
+  // Maximum number of messages to queue during reconnection
+  static MAX_QUEUE_SIZE = 1e3;
+  // After this much idle time, proactively reconnect before sending to avoid stale connections
+  static STALE_CONNECTION_THRESHOLD_MS = 3e4;
   constructor(options) {
     super(options);
     this.socketPath = options.socketPath;
@@ -76328,7 +76333,7 @@ var SocketTransport = class extends import_winston_transport.default {
         processVariant: this.processVariant,
         startTime: Date.now()
       };
-      this.sendMessage(handshake);
+      this.sendMessageDirect(handshake);
       this.flushQueue();
     });
     this.socket.on("error", () => {
@@ -76351,23 +76356,70 @@ var SocketTransport = class extends import_winston_transport.default {
     }, 1e3);
     this.reconnectTimer.unref();
   }
+  /**
+   * Check if the connection might be stale due to inactivity.
+   * After a long idle period, the connection may have died without us knowing.
+   */
+  isConnectionPotentiallyStale() {
+    if (!this.connected || this.lastActivityTime === 0) {
+      return false;
+    }
+    const idleTime = Date.now() - this.lastActivityTime;
+    return idleTime > _SocketTransport.STALE_CONNECTION_THRESHOLD_MS;
+  }
+  /**
+   * Queue a message for sending. If connected, sends immediately.
+   * If not connected, queues for later (with size limit).
+   */
   sendMessage(message) {
+    const serialized = JSON.stringify(message) + "\n";
+    if (this.isConnectionPotentiallyStale()) {
+      this.connected = false;
+      if (this.messageQueue.length < _SocketTransport.MAX_QUEUE_SIZE) {
+        this.messageQueue.push(serialized);
+      }
+      if (this.socket) {
+        this.socket.destroy();
+      }
+      return;
+    }
+    if (!this.socket || !this.connected) {
+      if (this.messageQueue.length < _SocketTransport.MAX_QUEUE_SIZE) {
+        this.messageQueue.push(serialized);
+      }
+      this.scheduleReconnect();
+      return;
+    }
+    this.writeToSocket(serialized);
+  }
+  /**
+   * Send a message directly without queueing (used for handshake).
+   */
+  sendMessageDirect(message) {
     if (!this.socket || !this.connected) {
       return;
     }
     const serialized = JSON.stringify(message) + "\n";
-    this.socket.write(serialized, (error) => {
+    this.writeToSocket(serialized);
+  }
+  /**
+   * Write data to socket with error handling.
+   * Note: On write error, the socket will emit 'error' event which triggers reconnect.
+   */
+  writeToSocket(data2) {
+    if (!this.socket) return;
+    this.socket.write(data2, (error) => {
       if (error) {
         this.connected = false;
+      } else {
+        this.lastActivityTime = Date.now();
       }
     });
   }
   flushQueue() {
     while (this.messageQueue.length > 0 && this.connected) {
       const message = this.messageQueue.shift();
-      if (this.socket) {
-        this.socket.write(message);
-      }
+      this.writeToSocket(message);
     }
   }
   log(info, callback) {
@@ -110460,13 +110512,14 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     const affectedPackagesFile = resolve14(tmpFolder, "affected-packages.json");
     const logFile = reachabilityAnalysisOptions.analysisLogFile ?? (reachabilityAnalysisOptions.printLogFile && resolve14(projectRoot, "js-analysis.log"));
     await writeFile6(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
+    const useLazy = experiment === "LAZY_EXPERIMENT" || reachabilityAnalysisOptions.lazy;
     const jellyCmd = cmdt`
       ${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
         ${jellyExecutable}
         --basedir ${mainProjectRoot}
         --timeout ${timeoutInSeconds}
         --vulnerabilities ${vulnerabilitiesFile}
-        ${experiment === "LAZY_EXPERIMENT" && ["--lazy", "--lazy-cleanup"]}
+        ${useLazy && ["--lazy", "--lazy-cleanup"]}
         --reachable-json ${affectedPackagesFile}
         ${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
         --diagnostics-json ${diagnosticsFile}
@@ -110482,10 +110535,8 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     await runCommandResolveStdOut2(
       jellyCmd,
       void 0,
-      // If experiment is enabled, fail if Jelly exceeds 1.5x the timeout.
-      // Otherwise, fail if Jelly exceeds 3x the timeout.
-      // Use SIGKILL to ensure termination even if the process is unresponsive (e.g., due to GC pressure).
-      { timeout: timeoutInSeconds * 1e3 * (experiment ? 1.5 : 3), killSignal: "SIGKILL" }
+      // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout (e.g., due to GC pressure).
+      { timeout: timeoutInSeconds * 1e3 * 1.5, killSignal: "SIGKILL" }
     );
     if (reachabilityAnalysisOptions.printLogFile)
       logger.info("JS analysis log file:", await readFile8(logFile, "utf-8"));