@coana-tech/cli 14.12.9 → 14.12.11

package/cli.mjs

@@ -52321,7 +52321,7 @@ var require_cjs2 = __commonJS({
 var require_lib12 = __commonJS({
   "../../node_modules/.pnpm/write-file-atomic@5.0.1/node_modules/write-file-atomic/lib/index.js"(exports2, module2) {
     "use strict";
-    module2.exports = writeFile10;
+    module2.exports = writeFile11;
     module2.exports.sync = writeFileSync4;
     module2.exports._getTmpname = getTmpname;
     module2.exports._cleanupOnExit = cleanupOnExit;
@@ -52446,7 +52446,7 @@ var require_lib12 = __commonJS({
         }
       }
     }
-    async function writeFile10(filename, data2, options, callback) {
+    async function writeFile11(filename, data2, options, callback) {
       if (options instanceof Function) {
         callback = options;
         options = {};
@@ -83615,7 +83615,7 @@ var require_lockfile = __commonJS({
               }
               const file = _ref22;
               if (yield exists2(file)) {
-                return readFile26(file);
+                return readFile27(file);
               }
             }
             return null;
@@ -83634,7 +83634,7 @@ var require_lockfile = __commonJS({
         })();
         let readJsonAndFile = exports3.readJsonAndFile = (() => {
           var _ref24 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (loc) {
-            const file = yield readFile26(loc);
+            const file = yield readFile27(loc);
             try {
               return {
                 object: (0, (_map || _load_map()).default)(JSON.parse(stripBOM2(file))),
@@ -83776,7 +83776,7 @@ var require_lockfile = __commonJS({
             if (eol !== "\n") {
               data2 = data2.replace(/\n/g, eol);
             }
-            yield writeFile10(path2, data2);
+            yield writeFile11(path2, data2);
           });
           return function writeFilePreservingEol2(_x30, _x31) {
             return _ref31.apply(this, arguments);
@@ -83788,7 +83788,7 @@ var require_lockfile = __commonJS({
             const file = (_path || _load_path()).default.join(dir, filename);
             const fileLink = (_path || _load_path()).default.join(dir, filename + "-link");
             try {
-              yield writeFile10(file, "test");
+              yield writeFile11(file, "test");
               yield link(file, fileLink);
             } catch (err) {
               return false;
@@ -83874,7 +83874,7 @@ var require_lockfile = __commonJS({
           };
         })();
         exports3.copy = copy;
-        exports3.readFile = readFile26;
+        exports3.readFile = readFile27;
         exports3.readFileRaw = readFileRaw;
         exports3.normalizeOS = normalizeOS;
         var _fs;
@@ -83938,7 +83938,7 @@ var require_lockfile = __commonJS({
         const lockQueue = exports3.lockQueue = new (_blockingQueue || _load_blockingQueue()).default("fs lock");
         const readFileBuffer = exports3.readFileBuffer = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.readFile);
         const open = exports3.open = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.open);
-        const writeFile10 = exports3.writeFile = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.writeFile);
+        const writeFile11 = exports3.writeFile = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.writeFile);
         const readlink2 = exports3.readlink = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.readlink);
         const realpath2 = exports3.realpath = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.realpath);
         const readdir7 = exports3.readdir = (0, (_promise2 || _load_promise2()).promisify)((_fs || _load_fs()).default.readdir);
@@ -83972,7 +83972,7 @@ var require_lockfile = __commonJS({
             });
           });
         }
-        function readFile26(loc) {
+        function readFile27(loc) {
           return _readFile(loc, "utf8").then(normalizeOS);
         }
         function readFileRaw(loc) {
@@ -111894,7 +111894,7 @@ var require_summary = __commonJS({
     exports2.summary = exports2.markdownSummary = exports2.SUMMARY_DOCS_URL = exports2.SUMMARY_ENV_VAR = void 0;
     var os_1 = __require("os");
     var fs_1 = __require("fs");
-    var { access: access5, appendFile, writeFile: writeFile10 } = fs_1.promises;
+    var { access: access5, appendFile, writeFile: writeFile11 } = fs_1.promises;
     exports2.SUMMARY_ENV_VAR = "GITHUB_STEP_SUMMARY";
     exports2.SUMMARY_DOCS_URL = "https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary";
     var Summary = class {
@@ -111952,7 +111952,7 @@ var require_summary = __commonJS({
         return __awaiter(this, void 0, void 0, function* () {
           const overwrite = !!(options === null || options === void 0 ? void 0 : options.overwrite);
           const filePath = yield this.filePath();
-          const writeFunc = overwrite ? writeFile10 : appendFile;
+          const writeFunc = overwrite ? writeFile11 : appendFile;
           yield writeFunc(filePath, this._buffer, { encoding: "utf8" });
           return this.emptyBuffer();
         });
@@ -190082,7 +190082,7 @@ var {
 } = import_index.default;
 
 // dist/index.js
-import { readFile as readFile25 } from "fs/promises";
+import { readFile as readFile26 } from "fs/promises";
 
 // ../../node_modules/.pnpm/remeda@2.21.2/node_modules/remeda/dist/chunk-ANXBDSUI.js
 var s = { done: false, hasNext: false };
@@ -197891,6 +197891,7 @@ async function registerAnalysisMetadataSocket(subprojectPath, workspacePath, eco
 }
 async function getLatestBucketsSocket(subprojectPath, workspacePath) {
   try {
+    if (!process.env.SOCKET_REPO_NAME || !process.env.SOCKET_BRANCH_NAME) return void 0;
     const url2 = getSocketApiUrl("tier1-reachability-scan/latest-buckets");
     const params = {
       workspacePath,
@@ -206006,11 +206007,47 @@ var YarnFixingManager = class extends NpmEcosystemFixingManager {
 // ../fixing-management/src/fixing-management/npm/npm-ecosystem-socket-fixing-manager.ts
 import { dirname as dirname5, join as join8, relative as relative5 } from "path";
 import { existsSync as existsSync11 } from "fs";
+import { readFile as readFile15, writeFile as writeFile6 } from "fs/promises";
+function applyUpgradesToPackageJson(packageJsonContent, upgrades, rangeStyle) {
+  let modifiedContent = packageJsonContent;
+  for (const upgrade of upgrades) {
+    const escapedPackageName = upgrade.packageName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const depSection = upgrade.isDev ? "devDependencies" : "dependencies";
+    const pattern = new RegExp(`("${escapedPackageName}"\\s*:\\s*")([^"]*)"`, "g");
+    const sectionPattern = new RegExp(`"${depSection}"\\s*:\\s*\\{[^}]*"${escapedPackageName}"\\s*:`, "s");
+    if (!sectionPattern.test(modifiedContent)) {
+      continue;
+    }
+    modifiedContent = modifiedContent.replace(pattern, (match2, prefix, currentVersion, offset) => {
+      const beforeMatch = modifiedContent.substring(0, offset);
+      const lastDepSection = beforeMatch.lastIndexOf(`"${depSection}"`);
+      const lastOtherSection = Math.max(
+        beforeMatch.lastIndexOf('"dependencies"'),
+        beforeMatch.lastIndexOf('"devDependencies"'),
+        beforeMatch.lastIndexOf('"peerDependencies"'),
+        beforeMatch.lastIndexOf('"optionalDependencies"')
+      );
+      if (lastOtherSection > lastDepSection && beforeMatch.substring(lastOtherSection).includes(depSection === "dependencies" ? "devDependencies" : "dependencies")) {
+        return match2;
+      }
+      let versionString;
+      if (rangeStyle === "pin") {
+        versionString = upgrade.upgradeVersion;
+      } else {
+        const specifierMatch = currentVersion.match(/^([^\d]*)/);
+        const specifier = specifierMatch ? specifierMatch[1] : "";
+        versionString = specifier + upgrade.upgradeVersion;
+      }
+      return `${prefix}${versionString}"`;
+    });
+  }
+  return modifiedContent;
+}
 var NpmSocketUpgradeManager = class {
   constructor(rootDir) {
     this.rootDir = rootDir;
   }
-  async applySocketArtifactUpgrades(upgrades, artifacts) {
+  async applySocketArtifactUpgrades(upgrades, artifacts, rangeStyle) {
     const subprojectToUpgrade = await this.groupUpgradesBySubprojectAndWorkspace(upgrades, artifacts);
     for (const [subprojectDir, workspaceToUpgrade] of subprojectToUpgrade) {
       const fixingManager = getFixingManagerFromPackageManager(
@@ -206018,7 +206055,13 @@ var NpmSocketUpgradeManager = class {
         this.rootDir,
         subprojectDir
       );
-      this.applySecurityFixesForSocketArtifacts(fixingManager, artifacts, workspaceToUpgrade);
+      this.applySecurityFixesForSocketArtifacts(
+        subprojectDir,
+        fixingManager,
+        artifacts,
+        workspaceToUpgrade,
+        rangeStyle
+      );
     }
   }
   async groupUpgradesBySubprojectAndWorkspace(upgrades, artifacts) {
@@ -206061,7 +206104,7 @@ var NpmSocketUpgradeManager = class {
     }
     return subprojectToUpgrade;
   }
-  async applySecurityFixesForSocketArtifacts(fixingManager, artifacts, workspaceTofixes) {
+  async applySecurityFixesForSocketArtifacts(subprojectDir, fixingManager, artifacts, workspaceTofixes, rangeStyle) {
     for (const [workspacePath, upgrades] of workspaceTofixes.entries()) {
       const upgradesTransformed = upgrades.map((upgrade) => ({
         dependencyName: getNameFromNamespaceAndName(
@@ -206076,13 +206119,20 @@ var NpmSocketUpgradeManager = class {
       await fixingManager.applySecurityFixesSpecificPackageManager(upgradesTransformed);
       const upgradesToDirectDependencies = upgrades.filter((upgrade) => artifacts[upgrade.idx].direct);
       if (upgradesToDirectDependencies.length === 0) continue;
-      for (const isDev of [false, true]) {
-        const upgradesOfDirectDependenciesOfType = upgradesToDirectDependencies.filter((upgrade) => artifacts[upgrade.idx].dev === isDev).map(
-          ({ idx, upgradeVersion }) => `${artifacts[idx].namespace ? `${artifacts[idx].namespace}/` : ""}${artifacts[idx].name}@${upgradeVersion}`
-        );
-        if (upgradesOfDirectDependenciesOfType.length === 0) continue;
-        await fixingManager.installSpecificPackages(workspacePath, isDev, upgradesOfDirectDependenciesOfType);
-      }
+      const packageJsonPath = join8(subprojectDir, workspacePath, "package.json");
+      const packageJsonContent = await readFile15(packageJsonPath, "utf-8");
+      const upgradesWithPackageNames = upgradesToDirectDependencies.map(
+        (upgrade) => {
+          const artifact = artifacts[upgrade.idx];
+          return {
+            packageName: artifact.namespace ? `${artifact.namespace}/${artifact.name}` : artifact.name,
+            upgradeVersion: upgrade.upgradeVersion,
+            isDev: artifact.dev ?? false
+          };
+        }
+      );
+      const modifiedContent = applyUpgradesToPackageJson(packageJsonContent, upgradesWithPackageNames, rangeStyle);
+      await writeFile6(packageJsonPath, modifiedContent, "utf-8");
     }
     await fixingManager.finalizeFixes();
   }
@@ -206115,7 +206165,7 @@ var RushFixingManager = class {
 };
 
 // ../fixing-management/src/fixing-management/nuget/nuget-fixing-manager.ts
-import { readFile as readFile15, writeFile as writeFile6 } from "fs/promises";
+import { readFile as readFile16, writeFile as writeFile7 } from "fs/promises";
 import { join as join9 } from "path";
 
 // ../utils/src/nuget-utils.ts
@@ -206218,16 +206268,16 @@ var NugetFixingManager = class {
         if (projectFiles.length !== 1)
           throw new Error("Applying fixes to workspaces with more than 1 project file currently not supported");
         const projectFilePath = join9(this.getAbsWsPath(wsPath), projectFiles[0]);
-        const initialProjectFile = await readFile15(projectFilePath, "utf-8");
+        const initialProjectFile = await readFile16(projectFilePath, "utf-8");
         const initialLockFile = await this.restoreWorkspaceAndParseLockFile(wsPath);
         await applySeries(fixesWithId, async ({ fixId, vulnerabilityFixes }) => {
           await this.applySecurityFixesForWorkspace(wsPath, projectFilePath, vulnerabilityFixes, dependencyTree);
           signalFixApplied2?.(fixId, this.subprojectPath, wsPath, vulnerabilityFixes);
         });
-        const finalProjectFile = await readFile15(projectFilePath, "utf-8");
-        const finalLockFile = JSON.parse(await readFile15(this.getLockFilePath(wsPath), "utf-8"));
-        await writeFile6(projectFilePath, initialProjectFile);
-        await writeFile6(this.getLockFilePath(wsPath), JSON.stringify(initialLockFile, null, 2));
+        const finalProjectFile = await readFile16(projectFilePath, "utf-8");
+        const finalLockFile = JSON.parse(await readFile16(this.getLockFilePath(wsPath), "utf-8"));
+        await writeFile7(projectFilePath, initialProjectFile);
+        await writeFile7(this.getLockFilePath(wsPath), JSON.stringify(initialLockFile, null, 2));
         return { projectFile: finalProjectFile, lockFile: finalLockFile };
       }
     );
@@ -206237,8 +206287,8 @@ var NugetFixingManager = class {
       const projectFiles = fixingInfo.projectFiles[wsPath];
       if (projectFiles.length !== 1)
         throw new Error("Applying fixes to workspaces with more than 1 project file currently not supported");
-      await writeFile6(join9(this.getAbsWsPath(wsPath), projectFiles[0]), finalProjectFile);
-      await writeFile6(this.getLockFilePath(wsPath), JSON.stringify(finalLockFile, null, 2));
+      await writeFile7(join9(this.getAbsWsPath(wsPath), projectFiles[0]), finalProjectFile);
+      await writeFile7(this.getLockFilePath(wsPath), JSON.stringify(finalLockFile, null, 2));
     });
     if (solutionFiles) {
       for (const solutionFile of solutionFiles) {
@@ -206257,7 +206307,7 @@ var NugetFixingManager = class {
     }
   }
   async applySecurityFixesForWorkspace(wsPath, projectFilePath, vulnFixes, dependencyTree) {
-    const initialProjectFile = await readFile15(projectFilePath, "utf-8");
+    const initialProjectFile = await readFile16(projectFilePath, "utf-8");
     const initialLockFile = await this.restoreWorkspaceAndParseLockFile(wsPath);
     const typeCache = new Cache();
     const requestedCache = new Cache();
@@ -206304,7 +206354,7 @@ var NugetFixingManager = class {
         details.requested = requestedRange;
       });
     });
-    await writeFile6(projectFilePath, initialProjectFile);
+    await writeFile7(projectFilePath, initialProjectFile);
     await applySeries(vulnFixes, async ({ dependencyIdentifier, dependencyName }) => {
       await applySeries(
         dependencyTree.transitiveDependencies[dependencyIdentifier].frameworks?.filter(
@@ -206330,7 +206380,7 @@ var NugetFixingManager = class {
         }
       );
     });
-    await writeFile6(this.getLockFilePath(wsPath), JSON.stringify(lockFileWithFixes, null, 2));
+    await writeFile7(this.getLockFilePath(wsPath), JSON.stringify(lockFileWithFixes, null, 2));
   }
   async addPackage(packageName, version3, framework, wsPath) {
     const dir = join9(this.rootDir, this.subprojectPath, wsPath);
@@ -206347,7 +206397,7 @@ var NugetFixingManager = class {
   async restoreWorkspaceAndParseLockFile(wsPath) {
     const succeeded = await execAndLogOnFailure("dotnet restore --use-lock-file", this.getAbsWsPath(wsPath));
     if (!succeeded) throw new Error(`Error applying fix - could not restore project ${this.subprojectPath}/${wsPath}`);
-    return JSON.parse(await readFile15(this.getLockFilePath(wsPath), "utf-8"));
+    return JSON.parse(await readFile16(this.getLockFilePath(wsPath), "utf-8"));
   }
   getLockFilePath(wsPath, lockFileName = "packages.lock.json") {
     return join9(this.getAbsWsPath(wsPath), lockFileName);
@@ -206458,10 +206508,10 @@ async function applySecurityFixes(packageManagerName, rootDir, subprojectPath, o
     otherModulesCommunicator
   ).applySecurityFixes(fixes, fixingInfo, signalFixApplied2);
 }
-async function applySocketUpgrades(ecosystem, rootDir, upgrades, artifacts) {
+async function applySocketUpgrades(ecosystem, rootDir, upgrades, artifacts, rangeStyle) {
   const C2 = socketUpgradeManagerConstructors[ecosystem];
   if (!C2) return;
-  await new C2(rootDir).applySocketArtifactUpgrades(upgrades, artifacts);
+  await new C2(rootDir).applySocketArtifactUpgrades(upgrades, artifacts, rangeStyle);
 }
 
 // dist/cli-apply-fix.js
@@ -207105,7 +207155,7 @@ function utilFormatter2() {
 }
 
 // ../web-compat-utils/dist/logger-singleton.js
-import { readFile as readFile16 } from "fs/promises";
+import { readFile as readFile17 } from "fs/promises";
 var CLILogger2 = class {
   logger = console;
   writeStream;
@@ -207185,7 +207235,7 @@ var CLILogger2 = class {
     await this.finish();
     let logContent;
     try {
-      logContent = await readFile16(logFilePath, "utf-8");
+      logContent = await readFile17(logFilePath, "utf-8");
     } catch (e) {
       console.error("Error reading log file", e);
     }
@@ -207230,13 +207280,13 @@ async function detectVariantMaven(projectDir) {
 // ../docker-management/src/maven/gradle-version-detector.ts
 import { existsSync as existsSync13 } from "fs";
 import { join as join14 } from "path";
-import { readFile as readFile17 } from "fs/promises";
+import { readFile as readFile18 } from "fs/promises";
 async function detectVariantGradle(projectDir) {
   return sanitizeJvmVariant("GRADLE", projectDir, await detect(projectDir));
 }
 async function detect(projectDir) {
   const gradleWrapperPropertiesPath = join14(projectDir, "gradle", "wrapper", "gradle-wrapper.properties");
-  const gradleWrapperProperties = existsSync13(gradleWrapperPropertiesPath) ? (await readFile17(gradleWrapperPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
+  const gradleWrapperProperties = existsSync13(gradleWrapperPropertiesPath) ? (await readFile18(gradleWrapperPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
   if (!gradleWrapperProperties) return void 0;
   const distributionUrlRegex = /.*gradle-(\d+(\.\d+(\.\d+)?)?)/;
   for (const prop2 of gradleWrapperProperties) {
@@ -207252,13 +207302,13 @@ async function detect(projectDir) {
 // ../docker-management/src/maven/sbt-version-detector.ts
 import { existsSync as existsSync14 } from "fs";
 import { join as join15 } from "path";
-import { readFile as readFile18 } from "fs/promises";
+import { readFile as readFile19 } from "fs/promises";
 async function detectVariantSbt(projectDir) {
   return sanitizeJvmVariant("SBT", projectDir, await detect2(projectDir));
 }
 async function detect2(projectDir) {
   const sbtBuildPropertiesPath = join15(projectDir, "project", "build.properties");
-  const sbtBuildProperties = existsSync14(sbtBuildPropertiesPath) ? (await readFile18(sbtBuildPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
+  const sbtBuildProperties = existsSync14(sbtBuildPropertiesPath) ? (await readFile19(sbtBuildPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
   if (!sbtBuildProperties) return void 0;
   for (const prop2 of sbtBuildProperties) {
     const [key, value] = prop2.split("=");
@@ -207372,7 +207422,7 @@ async function findReachabilityAnalyzersDockerImage(ecosystem) {
 // ../other-modules-communicator/src/other-modules-communicator.ts
 var import_lodash11 = __toESM(require_lodash(), 1);
 import { rmSync } from "fs";
-import { mkdir, readFile as readFile19, writeFile as writeFile7 } from "fs/promises";
+import { mkdir, readFile as readFile20, writeFile as writeFile8 } from "fs/promises";
 import { platform } from "os";
 import { join as join19, posix as posix2, relative as relative8, sep as sep3 } from "path";
 
@@ -207823,7 +207873,7 @@ var OtherModulesCommunicator = class {
         COANA_API_KEY: this.apiKey.type === "present" ? this.apiKey.value : ""
       }
     );
-    return JSON.parse(await readFile19(outputFilePathThisProcess, "utf-8")).result;
+    return JSON.parse(await readFile20(outputFilePathThisProcess, "utf-8")).result;
   }
   async runReachabilityAnalyzerCommand(commandName, ecosystem, subprojectPath, workspacePath, args2, env) {
     const tmpDir = await this.getTmpDirForSubproject(subprojectPath);
@@ -207884,7 +207934,7 @@ var OtherModulesCommunicator = class {
       [...args2, "-o", outputFilePathOtherProcess],
       env
     );
-    return JSON.parse(await readFile19(outputFilePathThisProcess, "utf-8")).result;
+    return JSON.parse(await readFile20(outputFilePathThisProcess, "utf-8")).result;
   }
   async runInDocker(ecosystem, image, entryPoint, commandName, args2, subprojectPath, tmpDir, env = process.env) {
     if (!await pullDockerImage(image)) return false;
@@ -207913,7 +207963,7 @@ var OtherModulesCommunicator = class {
         const providerFileName = "provider.json";
         const providerFileThisProcess = join19(tmpDir, providerFileName);
         const providerFileOtherProcess = this.options.runWithoutDocker ? providerFileThisProcess : posix2.join(TMP_DIR_IN_DOCKER, providerFileName);
-        await writeFile7(providerFileThisProcess, JSON.stringify(providedOptions.provider));
+        await writeFile8(providerFileThisProcess, JSON.stringify(providedOptions.provider));
         return ["--provider", providerFileOtherProcess];
       } else {
         return ["--as-provider"];
@@ -207957,7 +208007,7 @@ var OtherModulesCommunicator = class {
     const inputFileName = `${v4_default()}-runReachabilityAnalysis-input.json`;
     const inputFileThisProcess = join19(tmpDir, inputFileName);
     const inputFileOtherProcess = this.options.runWithoutDocker ? inputFileThisProcess : posix2.join(TMP_DIR_IN_DOCKER, inputFileName);
-    await writeFile7(
+    await writeFile8(
       inputFileThisProcess,
       JSON.stringify({
         workspaceData,
@@ -208134,7 +208184,7 @@ function t3(...r2) {
 }
 
 // ../utils/src/dashboard-api/coana-api.ts
-import { writeFile as writeFile8 } from "fs/promises";
+import { writeFile as writeFile9 } from "fs/promises";
 var import_artifact = __toESM(require_artifact_client2(), 1);
 var coanaAPI = process.env.PUBLIC_API_URL ?? "https://app.coana.tech/api/v1";
 var axiosClient2 = getAxiosClient();
@@ -208264,7 +208314,7 @@ async function sendToDashboard(report, writeReportToFile, reportId, apiKey) {
   try {
     if (writeReportToFile) {
       logger.info("Writing report to dashboard-report.json");
-      await writeFile8("dashboard-report.json", JSON.stringify(report, null, 2));
+      await writeFile9("dashboard-report.json", JSON.stringify(report, null, 2));
       if (process.env.GITHUB_ACTIONS === "true") {
         logger.info("uploading dashboard-report.json as an artifact");
         (0, import_artifact.create)().uploadArtifact("dashboard-report", ["dashboard-report.json"], process.cwd());
@@ -209342,12 +209392,12 @@ import { join as join22, relative as relative9, resolve as resolve20 } from "pat
 
 // ../project-management/src/project-management/ecosystem-management/ecosystem-specs.ts
 import { existsSync as existsSync18 } from "fs";
-import { readdir as readdir5, readFile as readFile22 } from "fs/promises";
+import { readdir as readdir5, readFile as readFile23 } from "fs/promises";
 import { join as join21, sep as sep4 } from "path";
 
 // ../utils/src/pip-utils.ts
 import { existsSync as existsSync17 } from "fs";
-import { readFile as readFile21 } from "fs/promises";
+import { readFile as readFile22 } from "fs/promises";
 import { resolve as resolve19 } from "path";
 import util4 from "util";
 
@@ -209356,7 +209406,7 @@ var import_lodash13 = __toESM(require_lodash(), 1);
 var import_semver4 = __toESM(require_semver2(), 1);
 import { execFileSync as execFileSync2 } from "child_process";
 import { constants as constants2 } from "fs";
-import { access as access4, readFile as readFile20 } from "fs/promises";
+import { access as access4, readFile as readFile21 } from "fs/promises";
 import { join as join20, resolve as resolve18 } from "path";
 import util3 from "util";
 var { once: once7 } = import_lodash13.default;
@@ -209365,7 +209415,7 @@ var hasPyenv = once7(async () => !(await execNeverFail("which pyenv")).error);
 
 // ../utils/src/pip-utils.ts
 async function isSetupPySetuptools(file) {
-  const content = await readFile21(file, "utf-8");
+  const content = await readFile22(file, "utf-8");
   return content.includes("setup(") && (/^\s*from\s+(?:setuptools|distutils\.core)\s+import\s+.*setup/m.test(content) || /^\s*import\s+(?:setuptools|distutils\.core)/m.test(content));
 }
 
@@ -209447,7 +209497,7 @@ function packageManagerIfPackageJSONExistsAndValid(packageManager) {
     if (!existsSync18(join21(projectDir, "package.json"))) return void 0;
     const packageJSONPath = join21(projectDir, "package.json");
     try {
-      JSON.parse(await readFile22(packageJSONPath, "utf-8"));
+      JSON.parse(await readFile23(packageJSONPath, "utf-8"));
       return packageManager;
     } catch (e) {
       throw new InvalidProjectFileError(projectDir, "package.json");
@@ -209708,7 +209758,7 @@ ${detailsString}` : ""}`;
 
 // dist/cli-core.js
 import { writeFileSync as writeFileSync3 } from "fs";
-import { mkdir as mkdir2, writeFile as writeFile9 } from "fs/promises";
+import { mkdir as mkdir2, writeFile as writeFile10 } from "fs/promises";
 
 // ../../node_modules/.pnpm/kleur@4.1.5/node_modules/kleur/index.mjs
 var FORCE_COLOR;
@@ -210133,7 +210183,7 @@ var DEFAULT_REPORT_FILENAME_BASE = "coana-report";
 
 // dist/internal/exclude-dirs-from-configuration-files.js
 import { existsSync as existsSync19 } from "fs";
-import { readFile as readFile23 } from "fs/promises";
+import { readFile as readFile24 } from "fs/promises";
 import { basename as basename6, resolve as resolve22 } from "path";
 var import_yaml2 = __toESM(require_dist11(), 1);
 async function inferExcludeDirsFromConfigurationFiles(rootWorkingDir) {
@@ -210147,7 +210197,7 @@ async function inferExcludeDirsFromConfigurationFiles(rootWorkingDir) {
 }
 async function inferExcludeDirsFromSocketConfig(socketConfigFile) {
   try {
-    const config3 = (0, import_yaml2.parse)(await readFile23(socketConfigFile, "utf8"));
+    const config3 = (0, import_yaml2.parse)(await readFile24(socketConfigFile, "utf8"));
     const version3 = config3.version;
     const ignorePaths = config3[version3 === 1 ? "ignore" : "projectIgnorePaths"];
     if (!ignorePaths)
@@ -210722,7 +210772,7 @@ function toSocketFactsSocketDependencyTree(artifacts, vulnerabilities, tier1Reac
 }
 
 // dist/internal/vulnerability-scanning.js
-import { readFile as readFile24 } from "fs/promises";
+import { readFile as readFile25 } from "fs/promises";
 
 // ../security-auditor/security-auditor-builder/src/mongo-connection.ts
 var import_mongodb = __toESM(require_lib30(), 1);
@@ -225591,7 +225641,7 @@ async function scanForVulnerabilities(dependencyTree, offlineVulnerabilityScanne
 }
 async function offlineScan(dependencyTree, offlineVulnerabilityScannerDBPath) {
   logger.info("using offline vulnerability scanner db");
-  const offlineVulnerabilityScannerDB = JSON.parse(await readFile24(offlineVulnerabilityScannerDBPath, "utf-8"));
+  const offlineVulnerabilityScannerDB = JSON.parse(await readFile25(offlineVulnerabilityScannerDBPath, "utf-8"));
   const { ecosystemToUrlToVulnerabilityDetails, vulnerabilityDatabase } = offlineVulnerabilityScannerDB;
   const coanaSupportedVulnerabilitiesLoader = CoanaSupportedVulnerabilitiesLoader.create(ecosystemToUrlToVulnerabilityDetails);
   const vulnerabilityAccessPathLoader = CoanaSupportedVulnerabilitiesLoader.create(ecosystemToUrlToVulnerabilityDetails);
@@ -225609,7 +225659,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.12.9";
+var version2 = "14.12.11";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -225795,7 +225845,7 @@ var CliCore = class {
     }
     const socketReport = toSocketFactsSocketDependencyTree(artifacts, vulnsWithResults, this.reportId);
     const outputFile = resolve23(this.options.socketMode);
-    await writeFile9(outputFile, JSON.stringify(socketReport, null, 2));
+    await writeFile10(outputFile, JSON.stringify(socketReport, null, 2));
     logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
   }
   async shareErrorLogWithBackend(e, shouldLogSharing) {
@@ -225813,7 +225863,7 @@ var CliCore = class {
       }
       const socketReport = toSocketFacts(report, this.reportDependencyTrees, subPjToWsPathToDirectDependencies);
       const outputFile = resolve23(this.options.socketMode);
-      await writeFile9(outputFile, JSON.stringify(socketReport, null, 2));
+      await writeFile10(outputFile, JSON.stringify(socketReport, null, 2));
       logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
       return;
     }
@@ -226296,6 +226346,9 @@ import { join as join26, relative as relative12 } from "node:path";
 var import_packageurl_js2 = __toESM(require_packageurl_js(), 1);
 var ECOSYSTEMS_WITH_SOCKET_UPGRADES = ["NPM", "MAVEN"];
 async function upgradePurl(path2, upgrades, options, logFile, cliFixRunId) {
+  if (options.rangeStyle && options.rangeStyle !== "pin") {
+    throw new Error('Range style must be "pin"');
+  }
   logger.initWinstonLogger(options.debug);
   logger.silent = options.silent;
   let cliRunId = cliFixRunId;
@@ -226341,7 +226394,11 @@ ${upgrades.map((upgrade) => `	${upgrade.purl} -> ${upgrade.upgradeVersion}`).joi
           });
         });
         for (const [ecosystem, upgrades2] of Object.entries(ecosystemToSocketArtifactUpgrades)) {
-          await applySocketUpgrades(ecosystem, path2, upgrades2, artifacts);
+          if (options.rangeStyle && ecosystem !== "NPM") {
+            logger.warn(`Range style is only supported for npm, skipping upgrades for ${ecosystem}`);
+            continue;
+          }
+          await applySocketUpgrades(ecosystem, path2, upgrades2, artifacts, options.rangeStyle);
         }
         if (upgradePurlRunId) {
           await getSocketAPI().finalizeUpgradePurlRun(upgradePurlRunId, "success");
@@ -226474,7 +226531,8 @@ async function computeFixesAndUpgradePurls(path2, options, logFile) {
       runWithoutDocker: options.runWithoutDocker,
       manifestsTarHash: options.manifestsTarHash,
       concurrency: "1",
-      globPattern: options.globPattern
+      globPattern: options.globPattern,
+      rangeStyle: options.rangeStyle
     }, autofixRunId) ?? "fixed-all";
     if (autofixRunId) {
       await getSocketAPI().finalizeAutofixRun(autofixRunId, ghsasFailedToFix.length === 0 && applyFixesStatus === "fixed-all" ? "fixed-all" : ghsasFailedToFix.length === Object.keys(ghsaToVulnerableArtifactIdsToApply).length || applyFixesStatus === "fixed-none" ? "fixed-none" : "fixed-some");
@@ -226595,7 +226653,7 @@ applyFixes.name("apply-fixes").argument("<path>", "File system path to the folde
   await applyFix(path2, fixIds, options);
 }).configureHelp({ sortOptions: true });
 var upgradePurls = new Command();
-upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the folder containing the project").argument("<specs...>", "Package upgrade specifications in the format 'purl -> newVersion' (e.g., 'pkg:maven/io.micrometer/micrometer-core@1.10.9 -> 1.15.0')").option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--socket-mode", "Use Socket for computing dependency trees").default(process.env.SOCKET_MODE === "true").hideHelp()).version(version2).action(async (path2, specs2, options) => {
+upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the folder containing the project").argument("<specs...>", "Package upgrade specifications in the format 'purl -> newVersion' (e.g., 'pkg:maven/io.micrometer/micrometer-core@1.10.9 -> 1.15.0')").option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--socket-mode", "Use Socket for computing dependency trees").default(process.env.SOCKET_MODE === "true").hideHelp()).version(version2).action(async (path2, specs2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   await withTmpDirectory("upgrade-purls", async (tmpDir) => {
     const logFile = join27(tmpDir, "upgrade-purls.log");
@@ -226613,8 +226671,11 @@ upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the f
   });
 }).configureHelp({ sortOptions: true });
 var computeFixesAndUpgradePurlsCmd = new Command();
-computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).action(async (path2, options) => {
+computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).action(async (path2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
+  if (options.rangeStyle && options.rangeStyle !== "pin") {
+    throw new Error('Range style must be "pin"');
+  }
   await withTmpDirectory("compute-fixes-and-upgrade-purls", async (tmpDir) => {
     const logFile = join27(tmpDir, "compute-fixes-and-upgrade-purls.log");
     logger.initWinstonLogger(options.debug, logFile);
@@ -226624,7 +226685,7 @@ computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument(
 var compareReportsCommand = new Command();
 compareReportsCommand.name("compare-reports").argument("<baselineReportPath>", "Path to the baseline report").argument("<newReportPath>", "Path to the new report").option("--api-key <key>", "Set the Coana dashboard API key.").option("-d, --debug", "Enable debug logging", false).option("--no-pr-comment", "Disable pull request comments (only relevant when run from a PR)", true).option("--no-block", "Do not fail with a non-zero exit code when new reachable vulnerabilities are detected", true).option("--ignore-undeterminable-reachability", "Ignore vulnerabilities with undeterminable reachability", false).action(async (baselineReportPath, newReportPath, options) => {
   async function readReport(reportPath) {
-    return JSON.parse(await readFile25(reportPath, "utf-8"));
+    return JSON.parse(await readFile26(reportPath, "utf-8"));
   }
   const baselineReport = await readReport(baselineReportPath);
   const newReport = await readReport(newReportPath);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.9",
+  "version": "14.12.11",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -73366,6 +73366,7 @@ async function registerAnalysisMetadataSocket(subprojectPath, workspacePath, eco
 }
 async function getLatestBucketsSocket(subprojectPath, workspacePath) {
   try {
+    if (!process.env.SOCKET_REPO_NAME || !process.env.SOCKET_BRANCH_NAME) return void 0;
     const url2 = getSocketApiUrl("tier1-reachability-scan/latest-buckets");
     const params = {
       workspacePath,