npm - @coana-tech/cli - Versions diffs - 15.2.6 → 15.2.8 - Mend

@coana-tech/cli 15.2.6 → 15.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/cli.mjs +40 -12
package/package.json +1 -1
package/repos/coana-tech/goana/bin/goana-darwin-amd64.gz +0 -0
package/repos/coana-tech/goana/bin/goana-darwin-arm64.gz +0 -0
package/repos/coana-tech/goana/bin/goana-linux-amd64.gz +0 -0
package/repos/coana-tech/goana/bin/goana-linux-arm64.gz +0 -0
package/repos/coana-tech/javap-service/javap-service.jar +0 -0

package/cli.mjs CHANGED Viewed

@@ -225628,13 +225628,39 @@ var PnpmFixingManager = class extends NpmEcosystemFixingManager {
     if (result.error) {
       logger.debug("finalize fixes stdout", result.stdout);
       logger.debug("finalize fixes stderr", result.stderr);
-      throw result.error;
+      const trustErrorMessage = buildPnpmTrustDowngradeMessage(`${result.stdout}
+${result.stderr}`);
+      if (trustErrorMessage !== void 0) throw new Error(trustErrorMessage);
+      throw new Error(buildPnpmFinalizeFailureMessage(result.stdout, result.stderr, result.error.message));
     }
     logger.info(
       `Run 'pnpm install' in '${relative7(this.rootDir, this.subprojectPath) || "."}' to install the updated dependencies`
     );
   }
 };
+function parsePnpmTrustDowngrade(output) {
+  const match2 = output.match(/ERR_PNPM_TRUST_DOWNGRADE[^\n]*?"([^"]+)"/);
+  return match2 ? { packageRef: match2[1] } : void 0;
+}
+function buildPnpmFinalizeFailureMessage(stdout, stderr, fallbackMessage) {
+  const combined = [stderr.trim(), stdout.trim()].filter(Boolean).join("\n").trim();
+  return combined ? `${fallbackMessage}
+pnpm output:
+${combined}` : fallbackMessage;
+}
+function buildPnpmTrustDowngradeMessage(output) {
+  const parsed = parsePnpmTrustDowngrade(output);
+  if (!parsed) return void 0;
+  const { packageRef } = parsed;
+  return `pnpm refused to update the lockfile due to a trust-downgrade on "${packageRef}" (ERR_PNPM_TRUST_DOWNGRADE). This usually means the package lost its npm provenance attestation between releases \u2014 often a publishing-workflow regression rather than a real supply-chain incident.
+To unblock the fix, edit pnpm-workspace.yaml at the workspace root (the same file your \`trustPolicy: no-downgrade\` setting lives in) and either:
+  \u2022 set \`trustPolicy: off\` to disable the check entirely, or
+  \u2022 keep the policy on and allow just this release via:
+      trustPolicyExclude:
+        - '${packageRef}'`;
+}
 function getVersionNumber(version4) {
   const pnpmLockVersionSuffix = /((\d+)\.(\d+)\.(\d+)((-((\d|[a-zA-Z]|\.)+)){0,1})((\+((\d|\.)+)){0,1}))(_|\()(.+)/;
   const match2 = version4.match(pnpmLockVersionSuffix);
@@ -234564,14 +234590,14 @@ function getEcosystemsFromManifestFileNames(fileNames) {
   }
   return [...ecosystems];
 }
-async function validateExternalDependencies(ecosystems, command, manifestFileNames) {
+async function validateExternalDependencies(ecosystems, command, manifestFileNames, packageManagers) {
   const checks = [];
   const ecosystemSet = new Set(ecosystems);
   if (ecosystemSet.has("NPM")) {
-    checks.push(...getNpmChecks(command, manifestFileNames));
+    checks.push(...getNpmChecks(command, manifestFileNames, packageManagers));
   }
   if (ecosystemSet.has("PIP")) {
-    checks.push(...getPipChecks(command, manifestFileNames));
+    checks.push(...getPipChecks(command, manifestFileNames, packageManagers));
   }
   if (ecosystemSet.has("MAVEN") && command === "run") {
     checks.push(checkJavaAvailable());
@@ -234611,9 +234637,10 @@ async function validateExternalDependencies(ecosystems, command, manifestFileNam
     throw new Error(message2);
   }
 }
-function getNpmChecks(command, manifestFileNames) {
+function getNpmChecks(command, manifestFileNames, packageManagers) {
   const checks = [];
   const nexe = isNexeMode();
+  const isAllowed = (pm) => !packageManagers || packageManagers.includes(pm);
   if (command === "run") {
     checks.push(Promise.resolve(checkNodeVersion(20)));
     if (!nexe) {
@@ -234621,21 +234648,22 @@ function getNpmChecks(command, manifestFileNames) {
     }
   } else {
     const files = manifestFileNames ?? [];
-    if (files.some((f5) => f5.endsWith("package-lock.json")) && !nexe) {
+    if (files.some((f5) => f5.endsWith("package-lock.json")) && !nexe && isAllowed("NPM")) {
       checks.push(checkTool("npm", "NPM", "Required for NPM dependency management. Install from https://nodejs.org"));
     }
-    if (files.some((f5) => f5.endsWith("pnpm-lock.yaml"))) {
+    if (files.some((f5) => f5.endsWith("pnpm-lock.yaml")) && isAllowed("PNPM")) {
       checks.push(checkTool("pnpm", "NPM", "Required for pnpm dependency management. Install from https://pnpm.io"));
     }
-    if (files.some((f5) => f5.endsWith("yarn.lock"))) {
+    if (files.some((f5) => f5.endsWith("yarn.lock")) && isAllowed("YARN")) {
       checks.push(checkTool("yarn", "NPM", "Required for Yarn dependency management. Install from https://yarnpkg.com"));
     }
   }
   return checks;
 }
-function getPipChecks(command, manifestFileNames) {
+function getPipChecks(command, manifestFileNames, packageManagers) {
   const checks = [];
   const nexe = isNexeMode();
+  const isAllowed = (pm) => !packageManagers || packageManagers.includes(pm);
   if (command === "run") {
     checks.push(checkEitherTool("python3", "python", "Python (PIP)", "python3 (or python)", "Required for Python dependency management. Install from https://python.org"));
     if (!nexe) {
@@ -234643,7 +234671,7 @@ function getPipChecks(command, manifestFileNames) {
     }
   } else {
     const files = manifestFileNames ?? [];
-    if (files.some((f5) => f5.endsWith("uv.lock")) && !nexe) {
+    if (files.some((f5) => f5.endsWith("uv.lock")) && !nexe && isAllowed("UV")) {
       checks.push(checkTool("uv", "Python (PIP)", "Required for Python dependency management. Install from https://docs.astral.sh/uv/"));
     }
   }
@@ -234745,7 +234773,7 @@ ${Array.from(upgrades).map(([idx, upgradeVersion]) => `	${prettyPrintPurlUpgrade
       }
       const detectedEcosystems = Array.from(ecosystemToSocketArtifactUpgrades.keys());
       if (!options.disableExternalToolChecks) {
-        await validateExternalDependencies(detectedEcosystems, "compute-fixes-and-upgrade-purls", manifestFiles);
+        await validateExternalDependencies(detectedEcosystems, "compute-fixes-and-upgrade-purls", manifestFiles, options.packageManagers);
       }
       let anyErrors = false;
       let anySkipped = false;
@@ -252321,7 +252349,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 // dist/version.js
-var version3 = "15.2.6";
+var version3 = "15.2.8";
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "15.2.6",
+  "version": "15.2.8",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/repos/coana-tech/goana/bin/goana-darwin-amd64.gz CHANGED Viewed

Binary file

package/repos/coana-tech/goana/bin/goana-darwin-arm64.gz CHANGED Viewed

Binary file

package/repos/coana-tech/goana/bin/goana-linux-amd64.gz CHANGED Viewed

Binary file

package/repos/coana-tech/goana/bin/goana-linux-arm64.gz CHANGED Viewed

Binary file

package/repos/coana-tech/javap-service/javap-service.jar CHANGED Viewed

Binary file