@socketsecurity/cli-with-sentry 1.1.40 → 1.1.42

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.42](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.42) - 2025-12-04
+
+### Added
+- Added `--ecosystems` flag to `socket fix`.
+
+### Changed
+- Updated the Coana CLI to v `14.12.113`.
+- Rename `--limit` flag to `--pr-limit` for `socket fix`, but keep old flag as an alias. Note: `--pr-limit` has no effect in local mode, use `--id` options instead.
+- Process all vulnerabilities with `socket fix` when no `--id` options are provided.
+
+## [1.1.41](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.41) - 2025-12-02
+
+### Added
+- Added `--reach-version` flag to `socket scan create` and `socket scan reach` to override the @coana-tech/cli version used for reachability analysis.
+- Added `--fix-version` flag to `socket fix` to override the @coana-tech/cli version used for fix analysis.
+
 ## [1.1.40](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.40) - 2025-12-02
 
 ### Fixed

package/dist/cli.js

@@ -446,7 +446,7 @@ async function run$S(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -850,7 +850,7 @@ async function run$R(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -1658,6 +1658,7 @@ async function performReachabilityAnalysis(options) {
 
   // Run Coana with the manifests tar hash.
   const coanaResult = await utils.spawnCoanaDlx(coanaArgs, orgSlug, {
+    coanaVersion: reachabilityOptions.reachVersion,
     cwd,
     env: coanaEnv,
     spinner,
@@ -2380,15 +2381,16 @@ async function handleCi(autoManifest) {
     pendingHead: true,
     pullRequest: 0,
     reach: {
-      reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
+      reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
-      reachDisableAnalytics: false,
       reachDisableAnalysisSplitting: false,
+      reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false,
+      reachVersion: undefined,
       runReachabilityAnalysis: false
     },
     repoName,
@@ -3692,28 +3694,27 @@ async function getFixEnv() {
 async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
-    limit,
+    ecosystems,
     spinner
   } = {
     __proto__: null,
     ...options
   };
-  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash], orgSlug, {
+  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
     cwd,
-    spinner
+    spinner,
+    coanaVersion: options?.coanaVersion
   }, {
     stdio: 'pipe'
   });
   if (foundCResult.ok) {
-    // Coana prints ghsaIds as json-formatted string on the final line of the output
-    const foundIds = [];
     try {
+      // Coana prints ghsaIds as json-formatted string on the final line of the output.
       const ghsaIdsRaw = foundCResult.data.trim().split('\n').pop();
       if (ghsaIdsRaw) {
-        foundIds.push(...JSON.parse(ghsaIdsRaw));
+        return JSON.parse(ghsaIdsRaw);
       }
     } catch {}
-    return limit !== undefined ? foundIds.slice(0, limit) : foundIds;
   }
   return [];
 }
@@ -3721,15 +3722,17 @@ async function coanaFix(fixConfig) {
   const {
     applyFixes,
     autopilot,
+    coanaVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     ghsas,
     include,
-    limit,
     minimumReleaseAge,
     orgSlug,
     outputFile,
+    prLimit,
     showAffectedDirectDependencies,
     spinner
   } = fixConfig;
@@ -3772,7 +3775,7 @@ async function coanaFix(fixConfig) {
       data: uploadCResult.data
     };
   }
-  const isAll = !ghsas.length || ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
+  const shouldDiscoverGhsaIds = !ghsas.length;
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
     // Inform user about local mode when fixes will be applied.
@@ -3788,19 +3791,15 @@ async function coanaFix(fixConfig) {
         logger.logger.info('Running in local mode - fixes will be applied directly to your working directory.\n' + getCiEnvInstructions());
       }
     }
-    let ids;
-    if (isAll && limit > 0) {
-      ids = await discoverGhsaIds(orgSlug, tarHash, {
-        cwd,
-        limit,
-        spinner
-      });
-    } else if (limit > 0) {
-      ids = ghsas.slice(0, limit);
-    } else {
-      ids = [];
-    }
-    if (limit < 1 || ids.length === 0) {
+
+    // In local mode, process all discovered/provided IDs (no limit).
+    const ids = shouldDiscoverGhsaIds ? await discoverGhsaIds(orgSlug, tarHash, {
+      coanaVersion,
+      cwd,
+      ecosystems,
+      spinner
+    }) : ghsas;
+    if (ids.length === 0) {
       spinner?.stop();
       return {
         ok: true,
@@ -3814,7 +3813,8 @@ async function coanaFix(fixConfig) {
     const tmpDir = os.tmpdir();
     const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
     try {
-      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+        coanaVersion,
         cwd,
         spinner,
         stdio: 'inherit'
@@ -3852,8 +3852,8 @@ async function coanaFix(fixConfig) {
     }
   }
 
-  // Adjust limit based on open Socket Fix PRs.
-  let adjustedLimit = limit;
+  // Adjust PR limit based on open Socket Fix PRs.
+  let adjustedPrLimit = prLimit;
   if (shouldOpenPrs && fixEnv.repoInfo) {
     try {
       const openPrs = await getSocketFixPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
@@ -3861,25 +3861,24 @@ async function coanaFix(fixConfig) {
       });
       const openPrCount = openPrs.length;
       // Reduce limit by number of open PRs to avoid creating too many.
-      adjustedLimit = Math.max(0, limit - openPrCount);
+      adjustedPrLimit = Math.max(0, prLimit - openPrCount);
       if (openPrCount > 0) {
-        require$$9.debugFn('notice', `limit: adjusted from ${limit} to ${adjustedLimit} (${openPrCount} open Socket Fix ${words.pluralize('PR', openPrCount)}`);
+        require$$9.debugFn('notice', `prLimit: adjusted from ${prLimit} to ${adjustedPrLimit} (${openPrCount} open Socket Fix ${words.pluralize('PR', openPrCount)}`);
       }
     } catch (e) {
       require$$9.debugFn('warn', 'Failed to count open PRs, using original limit');
       require$$9.debugDir('error', e);
     }
   }
-  const shouldSpawnCoana = adjustedLimit > 0;
+  const shouldSpawnCoana = adjustedPrLimit > 0;
   let ids;
-  if (shouldSpawnCoana && isAll) {
-    ids = await discoverGhsaIds(orgSlug, tarHash, {
+  if (shouldSpawnCoana) {
+    ids = (shouldDiscoverGhsaIds ? await discoverGhsaIds(orgSlug, tarHash, {
+      coanaVersion,
       cwd,
-      limit: adjustedLimit,
+      ecosystems,
       spinner
-    });
-  } else if (shouldSpawnCoana) {
-    ids = ghsas.slice(0, adjustedLimit);
+    }) : ghsas).slice(0, adjustedPrLimit);
   }
   if (!ids?.length) {
     require$$9.debugFn('notice', 'miss: no GHSA IDs to process');
@@ -3912,7 +3911,8 @@ async function coanaFix(fixConfig) {
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      coanaVersion,
       cwd,
       spinner,
       stdio: 'inherit'
@@ -4072,8 +4072,8 @@ async function coanaFix(fixConfig) {
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     }
     count += 1;
-    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(adjustedLimit, ids.length)}`);
-    if (count >= adjustedLimit) {
+    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(adjustedPrLimit, ids.length)}`);
+    if (count >= adjustedPrLimit) {
       break ghsaLoop;
     }
   }
@@ -4169,18 +4169,20 @@ async function convertIdsToGhsas(ids) {
 async function handleFix({
   applyFixes,
   autopilot,
+  coanaVersion,
   cwd,
   disableMajorUpdates,
+  ecosystems,
   exclude,
   ghsas,
   include,
-  limit,
   minSatisfying,
   minimumReleaseAge,
   orgSlug,
   outputFile,
   outputKind,
   prCheck,
+  prLimit,
   rangeStyle,
   showAffectedDirectDependencies,
   spinner,
@@ -4190,17 +4192,19 @@ async function handleFix({
   require$$9.debugDir('inspect', {
     applyFixes,
     autopilot,
+    coanaVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     ghsas,
     include,
-    limit,
     minSatisfying,
     minimumReleaseAge,
     outputFile,
     outputKind,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     unknownFlags
@@ -4208,18 +4212,20 @@ async function handleFix({
   await outputFixResult(await coanaFix({
     applyFixes,
     autopilot,
+    coanaVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
     ghsas: await convertIdsToGhsas(ghsas),
     include,
-    limit,
     minimumReleaseAge,
     minSatisfying,
     orgSlug,
     outputFile,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     spinner,
@@ -4242,6 +4248,10 @@ const generalFlags$2 = {
     default: false,
     description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
   },
+  fixVersion: {
+    type: 'string',
+    description: `Override the version of @coana-tech/cli used for fix analysis. Default: ${constants.default.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION}.`
+  },
   applyFixes: {
     aliases: ['onlyCompute'],
     type: 'boolean',
@@ -4281,10 +4291,11 @@ const generalFlags$2 = {
     Can be provided as comma separated values or as multiple flags`,
     isMultiple: true
   },
-  limit: {
+  prLimit: {
+    aliases: ['limit'],
     type: 'number',
     default: DEFAULT_LIMIT,
-    description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
+    description: `Maximum number of pull requests to create in CI mode (default ${DEFAULT_LIMIT}). Has no effect in local mode.`
   },
   rangeStyle: {
     type: 'string',
@@ -4306,6 +4317,12 @@ Available styles:
     default: '',
     description: 'Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.'
   },
+  ecosystems: {
+    type: 'string',
+    default: [],
+    description: 'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
+    isMultiple: true
+  },
   showAffectedDirectDependencies: {
     type: 'boolean',
     default: false,
@@ -4419,16 +4436,18 @@ async function run$K(argv, importMeta, {
   const {
     applyFixes,
     autopilot,
+    ecosystems,
     exclude,
+    fixVersion,
     include,
     json,
-    limit,
     majorUpdates,
     markdown,
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     // We patched in this feature with `npx custompatch meow` at
@@ -4439,6 +4458,21 @@ async function run$K(argv, importMeta, {
   const minSatisfying = cli.flags['minSatisfying'] || !maxSatisfying;
   const disableMajorUpdates = !majorUpdates;
   const outputKind = utils.getOutputKind(json, markdown);
+
+  // Process comma-separated values for ecosystems flag.
+  const ecosystemsRaw = utils.cmdFlagValueToArray(ecosystems);
+
+  // Validate ecosystem values early, before dry-run check.
+  const validatedEcosystems = [];
+  const validEcosystemChoices = utils.getEcosystemChoicesForMeow();
+  for (const ecosystem of ecosystemsRaw) {
+    if (!validEcosystemChoices.includes(ecosystem)) {
+      logger.logger.fail(`Invalid ecosystem: "${ecosystem}". Valid values are: ${arrays.joinAnd(validEcosystemChoices)}`);
+      process.exitCode = 1;
+      return;
+    }
+    validatedEcosystems.push(ecosystem);
+  }
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
     message: `Expecting range style of ${arrays.joinOr(utils.RangeStyles)}`,
@@ -4476,18 +4510,20 @@ async function run$K(argv, importMeta, {
   await handleFix({
     applyFixes,
     autopilot,
+    coanaVersion: fixVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems: validatedEcosystems,
     exclude: excludePatterns,
     ghsas,
     include: includePatterns,
-    limit,
     minimumReleaseAge,
     minSatisfying,
     orgSlug,
     outputFile,
     outputKind,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     spinner,
@@ -8047,7 +8083,7 @@ async function run$t(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8186,7 +8222,7 @@ async function run$s(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8322,7 +8358,7 @@ async function run$r(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8450,7 +8486,7 @@ async function run$q(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8581,7 +8617,7 @@ async function run$p(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8950,7 +8986,7 @@ async function run$o(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -10236,7 +10272,7 @@ async function run$i(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -10372,7 +10408,7 @@ async function run$h(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -10664,7 +10700,7 @@ async function run$g(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -10863,7 +10899,7 @@ async function run$f(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -11030,7 +11066,7 @@ async function run$e(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -11068,6 +11104,10 @@ const cmdRepository = {
 };
 
 const reachabilityFlags = {
+  reachVersion: {
+    type: 'string',
+    description: `Override the version of @coana-tech/cli used for reachability analysis. Default: ${constants.default.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION}.`
+  },
   reachAnalysisMemoryLimit: {
     type: 'number',
     default: 8192,
@@ -11356,6 +11396,7 @@ async function run$d(argv, importMeta, {
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
+    reachVersion,
     readOnly,
     reportLevel,
     setAsAlertsPage: pendingHeadFlag,
@@ -11483,7 +11524,8 @@ async function run$d(argv, importMeta, {
   const isUsingNonDefaultTimeout = reachAnalysisTimeout !== reachabilityFlags['reachAnalysisTimeout']?.default;
   const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
-  const isUsingAnyReachabilityFlags = isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultConcurrency || isUsingNonDefaultAnalytics || hasReachEcosystems || hasReachExcludePaths || reachSkipCache || reachDisableAnalysisSplitting;
+  const isUsingNonDefaultVersion = reachVersion !== reachabilityFlags['reachVersion']?.default;
+  const isUsingAnyReachabilityFlags = hasReachEcosystems || hasReachExcludePaths || isUsingNonDefaultAnalytics || isUsingNonDefaultConcurrency || isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultVersion || reachDisableAnalysisSplitting || reachSkipCache;
 
   // Validate target constraints when --reach is enabled.
   const reachTargetValidation = reach ? await validateReachabilityTarget(targets, cwd) : {
@@ -11508,7 +11550,7 @@ async function run$d(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -11568,16 +11610,17 @@ async function run$d(argv, importMeta, {
     pendingHead: Boolean(pendingHead),
     pullRequest: Number(pullRequest),
     reach: {
-      runReachabilityAnalysis: Boolean(reach),
-      reachDisableAnalytics: Boolean(reachDisableAnalytics),
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
+      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
       reachDebug: Boolean(reachDebug),
       reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
-      reachSkipCache: Boolean(reachSkipCache)
+      reachSkipCache: Boolean(reachSkipCache),
+      reachVersion,
+      runReachabilityAnalysis: Boolean(reach)
     },
     readOnly: Boolean(readOnly),
     repoName,
@@ -11696,7 +11739,7 @@ async function run$c(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -12010,7 +12053,7 @@ async function run$b(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -12216,16 +12259,17 @@ async function scanOneRepo(repoSlug, {
     pendingHead: true,
     pullRequest: 0,
     reach: {
-      runReachabilityAnalysis: false,
-      reachDisableAnalytics: false,
-      reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
+      reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
       reachDisableAnalysisSplitting: false,
+      reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
-      reachSkipCache: false
+      reachSkipCache: false,
+      reachVersion: undefined,
+      runReachabilityAnalysis: false
     },
     readOnly: false,
     repoName: repoSlug,
@@ -12902,11 +12946,11 @@ async function run$a(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasSocketApiToken,
+    test: dryRun || hasSocketApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
-    test: hasGithubApiToken,
+    test: dryRun || hasGithubApiToken,
     message: 'This command requires a GitHub API token for access',
     fail: 'missing'
   });
@@ -13170,7 +13214,7 @@ async function run$9(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -13331,7 +13375,7 @@ async function run$8(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -13511,7 +13555,8 @@ async function run$7(argv, importMeta, {
     reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
-    reachSkipCache
+    reachSkipCache,
+    reachVersion
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
 
@@ -13553,7 +13598,7 @@ async function run$7(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires an API token for access',
     fail: 'try `socket login`'
   }, {
@@ -13601,15 +13646,16 @@ async function run$7(argv, importMeta, {
     outputKind,
     outputPath: outputPath || '',
     reachabilityOptions: {
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
+      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
       reachDebug: Boolean(reachDebug),
-      reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
-      reachSkipCache: Boolean(reachSkipCache)
+      reachSkipCache: Boolean(reachSkipCache),
+      reachVersion
     },
     targets
   });
@@ -13742,7 +13788,7 @@ async function run$6(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -14341,7 +14387,7 @@ async function run$4(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -14776,7 +14822,7 @@ async function run$3(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -15448,5 +15494,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=abe9e0d9-90ff-4e73-99b1-648bc5ca3347
+//# debugId=5f201233-b128-4a9f-b7eb-542d9cde563b
 //# sourceMappingURL=cli.js.map