@socketsecurity/cli-with-sentry 1.1.97 → 1.1.98

package/CHANGELOG.md

@@ -10,6 +10,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - **`socket manifest bazel [beta]`** — Generate Bazel JVM SBOM manifests by running `bazel query` against discovered Maven repos in a Bazel workspace. Closes the inline-Maven-declaration gap that lockfile-only parsing misses for repos like envoy, ray, tensorflow, tink-java, and or-tools. Auto-detects Bzlmod and legacy `WORKSPACE`.
 - **`socket scan create --auto-manifest`** now covers Bazel workspaces in addition to Gradle/Scala/Kotlin/Conda. Repos with `MODULE.bazel`, `WORKSPACE`, or `WORKSPACE.bazel` are detected automatically and their Maven dependencies extracted as part of the standard scan-create flow.
 
+## [1.1.98](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.98) - 2026-05-20
+
+### Changed
+- `socket scan create --reach` now uploads the reachability facts file as brotli on the wire, shrinking mono-repo upload sizes by roughly 85% with no change to the on-disk or stored format. Faster scan submissions on slow connections.
+
 ## [1.1.97](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.97) - 2026-05-18
 
 ### Changed

package/dist/cli.js

@@ -2826,6 +2826,21 @@ function bazelExternalDir(cwd, outputBase) {
   }
 }
 
+// Internal diagnostic: when truthy, skip the unsorted_deps.json fast path
+// and force the bazel-query regex fallback. Used by bazel-bench to
+// deterministically exercise parseBazelBuildOutput on every CI run. Truthy
+// values are '1', 'true', 'yes' (case-insensitive); anything else (unset,
+// '', '0', 'false') is treated as off. Not exposed as a user-facing CLI
+// flag, so it is read here rather than added to constants.mts.
+function isForceQueryFallbackEnabled() {
+  const raw = process.env['SOCKET_BAZEL_FORCE_QUERY_FALLBACK'];
+  if (!raw) {
+    return false;
+  }
+  const normalized = raw.toLowerCase();
+  return normalized === '1' || normalized === 'true' || normalized === 'yes';
+}
+
 // Tries `external/<repo>/unsorted_deps.json` first; falls back to parsing the
 // probe stdout the caller already captured during discovery. Discovery runs
 // the same `kind("jvm_import rule|aar_import rule", @<repo>//:*)` query that
@@ -2841,7 +2856,11 @@ async function extractFromOneRepo(repoName, queryOpts, cachedProbeStdout) {
   if (verbose) {
     logger.logger.log(`[VERBOSE] @${repoName}: external dir:`, externalDir ?? '(unresolved — bazel-out symlink absent)');
   }
-  const candidates = externalDir ? [path.join(externalDir, repoName, 'unsorted_deps.json')] : [];
+  const forceFallback = isForceQueryFallbackEnabled();
+  if (forceFallback && verbose) {
+    logger.logger.log(`[VERBOSE] @${repoName}: SOCKET_BAZEL_FORCE_QUERY_FALLBACK set; skipping unsorted_deps.json fast path.`);
+  }
+  const candidates = forceFallback ? [] : externalDir ? [path.join(externalDir, repoName, 'unsorted_deps.json')] : [];
   for (const c of candidates) {
     if (fs$1.existsSync(c)) {
       // Bound the read to 1GB to prevent OOM on hostile content while allowing large real-world lockfiles.
@@ -3727,21 +3746,34 @@ async function handleCreateNewScan({
     scanPaths = [...pathsForScan, ...(reachabilityReport ? [reachabilityReport] : [])];
     tier1ReachabilityScanId = reachResult.data?.tier1ReachabilityScanId;
   }
-  const fullScanCResult = await fetchCreateOrgFullScan(scanPaths, orgSlug, {
-    commitHash,
-    commitMessage,
-    committers,
-    pullRequest,
-    repoName,
-    branchName,
-    scanType: reach.runReachabilityAnalysis ? constants.default.SCAN_TYPE_SOCKET_TIER1 : constants.default.SCAN_TYPE_SOCKET,
-    workspace
-  }, {
-    cwd,
-    defaultBranch,
-    pendingHead,
-    tmp
-  });
+
+  // Brotli-compress any .socket.facts.json paths in scanPaths just before
+  // upload. depscan's api-v0 multipart boundary streams brotli decode based
+  // on the .br filename suffix. Coana keeps writing plain .socket.facts.json
+  // on disk, so the local read paths (extractTier1ReachabilityScanId,
+  // extractReachabilityErrors) stay correct. The cleanup() in the finally
+  // block removes the temp dirs whether the upload succeeded or threw.
+  const compressed = await utils.compressSocketFactsForUpload(scanPaths);
+  let fullScanCResult;
+  try {
+    fullScanCResult = await fetchCreateOrgFullScan(compressed.paths, orgSlug, {
+      commitHash,
+      commitMessage,
+      committers,
+      pullRequest,
+      repoName,
+      branchName,
+      scanType: reach.runReachabilityAnalysis ? constants.default.SCAN_TYPE_SOCKET_TIER1 : constants.default.SCAN_TYPE_SOCKET,
+      workspace
+    }, {
+      cwd,
+      defaultBranch,
+      pendingHead,
+      tmp
+    });
+  } finally {
+    await compressed.cleanup();
+  }
   const scanId = fullScanCResult.ok ? fullScanCResult.data?.id : undefined;
   if (reach && scanId && tier1ReachabilityScanId) {
     await finalizeTier1Scan(tier1ReachabilityScanId, scanId);
@@ -17223,5 +17255,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=18cb97b2-20ce-409e-aec7-5485ca050fb0
+//# debugId=70895ae2-8c82-49e4-a1fb-3cbc0ccb2c57
 //# sourceMappingURL=cli.js.map