@socketsecurity/cli 1.1.28 → 1.1.30

package/CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.30](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.30) - 2025-11-18
+
+### Changed
+- Enhanced `SOCKET_CLI_COANA_LOCAL_PATH` to support compiled Coana CLI binaries alongside Node.js script files
+
+### Fixed
+- Resolved PR creation workflow to properly recreate pull requests after closing or merging
+- Corrected API token selection to honor `SOCKET_CLI_API_TOKEN` environment variable in package alert requests
+
+## [1.1.29](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.29) - 2025-11-16
+
+### Added
+- Added options `--reach-concurrency <number>` and `--reach-disable-analysis-splitting` for `socket scan create --reach`
+
 ## [1.1.28](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.28) - 2025-11-13
 
 ### Added

package/dist/cli.js

@@ -1631,7 +1631,7 @@ async function performReachabilityAnalysis(options) {
   spinner?.infoAndStop('Running reachability analysis with Coana...');
 
   // Build Coana arguments.
-  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : [])];
 
@@ -2371,7 +2371,9 @@ async function handleCi(autoManifest) {
     reach: {
       reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
+      reachConcurrency: 1,
       reachDisableAnalytics: false,
+      reachDisableAnalysisSplitting: false,
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false,
@@ -3262,6 +3264,68 @@ const cmdConfig = {
   }
 };
 
+/**
+ * Branch cleanup utilities for socket fix command.
+ * Manages local and remote branch lifecycle during PR creation.
+ *
+ * Critical distinction: Remote branches are sacred when a PR exists, disposable when they don't.
+ */
+
+
+/**
+ * Clean up a stale branch (both remote and local).
+ * Safe to delete both since no PR exists for this branch.
+ *
+ * Returns true if cleanup succeeded or should continue, false if should skip GHSA.
+ */
+async function cleanupStaleBranch(branch, ghsaId, cwd) {
+  logger.logger.warn(`Stale branch ${branch} found without open PR, cleaning up...`);
+  require$$9.debugFn('notice', `cleanup: deleting stale branch ${branch}`);
+  const deleted = await utils.gitDeleteRemoteBranch(branch, cwd);
+  if (!deleted) {
+    logger.logger.error(`Failed to delete stale remote branch ${branch}, skipping ${ghsaId}.`);
+    require$$9.debugFn('error', `cleanup: remote deletion failed for ${branch}`);
+    return false;
+  }
+
+  // Clean up local branch too to avoid conflicts.
+  await utils.gitDeleteBranch(branch, cwd);
+  return true;
+}
+
+/**
+ * Clean up branches after PR creation failure.
+ * Safe to delete both remote and local since no PR was created.
+ */
+async function cleanupFailedPrBranches(branch, cwd) {
+  // Clean up pushed branch since PR creation failed.
+  // Safe to delete both remote and local since no PR exists.
+  await utils.gitDeleteRemoteBranch(branch, cwd);
+  await utils.gitDeleteBranch(branch, cwd);
+}
+
+/**
+ * Clean up local branch after successful PR creation.
+ * Keeps remote branch - PR needs it to be mergeable.
+ */
+async function cleanupSuccessfulPrLocalBranch(branch, cwd) {
+  // Clean up local branch only - keep remote branch for PR merge.
+  await utils.gitDeleteBranch(branch, cwd);
+}
+
+/**
+ * Clean up branches in catch block after unexpected error.
+ * Safe to delete both remote and local since no PR was created.
+ */
+async function cleanupErrorBranches(branch, cwd, remoteBranchExists) {
+  // Clean up remote branch if it exists (push may have succeeded before error).
+  // Safe to delete both remote and local since no PR was created.
+  if (remoteBranchExists) {
+    await utils.gitDeleteRemoteBranch(branch, cwd);
+  }
+  await utils.gitDeleteBranch(branch, cwd);
+}
+
 const GITHUB_ADVISORIES_URL = 'https://github.com/advisories';
 function getSocketFixBranchName(ghsaId) {
   return `socket/fix/${ghsaId}`;
@@ -3321,17 +3385,66 @@ async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
     require$$9.debugDir('inspect', {
       octokitPullsCreateParams
     });
-    return await octokit.pulls.create(octokitPullsCreateParams);
+    const pr = await octokit.pulls.create(octokitPullsCreateParams);
+    return {
+      ok: true,
+      pr
+    };
   } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
+    // Handle RequestError from Octokit.
+    if (e instanceof vendor.RequestError) {
+      const errors = e.response?.data?.['errors'];
+      const errorMessages = Array.isArray(errors) ? errors.map(d => d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`) : [];
+
+      // Check for "PR already exists" error.
+      if (errorMessages.some(msg => msg.toLowerCase().includes('pull request already exists'))) {
+        require$$9.debugFn('error', 'Failed to open pull request: already exists');
+        return {
+          ok: false,
+          reason: 'already_exists',
+          error: e
+        };
+      }
+
+      // Check for validation errors (e.g., no commits between branches).
+      if (errors && errors.length > 0) {
+        const details = errorMessages.map(d => `- ${d}`).join('\n');
+        require$$9.debugFn('error', `Failed to open pull request:\n${details}`);
+        return {
+          ok: false,
+          reason: 'validation_error',
+          error: e,
+          details
+        };
+      }
+
+      // Check HTTP status codes.
+      if (e.status === 403 || e.status === 401) {
+        require$$9.debugFn('error', 'Failed to open pull request: permission denied');
+        return {
+          ok: false,
+          reason: 'permission_denied',
+          error: e
+        };
+      }
+      if (e.status && e.status >= 500) {
+        require$$9.debugFn('error', 'Failed to open pull request: network error');
+        return {
+          ok: false,
+          reason: 'network_error',
+          error: e
+        };
+      }
     }
-    require$$9.debugFn('error', message);
+
+    // Unknown error.
+    require$$9.debugFn('error', `Failed to open pull request: ${e}`);
+    return {
+      ok: false,
+      reason: 'unknown',
+      error: e
+    };
   }
-  return undefined;
 }
 async function getSocketFixPrs(owner, repo, options) {
   return (await getSocketFixPrsWithContext(owner, repo, options)).map(d => d.match);
@@ -3758,10 +3871,34 @@ async function coanaFix(fixConfig) {
     overallFixed = true;
     const branch = getSocketFixBranchName(ghsaId);
     try {
-      // Check if branch already exists.
+      // Check if an open PR already exists for this GHSA.
+      // eslint-disable-next-line no-await-in-loop
+      const existingOpenPrs = await getSocketFixPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
+        ghsaId,
+        states: constants.GQL_PR_STATE_OPEN
+      });
+      if (existingOpenPrs.length > 0) {
+        const prNum = existingOpenPrs[0].number;
+        logger.logger.info(`PR #${prNum} already exists for ${ghsaId}, skipping.`);
+        require$$9.debugFn('notice', `skip: open PR #${prNum} exists for ${ghsaId}`);
+        continue ghsaLoop;
+      }
+
+      // If branch exists but no open PR, delete the stale branch.
+      // This handles cases where PR creation failed but branch was pushed.
       // eslint-disable-next-line no-await-in-loop
       if (await utils.gitRemoteBranchExists(branch, cwd)) {
-        require$$9.debugFn('notice', `skip: remote branch "${branch}" exists`);
+        // eslint-disable-next-line no-await-in-loop
+        const shouldContinue = await cleanupStaleBranch(branch, ghsaId, cwd);
+        if (!shouldContinue) {
+          continue ghsaLoop;
+        }
+      }
+
+      // Check for GitHub token before doing any git operations.
+      if (!fixEnv.githubToken) {
+        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        require$$9.debugFn('error', `skip: missing GitHub token for ${ghsaId}`);
         continue ghsaLoop;
       }
       require$$9.debugFn('notice', `pr: creating for ${ghsaId}`);
@@ -3792,31 +3929,21 @@ async function coanaFix(fixConfig) {
       }
 
       // Set up git remote.
-      if (!fixEnv.githubToken) {
-        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
-        // eslint-disable-next-line no-await-in-loop
-        await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
-        // eslint-disable-next-line no-await-in-loop
-        await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-        // eslint-disable-next-line no-await-in-loop
-        await utils.gitDeleteBranch(branch, cwd);
-        continue ghsaLoop;
-      }
       // eslint-disable-next-line no-await-in-loop
       await utils.setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
 
       // eslint-disable-next-line no-await-in-loop
-      const prResponse = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
+      const prResult = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
       // Single GHSA ID.
       [ghsaId], {
         baseBranch: fixEnv.baseBranch,
         cwd,
         ghsaDetails
       });
-      if (prResponse) {
+      if (prResult.ok) {
         const {
           data
-        } = prResponse;
+        } = prResult.pr;
         const prRef = `PR #${data.number}`;
         logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
         if (autopilot) {
@@ -3836,16 +3963,47 @@ async function coanaFix(fixConfig) {
           logger.logger.dedent();
           spinner?.dedent();
         }
+
+        // Clean up local branch only - keep remote branch for PR merge.
+        // eslint-disable-next-line no-await-in-loop
+        await cleanupSuccessfulPrLocalBranch(branch, cwd);
+      } else {
+        // Handle PR creation failures.
+        if (prResult.reason === 'already_exists') {
+          logger.logger.info(`PR already exists for ${ghsaId} (this should not happen due to earlier check).`);
+          // Don't delete branch - PR exists and needs it.
+        } else if (prResult.reason === 'validation_error') {
+          logger.logger.error(`Failed to create PR for ${ghsaId}:\n${prResult.details}`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        } else if (prResult.reason === 'permission_denied') {
+          logger.logger.error(`Failed to create PR for ${ghsaId}: Permission denied. Check SOCKET_CLI_GITHUB_TOKEN permissions.`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        } else if (prResult.reason === 'network_error') {
+          logger.logger.error(`Failed to create PR for ${ghsaId}: Network error. Please try again.`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        } else {
+          logger.logger.error(`Failed to create PR for ${ghsaId}: ${prResult.error.message}`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        }
       }
 
       // Reset back to base branch for next iteration.
       // eslint-disable-next-line no-await-in-loop
-      await utils.gitResetAndClean(branch, cwd);
+      await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
       logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
       require$$9.debugDir('error', e);
+      // Clean up branches (push may have succeeded before error).
+      // eslint-disable-next-line no-await-in-loop
+      const remoteBranchExists = await utils.gitRemoteBranchExists(branch, cwd);
+      // eslint-disable-next-line no-await-in-loop
+      await cleanupErrorBranches(branch, cwd, remoteBranchExists);
       // eslint-disable-next-line no-await-in-loop
       await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
       // eslint-disable-next-line no-await-in-loop
@@ -10858,11 +11016,21 @@ const reachabilityFlags = {
     default: 0,
     description: 'Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.'
   },
+  reachConcurrency: {
+    type: 'number',
+    default: 1,
+    description: 'Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.'
+  },
   reachDisableAnalytics: {
     type: 'boolean',
     default: false,
     description: 'Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.'
   },
+  reachDisableAnalysisSplitting: {
+    type: 'boolean',
+    default: false,
+    description: 'Limits Coana to at most 1 reachability analysis run per workspace.'
+  },
   reachEcosystems: {
     type: 'string',
     isMultiple: true,
@@ -11081,6 +11249,8 @@ async function run$d(argv, importMeta, {
     reach,
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
+    reachConcurrency,
+    reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
     readOnly,
@@ -11208,8 +11378,9 @@ async function run$d(argv, importMeta, {
   const hasReachExcludePaths = reachExcludePaths.length > 0;
   const isUsingNonDefaultMemoryLimit = reachAnalysisMemoryLimit !== reachabilityFlags['reachAnalysisMemoryLimit']?.default;
   const isUsingNonDefaultTimeout = reachAnalysisTimeout !== reachabilityFlags['reachAnalysisTimeout']?.default;
+  const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
-  const isUsingAnyReachabilityFlags = isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultAnalytics || hasReachEcosystems || hasReachExcludePaths || reachSkipCache;
+  const isUsingAnyReachabilityFlags = isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultConcurrency || isUsingNonDefaultAnalytics || hasReachEcosystems || hasReachExcludePaths || reachSkipCache || reachDisableAnalysisSplitting;
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: !!orgSlug,
@@ -11270,6 +11441,8 @@ async function run$d(argv, importMeta, {
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
+      reachConcurrency: Number(reachConcurrency),
+      reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache)
@@ -11915,6 +12088,8 @@ async function scanOneRepo(repoSlug, {
       reachDisableAnalytics: false,
       reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
+      reachConcurrency: 1,
+      reachDisableAnalysisSplitting: false,
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false
@@ -13185,6 +13360,8 @@ async function run$7(argv, importMeta, {
     org: orgFlag,
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
+    reachConcurrency,
+    reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache
   } = cli.flags;
@@ -13250,7 +13427,9 @@ async function run$7(argv, importMeta, {
     reachabilityOptions: {
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
+      reachConcurrency: Number(reachConcurrency),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
+      reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache)
@@ -15091,5 +15270,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=13d5a945-42af-4203-b65f-268cf102639c
+//# debugId=dbcc0fa8-7ea6-462d-9ebe-824e2129f7b8
 //# sourceMappingURL=cli.js.map