@socketsecurity/cli 1.1.29 → 1.1.30

package/CHANGELOG.md

@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.30](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.30) - 2025-11-18
+
+### Changed
+- Enhanced `SOCKET_CLI_COANA_LOCAL_PATH` to support compiled Coana CLI binaries alongside Node.js script files
+
+### Fixed
+- Resolved PR creation workflow to properly recreate pull requests after closing or merging
+- Corrected API token selection to honor `SOCKET_CLI_API_TOKEN` environment variable in package alert requests
+
 ## [1.1.29](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.29) - 2025-11-16
 
 ### Added

package/dist/cli.js

@@ -3264,6 +3264,68 @@ const cmdConfig = {
   }
 };
 
+/**
+ * Branch cleanup utilities for socket fix command.
+ * Manages local and remote branch lifecycle during PR creation.
+ *
+ * Critical distinction: Remote branches are sacred when a PR exists, disposable when they don't.
+ */
+
+
+/**
+ * Clean up a stale branch (both remote and local).
+ * Safe to delete both since no PR exists for this branch.
+ *
+ * Returns true if cleanup succeeded or should continue, false if should skip GHSA.
+ */
+async function cleanupStaleBranch(branch, ghsaId, cwd) {
+  logger.logger.warn(`Stale branch ${branch} found without open PR, cleaning up...`);
+  require$$9.debugFn('notice', `cleanup: deleting stale branch ${branch}`);
+  const deleted = await utils.gitDeleteRemoteBranch(branch, cwd);
+  if (!deleted) {
+    logger.logger.error(`Failed to delete stale remote branch ${branch}, skipping ${ghsaId}.`);
+    require$$9.debugFn('error', `cleanup: remote deletion failed for ${branch}`);
+    return false;
+  }
+
+  // Clean up local branch too to avoid conflicts.
+  await utils.gitDeleteBranch(branch, cwd);
+  return true;
+}
+
+/**
+ * Clean up branches after PR creation failure.
+ * Safe to delete both remote and local since no PR was created.
+ */
+async function cleanupFailedPrBranches(branch, cwd) {
+  // Clean up pushed branch since PR creation failed.
+  // Safe to delete both remote and local since no PR exists.
+  await utils.gitDeleteRemoteBranch(branch, cwd);
+  await utils.gitDeleteBranch(branch, cwd);
+}
+
+/**
+ * Clean up local branch after successful PR creation.
+ * Keeps remote branch - PR needs it to be mergeable.
+ */
+async function cleanupSuccessfulPrLocalBranch(branch, cwd) {
+  // Clean up local branch only - keep remote branch for PR merge.
+  await utils.gitDeleteBranch(branch, cwd);
+}
+
+/**
+ * Clean up branches in catch block after unexpected error.
+ * Safe to delete both remote and local since no PR was created.
+ */
+async function cleanupErrorBranches(branch, cwd, remoteBranchExists) {
+  // Clean up remote branch if it exists (push may have succeeded before error).
+  // Safe to delete both remote and local since no PR was created.
+  if (remoteBranchExists) {
+    await utils.gitDeleteRemoteBranch(branch, cwd);
+  }
+  await utils.gitDeleteBranch(branch, cwd);
+}
+
 const GITHUB_ADVISORIES_URL = 'https://github.com/advisories';
 function getSocketFixBranchName(ghsaId) {
   return `socket/fix/${ghsaId}`;
@@ -3323,17 +3385,66 @@ async function openSocketFixPr(owner, repo, branch, ghsaIds, options) {
     require$$9.debugDir('inspect', {
       octokitPullsCreateParams
     });
-    return await octokit.pulls.create(octokitPullsCreateParams);
+    const pr = await octokit.pulls.create(octokitPullsCreateParams);
+    return {
+      ok: true,
+      pr
+    };
   } catch (e) {
-    let message = `Failed to open pull request`;
-    const errors = e instanceof vendor.RequestError ? e.response?.data?.['errors'] : undefined;
-    if (Array.isArray(errors) && errors.length) {
-      const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
-      message += `:\n${details}`;
+    // Handle RequestError from Octokit.
+    if (e instanceof vendor.RequestError) {
+      const errors = e.response?.data?.['errors'];
+      const errorMessages = Array.isArray(errors) ? errors.map(d => d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`) : [];
+
+      // Check for "PR already exists" error.
+      if (errorMessages.some(msg => msg.toLowerCase().includes('pull request already exists'))) {
+        require$$9.debugFn('error', 'Failed to open pull request: already exists');
+        return {
+          ok: false,
+          reason: 'already_exists',
+          error: e
+        };
+      }
+
+      // Check for validation errors (e.g., no commits between branches).
+      if (errors && errors.length > 0) {
+        const details = errorMessages.map(d => `- ${d}`).join('\n');
+        require$$9.debugFn('error', `Failed to open pull request:\n${details}`);
+        return {
+          ok: false,
+          reason: 'validation_error',
+          error: e,
+          details
+        };
+      }
+
+      // Check HTTP status codes.
+      if (e.status === 403 || e.status === 401) {
+        require$$9.debugFn('error', 'Failed to open pull request: permission denied');
+        return {
+          ok: false,
+          reason: 'permission_denied',
+          error: e
+        };
+      }
+      if (e.status && e.status >= 500) {
+        require$$9.debugFn('error', 'Failed to open pull request: network error');
+        return {
+          ok: false,
+          reason: 'network_error',
+          error: e
+        };
+      }
     }
-    require$$9.debugFn('error', message);
+
+    // Unknown error.
+    require$$9.debugFn('error', `Failed to open pull request: ${e}`);
+    return {
+      ok: false,
+      reason: 'unknown',
+      error: e
+    };
   }
-  return undefined;
 }
 async function getSocketFixPrs(owner, repo, options) {
   return (await getSocketFixPrsWithContext(owner, repo, options)).map(d => d.match);
@@ -3760,10 +3871,34 @@ async function coanaFix(fixConfig) {
     overallFixed = true;
     const branch = getSocketFixBranchName(ghsaId);
     try {
-      // Check if branch already exists.
+      // Check if an open PR already exists for this GHSA.
+      // eslint-disable-next-line no-await-in-loop
+      const existingOpenPrs = await getSocketFixPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
+        ghsaId,
+        states: constants.GQL_PR_STATE_OPEN
+      });
+      if (existingOpenPrs.length > 0) {
+        const prNum = existingOpenPrs[0].number;
+        logger.logger.info(`PR #${prNum} already exists for ${ghsaId}, skipping.`);
+        require$$9.debugFn('notice', `skip: open PR #${prNum} exists for ${ghsaId}`);
+        continue ghsaLoop;
+      }
+
+      // If branch exists but no open PR, delete the stale branch.
+      // This handles cases where PR creation failed but branch was pushed.
       // eslint-disable-next-line no-await-in-loop
       if (await utils.gitRemoteBranchExists(branch, cwd)) {
-        require$$9.debugFn('notice', `skip: remote branch "${branch}" exists`);
+        // eslint-disable-next-line no-await-in-loop
+        const shouldContinue = await cleanupStaleBranch(branch, ghsaId, cwd);
+        if (!shouldContinue) {
+          continue ghsaLoop;
+        }
+      }
+
+      // Check for GitHub token before doing any git operations.
+      if (!fixEnv.githubToken) {
+        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        require$$9.debugFn('error', `skip: missing GitHub token for ${ghsaId}`);
         continue ghsaLoop;
       }
       require$$9.debugFn('notice', `pr: creating for ${ghsaId}`);
@@ -3794,31 +3929,21 @@ async function coanaFix(fixConfig) {
       }
 
       // Set up git remote.
-      if (!fixEnv.githubToken) {
-        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
-        // eslint-disable-next-line no-await-in-loop
-        await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
-        // eslint-disable-next-line no-await-in-loop
-        await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
-        // eslint-disable-next-line no-await-in-loop
-        await utils.gitDeleteBranch(branch, cwd);
-        continue ghsaLoop;
-      }
       // eslint-disable-next-line no-await-in-loop
       await utils.setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
 
       // eslint-disable-next-line no-await-in-loop
-      const prResponse = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
+      const prResult = await openSocketFixPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch,
       // Single GHSA ID.
       [ghsaId], {
         baseBranch: fixEnv.baseBranch,
         cwd,
         ghsaDetails
       });
-      if (prResponse) {
+      if (prResult.ok) {
         const {
           data
-        } = prResponse;
+        } = prResult.pr;
         const prRef = `PR #${data.number}`;
         logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
         if (autopilot) {
@@ -3838,16 +3963,47 @@ async function coanaFix(fixConfig) {
           logger.logger.dedent();
           spinner?.dedent();
         }
+
+        // Clean up local branch only - keep remote branch for PR merge.
+        // eslint-disable-next-line no-await-in-loop
+        await cleanupSuccessfulPrLocalBranch(branch, cwd);
+      } else {
+        // Handle PR creation failures.
+        if (prResult.reason === 'already_exists') {
+          logger.logger.info(`PR already exists for ${ghsaId} (this should not happen due to earlier check).`);
+          // Don't delete branch - PR exists and needs it.
+        } else if (prResult.reason === 'validation_error') {
+          logger.logger.error(`Failed to create PR for ${ghsaId}:\n${prResult.details}`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        } else if (prResult.reason === 'permission_denied') {
+          logger.logger.error(`Failed to create PR for ${ghsaId}: Permission denied. Check SOCKET_CLI_GITHUB_TOKEN permissions.`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        } else if (prResult.reason === 'network_error') {
+          logger.logger.error(`Failed to create PR for ${ghsaId}: Network error. Please try again.`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        } else {
+          logger.logger.error(`Failed to create PR for ${ghsaId}: ${prResult.error.message}`);
+          // eslint-disable-next-line no-await-in-loop
+          await cleanupFailedPrBranches(branch, cwd);
+        }
       }
 
       // Reset back to base branch for next iteration.
       // eslint-disable-next-line no-await-in-loop
-      await utils.gitResetAndClean(branch, cwd);
+      await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
       logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
       require$$9.debugDir('error', e);
+      // Clean up branches (push may have succeeded before error).
+      // eslint-disable-next-line no-await-in-loop
+      const remoteBranchExists = await utils.gitRemoteBranchExists(branch, cwd);
+      // eslint-disable-next-line no-await-in-loop
+      await cleanupErrorBranches(branch, cwd, remoteBranchExists);
       // eslint-disable-next-line no-await-in-loop
       await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
       // eslint-disable-next-line no-await-in-loop
@@ -15114,5 +15270,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=af14f2c8-7f1a-4f12-bd1a-322165537e4f
+//# debugId=dbcc0fa8-7ea6-462d-9ebe-824e2129f7b8
 //# sourceMappingURL=cli.js.map