@socketsecurity/cli 1.1.30 → 1.1.32

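--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.32](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.32) - 2025-11-20
+
+### Changed
+- Updated @coana-tech/cli to 14.12.90
+- Updated @cyclonedx/cdxgen to 11.11.0
+
+### Fixed
+- Resolved `--limit` flag behavior to correctly restrict vulnerability processing in `socket fix` local mode
+- Exclude `.socket.facts.json` files from `socket fix` manifest uploads
+
+## [1.1.31](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.31) - 2025-11-19
+
+### Fixed
+- Enhanced pull request descriptions to remove duplicate package listings for cleaner, more readable output
+
 ## [1.1.30](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.30) - 2025-11-18
 
 ### Changed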
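--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -3327,6 +3327,13 @@ async function cleanupErrorBranches(branch, cwd, remoteBranchExists) {
 }
 
 const GITHUB_ADVISORIES_URL = 'https://github.com/advisories';
+
+/**
+* Extract unique package names with ecosystems from vulnerability details.
+*/
+function getUniquePackages(details) {
+return [...new Set(details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`))];
+}
 function getSocketFixBranchName(ghsaId) {
 return `socket/fix/${ghsaId}`;
 }
@@ -3346,14 +3353,14 @@ function getSocketFixPullRequestBody(ghsaIds, ghsaDetails) {
 if (!details) {
 return body;
 }
-const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
+const packages = getUniquePackages(details);
 return [body, '', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
 }
 return [`[Socket](${constants.default.SOCKET_WEBSITE_URL}) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
 const details = ghsaDetails?.get(id);
 const item = `- [${id}](${GITHUB_ADVISORIES_URL}/${id})`;
 if (details) {
-const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
+const packages = getUniquePackages(details);
 return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
 }
 return item;
@@ -3666,6 +3673,29 @@ async function getFixEnv() {
 };
 }
 
+/**
+* Discovers GHSA IDs by running coana without applying fixes.
+* Returns a list of GHSA IDs, optionally limited.
+*/
+async function discoverGhsaIds(orgSlug, tarHash, fixConfig, options) {
+const {
+cwd = process.cwd(),
+limit,
+spinner
+} = {
+__proto__: null,
+...options
+};
+const foundCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(fixConfig.minimumReleaseAge ? ['--minimum-release-age', fixConfig.minimumReleaseAge] : []), ...(fixConfig.include.length ? ['--include', ...fixConfig.include] : []), ...(fixConfig.exclude.length ? ['--exclude', ...fixConfig.exclude] : []), ...(fixConfig.disableMajorUpdates ? ['--disable-major-updates'] : []), ...(fixConfig.showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], orgSlug, {
+cwd,
+spinner
+});
+if (foundCResult.ok) {
+const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
+return limit !== undefined ? foundIds.slice(0, limit) : foundIds;
+}
+return [];
+}
 async function coanaFix(fixConfig) {
 const {
 applyFixes,
@@ -3702,7 +3732,10 @@ async function coanaFix(fixConfig) {
 const scanFilepaths = await utils.getPackageFilesForScan(['.'], supportedFiles, {
 cwd
 });
-const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, scanFilepaths), {
+// Exclude any .socket.facts.json files that happen to be in the scan
+// folder before the analysis was run.
+const filepathsToUpload = scanFilepaths.filter(p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON);
+const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload), {
 description: 'upload manifests',
 spinner
 });
@@ -3734,8 +3767,19 @@ async function coanaFix(fixConfig) {
 logger.logger.info('Running in local mode - fixes will be applied directly to your working directory.\n' + getCiEnvInstructions());
 }
 }
-const ids = isAll ? ['all'] : ghsas.slice(0, limit);
-if (!ids.length) {
+let ids;
+if (isAll && limit > 0) {
+ids = await discoverGhsaIds(orgSlug, tarHash, fixConfig, {
+cwd,
+limit,
+spinner
+});
+} else if (limit > 0) {
+ids = ghsas.slice(0, limit);
+} else {
+ids = [];
+}
+if (limit < 1 || ids.length === 0) {
 spinner?.stop();
 return {
 ok: true,
@@ -3749,7 +3793,7 @@ async function coanaFix(fixConfig) {
 const tmpDir = os.tmpdir();
 const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
 try {
-const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...(isAll ? ['all'] : ghsas), ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
 cwd,
 spinner,
 stdio: 'inherit'
@@ -3781,7 +3825,7 @@ async function coanaFix(fixConfig) {
 // Clean up the temporary file.
 try {
 await fs$1.promises.unlink(tmpFile);
-} catch (e) {
+} catch {
 // Ignore cleanup errors.
 }
 }
@@ -3808,14 +3852,11 @@ async function coanaFix(fixConfig) {
 const shouldSpawnCoana = adjustedLimit > 0;
 let ids;
 if (shouldSpawnCoana && isAll) {
-const foundCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+ids = await discoverGhsaIds(orgSlug, tarHash, fixConfig, {
 cwd,
+limit: adjustedLimit,
 spinner
 });
-if (foundCResult.ok) {
-const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
-ids = foundIds.slice(0, adjustedLimit);
-}
 } else if (shouldSpawnCoana) {
 ids = ghsas.slice(0, adjustedLimit);
 }
@@ -15270,5 +15311,5 @@ void (async () => {
 await utils.captureException(e);
 }
 })();
-//# debugId=dbcc0fa8-7ea6-462d-9ebe-824e2129f7b8
+//# debugId=24f79e28-d381-4303-8ec8-8eade398a936
 //# sourceMappingURL=cli.js.map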
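Review bot: `discoverGhsaIds` returns `[]` both when coana reports no vulnerabilities and when the spawn itself fails (`foundCResult.ok` false), and the new local-mode branch in `coanaFix` then reaches `if (limit < 1 || ids.length === 0)` and returns `ok: true`, so a failed discovery run is reported as a clean "nothing to fix" — before this change `--apply-fixes-to all` went straight to the fix spawn, whose failure would have surfaced. Consider returning the failed `foundCResult` from `discoverGhsaIds` instead of `[]` and bailing out at both call sites with `if (!Array.isArray(ids)) { spinner?.stop(); return ids; }`, or at minimum logging the failure before the early return. The helper also scrapes a `Vulnerabilities found:` line out of `foundCResult.data` with a regex, and that output is owned by the separately versioned coana package this release bumps, so a comment pinning the expected line format would help the next upgrade. The new manifest filter lowercases `path.basename(p)` before comparing it to `constants.DOT_SOCKET_DOT_FACTS_JSON`; the constant is not visible here, and if it is not itself all-lowercase the filter never matches — worth a one-line assertion or comment. `coanaFix` begins and ends outside these hunks, so how the second call site treats an empty or failed `ids` is not visible.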