socket 0.14.13 → 0.14.14

package/dist/cli.js

@@ -90,7 +90,12 @@ const yargsConfig = {
     //evidence: false,
     //'include-crypto': false,
     //'include-formulation': false,
-    //'install-deps': true,
+
+    // Default 'install-deps' to `false` and 'lifecycle' to 'pre-build' to
+    // sidestep arbitrary code execution during a cdxgen scan.
+    // https://github.com/CycloneDX/cdxgen/issues/1328
+    'install-deps': false,
+    lifecycle: 'pre-build',
     //output: 'bom.json',
     //profile: 'generic',
     //'project-version': '',
@@ -127,7 +132,7 @@ const yargsConfig = {
     type: 'string'
   }],
   boolean: ['auto-compositions', 'babel', 'deep', 'evidence', 'fail-on-error', 'generate-key-and-sign', 'help', 'include-formulation', 'include-crypto', 'install-deps', 'print', 'required-only', 'server', 'validate', 'version'],
-  string: ['api-key', 'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'server-host', 'server-port', 'server-url', 'spec-version']
+  string: ['api-key', 'lifecycle', 'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'server-host', 'server-port', 'server-url', 'spec-version']
 };
 function argvToArray(argv) {
   if (argv['help']) return ['--help'];
@@ -144,7 +149,7 @@ function argvToArray(argv) {
     } else if (value === true) {
       result.push(`--${key}`);
     } else if (typeof value === 'string') {
-      result.push(`--${key}=${value}`);
+      result.push(`--${key}`, String(value));
     } else if (Array.isArray(value)) {
       result.push(`--${key}`, ...value.map(String));
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "0.14.13",
+  "version": "0.14.14",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli",
   "license": "MIT",