socket 1.1.108 → 1.1.109

package/CHANGELOG.md

@@ -12,6 +12,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Changed
 - **Bazel diagnostics** — `socket manifest bazel --verbose` now emits bounded subprocess traces with argv, cwd, duration, exit status, output sizes, and failure stderr tails to make customer log-only triage safer and faster.
 
+## [1.1.109](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.109) - 2026-05-28
+
+### Added
+- **`socket fix --exclude-paths`** — Skip matching paths from the scan entirely: manifests under these paths are not uploaded, and fixes are not applied to workspaces under them. Use this to skip directories the current user cannot read (e.g. a postgres `pgdata` directory inside the repo) so they do not abort manifest collection. The pre-existing `--exclude` flag keeps its previous fix-application-only semantic but is now hidden in `--help` in favor of `--exclude-paths`.
+
 ## [1.1.108](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.108) - 2026-05-28
 
 ### Changed

package/dist/cli.js

@@ -5758,6 +5758,7 @@ async function coanaFix(fixConfig) {
     disableMajorUpdates,
     ecosystems,
     exclude,
+    excludePaths,
     ghsas,
     include,
     minimumReleaseAge,
@@ -5793,7 +5794,20 @@ async function coanaFix(fixConfig) {
   // Load socket.yml to respect projectIgnorePaths when collecting files.
   const socketYmlResult = utils.findSocketYmlSync(cwd);
   const socketConfig = socketYmlResult.ok ? socketYmlResult.data?.parsed : undefined;
+
+  // Expand user-supplied `--exclude-paths` patterns into the fast-glob ignore
+  // form so manifest discovery skips them. Without this an unreadable
+  // subdirectory (e.g. a postgres `pgdata` owned by another uid) would crash
+  // `socket fix` before coana is even invoked.
+  const additionalIgnores = excludePaths.length ? excludePaths.flatMap(excludePathToScanIgnores) : undefined;
+  // Forward --exclude-paths to coana's workspace filter too, so a workspace
+  // matching the pattern is also skipped during fix application even when
+  // its manifest somehow made it into the upload (e.g. picked up via a
+  // sibling manifest's references). --exclude stays separate as a hidden
+  // legacy escape hatch for the narrower "fix-application only" semantic.
+  const coanaExcludePatterns = [...exclude, ...excludePaths];
   const scanFilepaths = await utils.getPackageFilesForScan(['.'], supportedFiles, {
+    additionalIgnores,
     config: socketConfig,
     cwd
   });
@@ -5877,7 +5891,7 @@ async function coanaFix(fixConfig) {
     const tmpDir = os.tmpdir();
     const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
     try {
-      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(coanaExcludePatterns.length ? ['--exclude', ...coanaExcludePatterns] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
         coanaVersion,
         cwd,
         spinner: silence ? undefined : spinner,
@@ -5989,7 +6003,7 @@ async function coanaFix(fixConfig) {
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(coanaExcludePatterns.length ? ['--exclude', ...coanaExcludePatterns] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       coanaVersion,
       cwd,
       spinner: silence ? undefined : spinner,
@@ -6330,6 +6344,7 @@ async function handleFix({
   disableMajorUpdates,
   ecosystems,
   exclude,
+  excludePaths,
   ghsas,
   include,
   minSatisfying,
@@ -6358,6 +6373,7 @@ async function handleFix({
     disableMajorUpdates,
     ecosystems,
     exclude,
+    excludePaths,
     ghsas,
     include,
     minSatisfying,
@@ -6383,6 +6399,7 @@ async function handleFix({
     disableMajorUpdates,
     ecosystems,
     exclude,
+    excludePaths,
     // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
     ghsas: await convertIdsToGhsas(ghsas, {
       silence
@@ -6435,6 +6452,17 @@ const generalFlags$2 = {
     default: [],
     description: 'Exclude workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags',
     isMultiple: true,
+    // Hidden in favor of --exclude-paths, which covers both manifest
+    // discovery and workspace filtering. --exclude is preserved for
+    // backwards compatibility with the narrower (fix-application only)
+    // semantic.
+    hidden: true
+  },
+  excludePaths: {
+    type: 'string',
+    default: [],
+    description: 'Skip matching paths from the scan entirely: manifests under these paths are not uploaded, and fixes are not applied to workspaces under them. Patterns are anchored micromatch globs matched relative to the target directory (CWD); `data/postgres/pgdata` matches that exact path, `**/pgdata` matches at any depth. Use this to skip directories the current user cannot read so they do not abort manifest collection. Negation patterns (`!path`) are not supported. Accepts a comma-separated value or multiple flags.',
+    isMultiple: true,
     hidden: false
   },
   include: {
@@ -6638,6 +6666,7 @@ async function run$L(argv, importMeta, {
     disableExternalToolChecks,
     ecosystems,
     exclude,
+    excludePaths,
     fixVersion,
     include,
     json,
@@ -6732,6 +6761,18 @@ async function run$L(argv, importMeta, {
     process.exitCode = 1;
     return;
   }
+  const includePatterns = utils.cmdFlagValueToArray(include);
+  const excludePatterns = utils.cmdFlagValueToArray(exclude);
+  const excludePathsPatterns = utils.cmdFlagValueToArray(excludePaths);
+  // Validate before the network round-trip so a bad pattern doesn't waste
+  // an org-slug API call.
+  try {
+    assertValidExcludePaths(excludePathsPatterns);
+  } catch (e) {
+    logger.logger.fail(e.message);
+    process.exitCode = 1;
+    return;
+  }
   if (dryRun) {
     logger.logger.log(constants.default.DRY_RUN_NOT_SAVING);
     return;
@@ -6746,8 +6787,6 @@ async function run$L(argv, importMeta, {
   const {
     spinner
   } = constants.default;
-  const includePatterns = utils.cmdFlagValueToArray(include);
-  const excludePatterns = utils.cmdFlagValueToArray(exclude);
   await handleFix({
     all,
     applyFixes,
@@ -6759,6 +6798,7 @@ async function run$L(argv, importMeta, {
     disableMajorUpdates,
     ecosystems: validatedEcosystems,
     exclude: excludePatterns,
+    excludePaths: excludePathsPatterns,
     ghsas,
     include: includePatterns,
     minimumReleaseAge,
@@ -19027,5 +19067,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=2c025222-c1b3-4410-abc9-e6c6a91083a2
+//# debugId=52e1770b-8fec-41b9-83a1-5c52a6251b6c
 //# sourceMappingURL=cli.js.map