npm - socket - Versions diffs - 1.1.121 → 1.1.123 - Mend

socket 1.1.121 → 1.1.123

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CHANGELOG.md +13 -0
package/dist/cli.js +68 -19
package/dist/cli.js.map +1 -1
package/dist/constants.js +4 -4
package/dist/constants.js.map +1 -1
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/commands/scan/cmd-scan-create.d.mts.map +1 -1
package/dist/types/commands/scan/handle-create-new-scan.d.mts.map +1 -1
package/dist/types/commands/scan/handle-scan-reach.d.mts.map +1 -1
package/dist/types/commands/scan/perform-reachability-analysis.d.mts +4 -3
package/dist/types/commands/scan/perform-reachability-analysis.d.mts.map +1 -1
package/dist/types/commands/scan/reachability-units.d.mts +18 -0
package/dist/types/commands/scan/reachability-units.d.mts.map +1 -0
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.123](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.123) - 2026-06-18
+### Added
+- `socket scan create --reach` and `socket scan reach` now accept unit suffixes on `--reach-analysis-timeout` (`s`, `m`, `h` — e.g. `90s`, `10m`, `1h`) and `--reach-analysis-memory-limit` (`MB`, `GB` — e.g. `512MB`, `8GB`). Plain numbers keep working as before.
+### Changed
+- Updated the Coana CLI to v `15.5.0`.
+## [1.1.122](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.122) - 2026-06-17
+### Changed
+- Updated the Coana CLI to v `15.4.6`.
 ## [1.1.121](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.121) - 2026-06-17
 ### Fixed

package/dist/cli.js CHANGED Viewed

@@ -1707,11 +1707,45 @@ async function outputCreateNewScan(result, options) {
   }
 }
+// Helpers for the reachability unit values. Coana (@coana-tech/cli) is the sole
+// validator/parser of these values; the Socket CLI forwards the raw string
+// through verbatim. These helpers do NOT validate grammar (that would duplicate
+// Coana's and drift): they only handle the meow-default sentinel and detect
+// whether a value differs from the default, neither of which Coana models.
+// A zero-magnitude or empty value (e.g. "", "0", "0s", "0gb") means "use the
+// default": the flag is omitted when forwarding and Coana applies its own
+// default. This preserves the historical sentinel where a numeric 0 dropped the
+// flag, and avoids Coana's undefined zero (0ms / 0MB) path.
+function isOmittedReachValue(value) {
+  const match = /^\d+/.exec(value);
+  return !match || Number(match[0]) === 0;
+}
+// Resolve a memory-limit value to its magnitude in MB (the unit Coana uses), or
+// null when the value is omitted/zero (Coana then applies its own default).
+// Used only to compare a value against the default regardless of how the unit
+// is written: 8192, 8192MB and 8GB all resolve to 8192. This is default
+// detection, not validation, so an unrecognized value resolves to null and is
+// simply treated as "not a non-default value".
+function reachMemoryLimitToMb(value) {
+  if (isOmittedReachValue(value)) {
+    return null;
+  }
+  const match = /^(\d+)(mb|gb)?$/i.exec(value);
+  if (!match) {
+    return null;
+  }
+  const amount = Number(match[1]);
+  return match[2]?.toLowerCase() === 'gb' ? amount * 1024 : amount;
+}
 async function performReachabilityAnalysis(options) {
   const {
     branchName,
     cwd = process.cwd(),
     orgSlug,
+    outputKind = 'text',
     outputPath,
     packagePaths,
     reachabilityOptions,
@@ -1817,7 +1851,7 @@ async function performReachabilityAnalysis(options) {
   }
   // Build Coana arguments.
-  const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachContinueOnAnalysisErrors ? ['--reach-continue-on-analysis-errors'] : []), ...(reachabilityOptions.reachContinueOnInstallErrors ? ['--reach-continue-on-install-errors'] : []), ...(reachabilityOptions.reachContinueOnMissingLockFiles ? ['--reach-continue-on-missing-lock-files'] : []), ...(reachabilityOptions.reachContinueOnNoSourceFiles ? ['--reach-continue-on-no-source-files'] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDetailedAnalysisLogFile ? ['--print-analysis-log-file'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(reachabilityOptions.reachEnableAnalysisSplitting ? [] : ['--disable-analysis-splitting']), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(isOmittedReachValue(reachabilityOptions.reachAnalysisTimeout) ? [] : ['--analysis-timeout', reachabilityOptions.reachAnalysisTimeout]), ...(isOmittedReachValue(reachabilityOptions.reachAnalysisMemoryLimit) ? [] : ['--memory-limit', reachabilityOptions.reachAnalysisMemoryLimit]), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachContinueOnAnalysisErrors ? ['--reach-continue-on-analysis-errors'] : []), ...(reachabilityOptions.reachContinueOnInstallErrors ? ['--reach-continue-on-install-errors'] : []), ...(reachabilityOptions.reachContinueOnMissingLockFiles ? ['--reach-continue-on-missing-lock-files'] : []), ...(reachabilityOptions.reachContinueOnNoSourceFiles ? ['--reach-continue-on-no-source-files'] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDetailedAnalysisLogFile ? ['--print-analysis-log-file'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(reachabilityOptions.reachEnableAnalysisSplitting ? [] : ['--disable-analysis-splitting']), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachLazyMode ? ['--lazy-mode'] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : []),
   // Hand the per-ecosystem build-tool config (mapped from socket.json) to
@@ -1834,6 +1868,13 @@ async function performReachabilityAnalysis(options) {
   if (branchName && branchName !== constants.default.SOCKET_DEFAULT_BRANCH) {
     coanaEnv['SOCKET_BRANCH_NAME'] = branchName;
   }
+  // In machine-readable modes (--json/--markdown) the final payload is written
+  // to stdout by the output layer. Coana streams progress/logs over stdout
+  // under `inherit`, which would corrupt that payload, so redirect the child's
+  // stdout to our stderr (fd 2). Progress stays visible for humans and
+  // `2>/dev/null` isolates the JSON/markdown. stdin and stderr stay inherited.
+  const coanaStdio = outputKind === 'text' ? 'inherit' : ['inherit', 2, 'inherit'];
   try {
     // Run Coana with the manifests tar hash.
     const coanaResult = await utils.spawnCoanaDlx(coanaArgs, orgSlug, {
@@ -1841,7 +1882,7 @@ async function performReachabilityAnalysis(options) {
       cwd,
       env: coanaEnv,
       spinner,
-      stdio: 'inherit'
+      stdio: coanaStdio
     });
     if (wasSpinning) {
       spinner.start();
@@ -5091,6 +5132,7 @@ async function handleCreateNewScan({
       branchName,
       cwd,
       orgSlug,
+      outputKind,
       packagePaths,
       reachabilityOptions: mergedReachabilityOptions,
       repoName,
@@ -5247,8 +5289,8 @@ async function handleCi(autoManifest) {
     pullRequest: 0,
     reach: {
       excludePaths: [],
-      reachAnalysisMemoryLimit: 0,
-      reachAnalysisTimeout: 0,
+      reachAnalysisMemoryLimit: '',
+      reachAnalysisTimeout: '',
       reachConcurrency: 1,
       reachContinueOnAnalysisErrors: false,
       reachContinueOnInstallErrors: false,
@@ -15605,14 +15647,14 @@ const reachabilityFlags = {
     description: `Override the version of @coana-tech/cli used for reachability analysis. Default: ${constants.default.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION}.`
   },
   reachAnalysisMemoryLimit: {
-    type: 'number',
-    default: 8192,
-    description: 'The maximum memory in MB to use for the reachability analysis. The default is 8192MB.'
+    type: 'string',
+    default: '8192',
+    description: 'The maximum memory for the reachability analysis as a whole number optionally followed by MB or GB (e.g. 512MB, 8GB). The default is 8GB.'
   },
   reachAnalysisTimeout: {
-    type: 'number',
-    default: 0,
-    description: 'Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.'
+    type: 'string',
+    default: '',
+    description: 'Set the timeout for the reachability analysis as a whole number optionally followed by s, m or h (e.g. 90s, 10m, 1h). Defaults to 10m. Split analysis runs may cause the total scan time to exceed this timeout significantly.'
   },
   reachConcurrency: {
     type: 'number',
@@ -16110,8 +16152,14 @@ async function run$d(argv, importMeta, {
   // Validation helpers for better readability.
   const hasReachEcosystems = reachEcosystems.length > 0;
   const hasReachExcludePaths = reachExcludePaths.length > 0;
-  const isUsingNonDefaultMemoryLimit = reachAnalysisMemoryLimit !== reachabilityFlags['reachAnalysisMemoryLimit']?.default;
-  const isUsingNonDefaultTimeout = reachAnalysisTimeout !== reachabilityFlags['reachAnalysisTimeout']?.default;
+  // Compare by resolved magnitude, not string identity: 8192, 8192MB and 8GB
+  // all mean the default, and an omitted/zero timeout means "use the default".
+  // A naive string compare would flag those equivalents as non-default and
+  // wrongly require --reach.
+  const memoryLimitMb = reachMemoryLimitToMb(reachAnalysisMemoryLimit);
+  const isUsingNonDefaultMemoryLimit = memoryLimitMb !== null && memoryLimitMb !== reachMemoryLimitToMb(String(reachabilityFlags['reachAnalysisMemoryLimit']?.default ?? ''));
+  const isUsingNonDefaultTimeout = !isOmittedReachValue(reachAnalysisTimeout);
   const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
   const isUsingNonDefaultVersion = reachVersion !== reachabilityFlags['reachVersion']?.default;
@@ -16208,8 +16256,8 @@ async function run$d(argv, importMeta, {
         autoManifest: Boolean(autoManifest)
       }) : undefined,
       excludePaths,
-      reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
+      reachAnalysisMemoryLimit,
+      reachAnalysisTimeout,
       reachConcurrency: Number(reachConcurrency),
       reachContinueOnAnalysisErrors: Boolean(reachContinueOnAnalysisErrors),
       reachContinueOnInstallErrors: Boolean(reachContinueOnInstallErrors),
@@ -16867,8 +16915,8 @@ async function scanOneRepo(repoSlug, {
     pullRequest: 0,
     reach: {
       excludePaths: [],
-      reachAnalysisMemoryLimit: 0,
-      reachAnalysisTimeout: 0,
+      reachAnalysisMemoryLimit: '',
+      reachAnalysisTimeout: '',
       reachConcurrency: 1,
       reachContinueOnAnalysisErrors: false,
       reachContinueOnInstallErrors: false,
@@ -18100,6 +18148,7 @@ async function handleScanReach({
   const result = await performReachabilityAnalysis({
     cwd,
     orgSlug,
+    outputKind,
     outputPath,
     packagePaths,
     reachabilityOptions: mergedReachabilityOptions,
@@ -18323,8 +18372,8 @@ async function run$7(argv, importMeta, {
     outputPath: outputPath || '',
     reachabilityOptions: {
       excludePaths,
-      reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
+      reachAnalysisMemoryLimit,
+      reachAnalysisTimeout,
       reachConcurrency: Number(reachConcurrency),
       reachContinueOnAnalysisErrors: Boolean(reachContinueOnAnalysisErrors),
       reachContinueOnInstallErrors: Boolean(reachContinueOnInstallErrors),
@@ -20266,5 +20315,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=85257911-3f47-4452-8e33-51ee5c9c6b59
+//# debugId=cab2a634-ac20-4b27-aff5-55f1c4df59bc
 //# sourceMappingURL=cli.js.map