socket 1.1.122 → 1.1.124

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.124](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.124) - 2026-06-19
+
+### Added
+- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh tier 1 reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
+
+### Changed
+- Updated the Coana CLI to v `15.5.4`.
+
+## [1.1.123](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.123) - 2026-06-18
+
+### Added
+- `socket scan create --reach` and `socket scan reach` now accept unit suffixes on `--reach-analysis-timeout` (`s`, `m`, `h` — e.g. `90s`, `10m`, `1h`) and `--reach-analysis-memory-limit` (`MB`, `GB` — e.g. `512MB`, `8GB`). Plain numbers keep working as before.
+
+### Changed
+- Updated the Coana CLI to v `15.5.0`.
+
 ## [1.1.122](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.122) - 2026-06-17
 
 ### Changed

package/bin/cli.js

@@ -3,6 +3,7 @@
 
 void (async () => {
   const Module = require('node:module')
+  const os = require('node:os')
   const path = require('node:path')
   const rootPath = path.join(__dirname, '..')
   Module.enableCompileCache?.(path.join(rootPath, '.cache'))
@@ -38,10 +39,41 @@ void (async () => {
     },
   )
 
+  // The child shares our process group and handles the signal itself; wait briefly for it
+  // to exit (so its final output isn't printed after the prompt returns) and mirror its
+  // exit below. SIGKILL and leave if it outlasts the grace, or on a second signal.
+  const SHUTDOWN_GRACE_MS = 3_000
+  const hardAbort = signalName => {
+    const child = spawnPromise.process
+    if (child.exitCode === null && child.signalCode === null) {
+      child.kill('SIGKILL')
+    }
+    // eslint-disable-next-line n/no-process-exit
+    process.exit(signalName === 'SIGTERM' ? 143 : 130)
+  }
+  let sawSignal = false
+  const onSignal = signalName => {
+    if (sawSignal) {
+      hardAbort(signalName)
+      return
+    }
+    sawSignal = true
+    setTimeout(() => hardAbort(signalName), SHUTDOWN_GRACE_MS).unref?.()
+  }
+  const onSigint = () => onSignal('SIGINT')
+  const onSigterm = () => onSignal('SIGTERM')
+  process.on('SIGINT', onSigint)
+  process.on('SIGTERM', onSigterm)
+
   // See https://nodejs.org/api/child_process.html#event-exit.
   spawnPromise.process.on('exit', (code, signalName) => {
     if (signalName) {
-      process.kill(process.pid, signalName)
+      // Mirror a signal death as the conventional 128 + signum exit code. Exit explicitly
+      // rather than re-raising the signal: with our handlers installed the re-raise would
+      // race `await spawnPromise` resolving and could leave the default exitCode of 1.
+      const signum = os.constants.signals[signalName] ?? 0
+      // eslint-disable-next-line n/no-process-exit
+      process.exit(128 + signum)
     } else if (typeof code === 'number') {
       // eslint-disable-next-line n/no-process-exit
       process.exit(code)

package/dist/cli.js

@@ -1707,11 +1707,45 @@ async function outputCreateNewScan(result, options) {
   }
 }
 
+// Helpers for the reachability unit values. Coana (@coana-tech/cli) is the sole
+// validator/parser of these values; the Socket CLI forwards the raw string
+// through verbatim. These helpers do NOT validate grammar (that would duplicate
+// Coana's and drift): they only handle the meow-default sentinel and detect
+// whether a value differs from the default, neither of which Coana models.
+
+// A zero-magnitude or empty value (e.g. "", "0", "0s", "0gb") means "use the
+// default": the flag is omitted when forwarding and Coana applies its own
+// default. This preserves the historical sentinel where a numeric 0 dropped the
+// flag, and avoids Coana's undefined zero (0ms / 0MB) path.
+function isOmittedReachValue(value) {
+  const match = /^\d+/.exec(value);
+  return !match || Number(match[0]) === 0;
+}
+
+// Resolve a memory-limit value to its magnitude in MB (the unit Coana uses), or
+// null when the value is omitted/zero (Coana then applies its own default).
+// Used only to compare a value against the default regardless of how the unit
+// is written: 8192, 8192MB and 8GB all resolve to 8192. This is default
+// detection, not validation, so an unrecognized value resolves to null and is
+// simply treated as "not a non-default value".
+function reachMemoryLimitToMb(value) {
+  if (isOmittedReachValue(value)) {
+    return null;
+  }
+  const match = /^(\d+)(mb|gb)?$/i.exec(value);
+  if (!match) {
+    return null;
+  }
+  const amount = Number(match[1]);
+  return match[2]?.toLowerCase() === 'gb' ? amount * 1024 : amount;
+}
+
 async function performReachabilityAnalysis(options) {
   const {
     branchName,
     cwd = process.cwd(),
     orgSlug,
+    outputKind = 'text',
     outputPath,
     packagePaths,
     reachabilityOptions,
@@ -1817,7 +1851,7 @@ async function performReachabilityAnalysis(options) {
   }
 
   // Build Coana arguments.
-  const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachContinueOnAnalysisErrors ? ['--reach-continue-on-analysis-errors'] : []), ...(reachabilityOptions.reachContinueOnInstallErrors ? ['--reach-continue-on-install-errors'] : []), ...(reachabilityOptions.reachContinueOnMissingLockFiles ? ['--reach-continue-on-missing-lock-files'] : []), ...(reachabilityOptions.reachContinueOnNoSourceFiles ? ['--reach-continue-on-no-source-files'] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDetailedAnalysisLogFile ? ['--print-analysis-log-file'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(reachabilityOptions.reachEnableAnalysisSplitting ? [] : ['--disable-analysis-splitting']), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(isOmittedReachValue(reachabilityOptions.reachAnalysisTimeout) ? [] : ['--analysis-timeout', reachabilityOptions.reachAnalysisTimeout]), ...(isOmittedReachValue(reachabilityOptions.reachAnalysisMemoryLimit) ? [] : ['--memory-limit', reachabilityOptions.reachAnalysisMemoryLimit]), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachContinueOnAnalysisErrors ? ['--reach-continue-on-analysis-errors'] : []), ...(reachabilityOptions.reachContinueOnInstallErrors ? ['--reach-continue-on-install-errors'] : []), ...(reachabilityOptions.reachContinueOnMissingLockFiles ? ['--reach-continue-on-missing-lock-files'] : []), ...(reachabilityOptions.reachContinueOnNoSourceFiles ? ['--reach-continue-on-no-source-files'] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDetailedAnalysisLogFile ? ['--print-analysis-log-file'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(reachabilityOptions.reachEnableAnalysisSplitting ? [] : ['--disable-analysis-splitting']), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachLazyMode ? ['--lazy-mode'] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : []),
   // Hand the per-ecosystem build-tool config (mapped from socket.json) to
@@ -1834,6 +1868,13 @@ async function performReachabilityAnalysis(options) {
   if (branchName && branchName !== constants.default.SOCKET_DEFAULT_BRANCH) {
     coanaEnv['SOCKET_BRANCH_NAME'] = branchName;
   }
+
+  // In machine-readable modes (--json/--markdown) the final payload is written
+  // to stdout by the output layer. Coana streams progress/logs over stdout
+  // under `inherit`, which would corrupt that payload, so redirect the child's
+  // stdout to our stderr (fd 2). Progress stays visible for humans and
+  // `2>/dev/null` isolates the JSON/markdown. stdin and stderr stay inherited.
+  const coanaStdio = outputKind === 'text' ? 'inherit' : ['inherit', 2, 'inherit'];
   try {
     // Run Coana with the manifests tar hash.
     const coanaResult = await utils.spawnCoanaDlx(coanaArgs, orgSlug, {
@@ -1841,7 +1882,7 @@ async function performReachabilityAnalysis(options) {
       cwd,
       env: coanaEnv,
       spinner,
-      stdio: 'inherit'
+      stdio: coanaStdio
     });
     if (wasSpinning) {
       spinner.start();
@@ -5091,6 +5132,7 @@ async function handleCreateNewScan({
       branchName,
       cwd,
       orgSlug,
+      outputKind,
       packagePaths,
       reachabilityOptions: mergedReachabilityOptions,
       repoName,
@@ -5163,8 +5205,11 @@ async function handleCreateNewScan({
   // (e.g. from `socket manifest gradle --facts`) are NOT touched here —
   // those are user-owned input that the user can clean up themselves; in
   // the --reach path coana overwrites that file with its enriched output
-  // anyway, so it's the same path that gets removed.
-  if (fullScanCResult.ok && scanId && reachabilityReport) {
+  // anyway, so it's the same path that gets removed. `--reach-retain-facts-file`
+  // opts out of this cleanup so the report can be inspected; the user is then
+  // responsible for deleting it before the next tier 1 scan (a stale file is
+  // picked up as pre-generated input and would make those results unreliable).
+  if (fullScanCResult.ok && scanId && reachabilityReport && !reach.reachRetainFactsFile) {
     try {
       await fs.unlink(path.resolve(cwd, reachabilityReport));
       require$$9.debugFn('notice', `[socket-facts] removed coana output after successful scan: ${reachabilityReport}`);
@@ -5247,8 +5292,8 @@ async function handleCi(autoManifest) {
     pullRequest: 0,
     reach: {
       excludePaths: [],
-      reachAnalysisMemoryLimit: 0,
-      reachAnalysisTimeout: 0,
+      reachAnalysisMemoryLimit: '',
+      reachAnalysisTimeout: '',
       reachConcurrency: 1,
       reachContinueOnAnalysisErrors: false,
       reachContinueOnInstallErrors: false,
@@ -5262,6 +5307,7 @@ async function handleCi(autoManifest) {
       reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
+      reachRetainFactsFile: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -15605,14 +15651,14 @@ const reachabilityFlags = {
     description: `Override the version of @coana-tech/cli used for reachability analysis. Default: ${constants.default.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION}.`
   },
   reachAnalysisMemoryLimit: {
-    type: 'number',
-    default: 8192,
-    description: 'The maximum memory in MB to use for the reachability analysis. The default is 8192MB.'
+    type: 'string',
+    default: '8192',
+    description: 'The maximum memory for the reachability analysis as a whole number optionally followed by MB or GB (e.g. 512MB, 8GB). The default is 8GB.'
   },
   reachAnalysisTimeout: {
-    type: 'number',
-    default: 0,
-    description: 'Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.'
+    type: 'string',
+    default: '',
+    description: 'Set the timeout for the reachability analysis as a whole number optionally followed by s, m or h (e.g. 90s, 10m, 1h). Defaults to 10m. Split analysis runs may cause the total scan time to exceed this timeout significantly.'
   },
   reachConcurrency: {
     type: 'number',
@@ -15687,6 +15733,11 @@ const reachabilityFlags = {
     description: 'Enable lazy mode for reachability analysis.',
     hidden: true
   },
+  reachRetainFactsFile: {
+    type: 'boolean',
+    default: false,
+    description: 'Keep the `.socket.facts.json` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale `.socket.facts.json` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.'
+  },
   reachSkipCache: {
     type: 'boolean',
     default: false,
@@ -15962,6 +16013,7 @@ async function run$d(argv, importMeta, {
     reachDisableExternalToolChecks,
     reachEnableAnalysisSplitting,
     reachLazyMode,
+    reachRetainFactsFile,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion,
@@ -16110,8 +16162,14 @@ async function run$d(argv, importMeta, {
   // Validation helpers for better readability.
   const hasReachEcosystems = reachEcosystems.length > 0;
   const hasReachExcludePaths = reachExcludePaths.length > 0;
-  const isUsingNonDefaultMemoryLimit = reachAnalysisMemoryLimit !== reachabilityFlags['reachAnalysisMemoryLimit']?.default;
-  const isUsingNonDefaultTimeout = reachAnalysisTimeout !== reachabilityFlags['reachAnalysisTimeout']?.default;
+
+  // Compare by resolved magnitude, not string identity: 8192, 8192MB and 8GB
+  // all mean the default, and an omitted/zero timeout means "use the default".
+  // A naive string compare would flag those equivalents as non-default and
+  // wrongly require --reach.
+  const memoryLimitMb = reachMemoryLimitToMb(reachAnalysisMemoryLimit);
+  const isUsingNonDefaultMemoryLimit = memoryLimitMb !== null && memoryLimitMb !== reachMemoryLimitToMb(String(reachabilityFlags['reachAnalysisMemoryLimit']?.default ?? ''));
+  const isUsingNonDefaultTimeout = !isOmittedReachValue(reachAnalysisTimeout);
   const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
   const isUsingNonDefaultVersion = reachVersion !== reachabilityFlags['reachVersion']?.default;
@@ -16208,8 +16266,8 @@ async function run$d(argv, importMeta, {
         autoManifest: Boolean(autoManifest)
       }) : undefined,
       excludePaths,
-      reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
+      reachAnalysisMemoryLimit,
+      reachAnalysisTimeout,
       reachConcurrency: Number(reachConcurrency),
       reachContinueOnAnalysisErrors: Boolean(reachContinueOnAnalysisErrors),
       reachContinueOnInstallErrors: Boolean(reachContinueOnInstallErrors),
@@ -16223,6 +16281,7 @@ async function run$d(argv, importMeta, {
       reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
+      reachRetainFactsFile: Boolean(reachRetainFactsFile),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
@@ -16867,8 +16926,8 @@ async function scanOneRepo(repoSlug, {
     pullRequest: 0,
     reach: {
       excludePaths: [],
-      reachAnalysisMemoryLimit: 0,
-      reachAnalysisTimeout: 0,
+      reachAnalysisMemoryLimit: '',
+      reachAnalysisTimeout: '',
       reachConcurrency: 1,
       reachContinueOnAnalysisErrors: false,
       reachContinueOnInstallErrors: false,
@@ -16882,6 +16941,7 @@ async function scanOneRepo(repoSlug, {
       reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
+      reachRetainFactsFile: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -18100,6 +18160,7 @@ async function handleScanReach({
   const result = await performReachabilityAnalysis({
     cwd,
     orgSlug,
+    outputKind,
     outputPath,
     packagePaths,
     reachabilityOptions: mergedReachabilityOptions,
@@ -18228,6 +18289,7 @@ async function run$7(argv, importMeta, {
     reachDisableExternalToolChecks,
     reachEnableAnalysisSplitting,
     reachLazyMode,
+    reachRetainFactsFile,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion
@@ -18323,8 +18385,8 @@ async function run$7(argv, importMeta, {
     outputPath: outputPath || '',
     reachabilityOptions: {
       excludePaths,
-      reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
+      reachAnalysisMemoryLimit,
+      reachAnalysisTimeout,
       reachConcurrency: Number(reachConcurrency),
       reachContinueOnAnalysisErrors: Boolean(reachContinueOnAnalysisErrors),
       reachContinueOnInstallErrors: Boolean(reachContinueOnInstallErrors),
@@ -18338,6 +18400,7 @@ async function run$7(argv, importMeta, {
       reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
+      reachRetainFactsFile: Boolean(reachRetainFactsFile),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion
@@ -20266,5 +20329,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=85257911-3f47-4452-8e33-51ee5c9c6b59
+//# debugId=3456501d-db35-49f6-b25b-d2bd0fbae11f
 //# sourceMappingURL=cli.js.map