socket 1.1.123 → 1.1.124

package/CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.124](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.124) - 2026-06-19
+
+### Added
+- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh tier 1 reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
+
+### Changed
+- Updated the Coana CLI to v `15.5.4`.
+
 ## [1.1.123](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.123) - 2026-06-18
 
 ### Added

package/bin/cli.js

@@ -3,6 +3,7 @@
 
 void (async () => {
   const Module = require('node:module')
+  const os = require('node:os')
   const path = require('node:path')
   const rootPath = path.join(__dirname, '..')
   Module.enableCompileCache?.(path.join(rootPath, '.cache'))
@@ -38,10 +39,41 @@ void (async () => {
     },
   )
 
+  // The child shares our process group and handles the signal itself; wait briefly for it
+  // to exit (so its final output isn't printed after the prompt returns) and mirror its
+  // exit below. SIGKILL and leave if it outlasts the grace, or on a second signal.
+  const SHUTDOWN_GRACE_MS = 3_000
+  const hardAbort = signalName => {
+    const child = spawnPromise.process
+    if (child.exitCode === null && child.signalCode === null) {
+      child.kill('SIGKILL')
+    }
+    // eslint-disable-next-line n/no-process-exit
+    process.exit(signalName === 'SIGTERM' ? 143 : 130)
+  }
+  let sawSignal = false
+  const onSignal = signalName => {
+    if (sawSignal) {
+      hardAbort(signalName)
+      return
+    }
+    sawSignal = true
+    setTimeout(() => hardAbort(signalName), SHUTDOWN_GRACE_MS).unref?.()
+  }
+  const onSigint = () => onSignal('SIGINT')
+  const onSigterm = () => onSignal('SIGTERM')
+  process.on('SIGINT', onSigint)
+  process.on('SIGTERM', onSigterm)
+
   // See https://nodejs.org/api/child_process.html#event-exit.
   spawnPromise.process.on('exit', (code, signalName) => {
     if (signalName) {
-      process.kill(process.pid, signalName)
+      // Mirror a signal death as the conventional 128 + signum exit code. Exit explicitly
+      // rather than re-raising the signal: with our handlers installed the re-raise would
+      // race `await spawnPromise` resolving and could leave the default exitCode of 1.
+      const signum = os.constants.signals[signalName] ?? 0
+      // eslint-disable-next-line n/no-process-exit
+      process.exit(128 + signum)
     } else if (typeof code === 'number') {
       // eslint-disable-next-line n/no-process-exit
       process.exit(code)

package/dist/cli.js

@@ -5205,8 +5205,11 @@ async function handleCreateNewScan({
   // (e.g. from `socket manifest gradle --facts`) are NOT touched here —
   // those are user-owned input that the user can clean up themselves; in
   // the --reach path coana overwrites that file with its enriched output
-  // anyway, so it's the same path that gets removed.
-  if (fullScanCResult.ok && scanId && reachabilityReport) {
+  // anyway, so it's the same path that gets removed. `--reach-retain-facts-file`
+  // opts out of this cleanup so the report can be inspected; the user is then
+  // responsible for deleting it before the next tier 1 scan (a stale file is
+  // picked up as pre-generated input and would make those results unreliable).
+  if (fullScanCResult.ok && scanId && reachabilityReport && !reach.reachRetainFactsFile) {
     try {
       await fs.unlink(path.resolve(cwd, reachabilityReport));
       require$$9.debugFn('notice', `[socket-facts] removed coana output after successful scan: ${reachabilityReport}`);
@@ -5304,6 +5307,7 @@ async function handleCi(autoManifest) {
       reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
+      reachRetainFactsFile: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -15729,6 +15733,11 @@ const reachabilityFlags = {
     description: 'Enable lazy mode for reachability analysis.',
     hidden: true
   },
+  reachRetainFactsFile: {
+    type: 'boolean',
+    default: false,
+    description: 'Keep the `.socket.facts.json` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale `.socket.facts.json` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.'
+  },
   reachSkipCache: {
     type: 'boolean',
     default: false,
@@ -16004,6 +16013,7 @@ async function run$d(argv, importMeta, {
     reachDisableExternalToolChecks,
     reachEnableAnalysisSplitting,
     reachLazyMode,
+    reachRetainFactsFile,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion,
@@ -16271,6 +16281,7 @@ async function run$d(argv, importMeta, {
       reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
+      reachRetainFactsFile: Boolean(reachRetainFactsFile),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
@@ -16930,6 +16941,7 @@ async function scanOneRepo(repoSlug, {
       reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
+      reachRetainFactsFile: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -18277,6 +18289,7 @@ async function run$7(argv, importMeta, {
     reachDisableExternalToolChecks,
     reachEnableAnalysisSplitting,
     reachLazyMode,
+    reachRetainFactsFile,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion
@@ -18387,6 +18400,7 @@ async function run$7(argv, importMeta, {
       reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
+      reachRetainFactsFile: Boolean(reachRetainFactsFile),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion
@@ -20315,5 +20329,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=cab2a634-ac20-4b27-aff5-55f1c4df59bc
+//# debugId=3456501d-db35-49f6-b25b-d2bd0fbae11f
 //# sourceMappingURL=cli.js.map