npm - socket - Versions diffs - 1.1.123 → 1.1.126 - Mend

socket 1.1.123 → 1.1.126

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.126](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.126) - 2026-06-22
+### Changed
+- Reachability analysis types are now referred to by descriptive names in command help, output, and docs: Full application reachability (formerly Tier 1), Precomputed reachability (formerly Tier 2), and Dependency reachability (formerly Tier 3).
+- Updated the Coana CLI to v `15.5.7`.
+## [1.1.125](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.125) - 2026-06-22
+### Added
+- New `socket manifest maven` command generates a Socket facts file (`.socket.facts.json`) directly from a Maven `pom.xml` project. Like the Gradle and sbt generators, it auto-detects your project, plugs into `socket manifest auto` and the `socket manifest setup` configurator, and accepts `--maven-opts` to pass options through to Maven (e.g. `--maven-opts="-P release -s settings.xml"`), plus `--bin` to point at a wrapper such as `./mvnw`.
+### Changed
+- Updated the Coana CLI to v `15.5.5`.
+## [1.1.124](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.124) - 2026-06-19
+- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh full application reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
+### Changed
+- Updated the Coana CLI to v `15.5.4`.
 ## [1.1.123](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.123) - 2026-06-18
 ### Added

package/README.md CHANGED Viewed

@@ -60,6 +60,14 @@ All aliases support the flags and arguments of the commands they alias.
 - `socket ci` - Alias for `socket scan create --report` (creates report and exits with error if unhealthy)
+## Reachability analysis
+Socket reachability analysis comes in three forms:
+- **Full application reachability** (formerly Tier 1): Analyzes your application together with its dependencies to determine whether vulnerable code is actually invoked from your code through the full dependency graph — the highest-precision reachability analysis. Run it with `socket scan create --reach`.
+- **Precomputed reachability** (formerly Tier 2): Determines whether vulnerable code in transitive dependencies is reachable through your direct dependencies, using precomputed static analysis of dependency chains (no access to your application code required). In the CLI this is the fallback used when full application reachability cannot complete (see the `--reach-continue-on-*` flags).
+- **Dependency reachability** (formerly Tier 3): Package-level filtering that detects which dependencies are actually used, so CVEs in unused/dead dependencies can be filtered out.
 ## Flags
 ### Output flags

package/bin/cli.js CHANGED Viewed

@@ -3,6 +3,7 @@
 void (async () => {
   const Module = require('node:module')
+  const os = require('node:os')
   const path = require('node:path')
   const rootPath = path.join(__dirname, '..')
   Module.enableCompileCache?.(path.join(rootPath, '.cache'))
@@ -38,10 +39,41 @@ void (async () => {
     },
   )
+  // The child shares our process group and handles the signal itself; wait briefly for it
+  // to exit (so its final output isn't printed after the prompt returns) and mirror its
+  // exit below. SIGKILL and leave if it outlasts the grace, or on a second signal.
+  const SHUTDOWN_GRACE_MS = 3_000
+  const hardAbort = signalName => {
+    const child = spawnPromise.process
+    if (child.exitCode === null && child.signalCode === null) {
+      child.kill('SIGKILL')
+    }
+    // eslint-disable-next-line n/no-process-exit
+    process.exit(signalName === 'SIGTERM' ? 143 : 130)
+  }
+  let sawSignal = false
+  const onSignal = signalName => {
+    if (sawSignal) {
+      hardAbort(signalName)
+      return
+    }
+    sawSignal = true
+    setTimeout(() => hardAbort(signalName), SHUTDOWN_GRACE_MS).unref?.()
+  }
+  const onSigint = () => onSignal('SIGINT')
+  const onSigterm = () => onSignal('SIGTERM')
+  process.on('SIGINT', onSigint)
+  process.on('SIGTERM', onSigterm)
   // See https://nodejs.org/api/child_process.html#event-exit.
   spawnPromise.process.on('exit', (code, signalName) => {
     if (signalName) {
-      process.kill(process.pid, signalName)
+      // Mirror a signal death as the conventional 128 + signum exit code. Exit explicitly
+      // rather than re-raising the signal: with our handlers installed the re-raise would
+      // race `await spawnPromise` resolving and could leave the default exitCode of 1.
+      const signum = os.constants.signals[signalName] ?? 0
+      // eslint-disable-next-line n/no-process-exit
+      process.exit(128 + signum)
     } else if (typeof code === 'number') {
       // eslint-disable-next-line n/no-process-exit
       process.exit(code)