socket 1.1.14 → 1.1.17

package/CHANGELOG.md

@@ -4,6 +4,25 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.17](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.17) - 2025-09-18
+
+### Fixed
+- Enhanced Windows compatibility for package manager detection and execution
+
+## [1.1.16](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.16) - 2025-09-16
+
+### Fixed
+- Enhanced pnpm wrapper compatibility with dlx commands for better package execution support
+
+## [1.1.15](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.15) - 2025-09-16
+
+### Changed
+- Improved `socket fix` environment variable detection with clearer error messages when required variables are missing
+
+### Fixed
+- Resolved path handling issue in `socket optimize` command
+- Command flag parsing now correctly detects subsequent arguments
+
 ## [1.1.14](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.14) - 2025-09-17
 
 ### Changed

package/dist/cli.js

@@ -25,7 +25,6 @@ var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var require$$0$1 = require('node:crypto');
-var registryConstants = require('../external/@socketsecurity/registry/lib/constants');
 var require$$1 = require('node:util');
 var os = require('node:os');
 var promises = require('node:stream/promises');
@@ -230,10 +229,10 @@ function formatDataOrg(data) {
     const topFiveAlertTypes = entry['top_five_alert_types'];
     for (const type of Object.keys(topFiveAlertTypes)) {
       const count = topFiveAlertTypes[type] ?? 0;
-      if (!totalTopAlerts[type]) {
-        totalTopAlerts[type] = count;
-      } else {
+      if (totalTopAlerts[type]) {
         totalTopAlerts[type] += count;
+      } else {
+        totalTopAlerts[type] = count;
       }
     }
   }
@@ -241,10 +240,10 @@ function formatDataOrg(data) {
     const formatted = formattedData[metric];
     for (const entry of data) {
       const date = formatDate(entry['created_at']);
-      if (!formatted[date]) {
-        formatted[date] = entry[metric];
-      } else {
+      if (formatted[date]) {
         formatted[date] += entry[metric];
+      } else {
+        formatted[date] = entry[metric];
       }
     }
   }
@@ -3394,21 +3393,72 @@ function ciRepoInfo() {
     repo: ownerSlashRepo.slice(slashIndex + 1)
   };
 }
+/**
+ * Get formatted instructions for setting CI environment variables.
+ */
+function getCiEnvInstructions() {
+  return 'To enable automatic pull request creation, run in CI with these environment variables:\n' + '  - CI=1\n' + '  - SOCKET_CLI_GITHUB_TOKEN=<your-github-token>\n' + '  - SOCKET_CLI_GIT_USER_NAME=<git-username>\n' + '  - SOCKET_CLI_GIT_USER_EMAIL=<git-email>';
+}
+
+/**
+ * Check which required CI environment variables are missing.
+ * Returns lists of missing and present variables.
+ */
+function checkCiEnvVars() {
+  const {
+    CI,
+    SOCKET_CLI_GIT_USER_EMAIL,
+    SOCKET_CLI_GIT_USER_NAME,
+    SOCKET_CLI_GITHUB_TOKEN
+  } = constants.default.ENV;
+  const missing = [];
+  const present = [];
+  if (CI) {
+    present.push('CI');
+  } else {
+    missing.push('CI');
+  }
+  if (SOCKET_CLI_GIT_USER_EMAIL) {
+    present.push('SOCKET_CLI_GIT_USER_EMAIL');
+  } else {
+    missing.push('SOCKET_CLI_GIT_USER_EMAIL');
+  }
+  if (SOCKET_CLI_GIT_USER_NAME) {
+    present.push('SOCKET_CLI_GIT_USER_NAME');
+  } else {
+    missing.push('SOCKET_CLI_GIT_USER_NAME');
+  }
+  if (SOCKET_CLI_GITHUB_TOKEN) {
+    present.push('SOCKET_CLI_GITHUB_TOKEN');
+  } else {
+    missing.push('SOCKET_CLI_GITHUB_TOKEN (or GITHUB_TOKEN)');
+  }
+  return {
+    missing,
+    present
+  };
+}
 async function getFixEnv() {
   const baseBranch = await utils.getBaseBranch();
   const gitEmail = constants.default.ENV.SOCKET_CLI_GIT_USER_EMAIL;
   const gitUser = constants.default.ENV.SOCKET_CLI_GIT_USER_NAME;
   const githubToken = constants.default.ENV.SOCKET_CLI_GITHUB_TOKEN;
   const isCi = !!(constants.default.ENV.CI && gitEmail && gitUser && githubToken);
-  if (
-  // If isCi is false,
-  !isCi && (
-  // but some CI checks are passing,
-  constants.default.ENV.CI || gitEmail || gitUser || githubToken) &&
+  const envCheck = checkCiEnvVars();
+
+  // Provide clear feedback about missing environment variables.
+  if (constants.default.ENV.CI && envCheck.missing.length > 1) {
+    // CI is set but other required vars are missing.
+    const missingExceptCi = envCheck.missing.filter(v => v !== 'CI');
+    if (missingExceptCi.length) {
+      logger.logger.warn(`CI mode detected, but pull request creation is disabled due to missing environment variables:\n` + `  Missing: ${arrays.joinAnd(missingExceptCi)}\n` + `  Set these variables to enable automatic pull request creation.`);
+    }
+  } else if (
+  // If not in CI but some CI-related env vars are set.
+  !constants.default.ENV.CI && envCheck.present.length &&
   // then log about it when in debug mode.
   require$$9.isDebug('notice')) {
-    const envVars = [...(constants.default.ENV.CI ? [] : ['process.env.CI']), ...(gitEmail ? [] : ['process.env.SOCKET_CLI_GIT_USER_EMAIL']), ...(gitUser ? [] : ['process.env.SOCKET_CLI_GIT_USER_NAME']), ...(githubToken ? [] : ['process.env.GITHUB_TOKEN'])];
-    require$$9.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envVars)} to be set`);
+    require$$9.debugFn('notice', `miss: fixEnv.isCi is false, expected ${arrays.joinAnd(envCheck.missing)} to be set`);
   }
   let repoInfo;
   if (isCi) {
@@ -3486,6 +3536,19 @@ async function coanaFix(fixConfig) {
   const isAll = !ghsas.length || ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
+    // Inform user about local mode when fixes will be applied.
+    if (!onlyCompute && ghsas.length) {
+      const envCheck = checkCiEnvVars();
+      if (envCheck.present.length) {
+        // Some CI vars are set but not all - show what's missing.
+        if (envCheck.missing.length) {
+          logger.logger.info('Running in local mode - fixes will be applied directly to your working directory.\n' + `Missing environment variables for PR creation: ${arrays.joinAnd(envCheck.missing)}`);
+        }
+      } else {
+        // No CI vars are present - show general local mode message.
+        logger.logger.info('Running in local mode - fixes will be applied directly to your working directory.\n' + getCiEnvInstructions());
+      }
+    }
     const ids = isAll ? ['all'] : ghsas.slice(0, limit);
     if (!ids.length) {
       spinner?.stop();
@@ -3496,7 +3559,7 @@ async function coanaFix(fixConfig) {
         }
       };
     }
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...(isAll ? ['all'] : ghsas), ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(glob ? ['--glob', glob] : []), ...(onlyCompute ? ['--dry-run'] : []), ...(outputFile ? ['--output-file', outputFile] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...(isAll ? ['all'] : ghsas), ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(glob ? ['--glob', glob] : []), ...(onlyCompute ? [constants.FLAG_DRY_RUN] : []), ...(outputFile ? ['--output-file', outputFile] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
@@ -3630,6 +3693,16 @@ async function coanaFix(fixConfig) {
       }
 
       // Set up git remote.
+      if (!fixEnv.githubToken) {
+        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        // eslint-disable-next-line no-await-in-loop
+        await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
+        // eslint-disable-next-line no-await-in-loop
+        await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
+        // eslint-disable-next-line no-await-in-loop
+        await utils.gitDeleteBranch(branch, cwd);
+        continue ghsaLoop;
+      }
       // eslint-disable-next-line no-await-in-loop
       await utils.setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd);
 
@@ -3751,7 +3824,7 @@ async function convertIdsToGhsas(ids) {
       const conversionResult = await utils.convertPurlToGhsas(trimmedId);
       if (conversionResult.ok && conversionResult.data.length) {
         validGhsas.push(...conversionResult.data);
-        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${conversionResult.data.join(', ')}`);
+        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${arrays.joinAnd(conversionResult.data)}`);
       } else {
         errors.push(`${trimmedId}: ${conversionResult.message || 'No GHSAs found'}`);
       }
@@ -3925,8 +3998,15 @@ async function run$K(argv, importMeta, {
     Options
       ${utils.getFlagListOutput(config.flags)}
 
+    Environment Variables (for CI/PR mode)
+      CI                          Set to enable CI mode
+      SOCKET_CLI_GITHUB_TOKEN     GitHub token for PR creation (or GITHUB_TOKEN)
+      SOCKET_CLI_GIT_USER_NAME    Git username for commits
+      SOCKET_CLI_GIT_USER_EMAIL   Git email for commits
+
     Examples
       $ ${command}
+      $ ${command} --id CVE-2021-23337
       $ ${command} ./path/to/project --range-style pin
     `
   };
@@ -4530,7 +4610,7 @@ const {
 const nodejsPlatformTypes = new Set(['javascript', 'js', 'nodejs', constants.NPM, constants.PNPM, 'ts', 'tsx', 'typescript']);
 function argvToArray(argvObj) {
   if (argvObj['help']) {
-    return ['--help'];
+    return [constants.FLAG_HELP];
   }
   const result = [];
   for (const {
@@ -4614,6 +4694,8 @@ async function runCdxgen(argvObj) {
   shadowResult.spawnPromise.process.on('exit', () => {
     if (cleanupPackageLock) {
       try {
+        // TODO: Consider using trash instead of rmSync for safer deletion.
+        // This removes the temporary package-lock.json we created for cdxgen.
         fs$1.rmSync(`./${PACKAGE_LOCK_JSON}`);
       } catch {}
     }
@@ -4857,7 +4939,7 @@ async function run$F(argv, importMeta, context) {
   const argsToProcess = utils.filterFlags(argv, {
     ...flags.commonFlags,
     ...flags.outputFlags
-  }, ['--no-banner', '--help', '-h']);
+  }, ['--no-banner', constants.FLAG_HELP, '-h']);
   const yargv = {
     ...vendor.yargsParser(argsToProcess, yargsConfig)
   };
@@ -4879,7 +4961,7 @@ async function run$F(argv, importMeta, context) {
     // options or missing arguments.
     // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
     process.exitCode = 2;
-    logger.logger.fail(`Unknown ${words.pluralize('argument', unknownsCount)}: ${unknowns.join(', ')}`);
+    logger.logger.fail(`Unknown ${words.pluralize('argument', unknownsCount)}: ${arrays.joinAnd(unknowns)}`);
     return;
   }
   if (dryRun) {
@@ -6676,7 +6758,7 @@ async function lsPnpm(pkgEnvDetails, options) {
     stdout = (await spawn.spawn(pkgEnvDetails.agentExecPath,
     // Pnpm uses the alternative spelling of parsable.
     // https://en.wiktionary.org/wiki/parsable
-    ['ls', '--parseable', '--prod', '--depth', 'Infinity'], {
+    ['ls', '--parseable', constants.FLAG_PROD, '--depth', 'Infinity'], {
       cwd,
       shell: constants.default.WIN32
     })).stdout;
@@ -6729,7 +6811,7 @@ async function lsYarnClassic(pkgEnvDetails, options) {
     // https://github.com/yarnpkg/yarn/releases/tag/v1.0.0
     // > Fix: Excludes dev dependencies from the yarn list output when the
     //   environment is production
-    return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['list', '--prod'], {
+    return (await spawn.spawn(pkgEnvDetails.agentExecPath, ['list', constants.FLAG_PROD], {
       cwd,
       shell: constants.default.WIN32
     })).stdout;
@@ -8405,7 +8487,7 @@ async function fetchPurlsShallowScore(purls, options) {
     return sockSdkCResult;
   }
   const sockSdk = sockSdkCResult.data;
-  logger.logger.info(`Requesting shallow score data for ${purls.length} package urls (purl): ${purls.join(', ')}`);
+  logger.logger.info(`Requesting shallow score data for ${purls.length} package urls (purl): ${arrays.joinAnd(purls)}`);
   const batchPackageCResult = await utils.handleApiCall(sockSdk.batchPackageFetch({
     components: purls.map(purl => ({
       purl
@@ -8969,7 +9051,7 @@ async function computeSHA256(filepath) {
     return {
       ok: false,
       message: 'Failed to compute file hash',
-      cause: `Unable to read file ${filepath}: ${e instanceof Error ? e.message : 'Unknown error'}`
+      cause: `Unable to read file ${filepath}: ${e instanceof Error ? e.message : constants.UNKNOWN_ERROR}`
     };
   }
 }
@@ -9089,9 +9171,9 @@ async function handlePatch({
   spinner
 }) {
   try {
-    const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
-    const manifestPath = path.join(dotSocketDirPath, 'manifest.json');
-    const manifestContent = await fs$1.promises.readFile(manifestPath, 'utf-8');
+    const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET_DIR);
+    const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
+    const manifestContent = await fs$1.promises.readFile(manifestPath, constants.UTF8);
     const manifestData = JSON.parse(manifestContent);
     const purls = purlObjs.map(String);
     const validated = PatchManifestSchema.parse(manifestData);
@@ -9152,7 +9234,7 @@ async function handlePatch({
     let message = 'Failed to apply patches';
     let cause = e?.message || constants.UNKNOWN_ERROR;
     if (e instanceof SyntaxError) {
-      message = `Invalid JSON in ${registryConstants.MANIFEST_JSON}`;
+      message = `Invalid JSON in ${constants.MANIFEST_JSON}`;
       cause = e.message;
     } else if (e instanceof Error && 'issues' in e) {
       message = 'Schema validation failed';
@@ -9235,13 +9317,13 @@ async function run$m(argv, importMeta, {
   // Note: path.resolve vs .join:
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
-  const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
+  const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET_DIR);
   if (!fs$1.existsSync(dotSocketDirPath)) {
-    throw new utils.InputError(`No ${constants.DOT_SOCKET} directory found in current directory`);
+    throw new utils.InputError(`No ${constants.DOT_SOCKET_DIR} directory found in current directory`);
   }
   const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
   if (!fs$1.existsSync(manifestPath)) {
-    throw new utils.InputError(`No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
+    throw new utils.InputError(`No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET_DIR} directory`);
   }
   const {
     spinner
@@ -13963,7 +14045,7 @@ async function run$3(argv, importMeta, {
     }
   });
   if (argSet.size) {
-    logger.logger.info(`Warning: ignoring these excessive args: ${Array.from(argSet).join(', ')}`);
+    logger.logger.info(`Warning: ignoring these excessive args: ${arrays.joinAnd(Array.from(argSet))}`);
   }
   const hasApiToken = utils.hasDefaultApiToken();
   const {
@@ -14652,5 +14734,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=934b325d-4c21-4b37-9c71-c80f38f54d52
+//# debugId=b2633ba4-7e32-440b-9581-735f53ff9fc8
 //# sourceMappingURL=cli.js.map