socket 1.1.22 → 1.1.24

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.23](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.23) - 2025-09-22
+
+### Changed
+- Enhanced `--no-apply-fixes` flag naming for improved clarity (previously `--dont-apply-fixes`)
+- Streamlined documentation and help text for better user experience
+- Improved `pnpm dlx` operations by removing unnecessary `--ignore-scripts` flag
+
+### Fixed
+- Resolved JSON example formatting in usage documentation
+- Enhanced test reliability for cdxgen on Windows platforms
+- Improved error handling in optimize command for pnpm environments
+
 ## [1.1.22](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.22) - 2025-09-20
 
 ### Changed

package/README.md

@@ -3,7 +3,7 @@
 [![Socket Badge](https://socket.dev/api/badge/npm/package/socket)](https://socket.dev/npm/package/socket)
 [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
 
-> CLI tool for [Socket.dev]
+CLI for [Socket.dev] security analysis
 
 ## Usage
 
@@ -14,73 +14,58 @@ socket --help
 
 ## Commands
 
-- `socket npm [args...]` and `socket npx [args...]` - Wraps `npm` and `npx` to
-  integrate [Socket.dev] and preempt installation of alerted packages using the
-  builtin resolution of `npm` to precisely determine package installations
+- `socket npm [args...]` and `socket npx [args...]` - Wraps npm/npx with Socket security scanning
 
-- `socket optimize` - Optimize dependencies with
-  [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
-  _(👀 [our blog post](https://socket.dev/blog/introducing-socket-optimize))_
+- `socket fix` - Fix CVEs in dependencies
 
-  - `--pin` - Pin overrides to their latest version
-  - `--prod` - Add overrides for only production dependencies
+- `socket optimize` - Optimize dependencies with [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
 
-- `socket cdxgen [command]` - Call out to
-  [cdxgen](https://cyclonedx.github.io/cdxgen/#/?id=getting-started). See
-  [their documentation](https://cyclonedx.github.io/cdxgen/#/CLI?id=getting-help)
-  for commands.
+- `socket cdxgen [command]` - Run [cdxgen](https://cyclonedx.github.io/cdxgen/#/?id=getting-started) for SBOM generation
 
 ## Aliases
 
 All aliases support the flags and arguments of the commands they alias.
 
-- `socket ci` - alias for `socket scan create --report` which creates a report for the current directory and quits with an exit code if the result is unhealthy
+- `socket ci` - Alias for `socket scan create --report` (creates report and exits with error if unhealthy)
 
 ## Flags
 
 ### Output flags
 
-- `--json` - Outputs result as JSON which can be piped into [`jq`](https://stedolan.github.io/jq/) and other tools
-- `--markdown` - Outputs result as Markdown which can be copied into issues, pull requests, or chats
+- `--json` - Output as JSON
+- `--markdown` - Output as Markdown
 
 ### Other flags
 
-- `--dry-run` - Run a command without uploading anything
-- `--debug` - Output additional debug
-- `--help` - Prints help documentation
-- `--max-old-space-size` - Set Node's V8 [`--max-old-space-size`](https://nodejs.org/api/cli.html#--max-old-space-sizesize-in-mib) option
-- `--max-semi-space-size` - Set Node's V8 [`--max-semi-space-size`](https://nodejs.org/api/cli.html#--max-semi-space-sizesize-in-mib) option
-- `--version` - Prints the Socket CLI version
+- `--dry-run` - Run without uploading
+- `--debug` - Show debug output
+- `--help` - Show help
+- `--max-old-space-size` - Set Node.js memory limit
+- `--max-semi-space-size` - Set Node.js heap size
+- `--version` - Show version
 
 ## Configuration files
 
-Socket CLI reads and uses data from a
-[`socket.yml` file](https://docs.socket.dev/docs/socket-yml) in the folder you
-run it in. It supports the version 2 of the `socket.yml` file format and makes
-use of the `projectIgnorePaths` to excludes files when creating a report.
+Socket CLI reads [`socket.yml`](https://docs.socket.dev/docs/socket-yml) configuration files.
+Supports version 2 format with `projectIgnorePaths` for excluding files from reports.
 
 ## Environment variables
 
-- `SOCKET_CLI_API_TOKEN` - Set the Socket API token
-- `SOCKET_CLI_CONFIG` - A JSON stringified Socket configuration object
-- `SOCKET_CLI_GITHUB_API_URL` - Change the base URL for GitHub REST API calls
-- `SOCKET_CLI_GIT_USER_EMAIL` - The git config `user.email` used by Socket CLI<br>
-  *Defaults:* `github-actions[bot]@users.noreply.github.com`<br>
-- `SOCKET_CLI_GIT_USER_NAME` - The git config `user.name` used by Socket CLI<br>
-  *Defaults:* `github-actions[bot]`<br>
-- `SOCKET_CLI_GITHUB_TOKEN` - A classic or fine-grained [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) with the "repo" scope or read/write permissions set for "Contents" and "Pull Request"<br>
-  *Aliases:* `GITHUB_TOKEN`<br>
-- `SOCKET_CLI_NO_API_TOKEN` - Make the default API token `undefined`
-- `SOCKET_CLI_NPM_PATH` - The absolute location of the npm directory
-- `SOCKET_CLI_ORG_SLUG` - Specify the Socket organization slug<br><br>
-- `SOCKET_CLI_ACCEPT_RISKS` - Accept risks of a Socket wrapped npm/npx run
-- `SOCKET_CLI_VIEW_ALL_RISKS` - View all risks of a Socket wrapped npm/npx run
+- `SOCKET_CLI_API_TOKEN` - Socket API token
+- `SOCKET_CLI_CONFIG` - JSON configuration object
+- `SOCKET_CLI_GITHUB_API_URL` - GitHub API base URL
+- `SOCKET_CLI_GIT_USER_EMAIL` - Git user email (default: `github-actions[bot]@users.noreply.github.com`)
+- `SOCKET_CLI_GIT_USER_NAME` - Git user name (default: `github-actions[bot]`)
+- `SOCKET_CLI_GITHUB_TOKEN` - GitHub token with repo access (alias: `GITHUB_TOKEN`)
+- `SOCKET_CLI_NO_API_TOKEN` - Disable default API token
+- `SOCKET_CLI_NPM_PATH` - Path to npm directory
+- `SOCKET_CLI_ORG_SLUG` - Socket organization slug
+- `SOCKET_CLI_ACCEPT_RISKS` - Accept npm/npx risks
+- `SOCKET_CLI_VIEW_ALL_RISKS` - Show all npm/npx risks
 
 ## Contributing
 
-### Setup
-
-To run locally execute the following commands:
+Run locally:
 
 ```
 npm install
@@ -88,23 +73,19 @@ npm run build
 npm exec socket
 ```
 
-### Environment variables for development
+### Development environment variables
 
-- `SOCKET_CLI_API_BASE_URL` - Change the base URL for Socket API calls<br>
-  *Defaults:* The "apiBaseUrl" value of socket/settings local app data if present, else `https://api.socket.dev/v0/`<br>
-- `SOCKET_CLI_API_PROXY` - Set the proxy Socket API requests are routed through, e.g. if set to<br>
-  [`http://127.0.0.1:9090`](https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries), then all request are passed through that proxy<br>
-  *Aliases:* `HTTPS_PROXY`, `https_proxy`, `HTTP_PROXY`, and `http_proxy`<br>
-- `SOCKET_CLI_API_TIMEOUT` - Set the timeout in milliseconds for Socket API requests
-- `SOCKET_CLI_DEBUG` - Enable debug logging in Socket CLI
-- `DEBUG` - Enable debug logging based on the [`debug`](https://socket.dev/npm/package/debug) package
+- `SOCKET_CLI_API_BASE_URL` - API base URL (default: `https://api.socket.dev/v0/`)
+- `SOCKET_CLI_API_PROXY` - Proxy for API requests (aliases: `HTTPS_PROXY`, `https_proxy`, `HTTP_PROXY`, `http_proxy`)
+- `SOCKET_CLI_API_TIMEOUT` - API request timeout in milliseconds
+- `SOCKET_CLI_DEBUG` - Enable debug logging
+- `DEBUG` - Enable [`debug`](https://socket.dev/npm/package/debug) package logging
 
 ## See also
 
-- [Announcement blog post](https://socket.dev/blog/announcing-socket-cli-preview)
-- [Socket API Reference](https://docs.socket.dev/reference) - The API used by Socket CLI
-- [Socket GitHub App](https://github.com/apps/socket-security) - The plug-and-play GitHub App
-- [`@socketsecurity/sdk`](https://github.com/SocketDev/socket-sdk-js) - The SDK used by Socket CLI
+- [Socket API Reference](https://docs.socket.dev/reference)
+- [Socket GitHub App](https://github.com/apps/socket-security)
+- [`@socketsecurity/sdk`](https://github.com/SocketDev/socket-sdk-js)
 
 [Socket.dev]: https://socket.dev/
 

package/dist/cli.js

@@ -2378,7 +2378,7 @@ async function handleCi(autoManifest) {
 
 const config$k = {
   commandName: 'ci',
-  description: 'Shorthand for `socket scan create --report --no-interactive`',
+  description: 'Alias for `socket scan create --report` (creates report and exits with error if unhealthy)',
   hidden: false,
   flags: {
     ...flags.commonFlags,
@@ -3544,12 +3544,13 @@ async function getFixEnv() {
 
 async function coanaFix(fixConfig) {
   const {
+    applyFixes,
     autopilot,
     cwd,
-    dontApplyFixes,
     ghsas,
     glob,
     limit,
+    minimumReleaseAge,
     orgSlug,
     outputFile,
     spinner
@@ -3594,7 +3595,7 @@ async function coanaFix(fixConfig) {
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
     // Inform user about local mode when fixes will be applied.
-    if (!dontApplyFixes && ghsas.length) {
+    if (applyFixes && ghsas.length) {
       const envCheck = checkCiEnvVars();
       if (envCheck.present.length) {
         // Some CI vars are set but not all - show what's missing.
@@ -3616,7 +3617,7 @@ async function coanaFix(fixConfig) {
         }
       };
     }
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...(isAll ? ['all'] : ghsas), ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(glob ? ['--glob', glob] : []), ...(dontApplyFixes ? [constants.FLAG_DRY_RUN] : []), ...(outputFile ? ['--output-file', outputFile] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...(isAll ? ['all'] : ghsas), ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(glob ? ['--glob', glob] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), ...(outputFile ? ['--output-file', outputFile] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
@@ -3651,7 +3652,7 @@ async function coanaFix(fixConfig) {
   const shouldSpawnCoana = adjustedLimit > 0;
   let ids;
   if (shouldSpawnCoana && isAll) {
-    const foundCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(glob ? ['--glob', glob] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const foundCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(glob ? ['--glob', glob] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner
     });
@@ -3693,7 +3694,7 @@ async function coanaFix(fixConfig) {
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(glob ? ['--glob', glob] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(glob ? ['--glob', glob] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       cwd,
       spinner,
       stdio: 'inherit'
@@ -3903,13 +3904,14 @@ async function convertIdsToGhsas(ids) {
   return validGhsas;
 }
 async function handleFix({
+  applyFixes,
   autopilot,
   cwd,
-  dontApplyFixes,
   ghsas,
   glob,
   limit,
   minSatisfying,
+  minimumReleaseAge,
   orgSlug,
   outputFile,
   outputKind,
@@ -3926,7 +3928,7 @@ async function handleFix({
     glob,
     limit,
     minSatisfying,
-    dontApplyFixes,
+    applyFixes,
     outputFile,
     outputKind,
     prCheck,
@@ -3935,12 +3937,13 @@ async function handleFix({
   });
   await outputFixResult(await coanaFix({
     autopilot,
-    dontApplyFixes,
+    applyFixes,
     cwd,
     // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only
     ghsas: await convertIdsToGhsas(ghsas),
     glob,
     limit,
+    minimumReleaseAge,
     orgSlug,
     rangeStyle,
     spinner,
@@ -3951,7 +3954,7 @@ async function handleFix({
 
 const CMD_NAME$t = 'fix';
 const DEFAULT_LIMIT = 10;
-const description$z = 'Update dependencies with "fixable" Socket alerts';
+const description$z = 'Fix CVEs in dependencies';
 const hidden$s = false;
 const cmdFix = {
   description: description$z,
@@ -3964,11 +3967,13 @@ const generalFlags$2 = {
     default: false,
     description: `Enable auto-merge for pull requests that Socket opens.\nSee ${vendor.terminalLinkExports('GitHub documentation', 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository')} for managing auto-merge for pull requests in your repository.`
   },
-  dontApplyFixes: {
+  applyFixes: {
     aliases: ['onlyCompute'],
     type: 'boolean',
-    default: false,
-    description: 'Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.'
+    default: true,
+    description: 'Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.',
+    // Hidden to allow custom documenting of the negated `--no-apply-fixes` variant.
+    hidden: true
   },
   id: {
     type: 'string',
@@ -3999,6 +4004,11 @@ Available styles:
     type: 'string',
     default: '',
     description: 'Path to store upgrades as a JSON file at this path.'
+  },
+  minimumReleaseAge: {
+    type: 'string',
+    default: '',
+    description: 'Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.'
   }
 };
 const hiddenFlags = {
@@ -4076,7 +4086,14 @@ async function run$K(argv, importMeta, {
       ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$t}`)}
 
     Options
-      ${utils.getFlagListOutput(config.flags)}
+      ${utils.getFlagListOutput({
+      ...config.flags,
+      // Explicitly document the negated --no-apply-fixes variant.
+      noApplyFixes: {
+        ...config.flags['applyFixes'],
+        hidden: false
+      }
+    })}
 
     Environment Variables (for CI/PR mode)
       CI                          Set to enable CI mode
@@ -4099,13 +4116,14 @@ async function run$K(argv, importMeta, {
     allowUnknownFlags: false
   });
   const {
+    applyFixes,
     autopilot,
-    dontApplyFixes,
     glob,
     json,
     limit,
     markdown,
     maxSatisfying,
+    minimumReleaseAge,
     outputFile,
     prCheck,
     rangeStyle,
@@ -4150,11 +4168,12 @@ async function run$K(argv, importMeta, {
   const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   await handleFix({
     autopilot,
-    dontApplyFixes,
+    applyFixes,
     cwd,
     ghsas,
     glob,
     limit,
+    minimumReleaseAge,
     minSatisfying,
     prCheck,
     orgSlug,
@@ -4988,7 +5007,7 @@ const yargsConfig = {
 };
 const config$e = {
   commandName: 'cdxgen',
-  description: 'Create an SBOM with CycloneDX generator (cdxgen)',
+  description: 'Run cdxgen for SBOM generation',
   hidden: false,
   // Stub out flags and help.
   // TODO: Convert yargs to meow.
@@ -6336,7 +6355,7 @@ async function run$y(argv, importMeta, {
 
 const require$5 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME$r = constants.NPM;
-const description$w = 'Run npm with the Socket wrapper';
+const description$w = 'Wraps npm with Socket security scanning';
 const hidden$q = false;
 const cmdNpm = {
   description: description$w,
@@ -6414,7 +6433,7 @@ async function run$x(argv, importMeta, context) {
 
 const require$4 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME$q = constants.NPX;
-const description$v = 'Run npx with the Socket wrapper';
+const description$v = 'Wraps npx with Socket security scanning';
 const hidden$p = false;
 const cmdNpx = {
   description: description$v,
@@ -7486,12 +7505,12 @@ async function run$u(argv, importMeta, {
       pin: {
         type: 'boolean',
         default: false,
-        description: 'Pin overrides to their latest version'
+        description: 'Pin overrides to latest version'
       },
       prod: {
         type: 'boolean',
         default: false,
-        description: 'Only add overrides for production dependencies'
+        description: 'Add overrides for production dependencies only'
       }
     },
     help: (command, config) => `
@@ -9527,7 +9546,7 @@ async function run$m(argv, importMeta, {
 
 const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME$g = constants.PNPM;
-const description$j = 'Run pnpm with the Socket wrapper';
+const description$j = 'Wraps pnpm with Socket security scanning';
 const hidden$g = true;
 const cmdPnpm = {
   description: description$j,
@@ -14688,7 +14707,7 @@ async function run$1(argv, importMeta, {
 
 const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME = constants.YARN;
-const description = 'Run yarn with the Socket wrapper';
+const description = 'Wraps yarn with Socket security scanning';
 const hidden = true;
 const cmdYarn = {
   description,
@@ -14945,5 +14964,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=4aa44248-7031-4a9e-8cad-1c9fbaa730ef
+//# debugId=a37ba0b8-5e27-487b-ba57-2d9a99bbccae
 //# sourceMappingURL=cli.js.map