socket 1.1.41 → 1.1.43

package/CHANGELOG.md

@@ -4,7 +4,25 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
-## [1.1.41](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.40) - 2025-12-02
+## [1.1.43](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.43) - 2025-12-08
+
+### Added
+- Added `--all` flag to `socket fix` for explicitly processing all vulnerabilities in local mode. Cannot be used with `--id`.
+
+### Deprecated
+- Running `socket fix` in local mode without `--all` or `--id` is deprecated. A warning is shown when neither flag is provided. In a future release, one of these flags will be required.
+
+## [1.1.42](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.42) - 2025-12-04
+
+### Added
+- Added `--ecosystems` flag to `socket fix`.
+
+### Changed
+- Updated the Coana CLI to v `14.12.113`.
+- Rename `--limit` flag to `--pr-limit` for `socket fix`, but keep old flag as an alias. Note: `--pr-limit` has no effect in local mode, use `--id` options instead.
+- Process all vulnerabilities with `socket fix` when no `--id` options are provided.
+
+## [1.1.41](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.41) - 2025-12-02
 
 ### Added
 - Added `--reach-version` flag to `socket scan create` and `socket scan reach` to override the @coana-tech/cli version used for reachability analysis.

package/dist/cli.js

@@ -446,7 +446,7 @@ async function run$S(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -850,7 +850,7 @@ async function run$R(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -3694,13 +3694,13 @@ async function getFixEnv() {
 async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
-    limit,
+    ecosystems,
     spinner
   } = {
     __proto__: null,
     ...options
   };
-  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash], orgSlug, {
+  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
     cwd,
     spinner,
     coanaVersion: options?.coanaVersion
@@ -3708,32 +3708,32 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
     stdio: 'pipe'
   });
   if (foundCResult.ok) {
-    // Coana prints ghsaIds as json-formatted string on the final line of the output
-    const foundIds = [];
     try {
+      // Coana prints ghsaIds as json-formatted string on the final line of the output.
       const ghsaIdsRaw = foundCResult.data.trim().split('\n').pop();
       if (ghsaIdsRaw) {
-        foundIds.push(...JSON.parse(ghsaIdsRaw));
+        return JSON.parse(ghsaIdsRaw);
       }
     } catch {}
-    return limit !== undefined ? foundIds.slice(0, limit) : foundIds;
   }
   return [];
 }
 async function coanaFix(fixConfig) {
   const {
+    all,
     applyFixes,
     autopilot,
     coanaVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     ghsas,
     include,
-    limit,
     minimumReleaseAge,
     orgSlug,
     outputFile,
+    prLimit,
     showAffectedDirectDependencies,
     spinner
   } = fixConfig;
@@ -3776,9 +3776,14 @@ async function coanaFix(fixConfig) {
       data: uploadCResult.data
     };
   }
-  const isAll = !ghsas.length || ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto');
+  const shouldDiscoverGhsaIds = all || !ghsas.length;
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
+    // In local mode, if neither --all nor --id is provided, show deprecation warning.
+    if (shouldDiscoverGhsaIds && !all) {
+      logger.logger.warn('Implicit --all is deprecated in local mode and will be removed in a future release. Please use --all explicitly.');
+    }
+
     // Inform user about local mode when fixes will be applied.
     if (applyFixes && ghsas.length) {
       const envCheck = checkCiEnvVars();
@@ -3792,20 +3797,15 @@ async function coanaFix(fixConfig) {
         logger.logger.info('Running in local mode - fixes will be applied directly to your working directory.\n' + getCiEnvInstructions());
       }
     }
-    let ids;
-    if (isAll && limit > 0) {
-      ids = await discoverGhsaIds(orgSlug, tarHash, {
-        cwd,
-        limit,
-        spinner,
-        coanaVersion
-      });
-    } else if (limit > 0) {
-      ids = ghsas.slice(0, limit);
-    } else {
-      ids = [];
-    }
-    if (limit < 1 || ids.length === 0) {
+
+    // In local mode, process all discovered/provided IDs (no limit).
+    const ids = shouldDiscoverGhsaIds ? await discoverGhsaIds(orgSlug, tarHash, {
+      coanaVersion,
+      cwd,
+      ecosystems,
+      spinner
+    }) : ghsas;
+    if (ids.length === 0) {
       spinner?.stop();
       return {
         ok: true,
@@ -3819,7 +3819,7 @@ async function coanaFix(fixConfig) {
     const tmpDir = os.tmpdir();
     const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
     try {
-      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
         coanaVersion,
         cwd,
         spinner,
@@ -3858,8 +3858,8 @@ async function coanaFix(fixConfig) {
     }
   }
 
-  // Adjust limit based on open Socket Fix PRs.
-  let adjustedLimit = limit;
+  // Adjust PR limit based on open Socket Fix PRs.
+  let adjustedPrLimit = prLimit;
   if (shouldOpenPrs && fixEnv.repoInfo) {
     try {
       const openPrs = await getSocketFixPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
@@ -3867,26 +3867,24 @@ async function coanaFix(fixConfig) {
       });
       const openPrCount = openPrs.length;
       // Reduce limit by number of open PRs to avoid creating too many.
-      adjustedLimit = Math.max(0, limit - openPrCount);
+      adjustedPrLimit = Math.max(0, prLimit - openPrCount);
       if (openPrCount > 0) {
-        require$$9.debugFn('notice', `limit: adjusted from ${limit} to ${adjustedLimit} (${openPrCount} open Socket Fix ${words.pluralize('PR', openPrCount)}`);
+        require$$9.debugFn('notice', `prLimit: adjusted from ${prLimit} to ${adjustedPrLimit} (${openPrCount} open Socket Fix ${words.pluralize('PR', openPrCount)}`);
       }
     } catch (e) {
       require$$9.debugFn('warn', 'Failed to count open PRs, using original limit');
       require$$9.debugDir('error', e);
     }
   }
-  const shouldSpawnCoana = adjustedLimit > 0;
+  const shouldSpawnCoana = adjustedPrLimit > 0;
   let ids;
-  if (shouldSpawnCoana && isAll) {
-    ids = await discoverGhsaIds(orgSlug, tarHash, {
+  if (shouldSpawnCoana) {
+    ids = (shouldDiscoverGhsaIds ? await discoverGhsaIds(orgSlug, tarHash, {
+      coanaVersion,
       cwd,
-      limit: adjustedLimit,
-      spinner,
-      coanaVersion
-    });
-  } else if (shouldSpawnCoana) {
-    ids = ghsas.slice(0, adjustedLimit);
+      ecosystems,
+      spinner
+    }) : ghsas).slice(0, adjustedPrLimit);
   }
   if (!ids?.length) {
     require$$9.debugFn('notice', 'miss: no GHSA IDs to process');
@@ -3919,7 +3917,7 @@ async function coanaFix(fixConfig) {
 
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       coanaVersion,
       cwd,
       spinner,
@@ -4080,8 +4078,8 @@ async function coanaFix(fixConfig) {
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     }
     count += 1;
-    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(adjustedLimit, ids.length)}`);
-    if (count >= adjustedLimit) {
+    require$$9.debugFn('notice', `increment: count ${count}/${Math.min(adjustedPrLimit, ids.length)}`);
+    if (count >= adjustedPrLimit) {
       break ghsaLoop;
     }
   }
@@ -4175,21 +4173,23 @@ async function convertIdsToGhsas(ids) {
   return validGhsas;
 }
 async function handleFix({
+  all,
   applyFixes,
   autopilot,
   coanaVersion,
   cwd,
   disableMajorUpdates,
+  ecosystems,
   exclude,
   ghsas,
   include,
-  limit,
   minSatisfying,
   minimumReleaseAge,
   orgSlug,
   outputFile,
   outputKind,
   prCheck,
+  prLimit,
   rangeStyle,
   showAffectedDirectDependencies,
   spinner,
@@ -4197,40 +4197,44 @@ async function handleFix({
 }) {
   require$$9.debugFn('notice', `Starting fix command for ${orgSlug}`);
   require$$9.debugDir('inspect', {
+    all,
     applyFixes,
     autopilot,
     coanaVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     ghsas,
     include,
-    limit,
     minSatisfying,
     minimumReleaseAge,
     outputFile,
     outputKind,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     unknownFlags
   });
   await outputFixResult(await coanaFix({
+    all,
     applyFixes,
     autopilot,
     coanaVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
     ghsas: await convertIdsToGhsas(ghsas),
     include,
-    limit,
     minimumReleaseAge,
     minSatisfying,
     orgSlug,
     outputFile,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     spinner,
@@ -4286,6 +4290,11 @@ const generalFlags$2 = {
     // Hidden to allow custom documenting of the negated `--no-major-updates` variant.
     hidden: true
   },
+  all: {
+    type: 'boolean',
+    default: false,
+    description: 'Process all discovered vulnerabilities in local mode. Cannot be used with --id.'
+  },
   id: {
     type: 'string',
     default: [],
@@ -4293,13 +4302,14 @@ const generalFlags$2 = {
     - ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} (e.g., GHSA-xxxx-xxxx-xxxx)
     - ${vendor.terminalLinkExports('CVE IDs', 'https://cve.mitre.org/cve/identifiers/')} (e.g., CVE-${new Date().getFullYear()}-1234) - automatically converted to GHSA
     - ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec')} (e.g., pkg:npm/package@1.0.0) - automatically converted to GHSA
-    Can be provided as comma separated values or as multiple flags`,
+    Can be provided as comma separated values or as multiple flags. Cannot be used with --all.`,
     isMultiple: true
   },
-  limit: {
+  prLimit: {
+    aliases: ['limit'],
     type: 'number',
     default: DEFAULT_LIMIT,
-    description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`
+    description: `Maximum number of pull requests to create in CI mode (default ${DEFAULT_LIMIT}). Has no effect in local mode.`
   },
   rangeStyle: {
     type: 'string',
@@ -4321,6 +4331,12 @@ Available styles:
     default: '',
     description: 'Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.'
   },
+  ecosystems: {
+    type: 'string',
+    default: [],
+    description: 'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
+    isMultiple: true
+  },
   showAffectedDirectDependencies: {
     type: 'boolean',
     default: false,
@@ -4432,19 +4448,21 @@ async function run$K(argv, importMeta, {
     allowUnknownFlags: false
   });
   const {
+    all,
     applyFixes,
     autopilot,
+    ecosystems,
     exclude,
     fixVersion,
     include,
     json,
-    limit,
     majorUpdates,
     markdown,
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     // We patched in this feature with `npx custompatch meow` at
@@ -4455,6 +4473,24 @@ async function run$K(argv, importMeta, {
   const minSatisfying = cli.flags['minSatisfying'] || !maxSatisfying;
   const disableMajorUpdates = !majorUpdates;
   const outputKind = utils.getOutputKind(json, markdown);
+
+  // Process comma-separated values for ecosystems flag.
+  const ecosystemsRaw = utils.cmdFlagValueToArray(ecosystems);
+
+  // Validate ecosystem values early, before dry-run check.
+  const validatedEcosystems = [];
+  const validEcosystemChoices = utils.getEcosystemChoicesForMeow();
+  for (const ecosystem of ecosystemsRaw) {
+    if (!validEcosystemChoices.includes(ecosystem)) {
+      logger.logger.fail(`Invalid ecosystem: "${ecosystem}". Valid values are: ${arrays.joinAnd(validEcosystemChoices)}`);
+      process.exitCode = 1;
+      return;
+    }
+    validatedEcosystems.push(ecosystem);
+  }
+
+  // Collect ghsas early to validate --all and --id mutual exclusivity.
+  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
     message: `Expecting range style of ${arrays.joinOr(utils.RangeStyles)}`,
@@ -4464,6 +4500,11 @@ async function run$K(argv, importMeta, {
     test: !json || !markdown,
     message: 'The json and markdown flags cannot be both set, pick one',
     fail: 'omit one'
+  }, {
+    nook: true,
+    test: !all || !ghsas.length,
+    message: 'The --all and --id flags cannot be used together',
+    fail: 'omit one'
   });
   if (!wasValidInput) {
     return;
@@ -4486,25 +4527,26 @@ async function run$K(argv, importMeta, {
   const {
     spinner
   } = constants.default;
-  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   const includePatterns = utils.cmdFlagValueToArray(include);
   const excludePatterns = utils.cmdFlagValueToArray(exclude);
   await handleFix({
+    all,
     applyFixes,
     autopilot,
     coanaVersion: fixVersion,
     cwd,
     disableMajorUpdates,
+    ecosystems: validatedEcosystems,
     exclude: excludePatterns,
     ghsas,
     include: includePatterns,
-    limit,
     minimumReleaseAge,
     minSatisfying,
     orgSlug,
     outputFile,
     outputKind,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     spinner,
@@ -8064,7 +8106,7 @@ async function run$t(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8203,7 +8245,7 @@ async function run$s(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8339,7 +8381,7 @@ async function run$r(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8467,7 +8509,7 @@ async function run$q(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8598,7 +8640,7 @@ async function run$p(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -8967,7 +9009,7 @@ async function run$o(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -10253,7 +10295,7 @@ async function run$i(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -10389,7 +10431,7 @@ async function run$h(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -10681,7 +10723,7 @@ async function run$g(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -10880,7 +10922,7 @@ async function run$f(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -11047,7 +11089,7 @@ async function run$e(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -11531,7 +11573,7 @@ async function run$d(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -11720,7 +11762,7 @@ async function run$c(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -12034,7 +12076,7 @@ async function run$b(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -12927,11 +12969,11 @@ async function run$a(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasSocketApiToken,
+    test: dryRun || hasSocketApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
-    test: hasGithubApiToken,
+    test: dryRun || hasGithubApiToken,
     message: 'This command requires a GitHub API token for access',
     fail: 'missing'
   });
@@ -13195,7 +13237,7 @@ async function run$9(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -13356,7 +13398,7 @@ async function run$8(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -13579,7 +13621,7 @@ async function run$7(argv, importMeta, {
     fail: 'missing'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires an API token for access',
     fail: 'try `socket login`'
   }, {
@@ -13769,7 +13811,7 @@ async function run$6(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -14368,7 +14410,7 @@ async function run$4(argv, importMeta, {
     fail: 'bad'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   }, {
@@ -14803,7 +14845,7 @@ async function run$3(argv, importMeta, {
     fail: 'omit one'
   }, {
     nook: true,
-    test: hasApiToken,
+    test: dryRun || hasApiToken,
     message: 'This command requires a Socket API token for access',
     fail: 'try `socket login`'
   });
@@ -15475,5 +15517,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=3354d2a8-858e-47ae-8d62-34c8832fddf8
+//# debugId=ebb27358-0f57-49ac-99e3-bf4b9dd0739e
 //# sourceMappingURL=cli.js.map