socket 1.1.51 → 1.1.53

package/CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.53](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.53) - 2026-01-06
+
+### Changed
+- The `scan_type` query argument is now set to `'socket_tier1'` when running `socket scan create --reach`.
+This change ensures Tier 1 alerts from scans are ingested into the organization-level alerts correctly.
+
+## [1.1.52](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.52) - 2026-01-02
+
+### Added
+- Added `--silence` flag to `socket fix` to suppress intermediate output and show only the final result.
+
+### Changed
+- Updated the Coana CLI to v `14.12.139`.
+
 ## [1.1.51](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.51) - 2025-12-23
 
 ### Added

package/dist/cli.js

@@ -886,7 +886,8 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
     commitMessage,
     committers,
     pullRequest,
-    repoName
+    repoName,
+    scanType
   } = {
     __proto__: null,
     ...config
@@ -934,6 +935,7 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
     ...(pullRequest ? {
       pull_request: String(pullRequest)
     } : {}),
+    scan_type: scanType,
     repo: repoName,
     set_as_pending_head: String(pendingHead),
     tmp: String(tmp)
@@ -945,7 +947,8 @@ async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
 async function fetchSupportedScanFileNames(options) {
   const {
     sdkOpts,
-    spinner
+    spinner,
+    silence = false
   } = {
     __proto__: null,
     ...options
@@ -957,7 +960,8 @@ async function fetchSupportedScanFileNames(options) {
   const sockSdk = sockSdkCResult.data;
   return await utils.handleApiCall(sockSdk.getSupportedScanFiles(), {
     description: 'supported scan file types',
-    spinner
+    spinner,
+    silence
   });
 }
 
@@ -2329,7 +2333,8 @@ async function handleCreateNewScan({
     committers,
     pullRequest,
     repoName,
-    branchName
+    branchName,
+    scanType: reach.runReachabilityAnalysis ? constants.default.SCAN_TYPE_SOCKET_TIER1 : constants.default.SCAN_TYPE_SOCKET
   }, {
     cwd,
     defaultBranch,
@@ -3730,6 +3735,7 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
     ecosystems,
+    silence = false,
     spinner
   } = {
     __proto__: null,
@@ -3737,7 +3743,7 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
   };
   const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
     cwd,
-    spinner,
+    spinner: silence ? undefined : spinner,
     coanaVersion: options?.coanaVersion
   }, {
     stdio: 'pipe'
@@ -3771,20 +3777,24 @@ async function coanaFix(fixConfig) {
     outputFile,
     prLimit,
     showAffectedDirectDependencies,
+    silence,
     spinner
   } = fixConfig;
   const fixEnv = await getFixEnv();
   require$$9.debugDir('inspect', {
     fixEnv
   });
-  spinner?.start();
+  if (!silence) {
+    spinner?.start();
+  }
   const sockSdkCResult = await utils.setupSdk();
   if (!sockSdkCResult.ok) {
     return sockSdkCResult;
   }
   const sockSdk = sockSdkCResult.data;
   const supportedFilesCResult = await fetchSupportedScanFileNames({
-    spinner
+    spinner: silence ? undefined : spinner,
+    silence
   });
   if (!supportedFilesCResult.ok) {
     return supportedFilesCResult;
@@ -3798,14 +3808,17 @@ async function coanaFix(fixConfig) {
   const filepathsToUpload = scanFilepaths.filter(p => path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON);
   const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload, cwd), {
     description: 'upload manifests',
-    spinner
+    spinner,
+    silence
   });
   if (!uploadCResult.ok) {
     return uploadCResult;
   }
   const tarHash = uploadCResult.data.tarHash;
   if (!tarHash) {
-    spinner?.stop();
+    if (!silence) {
+      spinner?.stop();
+    }
     return {
       ok: false,
       message: 'No tar hash returned from Socket API upload-manifest-files endpoint',
@@ -3816,12 +3829,12 @@ async function coanaFix(fixConfig) {
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo;
   if (!shouldOpenPrs) {
     // In local mode, if neither --all nor --id is provided, show deprecation warning.
-    if (shouldDiscoverGhsaIds && !all) {
+    if (!silence && shouldDiscoverGhsaIds && !all) {
       logger.logger.warn('Implicit --all is deprecated in local mode and will be removed in a future release. Please use --all explicitly.');
     }
 
     // Inform user about local mode when fixes will be applied.
-    if (applyFixes && ghsas.length) {
+    if (!silence && applyFixes && ghsas.length) {
       const envCheck = checkCiEnvVars();
       if (envCheck.present.length) {
         // Some CI vars are set but not all - show what's missing.
@@ -3839,10 +3852,13 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      silence,
       spinner
     }) : ghsas;
     if (ids.length === 0) {
-      spinner?.stop();
+      if (!silence) {
+        spinner?.stop();
+      }
       return {
         ok: true,
         data: {
@@ -3858,10 +3874,12 @@ async function coanaFix(fixConfig) {
       const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
         coanaVersion,
         cwd,
-        spinner,
-        stdio: 'inherit'
+        spinner: silence ? undefined : spinner,
+        stdio: silence ? 'pipe' : 'inherit'
       });
-      spinner?.stop();
+      if (!silence) {
+        spinner?.stop();
+      }
       if (!fixCResult.ok) {
         return fixCResult;
       }
@@ -3873,7 +3891,9 @@ async function coanaFix(fixConfig) {
 
       // Copy to outputFile if provided.
       if (outputFile) {
-        logger.logger.info(`Copying fixes result to ${outputFile}`);
+        if (!silence) {
+          logger.logger.info(`Copying fixes result to ${outputFile}`);
+        }
         const tmpContent = await fs$1.promises.readFile(tmpFile, 'utf8');
         await fs$1.promises.writeFile(outputFile, tmpContent, 'utf8');
       }
@@ -3919,6 +3939,7 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      silence,
       spinner
     }) : ghsas).slice(0, adjustedPrLimit);
   }
@@ -3929,7 +3950,9 @@ async function coanaFix(fixConfig) {
     require$$9.debugFn('notice', 'miss: no repo info detected');
   }
   if (!ids?.length || !fixEnv.repoInfo) {
-    spinner?.stop();
+    if (!silence) {
+      spinner?.stop();
+    }
     return {
       ok: true,
       data: {
@@ -3956,11 +3979,13 @@ async function coanaFix(fixConfig) {
     const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(debug ? ['--debug'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       coanaVersion,
       cwd,
-      spinner,
-      stdio: 'inherit'
+      spinner: silence ? undefined : spinner,
+      stdio: silence ? 'pipe' : 'inherit'
     });
     if (!fixCResult.ok) {
-      logger.logger.error(`Update failed for ${ghsaId}: ${utils.getErrorCause(fixCResult)}`);
+      if (!silence) {
+        logger.logger.error(`Update failed for ${ghsaId}: ${utils.getErrorCause(fixCResult)}`);
+      }
       continue ghsaLoop;
     }
 
@@ -3983,7 +4008,9 @@ async function coanaFix(fixConfig) {
       });
       if (existingOpenPrs.length > 0) {
         const prNum = existingOpenPrs[0].number;
-        logger.logger.info(`PR #${prNum} already exists for ${ghsaId}, skipping.`);
+        if (!silence) {
+          logger.logger.info(`PR #${prNum} already exists for ${ghsaId}, skipping.`);
+        }
         require$$9.debugFn('notice', `skip: open PR #${prNum} exists for ${ghsaId}`);
         continue ghsaLoop;
       }
@@ -4001,7 +4028,9 @@ async function coanaFix(fixConfig) {
 
       // Check for GitHub token before doing any git operations.
       if (!fixEnv.githubToken) {
-        logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        if (!silence) {
+          logger.logger.error('Cannot create pull request: SOCKET_CLI_GITHUB_TOKEN environment variable is not set.\n' + 'Set SOCKET_CLI_GITHUB_TOKEN or GITHUB_TOKEN to enable PR creation.');
+        }
         require$$9.debugFn('error', `skip: missing GitHub token for ${ghsaId}`);
         continue ghsaLoop;
       }
@@ -4022,7 +4051,9 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitPushBranch(branch, cwd));
       if (!pushed) {
-        logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
+        if (!silence) {
+          logger.logger.warn(`Push failed for ${ghsaId}, skipping PR creation.`);
+        }
         // eslint-disable-next-line no-await-in-loop
         await utils.gitResetAndClean(fixEnv.baseBranch, cwd);
         // eslint-disable-next-line no-await-in-loop
@@ -4049,23 +4080,29 @@ async function coanaFix(fixConfig) {
           data
         } = prResult.pr;
         const prRef = `PR #${data.number}`;
-        logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
+        if (!silence) {
+          logger.logger.success(`Opened ${prRef} for ${ghsaId}.`);
+        }
         if (autopilot) {
-          logger.logger.indent();
-          spinner?.indent();
+          if (!silence) {
+            logger.logger.indent();
+            spinner?.indent();
+          }
           // eslint-disable-next-line no-await-in-loop
           const {
             details,
             enabled
           } = await utils.enablePrAutoMerge(data);
-          if (enabled) {
-            logger.logger.info(`Auto-merge enabled for ${prRef}.`);
-          } else {
-            const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
-            logger.logger.error(message);
+          if (!silence) {
+            if (enabled) {
+              logger.logger.info(`Auto-merge enabled for ${prRef}.`);
+            } else {
+              const message = `Failed to enable auto-merge for ${prRef}${details ? `:\n${details.map(d => ` - ${d}`).join('\n')}` : '.'}`;
+              logger.logger.error(message);
+            }
+            logger.logger.dedent();
+            spinner?.dedent();
           }
-          logger.logger.dedent();
-          spinner?.dedent();
         }
 
         // Clean up local branch only - keep remote branch for PR merge.
@@ -4074,22 +4111,32 @@ async function coanaFix(fixConfig) {
       } else {
         // Handle PR creation failures.
         if (prResult.reason === 'already_exists') {
-          logger.logger.info(`PR already exists for ${ghsaId} (this should not happen due to earlier check).`);
+          if (!silence) {
+            logger.logger.info(`PR already exists for ${ghsaId} (this should not happen due to earlier check).`);
+          }
           // Don't delete branch - PR exists and needs it.
         } else if (prResult.reason === 'validation_error') {
-          logger.logger.error(`Failed to create PR for ${ghsaId}:\n${prResult.details}`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}:\n${prResult.details}`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         } else if (prResult.reason === 'permission_denied') {
-          logger.logger.error(`Failed to create PR for ${ghsaId}: Permission denied. Check SOCKET_CLI_GITHUB_TOKEN permissions.`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}: Permission denied. Check SOCKET_CLI_GITHUB_TOKEN permissions.`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         } else if (prResult.reason === 'network_error') {
-          logger.logger.error(`Failed to create PR for ${ghsaId}: Network error. Please try again.`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}: Network error. Please try again.`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         } else {
-          logger.logger.error(`Failed to create PR for ${ghsaId}: ${prResult.error.message}`);
+          if (!silence) {
+            logger.logger.error(`Failed to create PR for ${ghsaId}: ${prResult.error.message}`);
+          }
           // eslint-disable-next-line no-await-in-loop
           await cleanupFailedPrBranches(branch, cwd);
         }
@@ -4101,7 +4148,9 @@ async function coanaFix(fixConfig) {
       // eslint-disable-next-line no-await-in-loop
       await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
     } catch (e) {
-      logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
+      if (!silence) {
+        logger.logger.warn(`Unexpected condition: Push failed for ${ghsaId}, skipping PR creation.`);
+      }
       require$$9.debugDir('error', e);
       // Clean up branches (push may have succeeded before error).
       // eslint-disable-next-line no-await-in-loop
@@ -4119,7 +4168,9 @@ async function coanaFix(fixConfig) {
       break ghsaLoop;
     }
   }
-  spinner?.stop();
+  if (!silence) {
+    spinner?.stop();
+  }
   return {
     ok: true,
     data: {
@@ -4150,7 +4201,13 @@ const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/;
  * Converts mixed CVE/GHSA/PURL IDs to GHSA IDs only.
  * Filters out invalid IDs and logs conversion results.
  */
-async function convertIdsToGhsas(ids) {
+async function convertIdsToGhsas(ids, options) {
+  const {
+    silence = false
+  } = {
+    __proto__: null,
+    ...options
+  };
   require$$9.debugFn('notice', `Converting ${ids.length} IDs to GHSA format`);
   require$$9.debugDir('inspect', {
     ids
@@ -4177,17 +4234,21 @@ async function convertIdsToGhsas(ids) {
       const conversionResult = await utils.convertCveToGhsa(trimmedId);
       if (conversionResult.ok) {
         validGhsas.push(conversionResult.data);
-        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data}`);
+        if (!silence) {
+          logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data}`);
+        }
       } else {
         errors.push(`${trimmedId}: ${conversionResult.message}`);
       }
     } else if (trimmedId.startsWith('pkg:')) {
-      // Convert PURL to GHSAs
+      // Convert PURL to GHSAs.
       // eslint-disable-next-line no-await-in-loop
       const conversionResult = await utils.convertPurlToGhsas(trimmedId);
       if (conversionResult.ok && conversionResult.data.length) {
         validGhsas.push(...conversionResult.data);
-        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${arrays.joinAnd(conversionResult.data)}`);
+        if (!silence) {
+          logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${arrays.joinAnd(conversionResult.data)}`);
+        }
       } else {
         errors.push(`${trimmedId}: ${conversionResult.message || 'No GHSAs found'}`);
       }
@@ -4197,7 +4258,9 @@ async function convertIdsToGhsas(ids) {
     }
   }
   if (errors.length) {
-    logger.logger.warn(`Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+    if (!silence) {
+      logger.logger.warn(`Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+    }
     require$$9.debugDir('inspect', {
       errors
     });
@@ -4229,6 +4292,7 @@ async function handleFix({
   prLimit,
   rangeStyle,
   showAffectedDirectDependencies,
+  silence,
   spinner,
   unknownFlags
 }) {
@@ -4253,6 +4317,7 @@ async function handleFix({
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     unknownFlags
   });
   await outputFixResult(await coanaFix({
@@ -4266,7 +4331,9 @@ async function handleFix({
     ecosystems,
     exclude,
     // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
-    ghsas: await convertIdsToGhsas(ghsas),
+    ghsas: await convertIdsToGhsas(ghsas, {
+      silence
+    }),
     include,
     minimumReleaseAge,
     minSatisfying,
@@ -4276,6 +4343,7 @@ async function handleFix({
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     spinner,
     unknownFlags
   }), outputKind);
@@ -4386,6 +4454,11 @@ Available styles:
     type: 'boolean',
     default: false,
     description: 'List the direct dependencies responsible for introducing transitive vulnerabilities and list the updates required to resolve the vulnerabilities'
+  },
+  silence: {
+    type: 'boolean',
+    default: false,
+    description: 'Silence all output except the final result'
   }
 };
 const hiddenFlags = {
@@ -4511,6 +4584,7 @@ async function run$K(argv, importMeta, {
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     // We patched in this feature with `npx custompatch meow` at
     // socket-cli/patches/meow#13.2.0.patch.
     unknownFlags = []
@@ -4559,7 +4633,7 @@ async function run$K(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_NOT_SAVING);
     return;
   }
-  const orgSlugCResult = await utils.getDefaultOrgSlug();
+  const orgSlugCResult = await utils.getDefaultOrgSlug(silence);
   if (!orgSlugCResult.ok) {
     process.exitCode = orgSlugCResult.code ?? 1;
     logger.logger.fail(`${constants.ERROR_UNABLE_RESOLVE_ORG}.\nEnsure a Socket API token is specified for the organization using the SOCKET_CLI_API_TOKEN environment variable.`);
@@ -4596,6 +4670,7 @@ async function run$K(argv, importMeta, {
     prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
+    silence,
     spinner,
     unknownFlags
   });
@@ -15267,5 +15342,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=90b6bd73-b1dd-42e8-a3d1-d309882d77f4
+//# debugId=34fc0e98-20b6-46ae-ac78-e1d398b7a973
 //# sourceMappingURL=cli.js.map