socket 1.1.8 → 1.1.9

package/CHANGELOG.md

@@ -4,7 +4,15 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
-## [1.1.8](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.8) - 2025-09-04
+## [1.1.9](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.9) - 2025-09-11
+
+### Added
+- Enhanced `socket fix --id` to accept CVE IDs and PURLs in addition to GHSA IDs
+
+### Fixed
+- Correct SOCKET_CLI_API_TIMEOUT environment variable lookup
+
+## [1.1.8](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.8) - 2025-09-11
 
 ### Changed
 - Made insufficient permissions errors more helpful

package/README.md

@@ -111,8 +111,8 @@ npm exec socket
 <br/>
 <div align="center">
   <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="logo-white.png">
-    <source media="(prefers-color-scheme: light)" srcset="logo-black.png">
-    <img width="324" height="108" alt="Socket Logo" src="logo-black.png">
+    <source media="(prefers-color-scheme: dark)" srcset="logo-dark.png">
+    <source media="(prefers-color-scheme: light)" srcset="logo-light.png">
+    <img width="324" height="108" alt="Socket Logo" src="logo-light.png">
   </picture>
 </div>

package/dist/cli.js

@@ -3710,6 +3710,59 @@ async function outputFixResult(result, outputKind) {
   logger.logger.success('Finished!');
 }
 
+const GHSA_FORMAT_REGEXP = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/;
+const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/;
+/**
+ * Converts mixed CVE/GHSA/PURL IDs to GHSA IDs only.
+ * Filters out invalid IDs and logs conversion results.
+ */
+async function convertIdsToGhsas(ids) {
+  const validGhsas = [];
+  const errors = [];
+  for (const id of ids) {
+    const trimmedId = id.trim();
+    if (trimmedId.startsWith('GHSA-')) {
+      // Already a GHSA ID, validate format
+      if (GHSA_FORMAT_REGEXP.test(trimmedId)) {
+        validGhsas.push(trimmedId);
+      } else {
+        errors.push(`Invalid GHSA format: ${trimmedId}`);
+      }
+    } else if (trimmedId.startsWith('CVE-')) {
+      // Convert CVE to GHSA
+      if (!CVE_FORMAT_REGEXP.test(trimmedId)) {
+        errors.push(`Invalid CVE format: ${trimmedId}`);
+        continue;
+      }
+
+      // eslint-disable-next-line no-await-in-loop
+      const conversionResult = await utils.convertCveToGhsa(trimmedId);
+      if (conversionResult.ok) {
+        validGhsas.push(conversionResult.data);
+        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data}`);
+      } else {
+        errors.push(`${trimmedId}: ${conversionResult.message}`);
+      }
+    } else if (trimmedId.startsWith('pkg:')) {
+      // Convert PURL to GHSAs
+      // eslint-disable-next-line no-await-in-loop
+      const conversionResult = await utils.convertPurlToGhsas(trimmedId);
+      if (conversionResult.ok && conversionResult.data.length) {
+        validGhsas.push(...conversionResult.data);
+        logger.logger.info(`Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${conversionResult.data.join(', ')}`);
+      } else {
+        errors.push(`${trimmedId}: ${conversionResult.message || 'No GHSAs found'}`);
+      }
+    } else {
+      // Neither CVE, GHSA, nor PURL, skip
+      errors.push(`Unsupported ID format (expected CVE, GHSA, or PURL): ${trimmedId}`);
+    }
+  }
+  if (errors.length) {
+    logger.logger.warn(`Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+  }
+  return validGhsas;
+}
 async function handleFix({
   autopilot,
   cwd,
@@ -3726,7 +3779,8 @@ async function handleFix({
   await outputFixResult(await coanaFix({
     autopilot,
     cwd,
-    ghsas,
+    // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only
+    ghsas: await convertIdsToGhsas(ghsas),
     limit,
     orgSlug,
     rangeStyle,
@@ -3753,7 +3807,11 @@ const generalFlags$2 = {
   id: {
     type: 'string',
     default: [],
-    description: `Provide a list of ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} to compute fixes for, as either a comma separated value or as multiple flags`,
+    description: `Provide a list of vulnerability identifiers to compute fixes for:
+    - ${vendor.terminalLinkExports('GHSA IDs', 'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids')} (e.g., GHSA-xxxx-xxxx-xxxx)
+    - ${vendor.terminalLinkExports('CVE IDs', 'https://cve.mitre.org/cve/identifiers/')} (e.g., CVE-${new Date().getFullYear()}-1234) - automatically converted to GHSA
+    - ${vendor.terminalLinkExports('PURLs', 'https://github.com/package-url/purl-spec')} (e.g., pkg:npm/package@1.0.0) - automatically converted to GHSA
+    Can be provided as comma separated values or as multiple flags`,
     isMultiple: true
   },
   limit: {
@@ -3767,14 +3825,8 @@ const generalFlags$2 = {
     description: `
 Define how dependency version ranges are updated in package.json (default 'preserve').
 Available styles:
-  * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
-  * gt - Use > to allow any newer version (e.g. >1.2.3)
-  * gte - Use >= to allow any newer version (e.g. >=1.2.3)
-  * lt - Use < to allow only lower versions (e.g. <1.2.3)
-  * lte - Use <= to allow only lower versions (e.g. <=1.2.3)
   * pin - Use the exact version (e.g. 1.2.3)
   * preserve - Retain the existing version range style as-is
-  * tilde - Use ~ range for patch/minor updates (e.g. ~1.2.3)
       `.trim()
   }
 };
@@ -3875,23 +3927,6 @@ async function run$I(argv, importMeta, {
   } = cli.flags;
   const dryRun = !!cli.flags['dryRun'];
   const minSatisfying = cli.flags['minSatisfying'] || !maxSatisfying;
-  const rawPurls = utils.cmdFlagValueToArray(cli.flags['purl']);
-  const purls = [];
-  for (const purl of rawPurls) {
-    const version = utils.getPurlObject(purl, {
-      throws: false
-    })?.version;
-    if (version) {
-      purls.push(purl);
-    } else {
-      logger.logger.warn(`--purl ${purl} is missing a version and will be ignored.`);
-    }
-  }
-  if (rawPurls.length !== purls.length && !purls.length) {
-    process.exitCode = 1;
-    logger.logger.fail('No valid --purl values provided.');
-    return;
-  }
   const outputKind = utils.getOutputKind(json, markdown);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     test: utils.RangeStyles.includes(rangeStyle),
@@ -3924,7 +3959,7 @@ async function run$I(argv, importMeta, {
   const {
     spinner
   } = constants.default;
-  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa'])]);
+  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   await handleFix({
     autopilot,
     cwd,
@@ -8407,12 +8442,12 @@ function getAlertString(alerts, options) {
 
   // We need to create the no-color string regardless because the actual string
   // contains a bunch of invisible ANSI chars which would screw up length checks.
-  const colorless = `- Alerts (${bad.length}/${mid.length.toString()}/${low.length}):`;
+  const colorless = `- Alerts (${bad.length}/${mid.length}/${low.length}):`;
   const padding = `  ${' '.repeat(Math.max(0, 20 - colorless.length))}`;
   if (colorize) {
-    return `- Alerts (${vendor.yoctocolorsCjsExports.red(bad.length.toString())}/${vendor.yoctocolorsCjsExports.yellow(mid.length.toString())}/${low.length}):` + padding + [bad.map(a => vendor.yoctocolorsCjsExports.red(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)).join(', '), mid.map(a => vendor.yoctocolorsCjsExports.yellow(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)).join(', '), low.map(a => `${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`).join(', ')].filter(Boolean).join(', ');
+    return `- Alerts (${vendor.yoctocolorsCjsExports.red(bad.length)}/${vendor.yoctocolorsCjsExports.yellow(mid.length)}/${low.length}):${padding}${arrays.joinAnd([...bad.map(a => vendor.yoctocolorsCjsExports.red(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)), ...mid.map(a => vendor.yoctocolorsCjsExports.yellow(`${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)), ...low.map(a => `${vendor.yoctocolorsCjsExports.dim(`[${a.severity}] `)}${a.type}`)])}`;
   }
-  return colorless + padding + [bad.map(a => `[${a.severity}] ${a.type}`).join(', '), mid.map(a => `[${a.severity}] ${a.type}`).join(', '), low.map(a => `[${a.severity}] ${a.type}`).join(', ')].filter(Boolean).join(', ');
+  return `${colorless}${padding}${arrays.joinAnd([...bad.map(a => `[${a.severity}] ${a.type}`), ...mid.map(a => `[${a.severity}] ${a.type}`), ...low.map(a => `[${a.severity}] ${a.type}`)])}`;
 }
 function preProcess(artifacts, requestedPurls) {
   // Dedupe results (for example, pypi will emit one package for each system release (win/mac/cpu) even if it's
@@ -8845,14 +8880,26 @@ async function applyNpmPatches(socketDir, patches, options) {
   }
   return result;
 }
+
+/**
+ * Compute SHA256 hash of file contents.
+ */
 async function computeSHA256(filepath) {
   try {
     const content = await fs$1.promises.readFile(filepath);
     const hash = require$$0$1.createHash('sha256');
     hash.update(content);
-    return hash.digest('hex');
-  } catch {}
-  return null;
+    return {
+      ok: true,
+      data: hash.digest('hex')
+    };
+  } catch (e) {
+    return {
+      ok: false,
+      message: 'Failed to compute file hash',
+      cause: `Unable to read file ${filepath}: ${e instanceof Error ? e.message : 'Unknown error'}`
+    };
+  }
 }
 async function findNodeModulesPaths(cwd) {
   const rootNmPath = await utils.findUp(constants.NODE_MODULES, {
@@ -8888,29 +8935,29 @@ async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options)
     }
     return false;
   }
-  const currentHash = await computeSHA256(filepath);
-  if (!currentHash) {
-    logger.logger.log(`Failed to compute hash for: ${fileName}`);
+  const currentHashResult = await computeSHA256(filepath);
+  if (!currentHashResult.ok) {
+    logger.logger.log(`Failed to compute hash for: ${fileName}: ${currentHashResult.cause || currentHashResult.message}`);
     if (wasSpinning) {
       spinner?.start();
     }
     return false;
   }
-  if (currentHash === fileInfo.afterHash) {
+  if (currentHashResult.data === fileInfo.afterHash) {
     logger.logger.success(`File already patched: ${fileName}`);
     logger.logger.group();
-    logger.logger.log(`Current hash: ${currentHash}`);
+    logger.logger.log(`Current hash: ${currentHashResult.data}`);
     logger.logger.groupEnd();
     if (wasSpinning) {
       spinner?.start();
     }
     return true;
   }
-  if (currentHash !== fileInfo.beforeHash) {
+  if (currentHashResult.data !== fileInfo.beforeHash) {
     logger.logger.fail(`File hash mismatch: ${fileName}`);
     logger.logger.group();
     logger.logger.log(`Expected: ${fileInfo.beforeHash}`);
-    logger.logger.log(`Current:  ${currentHash}`);
+    logger.logger.log(`Current:  ${currentHashResult.data}`);
     logger.logger.log(`Target:   ${fileInfo.afterHash}`);
     logger.logger.groupEnd();
     if (wasSpinning) {
@@ -8920,7 +8967,7 @@ async function processFilePatch(pkgPath, fileName, fileInfo, socketDir, options)
   }
   logger.logger.success(`File matches expected hash: ${fileName}`);
   logger.logger.group();
-  logger.logger.log(`Current hash: ${currentHash}`);
+  logger.logger.log(`Current hash: ${currentHashResult.data}`);
   logger.logger.log(`Ready to patch to: ${fileInfo.afterHash}`);
   logger.logger.group();
   if (dryRun) {
@@ -9118,13 +9165,11 @@ async function run$k(argv, importMeta, {
   cwd = path.resolve(process.cwd(), cwd);
   const dotSocketDirPath = path.join(cwd, constants.DOT_SOCKET);
   if (!fs$1.existsSync(dotSocketDirPath)) {
-    logger.logger.error(`Error: No ${constants.DOT_SOCKET} directory found in current directory`);
-    return;
+    throw new utils.InputError(`No ${constants.DOT_SOCKET} directory found in current directory`);
   }
   const manifestPath = path.join(dotSocketDirPath, constants.MANIFEST_JSON);
   if (!fs$1.existsSync(manifestPath)) {
-    logger.logger.error(`Error: No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
-    return;
+    throw new utils.InputError(`No ${constants.MANIFEST_JSON} found in ${constants.DOT_SOCKET} directory`);
   }
   const {
     spinner
@@ -11151,7 +11196,7 @@ async function createScanFromGithub({
   repos
 }) {
   let targetRepos = repos.trim().split(',').map(r => r.trim()).filter(Boolean);
-  if (all || targetRepos.length === 0) {
+  if (all || !targetRepos.length) {
     // Fetch from Socket API
     const result = await fetchListAllRepos(orgSlug, {
       direction: 'asc',
@@ -11522,10 +11567,10 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       ok: true,
       data: localPath
     };
-  } catch (error) {
+  } catch (e) {
     logger.logger.fail('An error was thrown while trying to download a manifest file... url:', downloadUrl);
     require$$9.debugDir('inspect', {
-      error
+      error: e
     });
 
     // If an error occurs and fileStream was created, attempt to clean up.
@@ -11539,10 +11584,10 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       });
     }
     // Construct a more informative error message
-    let detailedError = `Error during download of ${downloadUrl}: ${error.message}`;
-    if (error.cause) {
+    let detailedError = `Error during download of ${downloadUrl}: ${e.message}`;
+    if (e.cause) {
       // Include cause if available (e.g., from network errors)
-      detailedError += `\nCause: ${error.cause}`;
+      detailedError += `\nCause: ${e.cause}`;
     }
     if (response && !response.ok) {
       // If error was due to bad HTTP status
@@ -14395,5 +14440,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=ac9751e6-2458-4e89-9ffb-14171de230d0
+//# debugId=712a8ff2-24bd-4ae4-981f-0c05a45a4d0f
 //# sourceMappingURL=cli.js.map