socket 1.1.88 → 1.1.90

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/CHANGELOG.md +13 -0
  2. package/dist/cli.js +36 -5
  3. package/dist/cli.js.map +1 -1
  4. package/dist/constants.js +4 -4
  5. package/dist/constants.js.map +1 -1
  6. package/dist/tsconfig.dts.tsbuildinfo +1 -1
  7. package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
  8. package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
  9. package/dist/types/commands/fix/handle-fix.d.mts +1 -1
  10. package/dist/types/commands/fix/handle-fix.d.mts.map +1 -1
  11. package/dist/types/commands/fix/types.d.mts +1 -0
  12. package/dist/types/commands/fix/types.d.mts.map +1 -1
  13. package/dist/types/utils/glob.d.mts.map +1 -1
  14. package/dist/types/utils/package-manager.d.mts +12 -0
  15. package/dist/types/utils/package-manager.d.mts.map +1 -0
  16. package/dist/utils.js +22 -3
  17. package/dist/utils.js.map +1 -1
  18. package/package.json +2 -2
package/CHANGELOG.md CHANGED
@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
4
4
 
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
6
6
 
7
+ ## [1.1.90](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.90) - 2026-04-30
8
+
9
+ ### Added
10
+ - `socket fix` now accepts a `--package-managers` flag to narrow fix computation to specific package managers within an ecosystem (e.g. only PNPM in a monorepo that mixes pnpm/yarn/npm). Accepts space- or comma-separated values and is case-insensitive. When combined with `--ecosystems`, both filters must match.
11
+
12
+ ### Changed
13
+ - Updated the Coana CLI to v `15.2.0`.
14
+
15
+ ## [1.1.89](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.89) - 2026-04-30
16
+
17
+ ### Fixed
18
+ - `socket scan create` now matches manifest filenames case-insensitively, so capitalized files such as `Pipfile` and `Pipfile.lock` are no longer silently dropped from the scan.
19
+
7
20
  ## [1.1.88](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.88) - 2026-04-29
8
21
 
9
22
  ### Changed
package/dist/cli.js CHANGED
@@ -2208,7 +2208,9 @@ function filterToCdxSpdxAndFactsFiles(filepaths, supportedFiles) {
2208
2208
  return true;
2209
2209
  }
2210
2210
  // Include CDX and SPDX files.
2211
- return vendor.micromatchExports.some(filepath, patterns);
2211
+ return vendor.micromatchExports.some(filepath, patterns, {
2212
+ nocase: true
2213
+ });
2212
2214
  });
2213
2215
  }
2214
2216
  async function handleCreateNewScan({
@@ -3770,13 +3772,14 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
3770
3772
  const {
3771
3773
  cwd = process.cwd(),
3772
3774
  ecosystems,
3775
+ packageManagers,
3773
3776
  silence = false,
3774
3777
  spinner
3775
3778
  } = {
3776
3779
  __proto__: null,
3777
3780
  ...options
3778
3781
  };
3779
- const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
3782
+ const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers?.length ? ['--package-managers', ...packageManagers] : [])], orgSlug, {
3780
3783
  cwd,
3781
3784
  spinner: silence ? undefined : spinner,
3782
3785
  coanaVersion: options?.coanaVersion
@@ -3811,6 +3814,7 @@ async function coanaFix(fixConfig) {
3811
3814
  minimumReleaseAge,
3812
3815
  orgSlug,
3813
3816
  outputFile,
3817
+ packageManagers,
3814
3818
  prLimit,
3815
3819
  showAffectedDirectDependencies,
3816
3820
  silence,
@@ -3903,6 +3907,7 @@ async function coanaFix(fixConfig) {
3903
3907
  coanaVersion,
3904
3908
  cwd,
3905
3909
  ecosystems,
3910
+ packageManagers,
3906
3911
  silence,
3907
3912
  spinner
3908
3913
  }) : ghsas;
@@ -3923,7 +3928,7 @@ async function coanaFix(fixConfig) {
3923
3928
  const tmpDir = os.tmpdir();
3924
3929
  const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
3925
3930
  try {
3926
- const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
3931
+ const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
3927
3932
  coanaVersion,
3928
3933
  cwd,
3929
3934
  spinner: silence ? undefined : spinner,
@@ -3991,6 +3996,7 @@ async function coanaFix(fixConfig) {
3991
3996
  coanaVersion,
3992
3997
  cwd,
3993
3998
  ecosystems,
3999
+ packageManagers,
3994
4000
  silence,
3995
4001
  spinner
3996
4002
  }) : ghsas).slice(0, adjustedPrLimit);
@@ -4034,7 +4040,7 @@ async function coanaFix(fixConfig) {
4034
4040
 
4035
4041
  // Apply fix for single GHSA ID.
4036
4042
  // eslint-disable-next-line no-await-in-loop
4037
- const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
4043
+ const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
4038
4044
  coanaVersion,
4039
4045
  cwd,
4040
4046
  spinner: silence ? undefined : spinner,
@@ -4382,6 +4388,7 @@ async function handleFix({
4382
4388
  orgSlug,
4383
4389
  outputFile,
4384
4390
  outputKind,
4391
+ packageManagers,
4385
4392
  prCheck,
4386
4393
  prLimit,
4387
4394
  rangeStyle,
@@ -4408,6 +4415,7 @@ async function handleFix({
4408
4415
  minimumReleaseAge,
4409
4416
  outputFile,
4410
4417
  outputKind,
4418
+ packageManagers,
4411
4419
  prCheck,
4412
4420
  prLimit,
4413
4421
  rangeStyle,
@@ -4435,6 +4443,7 @@ async function handleFix({
4435
4443
  minSatisfying,
4436
4444
  orgSlug,
4437
4445
  outputFile,
4446
+ packageManagers,
4438
4447
  prCheck,
4439
4448
  prLimit,
4440
4449
  rangeStyle,
@@ -4551,6 +4560,12 @@ Available styles:
4551
4560
  description: 'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
4552
4561
  isMultiple: true
4553
4562
  },
4563
+ packageManagers: {
4564
+ type: 'string',
4565
+ default: [],
4566
+ description: 'Limit fix analysis to specific package managers within an ecosystem (e.g. NPM, PNPM, YARN, MAVEN, POETRY). Accepts space- or comma-separated values and is case-insensitive. When combined with --ecosystems, an artifact must satisfy both filters.',
4567
+ isMultiple: true
4568
+ },
4554
4569
  showAffectedDirectDependencies: {
4555
4570
  type: 'boolean',
4556
4571
  default: false,
@@ -4682,6 +4697,7 @@ async function run$K(argv, importMeta, {
4682
4697
  maxSatisfying,
4683
4698
  minimumReleaseAge,
4684
4699
  outputFile,
4700
+ packageManagers,
4685
4701
  prCheck,
4686
4702
  prLimit,
4687
4703
  rangeStyle,
@@ -4711,6 +4727,20 @@ async function run$K(argv, importMeta, {
4711
4727
  validatedEcosystems.push(ecosystem);
4712
4728
  }
4713
4729
 
4730
+ // Process and validate package manager values early, before dry-run check.
4731
+ // Coana normalizes input to uppercase and rejects unknown values, so do the
4732
+ // same here for a consistent UX and an early failure when invalid.
4733
+ const packageManagersRaw = utils.cmdFlagValueToArray(packageManagers).map(s => s.toUpperCase());
4734
+ const validatedPackageManagers = [];
4735
+ for (const pm of packageManagersRaw) {
4736
+ if (!utils.isValidPackageManager(pm)) {
4737
+ logger.logger.fail(`Invalid package manager: "${pm}". Valid values are: ${arrays.joinAnd([...utils.ALL_PACKAGE_MANAGERS])}`);
4738
+ process.exitCode = 1;
4739
+ return;
4740
+ }
4741
+ validatedPackageManagers.push(pm);
4742
+ }
4743
+
4714
4744
  // Collect ghsas early to validate --all and --id mutual exclusivity.
4715
4745
  const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
4716
4746
  const wasValidInput = utils.checkCommandInput(outputKind, {
@@ -4785,6 +4815,7 @@ async function run$K(argv, importMeta, {
4785
4815
  orgSlug,
4786
4816
  outputFile,
4787
4817
  outputKind,
4818
+ packageManagers: validatedPackageManagers,
4788
4819
  prCheck,
4789
4820
  prLimit,
4790
4821
  rangeStyle,
@@ -15613,5 +15644,5 @@ process.on('unhandledRejection', async (reason, promise) => {
15613
15644
  // eslint-disable-next-line n/no-process-exit
15614
15645
  process.exit(1);
15615
15646
  });
15616
- //# debugId=88bbd944-b943-4785-a2f1-659724fdd70f
15647
+ //# debugId=153cbd15-be5d-4aed-94ad-8f71776559da
15617
15648
  //# sourceMappingURL=cli.js.map