npm - socket - Versions diffs - 1.1.89 → 1.1.90 - Mend

socket 1.1.89 → 1.1.90

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +8 -0
package/dist/cli.js +33 -4
package/dist/cli.js.map +1 -1
package/dist/constants.js +4 -4
package/dist/constants.js.map +1 -1
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
package/dist/types/commands/fix/handle-fix.d.mts +1 -1
package/dist/types/commands/fix/handle-fix.d.mts.map +1 -1
package/dist/types/commands/fix/types.d.mts +1 -0
package/dist/types/commands/fix/types.d.mts.map +1 -1
package/dist/types/utils/package-manager.d.mts +12 -0
package/dist/types/utils/package-manager.d.mts.map +1 -0
package/dist/utils.js +18 -1
package/dist/utils.js.map +1 -1
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.90](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.90) - 2026-04-30
+### Added
+- `socket fix` now accepts a `--package-managers` flag to narrow fix computation to specific package managers within an ecosystem (e.g. only PNPM in a monorepo that mixes pnpm/yarn/npm). Accepts space- or comma-separated values and is case-insensitive. When combined with `--ecosystems`, both filters must match.
+### Changed
+- Updated the Coana CLI to v `15.2.0`.
 ## [1.1.89](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.89) - 2026-04-30
 ### Fixed

package/dist/cli.js CHANGED Viewed

@@ -3772,13 +3772,14 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
     ecosystems,
+    packageManagers,
     silence = false,
     spinner
   } = {
     __proto__: null,
     ...options
   };
-  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
+  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers?.length ? ['--package-managers', ...packageManagers] : [])], orgSlug, {
     cwd,
     spinner: silence ? undefined : spinner,
     coanaVersion: options?.coanaVersion
@@ -3813,6 +3814,7 @@ async function coanaFix(fixConfig) {
     minimumReleaseAge,
     orgSlug,
     outputFile,
+    packageManagers,
     prLimit,
     showAffectedDirectDependencies,
     silence,
@@ -3905,6 +3907,7 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      packageManagers,
       silence,
       spinner
     }) : ghsas;
@@ -3925,7 +3928,7 @@ async function coanaFix(fixConfig) {
     const tmpDir = os.tmpdir();
     const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
     try {
-      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
         coanaVersion,
         cwd,
         spinner: silence ? undefined : spinner,
@@ -3993,6 +3996,7 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      packageManagers,
       silence,
       spinner
     }) : ghsas).slice(0, adjustedPrLimit);
@@ -4036,7 +4040,7 @@ async function coanaFix(fixConfig) {
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       coanaVersion,
       cwd,
       spinner: silence ? undefined : spinner,
@@ -4384,6 +4388,7 @@ async function handleFix({
   orgSlug,
   outputFile,
   outputKind,
+  packageManagers,
   prCheck,
   prLimit,
   rangeStyle,
@@ -4410,6 +4415,7 @@ async function handleFix({
     minimumReleaseAge,
     outputFile,
     outputKind,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -4437,6 +4443,7 @@ async function handleFix({
     minSatisfying,
     orgSlug,
     outputFile,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -4553,6 +4560,12 @@ Available styles:
     description: 'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
     isMultiple: true
   },
+  packageManagers: {
+    type: 'string',
+    default: [],
+    description: 'Limit fix analysis to specific package managers within an ecosystem (e.g. NPM, PNPM, YARN, MAVEN, POETRY). Accepts space- or comma-separated values and is case-insensitive. When combined with --ecosystems, an artifact must satisfy both filters.',
+    isMultiple: true
+  },
   showAffectedDirectDependencies: {
     type: 'boolean',
     default: false,
@@ -4684,6 +4697,7 @@ async function run$K(argv, importMeta, {
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -4713,6 +4727,20 @@ async function run$K(argv, importMeta, {
     validatedEcosystems.push(ecosystem);
   }
+  // Process and validate package manager values early, before dry-run check.
+  // Coana normalizes input to uppercase and rejects unknown values, so do the
+  // same here for a consistent UX and an early failure when invalid.
+  const packageManagersRaw = utils.cmdFlagValueToArray(packageManagers).map(s => s.toUpperCase());
+  const validatedPackageManagers = [];
+  for (const pm of packageManagersRaw) {
+    if (!utils.isValidPackageManager(pm)) {
+      logger.logger.fail(`Invalid package manager: "${pm}". Valid values are: ${arrays.joinAnd([...utils.ALL_PACKAGE_MANAGERS])}`);
+      process.exitCode = 1;
+      return;
+    }
+    validatedPackageManagers.push(pm);
+  }
   // Collect ghsas early to validate --all and --id mutual exclusivity.
   const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   const wasValidInput = utils.checkCommandInput(outputKind, {
@@ -4787,6 +4815,7 @@ async function run$K(argv, importMeta, {
     orgSlug,
     outputFile,
     outputKind,
+    packageManagers: validatedPackageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -15615,5 +15644,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=6e6c11a1-66cb-495b-a9aa-426b4995d18c
+//# debugId=153cbd15-be5d-4aed-94ad-8f71776559da
 //# sourceMappingURL=cli.js.map