npm - socket - Versions diffs - 1.1.89 → 1.1.91 - Mend

socket 1.1.89 → 1.1.91

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/CHANGELOG.md +13 -0
package/dist/cli.js +33 -8
package/dist/cli.js.map +1 -1
package/dist/constants.js +4 -4
package/dist/constants.js.map +1 -1
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/commands/fix/cmd-fix.d.mts.map +1 -1
package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
package/dist/types/commands/fix/handle-fix.d.mts +1 -1
package/dist/types/commands/fix/handle-fix.d.mts.map +1 -1
package/dist/types/commands/fix/types.d.mts +1 -0
package/dist/types/commands/fix/types.d.mts.map +1 -1
package/dist/types/commands/scan/reachability-flags.d.mts.map +1 -1
package/dist/types/utils/glob.d.mts.map +1 -1
package/dist/types/utils/package-manager.d.mts +12 -0
package/dist/types/utils/package-manager.d.mts.map +1 -0
package/dist/utils.js +32 -2
package/dist/utils.js.map +1 -1
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.91](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.91) - 2026-05-01
+### Added
+- New `socket scan create` and `socket scan reach` flags let you keep reachability analysis going when it would otherwise halt: `--reach-continue-on-analysis-errors`, `--reach-continue-on-install-errors`, `--reach-continue-on-missing-lock-files`, and `--reach-continue-on-no-source-files`. Each falls back to precomputed (Tier 2) results so you still get a scan when individual workspaces hit timeouts, install failures, missing lock files, or empty source trees.
+## [1.1.90](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.90) - 2026-04-30
+### Added
+- `socket fix` now accepts a `--package-managers` flag to narrow fix computation to specific package managers within an ecosystem (e.g. only PNPM in a monorepo that mixes pnpm/yarn/npm). Accepts space- or comma-separated values and is case-insensitive. When combined with `--ecosystems`, both filters must match.
+### Changed
+- Updated the Coana CLI to v `15.2.0`.
 ## [1.1.89](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.89) - 2026-04-30
 ### Fixed

package/dist/cli.js CHANGED Viewed

@@ -3772,13 +3772,14 @@ async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
     ecosystems,
+    packageManagers,
     silence = false,
     spinner
   } = {
     __proto__: null,
     ...options
   };
-  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : [])], orgSlug, {
+  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash, ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers?.length ? ['--package-managers', ...packageManagers] : [])], orgSlug, {
     cwd,
     spinner: silence ? undefined : spinner,
     coanaVersion: options?.coanaVersion
@@ -3813,6 +3814,7 @@ async function coanaFix(fixConfig) {
     minimumReleaseAge,
     orgSlug,
     outputFile,
+    packageManagers,
     prLimit,
     showAffectedDirectDependencies,
     silence,
@@ -3905,6 +3907,7 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      packageManagers,
       silence,
       spinner
     }) : ghsas;
@@ -3925,7 +3928,7 @@ async function coanaFix(fixConfig) {
     const tmpDir = os.tmpdir();
     const tmpFile = path.join(tmpDir, `socket-fix-${Date.now()}.json`);
     try {
-      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+      const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ...ids, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(!applyFixes ? [constants.FLAG_DRY_RUN] : []), '--output-file', tmpFile, ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], fixConfig.orgSlug, {
         coanaVersion,
         cwd,
         spinner: silence ? undefined : spinner,
@@ -3993,6 +3996,7 @@ async function coanaFix(fixConfig) {
       coanaVersion,
       cwd,
       ecosystems,
+      packageManagers,
       silence,
       spinner
     }) : ghsas).slice(0, adjustedPrLimit);
@@ -4036,7 +4040,7 @@ async function coanaFix(fixConfig) {
     // Apply fix for single GHSA ID.
     // eslint-disable-next-line no-await-in-loop
-    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
+    const fixCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, '--apply-fixes-to', ghsaId, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(minimumReleaseAge ? ['--minimum-release-age', minimumReleaseAge] : []), ...(include.length ? ['--include', ...include] : []), ...(exclude.length ? ['--exclude', ...exclude] : []), ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []), ...(packageManagers.length ? ['--package-managers', ...packageManagers] : []), ...(debug ? ['--debug'] : []), ...(disableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(disableMajorUpdates ? ['--disable-major-updates'] : []), ...(showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), '--output-file', tmpFile, ...fixConfig.unknownFlags], fixConfig.orgSlug, {
       coanaVersion,
       cwd,
       spinner: silence ? undefined : spinner,
@@ -4384,6 +4388,7 @@ async function handleFix({
   orgSlug,
   outputFile,
   outputKind,
+  packageManagers,
   prCheck,
   prLimit,
   rangeStyle,
@@ -4410,6 +4415,7 @@ async function handleFix({
     minimumReleaseAge,
     outputFile,
     outputKind,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -4437,6 +4443,7 @@ async function handleFix({
     minSatisfying,
     orgSlug,
     outputFile,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -4553,6 +4560,12 @@ Available styles:
     description: 'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
     isMultiple: true
   },
+  packageManagers: {
+    type: 'string',
+    default: [],
+    description: 'Limit fix analysis to specific package managers within an ecosystem (e.g. NPM, PNPM, YARN, MAVEN, POETRY). Accepts space- or comma-separated values and is case-insensitive. When combined with --ecosystems, an artifact must satisfy both filters.',
+    isMultiple: true
+  },
   showAffectedDirectDependencies: {
     type: 'boolean',
     default: false,
@@ -4684,6 +4697,7 @@ async function run$K(argv, importMeta, {
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -4713,6 +4727,20 @@ async function run$K(argv, importMeta, {
     validatedEcosystems.push(ecosystem);
   }
+  // Process and validate package manager values early, before dry-run check.
+  // Coana normalizes input to uppercase and rejects unknown values, so do the
+  // same here for a consistent UX and an early failure when invalid.
+  const packageManagersRaw = utils.cmdFlagValueToArray(packageManagers).map(s => s.toUpperCase());
+  const validatedPackageManagers = [];
+  for (const pm of packageManagersRaw) {
+    if (!utils.isValidPackageManager(pm)) {
+      logger.logger.fail(`Invalid package manager: "${pm}". Valid values are: ${arrays.joinAnd([...utils.ALL_PACKAGE_MANAGERS])}`);
+      process.exitCode = 1;
+      return;
+    }
+    validatedPackageManagers.push(pm);
+  }
   // Collect ghsas early to validate --all and --id mutual exclusivity.
   const ghsas = arrays.arrayUnique([...utils.cmdFlagValueToArray(cli.flags['id']), ...utils.cmdFlagValueToArray(cli.flags['ghsa']), ...utils.cmdFlagValueToArray(cli.flags['purl'])]);
   const wasValidInput = utils.checkCommandInput(outputKind, {
@@ -4787,6 +4815,7 @@ async function run$K(argv, importMeta, {
     orgSlug,
     outputFile,
     outputKind,
+    packageManagers: validatedPackageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -11033,25 +11062,21 @@ const reachabilityFlags = {
   reachContinueOnAnalysisErrors: {
     type: 'boolean',
     default: false,
-    hidden: true,
     description: 'Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.'
   },
   reachContinueOnInstallErrors: {
     type: 'boolean',
     default: false,
-    hidden: true,
     description: 'Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.'
   },
   reachContinueOnMissingLockFiles: {
     type: 'boolean',
     default: false,
-    hidden: true,
     description: 'Continue reachability analysis when a Gradle or SBT project is missing its lock file (or version catalog / pre-generated SBOM). By default, the CLI halts.'
   },
   reachContinueOnNoSourceFiles: {
     type: 'boolean',
     default: false,
-    hidden: true,
     description: 'Continue reachability analysis when a workspace contains no source files for its ecosystem. By default, the CLI halts.'
   },
   reachDisableExternalToolChecks: {
@@ -15615,5 +15640,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=6e6c11a1-66cb-495b-a9aa-426b4995d18c
+//# debugId=b896b0a3-35bb-4e49-a314-5769e9e8152f
 //# sourceMappingURL=cli.js.map