diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ed3737a2..2e92912d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). +## [1.1.43](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.43) - 2025-12-08 + +### Added +- Added `--all` flag to `socket fix` for explicitly processing all vulnerabilities in local mode. Cannot be used with `--id`. + +### Deprecated +- Running `socket fix` in local mode without `--all` or `--id` is deprecated. A warning is shown when neither flag is provided. In a future release, one of these flags will be required. + ## [1.1.42](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.42) - 2025-12-04 ### Added diff --git a/package.json b/package.json index 66c4b478e..92ff2377f 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "socket", - "version": "1.1.42", + "version": "1.1.43", "description": "CLI for Socket.dev", "homepage": "https://github.com/SocketDev/socket-cli", "license": "MIT AND OFL-1.1", diff --git a/src/commands/fix/cmd-fix.integration.test.mts b/src/commands/fix/cmd-fix.integration.test.mts index d9bb33bc0..c4a01b0af 100644 --- a/src/commands/fix/cmd-fix.integration.test.mts +++ b/src/commands/fix/cmd-fix.integration.test.mts @@ -164,6 +164,7 @@ describe('socket fix', async () => { - Permissions: full-scans:create and packages:list Options + --all Process all discovered vulnerabilities in local mode. Cannot be used with --id. --autopilot Enable auto-merge for pull requests that Socket opens. See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository. --ecosystems Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems. @@ -173,7 +174,7 @@ describe('socket fix', async () => { - GHSA IDs (https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids) (e.g., GHSA-xxxx-xxxx-xxxx) - CVE IDs (https://cve.mitre.org/cve/identifiers/) (e.g., CVE-2025-1234) - automatically converted to GHSA - PURLs (https://github.com/package-url/purl-spec) (e.g., pkg:npm/package@1.0.0) - automatically converted to GHSA - Can be provided as comma separated values or as multiple flags + Can be provided as comma separated values or as multiple flags. Cannot be used with --all. --include Include workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags --json Output as JSON --markdown Output as Markdown @@ -1127,6 +1128,55 @@ describe('socket fix', async () => { ) }) + describe('--all flag behavior', () => { + cmdit( + ['fix', FLAG_DRY_RUN, '--all', FLAG_CONFIG, '{"apiToken":"fakeToken"}'], + 'should accept --all flag', + async cmd => { + const { code, stdout } = await spawnSocketCli(binCliPath, cmd) + expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`) + expect(code, 'should exit with code 0').toBe(0) + }, + ) + + cmdit( + [ + 'fix', + FLAG_DRY_RUN, + '--all', + FLAG_ID, + 'GHSA-1234-5678-9abc', + FLAG_CONFIG, + '{"apiToken":"fakeToken"}', + ], + 'should fail when --all and --id are used together', + async cmd => { + const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd) + const output = stdout + stderr + expect(output).toContain('--all and --id flags cannot be used together') + expect(code, 'should exit with non-zero code').not.toBe(0) + }, + ) + + cmdit( + [ + 'fix', + FLAG_DRY_RUN, + '--all', + '--ecosystems', + 'npm', + FLAG_CONFIG, + '{"apiToken":"fakeToken"}', + ], + 'should accept --all with --ecosystems', + async cmd => { + const { code, stdout } = await spawnSocketCli(binCliPath, cmd) + expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`) + expect(code, 'should exit with code 0').toBe(0) + }, + ) + }) + describe('--id flag behavior', () => { cmdit( [ diff --git a/src/commands/fix/cmd-fix.mts b/src/commands/fix/cmd-fix.mts index e5c27a97c..6c5c448b4 100644 --- a/src/commands/fix/cmd-fix.mts +++ b/src/commands/fix/cmd-fix.mts @@ -95,6 +95,12 @@ const generalFlags: MeowFlags = { // Hidden to allow custom documenting of the negated `--no-major-updates` variant. hidden: true, }, + all: { + type: 'boolean', + default: false, + description: + 'Process all discovered vulnerabilities in local mode. Cannot be used with --id.', + }, id: { type: 'string', default: [], @@ -111,7 +117,7 @@ const generalFlags: MeowFlags = { 'PURLs', 'https://github.com/package-url/purl-spec', )} (e.g., pkg:npm/package@1.0.0) - automatically converted to GHSA - Can be provided as comma separated values or as multiple flags`, + Can be provided as comma separated values or as multiple flags. Cannot be used with --all.`, isMultiple: true, }, prLimit: { @@ -272,6 +278,7 @@ async function run( ) const { + all, applyFixes, autopilot, ecosystems, @@ -292,6 +299,7 @@ async function run( // socket-cli/patches/meow#13.2.0.patch. unknownFlags = [], } = cli.flags as { + all: boolean applyFixes: boolean autopilot: boolean ecosystems: string[] @@ -338,6 +346,13 @@ async function run( validatedEcosystems.push(ecosystem as PURL_Type) } + // Collect ghsas early to validate --all and --id mutual exclusivity. + const ghsas = arrayUnique([ + ...cmdFlagValueToArray(cli.flags['id']), + ...cmdFlagValueToArray(cli.flags['ghsa']), + ...cmdFlagValueToArray(cli.flags['purl']), + ]) + const wasValidInput = checkCommandInput( outputKind, { @@ -351,6 +366,12 @@ async function run( message: 'The json and markdown flags cannot be both set, pick one', fail: 'omit one', }, + { + nook: true, + test: !all || !ghsas.length, + message: 'The --all and --id flags cannot be used together', + fail: 'omit one', + }, ) if (!wasValidInput) { return @@ -379,16 +400,11 @@ async function run( const { spinner } = constants - const ghsas = arrayUnique([ - ...cmdFlagValueToArray(cli.flags['id']), - ...cmdFlagValueToArray(cli.flags['ghsa']), - ...cmdFlagValueToArray(cli.flags['purl']), - ]) - const includePatterns = cmdFlagValueToArray(include) const excludePatterns = cmdFlagValueToArray(exclude) await handleFix({ + all, applyFixes, autopilot, coanaVersion: fixVersion, diff --git a/src/commands/fix/coana-fix.mts b/src/commands/fix/coana-fix.mts index 2ce508de7..d5aa1145a 100644 --- a/src/commands/fix/coana-fix.mts +++ b/src/commands/fix/coana-fix.mts @@ -107,6 +107,7 @@ export async function coanaFix( fixConfig: FixConfig, ): Promise> { const { + all, applyFixes, autopilot, coanaVersion, @@ -173,11 +174,18 @@ export async function coanaFix( } } - const shouldDiscoverGhsaIds = !ghsas.length + const shouldDiscoverGhsaIds = all || !ghsas.length const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo if (!shouldOpenPrs) { + // In local mode, if neither --all nor --id is provided, show deprecation warning. + if (shouldDiscoverGhsaIds && !all) { + logger.warn( + 'Implicit --all is deprecated in local mode and will be removed in a future release. Please use --all explicitly.', + ) + } + // Inform user about local mode when fixes will be applied. if (applyFixes && ghsas.length) { const envCheck = checkCiEnvVars() diff --git a/src/commands/fix/handle-fix-limit.test.mts b/src/commands/fix/handle-fix-limit.test.mts index 0d7f732e9..ea8ed14a1 100644 --- a/src/commands/fix/handle-fix-limit.test.mts +++ b/src/commands/fix/handle-fix-limit.test.mts @@ -72,6 +72,7 @@ vi.mock('./branch-cleanup.mts', () => ({ describe('socket fix --pr-limit behavior verification', () => { const baseConfig: FixConfig = { + all: false, applyFixes: true, autopilot: false, coanaVersion: undefined, diff --git a/src/commands/fix/handle-fix.mts b/src/commands/fix/handle-fix.mts index 3bb78d5f0..376f7259a 100644 --- a/src/commands/fix/handle-fix.mts +++ b/src/commands/fix/handle-fix.mts @@ -97,6 +97,7 @@ export async function convertIdsToGhsas(ids: string[]): Promise { } export async function handleFix({ + all, applyFixes, autopilot, coanaVersion, @@ -120,6 +121,7 @@ export async function handleFix({ }: HandleFixConfig) { debugFn('notice', `Starting fix command for ${orgSlug}`) debugDir('inspect', { + all, applyFixes, autopilot, coanaVersion, @@ -142,6 +144,7 @@ export async function handleFix({ await outputFixResult( await coanaFix({ + all, applyFixes, autopilot, coanaVersion, diff --git a/src/commands/fix/types.mts b/src/commands/fix/types.mts index e1edb2430..a6128a689 100644 --- a/src/commands/fix/types.mts +++ b/src/commands/fix/types.mts @@ -3,6 +3,7 @@ import type { RangeStyle } from '../../utils/semver.mts' import type { Spinner } from '@socketsecurity/registry/lib/spinner' export type FixConfig = { + all: boolean applyFixes: boolean autopilot: boolean coanaVersion: string | undefined