feat(fix): add --package-managers flag

Forward Coana's new --package-managers filter (coana-tech/coana-package-manager#2214) through socket fix so users can narrow fix computation to specific package managers within an ecosystem (e.g. only PNPM in a monorepo that mixes pnpm/yarn/npm).

The flag accepts comma- or space-separated values, is case-insensitive (normalized to uppercase before validation and forward), and is passed to both `find-vulnerabilities` and `compute-fixes-and-upgrade-purls`. When combined with --ecosystems, both filters must match (Coana intersects them per-artifact).

Valid values mirror Coana's getFilterablePackageManagers(): CARGO, COMPOSER, GO, GRADLE, MAVEN, NPM, NUGET, PIPENV, PIP_REQUIREMENTS, PNPM, POETRY, RUBYGEMS, RUSH, SBT, YARN.

Out of scope (matching the Coana PR): --package-managers is not added to socket scan reach / the coana run command — that command's --purl-types runs at ecosystem-level pre-install and a per-PM filter would require a larger refactor in Coana.

Author: mtorp

src/commands/fix/cmd-fix.integration.test.mts

@@ -183,6 +183,7 @@ describe('socket fix', async () => {
             --no-apply-fixes    Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
             --no-major-updates  Do not suggest or apply fixes that require major version updates of direct or transitive dependencies
             --output-file       Path to store upgrades as a JSON file at this path.
+            --package-managers  Limit fix analysis to specific package managers within an ecosystem (e.g. NPM, PNPM, YARN, MAVEN, POETRY). Accepts space- or comma-separated values and is case-insensitive. When combined with --ecosystems, an artifact must satisfy both filters.
             --pr-limit          Maximum number of pull requests to create in CI mode (default 10). Has no effect in local mode.
             --range-style       Define how dependency version ranges are updated in package.json (default 'preserve').
                                 Available styles:
@@ -1127,6 +1128,98 @@ describe('socket fix', async () => {
     )
   })
 
+  describe('--package-managers flag behavior', () => {
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--package-managers',
+        'NPM',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should accept --package-managers with single value',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--package-managers',
+        'npm,pnpm',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should accept --package-managers comma-separated case-insensitive',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--package-managers',
+        'NPM',
+        '--package-managers',
+        'PNPM',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should accept multiple --package-managers flags',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--package-managers',
+        'FOO',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should fail with invalid --package-managers value',
+      async cmd => {
+        const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
+        const output = stdout + stderr
+        expect(output).toContain('Invalid package manager')
+        expect(code, 'should exit with non-zero code').not.toBe(0)
+      },
+    )
+
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--ecosystems',
+        'npm',
+        '--package-managers',
+        'PNPM',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should accept --ecosystems combined with --package-managers',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+  })
+
   describe('--all flag behavior', () => {
     cmdit(
       ['fix', FLAG_DRY_RUN, '--all', FLAG_CONFIG, '{"apiToken":"fakeToken"}'],

src/commands/fix/cmd-fix.mts

@@ -25,6 +25,10 @@ import {
   getFlagApiRequirementsOutput,
   getFlagListOutput,
 } from '../../utils/output-formatting.mts'
+import {
+  ALL_PACKAGE_MANAGERS,
+  isValidPackageManager,
+} from '../../utils/package-manager.mts'
 import { RangeStyles } from '../../utils/semver.mts'
 import { getDefaultOrgSlug } from '../ci/fetch-default-org-slug.mts'
 
@@ -167,6 +171,13 @@ Available styles:
       'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
     isMultiple: true,
   },
+  packageManagers: {
+    type: 'string',
+    default: [],
+    description:
+      'Limit fix analysis to specific package managers within an ecosystem (e.g. NPM, PNPM, YARN, MAVEN, POETRY). Accepts space- or comma-separated values and is case-insensitive. When combined with --ecosystems, an artifact must satisfy both filters.',
+    isMultiple: true,
+  },
   showAffectedDirectDependencies: {
     type: 'boolean',
     default: false,
@@ -311,6 +322,7 @@ async function run(
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -336,6 +348,7 @@ async function run(
     minSatisfying: boolean
     minimumReleaseAge: string
     outputFile: string
+    packageManagers: string[]
     prCheck: boolean
     prLimit: number
     rangeStyle: RangeStyle
@@ -370,6 +383,24 @@ async function run(
     validatedEcosystems.push(ecosystem as PURL_Type)
   }
 
+  // Process and validate package manager values early, before dry-run check.
+  // Coana normalizes input to uppercase and rejects unknown values, so do the
+  // same here for a consistent UX and an early failure when invalid.
+  const packageManagersRaw = cmdFlagValueToArray(packageManagers).map(s =>
+    s.toUpperCase(),
+  )
+  const validatedPackageManagers: string[] = []
+  for (const pm of packageManagersRaw) {
+    if (!isValidPackageManager(pm)) {
+      logger.fail(
+        `Invalid package manager: "${pm}". Valid values are: ${joinAnd([...ALL_PACKAGE_MANAGERS])}`,
+      )
+      process.exitCode = 1
+      return
+    }
+    validatedPackageManagers.push(pm)
+  }
+
   // Collect ghsas early to validate --all and --id mutual exclusivity.
   const ghsas = arrayUnique([
     ...cmdFlagValueToArray(cli.flags['id']),
@@ -468,6 +499,7 @@ async function run(
     orgSlug,
     outputFile,
     outputKind,
+    packageManagers: validatedPackageManagers,
     prCheck,
     prLimit,
     rangeStyle,

src/commands/fix/coana-fix.mts

@@ -58,6 +58,7 @@ type DiscoverGhsaIdsOptions = {
   coanaVersion?: string | undefined
   cwd?: string | undefined
   ecosystems?: PURL_Type[] | undefined
+  packageManagers?: string[] | undefined
   silence?: boolean | undefined
   spinner?: Spinner | undefined
 }
@@ -74,6 +75,7 @@ async function discoverGhsaIds(
   const {
     cwd = process.cwd(),
     ecosystems,
+    packageManagers,
     silence = false,
     spinner,
   } = {
@@ -88,6 +90,9 @@ async function discoverGhsaIds(
       '--manifests-tar-hash',
       tarHash,
       ...(ecosystems?.length ? ['--purl-types', ...ecosystems] : []),
+      ...(packageManagers?.length
+        ? ['--package-managers', ...packageManagers]
+        : []),
     ],
     orgSlug,
     {
@@ -129,6 +134,7 @@ export async function coanaFix(
     minimumReleaseAge,
     orgSlug,
     outputFile,
+    packageManagers,
     prLimit,
     showAffectedDirectDependencies,
     silence,
@@ -250,6 +256,7 @@ export async function coanaFix(
           coanaVersion,
           cwd,
           ecosystems,
+          packageManagers,
           silence,
           spinner,
         })
@@ -284,6 +291,9 @@ export async function coanaFix(
           ...(include.length ? ['--include', ...include] : []),
           ...(exclude.length ? ['--exclude', ...exclude] : []),
           ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []),
+          ...(packageManagers.length
+            ? ['--package-managers', ...packageManagers]
+            : []),
           ...(!applyFixes ? [FLAG_DRY_RUN] : []),
           '--output-file',
           tmpFile,
@@ -381,6 +391,7 @@ export async function coanaFix(
             coanaVersion,
             cwd,
             ecosystems,
+            packageManagers,
             silence,
             spinner,
           })
@@ -442,6 +453,9 @@ export async function coanaFix(
         ...(include.length ? ['--include', ...include] : []),
         ...(exclude.length ? ['--exclude', ...exclude] : []),
         ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []),
+        ...(packageManagers.length
+          ? ['--package-managers', ...packageManagers]
+          : []),
         ...(debug ? ['--debug'] : []),
         ...(disableExternalToolChecks
           ? ['--disable-external-tool-checks']

src/commands/fix/handle-fix.mts

@@ -131,6 +131,7 @@ export async function handleFix({
   orgSlug,
   outputFile,
   outputKind,
+  packageManagers,
   prCheck,
   prLimit,
   rangeStyle,
@@ -157,6 +158,7 @@ export async function handleFix({
     minimumReleaseAge,
     outputFile,
     outputKind,
+    packageManagers,
     prCheck,
     prLimit,
     rangeStyle,
@@ -184,6 +186,7 @@ export async function handleFix({
       minSatisfying,
       orgSlug,
       outputFile,
+      packageManagers,
       prCheck,
       prLimit,
       rangeStyle,

src/commands/fix/types.mts

@@ -19,6 +19,7 @@ export type FixConfig = {
   minSatisfying: boolean
   orgSlug: string
   outputFile: string
+  packageManagers: string[]
   prCheck: boolean
   prLimit: number
   rangeStyle: RangeStyle

src/utils/package-manager.mts

@@ -0,0 +1,38 @@
+/**
+ * Package manager identifiers accepted by Coana's --package-managers filter.
+ * Used by `socket fix` to narrow fix computation to specific package managers
+ * within an ecosystem (e.g. only PNPM artifacts in a mixed pnpm/yarn/npm repo).
+ *
+ * Mirrors the list returned by Coana's `getFilterablePackageManagers()` in
+ * packages/web-compat-utils/src/package-manager-utils.ts.
+ */
+
+export const ALL_PACKAGE_MANAGERS = [
+  'CARGO',
+  'COMPOSER',
+  'GO',
+  'GRADLE',
+  'MAVEN',
+  'NPM',
+  'NUGET',
+  'PIPENV',
+  'PIP_REQUIREMENTS',
+  'PNPM',
+  'POETRY',
+  'RUBYGEMS',
+  'RUSH',
+  'SBT',
+  'YARN',
+] as const
+
+export type PackageManager = (typeof ALL_PACKAGE_MANAGERS)[number]
+
+const ALL_PACKAGE_MANAGERS_SET = new Set<string>(ALL_PACKAGE_MANAGERS)
+
+export function getPackageManagerChoicesForMeow(): string[] {
+  return [...ALL_PACKAGE_MANAGERS]
+}
+
+export function isValidPackageManager(value: string): value is PackageManager {
+  return ALL_PACKAGE_MANAGERS_SET.has(value)
+}