From 3a58bc480912585b79a5920c915bb538520b35cd Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Wed, 29 Apr 2026 10:03:09 +0200
Subject: [PATCH 1/5] upgrading coana to version 15.1.0
---
 CHANGELOG.md | 5 +++++
 package.json | 4 ++--
 pnpm-lock.yaml | 10 +++++-----
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aac1a18b8..e00b23047 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.88](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.88) - 2026-04-29
+
+### Changed
+- Updated the Coana CLI to v `15.1.0`.
+
 ## [1.1.87](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.87) - 2026-04-28
 ### Changed
diff --git a/package.json b/package.json
index bce8e50de..84a7c7825 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket",
- "version": "1.1.87",
+ "version": "1.1.88",
 "description": "CLI for Socket.dev",
 "homepage": "https://github.com/SocketDev/socket-cli",
 "license": "MIT AND OFL-1.1",
@@ -97,7 +97,7 @@
 "@babel/preset-typescript": "7.27.1",
 "@babel/runtime": "7.28.4",
 "@biomejs/biome": "2.2.4",
- "@coana-tech/cli": "14.12.222",
+ "@coana-tech/cli": "15.1.0",
 "@cyclonedx/cdxgen": "12.1.2",
 "@dotenvx/dotenvx": "1.49.0",
 "@eslint/compat": "1.3.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 8a73cbe4c..19fd6fead 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -128,8 +128,8 @@ importers:
 specifier: 2.2.4
 version: 2.2.4
 '@coana-tech/cli':
- specifier: 14.12.222
- version: 14.12.222
+ specifier: 15.1.0
+ version: 15.1.0
 '@cyclonedx/cdxgen':
 specifier: 12.1.2
 version: 12.1.2
@@ -749,8 +749,8 @@ packages:
 resolution: {integrity: sha512-hAs5PPKPCQ3/Nha+1fo4A4/gL85fIfxZwHPehsjCJ+BhQH2/yw6/xReuaPA/RfNQr6iz1PcD7BZcE3ctyyl3EA==}
 cpu: [x64]
- '@coana-tech/cli@14.12.222':
- resolution: {integrity: sha512-loRzorTOCuTigI5wLwZThIMHTlZfRBgnTR4FyoV/Dtfx0I61Kz+av3qpEqWIJFgLEf+kR7fbLQCsLL3Kzc01Tg==}
+ '@coana-tech/cli@15.1.0':
+ resolution: {integrity: sha512-2lKo4A3c6WXR1AjQW+8feuiR+ltDn/5Y8P32zCY92Nyp3u3ARCke9iuePAQR+YBW0DI4xCckLlf9cU/jlobTHw==}
 hasBin: true
 '@colors/colors@1.5.0':
@@ -5385,7 +5385,7 @@ snapshots:
 '@cdxgen/cdxgen-plugins-bin@2.0.2':
 optional: true
- '@coana-tech/cli@14.12.222': {}
+ '@coana-tech/cli@15.1.0': {}
 '@colors/colors@1.5.0':
 optional: true
From 3891b312f7fa6b4fa4ecdc6b83c86faa13eb89d2 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Wed, 29 Apr 2026 11:02:44 +0200
Subject: [PATCH 2/5] ci: add temporary diagnostic probe for tier1 legacy_mode
---
 .github/workflows/e2e-tests.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 099030092..13b7e7f6f 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -153,6 +153,36 @@ jobs:
 - name: Build
 run: pnpm run build
+ # TEMPORARY: probe the tier1-reachability-scan endpoint to capture the
+ # legacy_mode field returned by depscan for the API token's org. Only
+ # purpose is to diagnose why Coana v15 e2e tests halt as if the org were
+ # promoted out of legacy mode. Remove this step once the response has
+ # been captured in CI logs.
+ - name: Probe tier1 legacy_mode (DIAGNOSTIC - REMOVE AFTER USE)
+ if: matrix.node-version == 22
+ env:
+ SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ run: |
+ set -eu
+ auth=$(printf '%s:' "$SOCKET_CLI_API_TOKEN" | base64 -w0)
+ response=$(curl -sS -X PUT https://api.socket.dev/v0/tier1-reachability-scan \
+ -H "Authorization: Basic $auth" \
+ -H "Content-Type: application/json" \
+ -d '{"cli_options":null,"coana_cli_version":"15.1.0","socket_cli_version":"legacy-mode-probe","system_information":null}')
+ echo "Raw response:"
+ echo "$response"
+ echo "---"
+ echo "$response" | python3 -c "import json,sys
+ try:
+ d = json.load(sys.stdin)
+ except Exception as e:
+ print('response was not valid JSON:', e)
+ sys.exit(0)
+ print('response keys:', sorted(d.keys()))
+ print('legacy_mode present:', 'legacy_mode' in d)
+ print('legacy_mode value:', d.get('legacy_mode', '(absent)'))
+ print('scan_id present:', bool(d.get('tier1_reachability_scan_id')))"
+
 - name: Run e2e tests
 env:
 SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
From 117a85def30c3529057239d1fcc3703b6973d216 Mon Sep 17 00:00:00 2001
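Review bot: The probe writes the complete API body to the job log with `echo "$response"` (right after `echo "Raw response:"`), so whatever the endpoint returns for the token's org — scan id, org fields, or an error body — persists in CI logs well beyond the life of this temporary step, and secret masking covers the token itself, not values the server returns for it. The python3 block already prints the fields the diagnosis needs (key list, `legacy_mode`, whether a scan id is present), so the raw echo can be dropped, and the request should be bounded so a slow endpoint cannot stall the Node 22 job before the e2e step runs: `response=$(curl -sS --max-time 30 -X PUT https://api.socket.dev/v0/tier1-reachability-scan \`. The multi-line `python3 -c "..."` string lives inside a `run: |` block scalar, and its continuation lines from `try:` onward must sit at the scalar's base indentation or Python reports an unexpected indent — the flattened rendering here does not show the indentation, so this is worth confirming in the actual file. Each Node 22 run also registers a real tier1 scan with `socket_cli_version` set to `legacy-mode-probe`; the TEMPORARY comment should state that side effect so the step is removed as soon as the value has been captured. The `Run e2e tests` step that follows continues outside the hunk.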
From: Martin Torp
Date: Wed, 29 Apr 2026 11:14:56 +0200
Subject: [PATCH 3/5] test(e2e): opt out of v15 no-source-files halt for empty-subproject tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coana v15 halts by default when a workspace reports no source files for its ecosystem (15.0.6 changelog). Four e2e tests intentionally scan fixtures with empty subprojects or filter to an ecosystem the fixture doesn't fully populate, and these tests assert on workspace discovery, exclusion, --cwd resolution, and ecosystem filtering — not on source-file presence. Pass --reach-continue-on-no-source-files in those tests so v15's strict default doesn't fail them.
---
 src/commands/scan/cmd-scan-reach.e2e.test.mts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/commands/scan/cmd-scan-reach.e2e.test.mts b/src/commands/scan/cmd-scan-reach.e2e.test.mts
index 8abb519b8..e0e74b7be 100644
--- a/src/commands/scan/cmd-scan-reach.e2e.test.mts
+++ b/src/commands/scan/cmd-scan-reach.e2e.test.mts
@@ -275,6 +275,11 @@ describe('socket scan reach (E2E tests)', async () => {
 '--reach-debug',
 '--no-interactive',
 '--reach-disable-analytics',
+ // The fixture has empty subprojects (the workspace root and
+ // packages/package-a contain no source files), which Coana v15 halts
+ // on by default. The test exercises multi-workspace discovery, not
+ // strict source-file presence, so opt out of the halt.
+ '--reach-continue-on-no-source-files',
 ],
 'should run reachability analysis on workspace mono project',
 async cmd => {
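Review bot: With `--reach-continue-on-no-source-files` added here and to the three sibling tests at `@@ -434`, `@@ -637` and `@@ -955`, no e2e case is left that runs Coana v15 against an empty subproject without the opt-out, so the default halt the commit message describes is never exercised; one case on the same fixture that omits the flag and expects the halt would keep that behaviour covered. The assertions these tests make on workspace discovery live in the `async cmd => {` body, which lies outside the hunk, so whether they still hold for a run that now continues past the empty subprojects cannot be checked from here.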
@@ -434,6 +439,10 @@ describe('socket scan reach (E2E tests)', async () => {
 '--reach-disable-analytics',
 '--reach-exclude-paths',
 'packages/package-b',
+ // Excluding package-b leaves only empty subprojects, which Coana v15
+ // halts on by default. The test asserts on the exclusion behavior,
+ // not source-file presence.
+ '--reach-continue-on-no-source-files',
 ],
 'should run reachability analysis with excluded paths',
 async cmd => {
@@ -637,6 +646,10 @@ describe('socket scan reach (E2E tests)', async () => {
 '--reach-debug',
 '--no-interactive',
 '--reach-disable-analytics',
+ // Same fixture as the workspace mono tests: root and package-a have
+ // no source files, which Coana v15 halts on by default. The test
+ // exercises --cwd resolution, not source-file presence.
+ '--reach-continue-on-no-source-files',
 ],
 'should use --cwd to set the working directory',
 async cmd => {
@@ -955,6 +968,11 @@ describe('socket scan reach (E2E tests)', async () => {
 '--reach-ecosystems',
 'pypi',
 '--reach-disable-analytics',
+ // Filtering to pypi on this mixed mono project leaves the npm
+ // subproject with no source files for the requested ecosystem, which
+ // Coana v15 halts on by default. The test asserts on the ecosystem
+ // filter, not source-file presence.
+ '--reach-continue-on-no-source-files',
 ],
 'should only analyze pypi ecosystem when --reach-ecosystems pypi is specified',
 async cmd => {
From 70c7a86a5143eb130d7599a8316151ab33c20db8 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Wed, 29 Apr 2026 11:33:23 +0200
Subject: [PATCH 4/5] test(e2e): also opt out of v15 install-error halt for pypi-filter test
After opting out of the no-source-files halt, the pypi-ecosystem test now hits the v15 install-error halt: the CI runner's network firewall blocks pypi.org, so the pre-install step for pypi packages fails. The test asserts on ecosystem-filter discovery, not on successful installs, so opt out of the install-error halt as well.
---
 src/commands/scan/cmd-scan-reach.e2e.test.mts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/commands/scan/cmd-scan-reach.e2e.test.mts b/src/commands/scan/cmd-scan-reach.e2e.test.mts
index e0e74b7be..46b84ecb6 100644
--- a/src/commands/scan/cmd-scan-reach.e2e.test.mts
+++ b/src/commands/scan/cmd-scan-reach.e2e.test.mts
@@ -973,6 +973,11 @@ describe('socket scan reach (E2E tests)', async () => {
 // Coana v15 halts on by default. The test asserts on the ecosystem
 // filter, not source-file presence.
 '--reach-continue-on-no-source-files',
+ // The CI runner's network firewall blocks pypi.org, so the pypi
+ // pre-install step fails. Coana v15 halts on install errors by
+ // default; this test asserts on ecosystem-filter discovery, not
+ // successful installation.
+ '--reach-continue-on-install-errors',
 ],
 'should only analyze pypi ecosystem when --reach-ecosystems pypi is specified',
 async cmd => {
From 500d326e4c56509893c62f50c300550d3c6867a8 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Wed, 29 Apr 2026 12:18:07 +0200
Subject: [PATCH 5/5] test: bump timeout for memory-limit reach test under v15
The non-dry-run `--reach-analysis-memory-limit 999999999` test actually spawns Coana, which under v15 does more upfront work (tier1 scan registration, legacy-mode resolution) before bailing on the bad memory limit. The default 30s cmdit timeout is too tight on slower CI runners; bump to 60s.
---
 src/commands/scan/cmd-scan-reach.test.mts | 5 +++++
 1 file changed, 5 insertions(+)
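Review bot: The `--reach-continue-on-install-errors` opt-out added here is justified by a property of the CI runner (pypi.org blocked by the firewall) rather than by what the test asserts, so it will outlive that firewall rule and from then on silently hide genuine pypi install failures in the ecosystem-filter test. The comment should carry a tracked follow-up so the flag is revisited, e.g. `// TODO(ci): drop --reach-continue-on-install-errors once the runner can reach pypi.org.`, or the flag could be added only when running under CI so local runs still surface install errors. The test body that checks the ecosystem filter starts at `async cmd => {` and continues outside the hunk.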
diff --git a/src/commands/scan/cmd-scan-reach.test.mts b/src/commands/scan/cmd-scan-reach.test.mts
index 3883c9c28..52dfa78b4 100644
--- a/src/commands/scan/cmd-scan-reach.test.mts
+++ b/src/commands/scan/cmd-scan-reach.test.mts
@@ -1070,6 +1070,11 @@ describe('socket scan reach', async () => {
 const output = stdout + stderr
 expect(output.length).toBeGreaterThan(0)
 },
+ // Non-dry-run invocation actually starts Coana, which under v15
+ // performs more upfront work (tier1 scan registration, legacy-mode
+ // resolution) before failing on the bad memory limit. The default
+ // 30s cmdit timeout is too tight for that path on slower CI runners.
+ { timeout: 60_000 },
 )
 cmdit(
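Review bot: The only assertion visible in the hunk, `expect(output.length).toBeGreaterThan(0)`, accepts any output at all, so after the timeout bump a run that spawns Coana and fails for an unrelated reason passes exactly like the intended rejection of `--reach-analysis-memory-limit 999999999`. Unless assertions earlier in the `cmdit` body, which starts outside the hunk, already pin the memory-limit error, the test should match the memory-limit error text rather than only the output length. The commit message attributes the extra time to tier1 scan registration and legacy-mode resolution; if that upfront work reaches the network from this non-e2e test file, a longer timeout masks the dependency rather than removing it, and it would be worth checking whether the bad limit can be rejected before Coana is spawned.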