upgrading coana to version 15.1.0

.github/workflows/e2e-tests.yml

@@ -153,6 +153,36 @@ jobs:
       - name: Build
         run: pnpm run build
 
+      # TEMPORARY: probe the tier1-reachability-scan endpoint to capture the
+      # legacy_mode field returned by depscan for the API token's org. Only
+      # purpose is to diagnose why Coana v15 e2e tests halt as if the org were
+      # promoted out of legacy mode. Remove this step once the response has
+      # been captured in CI logs.
+      - name: Probe tier1 legacy_mode (DIAGNOSTIC - REMOVE AFTER USE)
+        if: matrix.node-version == 22
+        env:
+          SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        run: |
+          set -eu
+          auth=$(printf '%s:' "$SOCKET_CLI_API_TOKEN" | base64 -w0)
+          response=$(curl -sS -X PUT https://api.socket.dev/v0/tier1-reachability-scan \
+            -H "Authorization: Basic $auth" \
+            -H "Content-Type: application/json" \
+            -d '{"cli_options":null,"coana_cli_version":"15.1.0","socket_cli_version":"legacy-mode-probe","system_information":null}')
+          echo "Raw response:"
+          echo "$response"
+          echo "---"
+          echo "$response" | python3 -c "import json,sys
+          try:
+              d = json.load(sys.stdin)
+          except Exception as e:
+              print('response was not valid JSON:', e)
+              sys.exit(0)
+          print('response keys:', sorted(d.keys()))
+          print('legacy_mode present:', 'legacy_mode' in d)
+          print('legacy_mode value:', d.get('legacy_mode', '(absent)'))
+          print('scan_id present:', bool(d.get('tier1_reachability_scan_id')))"
+
       - name: Run e2e tests
         env:
           SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env]

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.88](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.88) - 2026-04-29
+
+### Changed
+- Updated the Coana CLI to v `15.1.0`.
+
 ## [1.1.87](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.87) - 2026-04-28
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.87",
+  "version": "1.1.88",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -97,7 +97,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "14.12.222",
+    "@coana-tech/cli": "15.1.0",
     "@cyclonedx/cdxgen": "12.1.2",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

src/commands/scan/cmd-scan-reach.e2e.test.mts

@@ -275,6 +275,11 @@ describe('socket scan reach (E2E tests)', async () => {
         '--reach-debug',
         '--no-interactive',
         '--reach-disable-analytics',
+        // The fixture has empty subprojects (the workspace root and
+        // packages/package-a contain no source files), which Coana v15 halts
+        // on by default. The test exercises multi-workspace discovery, not
+        // strict source-file presence, so opt out of the halt.
+        '--reach-continue-on-no-source-files',
       ],
       'should run reachability analysis on workspace mono project',
       async cmd => {
@@ -434,6 +439,10 @@ describe('socket scan reach (E2E tests)', async () => {
         '--reach-disable-analytics',
         '--reach-exclude-paths',
         'packages/package-b',
+        // Excluding package-b leaves only empty subprojects, which Coana v15
+        // halts on by default. The test asserts on the exclusion behavior,
+        // not source-file presence.
+        '--reach-continue-on-no-source-files',
       ],
       'should run reachability analysis with excluded paths',
       async cmd => {
@@ -637,6 +646,10 @@ describe('socket scan reach (E2E tests)', async () => {
         '--reach-debug',
         '--no-interactive',
         '--reach-disable-analytics',
+        // Same fixture as the workspace mono tests: root and package-a have
+        // no source files, which Coana v15 halts on by default. The test
+        // exercises --cwd resolution, not source-file presence.
+        '--reach-continue-on-no-source-files',
       ],
       'should use --cwd to set the working directory',
       async cmd => {
@@ -955,6 +968,16 @@ describe('socket scan reach (E2E tests)', async () => {
         '--reach-ecosystems',
         'pypi',
         '--reach-disable-analytics',
+        // Filtering to pypi on this mixed mono project leaves the npm
+        // subproject with no source files for the requested ecosystem, which
+        // Coana v15 halts on by default. The test asserts on the ecosystem
+        // filter, not source-file presence.
+        '--reach-continue-on-no-source-files',
+        // The CI runner's network firewall blocks pypi.org, so the pypi
+        // pre-install step fails. Coana v15 halts on install errors by
+        // default; this test asserts on ecosystem-filter discovery, not
+        // successful installation.
+        '--reach-continue-on-install-errors',
       ],
       'should only analyze pypi ecosystem when --reach-ecosystems pypi is specified',
       async cmd => {

src/commands/scan/cmd-scan-reach.test.mts

@@ -1070,6 +1070,11 @@ describe('socket scan reach', async () => {
         const output = stdout + stderr
         expect(output.length).toBeGreaterThan(0)
       },
+      // Non-dry-run invocation actually starts Coana, which under v15
+      // performs more upfront work (tier1 scan registration, legacy-mode
+      // resolution) before failing on the bad memory limit. The default
+      // 30s cmdit timeout is too tight for that path on slower CI runners.
+      { timeout: 60_000 },
     )
 
     cmdit(