feat(fix): add --package-managers flag #1292
Forward Coana's new --package-managers filter (coana-tech/coana-package-manager#2214) through socket fix so users can narrow fix computation to specific package managers within an ecosystem (e.g. only PNPM in a monorepo that mixes pnpm/yarn/npm). The flag accepts comma- or space-separated values, is case-insensitive (normalized to uppercase before validation and forward), and is passed to both `find-vulnerabilities` and `compute-fixes-and-upgrade-purls`. When combined with --ecosystems, both filters must match (Coana intersects them per-artifact). Valid values mirror Coana's getFilterablePackageManagers(): CARGO, COMPOSER, GO, GRADLE, MAVEN, NPM, NUGET, PIPENV, PIP_REQUIREMENTS, PNPM, POETRY, RUBYGEMS, RUSH, SBT, YARN. Out of scope (matching the Coana PR): --package-managers is not added to socket scan reach / the coana run command — that command's --purl-types runs at ecosystem-level pre-install and a per-PM filter would require a larger refactor in Coana.
…-managers
- Bump @coana-tech/cli from 15.1.0 to 15.2.0 (release containing the upstream --package-managers filter).
- Bump CLI version 1.1.89 → 1.1.90 with a CHANGELOG entry covering both the new flag and the Coana version bump.
- Add a real-Coana e2e fixture under test/fixtures/commands/fix/e2e-test-multipm with npm-managed lodash and pnpm-managed axios subprojects (lockfiles generated with the actual npm/pnpm tools).
- Add three e2e cases:
  - `--package-managers NPM`: only the npm-managed lodash gets upgraded; pnpm-managed axios is left untouched.
  - `--package-managers PNPM`: only the pnpm-managed axios gets upgraded; npm-managed lodash is left untouched.
  - `--package-managers <invalid>`: fails fast with the same friendly error path as the unit tests.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
The baseConfig in handle-fix-limit.test.mts is missing the new packageManagers field, which caused a TypeError ("Cannot read properties of undefined (reading 'length')") when coana-fix.mts evaluates packageManagers.length on the spread mock. Add packageManagers: [] alongside the existing array fields.
Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue.
Reviewed by Cursor Bugbot for commit 0d46020.
Bugbot caught this: the helper was exported but never imported. cmd-fix.mts spreads ALL_PACKAGE_MANAGERS directly when building the validation error message, so the helper added no value.

Summary
Forward Coana's new `--package-managers` filter (coana-tech/coana-package-manager#2214) through `socket fix` so users can narrow fix computation to specific package managers within an ecosystem (e.g. only PNPM artifacts in a monorepo that mixes pnpm/yarn/npm). Mirrors how `--ecosystems` (→ Coana `--purl-types`) is already plumbed through `cmd-fix.mts` → `handle-fix.mts` → `coana-fix.mts`.

Behavior
- `--package-managers <values...>` on `socket fix`.
- Valid values mirror Coana's `getFilterablePackageManagers()`: CARGO, COMPOSER, GO, GRADLE, MAVEN, NPM, NUGET, PIPENV, PIP_REQUIREMENTS, PNPM, POETRY, RUBYGEMS, RUSH, SBT, YARN. Invalid values fail early with a friendly error listing valid values.
- Passed to `find-vulnerabilities` (GHSA discovery in `discoverGhsaIds`) and to `compute-fixes-and-upgrade-purls` (both the local-mode call and the per-GHSA CI-loop call).
- When combined with `--ecosystems`, Coana intersects the two filters per-artifact (an artifact must satisfy both).

Files changed
- `src/utils/package-manager.mts` (new): `ALL_PACKAGE_MANAGERS` constant + `isValidPackageManager` validator.
- `src/commands/fix/cmd-fix.mts`: flag definition, validation, forwarding to `handleFix`.
- `src/commands/fix/types.mts`: `packageManagers: string[]` on `FixConfig`.
- `src/commands/fix/handle-fix.mts`: destructure + forward to `coanaFix` (and debug logging).
- `src/commands/fix/coana-fix.mts`: pass `--package-managers` to all three Coana spawn sites.
- `src/commands/fix/cmd-fix.integration.test.mts`: 5 new `cmdit` cases (single, lowercase comma-separated, multiple flags, invalid value, combined with `--ecosystems`); updated `--help` snapshot.

Out of scope
Mirrors the Coana PR's out-of-scope notes:
- Not added to `socket scan reach` / the Coana `run` command. Its `--purl-types` operates at ecosystem-level pre-install and a per-PM filter there would require a larger refactor in Coana.
- No bump of `@coana-tech/cli` here. The flag is forward-compatible — once a Coana release containing the linked PR is published, a separate version-bump PR will activate the feature for users.
- As with `--ecosystems` today, the Socket CLI just forwards the flag; all matching logic lives in Coana.

Test plan
- `tsgo` clean.
- `eslint` clean on changed files (one pre-existing import-order warning in `coana-fix.mts` is unrelated).
- `pnpm test:unit src/commands/fix/cmd-fix.integration.test.mts` passes for all `--ecosystems`, `--package-managers`, and `--help` snapshot tests (5 new tests + 4 existing ecosystem tests + help snapshot).
- End-to-end smoke against a real multi-PM project (npm-app with `axios@0.21.0` + real `package-lock.json`, pnpm-app with `lodash@4.17.20` + real `pnpm-lock.yaml`, yarn-app with `minimist@1.2.5` + real `yarn.lock`):
  - `--package-managers NPM`
  - `--package-managers PNPM`
  - `--package-managers YARN`

  The `axios` (npm) and `lodash` (pnpm) cases are mutually exclusive across the NPM/PNPM filters as expected. The `minimist` (yarn) case logs Coana's documented `Could not determine package manager from manifest files [yarn-app/package.json] — including in --package-managers results` fallthrough: Coana's per-artifact `manifestFiles` doesn't include the `yarn.lock` for that artifact, so its lockfile-based PM detection can't fire. That's a Coana-side detail (out of scope for this PR) — the Socket CLI is forwarding the flag correctly, as evidenced by the differentiated outputs across runs.

Validation:
- `socket fix --package-managers FOO` exits non-zero with `Invalid package manager: "FOO". Valid values are: CARGO, COMPOSER, GO, GRADLE, MAVEN, NPM, NUGET, PIPENV, PIP_REQUIREMENTS, PNPM, POETRY, RUBYGEMS, RUSH, SBT, and YARN.`
- Case-insensitive: `--package-managers npm,pnpm` accepted (uppercased before forward).

Follow-ups
- Bump `@coana-tech/cli` once a release containing the linked PR ships.
- Look into why `yarn.lock` isn't surfacing on the artifact's `manifestFiles` — would let YARN's filter exclude the yarn-app's vulns the same way NPM/PNPM do today.
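The flag handling the description lays out (comma/space splitting, uppercasing before validation, the allowlist check with the friendly error, forwarding next to `--purl-types`, and the per-artifact intersection with `--ecosystems` including the undetermined-package-manager fallthrough seen with the yarn-app), as an added TypeScript sketch. This is example code written for this page, not socket-cli's or Coana's implementation: the exact argv layout handed to Coana, the `Artifact` shape, the sample artifacts and `selectArtifacts` as a model of Coana's filtering are all assumptions, and `ALL_PACKAGE_MANAGERS` here only repeats the value list quoted above.

```typescript
// Illustrative re-implementation of the --package-managers flow described in the PR.
// Not socket-cli or Coana code; shapes and argv layout are assumptions.

export const ALL_PACKAGE_MANAGERS = [
  'CARGO', 'COMPOSER', 'GO', 'GRADLE', 'MAVEN', 'NPM', 'NUGET', 'PIPENV',
  'PIP_REQUIREMENTS', 'PNPM', 'POETRY', 'RUBYGEMS', 'RUSH', 'SBT', 'YARN',
] as const;
export type PackageManager = (typeof ALL_PACKAGE_MANAGERS)[number];
const VALID = new Set<string>(ALL_PACKAGE_MANAGERS);

export function isValidPackageManager(v: string): v is PackageManager {
  return VALID.has(v);
}

// "A, B, and C" with an Oxford comma, matching the error text quoted in the PR.
export function joinAnd(items: readonly string[]): string {
  if (items.length <= 1) return items.join('');
  if (items.length === 2) return `${items[0]} and ${items[1]}`;
  return `${items.slice(0, -1).join(', ')}, and ${items[items.length - 1]}`;
}

// Accepts repeated flags, comma- or space-separated values, any case.
// Returns the uppercased, de-duplicated list in first-seen order; throws on
// the first unknown value so the CLI fails before anything is spawned.
export function parsePackageManagers(raw: readonly string[]): PackageManager[] {
  const out: PackageManager[] = [];
  for (const chunk of raw) {
    for (const token of chunk.split(/[\s,]+/)) {
      if (!token) continue;
      const pm = token.toUpperCase();
      if (!isValidPackageManager(pm)) {
        throw new Error(
          `Invalid package manager: "${token}". Valid values are: ${joinAnd(ALL_PACKAGE_MANAGERS)}.`,
        );
      }
      if (!out.includes(pm)) out.push(pm);
    }
  }
  return out;
}

// Extra argv for a Coana subcommand. Assumed layout: "--flag v1 v2"; only
// filters that are actually set are forwarded, so the default is "no filter".
export function coanaFilterArgs(opts: {
  ecosystems?: readonly string[];
  packageManagers?: readonly PackageManager[];
}): string[] {
  const args: string[] = [];
  if (opts.ecosystems?.length) args.push('--purl-types', ...opts.ecosystems);
  if (opts.packageManagers?.length) args.push('--package-managers', ...opts.packageManagers);
  return args;
}

// Assumed artifact shape: purlType is the ecosystem (--ecosystems / --purl-types),
// packageManager is undefined when detection from manifest files failed.
export interface Artifact {
  name: string;
  purlType: string;
  packageManager?: PackageManager;
}

// Model of the per-artifact intersection the PR describes: an artifact must
// satisfy every filter that is set. An artifact whose package manager could
// not be determined is kept (with a warning) rather than dropped, which is the
// fallthrough the PR observed for the yarn-app.
export function selectArtifacts(
  artifacts: readonly Artifact[],
  filters: { ecosystems?: readonly string[]; packageManagers?: readonly PackageManager[] },
): { selected: Artifact[]; warnings: string[] } {
  const selected: Artifact[] = [];
  const warnings: string[] = [];
  const eco = filters.ecosystems ?? [];
  const pms = filters.packageManagers ?? [];
  for (const a of artifacts) {
    if (eco.length && !eco.includes(a.purlType)) continue;
    if (pms.length) {
      if (a.packageManager === undefined) {
        warnings.push(`could not determine package manager for ${a.name}; including it in --package-managers results`);
      } else if (!pms.includes(a.packageManager)) {
        continue;
      }
    }
    selected.push(a);
  }
  return { selected, warnings };
}

// Constructed sample mirroring the PR's multi-PM smoke test (not real scan output).
export const SAMPLE_ARTIFACTS: Artifact[] = [
  { name: 'lodash', purlType: 'npm', packageManager: 'NPM' },
  { name: 'axios', purlType: 'npm', packageManager: 'PNPM' },
  { name: 'minimist', purlType: 'npm' }, // yarn-app: lockfile not on manifestFiles
  { name: 'requests', purlType: 'pypi', packageManager: 'PIP_REQUIREMENTS' },
];

const demo = selectArtifacts(SAMPLE_ARTIFACTS, { ecosystems: ['npm'], packageManagers: parsePackageManagers(['pnpm']) });
console.log(demo.selected.map(a => a.name), demo.warnings);
```

Run with `npx tsx` (or compile with `tsc`): the demo selects `axios` and `minimist` and emits one warning, which is exactly the pattern described above where the YARN filter cannot exclude the yarn-app until Coana sees its `yarn.lock`.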
Medium Risk
Moderate risk: changes the `socket fix` CLI surface area and alters which artifacts Coana processes by forwarding a new filter flag, which could change fix coverage in mixed-package-manager repos. Logic is straightforward (validation + argument plumbing) and covered by new integration/E2E tests.

Overview
Adds a new `socket fix --package-managers` filter to restrict fix computation to specific package managers (case-insensitive, comma/space-separated), with early validation and a clear error listing allowed values.

Plumbs the validated filter through the full fix flow (`cmd-fix` → `handle-fix` → `coana-fix`) and forwards `--package-managers` to both Coana invocations used for discovery and fix computation (local and CI/PR modes). Updates help text, adds integration + E2E coverage (including a new multi-PM fixture), and bumps `@coana-tech/cli` to `15.2.0` along with the release/version metadata (`1.1.90`).