Unbeta license features #1085

Closed
ammkrn wants to merge 3098 commits into main from unbeta_license_features

Conversation

@ammkrn ammkrn (Contributor) commented Feb 21, 2026

License related alerts are no longer experimental


Note

Medium Risk
Touches core build/packaging, bin entrypoints, and CI publishing flows, so regressions could break installs or runtime startup despite limited direct feature logic changes.

Overview
This PR overhauls packaging/build and developer tooling: introduces shared Rollup configs (.config/rollup.*) + Babel config to bundle the TypeScript .mts sources, inline build-time process.env constants, and post-process bundles to normalize node: builtins, dedupe requires, and vendor/copy selected external packages into external/.

It repackages the npm artifact by renaming to socket (v1.1.57), adding multiple bin entrypoints (socket, socket-npm, socket-npx, socket-pnpm, socket-yarn) and new scripts for building dist/types/SEA, linting (ESLint flat config + oxlint + Biome), tests/e2e, and pre-commit hooks; legacy JS CLI/lib/ command implementations and old CI configs are removed.

CI/CD is updated with new GitHub workflows (lint/types/tests/e2e, provenance publish, auto PRs, Claude workflows), and dependency behavior is stabilized via pnpm overrides and a large set of patch files (notably for blessed/blessed-contrib, meow, tiny-updater, Rollup plugins) to improve CJS/ESM compatibility and runtime behavior in the bundled distribution.

Written by Cursor Bugbot for commit 600799b.

jdalton and others added 27 commits December 4, 2025 20:34
#967)

implicitly use `--all` if no `--id` but warn that this is deprecated in local mode
* use proper tmp directory in fix e2e tests

* rename fixture to simple-npm

* create e2e tests for the socket scan reach and socket scan reach --reach-exclude-paths commands

* e2e test --reach-ecosystems

* add requirements.txt fixture

* assert correct reachability structure in one of the e2e tests

* fix lint issues

* add reachability e2e tests to test the --cwd option and target argument

* upgrade @coana-tech/cli to v14.12.117

* fix typo

* ignore all fixtures

* upgrade coana to version 14.12.118

* increase e2e test timeout
* add flag --reach-use-only-pregenerated-sboms

* prepare for 1.1.45

* update @coana-tech/cli to 14.12.122
* update coana to v14.12.126
* fix tags
* add `--debug` option to `socket fix`
bump coana version for better logging when `pnpm install` fails during `socket fix`

* updated description for `socket fix` option `--debug`
)

* feat(telemetry): adding initial telemetry functionality to the cli

* feat(cr): cr

---------

Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>
…pper (#985)

Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>
…king alerts were found. (#986)

This is the expected behaviour based on our docs: https://docs.socket.dev/docs/socket-ci#non-zero-exit-code

Co-authored-by: Graydon Hope <graydonhope@mac.lan>
* Use @socketsecurity/socket-patch for patch command

- Replace inline patch implementation with @socketsecurity/socket-patch@1.0.0
- Use runPatch() from socket-patch/run for programmatic invocation
- Remove deleted handle-patch.mts, manifest-schema.mts, output-patch-result.mts
- Add SOCKET_PATCH_PROXY_URL environment variable support
- Forward socket-cli environment to socket-patch options

* update lockfile

---------

Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>
Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>
* feat(config): use EditableJson for non-destructive config saving

Use EditableJson for preserving existing properties and key order when
updating config values. This prevents overwriting unrelated config
properties during partial updates.

- Add standalone EditableJson implementation in src/utils/editable-json.mts
- Update config.mts to use EditableJson for config file writes
- Fix socketAppDataPath usage to include config.json filename
- Add resetConfigForTesting() helper for test isolation
- Update tests to use Node.js built-in fs functions

* fix: address PR review feedback

- Preserve JSON formatting by using editor's indent/newline symbols
- Handle deleted config keys explicitly (editor.update only merges)
- Capture config snapshot at write time, not schedule time
- Fix load method create parameter to actually create empty state

* fix: TypeScript compilation errors

- Fix symbol index type errors with type assertions
- Remove unused getDefaultFormatting function
- Add null check for match[1] in detectIndent
- Remove unused contentWithoutImport variable

* fix: ESLint errors in config and editable-json

- Fix import sort order in config.test.mts (promises as fs sorted by alias name)
- Add no-await-in-loop eslint-disable comments for retry loops in editable-json.mts
- Remove unused eslint-disable directive

* chore: remove unused imports from config.test.mts
* add --reach-lazy-mode. update coana to v138

* add missing option validation

---------

Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>
* add --silence flag to suppress non-output stdout/stderr when running socket fix

* fix silence bug. debug output to e2e reachability tests

* upgrade coana. fix formatting
…1014)

* set scanType to socket_tier1 when creating reachability full scans

* fix changelog link
* fix(glob): add dot:true to match dotfiles and dot directories

Ensures fastGlob matches files and directories starting with a dot in
gitIgnoreStream and globWorkspace functions.

* fix(glob): add dot:true to micromatch for dot directory matching

Adds { dot: true } option to micromatch.some() calls in
filterBySupportedScanFiles() and isReportSupportedFile() to ensure
patterns like **/poetry.lock match files in dot directories such as
.mcp-servers/neo4j/poetry.lock.

* style: fix linting issues
…1006)

Removes the semver-based Node version check that was filtering manifest
entries, allowing all Socket registry overrides to be applied regardless
of the Node version specified in package engines.
* fix: prevent heap overflow in large monorepo scans

Add streaming-based filtering to globWithGitIgnore to prevent heap overflow
when scanning large monorepos with 100k+ files. Instead of accumulating all
file paths and filtering afterwards, files are now filtered during streaming
which dramatically reduces memory usage.

Changes:
- Add `filter` option to globWithGitIgnore for early filtering during streaming
- Add createSupportedFilesFilter helper to create filter from supported files
- Update getPackageFilesForScan to use streaming filter
- Add comprehensive tests for the new filter functionality

Fixes SMO-522


* Update src/utils/glob.mts

Signed-off-by: John-David Dalton <jdalton@users.noreply.github.com>

---------

Signed-off-by: John-David Dalton <jdalton@users.noreply.github.com>
Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>
Update socket-patch dependency from v1.0.0 to v1.2.0, which includes:
- Progress spinner for scan command
- Improved test coverage

This update addresses reviewer feedback in depscan PR #16387 regarding
the socket-patch version mismatch.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
License related alerts are no longer experimental
@ammkrn ammkrn closed this Feb 21, 2026

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 3 potential issues.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issues.

@@ -0,0 +1 @@
* text=auto eol=lfs
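Review bot: `eol=lfs` on this line is not a value Git recognises for the `eol` attribute; `convert.c` accepts only `lf` and `crlf` and treats anything else as if `eol` were unset, so `text=auto` alone stays in effect and checkout line endings silently fall back to each clone's `core.eol`/`core.autocrlf`. Change the line to `* text=auto eol=lf` and confirm with `git check-attr eol -- <some tracked file>`, which should report `eol: lf` for the file.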

Typo eol=lfs instead of eol=lf in gitattributes

Medium Severity

The .gitattributes file sets eol=lfs, but lfs is not a valid value for the eol attribute. Git only recognizes eol=lf and eol=crlf. This likely means line-ending normalization won't work as intended, potentially causing inconsistent line endings across platforms.

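Added example (not code from socket-cli or the Bugbot output): a small `.gitattributes` linter for the mistake flagged in this comment. It generalizes beyond `eol` to the `text` attribute, whose unrecognised values Git likewise ignores without any error; the sample file content is constructed.

```javascript
// Added example, not socket-cli code. Git (convert.c) accepts only lf/crlf for
// `eol` and only `auto` as a value for `text` (bare text, -text and !text carry
// no value); any other value is silently treated as unset, so a slip such as
// eol=lfs drops the checkout override without a warning.
const KNOWN_VALUES = {
  eol: new Set(['lf', 'crlf']),
  text: new Set(['auto']),
};

// Returns one finding per unrecognised value: { line, pattern, attr, value }.
function lintGitattributes(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((rawLine, idx) => {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) return; // blank or comment line
    const [pattern, ...attrs] = line.split(/\s+/);
    for (const attr of attrs) {
      const eq = attr.indexOf('=');
      if (eq === -1) continue; // set/unset/unspecified forms have no value to check
      const name = attr.slice(0, eq);
      const value = attr.slice(eq + 1);
      const known = KNOWN_VALUES[name];
      if (known && !known.has(value)) {
        findings.push({ line: idx + 1, pattern, attr: name, value });
      }
    }
  });
  return findings;
}

// Renders findings one per line, suitable for a pre-commit hook or CI lint step.
function formatFindings(findings) {
  return findings.map(f =>
    `.gitattributes:${f.line}: "${f.pattern}" sets ${f.attr}=${f.value}, which Git ignores; ` +
    `valid values: ${[...KNOWN_VALUES[f.attr]].join(', ')}`);
}

// Constructed sample reproducing the typo from this PR alongside valid lines.
const SAMPLE = '# constructed sample\n* text=auto eol=lfs\n*.sh text eol=lf\n*.bat eol=crlf\n';
console.log(formatFindings(lintGitattributes(SAMPLE)).join('\n'));
```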

}
const newBin = {
...(tmpBin[SOCKET_CLI_BIN_NAME]
? { [SOCKET_CLI_BIN_NAME]: tmpBin.socket }

Hardcoded tmpBin.socket instead of using constant

Low Severity

In resetBin, the value for SOCKET_CLI_BIN_NAME uses tmpBin.socket (hardcoded property access) while every other entry consistently uses tmpBin[SOCKET_CLI_*_BIN_NAME] (computed property access via constants). This works only because SOCKET_CLI_BIN_NAME happens to equal 'socket', but breaks the pattern and would silently produce undefined if the constant ever changed.


`${blessedContribNmPath}/${LICENSE_MD}`,
`${blessedContribPath}/${LICENSE_MD}`,
{ dereference: true },
),

Misplaced await inside Promise.all array literal

Low Severity

The await fs.cp(...) inside the Promise.all array is eagerly awaited before Promise.all is invoked. This means fs.cp runs sequentially rather than concurrently with the copyPackage promises. More importantly, if fs.cp throws, the already-started copyPackage promises become orphaned since Promise.all is never reached, potentially causing unhandled promise rejections. Removing the inner await and passing the bare promise to Promise.all fixes both issues.

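Added example (not code from socket-cli or the Bugbot output) showing the "await inside a Promise.all array literal" pattern from this comment. `copyPackage()` and `copyLicense()` are constructed stand-ins for the copyPackage/fs.cp calls referenced above; with the `await` as the last element the copies still overlap, so the observable defect is that a failure in the awaited call leaves the already-started promises with no handler attached.

```javascript
// Added example, not socket-cli code: buggy vs. fixed Promise.all with constructed tasks.

function makeTasks(handled) {
  // TrackedPromise records, by name, every promise something subscribed to. Promise.all
  // reaches a promise whose constructor is not Promise through its `then` (via
  // Promise.resolve), so overriding `then` observes the subscription. A promise that
  // settles with nothing subscribed is an orphan: if it rejects, the rejection is unhandled.
  class TrackedPromise extends Promise {
    static get [Symbol.species]() { return Promise; } // derived promises stay plain
    then(onFulfilled, onRejected) {
      handled.add(this.name);
      return super.then(onFulfilled, onRejected);
    }
  }
  const copyPackage = name => {
    const p = new TrackedPromise(resolve => setTimeout(() => resolve(name), 10));
    p.name = name;
    return p;
  };
  const copyLicense = shouldFail => new Promise((resolve, reject) =>
    setTimeout(() => (shouldFail ? reject(new Error('EACCES')) : resolve('license')), 5));
  return { copyPackage, copyLicense };
}

// Buggy form: elements are evaluated left to right, so both package copies start, then the
// function suspends on `await copyLicense(...)`. Promise.all is called only after that
// settles; if it rejects, Promise.all never runs and the in-flight promises have no handler.
async function buggyCopyAll(t, failLicense) {
  return Promise.all([t.copyPackage('a'), t.copyPackage('b'), await t.copyLicense(failLicense)]);
}

// Fixed form: pass the bare promise. Promise.all subscribes to all three at once, so any
// failure is observed and surfaces through the single returned promise.
async function fixedCopyAll(t, failLicense) {
  return Promise.all([t.copyPackage('a'), t.copyPackage('b'), t.copyLicense(failLicense)]);
}

// Runs one variant and reports its outcome plus which package promises were orphaned.
async function runScenario(copyAll, failLicense) {
  const handled = new Set();
  const t = makeTasks(handled);
  let outcome;
  try {
    outcome = 'fulfilled: ' + (await copyAll(t, failLicense)).join(',');
  } catch (err) {
    outcome = 'rejected: ' + err.message;
  }
  await new Promise(r => setTimeout(r, 30)); // let any in-flight copies finish
  return { outcome, orphaned: ['a', 'b'].filter(n => !handled.has(n)) };
}
```

Calling `runScenario(buggyCopyAll, true)` reports both package promises as orphaned, while `runScenario(fixedCopyAll, true)` rejects with the same error but orphans nothing.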


cursor bot commented Feb 21, 2026

Bugbot Autofix prepared fixes for 1 of the 1 bugs found in the latest run.

  • ✅ Fixed: Typo eol=lfs instead of eol=lf in gitattributes
    • Changed eol=lfs to eol=lf in .gitattributes as lfs is not a valid eol value.


Or push these changes by commenting:

@cursor push 34dfc0c4cc
Preview (34dfc0c4cc)
diff --git a/.gitattributes b/.gitattributes
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1 @@
-* text=auto eol=lfs
+* text=auto eol=lf
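Review bot: the replacement value is right, but editing `.gitattributes` does not rewrite blobs already in the index, so any file previously committed with CRLF keeps those endings until it is re-added; follow this change with `git add --renormalize .` and commit the result, then check `git ls-files --eol`, which should show `i/lf` for every text file.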
