12 changes: 11 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,7 +4,17 @@ All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

## [1.1.41](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.40) - 2025-12-02
## [1.1.42](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.42) - 2025-12-04

### Added
- Added `--ecosystems` flag to `socket fix`.

### Changed
- Updated the Coana CLI to v `14.12.113`.
- Rename `--limit` flag to `--pr-limit` for `socket fix`, but keep old flag as an alias. Note: `--pr-limit` has no effect in local mode, use `--id` options instead.
- Process all vulnerabilities with `socket fix` when no `--id` options are provided.

## [1.1.41](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.41) - 2025-12-02

### Added
- Added `--reach-version` flag to `socket scan create` and `socket scan reach` to override the @coana-tech/cli version used for reachability analysis.
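Review bot: the 1.1.42 "Changed" entries are inconsistent with the rest of the file: `Updated the Coana CLI to v \`14.12.113\`` puts the `v` outside the code span (the 1.1.41 block and package.json use the bare `14.12.113`), and `Rename ...` / `Process ...` are imperative while the neighbouring entries are past tense (`Added`, `Updated`). Suggest `Updated the Coana CLI to \`14.12.113\``, `Renamed \`--limit\` to \`--pr-limit\` ...` and `\`socket fix\` now processes all vulnerabilities when no \`--id\` options are provided`. Worth stating the combined effect explicitly as well: with `--pr-limit` having no effect in local mode and all vulnerabilities now processed by default, a local run without `--id` has no cap at all, which is a behaviour change users should see called out in its own sentence. The corrected tag link on the 1.1.41 heading (v1.1.40 to v1.1.41) is a good catch.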
4 changes: 2 additions & 2 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "socket",
"version": "1.1.41",
"version": "1.1.42",
"description": "CLI for Socket.dev",
"homepage": "https://github.com/SocketDev/socket-cli",
"license": "MIT AND OFL-1.1",
Expand Down Expand Up @@ -94,7 +94,7 @@
"@babel/preset-typescript": "7.27.1",
"@babel/runtime": "7.28.4",
"@biomejs/biome": "2.2.4",
"@coana-tech/cli": "14.12.110",
"@coana-tech/cli": "14.12.113",
"@cyclonedx/cdxgen": "11.11.0",
"@dotenvx/dotenvx": "1.49.0",
"@eslint/compat": "1.3.2",
10 changes: 5 additions & 5 deletions pnpm-lock.yaml
Some generated files are not rendered by default.
139 changes: 115 additions & 24 deletions src/commands/fix/cmd-fix.integration.test.mts
Expand Up @@ -166,6 +166,7 @@ describe('socket fix', async () => {
Options
--autopilot Enable auto-merge for pull requests that Socket opens.
See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
--ecosystems Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.
--exclude Exclude workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags
--fix-version Override the version of @coana-tech/cli used for fix analysis. Default: <coana-version>.
--id Provide a list of vulnerability identifiers to compute fixes for:
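Review bot: the added `--ecosystems` help line says the flag defaults to all ecosystems but never names the accepted values, while the new integration test in this PR expects an `Invalid ecosystem` error for unrecognised input. Suggest listing the valid ecosystem names in the help text, the way `--range-style` does with its "Available styles:" list, so users can discover the accepted values without having to trigger the error.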
Expand All @@ -175,12 +176,12 @@ describe('socket fix', async () => {
Can be provided as comma separated values or as multiple flags
--include Include workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags
--json Output as JSON
--limit The number of fixes to attempt at a time (default 10)
--markdown Output as Markdown
--minimum-release-age Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.
--no-apply-fixes Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
--no-major-updates Do not suggest or apply fixes that require major version updates of direct or transitive dependencies
--output-file Path to store upgrades as a JSON file at this path.
--pr-limit Maximum number of pull requests to create in CI mode (default 10). Has no effect in local mode.
--range-style Define how dependency version ranges are updated in package.json (default 'preserve').
Available styles:
* pin - Use the exact version (e.g. 1.2.3)
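Review bot: the new `--pr-limit` line says "Has no effect in local mode" but does not say what governs a local run instead; the CHANGELOG entry for this release tells users to use `--id`, so the help should say the same, e.g. `Has no effect in local mode; use --id to choose which vulnerabilities to fix.` Dropping `--limit` from the help is consistent with keeping it only as a hidden alias, but the `(default 10)` on `--pr-limit` should then also note that the default only applies in CI mode, since locally there is no limit at all.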
Expand Down Expand Up @@ -921,17 +922,17 @@ describe('socket fix', async () => {
)
})

describe('--limit flag behavior', () => {
describe('--pr-limit flag behavior', () => {
cmdit(
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'0',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit with value 0',
'should accept --pr-limit with value 0',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -943,12 +944,12 @@ describe('socket fix', async () => {
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'1',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit with value 1',
'should accept --pr-limit with value 1',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -960,12 +961,12 @@ describe('socket fix', async () => {
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'100',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit with large value',
'should accept --pr-limit with large value',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -975,7 +976,7 @@ describe('socket fix', async () => {

cmdit(
['fix', FLAG_DRY_RUN, FLAG_CONFIG, '{"apiToken":"fakeToken"}'],
'should use default limit of 10 when --limit is not specified',
'should use default pr-limit of 10 when --pr-limit is not specified',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -984,8 +985,8 @@ describe('socket fix', async () => {
)

cmdit(
['fix', '--limit', '0', FLAG_CONFIG, '{"apiToken":"fake-token"}'],
'should handle --limit 0 in non-dry-run mode',
['fix', '--pr-limit', '0', FLAG_CONFIG, '{"apiToken":"fake-token"}'],
'should handle --pr-limit 0 in non-dry-run mode',
async cmd => {
const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
const output = stdout + stderr
Expand All @@ -995,6 +996,96 @@ describe('socket fix', async () => {
expect(code, 'should exit with non-zero code').not.toBe(0)
},
)

cmdit(
[
'fix',
FLAG_DRY_RUN,
'--limit',
'5',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit as hidden alias for --pr-limit',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
expect(code, 'should exit with code 0').toBe(0)
},
)
})

describe('--ecosystems flag behavior', () => {
cmdit(
[
'fix',
FLAG_DRY_RUN,
'--ecosystems',
'npm',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --ecosystems with single ecosystem',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
expect(code, 'should exit with code 0').toBe(0)
},
)

cmdit(
[
'fix',
FLAG_DRY_RUN,
'--ecosystems',
'npm,pypi',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --ecosystems with comma-separated values',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
expect(code, 'should exit with code 0').toBe(0)
},
)

cmdit(
[
'fix',
FLAG_DRY_RUN,
'--ecosystems',
'npm',
'--ecosystems',
'pypi',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept multiple --ecosystems flags',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
expect(code, 'should exit with code 0').toBe(0)
},
)

cmdit(
[
'fix',
FLAG_DRY_RUN,
'--ecosystems',
'invalid-ecosystem',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should fail with invalid ecosystem value',
async cmd => {
const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
const output = stdout + stderr
expect(output).toContain('Invalid ecosystem')
expect(code, 'should exit with non-zero code').not.toBe(0)
},
)
})

describe('--id flag behavior', () => {
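Review bot: every positive `--ecosystems` case and the `--limit` alias case here asserts only `[DryRun]: Not saving` and exit code 0, which proves the parser accepts the flag but not that the value reaches the fix logic: the `npm`, `npm,pypi` and repeated-flag tests would all pass even if the option were silently ignored, and the alias test would pass even if `--limit` no longer mapped onto `--pr-limit`. Suggest at least one assertion on the parsed result in the dry-run path (whatever the command reports for its resolved options), plus a case that passes both `--limit` and `--pr-limit` so the precedence between alias and canonical flag is pinned. The `invalid-ecosystem` test is the only one with a real behavioural check; since it matches `Invalid ecosystem` by substring, consider also covering an empty value (`--ecosystems ''`) and a trailing comma (`npm,`), which are the inputs most likely to slip past comma-splitting.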
Expand Down Expand Up @@ -1086,19 +1177,19 @@ describe('socket fix', async () => {
)
})

describe('--limit and --id combination', () => {
describe('--pr-limit and --id combination', () => {
cmdit(
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'1',
FLAG_ID,
'GHSA-1234-5678-9abc',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept both --limit and --id flags together',
'should accept both --pr-limit and --id flags together',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -1110,14 +1201,14 @@ describe('socket fix', async () => {
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'5',
FLAG_ID,
'GHSA-1234-5678-9abc,CVE-2021-12345,pkg:npm/[email protected]',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit with multiple vulnerability IDs',
'should accept --pr-limit with multiple vulnerability IDs',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -1129,15 +1220,15 @@ describe('socket fix', async () => {
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'1',
FLAG_ID,
'GHSA-1234-5678-9abc',
'--autopilot',
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit, --id, and --autopilot together',
'should accept --pr-limit, --id, and --autopilot together',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -1148,14 +1239,14 @@ describe('socket fix', async () => {
cmdit(
[
'fix',
'--limit',
'--pr-limit',
'2',
FLAG_ID,
'GHSA-1234-5678-9abc,GHSA-abcd-efgh-ijkl',
FLAG_CONFIG,
'{"apiToken":"fake-token"}',
],
'should handle --limit and --id in non-dry-run mode',
'should handle --pr-limit and --id in non-dry-run mode',
async cmd => {
const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
const output = stdout + stderr
Expand All @@ -1170,15 +1261,15 @@ describe('socket fix', async () => {
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'3',
FLAG_ID,
'GHSA-1234-5678-9abc',
FLAG_JSON,
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit, --id, and --json output format together',
'should accept --pr-limit, --id, and --json output format together',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
Expand All @@ -1190,15 +1281,15 @@ describe('socket fix', async () => {
[
'fix',
FLAG_DRY_RUN,
'--limit',
'--pr-limit',
'10',
FLAG_ID,
'CVE-2021-12345',
FLAG_MARKDOWN,
FLAG_CONFIG,
'{"apiToken":"fakeToken"}',
],
'should accept --limit, --id, and --markdown output format together',
'should accept --pr-limit, --id, and --markdown output format together',
async cmd => {
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)