upgrading coana to version 15.1.0 #1289

Merged
Martin Torp (mtorp) merged 5 commits into v1.x from coana-15.1.0
Apr 29, 2026

Conversation

Martin Torp (@mtorp), Contributor, commented Apr 29, 2026

Summary

  • Upgrades @coana-tech/cli from 14.12.222 to 15.1.0

Coana Changelog

For details on what's included in this Coana release, see the Coana Changelogs.


Note: Cursor Bugbot is generating a summary for commit 3a58bc4.

socket-security Bot commented Apr 29, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                   Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@coana-tech/cli@14.12.222 ⏵ 15.1.0    96 (+1)                100            80 (+1)  98           100

socket-security-staging Bot commented Apr 29, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                   Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@coana-tech/cli@14.12.222 ⏵ 15.1.0    47                     100            80 (+1)  98           100

…ests

Coana v15 halts by default when a workspace reports no source files for
its ecosystem (15.0.6 changelog). Four e2e tests intentionally scan
fixtures with empty subprojects or filter to an ecosystem the fixture
doesn't fully populate, and these tests assert on workspace discovery,
exclusion, --cwd resolution, and ecosystem filtering — not on source-file
presence. Pass --reach-continue-on-no-source-files in those tests so
v15's strict default doesn't fail them.

socket-security-staging Bot commented Apr 29, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm @coana-tech/cli is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json, npm/@coana-tech/cli@15.1.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/@coana-tech/cli@15.1.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

After opting out of the no-source-files halt, the pypi-ecosystem test
now hits the v15 install-error halt: the CI runner's network firewall
blocks pypi.org, so the pre-install step for pypi packages fails. The
test asserts on ecosystem-filter discovery, not on successful installs,
so opt out of the install-error halt as well.

The non-dry-run `--reach-analysis-memory-limit 999999999` test actually
spawns Coana, which under v15 does more upfront work (tier1 scan
registration, legacy-mode resolution) before bailing on the bad memory
limit. The default 30s cmdit timeout is too tight on slower CI runners;
bump to 60s.

@mtorp Martin Torp (mtorp) merged commit 471b7aa into v1.x Apr 29, 2026
12 checks passed
@mtorp Martin Torp (mtorp) deleted the coana-15.1.0 branch April 29, 2026 11:11