From c0e40f3815e8b3d9c75e62fe73cb5d9d00a7b7d9 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Sun, 21 Sep 2025 20:09:02 +0200
Subject: [PATCH 1/2] use --no-apply-fixes instead of --dont-apply-fixes for consistency with other flags
---
 src/commands/fix/cmd-fix.mts | 21 +++++++++++++++------
 src/commands/fix/cmd-fix.test.mts | 2 +-
 src/commands/fix/coana-fix.mts | 6 +++---
 src/commands/fix/handle-fix.mts | 8 ++++----
 src/commands/fix/types.mts | 2 +-
 5 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/src/commands/fix/cmd-fix.mts b/src/commands/fix/cmd-fix.mts
index 00637ab36..540da6dc9 100644
--- a/src/commands/fix/cmd-fix.mts
+++ b/src/commands/fix/cmd-fix.mts
@@ -52,12 +52,14 @@ const generalFlags: MeowFlags = {
 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository',
 )} for managing auto-merge for pull requests in your repository.`,
 },
- dontApplyFixes: {
+ applyFixes: {
 aliases: ['onlyCompute'],
 type: 'boolean',
- default: false,
+ default: true,
 description: 'Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.',
+ // Hidden to allow custom documenting of the negated `--no-apply-fixes` variant.
+ hidden: true,
 },
 id: {
 type: 'string',
@@ -182,7 +184,14 @@ async function run(
 ${getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME}`)}
 Options
- ${getFlagListOutput(config.flags)}
+ ${getFlagListOutput({
+ ...config.flags,
+ // Explicitly document the negated --no-apply-fixes variant.
+ noApplyFixes: {
+ ...config.flags['applyFixes'],
+ hidden: false,
+ } as MeowFlag,
+ })}
 Environment Variables (for CI/PR mode)
 CI Set to enable CI mode
@@ -208,8 +217,8 @@ async function run(
 )
 const {
+ applyFixes,
 autopilot,
- dontApplyFixes,
 glob,
 json,
 limit,
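Review bot: `aliases: ['onlyCompute']` now hangs off `applyFixes` (default `true`), so `--only-compute` sets `applyFixes` to true and means the opposite of what it meant under `dontApplyFixes` — a user asking for a compute-only run would get fixes written to disk, since the coana-fix.mts hunk only passes `FLAG_DRY_RUN` when `applyFixes` is false. The spread in the next hunk, `noApplyFixes: { ...config.flags['applyFixes'], hidden: false } as MeowFlag`, copies that alias and `default: true` into the documented `--no-apply-fixes` help entry as well, so the rendered help may inherit the inverted alias too. Either drop `aliases: ['onlyCompute']` from `applyFixes`, or declare `onlyCompute` as its own hidden boolean flag and fold it into the value handed to `handleFix` after the destructuring, e.g. `applyFixes: applyFixes && !onlyCompute`. The updated expectations in cmd-fix.test.mts do not exercise `--only-compute`, so a test for that spelling would catch the regression. `generalFlags` continues outside the hunk.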
@@ -223,7 +232,7 @@ async function run(
 unknownFlags = [],
 } = cli.flags as {
 autopilot: boolean
- dontApplyFixes: boolean
+ applyFixes: boolean
 glob: string
 limit: number
 json: boolean
@@ -292,7 +301,7 @@ async function run(
 await handleFix({
 autopilot,
- dontApplyFixes,
+ applyFixes,
 cwd,
 ghsas,
 glob,
diff --git a/src/commands/fix/cmd-fix.test.mts b/src/commands/fix/cmd-fix.test.mts
index 02fe6f832..f13e73af4 100644
--- a/src/commands/fix/cmd-fix.test.mts
+++ b/src/commands/fix/cmd-fix.test.mts
@@ -172,7 +172,6 @@ describe('socket fix', async () => {
 Options
 --autopilot Enable auto-merge for pull requests that Socket opens. See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
- --dont-apply-fixes Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
 --id Provide a list of vulnerability identifiers to compute fixes for:
 - GHSA IDs (https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids) (e.g., GHSA-xxxx-xxxx-xxxx)
 - CVE IDs (https://cve.mitre.org/cve/identifiers/) (e.g., CVE-2025-1234) - automatically converted to GHSA
@@ -181,6 +180,7 @@ describe('socket fix', async () => {
 --json Output result as json
 --limit The number of fixes to attempt at a time (default 10)
 --markdown Output result as markdown
+ --no-apply-fixes Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
 --output-file Path to store upgrades as a JSON file at this path.
 --range-style Define how dependency version ranges are updated in package.json (default 'preserve').
 Available styles:
diff --git a/src/commands/fix/coana-fix.mts b/src/commands/fix/coana-fix.mts
index 5365d3c97..b1fd574d8 100644
--- a/src/commands/fix/coana-fix.mts
+++ b/src/commands/fix/coana-fix.mts
@@ -43,9 +43,9 @@ export async function coanaFix(
 fixConfig: FixConfig,
 ): Promise> {
 const {
+ applyFixes,
 autopilot,
 cwd,
- dontApplyFixes,
 ghsas,
 glob,
 limit,
@@ -106,7 +106,7 @@ export async function coanaFix(
 if (!shouldOpenPrs) {
 // Inform user about local mode when fixes will be applied.
- if (!dontApplyFixes && ghsas.length) {
+ if (applyFixes && ghsas.length) {
 const envCheck = checkCiEnvVars()
 if (envCheck.present.length) {
 // Some CI vars are set but not all - show what's missing.
@@ -143,7 +143,7 @@ export async function coanaFix(
 ? ['--range-style', fixConfig.rangeStyle]
 : []),
 ...(glob ? ['--glob', glob] : []),
- ...(dontApplyFixes ? [FLAG_DRY_RUN] : []),
+ ...(!applyFixes ? [FLAG_DRY_RUN] : []),
 ...(outputFile ? ['--output-file', outputFile] : []),
 ...fixConfig.unknownFlags,
 ],
diff --git a/src/commands/fix/handle-fix.mts b/src/commands/fix/handle-fix.mts
index c37fb9e7e..534e180a9 100644
--- a/src/commands/fix/handle-fix.mts
+++ b/src/commands/fix/handle-fix.mts
@@ -16,7 +16,7 @@ const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/
 export type HandleFixConfig = Remap<
 FixConfig & {
- dontApplyFixes: boolean
+ applyFixes: boolean
 ghsas: string[]
 glob: string
 orgSlug: string
@@ -98,9 +98,9 @@ export async function convertIdsToGhsas(ids: string[]): Promise {
 }
 export async function handleFix({
+ applyFixes,
 autopilot,
 cwd,
- dontApplyFixes,
 ghsas,
 glob,
 limit,
@@ -121,7 +121,7 @@ export async function handleFix({
 glob,
 limit,
 minSatisfying,
- dontApplyFixes,
+ applyFixes,
 outputFile,
 outputKind,
 prCheck,
@@ -132,7 +132,7 @@ export async function handleFix({
 await outputFixResult(
 await coanaFix({
 autopilot,
- dontApplyFixes,
+ applyFixes,
 cwd,
 // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only
 ghsas: await convertIdsToGhsas(ghsas),
diff --git a/src/commands/fix/types.mts b/src/commands/fix/types.mts
index a21b7bda8..aaca8db35 100644
--- a/src/commands/fix/types.mts
+++ b/src/commands/fix/types.mts
@@ -3,7 +3,7 @@ import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 export type FixConfig = {
 autopilot: boolean
- dontApplyFixes: boolean
+ applyFixes: boolean
 cwd: string
 ghsas: string[]
 glob: string
From ce37b7e09b924b7d0bb0c7684edd5be9ab927585 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Sun, 21 Sep 2025 20:12:54 +0200
Subject: [PATCH 2/2] fix merge
---
 src/commands/fix/cmd-fix.test.mts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/commands/fix/cmd-fix.test.mts b/src/commands/fix/cmd-fix.test.mts
index 2fa046548..a1655c8cb 100644
--- a/src/commands/fix/cmd-fix.test.mts
+++ b/src/commands/fix/cmd-fix.test.mts
@@ -179,7 +179,7 @@ describe('socket fix', async () => {
 Can be provided as comma separated values or as multiple flags
 --json Output as JSON
 --limit The number of fixes to attempt at a time (default 10)
- --markdown Output as markdown
+ --markdown Output as Markdown
 --no-apply-fixes Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
 --output-file Path to store upgrades as a JSON file at this path.
 --range-style Define how dependency version ranges are updated in package.json (default 'preserve').