
Commit bddea88

authored
Merge branch 'v1.x' into lelia/add-workspace-support-v1x
2 parents 847f68b + 3a7ba36 commit bddea88

6 files changed

Lines changed: 236 additions & 34 deletions


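--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.68](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.68) - 2026-03-09
+
+### Changed
+- Updated the Coana CLI to v `14.12.191`.
+
+## [1.1.67](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.67) - 2026-03-06
+
+### Changed
+- Updated `@socketsecurity/socket-patch` to v2.0.0, now powered by a native Rust binary for faster patch operations
+- The `socket patch` command now directly invokes the platform-specific Rust binary instead of a Node.js wrapper
+- Enhanced `socket patch` documentation with a complete subcommand reference and quick-start guide
+
 ## [1.1.66](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.66) - 2026-03-02
 
 ### Changed
@@ -52,7 +64,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Deprecated `--reach-disable-analysis-splitting` flag (now a no-op for backwards compatibility).
 - Updated the Coana CLI to v `14.12.154`.
 
-
 ## [1.1.57](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.57) - 2026-01-10
 
 ### Changed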

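--- a/README.md
+++ b/README.md
@@ -22,6 +22,38 @@ socket --help
 
 - `socket cdxgen [command]` - Run [cdxgen](https://cyclonedx.github.io/cdxgen/#/?id=getting-started) for SBOM generation
 
+- `socket patch <command>` - Apply, manage, and rollback Socket security patches for vulnerable dependencies
+
+### Patch subcommands
+
+| Command | Description |
+|---------|-------------|
+| `socket patch scan` | Scan installed packages for available security patches |
+| `socket patch get <uuid> --org <slug>` | Download a patch by UUID and store it locally |
+| `socket patch apply` | Apply downloaded patches to `node_modules` |
+| `socket patch rollback [purl\|uuid]` | Rollback patches and restore original files |
+| `socket patch list [--json]` | List all patches in the local manifest |
+| `socket patch remove <purl\|uuid>` | Remove a patch from the manifest (rolls back by default) |
+| `socket patch setup [--yes]` | Add `socket patch apply` to `postinstall` scripts |
+| `socket patch repair` | Download missing blobs and clean up unused blobs |
+
+**Quick start:**
+
+```bash
+# Scan for available patches, download, and apply.
+socket patch scan
+socket patch apply
+
+# Or download a specific patch by UUID.
+socket patch get <uuid> --org <org-slug>
+socket patch apply
+
+# Add to postinstall so patches reapply on npm install.
+socket patch setup --yes
+```
+
+Free patches work without authentication. For paid patches, set `SOCKET_CLI_API_TOKEN` and `SOCKET_CLI_ORG_SLUG`.
+
 ## Aliases
 
 All aliases support the flags and arguments of the commands they alias.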

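--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket",
-"version": "1.1.66",
+"version": "1.1.68",
 "description": "CLI for Socket.dev",
 "homepage": "https://github.com/SocketDev/socket-cli",
 "license": "MIT AND OFL-1.1",
@@ -86,6 +86,9 @@
 "update:deps": "taze",
 "update:socket": "pnpm update '@socketsecurity/*' '@socketregistry/*' --latest"
 },
+"dependencies": {
+"@socketsecurity/socket-patch": "2.0.0"
+},
 "devDependencies": {
 "@babel/core": "7.28.4",
 "@babel/plugin-proposal-export-default-from": "7.27.1",
@@ -94,7 +97,7 @@
 "@babel/preset-typescript": "7.27.1",
 "@babel/runtime": "7.28.4",
 "@biomejs/biome": "2.2.4",
-"@coana-tech/cli": "14.12.189",
+"@coana-tech/cli": "14.12.191",
 "@cyclonedx/cdxgen": "11.11.0",
 "@dotenvx/dotenvx": "1.49.0",
 "@eslint/compat": "1.3.2",
@@ -123,7 +126,6 @@
 "@socketsecurity/config": "3.0.1",
 "@socketsecurity/registry": "1.1.17",
 "@socketsecurity/sdk": "1.4.96",
-"@socketsecurity/socket-patch": "1.2.0",
 "@types/blessed": "0.1.25",
 "@types/cmd-shim": "5.0.2",
 "@types/js-yaml": "4.0.9",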

pnpm-lock.yaml

Lines changed: 103 additions & 12 deletions

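--- a/src/commands/patch/cmd-patch.mts
+++ b/src/commands/patch/cmd-patch.mts
@@ -1,12 +1,15 @@
-import { runPatch } from '@socketsecurity/socket-patch/run'
+import { spawnSync } from 'node:child_process'
+import { existsSync } from 'node:fs'
+import path from 'node:path'
 
 import constants from '../../constants.mts'
 
 import type { CliCommandContext } from '../../utils/meow-with-subcommands.mts'
 
 export const CMD_NAME = 'patch'
 
-const description = 'Manage CVE patches for dependencies'
+const description =
+'Apply, manage, and rollback Socket security patches for vulnerable dependencies'
 
 const hidden = false
 
@@ -16,42 +19,80 @@ export const cmdPatch = {
 run,
 }
 
+// Resolve the path to the socket-patch binary.
+// The @socketsecurity/socket-patch package registers a bin entry that pnpm
+// links into node_modules/.bin/socket-patch. This launcher script finds and
+// executes the platform-specific Rust binary from the optionalDependencies.
+function resolveSocketPatchBin(): string {
+// Walk up from this file (or dist/) to find the closest node_modules/.bin.
+let dir = __dirname
+for (let i = 0; i < 10; i += 1) {
+const candidate = path.join(dir, 'node_modules', '.bin', 'socket-patch')
+if (existsSync(candidate)) {
+return candidate
+}
+const parent = path.dirname(dir)
+if (parent === dir) {
+break
+}
+dir = parent
+}
+// Fallback: assume socket-patch is on PATH.
+return 'socket-patch'
+}
+
 async function run(
 argv: string[] | readonly string[],
 _importMeta: ImportMeta,
 _context: CliCommandContext,
 ): Promise<void> {
 const { ENV } = constants
 
-// Map socket-cli environment to socket-patch options.
-// Only include properties with defined values (exactOptionalPropertyTypes).
-const options: Parameters<typeof runPatch>[1] = {}
+// Build environment variables for the socket-patch binary.
+const spawnEnv: Record<string, string | undefined> = {
+...process.env,
+}
 
+// Map socket-cli environment to socket-patch environment variables.
 // Strip /v0/ suffix from API URL if present.
 const apiUrl = ENV.SOCKET_CLI_API_BASE_URL?.replace(/\/v0\/?$/, '')
 if (apiUrl) {
-options.apiUrl = apiUrl
+spawnEnv['SOCKET_API_URL'] = apiUrl
 }
 if (ENV.SOCKET_CLI_API_TOKEN) {
-options.apiToken = ENV.SOCKET_CLI_API_TOKEN
+spawnEnv['SOCKET_API_TOKEN'] = ENV.SOCKET_CLI_API_TOKEN
 }
 if (ENV.SOCKET_CLI_ORG_SLUG) {
-options.orgSlug = ENV.SOCKET_CLI_ORG_SLUG
+spawnEnv['SOCKET_ORG_SLUG'] = ENV.SOCKET_CLI_ORG_SLUG
 }
 if (ENV.SOCKET_PATCH_PROXY_URL) {
-options.patchProxyUrl = ENV.SOCKET_PATCH_PROXY_URL
+spawnEnv['SOCKET_PATCH_PROXY_URL'] = ENV.SOCKET_PATCH_PROXY_URL
 }
 if (ENV.SOCKET_CLI_API_PROXY) {
-options.httpProxy = ENV.SOCKET_CLI_API_PROXY
+spawnEnv['HTTPS_PROXY'] = ENV.SOCKET_CLI_API_PROXY
 }
 if (ENV.SOCKET_CLI_DEBUG) {
-options.debug = ENV.SOCKET_CLI_DEBUG
+spawnEnv['SOCKET_PATCH_DEBUG'] = '1'
 }
 
-// Forward all arguments to socket-patch.
-const exitCode = await runPatch([...argv], options)
+// Resolve and spawn the socket-patch Rust binary.
+// On Windows, node_modules/.bin shims are .cmd scripts that require shell.
+const binPath = resolveSocketPatchBin()
+const result = spawnSync(binPath, [...argv], {
+stdio: 'inherit',
+env: spawnEnv,
+shell: constants.WIN32,
+})
 
-if (exitCode !== 0) {
-process.exitCode = exitCode
+if (result.error) {
+throw result.error
+}
+// Propagate signal if the child was killed (e.g. SIGTERM, SIGINT).
+if (result.signal) {
+process.kill(process.pid, result.signal)
+return
+}
+if (result.status !== null && result.status !== 0) {
+process.exitCode = result.status
 }
 }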
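Review bot: The fallback `return 'socket-patch'` at the end of `resolveSocketPatchBin` turns a missing or mis-installed dependency into a PATH lookup, so when the walk-up fails the CLI runs whatever executable named `socket-patch` happens to be found first (and with `shell: constants.WIN32` that search also includes cmd.exe's current-directory semantics) instead of the package this commit just moved into `dependencies`; it would be safer to fail loudly here, e.g. `throw new Error('socket-patch binary not found; is @socketsecurity/socket-patch installed?')`, and keep any PATH fallback behind an explicit opt-in. Relatedly, because `shell` is enabled on Windows the user-supplied `[...argv]` is re-parsed by cmd.exe, so arguments containing `&`, `|`, `^`, `"` or `%VAR%` are interpreted rather than passed through verbatim; since the comment above the function describes the bin entry as a launcher script, consider resolving the package's own bin target (for instance via `createRequire(import.meta.url).resolve('@socketsecurity/socket-patch/package.json')` and its `bin` field) and running it with `process.execPath`, which avoids the shell entirely — worth confirming against the package layout. Separately, `let dir = __dirname` is only defined under CommonJS; `run` already receives `_importMeta`, so if this `.mts` file ships as native ESM the walk-up starts from `undefined` and always hits the fallback — confirm against the build setup.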
