feat: update @socketsecurity/socket-patch to v2.0.0

- Upgrade socket-patch from v1.2.0 to v2.0.0, now a native Rust binary
- Rewrite patch command to spawn the platform-specific Rust binary
  directly instead of importing the Node.js runPatch() function
- Map socket-cli environment variables to socket-patch env vars
  (SOCKET_API_URL, SOCKET_API_TOKEN, SOCKET_ORG_SLUG, etc.)
- Add comprehensive patch command documentation to README with
  subcommand reference table and quick-start guide
- Bump version to 1.1.58

Author: mikolalysenko

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.67](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.67) - 2026-03-06
+
+### Changed
+- Updated `@socketsecurity/socket-patch` to v2.0.0, now powered by a native Rust binary for faster patch operations
+- The `socket patch` command now directly invokes the platform-specific Rust binary instead of a Node.js wrapper
+- Enhanced `socket patch` documentation with a complete subcommand reference and quick-start guide
+
 ## [1.1.66](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.66) - 2026-03-02
 
 ### Changed
@@ -52,7 +59,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Deprecated `--reach-disable-analysis-splitting` flag (now a no-op for backwards compatibility).
 - Updated the Coana CLI to v `14.12.154`.
 
-
 ## [1.1.57](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.57) - 2026-01-10
 
 ### Changed

README.md

@@ -22,6 +22,38 @@ socket --help
 
 - `socket cdxgen [command]` - Run [cdxgen](https://cyclonedx.github.io/cdxgen/#/?id=getting-started) for SBOM generation
 
+- `socket patch <command>` - Apply, manage, and rollback Socket security patches for vulnerable dependencies
+
+### Patch subcommands
+
+| Command | Description |
+|---------|-------------|
+| `socket patch scan` | Scan installed packages for available security patches |
+| `socket patch get <uuid> --org <slug>` | Download a patch by UUID and store it locally |
+| `socket patch apply` | Apply downloaded patches to `node_modules` |
+| `socket patch rollback [purl\|uuid]` | Rollback patches and restore original files |
+| `socket patch list [--json]` | List all patches in the local manifest |
+| `socket patch remove <purl\|uuid>` | Remove a patch from the manifest (rolls back by default) |
+| `socket patch setup [--yes]` | Add `socket patch apply` to `postinstall` scripts |
+| `socket patch repair` | Download missing blobs and clean up unused blobs |
+
+**Quick start:**
+
+```bash
+# Scan for available patches, download, and apply.
+socket patch scan
+socket patch apply
+
+# Or download a specific patch by UUID.
+socket patch get <uuid> --org <org-slug>
+socket patch apply
+
+# Add to postinstall so patches reapply on npm install.
+socket patch setup --yes
+```
+
+Free patches work without authentication. For paid patches, set `SOCKET_CLI_API_TOKEN` and `SOCKET_CLI_ORG_SLUG`.
+
 ## Aliases
 
 All aliases support the flags and arguments of the commands they alias.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.66",
+"version": "1.1.67",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -86,6 +86,9 @@
     "update:deps": "taze",
     "update:socket": "pnpm update '@socketsecurity/*' '@socketregistry/*' --latest"
   },
+  "dependencies": {
+    "@socketsecurity/socket-patch": "2.0.0"
+  },
   "devDependencies": {
     "@babel/core": "7.28.4",
     "@babel/plugin-proposal-export-default-from": "7.27.1",
@@ -123,7 +126,6 @@
     "@socketsecurity/config": "3.0.1",
     "@socketsecurity/registry": "1.1.17",
     "@socketsecurity/sdk": "1.4.96",
-    "@socketsecurity/socket-patch": "1.2.0",
     "@types/blessed": "0.1.25",
     "@types/cmd-shim": "5.0.2",
     "@types/js-yaml": "4.0.9",