fix(sea): use relative paths in sea-config and update SDK

- Update Node.js version requirement from 25.5.0 to 25.8.0
- Use relative paths in sea-config.json (binject requires relative paths)
- Remove update-config.json generation (update config is embedded in sea-config)
- Remove unused safeDelete import from builder.mjs
- Update @socketsecurity/sdk to 3.3.1 with new createRepository API
- Fix createRepository call signature (orgSlug, repoName, params)
- Add missing external tools to EXTERNAL_TOOLS array
- Fix visibility type to 'private' | 'public'

Author: jdalton

.node-version

@@ -1 +1 @@
-25.5.0
+25.8.0

package.json

@@ -1,7 +1,7 @@
 {
   "name": "socket-cli-monorepo",
   "version": "0.0.0",
-  "packageManager": "pnpm@10.30.2",
+  "packageManager": "pnpm@10.31.0",
   "private": true,
   "engines": {
     "node": ">=25.5.0",

packages/cli/package.json

@@ -129,7 +129,7 @@
     "zod": "catalog:"
   },
   "engines": {
-    "node": ">=25.5.0",
+    "node": ">=25.8.0",
     "pnpm": ">=10.22.0"
   },
   "repository": {

packages/cli/scripts/sea-build-utils/builder.mjs

@@ -11,7 +11,7 @@
 import { existsSync, promises as fs } from 'node:fs'
 import path from 'node:path'
 
-import { safeDelete, safeMkdir } from '@socketsecurity/lib/fs'
+import { safeMkdir } from '@socketsecurity/lib/fs'
 import { normalizePath } from '@socketsecurity/lib/paths/normalize'
 import { spawn } from '@socketsecurity/lib/spawn'
 
@@ -51,19 +51,20 @@ import { SOCKET_CLI_SEA_BUILD_DIR } from '../constants/paths.mjs'
  */
 export async function generateSeaConfig(entryPoint, outputPath) {
   const outputName = path.basename(outputPath, path.extname(outputPath))
+  const configDir = path.dirname(outputPath)
   const configPath = normalizePath(
-    path.join(path.dirname(outputPath), `sea-config-${outputName}.json`),
-  )
-  const blobPath = normalizePath(
-    path.join(path.dirname(outputPath), `sea-blob-${outputName}.blob`),
+    path.join(configDir, `sea-config-${outputName}.json`),
   )
+  // Use relative paths in sea-config.json (binject requires relative paths).
+  const blobPathRelative = `sea-blob-${outputName}.blob`
+  const mainPathRelative = path.relative(configDir, entryPoint)
 
   const config = {
     // No assets to minimize size.
     assets: {},
     disableExperimentalSEAWarning: true,
-    main: entryPoint,
-    output: blobPath,
+    main: mainPathRelative,
+    output: blobPathRelative,
     // Enable code cache for ~13% faster startup (~22ms improvement).
     // Pre-compiles JavaScript code during build time for instant execution.
     useCodeCache: true,
@@ -97,7 +98,7 @@ export async function generateSeaConfig(entryPoint, outputPath) {
 // which is critical for useCodeCache support (code cache is version-specific).
 //
 // This eliminates the Node.js version mismatch issue where we were using the host
-// Node.js (e.g., v25.5.0) to generate blobs for node-smol targets (e.g., v24.10.0).
+// Node.js to generate blobs for node-smol targets with different Node.js versions.
 //
 // See injectSeaBlob() below for the config-based blob generation implementation.
 
@@ -109,9 +110,8 @@ export async function generateSeaConfig(entryPoint, outputPath) {
  * Inject SEA blob and optional VFS assets into a Node.js binary using binject.
  *
  * This function performs the core SEA binary build step by:
- * 1. Generating an update-config.json for embedded update checking (binject --update-config).
- * 2. Invoking binject to inject the SEA blob into the Node.js binary.
- * 3. Optionally embedding security tools via VFS compression (binject --vfs).
+ * 1. Invoking binject to inject the SEA blob into the Node.js binary.
+ * 2. Optionally embedding security tools via VFS compression (binject --vfs).
  *
  * Config-Based Blob Generation:
  * Instead of pre-generating the SEA blob with `node --experimental-sea-config`, binject
@@ -123,11 +123,6 @@ export async function generateSeaConfig(entryPoint, outputPath) {
  * tools into the binary. This achieves ~70% compression compared to Node.js SEA assets.
  * If vfsTarGz is omitted, --vfs-compat mode is used (no actual VFS bundling).
  *
- * Update Config Embedding:
- * The function generates an update-config.json that node-smol's C stub uses for built-in
- * update checking. This enables SEA binaries to check GitHub releases and notify users of
- * available updates without needing TypeScript-based update checking.
- *
  * @param {string} nodeBinary - Path to the node-smol binary to inject into.
  * @param {string} configPath - Path to the sea-config.json file for config-based blob generation.
  * @param {string} outputPath - Path to the output SEA binary (may be same as nodeBinary).
@@ -215,72 +210,32 @@ export async function injectSeaBlob(
     env['SOCKET_DLX_DIR'] = uniqueCacheDir
   }
 
-  // Generate update-config.json for embedded update checking.
-  const updateConfigPath = normalizePath(
-    path.join(path.dirname(configPath), 'update-config.json'),
-  )
-  const updateConfig = {
-    binname: 'socket',
-    command: 'self-update',
-    interval: 86_400_000,
-    notify_interval: 86_400_000,
-    prompt: false,
-    prompt_default: 'n',
-    skip_env: 'SOCKET_CLI_SKIP_UPDATE_CHECK',
-    tag: 'socket-cli-*',
-    url: 'https://api.github.com/repos/SocketDev/socket-cli/releases',
+  // Inject SEA blob into Node binary using binject.
+  const args = [
+    'inject',
+    '--executable',
+    nodeBinary,
+    '--output',
+    outputPath,
+    '--sea',
+    configPath,
+  ]
+
+  // Add VFS if provided (compressed tar.gz), otherwise use vfs-compat mode.
+  if (vfsTarGz && existsSync(vfsTarGz)) {
+    args.push('--vfs', vfsTarGz)
+  } else {
+    args.push('--vfs-compat')
   }
-  await fs.writeFile(updateConfigPath, JSON.stringify(updateConfig, null, 2))
 
-  try {
-    // Inject SEA blob into Node binary using binject.
-    //
-    // Config-Based Blob Generation:
-    // When --sea points to a .json file (sea-config.json), binject reads the config
-    // and generates the blob automatically. This is more efficient than pre-generating
-    // with `node --experimental-sea-config`.
-    //
-    // VFS Compression:
-    // If vfsTarGz is provided, we use --vfs to embed compressed security tools.
-    // binject decompresses the tar.gz and injects the files into the binary's VFS.
-    // This achieves ~70% compression (460 MB → 140 MB for security tools).
-    //
-    // Without VFS (vfs-compat mode):
-    // If vfsTarGz is omitted, --vfs-compat mode is used, which injects only the SEA
-    // blob without any additional VFS data. This is useful for minimal CLI-only builds.
-    const args = [
-      'inject',
-      '--executable',
-      nodeBinary,
-      '--output',
-      outputPath,
-      '--sea',
-      configPath,
-    ]
+  const result = await spawn(binjectPath, args, { env, stdio: 'inherit' })
 
-    // Add VFS if provided (compressed tar.gz), otherwise use vfs-compat mode.
-    if (vfsTarGz && existsSync(vfsTarGz)) {
-      args.push('--vfs', vfsTarGz)
-    } else {
-      args.push('--vfs-compat')
-    }
-
-    args.push('--update-config', updateConfigPath)
-
-    const result = await spawn(binjectPath, args, { env, stdio: 'inherit' })
-
-    if (
-      result &&
-      typeof result === 'object' &&
-      'exitCode' in result &&
-      result.exitCode !== 0
-    ) {
-      throw new Error(`binject failed with exit code ${result.exitCode}`)
-    }
-  } finally {
-    // Clean up update config file (keep in debug mode for troubleshooting).
-    if (!process.env['DEBUG']) {
-      await safeDelete(updateConfigPath).catch(() => {})
-    }
+  if (
+    result &&
+    typeof result === 'object' &&
+    'exitCode' in result &&
+    result.exitCode !== 0
+  ) {
+    throw new Error(`binject failed with exit code ${result.exitCode}`)
   }
 }

packages/cli/src/commands/repository/cmd-repository-create.mts

@@ -29,14 +29,15 @@ export const cmdRepositoryCreate = createRepositoryCommand({
     },
   },
   handler: async ({ flags, orgSlug, outputKind, repoName }) => {
+    const visibility = String(flags['visibility'] || 'private')
     await handleCreateRepo(
       {
         defaultBranch: String(flags['defaultBranch'] || ''),
         description: String(flags['repoDescription'] || ''),
         homepage: String(flags['homepage'] || ''),
         orgSlug,
         repoName: String(repoName),
-        visibility: String(flags['visibility'] || 'private'),
+        visibility: visibility === 'public' ? 'public' : 'private',
       },
       outputKind,
     )

packages/cli/src/commands/repository/fetch-create-repo.mts

@@ -11,7 +11,7 @@ export type FetchCreateRepoConfig = {
   homepage: string
   orgSlug: string
   repoName: string
-  visibility: string
+  visibility: 'private' | 'public'
 }
 
 export type FetchCreateRepoOptions = {
@@ -44,11 +44,10 @@ export async function fetchCreateRepo(
   const sockSdk = sockSdkCResult.data
 
   return await handleApiCall<'createRepository'>(
-    sockSdk.createRepository(orgSlug, {
+    sockSdk.createRepository(orgSlug, repoName, {
       default_branch: defaultBranch,
       description,
       homepage,
-      name: repoName,
       visibility,
     }),
     {

packages/cli/src/commands/repository/handle-create-repo.mts

@@ -19,7 +19,7 @@ export async function handleCreateRepo(
     description: string
     homepage: string
     defaultBranch: string
-    visibility: string
+    visibility: 'private' | 'public'
   },
   outputKind: OutputKind,
 ): Promise<void> {

packages/cli/src/utils/basics/vfs-extract.mts

@@ -13,22 +13,15 @@
  */
 
 import { createHash } from 'node:crypto'
-import { existsSync, promises as fs } from 'node:fs'
 import { homedir } from 'node:os'
 import path from 'node:path'
 
-import { debug } from '@socketsecurity/lib/debug'
-import { safeDelete, safeMkdir } from '@socketsecurity/lib/fs'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { normalizePath } from '@socketsecurity/lib/paths/normalize'
 import { spawn } from '@socketsecurity/lib/spawn'
 
 import { UPDATE_STORE_DIR } from '../../constants/paths.mts'
-import { getOpengrepVersion } from '../../env/opengrep-version.mts'
-import { getPyCliVersion } from '../../env/pycli-version.mts'
 import { getPythonMajorMinor } from '../../env/python-version.mts'
-import { getTrivyVersion } from '../../env/trivy-version.mts'
-import { getTrufflehogVersion } from '../../env/trufflehog-version.mts'
 import { isSeaBinary } from '../sea/detect.mts'
 
 const logger = getDefaultLogger()
@@ -183,9 +176,11 @@ export async function extractBasicsTools(
     logger.group('Validating extracted basics tools...')
 
     const pythonExe = isPlatWin ? 'python3.exe' : 'python3'
-    const pythonPath = normalizePath(
-      path.join(extractedPaths.python, 'bin', pythonExe),
-    )
+    const pythonDir = extractedPaths['python']
+    if (!pythonDir) {
+      throw new Error('Python extraction path not found')
+    }
+    const pythonPath = normalizePath(path.join(pythonDir, 'bin', pythonExe))
 
     const validateResult = await spawn(pythonPath, ['--version'], {
       stdio: 'pipe',
@@ -226,7 +221,7 @@ export async function extractBasicsTools(
 
     logger.success('Basics tools extracted and validated')
     // Return the Python directory path for backward compatibility.
-    return extractedPaths.python
+    return extractedPaths['python'] ?? null
   } catch (e) {
     logger.error('VFS extraction failed')
     throw e

packages/cli/src/utils/dlx/vfs-extract.mts

@@ -79,10 +79,13 @@ import { isSeaBinary } from '../sea/detect.mts'
 const logger = getDefaultLogger()
 
 // External tool names bundled in VFS.
-// Currently only includes standalone binaries that are packaged in the VFS tarball.
-// npm packages (cdxgen, coana, socket-patch, synp) will be added in future updates.
+// Includes standalone binaries and npm packages that are packaged in the VFS tarball.
 export const EXTERNAL_TOOLS = [
+  'cdxgen',
+  'coana',
   'sfw',
+  'socket-patch',
+  'synp',
 ] as const
 
 export type ExternalTool = (typeof EXTERNAL_TOOLS)[number]