Pin @coana-tech/cli version; make reachability auto-update opt-in (#230)
* Pin @coana-tech/cli version; make reachability auto-update opt-in
The Python CLI auto-updated the reachability (Coana) engine to the latest
published version on every --reach run via `npm install -g @coana-tech/cli`.
Automatically pulling a brand-new engine version without opting in is
undesirable for environments that need to review/approve dependency updates
before adopting them.
Run a fixed, pinned version (DEFAULT_COANA_CLI_VERSION = 15.3.22) via
`npx @coana-tech/cli@<pinned>` instead, so the engine version only changes
through a standard pip upgrade of this CLI. Opt into newest with
`--reach-version latest`; pin an explicit version with `--reach-version <semver>`.
The global `npm install -g` step is dropped entirely, so an existing global
install is never auto-updated or downgraded.
* Disable npx caching and add npm-install + node fallback for coana
Mirror the Socket Node CLI's coana launcher:
- Run the engine via `npx --yes --force` so the npx cache is bypassed; a
corrupt or partial cache entry can no longer wedge a reachability run.
- Fall back to `npm install --no-save --prefix <tmp> @coana-tech/cli@<ver>`
+ `node <bin>` when the npx launcher is missing or dies before coana starts
(spawn error / signal / exit >= 128). Small positive exit codes are treated
as real coana failures and are not retried.
- Toggle with SOCKET_CLI_COANA_FORCE_NPM_INSTALL and SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK.
- Strip npm_package_* env vars before spawning coana to avoid E2BIG in large monorepos.
Kept on version 2.4.7 (same unreleased version as the pin change).
* Bump pinned @coana-tech/cli to 15.3.24
* Address PR review: per-version fallback cache, node prereq, accurate npx wording
- M2: cache the npm-install fallback's resolved script path per version for the
process lifetime (mirrors the Node CLI's installedCoanaScriptPathsByVersion), so a
repeated fallback installs once instead of re-installing + leaking a temp dir each call.
- M3: surface a clear error when `node` is missing in the fallback (instead of an opaque
FileNotFoundError after a costly npm install), and add `node` to the up-front prereq check.
- M1: correct the overstated 'npx --force disables the cache' wording in docstrings, docs,
and CHANGELOG. The code already matches the Node CLI exactly (npx --yes --force); --force
does not force a re-download of an already-cached pinned version, so the docs now describe
what the flags actually do rather than claiming a cache bypass.
Adds tests for per-version caching, node-missing, and real _resolve_coana_bin /
_build_coana_node_cmd parsing.
* Address review comments: Final annotation, atexit tmp cleanup, parametrized tests
- Annotate DEFAULT_COANA_CLI_VERSION with typing.Final.
- Register an atexit handler to remove the npm-install fallback's temp dirs.
- Trim the over-long --force explanation in _spawn_coana's docstring and drop the
inline comment that duplicated it.
- Use try/finally in the cache-clearing test fixture.
- Parametrize the spec-resolution, npx-version, and launcher-failure-heuristic tests.
* Move launch-strategy rationale from the spec resolver to _spawn_coana
The 'why npx, not npm install -g' explanation describes how coana is launched, not
how a package spec string is built, so it belongs on _spawn_coana (per review). Leaves
_resolve_coana_package_spec with a minimal docstring.
* docs: show the real --reach-version default (15.3.24) in the Default column
* docs: show real reach-flag defaults from the Coana CLI implementation
Fill in the Default column for the flags whose defaults come from coana, verified
against the @coana-tech/cli source (coana-package-manager/packages/cli):
- --reach-analysis-timeout -> 600 (cli-core.ts: defaults to 600s when unset)
- --reach-analysis-memory-limit -> 8192 (index.ts --memory-limit default)
- --reach-concurrency -> 1 (index.ts --concurrency default)
- --reach-min-severity -> info (no coana default = analyze all; info is the effective floor)
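The launcher strategy described in the commit message (pinned spec resolution, `npx --yes --force`, the `npm install --no-save --prefix <tmp>` + `node` fallback, the launcher-failure heuristic, the two environment toggles, `npm_package_*` stripping and the per-version fallback cache) can be modelled without spawning anything. The block below is an added example and is not the Socket CLI's own code: the function names, the strict-semver check, the "set and not `0`/`false`" rule for the toggles and the in-memory cache dict are assumptions; the flags, fallback order, exit-code heuristic and env stripping follow the commit message.

```python
"""Model of the coana launch strategy described in the commit message.

Added example, not the Socket CLI's own code. Function names, the semver
check, the env-var truthiness rule and the cache dict are assumptions; the
flags, fallback order, failure heuristic and env stripping follow the
commit message.
"""
import re
from typing import Callable, Final, Optional

DEFAULT_COANA_CLI_VERSION: Final = "15.3.24"
PACKAGE: Final = "@coana-tech/cli"

# Exact semver only (assumption): anything that is neither "latest" nor a
# version is rejected, so an arbitrary string never reaches the npx command line.
_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

# Per-version cache of the fallback install's script path (process lifetime).
_installed_script_paths: dict[str, str] = {}


def resolve_coana_package_spec(reach_version: Optional[str]) -> str:
    """None -> pinned default; "latest" -> opt-in auto-update; semver -> user pin."""
    if reach_version is None:
        return f"{PACKAGE}@{DEFAULT_COANA_CLI_VERSION}"
    if reach_version == "latest":
        return f"{PACKAGE}@latest"
    if _SEMVER_RE.match(reach_version):
        return f"{PACKAGE}@{reach_version}"
    raise ValueError(f"invalid --reach-version: {reach_version!r}")


def build_npx_cmd(spec: str, coana_args: list[str]) -> list[str]:
    """Primary launcher: npx --yes --force <spec> <coana args>."""
    return ["npx", "--yes", "--force", spec, *coana_args]


def build_npm_install_cmd(spec: str, prefix_dir: str) -> list[str]:
    """Fallback step 1: install into a throwaway prefix, never the global tree."""
    return ["npm", "install", "--no-save", "--prefix", prefix_dir, spec]


def build_node_cmd(script_path: str, coana_args: list[str]) -> list[str]:
    """Fallback step 2: run the installed bin script directly with node."""
    return ["node", script_path, *coana_args]


def strip_npm_package_env(env: dict[str, str]) -> dict[str, str]:
    """Drop npm_package_* vars (injected under `npm run`) to avoid E2BIG."""
    return {k: v for k, v in env.items() if not k.startswith("npm_package_")}


def is_launcher_failure(spawn_error: bool, returncode: Optional[int]) -> bool:
    """True when the npx launcher itself died before coana ran (retry via fallback).

    A spawn error, death by signal (subprocess reports it as a negative
    returncode) or exit >= 128 counts as a launcher failure; small positive
    exit codes are real coana failures and are not retried.
    """
    if spawn_error:
        return True
    if returncode is None:
        return False
    return returncode < 0 or returncode >= 128


def _env_flag(env: dict[str, str], name: str) -> bool:
    """Assumed truthiness rule: set and not one of "", "0", "false"."""
    return env.get(name, "").strip().lower() not in ("", "0", "false")


def launch_plan(env: dict[str, str]) -> str:
    """Pick a strategy from the two toggles: 'npm-install', 'npx-only' or 'npx-then-npm'."""
    if _env_flag(env, "SOCKET_CLI_COANA_FORCE_NPM_INSTALL"):
        return "npm-install"
    if _env_flag(env, "SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK"):
        return "npx-only"
    return "npx-then-npm"


def ensure_fallback_install(spec: str, installer: Callable[[str], str]) -> str:
    """Install `spec` once per process and remember the resolved script path.

    `installer` does the npm install into a fresh temp dir and returns the
    path of the coana bin script; it is injected so this runs without npm.
    A repeated fallback for the same spec reuses the path instead of
    re-installing and leaking another temp dir.
    """
    path = _installed_script_paths.get(spec)
    if path is None:
        path = installer(spec)
        _installed_script_paths[spec] = path
    return path
```

The spec resolver is where the supply-chain decision is made: with no flag the engine version is whatever this CLI release pins, `latest` is an explicit opt-in to pull the newest published version at run time, and anything that is not a version is rejected before it is handed to `npx`. The heuristic deliberately treats exit codes below 128 as coana's own verdict, so a genuine analysis failure is reported once rather than masked by a second `npm install` attempt.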
|`--reach`| False | False | Enable reachability analysis to identify which vulnerable functions are actually called by your code. Creates a tier-1 full-application reachability scan (`scan_type=socket_tier1`). |
243
-
|`--reach-version`| False |latest | Version of @coana-tech/cli to usefor analysis |
244
-
|`--reach-analysis-timeout`| False |*coana*| Timeout in seconds for the reachability analysis. Omitted by default, so coana applies its own (currently 600s). Alias: `--reach-timeout`|
245
-
|`--reach-analysis-memory-limit`| False |*coana*| Memory limit in MB for the reachability analysis. Omitted by default, so coana applies its own (currently 8192). Alias: `--reach-memory-limit`|
246
-
|`--reach-concurrency`| False |*coana*| Control parallel analysis execution (must be >= 1). Omitted by default, so coana applies its own (currently 1)|
243
+
|`--reach-version`| False |15.3.24 | Version of @coana-tech/cli to use. Defaults to the pinned version that ships with this CLI release, so the engine only changes when you upgrade the Socket CLI. Pass `latest` to always use the newest published version (opt-in auto-update), or an explicit version (e.g. `1.2.3`) to pin it.|
244
+
|`--reach-analysis-timeout`| False |600 | Timeout in seconds for the reachability analysis. Omitted by default, so coana applies its own default. Alias: `--reach-timeout`|
245
+
|`--reach-analysis-memory-limit`| False |8192 | Memory limit in MB for the reachability analysis. Omitted by default, so coana applies its own default. Alias: `--reach-memory-limit`|
246
+
|`--reach-concurrency`| False |1 | Control parallel analysis execution (must be >= 1). Omitted by default, so coana applies its own default. |
247
247
|`--reach-additional-params`| False || Pass custom parameters to the coana CLI tool |
248
248
|`--reach-ecosystems`| False || Comma-separated list of ecosystems to analyze (e.g., "npm,pypi"). If not specified, all supported ecosystems are analyzed |
|`--reach-min-severity`| False |info| Minimum severity of vulnerabilities to analyze (info, low, moderate, high, critical). Omitted by default, so coana analyzes all severities — equivalent to `info`, the lowest.|
250
250
|`--reach-skip-cache`| False | False | Skip cache and force fresh reachability analysis |
|`--reach-enable-analysis-splitting`| False | False | Enable analysis splitting/bucketing (a legacy performance feature). Splitting is disabled by default. |
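Review bot: the `--reach-version` row now hard-codes `15.3.24` in the Default column, which will drift the next time the pin is bumped (this PR already moved it from 15.3.22 to 15.3.24) unless the table is generated from `DEFAULT_COANA_CLI_VERSION`; wording it as "pinned (currently 15.3.24)" would make a stale number read as a snapshot rather than a contract. The timeout, memory-limit and concurrency rows have the opposite problem: the Default column now shows `600`, `8192` and `1` while the description says the flag is omitted so coana applies its own default, so a reader may assume the Python CLI passes those values itself. The previous rows kept the distinction with "(currently 600s)"; keeping that qualifier in the new rows, e.g. "Omitted by default, so coana applies its own default (currently 600)", removes the ambiguity.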
@@ -262,8 +262,9 @@ If you don't want to provide the Socket API Token every time then you can use th
262
262
**Reachability Analysis Requirements:**
263
263
264
264
The Python CLI verifies the following **up front** (before invoking the analysis engine) and exits with code **3** if any are unmet:
265
-
- `npm` - Required to install and run `@coana-tech/cli` (the analysis engine)
266
-
- `npx` - Required to execute `@coana-tech/cli`
265
+
- `npm` - Required (verified up front; ships alongside `npx`)
266
+
- `npx` - Required to fetch (on first use) and run `@coana-tech/cli` (the analysis engine)
267
+
- `node` - Required to run the engine (used directly by the `npm install` fallback)
267
268
- `uv` - Required by the analysis engine
268
269
- An **Enterprise** Socket organization plan (any `enterprise*` plan, including Enterprise trials)
269
270
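Review bot: the rewritten `npm` bullet no longer says what `npm` is needed for; since the fallback path runs `npm install --no-save --prefix <tmp>`, state that, e.g. "- `npm` - Required by the `npm install` fallback launcher (ships alongside `npx`)". The new `node` bullet says it is "used directly by the `npm install` fallback", but `node` is also what `npx` itself runs the engine on, so "Required to run the engine (via `npx`, or directly in the `npm install` fallback)" would be more accurate and explains why `node` is part of the up-front exit-code-3 check even on runs where the fallback is never taken.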
@@ -313,7 +314,11 @@ Sample config files:
313
314
314
315
For CI-specific examples and guidance, see [`ci-cd.md`](ci-cd.md).
315
316
316
-
The CLI will automatically install `@coana-tech/cli` if not present. Use `--reach` to enable reachability analysis during a full scan, or add `--only-facts-file` (with `--reach`) to submit only the reachability facts file (`.socket.facts.json`) when creating the full scan.
317
+
The CLI runs a pinned `@coana-tech/cli` version via `npx --yes --force` (the same flags the Socket Node CLI passes for coana); it does **not** auto-update the engine or install it globally. `--yes` skips npx's interactive install prompt so non-interactive/CI runs don't hang. If the `npx` launcher is unavailable or fails before the engine starts, the CLI falls back to `npm install`-ing the pinned version into a temp directory and running it via `node`. Pass `--reach-version latest` to opt into the newest published version. Use `--reach` to enable reachability analysis during a full scan, or add `--only-facts-file` (with `--reach`) to submit only the reachability facts file (`.socket.facts.json`) when creating the full scan.
318
+
319
+
The launcher fallback can be tuned via environment variables:
320
+
- `SOCKET_CLI_COANA_FORCE_NPM_INSTALL` — skip `npx` entirely and always use the `npm install` + `node` path (useful where `npx` is known-broken).
321
+
- `SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK` — never fall back; surface the `npx` failure directly.
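Review bot: the two environment-variable bullets do not say what value enables them (`1`? any non-empty string? is `0` or `false` treated as unset?), which matters for CI where these get copied into pipeline config; document the accepted values next to each variable. The paragraph also explains `--yes` but not `--force`; given that the commit message took care to retract an earlier claim that `--force` bypasses the npx cache, a short clause that it mirrors the Node CLI's flags and does not force a re-download of an already-cached pinned version would stop readers reaching that conclusion on their own. Finally, "fails before the engine starts" could state what that covers (spawn error, death by signal, or exit code >= 128, per the commit message) so operators know a normal non-zero coana exit will not silently trigger a second `npm install` into a fresh temp directory.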