fix(scan): ignore project .pnpmfile.cjs when launching tools via pnpm dlx (1.1.130) #1383

Merged
Martin Torp (mtorp) merged 1 commit into SocketDev/socket-cli:v1.x from SocketDev/socket-cli:martin/debug-palantir-error
Jun 29, 2026

@mtorp Martin Torp (mtorp) commented Jun 29, 2026

Contributor

Problem

Reachability scans (socket scan create --reach) can fail to start with a confusing error when run inside a pnpm workspace whose root defines a .pnpmfile.cjs:

A syntax error in the ".../.pnpmfile.cjs"
.../some-file.js:1
version https://git-lfs.github.com/spec/v1
        ^^^^^
SyntaxError: Unexpected identifier 'https'
...
⠇ Coana reachability analysis failed ...
Details: Coana failed to run via the package manager (exit code 1): command failed

Root cause

Socket CLI launches its bundled analysis tools (Coana, and similarly cdxgen/synp) via pnpm dlx <pkg> with the target repo as the working directory (src/utils/dlx.mts, spawnDlx).

When that working directory is a pnpm workspace root, pnpm dlx evaluates the repo's root .pnpmfile.cjs before doing anything else. If a hook in that file throws at load time — for example a top-level require() of a file that is still an unresolved Git LFS pointer (so its contents are the LFS spec text, not JavaScript) — pnpm crashes with a bare exit code before the analysis tool ever boots. The CLI then surfaces only the generic "Coana failed to run via the package manager (exit code 1)".

Notes confirmed while debugging:

  • pnpm dlx loads the cwd's .pnpmfile.cjs only when the cwd is a workspace root; a standalone project dir is unaffected. This is why it only reproduces in monorepos.
  • The tool never started (no tool banner in the output), so this is purely a launcher problem — not a bug in the analysis tool itself.

Fix

In the pnpm branch of spawnDlx, always set npm_config_ignore_pnpmfile=true on the launch environment, so pnpm dlx never runs the target project's pnpm hooks. The dlx tool is installed into an isolated store, so the project's install hooks are irrelevant to it. This covers the Coana, cdxgen, and synp dlx launches.

The --ignore-pnpmfile CLI flag is rejected by pnpm dlx ("Unknown option"); only the npm_config_ignore_pnpmfile env/config form is honored — verified against pnpm 10.28.0/10.33.0.

Testing

  • Reproduced the original failure byte-for-byte locally, then confirmed the injected env var makes the same pnpm dlx launch in a workspace root succeed.
  • Added a unit test asserting the pnpm dlx launch sets npm_config_ignore_pnpmfile=true regardless of the force flag.
  • pnpm test:unit src/utils/dlx.test.mts — 29 pass.
  • pnpm check:tsc clean; eslint clean.

Note

Low Risk
Small, targeted change to pnpm dlx spawn env in dlx.mts; skips project hooks only for isolated dlx installs, with unit test coverage.

Overview
Fixes reachability and other scans that launch bundled tools (Coana, cdxgen, synp) with pnpm dlx from a pnpm workspace root, where pnpm dlx was loading the repo’s .pnpmfile.cjs and could exit before the tool started (e.g. hooks that require Git LFS pointer files).

spawnDlx now always sets npm_config_ignore_pnpmfile=true on the pnpm launch environment so project install hooks are skipped; the existing force path still sets npm_config_dlx_cache_max_age=0 in the same env block. Release 1.1.130 with changelog; unit test asserts the env var is set regardless of force.

Reviewed by Cursor Bugbot for commit 0d7ed41.

… dlx (1.1.130)

Reachability scans launch Coana (and cdxgen/synp) via `pnpm dlx` with the
target repo as cwd. In a pnpm workspace root, `pnpm dlx` evaluates that
repo's root `.pnpmfile.cjs`, so a broken or environment-specific hook there
(e.g. a `require()` of a file that is still an unresolved Git LFS pointer)
crashes the launcher with a bare exit code before the tool ever starts.

Set `npm_config_ignore_pnpmfile=true` on the pnpm dlx launch env so the
project's pnpm hooks never run. The dlx tool installs into an isolated
store, so those hooks are irrelevant to it. The `--ignore-pnpmfile` CLI
flag is rejected by `pnpm dlx`; only the env/config form works.
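
An added sketch of the root cause and the fix described in this PR (illustrative JavaScript, not code from socket-cli; `isGitLfsPointer`, `parseErrorFor`, `planPnpmDlx` and the package name `example-tool@1.0.0` are hypothetical). It shows why an unresolved Git LFS pointer cannot be loaded as JavaScript, and how the pnpm dlx launch environment forces `npm_config_ignore_pnpmfile=true` even when the inherited environment says otherwise.

```javascript
// Added illustration; not code from socket-cli. All names are hypothetical.

// Constructed sample: a file that is still an unresolved Git LFS pointer
// (oid and size are made-up values).
const LFS_POINTER_SAMPLE = [
  'version https://git-lfs.github.com/spec/v1',
  'oid sha256:' + '0'.repeat(64),
  'size 12345',
  '',
].join('\n')

// True when the text is a Git LFS pointer rather than real file content.
function isGitLfsPointer(text) {
  return text.startsWith('version https://git-lfs.github.com/spec/v1\n')
}

// Compile (never execute) the text as a script body, as loading it with
// require() would have to, and return the resulting error or null.
function parseErrorFor(text) {
  try {
    new Function(text)
    return null
  } catch (e) {
    return e
  }
}

// Build the launch plan for `pnpm dlx <pkg>`. Project hooks are disabled
// through the environment only: per the PR, pnpm dlx rejects the
// --ignore-pnpmfile flag, so it must never be put in args.
function planPnpmDlx(pkgSpec, toolArgs = [], { baseEnv = {}, force = false } = {}) {
  const env = {
    ...baseEnv,
    // Set after the spread so an inherited "false" cannot re-enable hooks.
    npm_config_ignore_pnpmfile: 'true',
  }
  if (force) {
    // The existing force path: bypass the dlx cache.
    env.npm_config_dlx_cache_max_age = '0'
  }
  return { command: 'pnpm', args: ['dlx', pkgSpec, ...toolArgs], env }
}

// Stand-alone demo: the pointer text fails exactly like the error above.
const demoError = parseErrorFor(LFS_POINTER_SAMPLE)
console.log(isGitLfsPointer(LFS_POINTER_SAMPLE), demoError && demoError.name)
console.log(planPnpmDlx('example-tool@1.0.0', ['--help']).env)
```
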

Member

LGTM 🎉

@mtorp Martin Torp (mtorp) merged commit 10fe89e into v1.x Jun 29, 2026
13 checks passed
@mtorp Martin Torp (mtorp) deleted the martin/debug-palantir-error branch June 29, 2026 10:43