Comparing changes

base repository: SocketDev/socket-python-cli
base: v2.4.6
...
head repository: SocketDev/socket-python-cli
compare: v2.4.7
  • 1 commit
  • 9 files changed
  • 1 contributor

Commits on Jun 9, 2026

  1. Pin @coana-tech/cli version; make reachability auto-update opt-in (#230)

    * Pin @coana-tech/cli version; make reachability auto-update opt-in
    
    The Python CLI auto-updated the reachability (Coana) engine to the latest
    published version on every --reach run via `npm install -g @coana-tech/cli`.
    Automatically pulling a brand-new engine version without opting in is
    undesirable for environments that need to review/approve dependency updates
    before adopting them.
    
    Run a fixed, pinned version (DEFAULT_COANA_CLI_VERSION = 15.3.22) via
    `npx @coana-tech/cli@<pinned>` instead, so the engine version only changes
    through a standard pip upgrade of this CLI. Opt into newest with
    `--reach-version latest`; pin an explicit version with `--reach-version <semver>`.
    The global `npm install -g` step is dropped entirely, so an existing global
    install is never auto-updated or downgraded.
    
    * Disable npx caching and add npm-install + node fallback for coana
    
    Mirror the Socket Node CLI's coana launcher:
    - Run the engine via `npx --yes --force` so the npx cache is bypassed; a
      corrupt or partial cache entry can no longer wedge a reachability run.
    - Fall back to `npm install --no-save --prefix <tmp> @coana-tech/cli@<ver>`
      + `node <bin>` when the npx launcher is missing or dies before coana starts
      (spawn error / signal / exit >= 128). Small positive exit codes are treated
      as real coana failures and are not retried.
    - Toggle with SOCKET_CLI_COANA_FORCE_NPM_INSTALL and SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK.
    - Strip npm_package_* env vars before spawning coana to avoid E2BIG in large monorepos.
    
    Kept on version 2.4.7 (same unreleased version as the pin change).
    
    * Bump pinned @coana-tech/cli to 15.3.24
    
    * Address PR review: per-version fallback cache, node prereq, accurate npx wording
    
    - M2: cache the npm-install fallback's resolved script path per version for the
      process lifetime (mirrors the Node CLI's installedCoanaScriptPathsByVersion), so a
      repeated fallback installs once instead of re-installing + leaking a temp dir each call.
    - M3: surface a clear error when `node` is missing in the fallback (instead of an opaque
      FileNotFoundError after a costly npm install), and add `node` to the up-front prereq check.
    - M1: correct the overstated 'npx --force disables the cache' wording in docstrings, docs,
      and CHANGELOG. The code already matches the Node CLI exactly (npx --yes --force); --force
      does not force a re-download of an already-cached pinned version, so the docs now describe
      what the flags actually do rather than claiming a cache bypass.
    
    Adds tests for per-version caching, node-missing, and real _resolve_coana_bin /
    _build_coana_node_cmd parsing.
    
    * Address review comments: Final annotation, atexit tmp cleanup, parametrized tests
    
    - Annotate DEFAULT_COANA_CLI_VERSION with typing.Final.
    - Register an atexit handler to remove the npm-install fallback's temp dirs.
    - Trim the over-long --force explanation in _spawn_coana's docstring and drop the
      inline comment that duplicated it.
    - Use try/finally in the cache-clearing test fixture.
    - Parametrize the spec-resolution, npx-version, and launcher-failure-heuristic tests.
    
    * Move launch-strategy rationale from the spec resolver to _spawn_coana
    
    The 'why npx, not npm install -g' explanation describes how coana is launched, not
    how a package spec string is built, so it belongs on _spawn_coana (per review). Leaves
    _resolve_coana_package_spec with a minimal docstring.
    
    * docs: show the real --reach-version default (15.3.24) in the Default column
    
    * docs: show real reach-flag defaults from the Coana CLI implementation
    
    Fill in the Default column for the flags whose defaults come from coana, verified
    against the @coana-tech/cli source (coana-package-manager/packages/cli):
    - --reach-analysis-timeout -> 600 (cli-core.ts: defaults to 600s when unset)
    - --reach-analysis-memory-limit -> 8192 (index.ts --memory-limit default)
    - --reach-concurrency -> 1 (index.ts --concurrency default)
    - --reach-min-severity -> info (no coana default = analyze all; info is the effective floor)
    mtorp authored Jun 9, 2026
    Commit f5ae591
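The launch strategy the commit message describes (pinned default spec, `--reach-version latest` or an explicit semver, `npx --yes --force`, the exit-code heuristic that decides whether the npm-install fallback is tried, and stripping `npm_package_*` env vars) as an added illustration. This is not the socket-python-cli code; the functions `resolve_package_spec`, `build_npx_cmd`, `is_launcher_failure` and `strip_npm_package_env` are hypothetical names chosen here.

```python
import re
from typing import Final, Optional

# Pinned engine version quoted in the commit message; only a pip upgrade
# of the CLI (or an explicit --reach-version) changes it.
DEFAULT_COANA_CLI_VERSION: Final[str] = "15.3.24"
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def resolve_package_spec(reach_version: Optional[str]) -> str:
    """Map the --reach-version flag to an npm package spec.

    None/empty -> the pinned default, "latest" -> newest published,
    an explicit semver -> that exact version; anything else is rejected.
    """
    if not reach_version:
        return f"@coana-tech/cli@{DEFAULT_COANA_CLI_VERSION}"
    if reach_version == "latest":
        return "@coana-tech/cli@latest"
    if not SEMVER_RE.match(reach_version):
        raise ValueError(f"invalid --reach-version: {reach_version!r}")
    return f"@coana-tech/cli@{reach_version}"


def build_npx_cmd(spec: str, engine_args: list[str]) -> list[str]:
    """Launch via npx (no global install), as the commit message describes."""
    return ["npx", "--yes", "--force", spec, *engine_args]


def is_launcher_failure(returncode: Optional[int]) -> bool:
    """Decide whether a failed run should be retried via the npm-install fallback.

    returncode None models a spawn error (OSError before npx started);
    a negative value is how subprocess reports death by signal; >= 128 is the
    shell-style signal exit. Small positive codes are real engine failures.
    """
    if returncode is None or returncode < 0:
        return True
    return returncode >= 128


def strip_npm_package_env(env: dict[str, str]) -> dict[str, str]:
    """Drop npm_package_* vars inherited from npm scripts so the child
    environment stays small enough to avoid E2BIG in large monorepos."""
    return {k: v for k, v in env.items() if not k.startswith("npm_package_")}
```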