Skip to content

feat!: migrate patch command to @socketsecurity/socket-patch@1.2.0 #1039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jdalton wants to merge 3 commits into from
Closed

feat!: migrate patch command to @socketsecurity/socket-patch@1.2.0 #1039

jdalton wants to merge 3 commits into from

Conversation

@jdalton
Copy link
Contributor

@jdalton jdalton commented Jan 12, 2026
edited by cursor bot
Loading

Summary

  • Migrated patch command to use external @socketsecurity/socket-patch@1.2.0 package
  • Follows the same pattern as Coana and SFW integrations

Changes

  • Added socket-patch@1.2.0 to external-tools.json
  • Created spawnSocketPatch() utility following the coana/sfw pattern
  • Created environment variable support for socket-patch version and local path
  • Updated constants/env.mts with socket-patch configuration
  • Replaced custom 30+ file patch implementation with simple wrapper that delegates to socket-patch
  • Moved old patch implementation to patch-old/ directory for reference
  • Fixed all external tool version getters (coana, sfw, socket-patch) to throw errors if versions are missing
  • Updated CHANGELOG.md

Breaking Changes

This migration replaces the built-in custom patch implementation with the external socket-patch package. The functionality remains the same from a user perspective, but the implementation is now delegated to the external package.

Test plan

  • Verify socket patch commands work with the external package
  • Test patch discovery, download, apply, and other subcommands
  • Verify local development path override works (SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH)
  • Ensure error handling works correctly

🤖 Generated with Claude Code

Note

Breaking change: socket patch now delegates to external @socketsecurity/socket-patch@1.2.0.

  • Replace multi-file in-repo patch implementation with wrapper (cmd-patch.mts) that forwards args to socket-patch; legacy code moved to patch-old/
  • Add spawnSocketPatch() utility and env support: inline socket-patch version, SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH; export through constants/env.mts
  • Add external tool entry: external-tools.json includes @socketsecurity/socket-patch@1.2.0; bump Coana CLI to 14.12.148
  • Harden version getters: getCoanaVersion, getSwfVersion, getSocketPatchVersion now throw if missing
  • Performance/memory: introduce streaming filter in globWithGitIgnore and createSupportedFilesFilter; use during scan file discovery to avoid accumulating all paths
  • Update CHANGELOG.md to reflect migration and memory fix

Written by Cursor Bugbot for commit 2a4e41c. Configure here.

jdalton and others added 3 commits January 12, 2026 12:28
@jdalton
chore(deps): update Coana CLI to v14.12.148
d69e195 
Update @coana-tech/cli from v14.12.139 to v14.12.148.

Ported from v1.x commits:
- b66490a: bump coana version (#1017) - 14.12.143
- f91f262: upgrade Coana (#1024) - 14.12.148
@jdalton @mikolalysenko
fix: prevent heap overflow in large monorepo scans
3712e70 
Add streaming-based filtering to globWithGitIgnore to prevent heap overflow
when scanning large monorepos with 100k+ files. Instead of accumulating all
file paths and filtering afterwards, files are now filtered during streaming
which dramatically reduces memory usage.

Changes:
- Add `filter` option to globWithGitIgnore for early filtering during streaming
- Add createSupportedFilesFilter helper to create filter from supported files
- Update getPackageFilesForScan to use streaming filter

Fixes SMO-522

Ported from v1.x commit 9bbb8e8 ([SMO-522] Fix heap overflow in large monorepo scans #1026)

Co-authored-by: Mikola Lysenko <mikolalysenko@gmail.com>
@jdalton
feat!: migrate patch command to @socketsecurity/socket-patch@1.2.0
2a4e41c 
BREAKING CHANGE: Replace custom built-in patch implementation with external
@socketsecurity/socket-patch package, following the same integration pattern
as Coana and SFW.

Changes:
- Add socket-patch@1.2.0 to external-tools.json
- Create socket-patch spawn utility (src/utils/socket-patch/spawn.mts)
- Add SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH environment variable support
- Replace 30+ custom patch files with simple wrapper that delegates to socket-patch
- Move old custom implementation to patch-old/ for reference
- Add INLINED_SOCKET_CLI_SOCKET_PATCH_VERSION to env constants

BREAKING CHANGE: External tool version getters now throw errors instead of
returning empty strings when versions are missing from external-tools.json.
This affects getCoanaVersion(), getSwfVersion(), and getSocketPatchVersion().

Benefits:
- Consistent external tool integration pattern across CLI
- Reduces maintenance burden (socket-patch maintained separately)
- Users get socket-patch updates without CLI releases
- Simplified codebase (~30 files → 1 wrapper)

Ported from v1.x commits:
- 44655ac: Use @socketsecurity/socket-patch for patch command (#987)
- dfe019d: feat: update @socketsecurity/socket-patch to v1.2.0 (#1030)
@jdalton jdalton closed this Jan 12, 2026
@jdalton jdalton deleted the feat/migrate-to-socket-patch branch January 12, 2026 18:05
cursor[bot]
cursor bot reviewed Jan 12, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment @cursor review or bugbot run to trigger another review on this PR

packages/cli/src/utils/socket-patch/spawn.mts
// Forward SOCKET_PATCH_PROXY_URL if set.
if (ENV.SOCKET_PATCH_PROXY_URL) {
mixinsEnv['SOCKET_PATCH_PROXY_URL'] = ENV.SOCKET_PATCH_PROXY_URL
}
Copy link

@cursor cursor bot Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Environment variable never forwarded due to missing definition

Medium Severity

The code attempts to forward SOCKET_PATCH_PROXY_URL to the socket-patch subprocess by accessing ENV.SOCKET_PATCH_PROXY_URL, but this environment variable is never imported or added to the ENV module's snapshot in env.mts. The ENV Proxy only reads from process.env in VITEST mode; in production, it reads from the snapshot where this property doesn't exist. As a result, ENV.SOCKET_PATCH_PROXY_URL is always undefined in production builds, and proxy configuration is never forwarded to socket-patch.

Fix in Cursor Fix in Web

packages/cli/src/utils/socket-patch/spawn.mts
return {
ok: true,
data: spawnResult.stdout?.toString() ?? '',
}
Copy link

@cursor cursor bot Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Local socket-patch spawn doesn't wait for process completion

High Severity

The local path case for spawning socket-patch doesn't properly await process completion. spawnNode returns a SpawnResult synchronously (per its type signature), and the result contains a spawnPromise that needs to be awaited to wait for the process to finish. Without awaiting spawnResult.spawnPromise, the function returns ok: true immediately while the subprocess may still be running or may have failed. The dlx case correctly awaits result.spawnPromise, and the similar spawnCoanaDlx function properly awaits the spawn result in its local path case. This could cause socket patch commands to report success before the actual patch operation completes or to miss failures.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jdalton