@jdalton jdalton commented Jan 12, 2026

Migrate patch command to use external socket-patch@1.2.0 package.


Note

Shifts patch functionality to the external Socket Patch CLI and wires up version/env plumbing.

  • socket patch now forwards all args to @socketsecurity/socket-patch@1.2.0 via spawnSocketPatch (DLX or local override)
  • Adds socket-patch to external-tools.json and inlined build metadata INLINED_SOCKET_CLI_SOCKET_PATCH_VERSION
  • New env helpers: getSocketPatchVersion, SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH; exports integrated in constants/env.mts
  • New spawn util utils/socket-patch/spawn.mts passes org slug, API token, and proxy to the external CLI
  • Tightens env getters for Coana/SFW to throw if versions are missing
  • Moves prior patch implementation to commands/patch-old/* for reference/compatibility
  • Changelog updated under Unreleased to reflect the migration

Written by Cursor Bugbot for commit 69011b8.


@cursor cursor bot left a comment


Comment @cursor review or bugbot run to trigger another review on this PR


if (!result.ok) {
process.exitCode = 1
}

Error messages silently discarded on spawn failure

Medium Severity

When spawnSocketPatch fails (e.g., network error downloading the package, invalid local path, permission issues), the error message is captured in result.message but never displayed to the user. The code only sets process.exitCode = 1 without outputting the error. Other commands in the codebase properly handle this by calling logger.fail() with the message. Users will experience silent failures with exit code 1 but no explanation of what went wrong.


@jdalton jdalton force-pushed the feat/migrate-to-socket-patch branch 7 times, most recently from ba8a337 to aee59b7 on January 12, 2026 20:19
@jdalton jdalton force-pushed the feat/migrate-to-socket-patch branch 2 times, most recently from 453e76a to 174fe73 on January 12, 2026 20:59
@jdalton jdalton force-pushed the feat/migrate-to-socket-patch branch from 174fe73 to 92f1cca on January 12, 2026 21:11
- Replace 'info' test (removed command) with 'scan' (renamed from discover)
- Replace 'discover' test with 'scan' (renamed)
- Replace 'download' test with 'get' (download is alias)
- Replace 'cleanup' test with 'repair' (renamed)
- Replace 'rm' test with 'remove' (renamed)

These changes align tests with socket-patch v1.2.0 command structure.

Resolved conflict in CHANGELOG.md by keeping all changes:
- Changed: Updated to @socketsecurity/socket-patch@1.2.0
- Changed: Updated Coana CLI to v14.12.148
- Fixed: Heap overflow prevention in large monorepo scans

Version getters should fail if environment variables aren't set,
even in test mode, because values should be properly defined in
external-tools.json.

Removed tests for commands not in socket-patch v1.2.0:
- cleanup (obsolete, repair is the actual command)
- discover (obsolete, scan is the actual command)
- info (obsolete, merged into get command)
- download (obsolete, alias of get command)

Renamed:
- cmd-patch-rm.test.mts → cmd-patch-remove.test.mts

socket-patch v1.2.0 actual commands: get, apply, rollback, remove, list, scan, setup, repair

Added INLINED_SOCKET_CLI_COANA_VERSION, INLINED_SOCKET_CLI_SFW_VERSION,
and INLINED_SOCKET_CLI_SOCKET_PATCH_VERSION to .env.test so unit tests
can access these values without going through the build process.
@jdalton jdalton force-pushed the feat/migrate-to-socket-patch branch from 0d338b4 to 85db681 on January 13, 2026 01:30