add --no-major-updates and --show-affected-direct-dependencies flags

Author: mtorp

src/commands/fix/cmd-fix.mts

@@ -61,6 +61,14 @@ const generalFlags: MeowFlags = {
     // Hidden to allow custom documenting of the negated `--no-apply-fixes` variant.
     hidden: true,
   },
+  majorUpdates: {
+    type: 'boolean',
+    default: true,
+    description:
+      'Allow major version updates. Use --no-major-updates to disable.',
+    // Hidden to allow custom documenting of the negated `--no-major-updates` variant.
+    hidden: true,
+  },
   id: {
     type: 'string',
     default: [],
@@ -106,6 +114,12 @@ Available styles:
     description:
       'Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.',
   },
+  showAffectedDirectDependencies: {
+    type: 'boolean',
+    default: false,
+    description:
+      'List the direct dependencies responsible for introducing transitive vulnerabilities and list the updates required to resolve the vulnerabilities',
+  },
 }
 
 const hiddenFlags: MeowFlags = {
@@ -197,6 +211,13 @@ async function run(
           ...config.flags['applyFixes'],
           hidden: false,
         } as MeowFlag,
+        // Explicitly document the negated --no-major-updates variant.
+        noMajorUpdates: {
+          ...config.flags['majorUpdates'],
+          description:
+            'Do not suggest or apply fixes that require major version updates of direct or transitive dependencies',
+          hidden: false,
+        } as MeowFlag,
       })}
 
     Environment Variables (for CI/PR mode)
@@ -228,12 +249,14 @@ async function run(
     glob,
     json,
     limit,
+    majorUpdates,
     markdown,
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
     prCheck,
     rangeStyle,
+    showAffectedDirectDependencies,
     // We patched in this feature with `npx custompatch meow` at
     // socket-cli/patches/meow#13.2.0.patch.
     unknownFlags = [],
@@ -243,11 +266,13 @@ async function run(
     glob: string
     limit: number
     json: boolean
+    majorUpdates: boolean
     markdown: boolean
     maxSatisfying: boolean
     minSatisfying: boolean
     prCheck: boolean
     rangeStyle: RangeStyle
+    showAffectedDirectDependencies: boolean
     unknownFlags?: string[]
     outputFile: string
     minimumReleaseAge: string
@@ -258,6 +283,8 @@ async function run(
   const minSatisfying =
     (cli.flags['minSatisfying'] as boolean) || !maxSatisfying
 
+  const disableMajorUpdates = !majorUpdates
+
   const outputKind = getOutputKind(json, markdown)
 
   const wasValidInput = checkCommandInput(
@@ -311,6 +338,7 @@ async function run(
     autopilot,
     applyFixes,
     cwd,
+    disableMajorUpdates,
     ghsas,
     glob,
     limit,
@@ -320,6 +348,7 @@ async function run(
     orgSlug,
     outputKind,
     rangeStyle,
+    showAffectedDirectDependencies,
     spinner,
     unknownFlags,
     outputFile,

src/commands/fix/cmd-fix.test.mts

@@ -182,11 +182,13 @@ describe('socket fix', async () => {
             --markdown          Output as Markdown
             --minimum-release-age  Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.
             --no-apply-fixes    Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
+            --no-major-updates  Do not suggest or apply fixes that require major version updates of direct or transitive dependencies
             --output-file       Path to store upgrades as a JSON file at this path.
             --range-style       Define how dependency version ranges are updated in package.json (default 'preserve').
                                 Available styles:
                                   * pin - Use the exact version (e.g. 1.2.3)
                                   * preserve - Retain the existing version range style as-is
+            --show-affected-direct-dependencies  List the direct dependencies responsible for introducing transitive vulnerabilities and list the updates required to resolve the vulnerabilities
 
           Environment Variables (for CI/PR mode)
             CI                          Set to enable CI mode
@@ -377,6 +379,57 @@ describe('socket fix', async () => {
     },
   )
 
+  cmdit(
+    [
+      'fix',
+      FLAG_DRY_RUN,
+      '--no-major-updates',
+      FLAG_CONFIG,
+      '{"apiToken":"fakeToken"}',
+    ],
+    'should accept --no-major-updates flag',
+    async cmd => {
+      const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+      expect(code, 'should exit with code 0').toBe(0)
+    },
+  )
+
+  cmdit(
+    [
+      'fix',
+      FLAG_DRY_RUN,
+      '--show-affected-direct-dependencies',
+      FLAG_CONFIG,
+      '{"apiToken":"fakeToken"}',
+    ],
+    'should accept --show-affected-direct-dependencies flag',
+    async cmd => {
+      const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+      expect(code, 'should exit with code 0').toBe(0)
+    },
+  )
+
+  cmdit(
+    [
+      'fix',
+      FLAG_DRY_RUN,
+      '--no-major-updates',
+      '--show-affected-direct-dependencies',
+      '--limit',
+      '5',
+      FLAG_CONFIG,
+      '{"apiToken":"fakeToken"}',
+    ],
+    'should accept new flags in combination',
+    async cmd => {
+      const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+      expect(code, 'should exit with code 0').toBe(0)
+    },
+  )
+
   cmdit(
     [
       'fix',

src/commands/fix/coana-fix.mts

@@ -46,12 +46,14 @@ export async function coanaFix(
     applyFixes,
     autopilot,
     cwd,
+    disableMajorUpdates,
     ghsas,
     glob,
     limit,
     minimumReleaseAge,
     orgSlug,
     outputFile,
+    showAffectedDirectDependencies,
     spinner,
   } = fixConfig
 
@@ -149,6 +151,10 @@ export async function coanaFix(
         ...(glob ? ['--glob', glob] : []),
         ...(!applyFixes ? [FLAG_DRY_RUN] : []),
         ...(outputFile ? ['--output-file', outputFile] : []),
+        ...(disableMajorUpdates ? ['--disable-major-updates'] : []),
+        ...(showAffectedDirectDependencies
+          ? ['--show-affected-direct-dependencies']
+          : []),
         ...fixConfig.unknownFlags,
       ],
       fixConfig.orgSlug,
@@ -202,6 +208,10 @@ export async function coanaFix(
           ? ['--minimum-release-age', minimumReleaseAge]
           : []),
         ...(glob ? ['--glob', glob] : []),
+        ...(disableMajorUpdates ? ['--disable-major-updates'] : []),
+        ...(showAffectedDirectDependencies
+          ? ['--show-affected-direct-dependencies']
+          : []),
         ...fixConfig.unknownFlags,
       ],
       fixConfig.orgSlug,
@@ -262,6 +272,10 @@ export async function coanaFix(
           ? ['--minimum-release-age', minimumReleaseAge]
           : []),
         ...(glob ? ['--glob', glob] : []),
+        ...(disableMajorUpdates ? ['--disable-major-updates'] : []),
+        ...(showAffectedDirectDependencies
+          ? ['--show-affected-direct-dependencies']
+          : []),
         ...fixConfig.unknownFlags,
       ],
       fixConfig.orgSlug,

src/commands/fix/handle-fix.mts

@@ -102,6 +102,7 @@ export async function handleFix({
   applyFixes,
   autopilot,
   cwd,
+  disableMajorUpdates,
   ghsas,
   glob,
   limit,
@@ -112,13 +113,15 @@ export async function handleFix({
   outputKind,
   prCheck,
   rangeStyle,
+  showAffectedDirectDependencies,
   spinner,
   unknownFlags,
 }: HandleFixConfig) {
   debugFn('notice', `Starting fix command for ${orgSlug}`)
   debugDir('inspect', {
     autopilot,
     cwd,
+    disableMajorUpdates,
     ghsas,
     glob,
     limit,
@@ -128,6 +131,7 @@ export async function handleFix({
     outputKind,
     prCheck,
     rangeStyle,
+    showAffectedDirectDependencies,
     unknownFlags,
   })
 
@@ -136,6 +140,7 @@ export async function handleFix({
       autopilot,
       applyFixes,
       cwd,
+      disableMajorUpdates,
       // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only
       ghsas: await convertIdsToGhsas(ghsas),
       glob,
@@ -145,6 +150,7 @@ export async function handleFix({
       orgSlug,
       prCheck,
       rangeStyle,
+      showAffectedDirectDependencies,
       spinner,
       unknownFlags,
       outputFile,

src/commands/fix/types.mts

@@ -5,6 +5,7 @@ export type FixConfig = {
   autopilot: boolean
   applyFixes: boolean
   cwd: string
+  disableMajorUpdates: boolean
   ghsas: string[]
   glob: string
   limit: number
@@ -13,6 +14,7 @@ export type FixConfig = {
   orgSlug: string
   prCheck: boolean
   rangeStyle: RangeStyle
+  showAffectedDirectDependencies: boolean
   spinner: Spinner | undefined
   unknownFlags: string[]
   outputFile: string