feat(fix): add --all flag to process all vulnerabilities

Ported from v1.x commit da83fa1 (#967)

- Add --all flag to process all discovered vulnerabilities in local mode
- Make --all incompatible with --id (mutually exclusive)
- Add deprecation warning when neither --all nor --id provided in local mode
- Update shouldDiscoverGhsaIds logic to check all || !ghsas.length
- Pass all flag through cmd-fix -> handle-fix -> coana-fix
- Update test fixtures to include all parameter

Based on PR #967

Author: jdalton

packages/cli/src/commands/fix/cmd-fix.mts

@@ -72,9 +72,15 @@ const generalFlags: MeowFlags = {
     default: true,
     description:
       'Allow major version updates. Use --no-major-updates to disable.',
-    // Hidden to allow custom documenting of the negated `--no-major-updates` variant.
+    // Hidden to allow custom documenting the negated `--no-major-updates` variant.
     hidden: true,
   },
+  all: {
+    type: 'boolean',
+    default: false,
+    description:
+      'Process all discovered vulnerabilities in local mode. Cannot be used with --id.',
+  },
   id: {
     type: 'string',
     default: [],
@@ -91,7 +97,7 @@ const generalFlags: MeowFlags = {
       'PURLs',
       'https://github.com/package-url/purl-spec',
     )} (e.g., pkg:npm/package@1.0.0) - automatically converted to GHSA
-    Can be provided as comma separated values or as multiple flags`,
+    Can be provided as comma separated values or as multiple flags. Cannot be used with --all.`,
     isMultiple: true,
   },
   limit: {
@@ -258,6 +264,7 @@ async function run(
   )
 
   const {
+    all,
     applyFixes,
     autopilot,
     exclude,
@@ -276,6 +283,7 @@ async function run(
     // socket-cli/patches/meow#13.2.0.patch.
     unknownFlags = [],
   } = cli.flags as unknown as {
+    all: boolean
     applyFixes: boolean
     autopilot: boolean
     exclude: string[]
@@ -303,6 +311,12 @@ async function run(
 
   const outputKind = getOutputKind(json, markdown)
 
+  const ghsas = arrayUnique([
+    ...cmdFlagValueToArray(cli.flags['id']),
+    ...cmdFlagValueToArray(cli.flags['ghsa']),
+    ...cmdFlagValueToArray(cli.flags['purl']),
+  ])
+
   const wasValidInput = checkCommandInput(
     outputKind,
     {
@@ -316,6 +330,12 @@ async function run(
       message: 'The json and markdown flags cannot be both set, pick one',
       fail: 'omit one',
     },
+    {
+      nook: true,
+      test: !all || !ghsas.length,
+      message: 'The --all and --id flags cannot be used together',
+      fail: 'omit one',
+    },
   )
   if (!wasValidInput) {
     return
@@ -344,16 +364,11 @@ async function run(
 
   const spinner = undefined
 
-  const ghsas = arrayUnique([
-    ...cmdFlagValueToArray(cli.flags['id']),
-    ...cmdFlagValueToArray(cli.flags['ghsa']),
-    ...cmdFlagValueToArray(cli.flags['purl']),
-  ])
-
   const includePatterns = cmdFlagValueToArray(include)
   const excludePatterns = cmdFlagValueToArray(exclude)
 
   await handleFix({
+    all,
     applyFixes,
     autopilot,
     cwd,

packages/cli/src/commands/fix/coana-fix.mts

@@ -71,6 +71,7 @@ export async function coanaFix(
   fixConfig: FixConfig,
 ): Promise<CResult<{ data?: unknown; fixed: boolean }>> {
   const {
+    all,
     applyFixes,
     autopilot,
     cwd,
@@ -145,13 +146,18 @@ export async function coanaFix(
     }
   }
 
-  const isAll =
-    !ghsas.length ||
-    (ghsas.length === 1 && (ghsas[0] === 'all' || ghsas[0] === 'auto'))
+  const shouldDiscoverGhsaIds = all || !ghsas.length
 
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo
 
   if (!shouldOpenPrs) {
+    // In local mode, if neither --all nor --id is provided, show deprecation warning.
+    if (shouldDiscoverGhsaIds && !all) {
+      logger.warn(
+        'Implicit --all is deprecated in local mode and will be removed in a future release. Please use --all explicitly.',
+      )
+    }
+
     // Inform user about local mode when fixes will be applied.
     if (applyFixes && ghsas.length) {
       const envCheck = checkCiEnvVars()
@@ -172,7 +178,7 @@ export async function coanaFix(
       }
     }
 
-    const ids = isAll ? ['all'] : ghsas.slice(0, limit)
+    const ids = shouldDiscoverGhsaIds ? ['all'] : ghsas.slice(0, limit)
     if (!ids.length) {
       spinner?.stop()
       return { ok: true, data: { fixed: false } }
@@ -262,9 +268,9 @@ export async function coanaFix(
 
   let ids: string[] | undefined
 
-  // When isAll is true, discover vulnerabilities by running coana with --output-file.
+  // When shouldDiscoverGhsaIds is true, discover vulnerabilities by running coana with --output-file.
   // This gives us the GHSA IDs needed to create individual PRs in CI mode.
-  if (shouldSpawnCoana && isAll) {
+  if (shouldSpawnCoana && shouldDiscoverGhsaIds) {
     const discoverTmpFile = path.join(
       os.tmpdir(),
       `socket-discover-${Date.now()}.json`,

packages/cli/src/commands/fix/handle-fix.mts

@@ -103,6 +103,7 @@ export async function convertIdsToGhsas(ids: string[]): Promise<string[]> {
 }
 
 export async function handleFix({
+  all,
   applyFixes,
   autopilot,
   cwd,
@@ -124,6 +125,7 @@ export async function handleFix({
 }: HandleFixConfig) {
   debug(`Starting fix command for ${orgSlug}`)
   debugDir({
+    all,
     applyFixes,
     autopilot,
     cwd,
@@ -144,6 +146,7 @@ export async function handleFix({
 
   await outputFixResult(
     await coanaFix({
+      all,
       applyFixes,
       autopilot,
       cwd,

packages/cli/src/commands/fix/types.mts

@@ -3,6 +3,7 @@ import type { RangeStyle } from '../../utils/semver.mts'
 import type { Spinner } from '@socketsecurity/lib/spinner'
 
 export type FixConfig = {
+  all: boolean
   applyFixes: boolean
   autopilot: boolean
   cwd: string

packages/cli/test/unit/commands/fix/handle-fix-limit.test.mts

@@ -123,6 +123,7 @@ vi.mock('node:fs', () => ({
 
 describe('socket fix --limit behavior verification', () => {
   const baseConfig: FixConfig = {
+    all: false,
     applyFixes: true,
     autopilot: false,
     cwd: '/test/cwd',