feat(fix): add --ecosystems flag and rename --limit to --pr-limit

jdalton · jdalton · commit 489eabdb8c7f · 2025-12-09T14:04:37.000-05:00
Ported from v1.x commit 39a114d (#960) - Add --ecosystems flag to limit fix analysis to specific package ecosystems - Rename --limit to --prLimit for clarity (only affects CI/PR mode) - In local mode, process all discovered/provided IDs without limit - Update types, handlers, and tests to use prLimit and ecosystems - Add ecosystem validation with getEcosystemChoicesForMeow() Based on PR #960
diff --git a/packages/cli/src/commands/fix/cmd-fix.mts b/packages/cli/src/commands/fix/cmd-fix.mts
@@ -2,13 +2,14 @@ import path from 'node:path'
 
 import terminalLink from 'terminal-link'
 
-import { arrayUnique, joinOr } from '@socketsecurity/lib/arrays'
+import { arrayUnique, joinAnd, joinOr } from '@socketsecurity/lib/arrays'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
 import { handleFix } from './handle-fix.mts'
 import { DRY_RUN_NOT_SAVING, FLAG_ID } from '../../constants/cli.mts'
 import { ERROR_UNABLE_RESOLVE_ORG } from '../../constants/errors.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
+import { getEcosystemChoicesForMeow } from '../../utils/ecosystem/types.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
 import {
   getFlagApiRequirementsOutput,
@@ -20,6 +21,7 @@ import { RangeStyles } from '../../utils/semver.mts'
 import { checkCommandInput } from '../../utils/validation/check-input.mts'
 import { getDefaultOrgSlug } from '../ci/fetch-default-org-slug.mts'
 
+import type { PURL_Type } from '../../utils/ecosystem/types.mts'
 import type { MeowFlag, MeowFlags } from '../../flags.mts'
 import type {
   CliCommandConfig,
@@ -81,6 +83,13 @@ const generalFlags: MeowFlags = {
     description:
       'Process all discovered vulnerabilities in local mode. Cannot be used with --id.',
   },
+  ecosystems: {
+    type: 'string',
+    default: [],
+    description:
+      'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
+    isMultiple: true,
+  },
   id: {
     type: 'string',
     default: [],
@@ -100,10 +109,10 @@ const generalFlags: MeowFlags = {
     Can be provided as comma separated values or as multiple flags. Cannot be used with --all.`,
     isMultiple: true,
   },
-  limit: {
+  prLimit: {
     type: 'number',
     default: DEFAULT_LIMIT,
-    description: `The number of fixes to attempt at a time (default ${DEFAULT_LIMIT})`,
+    description: `Maximum number of pull requests to create in CI mode (default ${DEFAULT_LIMIT}). Has no effect in local mode.`,
   },
   rangeStyle: {
     type: 'string',
@@ -267,16 +276,17 @@ async function run(
     all,
     applyFixes,
     autopilot,
+    ecosystems,
     exclude,
     include,
     json,
-    limit,
     majorUpdates,
     markdown,
     maxSatisfying,
     minimumReleaseAge,
     outputFile,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     // We patched in this feature with `npx custompatch meow` at
@@ -286,17 +296,18 @@ async function run(
     all: boolean
     applyFixes: boolean
     autopilot: boolean
+    ecosystems: string[]
     exclude: string[]
     include: string[]
     json: boolean
-    limit: number
     majorUpdates: boolean
     markdown: boolean
     maxSatisfying: boolean
     minSatisfying: boolean
     minimumReleaseAge: string
     outputFile: string
     prCheck: boolean
+    prLimit: number
     rangeStyle: RangeStyle
     showAffectedDirectDependencies: boolean
     unknownFlags?: string[]
@@ -311,6 +322,23 @@ async function run(
 
   const outputKind = getOutputKind(json, markdown)
 
+  // Process comma-separated values for ecosystems flag.
+  const ecosystemsRaw = cmdFlagValueToArray(ecosystems)
+
+  // Validate ecosystem values early, before dry-run check.
+  const validatedEcosystems: PURL_Type[] = []
+  const validEcosystemChoices = getEcosystemChoicesForMeow()
+  for (const ecosystem of ecosystemsRaw) {
+    if (!validEcosystemChoices.includes(ecosystem)) {
+      logger.fail(
+        `Invalid ecosystem: "${ecosystem}". Valid values are: ${joinAnd(validEcosystemChoices)}`,
+      )
+      process.exitCode = 1
+      return
+    }
+    validatedEcosystems.push(ecosystem as PURL_Type)
+  }
+
   const ghsas = arrayUnique([
     ...cmdFlagValueToArray(cli.flags['id']),
     ...cmdFlagValueToArray(cli.flags['ghsa']),
@@ -373,16 +401,17 @@ async function run(
     autopilot,
     cwd,
     disableMajorUpdates,
+    ecosystems: validatedEcosystems,
     exclude: excludePatterns,
     ghsas,
     include: includePatterns,
-    limit,
     minimumReleaseAge,
     minSatisfying,
     orgSlug,
     outputFile,
     outputKind,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     spinner,
diff --git a/packages/cli/src/commands/fix/coana-fix.mts b/packages/cli/src/commands/fix/coana-fix.mts
@@ -76,14 +76,15 @@ export async function coanaFix(
     autopilot,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     ghsas,
     include,
-    limit,
     minimumReleaseAge,
     orgSlug,
     outputFile,
     outputKind,
+    prLimit,
     showAffectedDirectDependencies,
     spinner,
   } = fixConfig
@@ -178,7 +179,8 @@ export async function coanaFix(
       }
     }
 
-    const ids = shouldDiscoverGhsaIds ? ['all'] : ghsas.slice(0, limit)
+    // In local mode, process all discovered/provided IDs (no limit).
+    const ids = shouldDiscoverGhsaIds ? ['all'] : ghsas
     if (!ids.length) {
       spinner?.stop()
       return { ok: true, data: { fixed: false } }
@@ -241,8 +243,8 @@ export async function coanaFix(
     }
   }
 
-  // Adjust limit based on open Socket Fix PRs.
-  let adjustedLimit = limit
+  // Adjust PR limit based on open Socket Fix PRs.
+  let adjustedLimit = prLimit
   if (shouldOpenPrs && fixEnv.repoInfo) {
     try {
       const openPrs = await getSocketFixPrs(
@@ -252,10 +254,10 @@ export async function coanaFix(
       )
       const openPrCount = openPrs.length
       // Reduce limit by number of open PRs to avoid creating too many.
-      adjustedLimit = Math.max(0, limit - openPrCount)
+      adjustedLimit = Math.max(0, prLimit - openPrCount)
       if (openPrCount > 0) {
         debug(
-          `limit: adjusted from ${limit} to ${adjustedLimit} (${openPrCount} open Socket Fix ${pluralize('PR', { count: openPrCount })}`,
+          `prLimit: adjusted from ${prLimit} to ${adjustedLimit} (${openPrCount} open Socket Fix ${pluralize('PR', { count: openPrCount })}`,
         )
       }
     } catch (e) {
diff --git a/packages/cli/src/commands/fix/handle-fix.mts b/packages/cli/src/commands/fix/handle-fix.mts
@@ -108,16 +108,17 @@ export async function handleFix({
   autopilot,
   cwd,
   disableMajorUpdates,
+  ecosystems,
   exclude,
   ghsas,
   include,
-  limit,
   minSatisfying,
   minimumReleaseAge,
   orgSlug,
   outputFile,
   outputKind,
   prCheck,
+  prLimit,
   rangeStyle,
   showAffectedDirectDependencies,
   spinner,
@@ -130,15 +131,16 @@ export async function handleFix({
     autopilot,
     cwd,
     disableMajorUpdates,
+    ecosystems,
     exclude,
     ghsas,
     include,
-    limit,
     minSatisfying,
     minimumReleaseAge,
     outputFile,
     outputKind,
     prCheck,
+    prLimit,
     rangeStyle,
     showAffectedDirectDependencies,
     unknownFlags,
@@ -151,17 +153,18 @@ export async function handleFix({
       autopilot,
       cwd,
       disableMajorUpdates,
+      ecosystems,
       exclude,
       // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
       ghsas: await convertIdsToGhsas(ghsas),
       include,
-      limit,
       minimumReleaseAge,
       minSatisfying,
       orgSlug,
       outputFile,
       outputKind,
       prCheck,
+      prLimit,
       rangeStyle,
       showAffectedDirectDependencies,
       spinner,
diff --git a/packages/cli/src/commands/fix/types.mts b/packages/cli/src/commands/fix/types.mts
@@ -1,3 +1,4 @@
+import type { PURL_Type } from '../../utils/ecosystem/types.mts'
 import type { OutputKind } from '../../types.mts'
 import type { RangeStyle } from '../../utils/semver.mts'
 import type { Spinner } from '@socketsecurity/lib/spinner'
@@ -8,16 +9,17 @@ export type FixConfig = {
   autopilot: boolean
   cwd: string
   disableMajorUpdates: boolean
+  ecosystems: PURL_Type[]
   exclude: string[]
   ghsas: string[]
   include: string[]
-  limit: number
   minimumReleaseAge: string
   minSatisfying: boolean
   orgSlug: string
   outputFile: string
   outputKind: OutputKind
   prCheck: boolean
+  prLimit: number
   rangeStyle: RangeStyle
   showAffectedDirectDependencies: boolean
   spinner: Spinner | undefined
diff --git a/packages/cli/test/unit/commands/fix/handle-fix-limit.test.mts b/packages/cli/test/unit/commands/fix/handle-fix-limit.test.mts
@@ -128,16 +128,17 @@ describe('socket fix --limit behavior verification', () => {
     autopilot: false,
     cwd: '/test/cwd',
     disableMajorUpdates: false,
+    ecosystems: [],
     exclude: [],
     ghsas: [],
     include: [],
-    limit: 10,
     minSatisfying: false,
     minimumReleaseAge: '',
     orgSlug: 'test-org',
     outputFile: '',
     outputKind: 'text',
     prCheck: true,
+    prLimit: 10,
     rangeStyle: 'preserve',
     showAffectedDirectDependencies: false,
     spinner: undefined,
