Pin @coana-tech/cli version; make reachability auto-update opt-in #230
Martin Torp (mtorp) wants to merge 4 commits into
Conversation

🚀 Preview package published! Install with: `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.4.7.dev6`
Docker image:
c92df38 to ee8e107
The Python CLI auto-updated the reachability (Coana) engine to the latest published version on every --reach run via `npm install -g @coana-tech/cli`. Automatically pulling a brand-new engine version without opting in is undesirable for environments that need to review/approve dependency updates before adopting them. Run a fixed, pinned version (DEFAULT_COANA_CLI_VERSION = 15.3.22) via `npx @coana-tech/cli@<pinned>` instead, so the engine version only changes through a standard pip upgrade of this CLI. Opt into newest with `--reach-version latest`; pin an explicit version with `--reach-version <semver>`. The global `npm install -g` step is dropped entirely, so an existing global install is never auto-updated or downgraded.
ee8e107 to adb2de7
Mirror the Socket Node CLI's coana launcher:

- Run the engine via `npx --yes --force` so the npx cache is bypassed; a corrupt or partial cache entry can no longer wedge a reachability run.
- Fall back to `npm install --no-save --prefix <tmp> @coana-tech/cli@<ver>` + `node <bin>` when the npx launcher is missing or dies before coana starts (spawn error / signal / exit >= 128). Small positive exit codes are treated as real coana failures and are not retried.
- Toggle with SOCKET_CLI_COANA_FORCE_NPM_INSTALL and SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK.
- Strip npm_package_* env vars before spawning coana to avoid E2BIG in large monorepos.

Kept on version 2.4.7 (same unreleased version as the pin change).
…npx wording

- M2: cache the npm-install fallback's resolved script path per version for the process lifetime (mirrors the Node CLI's installedCoanaScriptPathsByVersion), so a repeated fallback installs once instead of re-installing + leaking a temp dir each call.
- M3: surface a clear error when `node` is missing in the fallback (instead of an opaque FileNotFoundError after a costly npm install), and add `node` to the up-front prereq check.
- M1: correct the overstated 'npx --force disables the cache' wording in docstrings, docs, and CHANGELOG. The code already matches the Node CLI exactly (npx --yes --force); --force does not force a re-download of an already-cached pinned version, so the docs now describe what the flags actually do rather than claiming a cache bypass.

Adds tests for per-version caching, node-missing, and real _resolve_coana_bin / _build_coana_node_cmd parsing.
Oskar Haarklou Veileborg (BarrensZeppelin)
left a comment
LGTM ✅
| |:---------------------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------------------------| | ||
| | `--reach` | False | False | Enable reachability analysis to identify which vulnerable functions are actually called by your code. Creates a tier-1 full-application reachability scan (`scan_type=socket_tier1`). | | ||
| | `--reach-version` | False | latest | Version of @coana-tech/cli to use for analysis | | ||
| | `--reach-version` | False | *pinned* | Version of @coana-tech/cli to use. Defaults to the version pinned to this CLI release (currently `15.3.24`), so the engine only changes when you upgrade the Socket CLI. Pass `latest` to always use the newest published version (opt-in auto-update), or an explicit version (e.g. `1.2.3`) to pin it. | |
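Review bot: the new row hard-codes `15.3.24` in the docs while the authoritative value lives in `DEFAULT_COANA_CLI_VERSION`, so the two will drift on the next bump. Either generate the help text from the constant or add a unit test that checks `docs/cli-reference.md` for the constant's value, so CI fails on a stale "currently" reference instead of a reader noticing it later.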
What's the point of the Default column if it doesn't contain the default value?
| - `SOCKET_CLI_COANA_FORCE_NPM_INSTALL` — skip `npx` entirely and always use the `npm install` + `node` path (useful where `npx` is known-broken). | ||
| - `SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK` — never fall back; surface the `npx` failure directly. |
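Review bot: neither line says what value switches the variable on (`1`? any non-empty string?) nor what happens when both are exported at once. State the accepted values and the precedence (or reject the combination), otherwise an operator who sets `SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK=0` expecting "off" may get the opposite behaviour.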
These env variables seem related, so maybe they should be merged into one with two possible values?
| # Pinned @coana-tech/cli version. Bumped deliberately per Python CLI release so the | ||
| # reachability engine version only changes through a standard pip upgrade (advance notice). | ||
| # Pass --reach-version latest to opt into the newest published version instead. | ||
| DEFAULT_COANA_CLI_VERSION = "15.3.24" |
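Review bot: nothing enforces that this constant is a concrete version. Since `latest` is an accepted `--reach-version` value elsewhere, a future edit to `"latest"` here would silently reintroduce the auto-update this PR removes; a small unit test asserting the default matches a semver pattern (and is not `latest`) makes the "no silent auto-update" guarantee checkable.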
| DEFAULT_COANA_CLI_VERSION = "15.3.24" | |
| DEFAULT_COANA_CLI_VERSION: Final = "15.3.24" |
Requires updating the `from typing import ...` import above.
| Resolve the @coana-tech/cli package spec to run with npx. | ||
|
|
||
| We pass an exact, versioned spec to npx so it runs a deterministic version from its | ||
| own cache (fetching once if absent). We intentionally do NOT ``npm install -g`` here: |
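Review bot: "an exact, versioned spec ... a deterministic version" only holds for the pinned default and explicit versions; with `--reach-version latest` the spec is the `latest` dist-tag and npx resolves whatever is newest at run time. Qualify the sentence, e.g. "a versioned spec, or the `latest` dist-tag when the user opts in", so the docstring does not promise determinism the opt-in path cannot give.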
Why would we run `npm install -g` here in the first place?
| return self._spawn_coana_via_npm_install(coana_args, effective_version, coana_env, cwd) | ||
|
|
||
| package_spec = f"@coana-tech/cli@{effective_version}" | ||
| # --yes skips npx's install confirmation; --force matches the Node CLI's coana flags. |
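Review bot: `effective_version` is interpolated into the package spec without being validated, so a value that is neither a semver nor `latest` reaches npx unchanged and fails with npm's own, less helpful error (the test further down passes `" 1.2.3 "` with padding, which shows the input is not guaranteed clean). Strip whitespace and match the value against a simple semver-or-`latest` pattern in `_resolve_coana_package_spec`, raising a clear usage error on mismatch.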
This is duplicated in the docstring.
| reachability._INSTALLED_COANA_SCRIPT_PATHS.clear() | ||
| yield | ||
| reachability._INSTALLED_COANA_SCRIPT_PATHS.clear() | ||
|
|
| reachability._INSTALLED_COANA_SCRIPT_PATHS.clear() | |
| yield | |
| reachability._INSTALLED_COANA_SCRIPT_PATHS.clear() | |
| reachability._INSTALLED_COANA_SCRIPT_PATHS.clear() | |
| try: | |
| yield | |
| finally: | |
| reachability._INSTALLED_COANA_SCRIPT_PATHS.clear() |
| def test_resolve_spec_defaults_to_pinned_version(analyzer): | ||
| """No --reach-version -> pinned DEFAULT_COANA_CLI_VERSION (no auto-update).""" | ||
| assert ( | ||
| analyzer._resolve_coana_package_spec(None) | ||
| == f"@coana-tech/cli@{DEFAULT_COANA_CLI_VERSION}" | ||
| ) | ||
|
|
||
|
|
||
| def test_resolve_spec_pins_explicit_version(analyzer): | ||
| assert analyzer._resolve_coana_package_spec("1.2.3") == "@coana-tech/cli@1.2.3" | ||
|
|
||
|
|
||
| def test_resolve_spec_latest_opt_in(analyzer): | ||
| """'latest' opts into the newest published version.""" | ||
| assert analyzer._resolve_coana_package_spec("latest") == "@coana-tech/cli@latest" | ||
|
|
||
|
|
||
| def test_resolve_spec_is_always_versioned(analyzer): | ||
| """Never the bare '@coana-tech/cli' (which would let npx pick a stray global version).""" | ||
| for version in (None, "latest", "1.2.3", " 1.2.3 "): | ||
| assert analyzer._resolve_coana_package_spec(version).startswith("@coana-tech/cli@") | ||
|
|
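Review bot: `test_resolve_spec_is_always_versioned` only checks the `@coana-tech/cli@` prefix, so a result of `@coana-tech/cli@ 1.2.3 ` (padding kept) would pass while npx would reject it. Assert the full string for the padded case, e.g. `assert analyzer._resolve_coana_package_spec(" 1.2.3 ") == "@coana-tech/cli@1.2.3"`, so the test actually pins the trimming behaviour.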
Use `pytest.mark.parametrize`.
| def test_npx_runs_pinned_version_by_default(analyzer, mocker): | ||
| cmd, _ = _run(analyzer, mocker) | ||
| assert _spec_in(cmd) == f"@coana-tech/cli@{DEFAULT_COANA_CLI_VERSION}" | ||
|
|
||
|
|
||
| def test_npx_runs_explicit_version(analyzer, mocker): | ||
| cmd, _ = _run(analyzer, mocker, version="9.9.9") | ||
| assert _spec_in(cmd) == "@coana-tech/cli@9.9.9" | ||
|
|
||
|
|
||
| def test_npx_runs_latest_when_opted_in(analyzer, mocker): | ||
| cmd, _ = _run(analyzer, mocker, version="latest") | ||
| assert _spec_in(cmd) == "@coana-tech/cli@latest" |
Same
| # --- npm-install + node fallback (when the npx launcher fails before coana starts) --- | ||
|
|
||
|
|
||
| def test_launcher_failure_heuristic(): |
Same
| # Resolved @coana-tech/cli script paths from the npm-install fallback, keyed by version. | ||
| # Lives for the process lifetime so repeated fallback invocations install only once | ||
| # (mirrors the Node CLI's installedCoanaScriptPathsByVersion). | ||
| _INSTALLED_COANA_SCRIPT_PATHS: Dict[str, str] = {} |
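Review bot: because the cache is keyed by the requested version string, a `latest` entry is resolved once and reused for the rest of the process, so a long-lived process that asked for `latest` will keep the first publish it installed. That is a reasonable trade-off, but the comment should say so, and `latest` entries are the ones most worth evicting (together with their temp dirs) at exit.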
Do we want to clean these up afterwards? Python has `atexit.register`.
Why

The Python CLI auto-updated the reachability (Coana) engine to the latest published version on every `--reach` run via `npm install -g @coana-tech/cli`. Automatically pulling a brand-new engine version — without the operator opting in — is undesirable for environments that need to review/approve dependency updates before adopting them. This makes the engine version explicit and opt-in, and aligns the launcher behavior with the Socket Node CLI.

What changed

Pin the engine version (no silent auto-update)

- `@coana-tech/cli` version baked into the release (`DEFAULT_COANA_CLI_VERSION = 15.3.24`, matching the Node CLI's pin). The engine version changes only through a standard `pip` upgrade of this CLI.
- `npm install -g @coana-tech/cli` step (the auto-update) is removed entirely. An existing global install is left untouched — never auto-updated or downgraded.
- `--reach-version latest`; pin an explicit version with `--reach-version <semver>`.

Launcher (parity with the Socket Node CLI's `dlx` path)

- `npx --yes --force @coana-tech/cli@<ver> …` — the exact flags the Node CLI passes for coana. `--yes` skips npx's interactive install prompt so non-interactive/CI runs don't hang. (Note: `--force` does not force a re-download of an already-cached pinned version; it mirrors the Node CLI's flags rather than bypassing the cache.)
- `npm install` + `node` fallback: if the `npx` launcher is missing or dies before the engine starts (spawn error / signal / exit ≥128), fall back to `npm install --no-save --no-package-lock --no-audit --no-fund --prefix <tmpdir> @coana-tech/cli@<ver>`, resolve the `bin` from the installed `package.json`, and run via `node`. Small positive exit codes are real engine failures and are not retried. The resolved install is cached per version for the process lifetime (installs once).
- `SOCKET_CLI_COANA_FORCE_NPM_INSTALL` (use the fallback as the primary path) and `SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK` (never fall back).
- `node` is now part of the up-front prerequisite check. Strips `npm_package_*` env vars before spawning to avoid `E2BIG` in large monorepos.

Docs / changelog

- `--reach-version` help, `docs/cli-reference.md`, and `CHANGELOG.md` (2.4.7).

Tests

- `tests/unit/test_reachability.py` (29 tests): spec resolution, the `--yes --force` flags, `npm_package_*` stripping, the launcher-failure heuristic, every fallback branch (launcher failure / missing `npx` / `FORCE_NPM_INSTALL` / `DISABLE_NPM_FALLBACK`), per-version install caching, the `node`-missing error, and real `_resolve_coana_bin` / `_build_coana_node_cmd` parsing. Full unit suite: 282 passed, 2 (pre-existing, unrelated) skips.

Review

A comprehensive automated review was run on this PR; its Major findings (accurate npx-cache wording, a per-version fallback cache to avoid temp-dir leak / re-install, and a clear error + prereq for a missing `node`) have been addressed in the latest commit.

Maintenance note

`DEFAULT_COANA_CLI_VERSION` is a deliberate, reviewable bump per release rather than an implicit "always latest". Reviewers should expect to update it (and the `currently 15.3.24` references in the docs/CHANGELOG) together.
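The spec resolution, launcher-failure heuristic and `npm_package_*` stripping that the description and commit messages above outline, as an added stand-alone illustration that is not the Socket CLI's own code: every function name and the version pattern are assumptions, and only the pinned value is taken from the diff.

```python
import re
from typing import Dict, List, Optional

DEFAULT_COANA_CLI_VERSION = "15.3.24"  # value from the PR diff; everything else is illustrative
# Accept 'latest' or a plain semver (optional pre-release/build suffix); nothing else.
_VERSION_RE = re.compile(r"^(?:latest|\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$")


def is_valid_reach_version(value: str) -> bool:
    """True when the value is a semver string or the 'latest' dist-tag."""
    return bool(_VERSION_RE.match(value.strip()))


def resolve_coana_package_spec(requested: Optional[str]) -> str:
    """Always return a versioned spec (never the bare package name).
    None/empty -> pinned default; 'latest' -> explicit opt-in; else a semver.
    """
    version = (requested or DEFAULT_COANA_CLI_VERSION).strip()
    if not is_valid_reach_version(version):
        raise ValueError(f"--reach-version must be a semver or 'latest', got {requested!r}")
    return f"@coana-tech/cli@{version}"


def build_npx_cmd(spec: str, coana_args: List[str]) -> List[str]:
    """`npx --yes --force <spec> ...`: --yes suppresses the install prompt in CI."""
    return ["npx", "--yes", "--force", spec, *coana_args]


def build_npm_install_cmd(spec: str, prefix: str) -> List[str]:
    """Fallback install into a throwaway prefix, with the flags the PR lists."""
    return ["npm", "install", "--no-save", "--no-package-lock", "--no-audit",
            "--no-fund", "--prefix", prefix, spec]


def is_launcher_failure(returncode: Optional[int]) -> bool:
    """True when the launcher itself died before coana started.
    None = spawn error, negative = killed by a signal (as subprocess reports
    it), >= 128 = signal as shells report it. Small positive exit codes are
    coana's own failures and must not be retried through the fallback.
    """
    if returncode is None:
        return True
    return returncode < 0 or returncode >= 128


def strip_npm_package_env(env: Dict[str, str]) -> Dict[str, str]:
    """Drop npm_package_* vars inherited from an npm script (avoids E2BIG)."""
    return {k: v for k, v in env.items() if not k.startswith("npm_package_")}
```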