add --all flag for socket fix and make it incompatible with --id (#967)

implicitly use `--all` if no `--id` but warn that this is deprecated in local mode

Author: jfblaa

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.43](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.43) - 2025-12-08
+
+### Added
+- Added `--all` flag to `socket fix` for explicitly processing all vulnerabilities in local mode. Cannot be used with `--id`.
+
+### Deprecated
+- Running `socket fix` in local mode without `--all` or `--id` is deprecated. A warning is shown when neither flag is provided. In a future release, one of these flags will be required.
+
 ## [1.1.42](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.42) - 2025-12-04
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.42",
+  "version": "1.1.43",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",

src/commands/fix/cmd-fix.integration.test.mts

@@ -164,6 +164,7 @@ describe('socket fix', async () => {
             - Permissions: full-scans:create and packages:list
 
           Options
+            --all               Process all discovered vulnerabilities in local mode. Cannot be used with --id.
             --autopilot         Enable auto-merge for pull requests that Socket opens.
                                 See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
             --ecosystems        Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.
@@ -173,7 +174,7 @@ describe('socket fix', async () => {
                                     - GHSA IDs (https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids) (e.g., GHSA-xxxx-xxxx-xxxx)
                                     - CVE IDs (https://cve.mitre.org/cve/identifiers/) (e.g., CVE-2025-1234) - automatically converted to GHSA
                                     - PURLs (https://github.com/package-url/purl-spec) (e.g., pkg:npm/[email protected]) - automatically converted to GHSA
-                                    Can be provided as comma separated values or as multiple flags
+                                    Can be provided as comma separated values or as multiple flags. Cannot be used with --all.
             --include           Include workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags
             --json              Output as JSON
             --markdown          Output as Markdown
@@ -1127,6 +1128,55 @@ describe('socket fix', async () => {
     )
   })
 
+  describe('--all flag behavior', () => {
+    cmdit(
+      ['fix', FLAG_DRY_RUN, '--all', FLAG_CONFIG, '{"apiToken":"fakeToken"}'],
+      'should accept --all flag',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--all',
+        FLAG_ID,
+        'GHSA-1234-5678-9abc',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should fail when --all and --id are used together',
+      async cmd => {
+        const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
+        const output = stdout + stderr
+        expect(output).toContain('--all and --id flags cannot be used together')
+        expect(code, 'should exit with non-zero code').not.toBe(0)
+      },
+    )
+
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--all',
+        '--ecosystems',
+        'npm',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should accept --all with --ecosystems',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+  })
+
   describe('--id flag behavior', () => {
     cmdit(
       [

src/commands/fix/cmd-fix.mts

@@ -95,6 +95,12 @@ const generalFlags: MeowFlags = {
     // Hidden to allow custom documenting of the negated `--no-major-updates` variant.
     hidden: true,
   },
+  all: {
+    type: 'boolean',
+    default: false,
+    description:
+      'Process all discovered vulnerabilities in local mode. Cannot be used with --id.',
+  },
   id: {
     type: 'string',
     default: [],
@@ -111,7 +117,7 @@ const generalFlags: MeowFlags = {
       'PURLs',
       'https://github.com/package-url/purl-spec',
     )} (e.g., pkg:npm/[email protected]) - automatically converted to GHSA
-    Can be provided as comma separated values or as multiple flags`,
+    Can be provided as comma separated values or as multiple flags. Cannot be used with --all.`,
     isMultiple: true,
   },
   prLimit: {
@@ -272,6 +278,7 @@ async function run(
   )
 
   const {
+    all,
     applyFixes,
     autopilot,
     ecosystems,
@@ -292,6 +299,7 @@ async function run(
     // socket-cli/patches/meow#13.2.0.patch.
     unknownFlags = [],
   } = cli.flags as {
+    all: boolean
     applyFixes: boolean
     autopilot: boolean
     ecosystems: string[]
@@ -338,6 +346,13 @@ async function run(
     validatedEcosystems.push(ecosystem as PURL_Type)
   }
 
+  // Collect ghsas early to validate --all and --id mutual exclusivity.
+  const ghsas = arrayUnique([
+    ...cmdFlagValueToArray(cli.flags['id']),
+    ...cmdFlagValueToArray(cli.flags['ghsa']),
+    ...cmdFlagValueToArray(cli.flags['purl']),
+  ])
+
   const wasValidInput = checkCommandInput(
     outputKind,
     {
@@ -351,6 +366,12 @@ async function run(
       message: 'The json and markdown flags cannot be both set, pick one',
       fail: 'omit one',
     },
+    {
+      nook: true,
+      test: !all || !ghsas.length,
+      message: 'The --all and --id flags cannot be used together',
+      fail: 'omit one',
+    },
   )
   if (!wasValidInput) {
     return
@@ -379,16 +400,11 @@ async function run(
 
   const { spinner } = constants
 
-  const ghsas = arrayUnique([
-    ...cmdFlagValueToArray(cli.flags['id']),
-    ...cmdFlagValueToArray(cli.flags['ghsa']),
-    ...cmdFlagValueToArray(cli.flags['purl']),
-  ])
-
   const includePatterns = cmdFlagValueToArray(include)
   const excludePatterns = cmdFlagValueToArray(exclude)
 
   await handleFix({
+    all,
     applyFixes,
     autopilot,
     coanaVersion: fixVersion,

src/commands/fix/coana-fix.mts

@@ -107,6 +107,7 @@ export async function coanaFix(
   fixConfig: FixConfig,
 ): Promise<CResult<{ data?: unknown; fixed: boolean }>> {
   const {
+    all,
     applyFixes,
     autopilot,
     coanaVersion,
@@ -173,11 +174,18 @@ export async function coanaFix(
     }
   }
 
-  const shouldDiscoverGhsaIds = !ghsas.length
+  const shouldDiscoverGhsaIds = all || !ghsas.length
 
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo
 
   if (!shouldOpenPrs) {
+    // In local mode, if neither --all nor --id is provided, show deprecation warning.
+    if (shouldDiscoverGhsaIds && !all) {
+      logger.warn(
+        'Implicit --all is deprecated in local mode and will be removed in a future release. Please use --all explicitly.',
+      )
+    }
+
     // Inform user about local mode when fixes will be applied.
     if (applyFixes && ghsas.length) {
       const envCheck = checkCiEnvVars()

src/commands/fix/handle-fix-limit.test.mts

@@ -72,6 +72,7 @@ vi.mock('./branch-cleanup.mts', () => ({
 
 describe('socket fix --pr-limit behavior verification', () => {
   const baseConfig: FixConfig = {
+    all: false,
     applyFixes: true,
     autopilot: false,
     coanaVersion: undefined,

src/commands/fix/handle-fix.mts

@@ -97,6 +97,7 @@ export async function convertIdsToGhsas(ids: string[]): Promise<string[]> {
 }
 
 export async function handleFix({
+  all,
   applyFixes,
   autopilot,
   coanaVersion,
@@ -120,6 +121,7 @@ export async function handleFix({
 }: HandleFixConfig) {
   debugFn('notice', `Starting fix command for ${orgSlug}`)
   debugDir('inspect', {
+    all,
     applyFixes,
     autopilot,
     coanaVersion,
@@ -142,6 +144,7 @@ export async function handleFix({
 
   await outputFixResult(
     await coanaFix({
+      all,
       applyFixes,
       autopilot,
       coanaVersion,

src/commands/fix/types.mts

@@ -3,6 +3,7 @@ import type { RangeStyle } from '../../utils/semver.mts'
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
 export type FixConfig = {
+  all: boolean
   applyFixes: boolean
   autopilot: boolean
   coanaVersion: string | undefined