feat(cli): add scan --redirect hosted-vendored-patch mode #117
Mikola Lysenko (mikolalysenko) wants to merge 1 commit into
Adds a new patch-apply mode that rewrites lockfiles/manifests so ONLY patched dependencies resolve from Socket's hosted vendored patches (patch.socket.dev), instead of vendoring local artifact bytes or writing .socket/manifest.json.

- `scan --redirect` flag (conflicts_with_all apply/sync/vendor)
- `--patch-server-url` / `SOCKET_PATCH_SERVER_URL` global arg, defaulting to https://patch.socket.dev (DEFAULT_PATCH_SERVER_URL)
- api/client.rs `fetch_registry_references` (authed /v0/orgs/{org}/patches/package, or proxy /patch/package)
- patch/redirect/mod.rs rewriters for 9 ecosystems (npm package-lock, pnpm, yarn-classic, pypi requirements, uv, cargo, composer, nuget, gem); golang documented as a limitation (no per-dependency remote redirect without a global GOPROXY)

Shared golden fixtures (tests/fixtures/redirect/**) are consumed by BOTH this crate's redirect_golden.rs and the depscan backend's golden.test.ts, keeping the two rewriter implementations byte-identical. Behavioral coverage: tests/in_process_redirect.rs.

Assisted-by: Claude Code:opus-4-8
## What

Adds a new patch-apply mode to the CLI: `scan --redirect`. Instead of vendoring local artifact bytes or writing `.socket/manifest.json`, it rewrites lockfiles/manifests so only the patched dependencies resolve from Socket's hosted vendored patches (patch.socket.dev), with integrity pins matching the served bytes.

This is the CLI half of a two-repo change; the depscan companion PR adds the matching backend registry endpoints, the byte-identical TS rewriters, and the optional GitHub-app mode.

## Changes

- `scan --redirect` flag (`conflicts_with_all = [apply, sync, vendor]`); `--detached`/`--prune` compose as for vendor.
- `--patch-server-url` / `SOCKET_PATCH_SERVER_URL` global arg, defaulting to `https://patch.socket.dev` (`DEFAULT_PATCH_SERVER_URL` in `constants.rs`).
- `api/client.rs::fetch_registry_references` — resolves patch UUIDs to grant token + artifact URLs + per-dependency `registryOverride` + integrity (authed `/v0/orgs/{org}/patches/package`, or public proxy `/patch/package`).
- `patch/redirect/mod.rs` — per-dependency rewriters for 9 ecosystems: npm `package-lock`, pnpm, yarn-classic, pip `requirements`, uv, cargo, composer, nuget, gem. Minimal per-dep overrides only (e.g. cargo `registry = "socket-patches"`), never a blanket fall-through proxy.

## Known limitation

GOPROXY (which would violate "only patched deps"), so golang stays on local-vendor mode. Documented on both the CLI and backend sides.

## Cross-language consistency

The shared golden fixtures under `tests/fixtures/redirect/**` are consumed by both this crate's `redirect_golden.rs` and the depscan backend's `golden.test.ts`. The `expected/` bytes were authored once and both implementations must reproduce them byte-for-byte — so a customer gets the identical lockfile whether Socket opens the PR (backend) or they run `socket-patch scan --redirect` locally.

## Testing

- `cargo test -p socket-patch-core --test redirect_golden` — all 9 implemented ecosystems byte-identical + deterministic re-run.
- `cargo test -p socket-patch-cli --test in_process_redirect` — end-to-end `scan --redirect` against a mocked reference API rewrites the lockfile to the hosted patch.
- `cargo clippy -p socket-patch-core -p socket-patch-cli --tests -- -D warnings` — clean.

## Merge coordination

Merge this first. The depscan companion PR bumps its `submodules/socket-patch` pointer to this branch and must be re-pointed to the squash-merged commit before it lands.
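The properties the description leans on (a per-dependency `resolved`/`integrity` rewrite that touches nothing else, the "only patched deps resolve from the patch server" invariant, integrity pins that must equal the hash of the served bytes, and deterministic re-runs) sketched for an npm `package-lock.json` as an added example. This is not the socket-patch crate's rewriter nor the depscan backend's; the path layout under patch.socket.dev, the field names of a registry reference, the sample lockfile and the stand-in tarball bytes are all constructed assumptions.

```python
"""Added illustration of a per-dependency lockfile redirect with integrity pins.
Not the project's code: URL layout under the patch server, the reference
field names and all sample data are constructed assumptions."""
import base64
import copy
import hashlib
import json

# Same default the PR's --patch-server-url uses; the /npm/... layout is assumed.
PATCH_SERVER_URL = "https://patch.socket.dev"

# Constructed sample: a minimal lockfileVersion 3 package-lock with two deps.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad": "1.3.0", "lodash": "4.17.21"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-constructedUpstreamPinForLeftPad==",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-constructedUpstreamPinForLodash==",
        },
    },
}

# Constructed stand-in for the patched tarball bytes the server would serve.
PATCHED_TARBALL = b"not a real tarball: left-pad 1.3.0 with a hypothetical fix\n"


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string in the form npm stores in `integrity`."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def registry_reference(name: str, version: str, served: bytes) -> dict:
    """One per-dependency override: where the patched artifact lives and its pin.
    A stand-in for what a registry-reference lookup would return (fields assumed)."""
    return {
        "resolved": f"{PATCH_SERVER_URL}/npm/{name}/-/{name}-{version}.tgz",
        "integrity": sri_sha512(served),
    }


def redirect_package_lock(lock: dict, overrides: dict) -> dict:
    """Rewrite only the listed `node_modules/...` entries; every other entry is untouched."""
    out = copy.deepcopy(lock)
    for path, ref in overrides.items():
        if path not in out["packages"]:
            raise KeyError(f"{path} is not in the lockfile; refusing to add a dependency")
        entry = out["packages"][path]
        entry["resolved"] = ref["resolved"]
        entry["integrity"] = ref["integrity"]
    return out


def only_patched_deps_redirected(lock: dict, patched_paths: set,
                                 server: str = PATCH_SERVER_URL) -> bool:
    """Invariant: a dependency resolves from the patch server iff it was patched."""
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project entry carries no `resolved`
        from_server = entry.get("resolved", "").startswith(server + "/")
        if from_server != (path in patched_paths):
            return False
    return True


def served_bytes_match(entry: dict, served: bytes) -> bool:
    """What the installer enforces: the pinned integrity equals the hash of what was served."""
    return entry["integrity"] == sri_sha512(served)


def render(lock: dict) -> str:
    """Deterministic serialization so repeated runs produce byte-identical output."""
    return json.dumps(lock, indent=2) + "\n"


def demo() -> dict:
    overrides = {"node_modules/left-pad": registry_reference("left-pad", "1.3.0", PATCHED_TARBALL)}
    rewritten = redirect_package_lock(SAMPLE_LOCK, overrides)
    assert only_patched_deps_redirected(rewritten, set(overrides))
    entry = rewritten["packages"]["node_modules/left-pad"]
    assert served_bytes_match(entry, PATCHED_TARBALL)
    assert not served_bytes_match(entry, PATCHED_TARBALL + b"tampered")
    # Re-running over the output yields identical bytes (the "deterministic re-run" check).
    assert render(redirect_package_lock(rewritten, overrides)) == render(rewritten)
    return rewritten


if __name__ == "__main__":
    print(render(demo()))
```

The two checks worth keeping in any real rewriter are the invariant (no entry outside the patched set points at the patch server, which is what rules out a blanket fall-through proxy) and the pin-versus-served-bytes comparison: with the `integrity` field rewritten to the patched artifact's hash, an installer rejects a tarball that differs from what the pin was authored against.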