Pin @coana-tech/cli version; make reachability auto-update opt-in#230
Draft
Martin Torp (mtorp) wants to merge 4 commits into
🚀 Preview package published! Install with: `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.4.7.dev5`
Docker image:
c92df38 to ee8e107
The Python CLI auto-updated the reachability (Coana) engine to the latest published version on every --reach run via `npm install -g @coana-tech/cli`. Automatically pulling a brand-new engine version without opting in is undesirable for environments that need to review/approve dependency updates before adopting them. Run a fixed, pinned version (DEFAULT_COANA_CLI_VERSION = 15.3.22) via `npx @coana-tech/cli@<pinned>` instead, so the engine version only changes through a standard pip upgrade of this CLI. Opt into newest with `--reach-version latest`; pin an explicit version with `--reach-version <semver>`. The global `npm install -g` step is dropped entirely, so an existing global install is never auto-updated or downgraded.
ee8e107 to adb2de7
Mirror the Socket Node CLI's coana launcher:
- Run the engine via `npx --yes --force` so the npx cache is bypassed; a corrupt or partial cache entry can no longer wedge a reachability run.
- Fall back to `npm install --no-save --prefix <tmp> @coana-tech/cli@<ver>` + `node <bin>` when the npx launcher is missing or dies before coana starts (spawn error / signal / exit >= 128). Small positive exit codes are treated as real coana failures and are not retried.
- Toggle with SOCKET_CLI_COANA_FORCE_NPM_INSTALL and SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK.
- Strip npm_package_* env vars before spawning coana to avoid E2BIG in large monorepos.
Kept on version 2.4.7 (same unreleased version as the pin change).
…npx wording
- M2: cache the npm-install fallback's resolved script path per version for the process lifetime (mirrors the Node CLI's installedCoanaScriptPathsByVersion), so a repeated fallback installs once instead of re-installing + leaking a temp dir each call.
- M3: surface a clear error when `node` is missing in the fallback (instead of an opaque FileNotFoundError after a costly npm install), and add `node` to the up-front prereq check.
- M1: correct the overstated 'npx --force disables the cache' wording in docstrings, docs, and CHANGELOG. The code already matches the Node CLI exactly (npx --yes --force); --force does not force a re-download of an already-cached pinned version, so the docs now describe what the flags actually do rather than claiming a cache bypass.
Adds tests for per-version caching, node-missing, and real _resolve_coana_bin / _build_coana_node_cmd parsing.
## Why

The Python CLI auto-updated the reachability (Coana) engine to the latest published version on every `--reach` run via `npm install -g @coana-tech/cli`. Automatically pulling a brand-new engine version — without the operator opting in — is undesirable for environments that need to review/approve dependency updates before adopting them. This makes the engine version explicit and opt-in, and aligns the launcher behavior with the Socket Node CLI.

## What changed

### Pin the engine version (no silent auto-update)

- `@coana-tech/cli` version baked into the release (`DEFAULT_COANA_CLI_VERSION = 15.3.24`, matching the Node CLI's pin). The engine version changes only through a standard `pip` upgrade of this CLI.
- The `npm install -g @coana-tech/cli` step (the auto-update) is removed entirely. An existing global install is left untouched — never auto-updated or downgraded.
- Opt into the newest with `--reach-version latest`; pin an explicit version with `--reach-version <semver>`.

### Launcher (parity with the Socket Node CLI's `dlx` path)

- `npx --yes --force @coana-tech/cli@<ver> …` — the exact flags the Node CLI passes for coana. `--yes` skips npx's interactive install prompt so non-interactive/CI runs don't hang. (Note: `--force` does not force a re-download of an already-cached pinned version; it mirrors the Node CLI's flags rather than bypassing the cache.)
- `npm install` + `node` fallback: if the `npx` launcher is missing or dies before the engine starts (spawn error / signal / exit ≥128), fall back to `npm install --no-save --no-package-lock --no-audit --no-fund --prefix <tmpdir> @coana-tech/cli@<ver>`, resolve the `bin` from the installed `package.json`, and run via `node`. Small positive exit codes are real engine failures and are not retried. The resolved install is cached per version for the process lifetime (installs once).
- `SOCKET_CLI_COANA_FORCE_NPM_INSTALL` (use the fallback as the primary path) and `SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK` (never fall back).
- `node` is now part of the up-front prerequisite check. Strips `npm_package_*` env vars before spawning to avoid `E2BIG` in large monorepos.

### Docs / changelog

- `--reach-version` help, `docs/cli-reference.md`, and `CHANGELOG.md` (2.4.7).

### Tests

- `tests/unit/test_reachability.py` (29 tests): spec resolution, the `--yes --force` flags, `npm_package_*` stripping, the launcher-failure heuristic, every fallback branch (launcher failure / missing `npx` / `FORCE_NPM_INSTALL` / `DISABLE_NPM_FALLBACK`), per-version install caching, the `node`-missing error, and real `_resolve_coana_bin` / `_build_coana_node_cmd` parsing. Full unit suite: 282 passed, 2 (pre-existing, unrelated) skips.

## Review

A comprehensive automated review was run on this PR; its Major findings (accurate npx-cache wording, a per-version fallback cache to avoid temp-dir leak / re-install, and a clear error + prereq for a missing `node`) have been addressed in the latest commit.

## Maintenance note

`DEFAULT_COANA_CLI_VERSION` is a deliberate, reviewable bump per release rather than an implicit "always latest". Reviewers should expect to update it (and the `currently 15.3.24` references in the docs/CHANGELOG) together.
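The launcher rules the description lays out (pinned spec resolution, the `npx --yes --force` command, the launcher-failure heuristic that gates the npm-install fallback, the two env toggles, and `npm_package_*` stripping), as an added example model; this is not the socketsecurity project's code, and the function names are hypothetical.

```python
"""Illustrative model of the PR's launcher logic. Added example, not the
project's implementation; function names are hypothetical."""
from typing import Dict, List, Optional

DEFAULT_COANA_CLI_VERSION = "15.3.24"  # pin quoted in the PR description
PACKAGE = "@coana-tech/cli"


def resolve_coana_spec(reach_version: Optional[str]) -> str:
    """--reach-version unset -> pinned default; 'latest' or an explicit
    semver -> exactly what the operator asked for, never a silent upgrade."""
    return f"{PACKAGE}@{reach_version or DEFAULT_COANA_CLI_VERSION}"


def build_npx_cmd(spec: str, coana_args: List[str]) -> List[str]:
    """Flags the PR says match the Node CLI: --yes skips the interactive
    install prompt; --force is parity only and does not bypass the cache."""
    return ["npx", "--yes", "--force", spec, *coana_args]


def is_launcher_failure(returncode: Optional[int]) -> bool:
    """True when npx itself never got the engine running: spawn error
    (None), death by signal (negative on POSIX, or 128+N as a shell reports
    it), or any exit >= 128. Small positive codes are the engine's own
    failures and must not be retried through the fallback."""
    if returncode is None:
        return True
    return returncode < 0 or returncode >= 128


def primary_launcher(env: Dict[str, str]) -> str:
    """SOCKET_CLI_COANA_FORCE_NPM_INSTALL makes the fallback the primary path."""
    return "npm-install" if env.get("SOCKET_CLI_COANA_FORCE_NPM_INSTALL") else "npx"


def should_fallback(returncode: Optional[int], env: Dict[str, str]) -> bool:
    """SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK wins over the heuristic."""
    if env.get("SOCKET_CLI_COANA_DISABLE_NPM_FALLBACK"):
        return False
    return is_launcher_failure(returncode)


def strip_npm_package_env(env: Dict[str, str]) -> Dict[str, str]:
    """Drop npm_package_* vars so a large monorepo's npm context cannot push
    the child's environment past the E2BIG limit."""
    return {k: v for k, v in env.items() if not k.startswith("npm_package_")}
```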