Conversation

@mtorp
Contributor

@mtorp mtorp commented Jan 28, 2026

Various updates to the --json output from socket fix:

  • Adds ghsaDetails, which is an array of fix details. This map is now also constructed in PR mode, where the Coana CLI is invoked multiple times.
  • Adds the PR link and PR number to the fix details
  • Removes the nested data: { data: { ... }} from the JSON output

Notice: this PR includes multiple breaking changes, so we need to inform frequent users of socket fix when we roll it out.

Example of what the new JSON output looks like:

{
  "ok": true,
  "data": {
    "fixedAll": true,
    "ghsaDetails": [
      {
        "type": "applied-fixes",
        "fixes": {
          "GHSA-v6h2-p8h4-qcjw": [
            {
              "purl": "pkg:npm/brace-expansion@1.1.11",
              "fixedVersion": "1.1.12"
            }
          ]
        },
        "pullRequestLink": "https://github.com/mtorp/socket-fix-test/pull/19",
        "pullRequestNumber": 19
      },
      {
        "type": "applied-fixes",
        "fixes": {
          "GHSA-73rr-hh4g-fpgx": [
            {
              "purl": "pkg:npm/diff@3.5.0",
              "fixedVersion": "5.2.2"
            },
            {
              "purl": "pkg:npm/mocha@5.2.0",
              "fixedVersion": "10.6.0"
            }
          ]
        },
        "pullRequestLink": "https://github.com/mtorp/socket-fix-test/pull/20",
        "pullRequestNumber": 20
      },
      {
        "type": "applied-fixes",
        "fixes": {
          "GHSA-f8q6-p94x-37v3": [
            {
              "purl": "pkg:npm/minimatch@3.0.4",
              "fixedVersion": "4.2.1"
            },
            {
              "purl": "pkg:npm/mocha@5.2.0",
              "fixedVersion": "9.2.2"
            }
          ]
        },
        "pullRequestLink": "https://github.com/mtorp/socket-fix-test/pull/21",
        "pullRequestNumber": 21
      }
    ]
  }
}

Note

Overhauls the socket fix --json response and plumbs Coana output through both local and PR modes.

  • Replaces data: { data?, fixed } with data: { fixedAll, ghsaDetails[] }; fixed -> fixedAll and GHSA-specific details aggregated into ghsaDetails
  • In PR mode, runs Coana per GHSA with --output-file, reads result JSON, and appends pullRequestLink and pullRequestNumber for each created PR
  • In local mode, runs Coana once across IDs with --output-file and returns a single entry in ghsaDetails (if present)
  • Adds strict typing when reading fix results and copies temp JSON to --output-file when provided
  • Cleans up temp files in all paths and updates early-return cases to new output shape

Written by Cursor Bugbot for commit cf08af4. This will update automatically on new commits. Configure here.
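An added example, not code from this PR or from the socket CLI: a consumer-side parser for the new `--json` shape described above. It validates the top-level layout and rejects the removed `data: { data: ... }` nesting with a clear error, builds the GHSA-keyed maps as null-prototype objects, and folds the per-GHSA entries into a per-package view so that a purl fixed under several advisories (mocha in the example) resolves to the highest `fixedVersion` any of them requires. The sample input is constructed from the example in the description; the version comparison is a plain dotted-numeric compare, not full semver.

```typescript
// Added example, not part of the PR or of the socket CLI: a consumer-side
// parser for the new `socket fix --json` output shape.

interface FixEntry {
  purl: string
  fixedVersion: string
}

interface GhsaDetail {
  type: string
  // GHSA id -> packages bumped for that advisory.
  fixes: Record<string, FixEntry[]>
  pullRequestLink?: string
  pullRequestNumber?: number
}

interface FixOutput {
  ok: boolean
  fixedAll: boolean
  ghsaDetails: GhsaDetail[]
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v)
}

function parseFixEntry(ghsaId: string, f: unknown): FixEntry {
  if (!isRecord(f)) throw new Error(`fix entry under ${ghsaId} is not an object`)
  const purl = f.purl
  const fixedVersion = f.fixedVersion
  if (typeof purl !== 'string' || typeof fixedVersion !== 'string') {
    throw new Error(`fix entry under ${ghsaId} lacks purl/fixedVersion`)
  }
  return { purl, fixedVersion }
}

function parseGhsaDetail(entry: unknown, index: number): GhsaDetail {
  if (!isRecord(entry)) throw new Error(`ghsaDetails[${index}] is not an object`)
  const type = entry.type
  const rawFixes = entry.fixes
  if (typeof type !== 'string' || !isRecord(rawFixes)) {
    throw new Error(`ghsaDetails[${index}] lacks type/fixes`)
  }
  // Null-prototype map: the keys are advisory ids from an external tool, so a
  // key such as "__proto__" must never reach Object.prototype.
  const fixes: Record<string, FixEntry[]> = Object.create(null)
  for (const [ghsaId, list] of Object.entries(rawFixes)) {
    if (!Array.isArray(list)) throw new Error(`fixes[${ghsaId}] is not an array`)
    fixes[ghsaId] = list.map(f => parseFixEntry(ghsaId, f))
  }
  const detail: GhsaDetail = { type, fixes }
  const link = entry.pullRequestLink
  const number = entry.pullRequestNumber
  if (typeof link === 'string') detail.pullRequestLink = link
  if (typeof number === 'number') detail.pullRequestNumber = number
  return detail
}

// Parse and validate raw --json text. Throws on any shape mismatch, including
// the pre-change nested `data: { data: ... }` layout, so a consumer built
// against the old output fails loudly instead of reading undefined fields.
function parseFixOutput(raw: string): FixOutput {
  const root: unknown = JSON.parse(raw)
  if (!isRecord(root)) throw new Error('top level is not an object')
  const ok = root.ok
  const data = root.data
  if (typeof ok !== 'boolean' || !isRecord(data)) throw new Error('missing ok/data')
  if ('data' in data) throw new Error('legacy nested data.data shape; update the consumer')
  const fixedAll = data.fixedAll
  const rawDetails = data.ghsaDetails
  if (typeof fixedAll !== 'boolean' || !Array.isArray(rawDetails)) {
    throw new Error('missing data.fixedAll/data.ghsaDetails')
  }
  return { ok, fixedAll, ghsaDetails: rawDetails.map(parseGhsaDetail) }
}

// Dotted-numeric compare (major.minor.patch); enough for these values, not full semver.
function compareVersions(a: string, b: string): number {
  const pa = a.split('.').map(Number)
  const pb = b.split('.').map(Number)
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0)
    if (d !== 0) return d
  }
  return 0
}

interface PackageTarget {
  fixedVersion: string // highest fixedVersion required across all advisories
  ghsaIds: string[]
  pullRequests: number[]
}

// Per-package view: when one purl is fixed under several GHSAs, the highest
// fixedVersion is the one that satisfies all of them.
function summarizeByPackage(out: FixOutput): Record<string, PackageTarget> {
  const byPurl: Record<string, PackageTarget> = Object.create(null)
  for (const detail of out.ghsaDetails) {
    for (const [ghsaId, entries] of Object.entries(detail.fixes)) {
      for (const { purl, fixedVersion } of entries) {
        let t = byPurl[purl]
        if (!t) {
          t = { fixedVersion, ghsaIds: [], pullRequests: [] }
          byPurl[purl] = t
        }
        if (compareVersions(fixedVersion, t.fixedVersion) > 0) t.fixedVersion = fixedVersion
        t.ghsaIds.push(ghsaId)
        if (detail.pullRequestNumber !== undefined) t.pullRequests.push(detail.pullRequestNumber)
      }
    }
  }
  return byPurl
}

// Sample input, constructed from the example in the PR description above.
const SAMPLE_OUTPUT = JSON.stringify({
  ok: true,
  data: {
    fixedAll: true,
    ghsaDetails: [
      { type: 'applied-fixes',
        fixes: { 'GHSA-73rr-hh4g-fpgx': [
          { purl: 'pkg:npm/diff@3.5.0', fixedVersion: '5.2.2' },
          { purl: 'pkg:npm/mocha@5.2.0', fixedVersion: '10.6.0' } ] },
        pullRequestLink: 'https://github.com/mtorp/socket-fix-test/pull/20', pullRequestNumber: 20 },
      { type: 'applied-fixes',
        fixes: { 'GHSA-f8q6-p94x-37v3': [
          { purl: 'pkg:npm/minimatch@3.0.4', fixedVersion: '4.2.1' },
          { purl: 'pkg:npm/mocha@5.2.0', fixedVersion: '9.2.2' } ] },
        pullRequestLink: 'https://github.com/mtorp/socket-fix-test/pull/21', pullRequestNumber: 21 },
    ],
  },
})
// The pre-change nested layout, which parseFixOutput rejects.
const LEGACY_OUTPUT = JSON.stringify({ ok: true, data: { data: { fixed: true } } })

console.log(summarizeByPackage(parseFixOutput(SAMPLE_OUTPUT)))
```

Run against the sample, the summary lists mocha once with `fixedVersion` 10.6.0 and both advisory ids and both PR numbers attached, which is the view a consumer needs when deciding what to bump; the legacy input throws before any field is read.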

@mtorp mtorp requested a review from jdalton January 28, 2026 12:22
@cursor

cursor bot commented Jan 28, 2026

Bugbot Autofix prepared a fix for 2 of the 2 bugs found in the latest run.

  • ✅ Fixed: Temp file leaked when no modified files detected
    • Added temp file cleanup with fs.unlink before the 'continue ghsaLoop' statement that was skipping the finally block.
  • ✅ Fixed: Inconsistent ghsaDetails format between local and PR modes
    • Transformed local mode output to match the GHSA-keyed map format by iterating over fixesResultJson.fixes keys, consistent with PR mode.

Or push these changes by commenting:

@cursor push 46226d3a6c
Preview (46226d3a6c)
diff --git a/src/commands/fix/coana-fix.mts b/src/commands/fix/coana-fix.mts
--- a/src/commands/fix/coana-fix.mts
+++ b/src/commands/fix/coana-fix.mts
@@ -111,7 +111,9 @@ async function discoverGhsaIds(
 
 export async function coanaFix(
   fixConfig: FixConfig,
-): Promise<CResult<{ fixedAll: boolean; ghsaDetails: Record<string, unknown> }>> {
+): Promise<
+  CResult<{ fixedAll: boolean; ghsaDetails: Record<string, unknown> }>
+> {
   const {
     all,
     applyFixes,
@@ -290,7 +292,10 @@ export async function coanaFix(
       }
 
       // Read the temporary file to get the actual fixes result.
-      const fixesResultJson = readJsonSync(tmpFile, { throws: false })
+      const fixesResultJson = readJsonSync(tmpFile, { throws: false }) as
+        | { fixes?: Record<string, unknown> }
+        | null
+        | undefined
 
       // Copy to outputFile if provided.
       if (outputFile) {
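Review bot: the `as | { fixes?: Record<string, unknown> } | null | undefined` assertion on the `readJsonSync` result is a compile-time claim, not a runtime check. With `{ throws: false }` a missing or unparsable temp file yields `null`, which the union covers, but a well-formed JSON document of some other shape is accepted silently and later just produces an empty `ghsaDetails`. Since the file is written by an external CLI, narrow it with a small guard (`typeof x === 'object' && x !== null && 'fixes' in x`) or at least emit a `debugFn('notice', ...)` when the parsed value is not the expected object, so the empty result is diagnosable.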
@@ -301,11 +306,24 @@ export async function coanaFix(
         await fs.writeFile(outputFile, tmpContent, 'utf8')
       }
 
+      // Transform to GHSA-keyed map format for consistency with PR mode.
+      const ghsaDetails: Record<string, unknown> = {
+        __proto__: null,
+      } as Record<string, unknown>
+      if (fixesResultJson && typeof fixesResultJson === 'object') {
+        const fixes = fixesResultJson.fixes
+        if (fixes && typeof fixes === 'object') {
+          for (const ghsaKey of Object.keys(fixes)) {
+            ghsaDetails[ghsaKey] = fixesResultJson
+          }
+        }
+      }
+
       return {
         ok: true,
         data: {
           fixedAll: true,
-          ghsaDetails: (fixesResultJson as Record<string, unknown>) ?? {},
+          ghsaDetails,
         },
       }
     } finally {
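Review bot: in the `for (const ghsaKey of Object.keys(fixes))` loop, `ghsaDetails[ghsaKey] = fixesResultJson` stores the whole result document under every key, so a local run that fixed three advisories yields three entries that each carry all three advisories' fixes. If the aim is parity with PR mode, where each entry is one GHSA's own result, store a per-key projection instead (for example `{ ...fixesResultJson, fixes: { [ghsaKey]: fixes[ghsaKey] } }`, or `fixes[ghsaKey]` directly) and state in the comment which of the two a consumer should expect. The `__proto__: null` literal is the right choice for a map keyed by externally supplied ids. Separately, the example in the PR description shows `ghsaDetails` as an array while the return type here is `Record<string, unknown>`; one of the two should be updated so the documented shape matches the code.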
@@ -462,6 +480,13 @@ export async function coanaFix(
 
     if (!modifiedFiles.length) {
       debugFn('notice', `skip: no changes for ${ghsaId}`)
+      // Clean up temp file before continuing.
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        await fs.unlink(tmpFile)
+      } catch {
+        // Ignore cleanup errors.
+      }
       continue ghsaLoop
     }
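Review bot: this cleanup block duplicates the unlink that the `finally` mentioned in the Autofix summary already performs on the normal path, because `continue ghsaLoop` sits outside that try/finally. Moving the temp-file creation inside the `try`, or wrapping the iteration body in one `try { ... } finally { unlink }`, gives a single cleanup site rather than two that can drift apart. Swallowing the unlink error is reasonable for a temp file, but a `debugFn('notice', ...)` in the empty `catch {}` would make leaked files visible when debugging.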

@mtorp
Contributor Author

mtorp commented Jan 28, 2026

@cursor review


@cursor cursor bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@jdalton jdalton merged commit b981da5 into v1.x Jan 28, 2026
8 checks passed
@jdalton jdalton deleted the pr-link-in-json-output branch January 28, 2026 14:04