feat: add --ecosystems flag to apply and rollback commands (#29)

mikolalysenko · claude · web-flow · commit 7f464f480330 · 2026-02-26T13:50:32.000-05:00
Adds ecosystem filtering to restrict patching/rollback to specific
ecosystems (npm, pypi). Also updates the default npm postinstall
command to include --ecosystems npm for scoped patching.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/commands/apply.ts b/src/commands/apply.ts
@@ -36,6 +36,7 @@ interface ApplyArgs {
   offline: boolean
   global: boolean
   'global-prefix'?: string
+  ecosystems?: string[]
 }
 
 async function applyPatches(
@@ -46,6 +47,7 @@ async function applyPatches(
   offline: boolean,
   useGlobal: boolean,
   globalPrefix?: string,
+  ecosystems?: string[],
 ): Promise<{ success: boolean; results: ApplyResult[] }> {
   // Read and parse manifest
   const manifestContent = await fs.readFile(manifestPath, 'utf-8')
@@ -102,8 +104,14 @@ async function applyPatches(
 
   // Partition manifest PURLs by ecosystem
   const manifestPurls = Object.keys(manifest.patches)
-  const npmPurls = manifestPurls.filter(p => isNpmPurl(p))
-  const pypiPurls = manifestPurls.filter(p => isPyPIPurl(p))
+  let npmPurls = manifestPurls.filter(p => isNpmPurl(p))
+  let pypiPurls = manifestPurls.filter(p => isPyPIPurl(p))
+
+  // Filter by ecosystem if specified
+  if (ecosystems && ecosystems.length > 0) {
+    if (!ecosystems.includes('npm')) npmPurls = []
+    if (!ecosystems.includes('pypi')) pypiPurls = []
+  }
 
   const crawlerOptions = {
     cwd,
@@ -316,6 +324,11 @@ export const applyCommand: CommandModule<{}, ApplyArgs> = {
         describe: 'Custom path to global node_modules (overrides auto-detection, useful for yarn/pnpm)',
         type: 'string',
       })
+      .option('ecosystems', {
+        describe: 'Restrict patching to specific ecosystems (comma-separated)',
+        type: 'array',
+        choices: ['npm', 'pypi'],
+      })
       .example('$0 apply', 'Apply all patches to local packages')
       .example('$0 apply --global', 'Apply patches to global npm packages')
       .example('$0 apply --global-prefix /custom/path', 'Apply patches to custom global location')
@@ -350,6 +363,7 @@ export const applyCommand: CommandModule<{}, ApplyArgs> = {
         argv.offline,
         argv.global,
         argv['global-prefix'],
+        argv.ecosystems,
       )
 
       // Print results if not silent
diff --git a/src/commands/rollback.ts b/src/commands/rollback.ts
@@ -43,6 +43,7 @@ interface RollbackArgs {
   org?: string
   'api-url'?: string
   'api-token'?: string
+  ecosystems?: string[]
 }
 
 interface PatchToRollback {
@@ -134,6 +135,7 @@ async function rollbackPatches(
   offline: boolean,
   useGlobal: boolean,
   globalPrefix?: string,
+  ecosystems?: string[],
 ): Promise<{ success: boolean; results: RollbackResult[] }> {
   // Read and parse manifest
   const manifestContent = await fs.readFile(manifestPath, 'utf-8')
@@ -214,8 +216,14 @@ async function rollbackPatches(
 
   // Partition PURLs by ecosystem
   const rollbackPurls = patchesToRollback.map(p => p.purl)
-  const npmPurls = rollbackPurls.filter(p => !isPyPIPurl(p))
-  const pypiPurls = rollbackPurls.filter(p => isPyPIPurl(p))
+  let npmPurls = rollbackPurls.filter(p => !isPyPIPurl(p))
+  let pypiPurls = rollbackPurls.filter(p => isPyPIPurl(p))
+
+  // Filter by ecosystem if specified
+  if (ecosystems && ecosystems.length > 0) {
+    if (!ecosystems.includes('npm')) npmPurls = []
+    if (!ecosystems.includes('pypi')) pypiPurls = []
+  }
 
   const crawlerOptions = { cwd, global: useGlobal, globalPrefix }
   const allPackages = new Map<string, string>()
@@ -374,6 +382,11 @@ export const rollbackCommand: CommandModule<{}, RollbackArgs> = {
         describe: 'Socket API token (overrides SOCKET_API_TOKEN env var)',
         type: 'string',
       })
+      .option('ecosystems', {
+        describe: 'Restrict rollback to specific ecosystems (comma-separated)',
+        type: 'array',
+        choices: ['npm', 'pypi'],
+      })
       .example('$0 rollback', 'Rollback all patches')
       .example(
         '$0 rollback pkg:npm/lodash@4.17.21',
@@ -453,6 +466,7 @@ export const rollbackCommand: CommandModule<{}, RollbackArgs> = {
         argv.offline,
         argv.global,
         argv['global-prefix'],
+        argv.ecosystems,
       )
 
       // Print results if not silent
diff --git a/src/package-json/detect.test.ts b/src/package-json/detect.test.ts
@@ -411,19 +411,19 @@ describe('isPostinstallConfigured', () => {
 describe('generateUpdatedPostinstall', () => {
   it('should create command for empty string', () => {
     const result = generateUpdatedPostinstall('')
-    assert.equal(result, 'socket patch apply --silent')
+    assert.equal(result, 'socket patch apply --silent --ecosystems npm')
   })
 
   it('should create command for whitespace-only string', () => {
     const result = generateUpdatedPostinstall('   \n\t  ')
-    assert.equal(result, 'socket patch apply --silent')
+    assert.equal(result, 'socket patch apply --silent --ecosystems npm')
   })
 
   it('should prepend to existing script', () => {
     const result = generateUpdatedPostinstall('echo "Hello"')
     assert.equal(
       result,
-      'socket patch apply --silent && echo "Hello"',
+      'socket patch apply --silent --ecosystems npm && echo "Hello"',
     )
   })
 
@@ -456,7 +456,7 @@ describe('generateUpdatedPostinstall', () => {
     const result = generateUpdatedPostinstall(existing)
     assert.equal(
       result,
-      'socket patch apply --silent && socket apply',
+      'socket patch apply --silent --ecosystems npm && socket apply',
       'Should add socket patch apply even if socket apply is present',
     )
   })
@@ -476,7 +476,7 @@ describe('updatePackageJsonContent', () => {
     assert.ok(updated.scripts)
     assert.equal(
       updated.scripts.postinstall,
-      'socket patch apply --silent',
+      'socket patch apply --silent --ecosystems npm',
     )
   })
 
@@ -496,7 +496,7 @@ describe('updatePackageJsonContent', () => {
     const updated = JSON.parse(result.content)
     assert.equal(
       updated.scripts.postinstall,
-      'socket patch apply --silent',
+      'socket patch apply --silent --ecosystems npm',
     )
     assert.equal(updated.scripts.test, 'jest', 'Should preserve other scripts')
     assert.equal(updated.scripts.build, 'tsc', 'Should preserve other scripts')
@@ -517,7 +517,7 @@ describe('updatePackageJsonContent', () => {
     assert.equal(result.oldScript, 'echo "Setup complete"')
     assert.equal(
       result.newScript,
-      'socket patch apply --silent && echo "Setup complete"',
+      'socket patch apply --silent --ecosystems npm && echo "Setup complete"',
     )
   })
 
@@ -575,7 +575,7 @@ describe('updatePackageJsonContent', () => {
     const updated = JSON.parse(result.content)
     assert.equal(
       updated.scripts.postinstall,
-      'socket patch apply --silent',
+      'socket patch apply --silent --ecosystems npm',
     )
   })
 
@@ -594,7 +594,7 @@ describe('updatePackageJsonContent', () => {
     const updated = JSON.parse(result.content)
     assert.equal(
       updated.scripts.postinstall,
-      'socket patch apply --silent',
+      'socket patch apply --silent --ecosystems npm',
     )
   })
 
diff --git a/src/package-json/detect.ts b/src/package-json/detect.ts
@@ -4,7 +4,7 @@
  */
 
 // The command to run for applying patches via socket CLI.
-const SOCKET_PATCH_COMMAND = 'socket patch apply --silent'
+const SOCKET_PATCH_COMMAND = 'socket patch apply --silent --ecosystems npm'
 
 // Legacy command patterns to detect existing configurations.
 const LEGACY_PATCH_PATTERNS = [
