From 8d607ca21ea8301bcebab31cb0f83b09c03b420c Mon Sep 17 00:00:00 2001
From: Martin Torp <martin@socket.dev>
Date: Fri, 20 Mar 2026 12:59:37 +0100
Subject: [PATCH 1/2] fix: make --version exit with code 0 instead of 2

The --version flag was defined and parsed but never explicitly handled
at the root command level, causing it to fall through to showHelp with
exit code 2. This broke automation (e.g. Ansible) that checks the exit
code of `socket --version`.
---
 package.json                        |  2 +-
 src/commands/cli.test.mts           | 12 ++++++++++++
 src/utils/meow-with-subcommands.mts | 14 +++++++++++++-
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 63013558f..487712e4a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.74",
+  "version": "1.1.75",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
diff --git a/src/commands/cli.test.mts b/src/commands/cli.test.mts
index 245418f9a..025cc8d67 100755
--- a/src/commands/cli.test.mts
+++ b/src/commands/cli.test.mts
@@ -6,6 +6,7 @@ import constants, {
   FLAG_CONFIG,
   FLAG_DRY_RUN,
   FLAG_HELP,
+  FLAG_VERSION,
 } from '../constants.mts'
 
 describe('socket root command', async () => {
@@ -87,6 +88,17 @@ describe('socket root command', async () => {
     },
   )
 
+  cmdit(
+    [FLAG_VERSION, FLAG_CONFIG, '{}'],
+    `should support ${FLAG_VERSION}`,
+    async cmd => {
+      const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+      // Version output should be a semver string.
+      expect(stdout).toMatch(/^\d+\.\d+\.\d+/)
+      expect(code, 'version should exit with code 0').toBe(0)
+    },
+  )
+
   cmdit(
     ['mootools', FLAG_DRY_RUN, FLAG_CONFIG, '{"apiToken":"fakeToken"}'],
     'should require args with just dry-run',
diff --git a/src/utils/meow-with-subcommands.mts b/src/utils/meow-with-subcommands.mts
index adf625be3..ad44f1bd0 100644
--- a/src/utils/meow-with-subcommands.mts
+++ b/src/utils/meow-with-subcommands.mts
@@ -743,9 +743,21 @@ export async function meowWithSubcommands(
     help: lines.map(l => indentString(l, HELP_INDENT)).join('\n'),
   })
 
-  const { dryRun, help: helpFlag } = cli2.flags as {
+  const {
+    dryRun,
+    help: helpFlag,
+    version: versionFlag,
+  } = cli2.flags as {
     dryRun: boolean
     help: boolean
+    version: boolean
+  }
+
+  // Handle --version: print version and exit successfully.
+  if (versionFlag) {
+    logger.log(constants.ENV.INLINED_SOCKET_CLI_VERSION)
+    process.exitCode = 0
+    return
   }
 
   // ...else we provide basic instructions and help.

From a3a357ddf968ec3cf0f113ff346f8b38589af5eb Mon Sep 17 00:00:00 2001
From: Martin Torp <martin@socket.dev>
Date: Fri, 20 Mar 2026 13:16:49 +0100
Subject: [PATCH 2/2] fix: add patch command to public commands set

The patch command was registered and unhidden but missing from the
hardcoded public commands validation set, causing a spurious
"Received an unknown command: patch" error on every CLI invocation.
Also removes the workaround in test utils that stripped this error.
---
 src/commands/cli.test.mts           | 1 +
 src/utils/meow-with-subcommands.mts | 3 ++-
 test/utils.mts                      | 5 -----
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/commands/cli.test.mts b/src/commands/cli.test.mts
index 025cc8d67..9b3986a75 100755
--- a/src/commands/cli.test.mts
+++ b/src/commands/cli.test.mts
@@ -49,6 +49,7 @@ describe('socket root command', async () => {
             manifest                    Generate a dependency manifest for certain ecosystems
             npm                         Wraps npm with Socket security scanning
             npx                         Wraps npx with Socket security scanning
+            patch                       Apply, manage, and rollback Socket security patches for vulnerable dependencies
             raw-npm                     Run npm without the Socket wrapper
             raw-npx                     Run npx without the Socket wrapper
 
diff --git a/src/utils/meow-with-subcommands.mts b/src/utils/meow-with-subcommands.mts
index ad44f1bd0..1b03f5315 100644
--- a/src/utils/meow-with-subcommands.mts
+++ b/src/utils/meow-with-subcommands.mts
@@ -553,7 +553,7 @@ export async function meowWithSubcommands(
       'optimize',
       'organization',
       'package',
-      //'patch',
+      'patch',
       // PNPM,
       'raw-npm',
       'raw-npx',
@@ -612,6 +612,7 @@ export async function meowWithSubcommands(
       `  manifest                    ${description(subcommands['manifest'])}`,
       `  npm                         ${description(subcommands[NPM])}`,
       `  npx                         ${description(subcommands[NPX])}`,
+      `  patch                       ${description(subcommands['patch'])}`,
       `  raw-npm                     ${description(subcommands['raw-npm'])}`,
       `  raw-npx                     ${description(subcommands['raw-npx'])}`,
       '',
diff --git a/test/utils.mts b/test/utils.mts
index fd99d8bf0..5badbc0bf 100644
--- a/test/utils.mts
+++ b/test/utils.mts
@@ -78,11 +78,6 @@ function normalizeBanner(str: string): string {
       )
       // Replace cwd path with "<redacted>".
       .replace(/cwd: [^\n"]+/g, 'cwd: <redacted>')
-      // Strip "Received an unknown command: patch" error line that appears
-      // when socket-patch binary is not available in the test build.
-      // Also consume any leading whitespace on the next line so indentation
-      // stays consistent when the error line is absent.
-      .replace(/[^\n]*Received an unknown command: patch[^\n]*\n\s*/g, '')
   )
 }