SocketDev · jdalton · Jun 27, 2025 · Jun 27, 2025
diff --git a/patches/meow#13.2.0.patch b/patches/meow#13.2.0.patch
@@ -0,0 +1,109 @@
+Index: /meow/build/index.d.ts
+===================================================================
+--- /meow/build/index.d.ts
++++ /meow/build/index.d.ts
+@@ -1313,8 +1313,15 @@
+ 	*/
+ 	readonly allowUnknownFlags?: boolean;
+
+ 	/**
++	Whether to collect unknown flags or not.
++
++	@default false
++	*/
++  readonly collectUnknownFlags?: boolean;
++
++	/**
+ 	The number of spaces to use for indenting the help text.
+
+ 	@default 2
+ 	*/
+@@ -1353,8 +1360,13 @@
+ 	Flags converted to camelCase excluding aliases.
+ 	*/
+ 	flags: CamelCasedProperties<TypedFlags<Flags>> & Record<string, unknown>;
+
++  /**
++	Collection of unknown flags.
++	*/
++  unknownFlags: string[]
++
+ 	/**
+ 	Flags converted camelCase including aliases.
+ 	*/
+ 	unnormalizedFlags: TypedFlags<Flags> & Record<string, unknown>;
+Index: /meow/build/index.js
+===================================================================
+--- /meow/build/index.js
++++ /meow/build/index.js
+@@ -1,9 +1,9 @@
+ import process from 'node:process';
+ import { y as yargsParser, t as trimNewlines, r as redent, n as normalizePackageData, c as camelcaseKeys } from './dependencies.js';
+ import { buildOptions } from './options.js';
+ import { buildParserOptions } from './parser.js';
+-import { checkUnknownFlags, validate, checkMissingRequiredFlags } from './validate.js';
++import { checkUnknownFlags, validate, checkMissingRequiredFlags, collectUnknownFlags } from './validate.js';
+
+ const buildResult = (options, parserOptions) => {
+ 	const {pkg: package_} = options;
+ 	const argv = yargsParser(options.argv, parserOptions);
+@@ -54,8 +54,9 @@
+ 		checkUnknownFlags(input);
+ 	}
+
+ 	const flags = camelcaseKeys(argv, {exclude: ['--', /^\w$/]});
++	const unknownFlags = options.collectUnknownFlags ? collectUnknownFlags(input) : [];
+ 	const unnormalizedFlags = {...flags};
+
+ 	validate(flags, options);
+
+@@ -73,8 +74,9 @@
+
+ 	return {
+ 		input,
+ 		flags,
++		unknownFlags,
+ 		unnormalizedFlags,
+ 		pkg: package_,
+ 		help,
+ 		showHelp,
+Index: /meow/build/parser.js
+===================================================================
+--- /meow/build/parser.js
++++ /meow/build/parser.js
+@@ -72,9 +72,9 @@
+ 	if (parserOptions['--']) {
+ 		parserOptions.configuration['populate--'] = true;
+ 	}
+
+-	if (!options.allowUnknownFlags) {
++	if (!options.allowUnknownFlags || options.collectUnknownFlags) {
+ 		// Collect unknown options in `argv._` to be checked later.
+ 		parserOptions.configuration['unknown-options-as-args'] = true;
+ 	}
+
+Index: /meow/build/validate.js
+===================================================================
+--- /meow/build/validate.js
++++ /meow/build/validate.js
+@@ -67,10 +67,12 @@
+ 		...unknownFlags,
+ 	].join('\n'));
+ };
+
++const collectUnknownFlags = input => input.filter(item => typeof item === 'string' && item.startsWith('-'));
++
+ const checkUnknownFlags = input => {
+-	const unknownFlags = input.filter(item => typeof item === 'string' && item.startsWith('-'));
++	const unknownFlags = collectUnknownFlags(input);
+ 	if (unknownFlags.length > 0) {
+ 		reportUnknownFlags(unknownFlags);
+ 		process.exit(2);
+ 	}
+@@ -118,5 +120,5 @@
+ 		process.exit(2);
+ 	}
+ };
+
+-export { checkMissingRequiredFlags, checkUnknownFlags, validate };
++export { checkMissingRequiredFlags, checkUnknownFlags, collectUnknownFlags, validate };
diff --git a/src/cli.mts b/src/cli.mts
@@ -185,16 +185,14 @@ void (async () => {
     debugFn('Uncaught error (BAD!):')
     debugFn(e)
 
-    // Try to parse the flags, find out if --json or --markdown is set
+    // Try to parse the flags, find out if --json or --markdown is set.
     let isJson = false
     try {
       const cli = meow(``, {
         argv: process.argv.slice(2),
-        importMeta: { url: `${pathToFileURL(__filename)}` } as ImportMeta,
-        flags: {},
-        // Do not strictly check for flags here.
-        allowUnknownFlags: true,
         autoHelp: false,
+        flags: {},
+        importMeta: { url: `${pathToFileURL(__filename)}` } as ImportMeta,
       })
       isJson = !!cli.flags['json']
     } catch {}

diff --git a/src/commands/fix/cmd-fix.mts b/src/commands/fix/cmd-fix.mts
@@ -20,76 +20,78 @@ import type { RangeStyle } from '../../utils/semver.mts'
 
 const { DRY_RUN_NOT_SAVING } = constants
 
+const flags: CliCommandConfig['flags'] = {
+  ...commonFlags,
+  autoMerge: {
+    type: 'boolean',
+    default: false,
+    description: `Enable auto-merge for pull requests that Socket opens.\n                        See ${terminalLink(
+      'GitHub documentation',
+      'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository',
+    )} for managing auto-merge for pull requests in your repository.`,
+  },
+  autopilot: {
+    type: 'boolean',
+    default: false,
+    description: `Shorthand for --autoMerge --test`,
+  },
+  ghsa: {
+    type: 'string',
+    default: [],
+    description: `Provide a list of ${terminalLink(
+      'GHSA IDs',
+      'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids',
+    )} to compute fixes for, as either a comma separated value or as multiple flags.\n                        Use '--ghsa auto' to automatically lookup GHSA IDs and compute fixes for them.`,
+    isMultiple: true,
+  },
+  limit: {
+    type: 'number',
+    default: Infinity,
+    description: 'The number of fixes to attempt at a time',
+  },
+  purl: {
+    type: 'string',
+    default: [],
+    description: `Provide a list of ${terminalLink(
+      'PURLs',
+      'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl',
+    )} to compute fixes for, as either a comma separated value or as multiple flags,\n                        instead of querying the Socket API`,
+    isMultiple: true,
+    shortFlag: 'p',
+  },
+  rangeStyle: {
+    type: 'string',
+    default: 'preserve',
+    description: `
+                      Define how updated dependency versions should be written in package.json.
+                      Available styles:
+                        * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
+                        * gt - Use > to allow any newer version (e.g. >1.2.3)
+                        * gte - Use >= to allow any newer version (e.g. >=1.2.3)
+                        * lt - Use < to allow only lower versions (e.g. <1.2.3)
+                        * lte - Use <= to allow only lower versions (e.g. <=1.2.3)
+                        * pin - Use the exact version (e.g. 1.2.3)
+                        * preserve - Retain the existing version range style as-is
+                        * tilde - Use ~ range for patch/minor updates (e.g. ~1.2.3)
+    `.trim(),
+  },
+  test: {
+    type: 'boolean',
+    default: false,
+    description: 'Verify the fix by running unit tests',
+  },
+  testScript: {
+    type: 'string',
+    default: 'test',
+    description: 'The test script to run for each fix attempt',
+  },
+}
+
 const config: CliCommandConfig = {
   commandName: 'fix',
   description: 'Update dependencies with "fixable" Socket alerts',
   hidden: false,
-  flags: {
-    ...commonFlags,
-    autoMerge: {
-      type: 'boolean',
-      default: false,
-      description: `Enable auto-merge for pull requests that Socket opens.\n                        See ${terminalLink(
-        'GitHub documentation',
-        'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository',
-      )} for managing auto-merge for pull requests in your repository.`,
-    },
-    autopilot: {
-      type: 'boolean',
-      default: false,
-      description: `Shorthand for --autoMerge --test`,
-    },
-    ghsa: {
-      type: 'string',
-      default: [],
-      description: `Provide a list of ${terminalLink(
-        'GHSA IDs',
-        'https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids',
-      )} to compute fixes for, as either a comma separated value or as multiple flags.\n                        Use '--ghsa auto' to automatically lookup GHSA IDs and compute fixes for them.`,
-      isMultiple: true,
-    },
-    limit: {
-      type: 'number',
-      default: Infinity,
-      description: 'The number of fixes to attempt at a time',
-    },
-    purl: {
-      type: 'string',
-      default: [],
-      description: `Provide a list of ${terminalLink(
-        'PURLs',
-        'https://github.com/package-url/purl-spec?tab=readme-ov-file#purl',
-      )} to compute fixes for, as either a comma separated value or as multiple flags,\n                        instead of querying the Socket API`,
-      isMultiple: true,
-      shortFlag: 'p',
-    },
-    rangeStyle: {
-      type: 'string',
-      default: 'preserve',
-      description: `
-                        Define how updated dependency versions should be written in package.json.
-                        Available styles:
-                          * caret - Use ^ range for compatible updates (e.g. ^1.2.3)
-                          * gt - Use > to allow any newer version (e.g. >1.2.3)
-                          * gte - Use >= to allow any newer version (e.g. >=1.2.3)
-                          * lt - Use < to allow only lower versions (e.g. <1.2.3)
-                          * lte - Use <= to allow only lower versions (e.g. <=1.2.3)
-                          * pin - Use the exact version (e.g. 1.2.3)
-                          * preserve - Retain the existing version range style as-is
-                          * tilde - Use ~ range for patch/minor updates (e.g. ~1.2.3)
-      `.trim(),
-    },
-    test: {
-      type: 'boolean',
-      default: false,
-      description: 'Verify the fix by running unit tests',
-    },
-    testScript: {
-      type: 'string',
-      default: 'test',
-      description: 'The test script to run for each fix attempt',
-    },
-  },
+  flags,
   help: (command, config) => `
     Usage
       $ ${command} [options] [CWD=.]
@@ -167,8 +169,9 @@ async function run(
       : Infinity) || Infinity
   const purls = cmdFlagValueToArray(cli.flags['purl'])
   const testScript = String(cli.flags['testScript'] || 'test')
+  const { unknownFlags } = cli
 
-  await handleFix(argv, {
+  await handleFix({
     autoMerge,
     cwd,
     ghsas,
@@ -178,5 +181,6 @@ async function run(
     rangeStyle,
     test,
     testScript,
+    unknownFlags,
   })
 }