SocketDev · John-David Dalton (jdalton) · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
diff --git a/src/commands/fix/cmd-fix.mts b/src/commands/fix/cmd-fix.mts
@@ -98,6 +98,12 @@ Available styles:
     default: '',
     description: 'Path to store upgrades as a JSON file at this path.',
   },
+  minimumReleaseAge: {
+    type: 'string',
+    default: '',
+    description:
+      'Minimum age required for suggested upgrades (e.g., 1h, 2d, 3w).',
+  },
 }
 
 const hiddenFlags: MeowFlags = {
@@ -215,6 +221,7 @@ async function run(
     limit,
     markdown,
     maxSatisfying,
+    minimumReleaseAge,
     outputFile,
     prCheck,
     rangeStyle,
@@ -234,6 +241,7 @@ async function run(
     rangeStyle: RangeStyle
     unknownFlags?: string[]
     outputFile: string
+    minimumReleaseAge: string
   }
 
   const dryRun = !!cli.flags['dryRun']
@@ -297,6 +305,7 @@ async function run(
     ghsas,
     glob,
     limit,
+    minimumReleaseAge,
     minSatisfying,
     prCheck,
     orgSlug,

diff --git a/src/commands/fix/cmd-fix.test.mts b/src/commands/fix/cmd-fix.test.mts
@@ -181,6 +181,7 @@ describe('socket fix', async () => {
             --json              Output as JSON
             --limit             The number of fixes to attempt at a time (default 10)
             --markdown          Output as Markdown
+            --minimum-release-age  Minimum age required for suggested upgrades (e.g., 1h, 2d, 3w).
             --output-file       Path to store upgrades as a JSON file at this path.
             --range-style       Define how dependency version ranges are updated in package.json (default 'preserve').
                                 Available styles:

diff --git a/src/commands/fix/coana-fix.mts b/src/commands/fix/coana-fix.mts
@@ -49,6 +49,7 @@ export async function coanaFix(
     ghsas,
     glob,
     limit,
+    minimumReleaseAge,
     orgSlug,
     outputFile,
     spinner,
@@ -142,6 +143,9 @@ export async function coanaFix(
         ...(fixConfig.rangeStyle
           ? ['--range-style', fixConfig.rangeStyle]
           : []),
+        ...(minimumReleaseAge
+          ? ['--minimum-release-age', minimumReleaseAge]
+          : []),
         ...(glob ? ['--glob', glob] : []),
         ...(dontApplyFixes ? [FLAG_DRY_RUN] : []),
         ...(outputFile ? ['--output-file', outputFile] : []),
@@ -194,6 +198,9 @@ export async function coanaFix(
         ...(fixConfig.rangeStyle
           ? ['--range-style', fixConfig.rangeStyle]
           : []),
+        ...(minimumReleaseAge
+          ? ['--minimum-release-age', minimumReleaseAge]
+          : []),
         ...(glob ? ['--glob', glob] : []),
         ...fixConfig.unknownFlags,
       ],
@@ -251,6 +258,9 @@ export async function coanaFix(
         ...(fixConfig.rangeStyle
           ? ['--range-style', fixConfig.rangeStyle]
           : []),
+        ...(minimumReleaseAge
+          ? ['--minimum-release-age', minimumReleaseAge]
+          : []),
         ...(glob ? ['--glob', glob] : []),
         ...fixConfig.unknownFlags,
       ],

diff --git a/src/commands/fix/handle-fix.mts b/src/commands/fix/handle-fix.mts
@@ -23,6 +23,7 @@ export type HandleFixConfig = Remap<
     outputKind: OutputKind
     unknownFlags: string[]
     outputFile: string
+    minimumReleaseAge: string
   }
 >
 
@@ -105,6 +106,7 @@ export async function handleFix({
   glob,
   limit,
   minSatisfying,
+  minimumReleaseAge,
   orgSlug,
   outputFile,
   outputKind,
@@ -138,6 +140,7 @@ export async function handleFix({
       ghsas: await convertIdsToGhsas(ghsas),
       glob,
       limit,
+      minimumReleaseAge,
       minSatisfying,
       orgSlug,
       prCheck,

diff --git a/src/commands/fix/types.mts b/src/commands/fix/types.mts
@@ -8,6 +8,7 @@ export type FixConfig = {
   ghsas: string[]
   glob: string
   limit: number
+  minimumReleaseAge: string
   minSatisfying: boolean
   orgSlug: string
   prCheck: boolean

diff --git a/src/utils/dlx.mts b/src/utils/dlx.mts
@@ -21,6 +21,7 @@
 import { createRequire } from 'node:module'
 
 import { getOwn } from '@socketsecurity/registry/lib/objects'
+import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import { getDefaultOrgSlug } from '../commands/ci/fetch-default-org-slug.mts'
 import constants, {
@@ -172,6 +173,9 @@ export async function spawnDlx(
  * Helper to spawn coana with dlx.
  * Automatically uses force and silent when version is not pinned exactly.
  * Returns a CResult with stdout extraction for backward compatibility.
+ *
+ * If SOCKET_CLI_COANA_LOCAL_PATH environment variable is set, uses the local
+ * Coana CLI at that path instead of downloading from npm.
  */
 export async function spawnCoanaDlx(
   args: string[] | readonly string[],
@@ -211,6 +215,25 @@ export async function spawnCoanaDlx(
   }
 
   try {
+    const localCoanaPath = process.env['SOCKET_CLI_COANA_LOCAL_PATH']
+    // Use local Coana CLI if path is provided.
+    if (localCoanaPath) {
+      const finalEnv = {
+        ...process.env,
+        ...constants.processEnv,
+        ...mixinsEnv,
+        ...spawnEnv,
+      }
+      const spawnResult = await spawn('node', [localCoanaPath, ...args], {
+        cwd: dlxOptions.cwd,
+        env: finalEnv,
+        stdio: spawnExtra?.['stdio'] || 'inherit',
+      })
+
+      return { ok: true, data: spawnResult.stdout }
+    }
+
+    // Use npm/dlx version.
     const result = await spawnDlx(
       {
         name: '@coana-tech/cli',