feat(cli): rename --default-branch (scan create) to --make-default-branch; harden default-branch flags#1230
Open
John-David Dalton (jdalton) wants to merge 6 commits intomainfrom
Open
Conversation
`--default-branch` is a boolean meow flag, so
`--default-branch=main` silently becomes `defaultBranch=true` with
the `"main"` portion discarded. Users with that (reasonable)
intuition ended up with scans that weren't tagged with any branch
name and didn't show up in the Main/PR dashboard tabs.
Pre-flight check in `run()` scans the raw argv for
`--default-branch=<value>`. Values that coerce to boolean
(`true` / `false`, any case) are let through; anything else is
treated as a misuse and fails with:
✗ "--default-branch=main" looks like you meant the branch name "main".
--default-branch is a boolean flag; pass the branch name with --branch instead:
socket scan create --branch main --default-branch
Exits with code 2 (invalid usage), consistent with other flag
validation failures in this command.
Added tests:
* misuse form with a branch-name value is caught and logged
* explicit `--default-branch=true|false|TRUE` all pass through
* bare `--default-branch` with paired `--branch main` flows through
John-David Dalton (jdalton)
force-pushed
the
fix/scan-default-branch-misuse-detection
branch
from
50d4d2b to
385aad4
Compare
Contributor
Author
|
Cursor (@cursor) review |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Addresses Cursor bugbot feedback on PR #1230. yargs-parser expands camelCase flag names, so users can type either --default-branch= or --defaultBranch= from the shell. The pre-flight misuse check now tests both prefixes. Added a regression test for the camelCase variant.
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit d461dc7. Configure here.
Contributor
Author
|
Cursor (@cursor) review |
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
1 issue from previous review remains unresolved.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit d461dc7. Configure here.
Addresses Cursor bugbot feedback on PR #1230. findDefaultBranchValueMisuse only returned the extracted value, so the error message always quoted '--default-branch=<value>' even when the user typed the camelCase '--defaultBranch=<value>' form. Return the matched prefix alongside the value so the error quotes what the user actually typed.
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 54f92cc. Configure here.
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 54f92cc. Configure here.
Match the sibling `cmd-scan-*` convention of placing `export const cmd*` immediately before `async function run`, and drop comments that restated the code rather than explaining non-obvious *why*. The one remaining comment on the misuse check keeps the meow/yargs-parser coercion detail, which isn't derivable from reading the code.
John-David Dalton (jdalton)
changed the title
Bill Li (billxinli)
approved these changes
Apr 20, 2026
…anch Ends the --default-branch overload by aligning each command's flag name with the Socket API field it triggers: - scan create: new --make-default-branch (bool) mirrors `make_default_branch`. Legacy --default-branch / --defaultBranch kept as a deprecated boolean alias (declared as its own flag because meow's `aliases` forwarding was unreliable inside this command's flag set). Deprecation warning fires when the legacy name is used; misuse heuristic still catches --default-branch=<name> and --default-branch <name> on the deprecated alias. - repository create / repository update: flag unchanged (already matches `default_branch`). Added empty-value validation that rejects bare --default-branch and --default-branch= instead of silently persisting a blank default-branch name. Help text in cmd-scan-create.mts rewritten to describe what the flag actually does (reassigns the repo's default-branch pointer). Tests cover: primary flag happy path, primary flag misuse detection, deprecation warning on legacy flag, back-compat wiring of legacy flag, and empty-value rejection on both repository commands.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Ends the
--default-branchoverload betweensocket scan createand thesocket repositorycommands by giving each command a flag name that matches what the Socket API actually does.scan create--default-branch(bool)--make-default-branch(bool)make_default_branchrepository create--default-branch=<name>--default-branch=<name>(unchanged)default_branchrepository update--default-branch=<name>--default-branch=<name>(unchanged)default_branchWhy
--default-branchhistorically meant two different things:repository create/update: "the name of this repo's default branch" (string — sent asdefault_branch).scan create: "mark this scan as the default-branch scan" (boolean — sent asmake_default_branch).Same flag name, different shapes. Users naturally carried the string-accepting form over to
scan createand lost their branch name silently (meow coerces a value on a boolean flag totrueand drops the value). The root cause is the naming collision, not the parser behavior.Changes
scan create--make-default-branch(boolean) — primary name, mirrors themake_default_branchAPI field.--default-branch/--defaultBranch— kept as a deprecated alias via meow'saliases. Emitslogger.warnon use so scripts keep working but authors know to migrate.--default-branch=<name>and--default-branch <name>(space-separated) still produce an actionable error even though the flag is deprecated, because silently dropping the branch name is worse than nagging.repository create/repository update--default-branch=<name>— it already matches the API field).--default-branchor--default-branch=now warns that a value is required.Tests
cmd-scan-create.test.mts— new suite for--make-default-branchprimary path; existing--default-branchmisuse tests kept and extended to also assert the deprecation warning on legacy use.cmd-repository-create.test.mts/cmd-repository-update.test.mts— new tests for the empty-value warning.Test plan
pnpm run typepnpm --filter @socketsecurity/cli run test:unitpnpm run build:clisocket scan create --default-branchshows deprecation warning;socket scan create --make-default-branchworks;socket scan create --default-branch=mainstill errors with actionable message.### Changedand### Deprecated.