Coana CLI

CLI Changelog

All changes to the Coana CLI are described on this page. All other Coana changes to Coana services and applications are described on the Coana Services page.

11.6.11 (Feb 25. 2024)

Fix an issue where the Coana CLI would crash on npm-based projects that use globs to resolve workspace paths.

11.6.10 (Feb 24. 2024)

Include environment variable MAVEN_CLI_OPTS in all mvn commands run by the Coana CLI.

11.6.9 (Feb 22. 2024)

Fix max buffer length exceeded error that could occur on some Maven projects.

11.6.8 (Feb 13. 2024)

Fix an issue where the CLI didn't extract dependency types correctly for peer and optional dependencies in npm.

11.6.7 (Feb 12. 2024)

Collect better errors reports if the Coana CLI crashes. Helps the Coana team to identify and fix bugs.

11.6.6 (Feb 10. 2024)

Increase default memory limit assigned to the static analyses from 4GB to 8GB.

11.6.5 (Feb 9. 2024)

Improves compatibility with yarn berry workspace projects.

11.6.4 (Feb 8. 2024)

Improvements to the static analyses.

11.6.2 (Feb 5. 2024)

Fix an issue where vulnerabilities were not reported correctly for git-based dependencies in pnpm projects.

11.6.1 (Jan 31. 2024)

  • Remove some debug logging enabled by default.
  • Improved the structure of debug logging when using the --debug flag.

11.6.0 (Jan 24. 2024)

Add support for Java (Maven) security scanning.

11.5.5 (Jan 10. 2024)

  • Various minor bug fixes mostly affecting yarn classic (< 2.x.y)
  • Record ecosystem. Change required to support non-JS languages.

11.5.1 (Jan 4. 2024)

Fix an issue where the CLI's compute dependency type feature would crash in some rare edge cases where the static analysis and the package manager disagrees on the dependency structure. Adds support for security scanning of Maven-based Java projects.

11.4.1 (Jan 2. 2024)

  • Fix an issue where the CLI didn't handle pre-release and build identifiers for some pnpm versions.

11.4.0 (Dec 27. 2023)

  • Record the name and version of packages affected by vulnerabilities.
  • Record the dependency type of direct dependencies on chains leading vulnerabilities.
  • Fix an issue where Coana would crash on npm workspace projects where at least of the workspaces used a scoped package name, e.g., @scope/pkg.

11.3.3 (Dec 18. 2023)

Better debug logging.

11.3.2 (Nov 29. 2023)

Better debug logging.

11.3.1 (Nov 28. 2023)

Fix a bug where the static analysis did not process some functions correctly.

11.3.0 (Nov 27. 2023)

  • Record dependency type (dev, prod, or dev&prod).
  • Fix an issue where not all vulnerability fixes were enabled by default.
  • Better debugging output.

11.2.0 (Nov 23. 2023)

The Coana report now includes information about dependency upgrades that can fix vulnerabilities.

11.1.1 (Nov 21. 2023)

Ensure Coana doesn't crash when it encounters an unlikely scenario where it cannot extract a file name.

11.1.0 (Nov 20. 2023)

Coana reports now include enough information to allow it to show version numbers in dependency chains.

11.0.0 (Nov 10. 2023)

Breaking changes

Includes a new and much simplified report format.

Other changes

The new format fixes a bug where the vulnChainDetails field was incorrectly shared between the same vulnerability across multiple workspaces.

10.0.1 (Nov 1. 2023)

Fix a bug where the analysis could enter an infinite loop on projects with 0 vulnerabilities.

10.0.0 (Oct 26. 2023)

Upgrade the CLI to use Node version 20, which just entered LTS.

9.1.0 (Oct 26. 2023)

Fix an issue where the offline mode would complain about a missing access paths file when running through Docker.

9.0.0 (Oct 20. 2023)

Breaking changes

This updates contains considerable breaking changes to the CLI. A lot of legacy features have been removed including the ability to generate HTML and markdown reports. It's still possible to generate JSON reports, but now -o . should be used in place -o json -p .. The JSON report format has also changed to make it compatible with DTO that's submitted to the dashboard.

Other changes

The CLI now includes an offline mode where it can run the entire Coana vulnerability scanning without access to the internet. An offline vulnerability database most be provided using the --offline-database argument.

8.6.0 (Oct 19. 2023)

Updates the underlying static analysis.

8.5.0 (Oct 18. 2023)

Using the --write-report-to-file in a GitHub action will now upload the dashboard-report.json as an artifact.

8.4.1 (Oct 6. 2023)

Supress internal errors when the CLI fails to extract git SHAs and branch names.

8.4.0 (Oct 6. 2023)

The CLI now also captures git commit shas and branch names.

8.3.0 (Oct 2. 2023)

  • Fix an issue where the CLI execution was not calculated correctly.
  • Coana will now gather more data about the performance of the static analysis. We expect this data will help us better identify bottlenecks and improve the analysis going forward. We want to emphasize that we still don't gather source code or any other sensitive information.

8.2.0 (Sep 24. 2023)

new --write-report-to-file debug option.

8.1.0 (Sep 22. 2023)

Switch to newer more efficient security auditor backend.

8.0.0 (Sep 18. 2023)

Breaking changes

Removes a lot of the non-security-related features since these are no longer a priority for us. Since you are unlikely to use any of these features, you probably won't feel the breaking changes. The CLI is now also slightly more performant.

7.2.0 (Sep 15. 2023)

The static analysis engine has been updated.

7.1.0 (Sep 14. 2023)

The static analysis engine has been updated.


The Coana CLI now integrates with the Coana dashboard using the --api-key option.

6.2.2 (Sep 7. 2023)

Fixed an issue where the Coana APIs could not be reached

6.2.1 (Aug 22. 2023)

Fixed an issue where an error getaddrinfo ENOTFOUND was thrown occasionally. The error is due to a DNS lookup timeout, so we now try to resend the request instead of throwing an error when it occurs.

6.2.0 (Aug 14. 2023)

Add --timeout/-t option for specifying the timeout of API calls to the Coana backend.

6.1.0 (Aug 4. 2023)

Breaking changes

  • --jsonReport has been renamed to --json-report such that the naming better matches the name given to the other report types.
  • --json-report, --markdown-report and --json-report have been deprecated in favor of -o, --output <html,json,md>. For example, replace --json-report with -o json. Use -p, --output-path if you want to write the output to some other folder than the current working directory.

Other changes

  • The backend API has been partially re-implemented. This change should alleviate the problem of long periods of downtime.
  • Various improvements to the precision and speed of the static analysis.
  • Fix an issue where the CLI did not work on Windows due to a bug in the mechanism that initiated the static analysis.

5.0.0 (June 23. 2023)

Breaking changes

This update shouldn't be breaking. Various new fields have been added to the Coana report json object, but it's still backward compatible.

Other changes

Contains lot of minor bug fixes and improvements. Most notably, the layout of the HTML report has improved considerable.

4.0.0 (Apr 27. 2023)

Breaking changes

The JSON output type of the Coana CLI has changed. This change was made to align the JSON output type of the CLI, with the output type used to generate the HTML and markdown reports. The new return type definition is found here (opens in a new tab). Notice, the name is also changed from CoanaCLIOutput to CoanaReport.

Adapting to the new output type

Assuming you were working in a non-workspace project (only a single package.json). If you were previously reading output.unusedPackages, you have to make the following change:

- output.unusedPackages;
+ output.packageSummaries['.'].unusedPackages;

If you were previously reading output.vulnerablePackages, you have to make the following change:

- output.vulnerablePackages;
+ output.vulnerablePackages['.'] => pkg.packageName);

If you were previously reading output.packageDetails, you have to make the following change:

- output.packageDetails[somePkgName];
+ output.packageDetails['.'][somePkgName];

For workspace projects (muliple package.json), the change is slightly more complicated. Since Coana now groups the output by workspace name, you have to iterate over the workspace names to extract all of the data. For example:

- output.unusedPackages;
+ import { resolve } from 'path';
+ Object.keys(output.unusedPackages).flatMap(workspace => output.unusedPackages[workspace].map(pkg => resolve(workspace, pkg)));

Other changes

  • The Coana CLI now supports config files in YAML format. You can continue to use the old JSON5 format if you prefer.
  • The security auditor algorithm has changed quite dramatically. The CLI tool should run a lot faster as a consequence.

3.1.0 (Apr 23. 2023)

The coana CLI is now ready to be used with GitHub actions. The GitHub actions are available here (opens in a new tab) (documentation will follow later).

3.0.0 (Apr 19. 2023)

Breaking changes

The --out <path> or -o <path> option has been replaced with --jsonReport <path>. The <path> passed to --out used to include the file name, e.g., --out ./report.json, but now it should instead point to the folder where a report (coana-report.json) is written. For example --jsonReport . writes coana-report.json to the current directory. This change was made to align the behavior of out/jsonReport with HTML and markdown reports.

Other changes

Use the --silent to remove all logging and debug output. Also disables the spinner.

2.1.0 (Apr 18. 2023)

Coana can now output a HTML and markdown report. Pass either the --html-report . or --markdown-report . option to Coana generate the report in the CWD.

For example:

docker run -v $PWD:/project coana/coana:latest coana --html-report . /project

2.0.0 (Apr 12. 2023)

Breaking changes

  • See the new support for workspaces above. For non-workspaces projects, no breaking changes should be observed.

  • The vulnerability scanning mechanism has been optimized slightly to perform better with the new workspaces mechanism. Previously, if you had a project ./packages/package-a that depends on the local workspace ./packages/package-b and package-b is affected by a vulnerability, Coana would also report that vulnerability in package-a. However, since package-b is now also analyzed separate from package-a, Coana refrains from also reporting its vulnerabilities together with package-a in version 2.0.0 and above. Notice, this change only affects where vulnerabilities are reported (NOT which vulnerabilities that are found).

Other changes

Coana now supports workspaces (mono repositories). If you use workspaces (both npm, Yarn, or pnpm are supported), the Coana CLI can now aggregate the data from each workspace in a single run. For example, if you previously had a workspaces project with the following structure:


You would have had do 3 invocations of the CLI to gather data from each workspace:

docker run -v $PWD:/project coana/coana:latest coana ./
docker run -v $PWD:/project coana/coana:latest coana ./packages/packaga-a
docker run -v $PWD:/project coana/coana:latest coana ./packages/packaga-b

A single invocation will now gather data for each workspace

docker run -v $PWD:/project coana/coana:latest coana ./

The output type is different for workspace projects, where the packageDetails is now a 2-layer map from workspace path to package name to details for that package (See the version 2.x.x and 3.x.x types (opens in a new tab) for more details).

1.5.0 (Apr 3. 2023)

Don't show a package as unused if it appears to be used as a plugin in a config file. This feature is a heuristic (not always correct), and can be disabled by setting 'reportUnusedConfigPlugins' to true in coana-config.json.

1.4.0 (Apr 3. 2023)

Support for Yarn classic (Yarn below version 2) projects.

1.3.0 (Apr 1. 2023)

  • Do not report packages as unused if they are peer dependencies of used packages.
  • Use --version to print the version of the Coana CLI.

1.2.1 (Mar 24. 2023)

There is a new minAuditLevel property to be set in coana-config.json. It takes the values 'info', 'low', 'moderate', 'high', 'critical' or 'none' and defaults to 'info'. Packages that are only affected by vulnerabilities below minAuditLevel are not reported in vulnerablePackages.

1.2.0 (Mar 23. 2023)

  • The Docker image now uses alpine Linux instead of Debian (it has reduced its size from about 1GB to around 250MB (370MB to 60MB in the compressed fomat)).
  • The vulnerability scanner now contains suggested fixes computed by the Coana backend. To actually apply the fixes, you can use the Coana VSCode Extension (opens in a new tab).
  • The 'check for unused packages' feature now matches bins provided by a package with the scripts in the package.json (before it would only match on package names). This change means that if you depend on TypeScript, and use the TypeScript bin 'tsc' in one of your scripts, then TypeScript will not be flagged as unused.

1.1.1 (Feb 27. 2023)

Don't report a package as unused if:

  • It's a developer dependency
  • It's used in the script section of the package.json
  • It's a @types package