add --no-major-updates and --show-affected-direct-dependencies flags to socket fix

[mtorp]

--no-major-updates: Requires that fixes computed by socket fix do not change major versions in direct and/or transitive dependencies
--show-affected-direct-dependencies: Shows the direct dependencies responsible for introducing transitive vulnerabilities, and show what updates are necessary to remove the vulnerabilities.

[claude]

Claude finished @mtorp's task —— View job

---

Code Review Complete ✅

I've reviewed the PR that adds --no-major-updates and --show-affected-direct-dependencies flags to the socket fix command. Overall, this is a well-implemented feature with good adherence to codebase patterns. Here's my detailed feedback:

✅ Strengths

1. Excellent Pattern Adherence: Follows the established command architecture perfectly (cmd-, handle-, types.mts, coana-fix.mts)
2. Comprehensive Test Coverage: 53 new lines of tests covering both flags individually and in combination
3. Consistent Type Integration: Proper TypeScript types added to FixConfig interface
4. Good CLI UX: Clear, descriptive help text for both flags
5. Proper Flag Integration: Both flags are correctly passed through the entire command chain

🔍 Detailed Analysis

Flag Implementation (cmd-fix.mts:117-123)

• --no-major-updates correctly implemented as a negated boolean flag (hidden: true pattern)
• --show-affected-direct-dependencies has clear, user-friendly description
• Both flags properly integrated into the command flow

Type Definitions (types.mts:8,17)

• Clean additions to FixConfig interface
• Follows existing naming conventions perfectly

Business Logic (handle-fix.mts, coana-fix.mts:154-157,211-216,275-278)

• Flags are correctly passed to the underlying Coana CLI tool
• Proper conditional inclusion using spread syntax
• No logic bugs identified

Test Coverage (cmd-fix.test.mts:359-400)

• Comprehensive test coverage for both flags
• Tests both individual flag usage and combination scenarios
• Follows existing test patterns consistently

🎯 Code Quality Assessment

• Security: ✅ No security concerns
• Performance: ✅ No performance impact
• Architecture: ✅ Follows established patterns perfectly
• Maintainability: ✅ Clear, readable implementation
• Documentation: ✅ Good help text and clear naming

⚖️ Minor Observations

1. Line Length: Some help text lines are quite long (cmd-fix.mts:120-122) but this is acceptable for CLI help text
2. Test Patterns: Tests follow the existing pattern of expecting org resolution failures, which is appropriate for this test setup

📋 Verification Checklist

• Code follows repository patterns (CLAUDE.md compliance)
• Proper TypeScript typing
• Comprehensive test coverage
• Clear documentation/help text
• No security vulnerabilities
• No performance regressions
• Backward compatibility maintained

🎉 Recommendation

This PR is ready to merge. The implementation is solid, well-tested, and follows all established patterns. The new flags will provide valuable functionality for users needing more control over dependency updates.

The author has done an excellent job implementing these features with attention to detail and consistency with the existing codebase.

---

[jdalton]

Merged via 02f3d61