From 0f14cca801e3c9f72040e7952e161bd975c9f61d Mon Sep 17 00:00:00 2001
From: Martin Torp <martin@socket.dev>
Date: Fri, 8 May 2026 15:15:10 -0700
Subject: [PATCH] fix(fix): make --ecosystems case-insensitive

Lowercase --ecosystems input before validation so values like NPM, Npm,
and npm are all accepted, mirroring --package-managers behavior. Update
help text accordingly and bump patch version.
---
 CHANGELOG.md                                  |  5 +++++
 package.json                                  |  2 +-
 src/commands/fix/cmd-fix.integration.test.mts | 19 ++++++++++++++++++-
 src/commands/fix/cmd-fix.mts                  |  8 ++++++--
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80c5d7954..5e7462dba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.93](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.93) - 2026-05-08
+
+### Changed
+- `socket fix --ecosystems` now accepts values case-insensitively (e.g. `NPM`, `npm`, and `Npm` are all valid), matching the existing behavior of `--package-managers`.
+
 ## [1.1.92](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.92) - 2026-05-05
 
 ### Changed
diff --git a/package.json b/package.json
index 285c243b7..8823c1696 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.92",
+  "version": "1.1.93",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
diff --git a/src/commands/fix/cmd-fix.integration.test.mts b/src/commands/fix/cmd-fix.integration.test.mts
index 013b00d17..99c589f53 100644
--- a/src/commands/fix/cmd-fix.integration.test.mts
+++ b/src/commands/fix/cmd-fix.integration.test.mts
@@ -168,7 +168,7 @@ describe('socket fix', async () => {
                                 See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
             --debug             Enable debug logging in the Coana-based Socket Fix CLI invocation.
             --disable-external-tool-checks  Disable external tool checks during fix analysis.
-            --ecosystems        Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.
+            --ecosystems        Limit fix analysis to specific ecosystems. Accepts space- or comma-separated values and is case-insensitive. Defaults to all ecosystems.
             --exclude           Exclude workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags
             --fix-version       Override the version of @coana-tech/cli used for fix analysis. Default: <coana-version>.
             --id                Provide a list of vulnerability identifiers to compute fixes for:
@@ -1109,6 +1109,23 @@ describe('socket fix', async () => {
       },
     )
 
+    cmdit(
+      [
+        'fix',
+        FLAG_DRY_RUN,
+        '--ecosystems',
+        'NPM,PyPI',
+        FLAG_CONFIG,
+        '{"apiToken":"fakeToken"}',
+      ],
+      'should accept --ecosystems case-insensitively',
+      async cmd => {
+        const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+        expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Not saving"`)
+        expect(code, 'should exit with code 0').toBe(0)
+      },
+    )
+
     cmdit(
       [
         'fix',
diff --git a/src/commands/fix/cmd-fix.mts b/src/commands/fix/cmd-fix.mts
index c7c5d75b5..75d51355a 100644
--- a/src/commands/fix/cmd-fix.mts
+++ b/src/commands/fix/cmd-fix.mts
@@ -168,7 +168,7 @@ Available styles:
     type: 'string',
     default: [],
     description:
-      'Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.',
+      'Limit fix analysis to specific ecosystems. Accepts space- or comma-separated values and is case-insensitive. Defaults to all ecosystems.',
     isMultiple: true,
   },
   packageManagers: {
@@ -367,7 +367,11 @@ async function run(
   const outputKind = getOutputKind(json, markdown)
 
   // Process comma-separated values for ecosystems flag.
-  const ecosystemsRaw = cmdFlagValueToArray(ecosystems)
+  // ALL_ECOSYSTEMS is lowercase, so normalize input for a case-insensitive
+  // match (mirrors --package-managers behavior).
+  const ecosystemsRaw = cmdFlagValueToArray(ecosystems).map(s =>
+    s.toLowerCase(),
+  )
 
   // Validate ecosystem values early, before dry-run check.
   const validatedEcosystems: PURL_Type[] = []