
feat(manifest): add socket manifest dotnet (1.1.126, Coana 15.5.6) #1375

Open
Jeppe Fredsgaard Blaabjerg (jfblaa) wants to merge 1 commit into v1.x from jfblaa/manifest-dotnet

@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) commented Jun 22, 2026

Contributor

Summary

Adds a new socket manifest dotnet command that generates a Socket facts file (.socket.facts.json) from a .NET project, mirroring the maven / gradle / scala (sbt) facts flows. socket-cli delegates to the Coana CLI's manifest dotnet command, which runs a bundled NuGet/MSBuild resolver (SDK-style projects via RestoreRunner, legacy packages.config reading); socket-cli only constructs the args and verifies the emitted facts file.

This ships as the 1.1.126 release: the feature plus the Coana bump it depends on.

What's included

  • New command cmd-manifest-dotnet.mts — facts-only. Flags: --bin (defaults to dotnet on PATH), --dotnet-opts, --ignore-unresolved, --verbose. Reads defaults from socket.json like the other tools.
  • convert-dotnet-to-facts.mts — thin delegate to the shared runCoanaManifestFacts (widened to accept ecosystem: 'dotnet' / --dotnet-opts).
  • Auto-detection: *.csproj / *.fsproj / *.vbproj / *.sln at the directory root in detect-manifest-actions.mts, wired into socket manifest auto.
  • Setup wizard — a .NET choice + setupDotnet in the socket manifest setup configurator.
  • Types: dotnet entry in socket.json manifest defaults.
  • Docs/changelog — README section and a 1.1.126 changelog entry.
  • Coana bump: @coana-tech/cli 15.5.5 → 15.5.6, which adds the manifest dotnet command this delegates to.

Design note: no config filters

Unlike the JVM generators, Coana's runDotnet does not consume --include-configs / --exclude-configs (.NET resolution has no equivalent of Gradle/Maven configurations). To avoid advertising no-op flags, the dotnet command intentionally omits them and exposes only --ignore-unresolved (which still applies via the generic unresolved-dependency policy) and --dotnet-opts.

Verification

  • pnpm build:dist:src, pnpm check:tsc, biome format, eslint all clean.
  • New cmd-manifest-dotnet.test.mts (help + dry-run); updated cmd-manifest.test.mts snapshot; full unit suite passes (1337 tests).
  • Confirmed the published Coana 15.5.6 ships manifest-scripts/dotnet/Coana.Dotnet.Manifest.dll at the path the runner resolves (so real users don't hit an empty-graph asset-path miss).

Follows #1373 (maven), now merged.


Note

Medium Risk
New manifest path spawns dotnet/Coana and shapes scan SBOM inputs; behavior is beta and follows existing facts generators, with dependency on the Coana 15.5.6 bundle.

Overview
Release 1.1.126 adds socket manifest dotnet [beta], which writes .socket.facts.json for .NET repos by delegating to Coana’s manifest dotnet (NuGet/MSBuild via the dotnet host). Flags include --bin, --dotnet-opts, and --ignore-unresolved; --include-configs / --exclude-configs are omitted on purpose for .NET.

The same release wires dotnet (and maven, where present in the branch) into socket manifest auto, manifest setup, and socket.json defaults, with root-level detection for *.csproj / *.sln (and related extensions). parseBuildToolOpts centralizes quoted parsing for --gradle-opts, --sbt-opts, --maven-opts, and --dotnet-opts. @coana-tech/cli is bumped to 15.5.6.

Reviewed by Cursor Bugbot for commit ee925e3.
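
The overview above mentions centralized quoted parsing for the `--*-opts` flags. As an added example (not socket-cli's or Coana's code; `splitToolOpts` and the sample option strings are hypothetical), this shows quote-aware splitting into an argv array that can be handed to a process-spawn call without a shell:

```typescript
// Added example: hypothetical helper, not socket-cli's parseBuildToolOpts.
// Splits a raw "--dotnet-opts"-style string into argv elements, honouring
// single and double quotes, so the result can be passed to a process-spawn
// API as an array (no shell) rather than concatenated into a command line.
function splitToolOpts(raw: string): string[] {
  const args: string[] = []
  let current = ''
  let quote = '' // '' = outside quotes, otherwise the opening quote char
  let inToken = false // true once a token has started, even if empty ("")

  for (let i = 0; i < raw.length; i += 1) {
    const ch = raw.charAt(i)
    if (quote !== '') {
      if (ch === quote) {
        quote = '' // closing quote: the token continues
      } else {
        current += ch // everything inside quotes is literal
      }
    } else if (ch === '"' || ch === "'") {
      quote = ch
      inToken = true
    } else if (ch === ' ' || ch === '\t' || ch === '\n') {
      if (inToken) {
        args.push(current)
        current = ''
        inToken = false
      }
    } else {
      current += ch
      inToken = true
    }
  }
  if (quote !== '') {
    // Fail closed rather than guess where the argument was meant to end.
    throw new Error(`unterminated ${quote} quote in tool options`)
  }
  if (inToken) {
    args.push(current)
  }
  return args
}

// Constructed sample inputs (the option strings are illustrative only).
const plainOpts = splitToolOpts('--no-cache  --verbosity detailed')
const quotedOpts = splitToolOpts('--source "C:\\Local Feed" -p:Configuration=Release')
// Shell metacharacters stay inside one argv element; no shell ever sees them.
const metaOpts = splitToolOpts("--source 'feed; touch marker' --no-cache")
console.log(plainOpts, quotedOpts, metaOpts)
```

Because each element reaches the child process as a separate argument, a value such as `feed; touch marker` is treated as data for `--source`, not as a second command.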

Add a `socket manifest dotnet` command that generates a Socket facts file
(`.socket.facts.json`) from a .NET project by delegating to the Coana CLI's
`manifest dotnet` command (which runs a bundled NuGet/MSBuild resolver for
SDK-style and legacy `packages.config` projects), mirroring the existing
gradle/sbt/maven facts flows. Includes detection of `*.csproj`/`*.fsproj`/
`*.vbproj`/`*.sln` project/solution files, `socket manifest auto` wiring, the
`socket manifest setup` configurator, socket.json defaults, and `--dotnet-opts`
/ `--bin` pass-through.

Unlike the JVM tools, the .NET resolver has no configuration filters, so
`--include-configs`/`--exclude-configs` are intentionally not exposed; only
`--ignore-unresolved` and `--dotnet-opts` apply.

Bump Coana CLI to 15.5.6, which adds the `manifest dotnet` command this
delegates to.
@socket-security


Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | npm/@coana-tech/cli@15.5.6 | 96 | 100 | 80 | 98 | 100 |
