SocketDev · Martin Torp (mtorp) · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.83](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.83) - 2026-04-14
+
+### Fixed
+- `socket fix` now shows a clear error when a vulnerability ID (GHSA, CVE, or PURL) is passed as a positional argument instead of with `--id`, with a helpful "Did you mean" suggestion
+- `socket fix` now shows a clear error when the target directory does not exist, instead of a confusing API error about missing files
+
 ## [1.1.82](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.82) - 2026-04-13
 
 ### Changed

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.82",
+  "version": "1.1.83",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",

diff --git a/src/commands/fix/cmd-fix.integration.test.mts b/src/commands/fix/cmd-fix.integration.test.mts
@@ -442,9 +442,7 @@ describe('socket fix', async () => {
     async cmd => {
       const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
       const output = stdout + stderr
-      expect(output).toMatch(
-        /Unable to resolve|An error was thrown while requesting/,
-      )
+      expect(output).toMatch(/Target directory does not exist/)
       expect(code, 'should exit with non-zero code').not.toBe(0)
     },
   )
@@ -737,9 +735,7 @@ describe('socket fix', async () => {
       async cmd => {
         const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
         const output = stdout + stderr
-        expect(output).toMatch(
-          /Unable to resolve|An error was thrown while requesting/,
-        )
+        expect(output).toMatch(/Target directory does not exist/)
         expect(code).toBeGreaterThan(0)
       },
     )

diff --git a/src/commands/fix/cmd-fix.mts b/src/commands/fix/cmd-fix.mts
@@ -1,3 +1,4 @@
+import { existsSync } from 'node:fs'
 import path from 'node:path'
 
 import terminalLink from 'terminal-link'
@@ -400,6 +401,34 @@ async function run(
     return
   }
 
+  // Check if a positional argument looks like a vulnerability ID (GHSA, CVE,
+  // or PURL) that was likely intended to be passed with --id.
+  const rawInput = cli.input[0]
+  if (
+    rawInput &&
+    (/^GHSA-/i.test(rawInput) ||
+      /^CVE-/i.test(rawInput) ||
+      rawInput.startsWith('pkg:'))
+  ) {
+    logger.fail(
+      `"${rawInput}" looks like a vulnerability identifier, not a directory path.\nDid you mean: socket fix ${FLAG_ID} ${rawInput}`,
+    )
+    process.exitCode = 1
+    return
+  }
+
+  let [cwd = '.'] = cli.input
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd)
+
+  // Validate the target directory exists.
+  if (!existsSync(cwd)) {
+    logger.fail(`Target directory does not exist: ${cwd}`)
+    process.exitCode = 1
+    return
+  }
+
   if (dryRun) {
     logger.log(constants.DRY_RUN_NOT_SAVING)
     return
@@ -416,11 +445,6 @@ async function run(
 
   const orgSlug = orgSlugCResult.data
 
-  let [cwd = '.'] = cli.input
-  // Note: path.resolve vs .join:
-  // If given path is absolute then cwd should not affect it.
-  cwd = path.resolve(process.cwd(), cwd)
-
   const { spinner } = constants
 
   const includePatterns = cmdFlagValueToArray(include)