|
1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +## 2.2.91 |
| 4 | + |
| 5 | +### Dependencies |
| 6 | + |
| 7 | +Bundles twelve open Dependabot dependency PRs: |
| 8 | + |
| 9 | +- Main-app `uv` deps (closes #175, #177, #181, #184, #188, #190, #198, #200, #205): |
| 10 | + `urllib3 2.6.3 -> 2.7.0`, `gitpython 3.1.46 -> 3.1.50`, `python-dotenv 1.2.1 -> 1.2.2`, |
| 11 | + `pytest 9.0.2 -> 9.0.3`, `uv 0.9.21 -> 0.11.6`, `cryptography 46.0.5 -> 46.0.7`, |
| 12 | + `pygments 2.19.2 -> 2.20.0`, `requests 2.32.5 -> 2.33.0`, `idna 3.11 -> 3.15`. |
| 13 | +- E2E fixture manifests (closes #186, #187, #196): |
| 14 | + `axios 1.15.0 -> 1.15.2` (simple-npm), `requests 2.31.0 -> 2.33.0` (simple-pypi), |
| 15 | + `flask 3.0.0 -> 3.1.3` (simple-pypi). |
| 16 | + |
| 17 | +**`idna` 3.11 -> 3.15 is security-motivated**: pulls in the fix for **CVE-2026-45409** |
| 18 | +(a quadratic-time DoS vector via oversized inputs that bypassed the earlier |
| 19 | +CVE-2024-3651 mitigation). The remaining bumps are version-currentness hygiene. |
| 20 | + |
| 21 | +All twelve target versions were verified through Socket Firewall (`sfw`) on the |
| 22 | +full transitive dependency tree before bundling. |
| 23 | + |
| 24 | +### CI / Internal |
| 25 | + |
| 26 | +- **`.github/dependabot.yml`** (new -- the repo had no explicit config). Groups Python |
| 27 | + minor/patch into ONE weekly PR plus a separate major-update PR. Groups GitHub Actions |
| 28 | + similarly. 7-day cooldown across ecosystems. `tests/e2e/fixtures/**` intentionally |
| 29 | + excluded (fixture pins should be chosen for the supply-chain signal they expose, not |
| 30 | + auto-rolled). Pattern adapted from `SocketDev/socket-basics`. |
| 31 | +- **`.github/workflows/dependabot-review.yml`** (new). On every Dependabot PR: inspect |
| 32 | + changed files, then conditionally run Socket Firewall (`sfw`) install smoke jobs |
| 33 | + against the affected manifests. Because `sfw` uses the free, anonymous Socket |
| 34 | + public-data path it needs NO API key, so this runs cleanly under the standard |
| 35 | + `pull_request` context -- no `pull_request_target`, no token-leak surface. |
| 36 | +- **`python-tests.yml`** now runs a `uv lock --locked` drift check, a top-level import |
| 37 | + smoke step (catches API-removal breaks from upgraded deps instantly), and `pip-audit` |
| 38 | + against the locked dependencies. |
| 39 | +- **`e2e-test.yml`** now skips on Dependabot PRs (which don't have access to |
| 40 | + `SOCKET_CLI_API_TOKEN`); the new `dependabot-review` workflow's `sfw` smoke jobs |
| 41 | + cover the supply-chain check without needing the secret. |
| 42 | + |
| 43 | +### Housekeeping |
| 44 | + |
| 45 | +- `.gitignore` reorganized into labeled sections with sorted entries. Added `.context/` |
| 46 | + (Conductor workspace scratch), `coverage.xml`, `.pytest_cache/`, and vim swap files |
| 47 | + (`*.swp`, `*.swo`) for completeness. Dropped a stray `*.cpython-312.pyc\`` line that |
| 48 | + had a literal-backtick typo (it wasn't matching anything, and `*.pyc` already covers |
| 49 | + it). |
| 50 | +- Backfilled missing CHANGELOG entries for `2.2.81`, `2.2.85`, `2.2.86`, `2.2.88`, and |
| 51 | + `2.2.89` (the previous backfill in #180 covered `2.2.74`-`2.2.80`). |
| 52 | + |
3 | 53 | ## 2.2.90 |
4 | 54 |
|
5 | 55 | - Migrated license enrichment PURL lookup to the org-scoped endpoint (`POST /v0/orgs/{slug}/purl`) from the deprecated global endpoint (`POST /v0/purl`). |
6 | 56 |
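Review bot: in the Housekeeping bullet of the 2.2.91 section, the inline code span containing `*.cpython-312.pyc` followed by a backslash and a backtick will not render as intended: Markdown does not honour backslash escapes inside a code span, so the backslash stays literal and the next backtick closes the span, leaving a stray backtick in the rendered text. Wrap that token in a double-backtick code span (with a space inside the delimiters) so the literal backtick is displayed. Separately, the Dependencies section merges three bumps to files under `tests/e2e/fixtures/**` while the CI section says those fixture pins are intentionally excluded from auto-rolling because they are chosen for the supply-chain signal they expose; one sentence noting that #186, #187 and #196 predate the new `dependabot.yml` (and that the bumped pins still exercise the intended signal) would keep the two sections from reading as contradictory.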
|
| 57 | +## 2.2.89 |
| 58 | + |
| 59 | +- Added `uv.lock` to the version-incrementation CI check so a `pyproject.toml` / |
| 60 | + `__init__.py` version bump without a matching lockfile sync no longer slips through. |
| 61 | +- Updated the local Python pre-commit hook to keep `uv.lock` in sync with |
| 62 | + `pyproject.toml` and `socketsecurity/__init__.py` version changes automatically. |
| 63 | + |
| 64 | +## 2.2.88 |
| 65 | + |
| 66 | +- Added `bun.lock`, `bun.lockb`, and `vlt-lock.json` to the recognized manifest files |
| 67 | + for Socket scanning, with matching unit-test coverage. |
| 68 | + |
| 69 | +## 2.2.86 |
| 70 | + |
| 71 | +- Bumped `socketdev` to `>=3.0.33,<4.0.0` to pick up the SDK fix for unknown alert |
| 72 | + categories (the SDK previously crashed while deserializing diff alerts when the API |
| 73 | + returned a category like `"other"`). |
| 74 | +- Normalized diff artifacts with `score=None` to an empty score map in the CLI model |
| 75 | + layer; PR-comment dependency-overview rendering no longer crashes on missing or |
| 76 | + partial score data. |
| 77 | +- Defaulted missing badge values to a valid `100%` fallback rather than producing |
| 78 | + invalid badge URLs. |
| 79 | + |
| 80 | +## 2.2.85 |
| 81 | + |
| 82 | +- Added four hidden `--reach-continue-on-*` flags in preparation for Coana CLI v15: |
| 83 | + `--reach-continue-on-analysis-errors`, `--reach-continue-on-install-errors`, |
| 84 | + `--reach-continue-on-missing-lock-files`, `--reach-continue-on-no-source-files`. |
| 85 | + Each forwards to the matching Coana flag and opts out of one of Coana v15's new |
| 86 | + halt-by-default behaviors. No-op against today's default Coana version; will take |
| 87 | + effect automatically once Coana v15 becomes the default. |
| 88 | + |
7 | 89 | ## 2.2.83 |
8 | 90 |
|
9 | 91 | - Fixed branch detection in detached-HEAD CI checkouts. When `git name-rev --name-only HEAD` returned an output with a suffix operator (e.g. `remotes/origin/master~1`, `master^0`), the `~N`/`^N` was previously passed through as the branch name and rejected by the Socket API as an invalid Git ref. The suffix is now stripped before the prefix split, producing the bare branch name. |
10 | 92 |
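Review bot: in the 2.2.86 entry, defaulting a missing badge value to `100%` turns an absence of score data into the best possible score, so a failed or partial score lookup becomes indistinguishable from a clean result on the rendered badge. Prefer a neutral placeholder (for example an "unknown" or `n/a` badge) and state the chosen behaviour in the entry, since it changes what a green badge means to a reader of the PR comment. Also, the backfill covers 2.2.85, 2.2.86, 2.2.88 and 2.2.89 but skips 2.2.82, 2.2.84 and 2.2.87; a one-line note that those releases had no user-visible changes (if that is the case) would keep the version sequence readable.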
|
| 93 | +## 2.2.81 |
| 94 | + |
| 95 | +- Fixed GitLab security report schema compliance: corrected schema validation errors so |
| 96 | + Socket-produced reports parse cleanly under GitLab's dependency-scanning ingestion. |
| 97 | +- Populated scan alert data in the GitLab security report so previously-empty alert |
| 98 | + sections now carry the expected findings. |
| 99 | + |
11 | 100 | ## 2.2.80 |
12 | 101 |
|
13 | 102 | - Hardened GitHub Actions workflows. |
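Review bot: the 2.2.81 entry says schema validation errors were corrected without naming which GitLab security report schema version the output now validates against; stating that version (and the schema version the report declares in its output, if that changed) would tell downstream consumers which GitLab releases will ingest the report. The second bullet would also benefit from saying whether reports generated by earlier versions, with their empty alert sections, need to be regenerated to pick up the findings.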
|