Migrate license enrichment to org-scoped endpoint#180
Merged
Conversation
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
|
🚀 Preview package published! Install with: pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.90.dev3Docker image: |
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
lelia
requested review from
Eric Hibbs (flowstate)
and removed request for
Douglas (dacoburn)
# Conflicts: # CHANGELOG.md # pyproject.toml # socketsecurity/__init__.py
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
5 tasks
lelia
added a commit
that referenced
this pull request
May 29, 2026
Patch release. Scope is maintenance only: dependency bundle + Dependabot review hardening + housekeeping + CHANGELOG backfill. No behavior changes. Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix release landing separately. CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered 2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note). Version refs synced across pyproject.toml, socketsecurity/__init__.py, and uv.lock per the version-incrementation CI check. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
lelia
added a commit
that referenced
this pull request
May 29, 2026
Patch release. Scope is maintenance only: dependency bundle + Dependabot review hardening + housekeeping + CHANGELOG backfill. No behavior changes. Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix release landing separately. CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered 2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note). Version refs synced across pyproject.toml, socketsecurity/__init__.py, and uv.lock per the version-incrementation CI check. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
lelia
added a commit
that referenced
this pull request
May 29, 2026
Patch release. Scope is maintenance only: dependency bundle + Dependabot review hardening + housekeeping + CHANGELOG backfill. No behavior changes. Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix release landing separately. CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered 2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note). Version refs synced across pyproject.toml, socketsecurity/__init__.py, and uv.lock per the version-incrementation CI check. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
lelia
added a commit
that referenced
this pull request
May 29, 2026
Patch release. Scope is maintenance only: dependency bundle + Dependabot review hardening + housekeeping + CHANGELOG backfill. No behavior changes. Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix release landing separately. CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered 2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note). Version refs synced across pyproject.toml, socketsecurity/__init__.py, and uv.lock per the version-incrementation CI check. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
lelia
added a commit
that referenced
this pull request
May 29, 2026
* chore: prettify, sort, and round out .gitignore
Reorganizes .gitignore into labeled sections (Python cache, venvs, build
artifacts, IDE, OS, logs, env files, generated output, project scratch,
Conductor) with sorted entries within each group and trailing slashes on
directory patterns for clarity.
Folds in three smaller intents that would otherwise be separate commits:
- Add .context/ for Conductor workspaces (collaboration scratch)
- Add coverage.xml + .pytest_cache/ to fully cover pytest-cov outputs
(.coverage.* and htmlcov/ were already on main from prior work)
- Add *.swp / *.swo for vim swap files
Drops the stale `*.cpython-312.pyc\`` line with a literal-backtick typo;
it wasn't matching anything and `*.pyc` already covers the case.
No behavior changes anyone would notice from the resulting rule set.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* ci: add .github/dependabot.yml to tame Dependabot PR noise
The repo had no explicit Dependabot config, so Dependabot ran on full
defaults: one PR per package per manifest, across every manifest in
the tree -- including the e2e test fixtures that are intentionally
crafted to exercise Socket's scanner. The cumulative result was the
"PR pileup" this PR is consolidating.
New config:
- uv ecosystem (main app): grouped weekly into ONE minor/patch PR and
one major PR; matches the existing python:uv labeling
- github-actions: grouped weekly into ONE minor/patch PR
- docker: separate weekly PR per Dockerfile change
- 7-day cooldown across all ecosystems to give upstream time to pull
bad releases
- e2e fixtures (tests/e2e/fixtures/{simple-npm,simple-pypi}) are
INTENTIONALLY excluded -- their pins should be chosen for supply-
chain signal, not auto-bumped (this is why we had three fixture
PRs in the cleanup)
Pattern adapted from SocketDev/socket-basics.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* ci: add dependabot-review workflow with Socket Firewall smoke jobs
For every Dependabot-authored PR, inspect what changed and conditionally
run Socket Firewall (sfw) install smoke jobs against the affected
manifests. Because sfw uses the anonymous Socket public-data API it
needs NO secret, so this runs cleanly under the standard `pull_request`
context -- no pull_request_target, no token-leak surface.
Jobs (all conditional on file diff):
- python-sfw-smoke: pyproject.toml / uv.lock -> `sfw uv sync` plus
an import smoke on the modules that depend on
the upgraded packages (cryptography, gitpython,
requests, ...). Catches API-removal breaks
from minor/patch deprecations.
- fixture-npm-sfw-smoke: tests/e2e/fixtures/simple-npm/** -> `sfw npm
install` in a clean cwd.
- fixture-pypi-sfw-smoke: tests/e2e/fixtures/simple-pypi/** -> `sfw pip
install -r requirements.txt` in a clean venv.
- dockerfile-smoke: `docker build --pull` (no push) when the
Dockerfile changes.
- workflow-notice: Flag Dependabot PRs that touch workflow or
dependabot config files for explicit human
review (anti-supply-chain-confusion guardrail).
Pattern adapted from SocketDev/socket-basics dependabot-review.yml.
Action SHAs match the pins already in python-tests.yml and e2e-test.yml
so zizmor stays happy.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* ci: add lock-drift, import-smoke, and pip-audit; skip e2e on dependabot
python-tests.yml:
- `uv lock --locked` -- fails if uv.lock has drifted from pyproject.toml.
Prevents the "forgot to commit the lockfile" class of mistake.
- Import smoke step that loads every top-level module touching the
upgraded packages (cryptography, gitpython, requests, urllib3, ...).
Catches API-removal breaks from minor/patch deprecations that the
unit suite alone wouldn't surface.
- `uvx pip-audit --strict` against the synced env -- light CVE check
on the resolved transitive tree. Runs in seconds via uv's caching.
e2e-test.yml:
- Skip e2e on Dependabot PRs. They don't have access to the Socket API
secret so e2e would always fail on them, polluting the PR check UI.
Supply-chain risk for dep bumps is covered by dependabot-review.yml's
Socket Firewall smoke jobs, which need no secrets.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* ci: fix pip-audit invocation to scan exported requirements
`uvx pip-audit --disable-pip` requires `-r` plus either hashed
requirements or `--no-deps`. The previous invocation crashed at start.
Now: export the locked deps via `uv export --no-hashes --no-emit-project`
into a tmp requirements file (skipping the local editable install of
the project itself), then feed that to pip-audit with `--disable-pip
--no-deps`. Verified locally -- no known vulnerabilities found across
the 85 locked transitive deps.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* chore(deps): bump 9 main-app dependencies to latest
Bundles the nine open Dependabot PRs against the main app into a single
uv.lock regeneration. Where Dependabot's target trailed the latest published
release, we went to the current latest and re-verified through sfw:
- urllib3 2.6.3 -> 2.7.0 (closes #200)
- gitpython 3.1.46 -> 3.1.50 (closes #198)
- python-dotenv 1.2.1 -> 1.2.2 (closes #190)
- pytest 9.0.2 -> 9.0.3 (closes #188)
- uv 0.9.21 -> 0.11.17 (closes #210; Dependabot targeted 0.11.15)
- cryptography 46.0.5 -> 46.0.7 (closes #181)
- pygments 2.19.2 -> 2.20.0 (closes #177)
- requests 2.32.5 -> 2.33.0 (closes #175)
- idna 3.11 -> 3.15 (closes #205, CVE-2026-45409)
idna 3.14 fixed CVE-2026-45409 -- a quadratic-time DoS via oversized inputs
that bypassed the earlier CVE-2024-3651 mitigation. The rest are hygiene.
All nine final versions verified clean through Socket Firewall (sfw) on the
full transitive tree.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* chore(deps): bump e2e fixture manifests
Closes the open Dependabot PRs against the e2e test fixtures. axios went to
the current latest (1.16.1) rather than Dependabot's 1.16.0 target:
- tests/e2e/fixtures/simple-npm: axios 1.15.0 -> 1.16.1 (closes #209)
- tests/e2e/fixtures/simple-pypi: requests 2.31.0 -> 2.33.0 (closes #187)
- tests/e2e/fixtures/simple-pypi: flask 3.0.0 -> 3.1.3 (closes #186)
These fixtures were stale rather than intentionally pinned. Socket Firewall
verified the install paths. The new .github/dependabot.yml intentionally
excludes tests/e2e/fixtures/** from future auto-bumps.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
* chore(release): 2.2.93 with CHANGELOG backfill
Patch release. Scope is maintenance only: dependency bundle + Dependabot
review hardening + housekeeping + CHANGELOG backfill. No behavior changes.
Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix
release landing separately.
CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81,
2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered
2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note).
Version refs synced across pyproject.toml, socketsecurity/__init__.py, and
uv.lock per the version-incrementation CI check.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
---------
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
org_slugtosdk.purl.post()so license enrichment uses the current org-scoped PURL endpoint (POST /v0/orgs/{slug}/purl) instead of the deprecated global endpoint (POST /v0/purl)CHANGELOGentries forv2.2.74–v2.2.80Changes
get_license_text_via_purl()now routes through the org-scoped endpointReviewer Notes
🚨 NOTE: Should be reviewed in parallel with
socket-sdk-pythoncompanion PR (SocketDev/socket-sdk-python#76) which passesorg_slugin the CLI's license enrichment call. This CLI PR should not be merged until the SDK change is released.Next Steps
Once the SDK is released, bump the version in
pyproject.tomland regenerate the lockfile before merging this PR.fixes: CE-86