Badge API returns 403 (Cloudflare challenge) — GitHub README badges broken #1123
Description
Description
The Socket badge API endpoint (https://socket.dev/api/badge/npm/package/<name>) is returning a Cloudflare challenge page (403) instead of the SVG badge. This breaks badge rendering on GitHub READMEs and any automated badge consumers.
Steps to reproduce
curl -sI "https://socket.dev/api/badge/npm/package/kastell"
# Returns: HTTP/1.1 403 with Cloudflare challenge HTMLExpected behavior
The badge endpoint should return an SVG image without requiring JavaScript/cookie-based Cloudflare verification, since badge consumers (GitHub camo proxy, shields.io, CI tools) cannot execute JavaScript.
Actual behavior
- GitHub README shows a stale/cached badge or "in progress" text
curland other HTTP clients receive a 403 with Cloudflare challenge page- The socket.dev website itself shows the correct score (e.g., 73 for
kastell)
Environment
- Package:
kastell(npm) - Badge URL:
https://socket.dev/api/badge/npm/package/kastell - Tested from multiple locations and user agents
Suggestion
Consider allowlisting the /api/badge/ path from Cloudflare's managed challenge, similar to how shields.io and other badge services handle their SVG endpoints.