Changed version to be optional so that if it isn't there in a diff or… #59

dacoburn · 2025-12-10T14:49:49Z

With the generic error message version might not exist which is breaking the types for full scans and diff scans

Root Cause

Generic error messages might not include the version attribute which had been required

Fix

Made the version attribute be optional

Public Changelog

Fixed an issue where if there was a malformed .socket.facts.json from the Reachability Engine or Socket Basics then it could break the SDK for diff scans and full scans results

… full scan things don't break

socket-security · 2025-12-10T14:50:18Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability	Quality	License
pypi/pytest@8.4.1 ⏵ 9.0.2	^-3
pypi/uv@0.8.13 ⏵ 0.9.17	⁺²	⁺³	^-10
pypi/docutils@0.22 ⏵ 0.22.3
pypi/hatch@1.14.1 ⏵ 1.16.2	^-1
pypi/coverage@7.10.5 ⏵ 7.13.0	⁺¹
pypi/hatchling@1.27.0 ⏵ 1.28.0	⁺¹
pypi/pycparser@2.22 ⏵ 2.23	⁺¹
pypi/urllib3@2.5.0 ⏵ 2.6.1		⁺²²
pypi/twine@6.1.0 ⏵ 6.2.0	⁺¹
pypi/zstandard@0.24.0 ⏵ 0.25.0	⁺¹
pypi/charset-normalizer@3.4.3 ⏵ 3.4.4
pypi/certifi@2025.8.3 ⏵ 2025.11.12
pypi/pyproject-hooks@1.2.0
pypi/tomli@2.2.1 ⏵ 2.3.0	⁺¹
pypi/nh3@0.3.0 ⏵ 0.3.2
pypi/typing-extensions@4.14.1 ⏵ 4.15.0	⁺¹
pypi/ruff@0.12.10 ⏵ 0.14.8	⁺¹			⁺³¹
pypi/pytest-cov@6.2.1 ⏵ 7.0.0
pypi/platformdirs@4.3.8 ⏵ 4.5.1	⁺¹
pypi/iniconfig@2.1.0 ⏵ 2.3.0
pypi/more-itertools@10.7.0 ⏵ 10.8.0	⁺¹
pypi/backports-zstd@1.2.0
pypi/filelock@3.19.1 ⏵ 3.20.0
pypi/idna@3.10 ⏵ 3.11
pypi/trove-classifiers@2025.8.6.13 ⏵ 2025.12.1.14

View full report

github-actions · 2025-12-10T14:50:32Z

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketdev==3.0.22.dev1

socket-security-staging · 2025-12-10T14:52:00Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability
pypi/pytest@8.4.1 ⏵ 9.0.2	^-3
pypi/docutils@0.22 ⏵ 0.22.3
pypi/hatch@1.14.1 ⏵ 1.16.2	^-1
pypi/coverage@7.10.5 ⏵ 7.13.0	⁺¹
pypi/hatchling@1.27.0 ⏵ 1.28.0	⁺¹
pypi/pycparser@2.22 ⏵ 2.23	⁺¹
pypi/urllib3@2.5.0 ⏵ 2.6.1		⁺²²
pypi/backports-zstd@1.2.0
pypi/twine@6.1.0 ⏵ 6.2.0	⁺¹
pypi/zstandard@0.24.0 ⏵ 0.25.0	⁺¹
pypi/certifi@2025.8.3 ⏵ 2025.11.12
pypi/pyproject-hooks@1.2.0
pypi/uv@0.8.13 ⏵ 0.9.17		⁺³
pypi/tomli@2.2.1 ⏵ 2.3.0	⁺¹
pypi/nh3@0.3.0 ⏵ 0.3.2
pypi/typing-extensions@4.14.1 ⏵ 4.15.0	⁺¹
pypi/ruff@0.12.10 ⏵ 0.14.8
pypi/pytest-cov@6.2.1 ⏵ 7.0.0
pypi/platformdirs@4.3.8 ⏵ 4.5.1	⁺¹
pypi/iniconfig@2.1.0 ⏵ 2.3.0
pypi/more-itertools@10.7.0 ⏵ 10.8.0	⁺¹
pypi/filelock@3.19.1 ⏵ 3.20.0
pypi/idna@3.10 ⏵ 3.11

View full report

socket-security-staging · 2025-12-10T14:52:02Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		License policy violation: pypi `docutils` License: License :: OSI Approved :: GNU General Public License (GPL) - This license classifier is not allowed by the applicable policy (docutils-0.22.3/PKG-INFO) License: License :: OSI Approved :: GNU General Public License (GPL) - This license classifier is not allowed by the applicable policy (docutils-0.22.3/pyproject.toml) From: uv.lock → `pypi/docutils@0.22.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore pypi/docutils@0.22.3`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `docutils` License: License :: OSI Approved :: GNU General Public License (GPL) - This license classifier is not allowed by the applicable policy (docutils-0.22.3.dist-info/METADATA) From: uv.lock → `pypi/docutils@0.22.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore pypi/docutils@0.22.3`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `zstandard` under GPL-2.0+ License: GPL-2.0+ - the applicable license policy does not allow this license (4) (zstandard-0.25.0/zstd/COPYING) From: uv.lock → `pypi/zstandard@0.25.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore pypi/zstandard@0.25.0`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Changed version to be optional so that if it isn't there in a diff or…

3eea029

… full scan things don't break

dacoburn requested a review from a team as a code owner December 10, 2025 14:49

dacoburn added the product changelog Any public-facing change in the product's features label Dec 10, 2025

dacoburn requested review from jhiesey and staltz and removed request for a team December 10, 2025 14:49

philidem approved these changes Dec 10, 2025

View reviewed changes

dacoburn merged commit e518f11 into main Dec 10, 2025
6 checks passed

dacoburn deleted the doug/fix-no-version-in-diff branch December 10, 2025 14:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Changed version to be optional so that if it isn't there in a diff or… #59

Changed version to be optional so that if it isn't there in a diff or… #59

Uh oh!

dacoburn commented Dec 10, 2025

Uh oh!

socket-security bot commented Dec 10, 2025

Uh oh!

github-actions bot commented Dec 10, 2025

Uh oh!

socket-security-staging bot commented Dec 10, 2025

Uh oh!

socket-security-staging bot commented Dec 10, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Changed version to be optional so that if it isn't there in a diff or… #59

Changed version to be optional so that if it isn't there in a diff or… #59

Uh oh!

Conversation

dacoburn commented Dec 10, 2025

Root Cause

Fix

Public Changelog

Uh oh!

socket-security bot commented Dec 10, 2025

Uh oh!

github-actions bot commented Dec 10, 2025

Uh oh!

socket-security-staging bot commented Dec 10, 2025

Uh oh!

socket-security-staging bot commented Dec 10, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants