
[codex] Use Socket purl scoring for non-npm packages #15

Merged
hammadtq merged 7 commits into main from fix/pypi-cargo-go-endpoint
Apr 3, 2026

Conversation

hammadtq (Collaborator) commented Apr 2, 2026

Summary

Use Socket's POST /v0/purl endpoint as a temporary non-npm scoring shim for PyPI, Go, and Cargo while keeping npm/pnpm on the existing /score path.

What changed

  • route PyPI, Go, and Cargo GetPackageScore calls through isolated purl helpers
  • batch non-npm ListVersions scoring through a single capped purl request
  • aggregate multi-artifact PyPI responses conservatively using worst-case score plus deduped alerts
  • treat missing purl rows as unsupported-source/manual-review rather than zero-score success
  • surface a clearer error when the Socket token is missing the packages:list scope

Why

The current GET /v0/{ecosystem}/{name}/{version}/score path only works for npm, so non-npm packages were falling back to zero scores and getting denied incorrectly.

Validation

  • go test ./internal/provider/socket
  • go test ./...
  • go vet ./...
  • go build ./...

hammadtq and others added 7 commits April 2, 2026 16:18
…urce

When the purl endpoint returns no artifact for a public PyPI/Go/Cargo
package, return a plain error instead of ErrUnsupportedSource. This
preserves fail-closed behavior in the selector (deny) rather than
fail-open (allow with source not supported).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
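The two behaviours described in the PR summary and in the commit message above, conservative aggregation of multi-artifact purl rows (worst-case score, deduplicated alerts) and fail-closed handling of a package for which the purl endpoint returned no row, written out as an added example; this is not the project's code, and `PurlRow`, `AggregateScore`, `ErrNoArtifact` and the sample rows are constructed stand-ins for the real Socket response types.

```go
package main

import (
	"errors"
	"sort"
)

// PurlRow is a constructed, simplified stand-in for one artifact row in a
// POST /v0/purl response (e.g. a PyPI sdist or wheel); not Socket's real type.
type PurlRow struct {
	Purl   string
	Score  int // 0-100, higher is better
	Alerts []string
}

// ErrNoArtifact is a plain error for "no row came back for this package".
// Callers that deny on any error therefore fail closed instead of treating
// the package as a zero-score success or as an unsupported source.
var ErrNoArtifact = errors.New("socket purl: no artifact returned for package")

// AggregateScore collapses every row whose purl matches into one conservative
// result: the lowest score seen and the union of alerts, deduplicated and sorted.
func AggregateScore(purl string, rows []PurlRow) (int, []string, error) {
	worst := -1
	seen := map[string]bool{}
	for _, r := range rows {
		if r.Purl != purl {
			continue
		}
		if worst < 0 || r.Score < worst {
			worst = r.Score // keep the worst-case score across artifacts
		}
		for _, a := range r.Alerts {
			seen[a] = true
		}
	}
	if worst < 0 {
		return 0, nil, ErrNoArtifact // missing row: error, never a silent 0
	}
	alerts := make([]string, 0, len(seen))
	for a := range seen {
		alerts = append(alerts, a)
	}
	sort.Strings(alerts)
	return worst, alerts, nil
}
```

With two rows for the same PyPI release scoring 92 and 61, the aggregate is 61 with the merged alert list; a purl with no matching row returns ErrNoArtifact.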
@hammadtq hammadtq marked this pull request as ready for review April 3, 2026 01:47
@hammadtq hammadtq merged commit 8aea172 into main Apr 3, 2026
2 checks passed