base repository: SocketDev/socket-sdk-python
base: v3.1.1
head repository: SocketDev/socket-sdk-python
compare: v3.1.2
  • 1 commit
  • 10 files changed
  • 2 contributors

Commits on Jun 2, 2026

  1. Dependabot hardening + dependency update bundle (#84)

    * Harden Dependabot reviews and bundle dependency updates
    
    Mirrors the Dependabot hardening done in socket-python-cli (#207/#217/#218),
    adapted to this SDK (no Dockerfile, no e2e fixtures, hatch/pip build path).
    
    Bundle dependency updates (supersedes 4 open Dependabot PRs):
    - idna 3.11 -> 3.17 (security: CVE-2026-45409 quadratic-time DoS fix)
    - cryptography 46.0.5 -> 46.0.7
    - pygments 2.19.2 -> 2.20.0
    - uv 0.9.21 -> 0.11.17
    
    Verified via uv sync --locked, import smoke, and pytest tests/unit (102 passed).
    
    Adds grouped/cooldowned dependabot.yml (uv + github-actions), a
    dependabot-review workflow running anonymous Socket Firewall smoke jobs,
    Version Check / PR Preview skips for Dependabot PRs, and setup-sfw /
    setup-hatch composite actions.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * chore(release): bump to 3.1.2
    
    Version Check requires a package-version increment on maintainer PRs, and
    this PR bundles dependency bumps + Dependabot hardening. Bump version.py,
    pyproject.toml, and the uv.lock project version in sync.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * Extend dependency review to maintainers (free + enterprise SFW)
    
    Broaden dependabot-review into dependency-review so the Socket Firewall
    guardrail covers maintainer PRs too, not just Dependabot:
    
    - inspect now runs on every PR and computes the SFW edition per-PR:
      enterprise for a trusted SocketDev member (author_association OWNER/
      MEMBER/COLLABORATOR) on an in-repo (non-fork) PR when SOCKET_API_TOKEN
      is present; free (anonymous) for Dependabot, forks, external
      contributors, or when the token is absent.
    - The mode degrades to free whenever the token is missing, so this is
      safe to ship before the secret exists and auto-upgrades to enterprise
      once SOCKET_API_TOKEN is added (repo or org level). The SDK has no
      Socket token today (cf. socket-python-cli's SOCKET_CLI_API_TOKEN).
    - setup-sfw composite action gains `mode` + `socket-token` inputs,
      forwarded to socketdev/action (same action, firewall-free vs
      firewall-enterprise).
    - Rename workflow dependabot-review.yml -> dependency-review.yml to match
      the broadened scope (not a required status check).
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * fix(dependency-review): use runner Python, forbid uv interpreter download
    
    .python-version pins 3.12.7; setup-python provides 3.12.13, so `uv sync`
    tried to download the exact managed CPython from GitHub, which Socket
    Firewall's TLS interception blocked (UnknownIssuer). Set UV_PYTHON=3.12 +
    UV_PYTHON_DOWNLOADS=never so uv uses the runner interpreter and only PyPI
    package fetches route through sfw.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * fix(dependency-review): require strict org membership for enterprise SFW
    
    Tighten the enterprise-mode gate to author_association OWNER/MEMBER only.
    Outside collaborators (COLLABORATOR) now fall through to the free edition,
    same as Dependabot / forks / external contributors.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * chore(dependency-review): rename enterprise secret to SOCKET_SFW_API_TOKEN
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * fix(dependency-review): scope SFW token to a dedicated environment
    
    Resolve zizmor secrets-outside-env (medium) without suppressing it. Split
    the single mode-switching smoke job into two:
    
    - python-sfw-smoke-free: untrusted PRs (Dependabot, forks, outside
      collaborators, externals). Anonymous free edition, never references the
      token.
    - python-sfw-smoke-enterprise: SocketDev org members (OWNER/MEMBER) on an
      in-repo PR. Authenticated enterprise edition; SOCKET_SFW_API_TOKEN is
      scoped to the `socket-firewall` GitHub environment, so only this job can
      read it.
    
    inspect now classifies PR trust (author_association OWNER/MEMBER, non-fork,
    non-Dependabot) and references no secret. No required-reviewer protection
    on the environment, so trusted dep PRs still run automatically.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * fix(dependency-review): gate enterprise on write-access (non-fork), not author_association
    
    author_association only reflects PUBLIC org membership, so private members
    (the common case here) show as CONTRIBUTOR and were misclassified -> the
    enterprise job always skipped. Switch the trust gate to "non-fork PR and not
    Dependabot": only accounts with write access can push an in-repo branch, the
    same boundary GitHub uses for secret exposure. No read:org token needed.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    * ci(dependency-review): upload SFW smoke artifacts
    
    * ci(dependency-review): include SFW JSON report artifact
    
    * ci(dependency-review): read SFW report path from env var, drop stdout scrape
    
    Match socket-python-cli: discover the firewall report via the
    $SFW_JSON_REPORT_PATH env var that socketdev/action exports, instead of
    parsing the 'sfw report written to:' line out of stdout.
    
    The two sync steps return to plain 'set -o pipefail' + tee. A new
    'Collect SFW JSON report' step (if: always(), before each upload) copies
    $SFW_JSON_REPORT_PATH into sfw-artifacts/sfw-report.json -- copy, not
    move, since socketdev/action's post step reads that temp path for its job
    summary -- and drops a sfw-report-missing.txt breadcrumb when absent.
    
    More robust than scraping an undocumented log string, and keeps the
    report-capture pattern uniform across both repos.
    
    Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
    
    ---------
    
    Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
    Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
    lelia and claude authored Jun 2, 2026
    Commit 8dfb7a1
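The trust gate, environment scoping and uv interpreter settings that the commit message above describes, written out as an illustrative GitHub Actions workflow. This is an added example, not the repository's actual dependency-review.yml; the composite action path `./.github/actions/setup-sfw`, its `mode` and `socket-token` inputs, the `actions/checkout` pin, and the job bodies are assumptions, while the `socket-firewall` environment, the `SOCKET_SFW_API_TOKEN` secret name and the `UV_PYTHON` / `UV_PYTHON_DOWNLOADS` values come from the commit message.

```yaml
name: dependency-review
on: pull_request
permissions:
  contents: read
env:
  UV_PYTHON: "3.12"            # use the runner's interpreter instead of the .python-version pin
  UV_PYTHON_DOWNLOADS: never   # never fetch a managed CPython, which the TLS-intercepting proxy would block
jobs:
  inspect:
    runs-on: ubuntu-latest
    outputs:
      trusted: ${{ steps.classify.outputs.trusted }}
    steps:
      - id: classify
        env:
          # Read fork status and actor from the event payload; author_association
          # only reflects public org membership, so private members look untrusted.
          IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
          ACTOR: ${{ github.actor }}
        run: |
          if [ "$IS_FORK" = "false" ] && [ "$ACTOR" != "dependabot[bot]" ]; then
            echo "trusted=true" >> "$GITHUB_OUTPUT"
          else
            echo "trusted=false" >> "$GITHUB_OUTPUT"
          fi
  python-sfw-smoke-free:
    needs: inspect
    if: needs.inspect.outputs.trusted == 'false'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-sfw   # hypothetical composite action path
        with:
          mode: free                        # anonymous edition; this job never references the secret
      - run: uv sync --locked
  python-sfw-smoke-enterprise:
    needs: inspect
    if: needs.inspect.outputs.trusted == 'true'
    runs-on: ubuntu-latest
    environment: socket-firewall            # the secret is scoped here, so only this job can read it
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-sfw
        with:
          mode: enterprise
          socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }}
      - run: uv sync --locked
```

Because the `inspect` job references no secret and the two smoke jobs are mutually exclusive on its output, a fork or Dependabot PR can only ever reach the free job, matching the boundary GitHub itself applies to secret exposure.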