@socketsecurity/sdk 3.2.0 → 3.3.1

package/CHANGELOG.md

@@ -4,6 +4,38 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [3.3.1](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.3.1) - 2026-03-03
+
+### Changed
+
+- **createRepository**: Now requires `repoSlug` as second parameter with typed options including `workspace`, `visibility`, `homepage`, `archived`, `default_branch`, and `description`
+
+### Added
+
+- New API endpoints from OpenAPI sync: CSV/PDF export for full scans, delete triage alerts, new alert types
+
+## [3.3.0](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.3.0) - 2026-01-25
+
+### Added
+
+- New SDK convenience methods for OpenAPI v3.3.0 endpoints:
+  - `batchOrgPackageFetch(orgSlug, components, options)` - Organization-scoped PURL batch lookup with security policy label support
+  - `exportOpenVEX(orgSlug, id, options)` - Export vulnerability exploitability data as OpenVEX v0.2.0 documents (includes patch data and reachability analysis)
+  - `getOrgAlertFullScans(orgSlug, options)` - List full scans associated with specific alerts
+  - `rescanFullScan(orgSlug, fullScanId, options)` - Rescan existing full scans with shallow (policy reapplication) or deep (dependency resolution rerun) modes
+- Repository endpoints now support optional `workspace` parameter for workspace-scoped operations:
+  - `createRepository(orgSlug, params, { workspace })`
+  - `deleteRepository(orgSlug, repoSlug, { workspace })`
+  - `getRepository(orgSlug, repoSlug, { workspace })`
+  - `updateRepository(orgSlug, repoSlug, params, { workspace })`
+
+### Changed
+
+- Updated `@socketsecurity/lib` to v5.5.3
+- TypeScript: Auto-generated strict types from OpenAPI schema for improved type safety
+- TypeScript: All optional properties now explicitly include `| undefined` for better null checking
+- Synced OpenAPI type definitions with latest API specification
+
 ## [3.2.0](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.2.0) - 2025-12-08
 
 ### Added
@@ -320,8 +352,6 @@ Strict types now mark guaranteed API fields as required instead of optional, imp
 
 - File-upload methods automatically skip unreadable files with warnings instead of failing
 
-See [docs/migration-v3.md](./docs/migration-v3.md) and [docs/when-to-use-what.md](./docs/when-to-use-what.md) for migration guidance.
-
 ## [2.0.7](https://github.com/SocketDev/socket-sdk-js/releases/tag/v2.0.7) - 2025-10-22
 
 ### Changed

package/README.md

@@ -2,7 +2,7 @@
 
 [![Socket Badge](https://socket.dev/api/badge/npm/package/@socketsecurity/sdk)](https://socket.dev/npm/package/@socketsecurity/sdk)
 [![CI](https://github.com/SocketDev/socket-sdk-js/actions/workflows/ci.yml/badge.svg)](https://github.com/SocketDev/socket-sdk-js/actions/workflows/ci.yml)
-![Coverage](https://img.shields.io/badge/coverage-79.95%25-green)
+![Coverage](https://img.shields.io/badge/coverage-40%25-orange)
 
 [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
 [![Follow @socket.dev on Bluesky](https://img.shields.io/badge/Follow-@socket.dev-1DA1F2?style=social&logo=bluesky)](https://bsky.app/profile/socket.dev)
@@ -35,7 +35,7 @@ if (quota.success) {
 // Analyze a package
 const result = await client.getScoreByNpmPackage('express', '4.18.0')
 if (result.success) {
-  console.log(`Security Score: ${result.data.score}/100`)
+  console.log(`Dependency Score: ${result.data.depscore}`)
 }
 
 // Batch analyze multiple packages
@@ -51,21 +51,8 @@ const batchResult = await client.batchPackageFetch({
 
 | Guide | Description |
 |-------|-------------|
-| **[Getting Started](./docs/getting-started.md)** | Quick start for contributors (5 min setup) |
 | **[API Reference](./docs/api-reference.md)** | Complete API method documentation |
-| **[Usage Examples](./docs/usage-examples.md)** | Real-world patterns and code samples |
 | **[Quota Management](./docs/quota-management.md)** | Cost tiers (0/10/100) and utilities |
-| **[Testing Guide](./docs/dev/testing.md)** | Test helpers, fixtures, and patterns |
-| **[Method Reference](./docs/when-to-use-what.md)** | Quick method selection guide |
-
-## Examples
-
-See **[usage-examples.md](./docs/usage-examples.md)** for complete examples including:
-- Package security analysis
-- Batch operations
-- Full scans with SBOM
-- Policy management
-- Quota planning
 
 ## License
 

package/data/api-method-quota-and-permissions.json

@@ -12,6 +12,10 @@
       "quota": 100,
       "permissions": ["report:write"]
     },
+    "createFullScan": {
+      "quota": 0,
+      "permissions": ["full-scans:create"]
+    },
     "createOrgFullScan": {
       "quota": 0,
       "permissions": ["full-scans:create"]
@@ -227,6 +231,22 @@
     "sendApi": {
       "quota": 0,
       "permissions": []
+    },
+    "batchOrgPackageFetch": {
+      "quota": 100,
+      "permissions": ["packages:list"]
+    },
+    "exportOpenVEX": {
+      "quota": 0,
+      "permissions": ["report:read"]
+    },
+    "getOrgAlertFullScans": {
+      "quota": 10,
+      "permissions": ["alerts:list"]
+    },
+    "rescanFullScan": {
+      "quota": 0,
+      "permissions": ["full-scans:create"]
     }
   }
 }

package/dist/constants.d.ts

@@ -13,4 +13,4 @@ export declare const MAX_RESPONSE_SIZE: number;
 export declare const MAX_STREAM_SIZE: number;
 export declare const SOCKET_PUBLIC_BLOB_STORE_URL = "https://socketusercontent.com";
 export declare const httpAgentNames: Set<string>;
-export declare const publicPolicy: Map<"ambiguousClassifier" | "badEncoding" | "badSemver" | "badSemverDependency" | "bidi" | "binScriptConfusion" | "chromeContentScript" | "chromeHostPermission" | "chromePermission" | "chromeWildcardHostPermission" | "chronoAnomaly" | "compromisedSSHKey" | "copyleftLicense" | "criticalCVE" | "cve" | "debugAccess" | "deprecated" | "deprecatedException" | "deprecatedLicense" | "didYouMean" | "dynamicRequire" | "emptyPackage" | "envVars" | "explicitlyUnlicensedItem" | "extraneousDependency" | "fileDependency" | "filesystemAccess" | "floatingDependency" | "generic" | "ghaArgToEnv" | "ghaArgToOutput" | "ghaArgToSink" | "ghaContextToEnv" | "ghaContextToOutput" | "ghaContextToSink" | "ghaEnvToSink" | "gitDependency" | "gitHubDependency" | "gptAnomaly" | "gptDidYouMean" | "gptMalware" | "gptSecurity" | "hasNativeCode" | "highEntropyStrings" | "homoglyphs" | "httpDependency" | "installScripts" | "invalidPackageJSON" | "invisibleChars" | "licenseChange" | "licenseException" | "licenseSpdxDisj" | "longStrings" | "majorRefactor" | "malware" | "manifestConfusion" | "mediumCVE" | "mildCVE" | "minifiedFile" | "miscLicenseIssues" | "missingAuthor" | "missingDependency" | "missingLicense" | "missingTarball" | "mixedLicense" | "modifiedException" | "modifiedLicense" | "networkAccess" | "newAuthor" | "noAuthorData" | "noBugTracker" | "noLicenseFound" | "noREADME" | "noRepository" | "noTests" | "noV1" | "noWebsite" | "nonOSILicense" | "nonSPDXLicense" | "nonpermissiveLicense" | "notice" | "obfuscatedFile" | "obfuscatedRequire" | "peerDependency" | "potentialVulnerability" | "semverAnomaly" | "shellAccess" | "shellScriptOverride" | "shrinkwrap" | "socketUpgradeAvailable" | "suspiciousStarActivity" | "suspiciousString" | "telemetry" | "trivialPackage" | "troll" | "typeModuleCompatibility" | "uncaughtOptionalDependency" | "unclearLicense" | "unidentifiedLicense" | "unmaintained" | "unpopularPackage" | "unpublished" | "unresolvedRequire" | "unsafeCopyright" | "unstableOwnership" | "unusedDependency" | "urlStrings" | "usesEval" | "vsxActivationWildcard" | "vsxDebuggerContribution" | "vsxExtensionDependency" | "vsxExtensionPack" | "vsxProposedApiUsage" | "vsxUntrustedWorkspaceSupported" | "vsxVirtualWorkspaceSupported" | "vsxWebviewContribution" | "vsxWorkspaceContainsActivation" | "zeroWidth", ALERT_ACTION>;
+export declare const publicPolicy: Map<"ambiguousClassifier" | "badEncoding" | "badSemver" | "badSemverDependency" | "bidi" | "binScriptConfusion" | "chromeContentScript" | "chromeHostPermission" | "chromePermission" | "chromeWildcardHostPermission" | "chronoAnomaly" | "compromisedSSHKey" | "copyleftLicense" | "criticalCVE" | "cve" | "debugAccess" | "deprecated" | "deprecatedException" | "deprecatedLicense" | "didYouMean" | "dynamicRequire" | "emptyPackage" | "envVars" | "explicitlyUnlicensedItem" | "extraneousDependency" | "fileDependency" | "filesystemAccess" | "floatingDependency" | "generic" | "ghaArgToEnv" | "ghaArgToOutput" | "ghaArgToSink" | "ghaContextToEnv" | "ghaContextToOutput" | "ghaContextToSink" | "ghaEnvToSink" | "gitDependency" | "gitHubDependency" | "gptAnomaly" | "gptDidYouMean" | "gptMalware" | "gptSecurity" | "hasNativeCode" | "highEntropyStrings" | "homoglyphs" | "httpDependency" | "installScripts" | "invalidPackageJSON" | "invisibleChars" | "licenseChange" | "licenseException" | "licenseSpdxDisj" | "longStrings" | "majorRefactor" | "malware" | "manifestConfusion" | "mediumCVE" | "mildCVE" | "minifiedFile" | "miscLicenseIssues" | "missingAuthor" | "missingDependency" | "missingLicense" | "missingTarball" | "mixedLicense" | "modifiedException" | "modifiedLicense" | "networkAccess" | "newAuthor" | "noAuthorData" | "noBugTracker" | "noLicenseFound" | "noREADME" | "noRepository" | "noTests" | "noV1" | "noWebsite" | "nonOSILicense" | "nonSPDXLicense" | "nonpermissiveLicense" | "notice" | "obfuscatedFile" | "obfuscatedRequire" | "peerDependency" | "potentialVulnerability" | "recentlyPublished" | "semverAnomaly" | "shellAccess" | "shellScriptOverride" | "shrinkwrap" | "skillAutonomyAbuse" | "skillCommandInjection" | "skillDataExfiltration" | "skillDiscoveryAbuse" | "skillHardcodedSecrets" | "skillObfuscation" | "skillPromptInjection" | "skillResourceAbuse" | "skillSupplyChain" | "skillToolAbuse" | "skillToolChaining" | "skillTransitiveTrust" | "socketUpgradeAvailable" | "suspiciousStarActivity" | "suspiciousString" | "telemetry" | "tooManyFiles" | "trivialPackage" | "troll" | "typeModuleCompatibility" | "uncaughtOptionalDependency" | "unclearLicense" | "unidentifiedLicense" | "unmaintained" | "unpopularPackage" | "unpublished" | "unresolvedRequire" | "unsafeCopyright" | "unstableOwnership" | "unusedDependency" | "urlStrings" | "usesEval" | "vsxActivationWildcard" | "vsxDebuggerContribution" | "vsxExtensionDependency" | "vsxExtensionPack" | "vsxProposedApiUsage" | "vsxUntrustedWorkspaceSupported" | "vsxVirtualWorkspaceSupported" | "vsxWebviewContribution" | "vsxWorkspaceContainsActivation" | "zeroWidth", ALERT_ACTION>;

package/dist/http-client.d.ts

@@ -16,11 +16,12 @@ import type { ClientRequest, IncomingMessage } from 'node:http';
  */
 export declare class ResponseError extends Error {
     response: IncomingMessage;
+    url?: string | undefined;
     /**
      * Create a new ResponseError from an HTTP response.
      * Automatically formats error message with status code and message.
      */
-    constructor(response: IncomingMessage, message?: string);
+    constructor(response: IncomingMessage, message?: string, url?: string | undefined);
 }
 /**
  * Create and execute an HTTP DELETE request.
@@ -74,28 +75,15 @@ export declare function getResponse(req: ClientRequest): Promise<IncomingMessage
  * @throws {ResponseError} When response has non-2xx status code
  * @throws {SyntaxError} When response body contains invalid JSON
  */
-export declare function getResponseJson(response: IncomingMessage, method?: string | undefined): Promise<JsonValue | undefined>;
+export declare function getResponseJson(response: IncomingMessage, method?: string | undefined, url?: string | undefined): Promise<JsonValue | undefined>;
 /**
- * Check if HTTP response has a successful status code (2xx range).
- * Returns true for status codes between 200-299, false otherwise.
- */
-export declare function isResponseOk(response: IncomingMessage): boolean;
-/**
- * Transform artifact data based on authentication status.
- * Filters and compacts response data for public/free-tier users.
- */
-export declare function reshapeArtifactForPublicPolicy<T extends Record<string, unknown>>(data: T, isAuthenticated: boolean, actions?: string | undefined): T;
-/**
- * Retry helper for HTTP requests with exponential backoff.
- * Wraps any async HTTP function and retries on failure.
+ * Create DELETE request with automatic retry logic.
+ * Retries on network errors and 5xx responses.
  *
- * @param fn - Async function to retry
  * @param retries - Number of retry attempts (default: 0, retries disabled)
  * @param retryDelay - Initial delay in ms (default: 100)
- * @returns Result of the function call
- * @throws {Error} Last error if all retries exhausted
  */
-export declare function withRetry<T>(fn: () => Promise<T>, retries?: number, retryDelay?: number): Promise<T>;
+export declare function createDeleteRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
 /**
  * Create GET request with automatic retry logic.
  * Retries on network errors and 5xx responses.
@@ -105,18 +93,31 @@ export declare function withRetry<T>(fn: () => Promise<T>, retries?: number, ret
  */
 export declare function createGetRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
 /**
- * Create DELETE request with automatic retry logic.
+ * Create request with JSON payload and automatic retry logic.
  * Retries on network errors and 5xx responses.
  *
  * @param retries - Number of retry attempts (default: 0, retries disabled)
  * @param retryDelay - Initial delay in ms (default: 100)
  */
-export declare function createDeleteRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
+export declare function createRequestWithJsonAndRetry(method: SendMethod, baseUrl: string, urlPath: string, json: unknown, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
 /**
- * Create request with JSON payload and automatic retry logic.
- * Retries on network errors and 5xx responses.
+ * Check if HTTP response has a successful status code (2xx range).
+ * Returns true for status codes between 200-299, false otherwise.
+ */
+export declare function isResponseOk(response: IncomingMessage): boolean;
+/**
+ * Transform artifact data based on authentication status.
+ * Filters and compacts response data for public/free-tier users.
+ */
+export declare function reshapeArtifactForPublicPolicy<T extends Record<string, unknown>>(data: T, isAuthenticated: boolean, actions?: string | undefined): T;
+/**
+ * Retry helper for HTTP requests with exponential backoff.
+ * Wraps any async HTTP function and retries on failure.
  *
+ * @param fn - Async function to retry
  * @param retries - Number of retry attempts (default: 0, retries disabled)
  * @param retryDelay - Initial delay in ms (default: 100)
+ * @returns Result of the function call
+ * @throws {Error} Last error if all retries exhausted
  */
-export declare function createRequestWithJsonAndRetry(method: SendMethod, baseUrl: string, urlPath: string, json: unknown, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
+export declare function withRetry<T>(fn: () => Promise<T>, retries?: number, retryDelay?: number): Promise<T>;

package/dist/index.d.ts

@@ -9,7 +9,7 @@ export { createDeleteRequest, createGetRequest, createRequestWithJson, getErrorR
 export { calculateTotalQuotaCost, getAllMethodRequirements, getMethodRequirements, getMethodsByPermissions, getMethodsByQuotaCost, getQuotaCost, getQuotaUsageSummary, getRequiredPermissions, hasQuotaForMethods, } from './quota-utils';
 export { SocketSdk } from './socket-sdk-class';
 export type { ALERT_ACTION, ALERT_TYPE, Agent, ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CompactSocketArtifact, CompactSocketArtifactAlert, CreateDependenciesSnapshotOptions, CreateOrgFullScanOptions, CreateScanFromFilepathsOptions, CustomResponseType, Entitlement, EntitlementsResponse, FileValidationCallback, FileValidationResult, GetOptions, GotOptions, HeadersRecord, PatchFile, PatchRecord, PatchViewResponse, TelemetryConfig, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, RequestInfo, RequestOptions, RequestOptionsWithHooks, ResponseInfo, SecurityAlert, SendMethod, SendOptions, SocketArtifact, SocketArtifactAlert, SocketArtifactWithExtras, SocketId, SocketMetricSchema, SocketSdkArrayElement, SocketSdkData, SocketSdkErrorResult, SocketSdkGenericResult, SocketSdkOperations, SocketSdkOptions, SocketSdkResult, SocketSdkSuccessResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesResponse, UploadManifestFilesReturnType, Vulnerability, } from './types';
-export type { CreateFullScanOptions, DeleteRepositoryLabelResult, DeleteResult, FullScanItem, FullScanListData, FullScanListResult, FullScanResult, ListFullScansOptions, ListRepositoriesOptions, OrganizationItem, OrganizationsResult, RepositoriesListData, RepositoriesListResult, RepositoryItem, RepositoryLabelItem, RepositoryLabelResult, RepositoryLabelsListData, RepositoryLabelsListResult, RepositoryResult, StreamFullScanOptions, StrictErrorResult, StrictResult, } from './types-strict';
+export type { CreateFullScanOptions, DeleteRepositoryLabelResult, DeleteResult, FullScanItem, FullScanListData, FullScanListResult, FullScanResult, GetRepositoryOptions, ListFullScansOptions, ListRepositoriesOptions, OrganizationItem, OrganizationsResult, RepositoriesListData, RepositoriesListResult, RepositoryItem, RepositoryLabelItem, RepositoryLabelResult, RepositoryLabelsListData, RepositoryLabelsListResult, RepositoryListItem, RepositoryResult, StreamFullScanOptions, StrictErrorResult, StrictResult, } from './types-strict';
 export { createUserAgentFromPkgJson } from './user-agent';
 export { calculateWordSetSimilarity, filterRedundantCause, normalizeBaseUrl, promiseWithResolvers, queryToSearchParams, resolveAbsPaths, resolveBasePath, shouldOmitReason, };
 export { DEFAULT_USER_AGENT, httpAgentNames, publicPolicy };