@socketsecurity/sdk 3.4.1 → 3.5.0

package/CHANGELOG.md

@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [3.5.0](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.5.0) - 2026-04-03
+
+### Added
+
+- **checkMalware**: New API method for normalized malware detection across public and org tokens
+  - Public tokens use the firewall API with client-side `publicPolicy` filtering
+  - Org tokens use the batch PURL API with full server-assigned org policy
+  - Both paths return the same normalized `MalwareCheckResult` shape
+- New exported types: `MalwareCheckAlert`, `MalwareCheckPackage`, `MalwareCheckResult`, `MalwareCheckScore`
+- New audit log action types: `CreateTicket`, `DisconnectJiraIntegration`, `JiraIntegrationConnected`
+- New `alert-resolution` permission scope (list, create, read, delete)
+- New `workspace` parameter for `createOrgFullScan` package entries
+- New `SocketSBOMScore` schema for supply chain risk score breakdowns with formulas and components
+- New `skillPreExecution` alert type and policy action
+- Full scan `include_scores` and `include_scores_details` query parameters with `scores` ndjson event
+- Batch PURL `timeoutSec` parameter for scan result timeout control
+
 ## [3.4.1](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.4.1) - 2026-03-12
 
 ### Changed

package/README.md

@@ -2,7 +2,7 @@
 
 [![Socket Badge](https://socket.dev/api/badge/npm/package/@socketsecurity/sdk)](https://socket.dev/npm/package/@socketsecurity/sdk)
 [![CI](https://github.com/SocketDev/socket-sdk-js/actions/workflows/ci.yml/badge.svg)](https://github.com/SocketDev/socket-sdk-js/actions/workflows/ci.yml)
-![Coverage](https://img.shields.io/badge/coverage-40%25-orange)
+![Coverage](https://img.shields.io/badge/coverage-96%25-brightgreen)
 
 [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
 [![Follow @socket.dev on Bluesky](https://img.shields.io/badge/Follow-@socket.dev-1DA1F2?style=social&logo=bluesky)](https://bsky.app/profile/socket.dev)

package/dist/constants.d.ts

@@ -12,5 +12,7 @@ export declare const MIN_HTTP_TIMEOUT = 5000;
 export declare const MAX_RESPONSE_SIZE: number;
 export declare const MAX_STREAM_SIZE: number;
 export declare const SOCKET_PUBLIC_BLOB_STORE_URL = "https://socketusercontent.com";
+export declare const MAX_FIREWALL_COMPONENTS = 8;
+export declare const SOCKET_FIREWALL_API_URL = "https://firewall-api.socket.dev/purl";
 export declare const httpAgentNames: Set<string>;
-export declare const publicPolicy: Map<"ambiguousClassifier" | "badEncoding" | "badSemver" | "badSemverDependency" | "bidi" | "binScriptConfusion" | "chromeContentScript" | "chromeHostPermission" | "chromePermission" | "chromeWildcardHostPermission" | "chronoAnomaly" | "compromisedSSHKey" | "copyleftLicense" | "criticalCVE" | "cve" | "debugAccess" | "deprecated" | "deprecatedException" | "deprecatedLicense" | "didYouMean" | "dynamicRequire" | "emptyPackage" | "envVars" | "explicitlyUnlicensedItem" | "extraneousDependency" | "fileDependency" | "filesystemAccess" | "floatingDependency" | "generic" | "ghaArgToEnv" | "ghaArgToOutput" | "ghaArgToSink" | "ghaContextToEnv" | "ghaContextToOutput" | "ghaContextToSink" | "ghaEnvToSink" | "gitDependency" | "gitHubDependency" | "gptAnomaly" | "gptDidYouMean" | "gptMalware" | "gptSecurity" | "hasNativeCode" | "highEntropyStrings" | "homoglyphs" | "httpDependency" | "installScripts" | "invalidPackageJSON" | "invisibleChars" | "licenseChange" | "licenseException" | "licenseSpdxDisj" | "longStrings" | "majorRefactor" | "malware" | "manifestConfusion" | "mediumCVE" | "mildCVE" | "minifiedFile" | "miscLicenseIssues" | "missingAuthor" | "missingDependency" | "missingLicense" | "missingTarball" | "mixedLicense" | "modifiedException" | "modifiedLicense" | "networkAccess" | "newAuthor" | "noAuthorData" | "noBugTracker" | "noLicenseFound" | "noREADME" | "noRepository" | "noTests" | "noV1" | "noWebsite" | "nonOSILicense" | "nonSPDXLicense" | "nonpermissiveLicense" | "notice" | "obfuscatedFile" | "obfuscatedRequire" | "peerDependency" | "potentialVulnerability" | "recentlyPublished" | "semverAnomaly" | "shellAccess" | "shellScriptOverride" | "shrinkwrap" | "skillAutonomyAbuse" | "skillCommandInjection" | "skillDataExfiltration" | "skillDiscoveryAbuse" | "skillHardcodedSecrets" | "skillObfuscation" | "skillPromptInjection" | "skillResourceAbuse" | "skillSupplyChain" | "skillToolAbuse" | "skillToolChaining" | "skillTransitiveTrust" | "socketUpgradeAvailable" | "suspiciousStarActivity" | "suspiciousString" | "telemetry" | "tooManyFiles" | "trivialPackage" | "troll" | "typeModuleCompatibility" | "uncaughtOptionalDependency" | "unclearLicense" | "unidentifiedLicense" | "unmaintained" | "unpopularPackage" | "unpublished" | "unresolvedRequire" | "unsafeCopyright" | "unstableOwnership" | "unusedDependency" | "urlStrings" | "usesEval" | "vsxActivationWildcard" | "vsxDebuggerContribution" | "vsxExtensionDependency" | "vsxExtensionPack" | "vsxProposedApiUsage" | "vsxUntrustedWorkspaceSupported" | "vsxVirtualWorkspaceSupported" | "vsxWebviewContribution" | "vsxWorkspaceContainsActivation" | "zeroWidth", ALERT_ACTION>;
+export declare const publicPolicy: Map<"ambiguousClassifier" | "badEncoding" | "badSemver" | "badSemverDependency" | "bidi" | "binScriptConfusion" | "chromeContentScript" | "chromeHostPermission" | "chromePermission" | "chromeWildcardHostPermission" | "chronoAnomaly" | "compromisedSSHKey" | "copyleftLicense" | "criticalCVE" | "cve" | "debugAccess" | "deprecated" | "deprecatedException" | "deprecatedLicense" | "didYouMean" | "dynamicRequire" | "emptyPackage" | "envVars" | "explicitlyUnlicensedItem" | "extraneousDependency" | "fileDependency" | "filesystemAccess" | "floatingDependency" | "generic" | "ghaArgToEnv" | "ghaArgToOutput" | "ghaArgToSink" | "ghaContextToEnv" | "ghaContextToOutput" | "ghaContextToSink" | "ghaEnvToSink" | "gitDependency" | "gitHubDependency" | "gptAnomaly" | "gptDidYouMean" | "gptMalware" | "gptSecurity" | "hasNativeCode" | "highEntropyStrings" | "homoglyphs" | "httpDependency" | "installScripts" | "invalidPackageJSON" | "invisibleChars" | "licenseChange" | "licenseException" | "licenseSpdxDisj" | "longStrings" | "majorRefactor" | "malware" | "manifestConfusion" | "mediumCVE" | "mildCVE" | "minifiedFile" | "miscLicenseIssues" | "missingAuthor" | "missingDependency" | "missingLicense" | "missingTarball" | "mixedLicense" | "modifiedException" | "modifiedLicense" | "networkAccess" | "newAuthor" | "noAuthorData" | "noBugTracker" | "noLicenseFound" | "noREADME" | "noRepository" | "noTests" | "noV1" | "noWebsite" | "nonOSILicense" | "nonSPDXLicense" | "nonpermissiveLicense" | "notice" | "obfuscatedFile" | "obfuscatedRequire" | "peerDependency" | "potentialVulnerability" | "recentlyPublished" | "semverAnomaly" | "shellAccess" | "shellScriptOverride" | "shrinkwrap" | "skillAutonomyAbuse" | "skillCommandInjection" | "skillDataExfiltration" | "skillDiscoveryAbuse" | "skillHardcodedSecrets" | "skillObfuscation" | "skillPreExecution" | "skillPromptInjection" | "skillResourceAbuse" | "skillSupplyChain" | "skillToolAbuse" | "skillToolChaining" | "skillTransitiveTrust" | "socketUpgradeAvailable" | "suspiciousStarActivity" | "suspiciousString" | "telemetry" | "tooManyFiles" | "trivialPackage" | "troll" | "typeModuleCompatibility" | "uncaughtOptionalDependency" | "unclearLicense" | "unidentifiedLicense" | "unmaintained" | "unpopularPackage" | "unpublished" | "unresolvedRequire" | "unsafeCopyright" | "unstableOwnership" | "unusedDependency" | "urlStrings" | "usesEval" | "vsxActivationWildcard" | "vsxDebuggerContribution" | "vsxExtensionDependency" | "vsxExtensionPack" | "vsxProposedApiUsage" | "vsxUntrustedWorkspaceSupported" | "vsxVirtualWorkspaceSupported" | "vsxWebviewContribution" | "vsxWorkspaceContainsActivation" | "zeroWidth", ALERT_ACTION>;

package/dist/http-client.d.ts

@@ -76,30 +76,6 @@ export declare function getResponse(req: ClientRequest): Promise<IncomingMessage
  * @throws {SyntaxError} When response body contains invalid JSON
  */
 export declare function getResponseJson(response: IncomingMessage, method?: string | undefined, url?: string | undefined): Promise<JsonValue | undefined>;
-/**
- * Create DELETE request with automatic retry logic.
- * Retries on network errors and 5xx responses.
- *
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- */
-export declare function createDeleteRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
-/**
- * Create GET request with automatic retry logic.
- * Retries on network errors and 5xx responses.
- *
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- */
-export declare function createGetRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
-/**
- * Create request with JSON payload and automatic retry logic.
- * Retries on network errors and 5xx responses.
- *
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- */
-export declare function createRequestWithJsonAndRetry(method: SendMethod, baseUrl: string, urlPath: string, json: unknown, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
 /**
  * Check if HTTP response has a successful status code (2xx range).
  * Returns true for status codes between 200-299, false otherwise.
@@ -109,15 +85,4 @@ export declare function isResponseOk(response: IncomingMessage): boolean;
  * Transform artifact data based on authentication status.
  * Filters and compacts response data for public/free-tier users.
  */
-export declare function reshapeArtifactForPublicPolicy<T extends Record<string, unknown>>(data: T, isAuthenticated: boolean, actions?: string | undefined): T;
-/**
- * Retry helper for HTTP requests with exponential backoff.
- * Wraps any async HTTP function and retries on failure.
- *
- * @param fn - Async function to retry
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- * @returns Result of the function call
- * @throws {Error} Last error if all retries exhausted
- */
-export declare function withRetry<T>(fn: () => Promise<T>, retries?: number, retryDelay?: number): Promise<T>;
+export declare function reshapeArtifactForPublicPolicy<T extends Record<string, unknown>>(data: T, isAuthenticated: boolean, actions?: string | undefined, policy?: Map<string, string> | undefined): T;

package/dist/index.d.ts

@@ -8,7 +8,7 @@ export { createRequestBodyForFilepaths, createRequestBodyForJson, createUploadRe
 export { createDeleteRequest, createGetRequest, createRequestWithJson, getErrorResponseBody, getHttpModule, getResponse, getResponseJson, isResponseOk, ResponseError, reshapeArtifactForPublicPolicy, } from './http-client';
 export { calculateTotalQuotaCost, getAllMethodRequirements, getMethodRequirements, getMethodsByPermissions, getMethodsByQuotaCost, getQuotaCost, getQuotaUsageSummary, getRequiredPermissions, hasQuotaForMethods, } from './quota-utils';
 export { SocketSdk } from './socket-sdk-class';
-export type { ALERT_ACTION, ALERT_TYPE, Agent, ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CompactSocketArtifact, CompactSocketArtifactAlert, CreateDependenciesSnapshotOptions, CreateOrgFullScanOptions, CreateScanFromFilepathsOptions, CustomResponseType, Entitlement, EntitlementsResponse, FileValidationCallback, FileValidationResult, GetOptions, GotOptions, HeadersRecord, PatchFile, PatchRecord, PatchViewResponse, TelemetryConfig, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, RequestInfo, RequestOptions, RequestOptionsWithHooks, ResponseInfo, SecurityAlert, SendMethod, SendOptions, SocketArtifact, SocketArtifactAlert, SocketArtifactWithExtras, SocketId, SocketMetricSchema, SocketSdkArrayElement, SocketSdkData, SocketSdkErrorResult, SocketSdkGenericResult, SocketSdkOperations, SocketSdkOptions, SocketSdkResult, SocketSdkSuccessResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesResponse, UploadManifestFilesReturnType, Vulnerability, } from './types';
+export type { ALERT_ACTION, ALERT_TYPE, Agent, ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CompactSocketArtifact, CompactSocketArtifactAlert, CreateDependenciesSnapshotOptions, CustomResponseType, Entitlement, EntitlementsResponse, FileValidationCallback, FileValidationResult, GetOptions, GotOptions, HeadersRecord, MalwareCheckAlert, MalwareCheckPackage, MalwareCheckResult, MalwareCheckScore, PatchFile, PatchRecord, PatchViewResponse, TelemetryConfig, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, RequestInfo, RequestOptions, RequestOptionsWithHooks, ResponseInfo, SecurityAlert, SendMethod, SendOptions, SocketArtifact, SocketArtifactAlert, SocketArtifactWithExtras, SocketId, SocketMetricSchema, SocketSdkArrayElement, SocketSdkData, SocketSdkErrorResult, SocketSdkGenericResult, SocketSdkOperations, SocketSdkOptions, SocketSdkResult, SocketSdkSuccessResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesResponse, UploadManifestFilesReturnType, Vulnerability, } from './types';
 export type { CreateFullScanOptions, DeleteRepositoryLabelResult, DeleteResult, FullScanItem, FullScanListData, FullScanListResult, FullScanResult, GetRepositoryOptions, ListFullScansOptions, ListRepositoriesOptions, OrganizationItem, OrganizationsResult, RepositoriesListData, RepositoriesListResult, RepositoryItem, RepositoryLabelItem, RepositoryLabelResult, RepositoryLabelsListData, RepositoryLabelsListResult, RepositoryListItem, RepositoryResult, StreamFullScanOptions, StrictErrorResult, StrictResult, } from './types-strict';
 export { createUserAgentFromPkgJson } from './user-agent';
 export { calculateWordSetSimilarity, filterRedundantCause, normalizeBaseUrl, promiseWithResolvers, queryToSearchParams, resolveAbsPaths, resolveBasePath, shouldOmitReason, };

package/dist/index.js

@@ -71,7 +71,7 @@ module.exports = __toCommonJS(index_exports);
 // package.json
 var package_default = {
   name: "@socketsecurity/sdk",
-  version: "3.4.1",
+  version: "3.5.0",
   description: "SDK for the Socket API client",
   homepage: "https://github.com/SocketDev/socket-sdk-js",
   license: "MIT",
@@ -130,16 +130,18 @@ var package_default = {
     publish: "node scripts/publish.mjs",
     "publish:ci": "node scripts/publish.mjs --tag ${DIST_TAG:-latest}",
     claude: "node scripts/claude.mjs",
+    security: "agentshield scan && { command -v zizmor >/dev/null && zizmor .github/ || echo 'zizmor not installed \u2014 run pnpm run setup to install'; }",
     test: "node scripts/test.mjs",
     type: "tsgo --noEmit -p .config/tsconfig.check.json",
     update: "node scripts/update.mjs"
   },
   dependencies: {
-    "@socketregistry/packageurl-js": "1.3.5",
-    "@socketsecurity/lib": "5.8.1",
+    "@socketregistry/packageurl-js": "1.4.1",
+    "@socketsecurity/lib": "5.11.4",
     "form-data": "4.0.5"
   },
   devDependencies: {
+    "@anthropic-ai/claude-code": "2.1.89",
     "@babel/generator": "7.28.5",
     "@babel/parser": "7.26.3",
     "@babel/traverse": "7.26.4",
@@ -154,6 +156,7 @@ var package_default = {
     acorn: "8.15.0",
     del: "8.0.1",
     "dev-null-cli": "2.0.0",
+    "ecc-agentshield": "1.4.0",
     esbuild: "0.25.11",
     "fast-glob": "3.3.3",
     "http2-wrapper": "2.2.1",
@@ -180,10 +183,10 @@ var package_default = {
     strict: true
   },
   engines: {
-    node: ">=18",
-    pnpm: ">=10.25.0"
+    node: ">=18.20.8",
+    pnpm: ">=10.33.0"
   },
-  packageManager: "pnpm@10.32.1",
+  packageManager: "pnpm@10.33.0",
   pnpm: {
     ignoredBuiltDependencies: [
       "esbuild",
@@ -216,6 +219,8 @@ var MIN_HTTP_TIMEOUT = 5e3;
 var MAX_RESPONSE_SIZE = 10 * 1024 * 1024;
 var MAX_STREAM_SIZE = 100 * 1024 * 1024;
 var SOCKET_PUBLIC_BLOB_STORE_URL = "https://socketusercontent.com";
+var MAX_FIREWALL_COMPONENTS = 8;
+var SOCKET_FIREWALL_API_URL = "https://firewall-api.socket.dev/purl";
 var httpAgentNames = /* @__PURE__ */ new Set(["http", "https", "http2"]);
 var publicPolicy = /* @__PURE__ */ new Map([
   // error (1):
@@ -327,6 +332,7 @@ var publicPolicy = /* @__PURE__ */ new Map([
 
 // src/utils.ts
 var import_node_path = __toESM(require("node:path"));
+var import_node_process = __toESM(require("node:process"));
 var import_memoization = require("@socketsecurity/lib/memoization");
 var import_normalize = require("@socketsecurity/lib/paths/normalize");
 function normalizeToWordSet(s) {
@@ -405,7 +411,7 @@ function resolveAbsPaths(filepaths, pathsRelativeTo) {
   return filepaths.map((p) => (0, import_normalize.normalizePath)(import_node_path.default.resolve(basePath, p)));
 }
 function resolveBasePath(pathsRelativeTo = ".") {
-  return (0, import_normalize.normalizePath)(import_node_path.default.resolve(process.cwd(), pathsRelativeTo));
+  return (0, import_normalize.normalizePath)(import_node_path.default.resolve(import_node_process.default.cwd(), pathsRelativeTo));
 }
 function shouldOmitReason(errorMessage, reason, threshold = 0.6) {
   if (!reason || !reason.trim()) {
@@ -803,9 +809,10 @@ function isResponseOk(response) {
   const { statusCode } = response;
   return statusCode ? statusCode >= 200 && statusCode < 300 : false;
 }
-function reshapeArtifactForPublicPolicy(data, isAuthenticated, actions) {
+function reshapeArtifactForPublicPolicy(data, isAuthenticated, actions, policy) {
   if (!isAuthenticated) {
     const allowedActions = actions?.trim() ? actions.split(",") : void 0;
+    const resolvedPolicy = policy ?? publicPolicy;
     const reshapeArtifact = (artifact) => ({
       name: artifact.name,
       version: artifact.version,
@@ -818,17 +825,19 @@ function reshapeArtifactForPublicPolicy(data, isAuthenticated, actions) {
       // Compact the alerts array to reduce response size for non-authenticated
       // requests.
       alerts: artifact.alerts?.filter((alert) => {
+        const action = resolvedPolicy.get(alert.type);
         if (alert.severity === "low") {
           return false;
         }
-        if (allowedActions && alert.action && !allowedActions.includes(alert.action)) {
+        if (allowedActions && action && !allowedActions.includes(action)) {
           return false;
         }
         return true;
       }).map((alert) => ({
-        type: alert.type,
+        action: resolvedPolicy.get(alert.type),
+        key: alert.key,
         severity: alert.severity,
-        key: alert.key
+        type: alert.type
       }))
     });
     if (data["artifacts"]) {
@@ -1064,6 +1073,7 @@ function hasQuotaForMethods(availableQuota, methodNames) {
 var import_node_events = __toESM(require("node:events"));
 var import_node_fs3 = require("node:fs");
 var import_node_path4 = __toESM(require("node:path"));
+var import_node_process2 = __toESM(require("node:process"));
 var import_node_readline = __toESM(require("node:readline"));
 var import_cache_with_ttl = require("@socketsecurity/lib/cache-with-ttl");
 var import_core = require("@socketsecurity/lib/constants/core");
@@ -1077,7 +1087,7 @@ var import_promises = require("@socketsecurity/lib/promises");
 var import_suppress_warnings = require("@socketsecurity/lib/suppress-warnings");
 var import_url = require("@socketsecurity/lib/url");
 var abortSignal = (0, import_process.getAbortSignal)();
-var SocketSdk = class {
+var SocketSdk = class _SocketSdk {
   #apiToken;
   #baseUrl;
   #cache;
@@ -1191,11 +1201,12 @@ var SocketSdk = class {
         );
         if ((0, import_objects.isObjectObject)(artifact)) {
           yield this.#handleApiSuccess(
-            /* c8 ignore next 7 - Public token artifact reshaping branch for policy compliance. */
+            /* c8 ignore next 8 - Public token artifact reshaping branch for policy compliance. */
             isPublicToken ? reshapeArtifactForPublicPolicy(
               artifact,
               false,
-              queryParams?.["actions"]
+              queryParams?.["actions"],
+              publicPolicy
             ) : artifact
           );
         }
@@ -1336,7 +1347,6 @@ var SocketSdk = class {
    * Extract text content from HTTP response stream.
    * Internal method with size limits to prevent memory exhaustion.
    */
-  /* c8 ignore start - unused utility method reserved for future text response handling */
   async #getResponseText(response) {
     const chunks = [];
     let size = 0;
@@ -1350,7 +1360,6 @@ var SocketSdk = class {
     }
     return Buffer.concat(chunks).toString("utf8");
   }
-  /* c8 ignore stop */
   /**
    * Handle API error responses and convert to standardized error result.
    * Internal error handling with status code analysis and message formatting.
@@ -1547,14 +1556,17 @@ var SocketSdk = class {
     const url = `${this.#baseUrl}orgs/${encodeURIComponent(orgSlug)}/purl?${queryToSearchParams(queryParams)}`;
     let res;
     try {
-      const req = getHttpModule(this.#baseUrl).request(url, {
-        method: "POST",
-        ...this.#reqOptions
-      }).end(JSON.stringify(componentsObj));
-      res = await getResponse(req);
-      if (!isResponseOk(res)) {
-        throw new ResponseError(res, "", url);
-      }
+      res = await this.#executeWithRetry(async () => {
+        const req = getHttpModule(this.#baseUrl).request(url, {
+          method: "POST",
+          ...this.#reqOptions
+        }).end(JSON.stringify(componentsObj));
+        const response = await getResponse(req);
+        if (!isResponseOk(response)) {
+          throw new ResponseError(response, "POST Request failed", url);
+        }
+        return response;
+      });
     } catch (e) {
       return await this.#handleApiError(e);
     }
@@ -1620,11 +1632,12 @@ var SocketSdk = class {
         );
         if ((0, import_objects.isObjectObject)(artifact)) {
           results.push(
-            /* c8 ignore next 7 - Public token artifact reshaping for policy compliance. */
+            /* c8 ignore next 8 - Public token artifact reshaping for policy compliance. */
             isPublicToken ? reshapeArtifactForPublicPolicy(
               artifact,
               false,
-              queryParams?.["actions"]
+              queryParams?.["actions"],
+              publicPolicy
             ) : artifact
           );
         }
@@ -1713,6 +1726,111 @@ var SocketSdk = class {
       }
     }
   }
+  /**
+   * Check packages for malware and security alerts.
+   *
+   * For small sets (≤ MAX_FIREWALL_COMPONENTS), uses parallel firewall API
+   * requests which return full artifact data including score and alert details.
+   *
+   * For larger sets, uses the batch PURL API for efficiency.
+   *
+   * Both paths normalize alerts through publicPolicy and only return
+   * malware-relevant results.
+   *
+   * @param components - Array of package URLs to check
+   * @returns Normalized results with policy-filtered alerts per package
+   */
+  async checkMalware(components) {
+    if (components.length <= MAX_FIREWALL_COMPONENTS) {
+      return this.#checkMalwareFirewall(components);
+    }
+    return this.#checkMalwareBatch(components);
+  }
+  // Small-set path: parallel firewall API requests per PURL.
+  // Returns full artifact data (score, alert props, categories, fix info).
+  async #checkMalwareFirewall(components) {
+    const packages = [];
+    const results = await Promise.allSettled(
+      components.map(async ({ purl }) => {
+        const urlPath = `/${encodeURIComponent(purl)}`;
+        const response = await createGetRequest(
+          SOCKET_FIREWALL_API_URL,
+          urlPath,
+          this.#reqOptions
+        );
+        if (!isResponseOk(response)) return void 0;
+        const json = await getResponseJson(response);
+        return json;
+      })
+    );
+    for (const settled of results) {
+      if (settled.status === "rejected" || !settled.value) continue;
+      packages.push(_SocketSdk.#normalizeArtifact(settled.value, publicPolicy));
+    }
+    return {
+      cause: void 0,
+      data: packages,
+      error: void 0,
+      status: 200,
+      success: true
+    };
+  }
+  // Multi-component path: batch PURL API request, normalized to publicPolicy.
+  async #checkMalwareBatch(components) {
+    const result = await this.batchPackageFetch(
+      { components },
+      { alerts: true, cachedResultsOnly: true }
+    );
+    if (!result.success) {
+      return {
+        cause: result.cause,
+        data: void 0,
+        error: result.error,
+        status: result.status,
+        success: false
+      };
+    }
+    const packages = [];
+    for (const artifact of result.data) {
+      packages.push(_SocketSdk.#normalizeArtifact(artifact, publicPolicy));
+    }
+    return {
+      cause: void 0,
+      data: packages,
+      error: void 0,
+      status: 200,
+      success: true
+    };
+  }
+  // Normalize an artifact into MalwareCheckPackage.
+  // When policy is provided, derive action from the map.
+  // When policy is undefined, use server-assigned alert.action.
+  static #normalizeArtifact(artifact, policy) {
+    const alerts = [];
+    if (artifact.alerts) {
+      for (const alert of artifact.alerts) {
+        const action = policy ? policy.get(alert.type) ?? "ignore" : alert.action ?? "ignore";
+        if (action === "error" || action === "warn") {
+          alerts.push({
+            category: alert.category,
+            fix: alert.fix ? { description: alert.fix.description, type: alert.fix.type } : void 0,
+            key: alert.key,
+            props: alert.props,
+            severity: alert.severity,
+            type: alert.type
+          });
+        }
+      }
+    }
+    return {
+      alerts,
+      name: artifact.name,
+      namespace: artifact.namespace,
+      score: artifact.score,
+      type: artifact.type,
+      version: artifact.version
+    };
+  }
   /**
    * Create a snapshot of project dependencies by uploading manifest files.
    * Analyzes dependency files to generate a comprehensive security report.
@@ -2367,41 +2485,31 @@ var SocketSdk = class {
     }
   }
   /**
-     * Delete a legacy scan report permanently.
-  
-    /**
-     * Download patch file content by hash.
-     *
-     * Downloads the actual patched file content from the public Socket blob store.
-     * This is used after calling viewPatch() to get the patch metadata.
-     * No authentication is required as patch blobs are publicly accessible.
-     *
-     * @param hash - The blob hash in SSRI (sha256-base64) or hex format
-     * @param options - Optional configuration
-     * @param options.baseUrl - Override blob store URL (for testing)
-     * @returns Promise<string> - The patch file content as UTF-8 string
-     * @throws Error if blob not found (404) or download fails
-     *
-     * @example
-     * ```typescript
-     * const sdk = new SocketSdk('your-api-token')
-     * // First get patch metadata
-     * const patch = await sdk.viewPatch('my-org', 'patch-uuid')
-     * // Then download the actual patched file
-     * const fileContent = await sdk.downloadPatch(patch.files['index.js'].socketBlob)
-     * ```
-     */
+   * Download full scan files as a tar archive.
+   *
+   * Streams the full scan file contents to the specified output path as a tar file.
+   * Includes size limit enforcement to prevent excessive disk usage.
+   *
+   * @param orgSlug - Organization identifier
+   * @param fullScanId - Full scan identifier
+   * @param outputPath - Local file path to write the tar archive
+   * @returns Download result with success/error status
+   * @throws {Error} When server returns 5xx status codes
+   */
   async downloadOrgFullScanFilesAsTar(orgSlug, fullScanId, outputPath) {
     const url = `${this.#baseUrl}orgs/${encodeURIComponent(orgSlug)}/full-scans/${encodeURIComponent(fullScanId)}/files.tar`;
     try {
-      const req = getHttpModule(this.#baseUrl).request(url, {
-        method: "GET",
-        ...this.#reqOptions
-      }).end();
-      const res = await getResponse(req);
-      if (!isResponseOk(res)) {
-        throw new ResponseError(res, "", url);
-      }
+      const res = await this.#executeWithRetry(async () => {
+        const req = getHttpModule(this.#baseUrl).request(url, {
+          method: "GET",
+          ...this.#reqOptions
+        }).end();
+        const response = await getResponse(req);
+        if (!isResponseOk(response)) {
+          throw new ResponseError(response, "", url);
+        }
+        return response;
+      });
       const writeStream = (0, import_node_fs3.createWriteStream)(outputPath);
       let bytesWritten = 0;
       res.on("data", (chunk) => {
@@ -2637,26 +2745,16 @@ var SocketSdk = class {
     };
     const url = `${this.#baseUrl}${urlPath}`;
     try {
-      const response = await createGetRequest(this.#baseUrl, urlPath, {
-        ...this.#reqOptions,
-        hooks: this.#hooks
-      });
-      if (!isResponseOk(response)) {
-        if (throws) {
-          throw new ResponseError(response, "", url);
+      const response = await this.#executeWithRetry(async () => {
+        const res = await createGetRequest(this.#baseUrl, urlPath, {
+          ...this.#reqOptions,
+          hooks: this.#hooks
+        });
+        if (!isResponseOk(res)) {
+          throw new ResponseError(res, "", url);
         }
-        const errorResult = await this.#handleApiError(
-          new ResponseError(response, "", url)
-        );
-        return {
-          cause: errorResult.cause,
-          data: void 0,
-          error: errorResult.error,
-          status: errorResult.status,
-          success: false,
-          url: errorResult.url
-        };
-      }
+        return res;
+      });
       const data = await this.#handleQueryResponseData(
         response,
         responseType
@@ -2683,7 +2781,8 @@ var SocketSdk = class {
           data: void 0,
           error: errorResult.error,
           status: errorResult.status,
-          success: false
+          success: false,
+          url: errorResult.url
         };
       }
       return this.#createQueryErrorResult(e);
@@ -2800,7 +2899,7 @@ var SocketSdk = class {
   /**
    * Retrieve the enabled entitlements for an organization.
    *
-   * This method fetches the organization's entitlements and filters for only* the enabled ones, returning their keys. Entitlements represent Socket
+   * This method fetches the organization's entitlements and filters for only the enabled ones, returning their keys. Entitlements represent Socket
    * Products that the organization has access to use.
    */
   async getEnabledEntitlements(orgSlug) {
@@ -3086,7 +3185,8 @@ var SocketSdk = class {
     }
   }
   /**
-   * Get organization's license policy configuration.* Returns allowed, restricted, and monitored license types.
+   * Get organization's license policy configuration.
+   * Returns allowed, restricted, and monitored license types.
    *
    * @throws {Error} When server returns 5xx status codes
    */
@@ -3107,7 +3207,8 @@ var SocketSdk = class {
     }
   }
   /**
-   * Get organization's security policy configuration.* Returns alert rules, severity thresholds, and enforcement settings.
+   * Get organization's security policy configuration.
+   * Returns alert rules, severity thresholds, and enforcement settings.
    *
    * @throws {Error} When server returns 5xx status codes
    */
@@ -3272,36 +3373,32 @@ var SocketSdk = class {
     }
   }
   /**
-     * Get detailed results for a legacy scan report.
-    /**
-  
-    /**
-     * Get details for a specific repository.
-     *
-     * Returns repository configuration, monitoring status, and metadata.
-     *
-     * @param orgSlug - Organization identifier
-     * @param repoSlug - Repository slug/name
-     * @param options - Optional parameters including workspace
-     * @returns Repository details with configuration
-     *
-     * @example
-     * ```typescript
-     * const result = await sdk.getRepository('my-org', 'my-repo')
-     *
-     * if (result.success) {
-     *   console.log('Repository:', result.data.name)
-     *   console.log('Visibility:', result.data.visibility)
-     *   console.log('Default branch:', result.data.default_branch)
-     * }
-     * ```
-     *
-     * @see https://docs.socket.dev/reference/getorgrepo
-     * @apiEndpoint GET /orgs/{org_slug}/repos/{repo_slug}
-     * @quota 0 units
-     * @scopes repo:read
-     * @throws {Error} When server returns 5xx status codes
-     */
+   * Get details for a specific repository.
+   *
+   * Returns repository configuration, monitoring status, and metadata.
+   *
+   * @param orgSlug - Organization identifier
+   * @param repoSlug - Repository slug/name
+   * @param options - Optional parameters including workspace
+   * @returns Repository details with configuration
+   *
+   * @example
+   * ```typescript
+   * const result = await sdk.getRepository('my-org', 'my-repo')
+   *
+   * if (result.success) {
+   *   console.log('Repository:', result.data.name)
+   *   console.log('Visibility:', result.data.visibility)
+   *   console.log('Default branch:', result.data.default_branch)
+   * }
+   * ```
+   *
+   * @see https://docs.socket.dev/reference/getorgrepo
+   * @apiEndpoint GET /orgs/{org_slug}/repos/{repo_slug}
+   * @quota 0 units
+   * @scopes repo:read
+   * @throws {Error} When server returns 5xx status codes
+   */
   async getRepository(orgSlug, repoSlug, options) {
     const orgSlugParam = encodeURIComponent(orgSlug);
     const repoSlugParam = encodeURIComponent(repoSlug);
@@ -3860,7 +3957,7 @@ var SocketSdk = class {
         success: true
       };
     } catch (e) {
-      return this.#createQueryErrorResult(e);
+      return await this.#handleApiError(e);
     }
   }
   /**
@@ -3977,14 +4074,21 @@ var SocketSdk = class {
       method = "POST",
       throws = true
     } = { __proto__: null, ...options };
+    const url = `${this.#baseUrl}${urlPath}`;
     try {
-      const response = await createRequestWithJson(
-        method,
-        this.#baseUrl,
-        urlPath,
-        body,
-        { ...this.#reqOptions, hooks: this.#hooks }
-      );
+      const response = await this.#executeWithRetry(async () => {
+        const res = await createRequestWithJson(
+          method,
+          this.#baseUrl,
+          urlPath,
+          body,
+          { ...this.#reqOptions, hooks: this.#hooks }
+        );
+        if (!isResponseOk(res)) {
+          throw new ResponseError(res, "", url);
+        }
+        return res;
+      });
       const data = await getResponseJson(response);
       if (throws) {
         return data;
@@ -4008,17 +4112,11 @@ var SocketSdk = class {
           data: void 0,
           error: errorResult.error,
           status: errorResult.status,
-          success: false
+          success: false,
+          url: errorResult.url
         };
       }
-      const errStr = e ? String(e).trim() : "";
-      return {
-        cause: errStr || import_core.UNKNOWN_ERROR,
-        data: void 0,
-        error: "API request failed",
-        status: 0,
-        success: false
-      };
+      return this.#createQueryErrorResult(e);
     }
   }
   /**
@@ -4061,14 +4159,17 @@ var SocketSdk = class {
     };
     const url = `${this.#baseUrl}orgs/${encodeURIComponent(orgSlug)}/full-scans/${encodeURIComponent(scanId)}`;
     try {
-      const req = getHttpModule(this.#baseUrl).request(url, {
-        method: "GET",
-        ...this.#reqOptions
-      }).end();
-      const res = await getResponse(req);
-      if (!isResponseOk(res)) {
-        throw new ResponseError(res, "", url);
-      }
+      const res = await this.#executeWithRetry(async () => {
+        const req = getHttpModule(this.#baseUrl).request(url, {
+          method: "GET",
+          ...this.#reqOptions
+        }).end();
+        const response = await getResponse(req);
+        if (!isResponseOk(response)) {
+          throw new ResponseError(response, "", url);
+        }
+        return response;
+      });
       if (typeof output === "string") {
         const writeStream = (0, import_node_fs3.createWriteStream)(output);
         let bytesWritten = 0;
@@ -4103,15 +4204,15 @@ var SocketSdk = class {
         });
         const stdoutErrorHandler = (_error) => {
           res.destroy();
-          process.stdout.removeListener("error", stdoutErrorHandler);
+          import_node_process2.default.stdout.removeListener("error", stdoutErrorHandler);
         };
-        process.stdout.on("error", stdoutErrorHandler);
-        res.pipe(process.stdout);
+        import_node_process2.default.stdout.on("error", stdoutErrorHandler);
+        res.pipe(import_node_process2.default.stdout);
         res.on("end", () => {
-          process.stdout.removeListener("error", stdoutErrorHandler);
+          import_node_process2.default.stdout.removeListener("error", stdoutErrorHandler);
         });
         res.on("error", () => {
-          process.stdout.removeListener("error", stdoutErrorHandler);
+          import_node_process2.default.stdout.removeListener("error", stdoutErrorHandler);
         });
       }
       return this.#handleApiSuccess(res);
@@ -4196,7 +4297,8 @@ var SocketSdk = class {
     }
   }
   /**
-   * Update organization's license policy configuration.* Modifies allowed, restricted, and monitored license types.
+   * Update organization's license policy configuration.
+   * Modifies allowed, restricted, and monitored license types.
    *
    * @throws {Error} When server returns 5xx status codes
    */
@@ -4219,7 +4321,8 @@ var SocketSdk = class {
     }
   }
   /**
-   * Update organization's security policy configuration.* Modifies alert rules, severity thresholds, and enforcement settings.
+   * Update organization's security policy configuration.
+   * Modifies alert rules, severity thresholds, and enforcement settings.
    *
    * @throws {Error} When server returns 5xx status codes
    */
@@ -4514,18 +4617,25 @@ var SocketSdk = class {
    * vulnerabilities, description, license, and tier information.
    */
   async viewPatch(orgSlug, uuid) {
-    const data = await getResponseJson(
-      await createGetRequest(
-        this.#baseUrl,
-        `orgs/${encodeURIComponent(orgSlug)}/patches/view/${encodeURIComponent(uuid)}`,
-        { ...this.#reqOptions, hooks: this.#hooks }
-      )
-    );
-    return data;
+    try {
+      const data = await this.#executeWithRetry(
+        async () => await getResponseJson(
+          await createGetRequest(
+            this.#baseUrl,
+            `orgs/${encodeURIComponent(orgSlug)}/patches/view/${encodeURIComponent(uuid)}`,
+            { ...this.#reqOptions, hooks: this.#hooks }
+          )
+        )
+      );
+      return data;
+    } catch (e) {
+      const result = await this.#handleApiError(e);
+      throw new Error(result.error, { cause: result.cause });
+    }
   }
 };
 if ((0, import_debug2.isDebugNs)("heap")) {
-  const used = process.memoryUsage();
+  const used = import_node_process2.default.memoryUsage();
   (0, import_debug2.debugLog)("heap", `heap used: ${Math.round(used.heapUsed / 1024 / 1024)}MB`);
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/socket-sdk-class.d.ts

@@ -1,4 +1,4 @@
-import type { ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CreateDependenciesSnapshotOptions, Entitlement, GetOptions, PatchViewResponse, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, SendOptions, SocketSdkGenericResult, SocketSdkOptions, SocketSdkResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesReturnType } from './types';
+import type { ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CreateDependenciesSnapshotOptions, Entitlement, GetOptions, MalwareCheckResult, PatchViewResponse, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, SendOptions, SocketSdkGenericResult, SocketSdkOptions, SocketSdkResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesReturnType } from './types';
 import type { CreateFullScanOptions, DeleteRepositoryLabelResult, DeleteResult, FullScanListResult, FullScanResult, GetRepositoryOptions, ListFullScansOptions, ListRepositoriesOptions, OrganizationsResult, RepositoriesListResult, RepositoryLabelResult, RepositoryLabelsListResult, RepositoryResult, StrictErrorResult } from './types-strict';
 import type { IncomingMessage } from 'node:http';
 /**
@@ -73,6 +73,23 @@ export declare class SocketSdk {
             purl: string;
         }>;
     }, options?: BatchPackageStreamOptions | undefined): AsyncGenerator<BatchPackageFetchResultType>;
+    /**
+     * Check packages for malware and security alerts.
+     *
+     * For small sets (≤ MAX_FIREWALL_COMPONENTS), uses parallel firewall API
+     * requests which return full artifact data including score and alert details.
+     *
+     * For larger sets, uses the batch PURL API for efficiency.
+     *
+     * Both paths normalize alerts through publicPolicy and only return
+     * malware-relevant results.
+     *
+     * @param components - Array of package URLs to check
+     * @returns Normalized results with policy-filtered alerts per package
+     */
+    checkMalware(components: Array<{
+        purl: string;
+    }>): Promise<SocketSdkGenericResult<MalwareCheckResult>>;
     /**
      * Create a snapshot of project dependencies by uploading manifest files.
      * Analyzes dependency files to generate a comprehensive security report.
@@ -368,29 +385,16 @@ export declare class SocketSdk {
      */
     deleteRepositoryLabel(orgSlug: string, labelId: string): Promise<DeleteRepositoryLabelResult | StrictErrorResult>;
     /**
-     * Delete a legacy scan report permanently.
-  
-    /**
-     * Download patch file content by hash.
+     * Download full scan files as a tar archive.
      *
-     * Downloads the actual patched file content from the public Socket blob store.
-     * This is used after calling viewPatch() to get the patch metadata.
-     * No authentication is required as patch blobs are publicly accessible.
-     *
-     * @param hash - The blob hash in SSRI (sha256-base64) or hex format
-     * @param options - Optional configuration
-     * @param options.baseUrl - Override blob store URL (for testing)
-     * @returns Promise<string> - The patch file content as UTF-8 string
-     * @throws Error if blob not found (404) or download fails
+     * Streams the full scan file contents to the specified output path as a tar file.
+     * Includes size limit enforcement to prevent excessive disk usage.
      *
-     * @example
-     * ```typescript
-     * const sdk = new SocketSdk('your-api-token')
-     * // First get patch metadata
-     * const patch = await sdk.viewPatch('my-org', 'patch-uuid')
-     * // Then download the actual patched file
-     * const fileContent = await sdk.downloadPatch(patch.files['index.js'].socketBlob)
-     * ```
+     * @param orgSlug - Organization identifier
+     * @param fullScanId - Full scan identifier
+     * @param outputPath - Local file path to write the tar archive
+     * @returns Download result with success/error status
+     * @throws {Error} When server returns 5xx status codes
      */
     downloadOrgFullScanFilesAsTar(orgSlug: string, fullScanId: string, outputPath: string): Promise<SocketSdkResult<'downloadOrgFullScanFilesAsTar'>>;
     /**
@@ -526,7 +530,7 @@ export declare class SocketSdk {
     /**
      * Retrieve the enabled entitlements for an organization.
      *
-     * This method fetches the organization's entitlements and filters for only* the enabled ones, returning their keys. Entitlements represent Socket
+     * This method fetches the organization's entitlements and filters for only the enabled ones, returning their keys. Entitlements represent Socket
      * Products that the organization has access to use.
      */
     getEnabledEntitlements(orgSlug: string): Promise<string[]>;
@@ -713,13 +717,15 @@ export declare class SocketSdk {
         vulnerability_ids: string;
     }): Promise<SocketSdkResult<'fetch-fixes'>>;
     /**
-     * Get organization's license policy configuration.* Returns allowed, restricted, and monitored license types.
+     * Get organization's license policy configuration.
+     * Returns allowed, restricted, and monitored license types.
      *
      * @throws {Error} When server returns 5xx status codes
      */
     getOrgLicensePolicy(orgSlug: string): Promise<SocketSdkResult<'getOrgLicensePolicy'>>;
     /**
-     * Get organization's security policy configuration.* Returns alert rules, severity thresholds, and enforcement settings.
+     * Get organization's security policy configuration.
+     * Returns alert rules, severity thresholds, and enforcement settings.
      *
      * @throws {Error} When server returns 5xx status codes
      */
@@ -782,10 +788,6 @@ export declare class SocketSdk {
      * @throws {Error} When server returns 5xx status codes
      */
     getRepoAnalytics(repo: string, time: string): Promise<SocketSdkResult<'getRepoAnalytics'>>;
-    /**
-     * Get detailed results for a legacy scan report.
-    /**
-  
     /**
      * Get details for a specific repository.
      *
@@ -1156,13 +1158,15 @@ export declare class SocketSdk {
      */
     updateOrgAlertTriage(orgSlug: string, alertId: string, triageData: QueryParams): Promise<SocketSdkResult<'updateOrgAlertTriage'>>;
     /**
-     * Update organization's license policy configuration.* Modifies allowed, restricted, and monitored license types.
+     * Update organization's license policy configuration.
+     * Modifies allowed, restricted, and monitored license types.
      *
      * @throws {Error} When server returns 5xx status codes
      */
     updateOrgLicensePolicy(orgSlug: string, policyData: QueryParams, queryParams?: QueryParams | undefined): Promise<SocketSdkResult<'updateOrgLicensePolicy'>>;
     /**
-     * Update organization's security policy configuration.* Modifies alert rules, severity thresholds, and enforcement settings.
+     * Update organization's security policy configuration.
+     * Modifies alert rules, severity thresholds, and enforcement settings.
      *
      * @throws {Error} When server returns 5xx status codes
      */

package/dist/types.d.ts

@@ -171,6 +171,34 @@ export type SocketSdkGenericResult<T> = {
     success: false;
     url?: string | undefined;
 };
+export type MalwareCheckAlert = {
+    category?: string | undefined;
+    fix?: {
+        description: string;
+        type: string;
+    } | undefined;
+    key: string;
+    props?: Record<string, unknown> | undefined;
+    severity?: string | undefined;
+    type: ALERT_TYPE;
+};
+export type MalwareCheckPackage = {
+    alerts: MalwareCheckAlert[];
+    name?: string | undefined;
+    namespace?: string | undefined;
+    score?: MalwareCheckScore | undefined;
+    type: string;
+    version?: string | undefined;
+};
+export type MalwareCheckResult = MalwareCheckPackage[];
+export type MalwareCheckScore = {
+    license: number;
+    maintenance: number;
+    overall: number;
+    quality: number;
+    supplyChain: number;
+    vulnerability: number;
+};
 /**
  * Result from file validation callback.
  * Allows consumers to customize error handling and logging.
@@ -312,14 +340,6 @@ export type CreateDependenciesSnapshotOptions = {
     pathsRelativeTo?: string | undefined;
     queryParams?: QueryParams | undefined;
 };
-export type CreateOrgFullScanOptions = {
-    pathsRelativeTo?: string | undefined;
-    queryParams?: QueryParams | undefined;
-};
-export type CreateScanFromFilepathsOptions = {
-    issueRules?: Record<string, boolean> | undefined;
-    pathsRelativeTo?: string | undefined;
-};
 export type StreamOrgFullScanOptions = {
     output?: boolean | string | undefined;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/sdk",
-  "version": "3.4.1",
+  "version": "3.5.0",
   "description": "SDK for the Socket API client",
   "homepage": "https://github.com/SocketDev/socket-sdk-js",
   "license": "MIT",
@@ -59,16 +59,18 @@
     "publish": "node scripts/publish.mjs",
     "publish:ci": "node scripts/publish.mjs --tag ${DIST_TAG:-latest}",
     "claude": "node scripts/claude.mjs",
+    "security": "agentshield scan && { command -v zizmor >/dev/null && zizmor .github/ || echo 'zizmor not installed — run pnpm run setup to install'; }",
     "test": "node scripts/test.mjs",
     "type": "tsgo --noEmit -p .config/tsconfig.check.json",
     "update": "node scripts/update.mjs"
   },
   "dependencies": {
-    "@socketregistry/packageurl-js": "1.3.5",
-    "@socketsecurity/lib": "5.8.1",
+    "@socketregistry/packageurl-js": "1.4.1",
+    "@socketsecurity/lib": "5.11.4",
     "form-data": "4.0.5"
   },
   "devDependencies": {
+    "@anthropic-ai/claude-code": "2.1.89",
     "@babel/generator": "7.28.5",
     "@babel/parser": "7.26.3",
     "@babel/traverse": "7.26.4",
@@ -83,6 +85,7 @@
     "acorn": "8.15.0",
     "del": "8.0.1",
     "dev-null-cli": "2.0.0",
+    "ecc-agentshield": "1.4.0",
     "esbuild": "0.25.11",
     "fast-glob": "3.3.3",
     "http2-wrapper": "2.2.1",
@@ -109,10 +112,10 @@
     "strict": true
   },
   "engines": {
-    "node": ">=18",
-    "pnpm": ">=10.25.0"
+    "node": ">=18.20.8",
+    "pnpm": ">=10.33.0"
   },
-  "packageManager": "pnpm@10.32.1",
+  "packageManager": "pnpm@10.33.0",
   "pnpm": {
     "ignoredBuiltDependencies": [
       "esbuild",

package/types/api.d.ts

@@ -896,7 +896,7 @@ export interface paths {
     /**
      * Start historical data snapshot job (Beta)
      * @description This API endpoint is used to start a historical snapshot job.
-     * While snapshots are typically taken at least once a day, this endpoint can be used to start an "on demand" snapshot job to ensure the latest data is collected and stored for historical purposes.
+     * While snapshots are typically taken multiple times a day for paid plans and once a day for free plans, this endpoint can be used to start an "on demand" snapshot job to ensure the latest data is collected and stored for historical purposes.
      *
      * An historical snapshot will contain details and raw data for the following resources:
      *
@@ -1940,6 +1940,27 @@ export interface components {
         licenseDetails?: components['schemas']['LicenseDetails']
         licenseAttrib?: components['schemas']['SAttrib1_N']
       }
+    /** @description Mapping of supply chain risk alert types to their computed score contributions and formulas used for calculation. This allows for detailed breakdowns of how each alert type impacts the overall supply chain security score, with the ability to include custom formulas and components for each alert type. */
+    SocketSBOMScore: {
+      [key: string]: {
+        value: {
+          /**
+           * @description Score from 0.0 to 1.0 for the scanned repository, computed from supply chain risk alerts using weighted exponential decay per direct dependency
+           * @default 0
+           */
+          result: number
+          /** @description Components used to compute result of the formula */
+          components?: {
+            [key: string]: number
+          }
+          /**
+           * @description Formula used to compute the supply chain security score
+           * @default
+           */
+          formula?: string
+        }
+      }
+    }
     SocketDiffArtifact: components['schemas']['SocketPURL'] & {
       diffType: components['schemas']['SocketDiffArtifactType']
       id?: components['schemas']['SocketId']
@@ -4331,6 +4352,23 @@ export interface components {
             usage?: components['schemas']['SocketUsageRef']
           }
         }
+      | {
+          /** @enum {string} */
+          type?: 'skillPreExecution'
+          value?: components['schemas']['SocketIssueBasics'] & {
+            /** @default */
+            description: string
+            props: {
+              /** @default */
+              notes: string
+              /** @default 0 */
+              confidence: number
+              /** @default 0 */
+              severity: number
+            }
+            usage?: components['schemas']['SocketUsageRef']
+          }
+        }
       | {
           /** @enum {string} */
           type?: 'skillPromptInjection'
@@ -5522,6 +5560,8 @@ export interface operations {
         cachedResultsOnly?: boolean
         /** @description Include a summary object at the end of the stream with counts of malformed, resolved, and not found PURLs. */
         summary?: boolean
+        /** @description Maximum time in seconds to wait for scan results. PURLs that have not completed processing when the timeout is reached will be returned as errors (when purlErrors is enabled). Omit for no timeout. */
+        timeoutSec?: number
       }
     }
     requestBody?: {
@@ -5598,6 +5638,8 @@ export interface operations {
               version?: string
               /** @default */
               release?: string
+              /** @default */
+              workspace?: string
             }>
           }
         }
@@ -5924,6 +5966,10 @@ export interface operations {
         include_alert_priority_details?:
           | boolean
           | Array<'component' | 'formula'>
+        /** @description Include scores event in the response. include_scores_details implies this flag */
+        include_scores: boolean
+        /** @description Control which score detail fields to include in the scores event. Set to "true" to include all fields, "false" to exclude all fields, or specify individual fields like "components,formula" to include only those fields. */
+        include_scores_details?: boolean | Array<'components' | 'formula'>
         /** @description Include license details in the response. This can increase the response size significantly. */
         include_license_details: boolean
         /** @description Return cached immutable scan results. When enabled and results are cached, returns the pre-computed scan. When results are not yet cached, returns 202 Accepted and enqueues a background job. */
@@ -5937,10 +5983,16 @@ export interface operations {
       }
     }
     responses: {
-      /** @description Socket issue lists and scores for all packages */
+      /** @description Socket issue lists and scores for all packages, followed by a final scores event */
       200: {
         content: {
-          'application/x-ndjson': components['schemas']['SocketArtifact']
+          'application/x-ndjson':
+            | components['schemas']['SocketArtifact']
+            | {
+                /** @enum {string} */
+                _type: 'scores'
+                value: components['schemas']['SocketSBOMScore']
+              }
         }
       }
       /** @description Scan is being processed. Poll again later to retrieve results. */
@@ -9411,6 +9463,13 @@ export interface operations {
                  */
                 action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
               }
+              skillPreExecution?: {
+                /**
+                 * @description The action to take for skillPreExecution issues.
+                 * @enum {string}
+                 */
+                action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
+              }
               skillPromptInjection?: {
                 /**
                  * @description The action to take for skillPromptInjection issues.
@@ -10388,6 +10447,13 @@ export interface operations {
                */
               action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
             }
+            skillPreExecution?: {
+              /**
+               * @description The action to take for skillPreExecution issues.
+               * @enum {string}
+               */
+              action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
+            }
             skillPromptInjection?: {
               /**
                * @description The action to take for skillPromptInjection issues.
@@ -11519,6 +11585,13 @@ export interface operations {
                  */
                 action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
               }
+              skillPreExecution?: {
+                /**
+                 * @description The action to take for skillPreExecution issues.
+                 * @enum {string}
+                 */
+                action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
+              }
               skillPromptInjection?: {
                 /**
                  * @description The action to take for skillPromptInjection issues.
@@ -12489,6 +12562,13 @@ export interface operations {
                */
               action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
             }
+            skillPreExecution?: {
+              /**
+               * @description The action to take for skillPreExecution issues.
+               * @enum {string}
+               */
+              action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
+            }
             skillPromptInjection?: {
               /**
                * @description The action to take for skillPromptInjection issues.
@@ -13428,6 +13508,13 @@ export interface operations {
                  */
                 action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
               }
+              skillPreExecution?: {
+                /**
+                 * @description The action to take for skillPreExecution issues.
+                 * @enum {string}
+                 */
+                action: 'defer' | 'error' | 'warn' | 'monitor' | 'ignore'
+              }
               skillPromptInjection?: {
                 /**
                  * @description The action to take for skillPromptInjection issues.
@@ -15243,7 +15330,7 @@ export interface operations {
   /**
    * Start historical data snapshot job (Beta)
    * @description This API endpoint is used to start a historical snapshot job.
-   * While snapshots are typically taken at least once a day, this endpoint can be used to start an "on demand" snapshot job to ensure the latest data is collected and stored for historical purposes.
+   * While snapshots are typically taken multiple times a day for paid plans and once a day for free plans, this endpoint can be used to start an "on demand" snapshot job to ensure the latest data is collected and stored for historical purposes.
    *
    * An historical snapshot will contain details and raw data for the following resources:
    *
@@ -15313,6 +15400,7 @@ export interface operations {
           | 'CreateOauthRefreshToken'
           | 'CreateRepoAccessRule'
           | 'CreateWebhook'
+          | 'CreateTicket'
           | 'DeleteAlertTriage'
           | 'DeleteApiToken'
           | 'DeleteFullScan'
@@ -15323,8 +15411,10 @@ export interface operations {
           | 'DeleteRepository'
           | 'DeleteWebhook'
           | 'DisassociateLabel'
+          | 'DisconnectJiraIntegration'
           | 'DowngradeOrganizationPlan'
           | 'JoinOrganization'
+          | 'JiraIntegrationConnected'
           | 'MemberAdded'
           | 'MemberRemoved'
           | 'MemberRoleChanged'
@@ -15519,6 +15609,11 @@ export interface operations {
                 | 'alerts'
                 | 'alerts:list'
                 | 'alerts:trend'
+                | 'alert-resolution'
+                | 'alert-resolution:list'
+                | 'alert-resolution:create'
+                | 'alert-resolution:read'
+                | 'alert-resolution:delete'
                 | 'api-tokens'
                 | 'api-tokens:create'
                 | 'api-tokens:update'
@@ -15649,6 +15744,11 @@ export interface operations {
             | 'alerts'
             | 'alerts:list'
             | 'alerts:trend'
+            | 'alert-resolution'
+            | 'alert-resolution:list'
+            | 'alert-resolution:create'
+            | 'alert-resolution:read'
+            | 'alert-resolution:delete'
             | 'api-tokens'
             | 'api-tokens:create'
             | 'api-tokens:update'
@@ -15842,6 +15942,11 @@ export interface operations {
             | 'alerts'
             | 'alerts:list'
             | 'alerts:trend'
+            | 'alert-resolution'
+            | 'alert-resolution:list'
+            | 'alert-resolution:create'
+            | 'alert-resolution:read'
+            | 'alert-resolution:delete'
             | 'api-tokens'
             | 'api-tokens:create'
             | 'api-tokens:update'
@@ -16577,6 +16682,8 @@ export interface operations {
         cachedResultsOnly?: boolean
         /** @description Include a summary object at the end of the stream with counts of malformed, resolved, and not found PURLs. */
         summary?: boolean
+        /** @description Maximum time in seconds to wait for scan results. PURLs that have not completed processing when the timeout is reached will be returned as errors (when purlErrors is enabled). Omit for no timeout, unless a default timeout is configured for the organization. */
+        timeoutSec?: number
       }
       path: {
         /** @description The slug of the organization */
@@ -16667,7 +16774,7 @@ export interface operations {
   'fetch-fixes': {
     parameters: {
       query: {
-        /** @description The slug of the repository to fetch fixes for. Computes fixes based on the latest scan on the default branch */
+        /** @description The slug of the repository to fetch fixes for (e.g. "my-repo" or "my-org/my-repo"). Use the full org/repo path to disambiguate when multiple GitHub orgs share the same repo name. Computes fixes based on the latest scan on the default branch */
         repo_slug?: string
         /** @description The ID of the scan to fetch fixes for */
         full_scan_id?: string