@socketsecurity/sdk 3.4.1 → 4.0.0

package/CHANGELOG.md

@@ -4,6 +4,46 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [4.0.0](https://github.com/SocketDev/socket-sdk-js/releases/tag/v4.0.0) - 2026-04-06
+
+### Breaking Changes
+
+- **HTTP client refactored**: All HTTP methods (`createGetRequest`, `createDeleteRequest`, `createRequestWithJson`, `createUploadRequest`) now return `HttpResponse` from `@socketsecurity/lib/http-request` instead of Node.js `IncomingMessage`
+- **`ResponseError.response`**: Changed from `IncomingMessage` to `HttpResponse` — access status via `.status`/`.statusText` instead of `.statusCode`/`.statusMessage`
+- **Unified HTTP transport**: File uploads now use `httpRequest()` from `@socketsecurity/lib` — eliminated the dual `node:http`/`node:https` + `getResponse()` stack
+- **Trimmed public API surface**: Removed internal helpers from the main entry point:
+  - HTTP functions: `createDeleteRequest`, `createGetRequest`, `createRequestWithJson`, `getErrorResponseBody`, `getResponseJson`, `isResponseOk`, `reshapeArtifactForPublicPolicy`
+  - File upload functions: `createRequestBodyForFilepaths`, `createRequestBodyForJson`, `createUploadRequest`
+  - Utilities: `calculateWordSetSimilarity`, `filterRedundantCause`, `normalizeBaseUrl`, `promiseWithResolvers`, `queryToSearchParams`, `resolveAbsPaths`, `resolveBasePath`, `shouldOmitReason`
+  - Constants: `DEFAULT_USER_AGENT`, `httpAgentNames`, `publicPolicy`
+- **Removed exports**: `getHttpModule` and `getResponse` are fully removed (not just from index)
+- **Removed `PromiseQueue`**: The `PromiseQueue` class has been removed entirely
+- **Removed `getSupportedScanFiles()`**: Deprecated since 2023-01-15 — use `getSupportedFiles()` instead
+- **Removed `http2-wrapper` type dependency**: `Agent` type now uses `ClientHttp2Session` from native `node:http2`
+
+### Changed
+
+- Migrated HTTP internals to `@socketsecurity/lib/http-request` (`httpRequest`), reducing code duplication and consolidating response handling
+- Retry logic improved: all 4xx client errors now bail immediately (previously only 401/403)
+- New audit log action types: `CreateFirewallCustomRegistry`, `CreateFirewallDeploymentConfig`, `DeleteFirewallCustomRegistry`, `DeleteFirewallDeploymentConfig`, `UpdateFirewallCustomRegistry`, `UpdateFirewallDeploymentConfig`
+
+## [3.5.0](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.5.0) - 2026-04-03
+
+### Added
+
+- **checkMalware**: New API method for normalized malware detection across public and org tokens
+  - Public tokens use the firewall API with client-side `publicPolicy` filtering
+  - Org tokens use the batch PURL API with full server-assigned org policy
+  - Both paths return the same normalized `MalwareCheckResult` shape
+- New exported types: `MalwareCheckAlert`, `MalwareCheckPackage`, `MalwareCheckResult`, `MalwareCheckScore`
+- New audit log action types: `CreateTicket`, `DisconnectJiraIntegration`, `JiraIntegrationConnected`
+- New `alert-resolution` permission scope (list, create, read, delete)
+- New `workspace` parameter for `createOrgFullScan` package entries
+- New `SocketSBOMScore` schema for supply chain risk score breakdowns with formulas and components
+- New `skillPreExecution` alert type and policy action
+- Full scan `include_scores` and `include_scores_details` query parameters with `scores` ndjson event
+- Batch PURL `timeoutSec` parameter for scan result timeout control
+
 ## [3.4.1](https://github.com/SocketDev/socket-sdk-js/releases/tag/v3.4.1) - 2026-03-12
 
 ### Changed

package/README.md

@@ -2,7 +2,7 @@
 
 [![Socket Badge](https://socket.dev/api/badge/npm/package/@socketsecurity/sdk)](https://socket.dev/npm/package/@socketsecurity/sdk)
 [![CI](https://github.com/SocketDev/socket-sdk-js/actions/workflows/ci.yml/badge.svg)](https://github.com/SocketDev/socket-sdk-js/actions/workflows/ci.yml)
-![Coverage](https://img.shields.io/badge/coverage-40%25-orange)
+![Coverage](https://img.shields.io/badge/coverage-96%25-brightgreen)
 
 [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
 [![Follow @socket.dev on Bluesky](https://img.shields.io/badge/Follow-@socket.dev-1DA1F2?style=social&logo=bluesky)](https://bsky.app/profile/socket.dev)

package/dist/constants.d.ts

@@ -12,5 +12,7 @@ export declare const MIN_HTTP_TIMEOUT = 5000;
 export declare const MAX_RESPONSE_SIZE: number;
 export declare const MAX_STREAM_SIZE: number;
 export declare const SOCKET_PUBLIC_BLOB_STORE_URL = "https://socketusercontent.com";
+export declare const MAX_FIREWALL_COMPONENTS = 8;
+export declare const SOCKET_FIREWALL_API_URL = "https://firewall-api.socket.dev/purl";
 export declare const httpAgentNames: Set<string>;
-export declare const publicPolicy: Map<"ambiguousClassifier" | "badEncoding" | "badSemver" | "badSemverDependency" | "bidi" | "binScriptConfusion" | "chromeContentScript" | "chromeHostPermission" | "chromePermission" | "chromeWildcardHostPermission" | "chronoAnomaly" | "compromisedSSHKey" | "copyleftLicense" | "criticalCVE" | "cve" | "debugAccess" | "deprecated" | "deprecatedException" | "deprecatedLicense" | "didYouMean" | "dynamicRequire" | "emptyPackage" | "envVars" | "explicitlyUnlicensedItem" | "extraneousDependency" | "fileDependency" | "filesystemAccess" | "floatingDependency" | "generic" | "ghaArgToEnv" | "ghaArgToOutput" | "ghaArgToSink" | "ghaContextToEnv" | "ghaContextToOutput" | "ghaContextToSink" | "ghaEnvToSink" | "gitDependency" | "gitHubDependency" | "gptAnomaly" | "gptDidYouMean" | "gptMalware" | "gptSecurity" | "hasNativeCode" | "highEntropyStrings" | "homoglyphs" | "httpDependency" | "installScripts" | "invalidPackageJSON" | "invisibleChars" | "licenseChange" | "licenseException" | "licenseSpdxDisj" | "longStrings" | "majorRefactor" | "malware" | "manifestConfusion" | "mediumCVE" | "mildCVE" | "minifiedFile" | "miscLicenseIssues" | "missingAuthor" | "missingDependency" | "missingLicense" | "missingTarball" | "mixedLicense" | "modifiedException" | "modifiedLicense" | "networkAccess" | "newAuthor" | "noAuthorData" | "noBugTracker" | "noLicenseFound" | "noREADME" | "noRepository" | "noTests" | "noV1" | "noWebsite" | "nonOSILicense" | "nonSPDXLicense" | "nonpermissiveLicense" | "notice" | "obfuscatedFile" | "obfuscatedRequire" | "peerDependency" | "potentialVulnerability" | "recentlyPublished" | "semverAnomaly" | "shellAccess" | "shellScriptOverride" | "shrinkwrap" | "skillAutonomyAbuse" | "skillCommandInjection" | "skillDataExfiltration" | "skillDiscoveryAbuse" | "skillHardcodedSecrets" | "skillObfuscation" | "skillPromptInjection" | "skillResourceAbuse" | "skillSupplyChain" | "skillToolAbuse" | "skillToolChaining" | "skillTransitiveTrust" | "socketUpgradeAvailable" | "suspiciousStarActivity" | "suspiciousString" | "telemetry" | "tooManyFiles" | "trivialPackage" | "troll" | "typeModuleCompatibility" | "uncaughtOptionalDependency" | "unclearLicense" | "unidentifiedLicense" | "unmaintained" | "unpopularPackage" | "unpublished" | "unresolvedRequire" | "unsafeCopyright" | "unstableOwnership" | "unusedDependency" | "urlStrings" | "usesEval" | "vsxActivationWildcard" | "vsxDebuggerContribution" | "vsxExtensionDependency" | "vsxExtensionPack" | "vsxProposedApiUsage" | "vsxUntrustedWorkspaceSupported" | "vsxVirtualWorkspaceSupported" | "vsxWebviewContribution" | "vsxWorkspaceContainsActivation" | "zeroWidth", ALERT_ACTION>;
+export declare const publicPolicy: Map<"ambiguousClassifier" | "badEncoding" | "badSemver" | "badSemverDependency" | "bidi" | "binScriptConfusion" | "chromeContentScript" | "chromeHostPermission" | "chromePermission" | "chromeWildcardHostPermission" | "chronoAnomaly" | "compromisedSSHKey" | "copyleftLicense" | "criticalCVE" | "cve" | "debugAccess" | "deprecated" | "deprecatedException" | "deprecatedLicense" | "didYouMean" | "dynamicRequire" | "emptyPackage" | "envVars" | "explicitlyUnlicensedItem" | "extraneousDependency" | "fileDependency" | "filesystemAccess" | "floatingDependency" | "generic" | "ghaArgToEnv" | "ghaArgToOutput" | "ghaArgToSink" | "ghaContextToEnv" | "ghaContextToOutput" | "ghaContextToSink" | "ghaEnvToSink" | "gitDependency" | "gitHubDependency" | "gptAnomaly" | "gptDidYouMean" | "gptMalware" | "gptSecurity" | "hasNativeCode" | "highEntropyStrings" | "homoglyphs" | "httpDependency" | "installScripts" | "invalidPackageJSON" | "invisibleChars" | "licenseChange" | "licenseException" | "licenseSpdxDisj" | "longStrings" | "majorRefactor" | "malware" | "manifestConfusion" | "mediumCVE" | "mildCVE" | "minifiedFile" | "miscLicenseIssues" | "missingAuthor" | "missingDependency" | "missingLicense" | "missingTarball" | "mixedLicense" | "modifiedException" | "modifiedLicense" | "networkAccess" | "newAuthor" | "noAuthorData" | "noBugTracker" | "noLicenseFound" | "noREADME" | "noRepository" | "noTests" | "noV1" | "noWebsite" | "nonOSILicense" | "nonSPDXLicense" | "nonpermissiveLicense" | "notice" | "obfuscatedFile" | "obfuscatedRequire" | "peerDependency" | "potentialVulnerability" | "recentlyPublished" | "semverAnomaly" | "shellAccess" | "shellScriptOverride" | "shrinkwrap" | "skillAutonomyAbuse" | "skillCommandInjection" | "skillDataExfiltration" | "skillDiscoveryAbuse" | "skillHardcodedSecrets" | "skillObfuscation" | "skillPreExecution" | "skillPromptInjection" | "skillResourceAbuse" | "skillSupplyChain" | "skillToolAbuse" | "skillToolChaining" | "skillTransitiveTrust" | "socketUpgradeAvailable" | "suspiciousStarActivity" | "suspiciousString" | "telemetry" | "tooManyFiles" | "trivialPackage" | "troll" | "typeModuleCompatibility" | "uncaughtOptionalDependency" | "unclearLicense" | "unidentifiedLicense" | "unmaintained" | "unpopularPackage" | "unpublished" | "unresolvedRequire" | "unsafeCopyright" | "unstableOwnership" | "unusedDependency" | "urlStrings" | "usesEval" | "vsxActivationWildcard" | "vsxDebuggerContribution" | "vsxExtensionDependency" | "vsxExtensionPack" | "vsxProposedApiUsage" | "vsxUntrustedWorkspaceSupported" | "vsxVirtualWorkspaceSupported" | "vsxWebviewContribution" | "vsxWorkspaceContainsActivation" | "zeroWidth", ALERT_ACTION>;

package/dist/file-upload.d.ts

@@ -1,22 +1,5 @@
 import FormData from 'form-data';
 import type { RequestOptionsWithHooks } from './types';
-import type { IncomingMessage } from 'node:http';
-/**
- * Create multipart form-data body parts for file uploads.
- * Converts file paths to readable streams with proper multipart headers.
- *
- * @throws {Error} When file cannot be read (ENOENT, EACCES, EISDIR, etc.)
- */
+import type { HttpResponse } from '@socketsecurity/lib/http-request';
 export declare function createRequestBodyForFilepaths(filepaths: string[], basePath: string): FormData;
-/**
- * Create multipart form-data body part for JSON data.
- * Converts JSON object to readable stream with appropriate headers.
- */
-export declare function createRequestBodyForJson(jsonData: unknown, basename?: string): FormData;
-/**
- * Create and execute a multipart/form-data upload request using form-data library.
- * Streams large files efficiently with automatic backpressure handling and early server validation.
- *
- * @throws {Error} When network errors occur or stream processing fails
- */
-export declare function createUploadRequest(baseUrl: string, urlPath: string, form: FormData, options?: RequestOptionsWithHooks | undefined): Promise<IncomingMessage>;
+export declare function createUploadRequest(baseUrl: string, urlPath: string, form: FormData, options?: RequestOptionsWithHooks | undefined): Promise<HttpResponse>;

package/dist/http-client.d.ts

@@ -1,123 +1,14 @@
-/**
- * @fileoverview HTTP client utilities for Socket API communication.
- * Provides low-level HTTP request handling with proper error management and response parsing.
- */
-import http from 'node:http';
-import https from 'node:https';
 import type { RequestOptionsWithHooks, SendMethod } from './types';
+import type { HttpResponse } from '@socketsecurity/lib/http-request';
 import type { JsonValue } from '@socketsecurity/lib/json/types';
-import type { ClientRequest, IncomingMessage } from 'node:http';
-/**
- * Array of sensitive header names that should be redacted in logs
- */
-/**
- * HTTP response error for Socket API requests.
- * Extends Error with response details for debugging failed API calls.
- */
 export declare class ResponseError extends Error {
-    response: IncomingMessage;
+    response: HttpResponse;
     url?: string | undefined;
-    /**
-     * Create a new ResponseError from an HTTP response.
-     * Automatically formats error message with status code and message.
-     */
-    constructor(response: IncomingMessage, message?: string, url?: string | undefined);
+    constructor(response: HttpResponse, message?: string, url?: string | undefined);
 }
-/**
- * Create and execute an HTTP DELETE request.
- * Returns the response stream for further processing.
- *
- * @throws {Error} When network or timeout errors occur
- */
-export declare function createDeleteRequest(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined): Promise<IncomingMessage>;
-/**
- * Create and execute an HTTP GET request.
- * Returns the response stream for further processing.
- * Performance tracking enabled with DEBUG=perf.
- *
- * @throws {Error} When network or timeout errors occur
- */
-export declare function createGetRequest(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined): Promise<IncomingMessage>;
-/**
- * Create and execute an HTTP request with JSON payload.
- * Automatically sets appropriate content headers and serializes the body.
- * Performance tracking enabled with DEBUG=perf.
- *
- * @throws {Error} When network or timeout errors occur
- */
-export declare function createRequestWithJson(method: SendMethod, baseUrl: string, urlPath: string, json: unknown, options?: RequestOptionsWithHooks | undefined): Promise<IncomingMessage>;
-/**
- * Read the response body from an HTTP error response.
- * Accumulates all chunks into a complete string for error handling.
- * Enforces maximum response size to prevent memory exhaustion.
- *
- * @throws {Error} When stream errors occur during reading
- * @throws {Error} When response exceeds maximum size limit
- */
-export declare function getErrorResponseBody(response: IncomingMessage): Promise<string>;
-/**
- * Get the appropriate HTTP module based on URL protocol.
- * Returns http module for http: URLs, https module for https: URLs.
- */
-export declare function getHttpModule(url: string): typeof http | typeof https;
-/**
- * Wait for and return the HTTP response from a request.
- * Handles timeout and error conditions during request processing.
- *
- * @throws {Error} When request times out or network errors occur
- */
-export declare function getResponse(req: ClientRequest): Promise<IncomingMessage>;
-/**
- * Parse HTTP response body as JSON.
- * Validates response status and handles empty responses gracefully.
- * Performance tracking enabled with DEBUG=perf.
- *
- * @throws {ResponseError} When response has non-2xx status code
- * @throws {SyntaxError} When response body contains invalid JSON
- */
-export declare function getResponseJson(response: IncomingMessage, method?: string | undefined, url?: string | undefined): Promise<JsonValue | undefined>;
-/**
- * Create DELETE request with automatic retry logic.
- * Retries on network errors and 5xx responses.
- *
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- */
-export declare function createDeleteRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
-/**
- * Create GET request with automatic retry logic.
- * Retries on network errors and 5xx responses.
- *
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- */
-export declare function createGetRequestWithRetry(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
-/**
- * Create request with JSON payload and automatic retry logic.
- * Retries on network errors and 5xx responses.
- *
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- */
-export declare function createRequestWithJsonAndRetry(method: SendMethod, baseUrl: string, urlPath: string, json: unknown, options?: RequestOptionsWithHooks | undefined, retries?: number, retryDelay?: number): Promise<IncomingMessage>;
-/**
- * Check if HTTP response has a successful status code (2xx range).
- * Returns true for status codes between 200-299, false otherwise.
- */
-export declare function isResponseOk(response: IncomingMessage): boolean;
-/**
- * Transform artifact data based on authentication status.
- * Filters and compacts response data for public/free-tier users.
- */
-export declare function reshapeArtifactForPublicPolicy<T extends Record<string, unknown>>(data: T, isAuthenticated: boolean, actions?: string | undefined): T;
-/**
- * Retry helper for HTTP requests with exponential backoff.
- * Wraps any async HTTP function and retries on failure.
- *
- * @param fn - Async function to retry
- * @param retries - Number of retry attempts (default: 0, retries disabled)
- * @param retryDelay - Initial delay in ms (default: 100)
- * @returns Result of the function call
- * @throws {Error} Last error if all retries exhausted
- */
-export declare function withRetry<T>(fn: () => Promise<T>, retries?: number, retryDelay?: number): Promise<T>;
+export declare function createDeleteRequest(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined): Promise<HttpResponse>;
+export declare function createGetRequest(baseUrl: string, urlPath: string, options?: RequestOptionsWithHooks | undefined): Promise<HttpResponse>;
+export declare function createRequestWithJson(method: SendMethod, baseUrl: string, urlPath: string, json: unknown, options?: RequestOptionsWithHooks | undefined): Promise<HttpResponse>;
+export declare function getResponseJson(response: HttpResponse, method?: string | undefined, url?: string | undefined): Promise<JsonValue | undefined>;
+export declare function isResponseOk(response: HttpResponse): boolean;
+export declare function reshapeArtifactForPublicPolicy<T extends Record<string, unknown>>(data: T, isAuthenticated: boolean, actions?: string | undefined, policy?: Map<string, string> | undefined): T;

package/dist/index.d.ts

@@ -2,14 +2,9 @@
  * @fileoverview Main entry point for the Socket SDK.
  * Provides the SocketSdk class and utility functions for Socket security analysis API interactions.
  */
-import { DEFAULT_USER_AGENT, httpAgentNames, publicPolicy } from './constants';
-import { calculateWordSetSimilarity, filterRedundantCause, normalizeBaseUrl, promiseWithResolvers, queryToSearchParams, resolveAbsPaths, resolveBasePath, shouldOmitReason } from './utils';
-export { createRequestBodyForFilepaths, createRequestBodyForJson, createUploadRequest, } from './file-upload';
-export { createDeleteRequest, createGetRequest, createRequestWithJson, getErrorResponseBody, getHttpModule, getResponse, getResponseJson, isResponseOk, ResponseError, reshapeArtifactForPublicPolicy, } from './http-client';
+export { ResponseError } from './http-client';
 export { calculateTotalQuotaCost, getAllMethodRequirements, getMethodRequirements, getMethodsByPermissions, getMethodsByQuotaCost, getQuotaCost, getQuotaUsageSummary, getRequiredPermissions, hasQuotaForMethods, } from './quota-utils';
 export { SocketSdk } from './socket-sdk-class';
-export type { ALERT_ACTION, ALERT_TYPE, Agent, ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CompactSocketArtifact, CompactSocketArtifactAlert, CreateDependenciesSnapshotOptions, CreateOrgFullScanOptions, CreateScanFromFilepathsOptions, CustomResponseType, Entitlement, EntitlementsResponse, FileValidationCallback, FileValidationResult, GetOptions, GotOptions, HeadersRecord, PatchFile, PatchRecord, PatchViewResponse, TelemetryConfig, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, RequestInfo, RequestOptions, RequestOptionsWithHooks, ResponseInfo, SecurityAlert, SendMethod, SendOptions, SocketArtifact, SocketArtifactAlert, SocketArtifactWithExtras, SocketId, SocketMetricSchema, SocketSdkArrayElement, SocketSdkData, SocketSdkErrorResult, SocketSdkGenericResult, SocketSdkOperations, SocketSdkOptions, SocketSdkResult, SocketSdkSuccessResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesResponse, UploadManifestFilesReturnType, Vulnerability, } from './types';
+export type { ALERT_ACTION, ALERT_TYPE, Agent, ArtifactPatches, BatchPackageFetchResultType, BatchPackageStreamOptions, CompactSocketArtifact, CompactSocketArtifactAlert, CreateDependenciesSnapshotOptions, CustomResponseType, Entitlement, EntitlementsResponse, FileValidationCallback, FileValidationResult, GetOptions, GotOptions, HeadersRecord, MalwareCheckAlert, MalwareCheckPackage, MalwareCheckResult, MalwareCheckScore, PatchFile, PatchRecord, PatchViewResponse, TelemetryConfig, PostOrgTelemetryPayload, PostOrgTelemetryResponse, QueryParams, RequestInfo, RequestOptions, RequestOptionsWithHooks, ResponseInfo, SecurityAlert, SendMethod, SendOptions, SocketArtifact, SocketArtifactAlert, SocketArtifactWithExtras, SocketId, SocketMetricSchema, SocketSdkArrayElement, SocketSdkData, SocketSdkErrorResult, SocketSdkGenericResult, SocketSdkOperations, SocketSdkOptions, SocketSdkResult, SocketSdkSuccessResult, StreamOrgFullScanOptions, UploadManifestFilesError, UploadManifestFilesOptions, UploadManifestFilesResponse, UploadManifestFilesReturnType, Vulnerability, } from './types';
 export type { CreateFullScanOptions, DeleteRepositoryLabelResult, DeleteResult, FullScanItem, FullScanListData, FullScanListResult, FullScanResult, GetRepositoryOptions, ListFullScansOptions, ListRepositoriesOptions, OrganizationItem, OrganizationsResult, RepositoriesListData, RepositoriesListResult, RepositoryItem, RepositoryLabelItem, RepositoryLabelResult, RepositoryLabelsListData, RepositoryLabelsListResult, RepositoryListItem, RepositoryResult, StreamFullScanOptions, StrictErrorResult, StrictResult, } from './types-strict';
 export { createUserAgentFromPkgJson } from './user-agent';
-export { calculateWordSetSimilarity, filterRedundantCause, normalizeBaseUrl, promiseWithResolvers, queryToSearchParams, resolveAbsPaths, resolveBasePath, shouldOmitReason, };
-export { DEFAULT_USER_AGENT, httpAgentNames, publicPolicy };