June 16
For customers using Socket Firewall, it's now possible to export event logs to an external data source. To do so, click "Settings" -> "Data Export" -> "Create Integration" and choose "Telemetry events" as the data type.
June 16
Archived repositories can now be excluded from the main "Overview," "Alerts," and "Dependencies" pages, as well as from notifications (such as JIRA/Linear tickets, emails, and webhooks).
To opt into this feature, enable two settings:
Archived repositories are still visible in the "Repositories" page, and they are still accessible via the /repos API endpoint when include_archived is true. The archived boolean member on the response can be used to discern archived from non-archived repos.
June 11
The free plan's per-scan dependency limit has been raised from 1,000 to 10,000. When a scan exceeds the plan limit, Socket no longer posts a report based on incomplete results. It posts a clear notice explaining the limit was exceeded instead. Open source projects can contact us for a free Team account.
June 5
Package overview pages for Cargo, NuGet, Composer, and PyPI now show download counts when available. Labels reflect each registry’s download metric, including total downloads for Cargo, NuGet, and Composer, and weekly downloads for PyPI.
June 4
Go and PyPI package pages now show a warning banner for versions that have been retracted or yanked. When upstream provides a reason, Socket displays it directly in the banner so users can understand why that version should be avoided.
June 3
GitHub Actions and Packagist package pages now show package keywords when available. For GitHub Actions, this includes marketplace categories, giving users more package context directly on the package page.
June 3
OpenVEX exports now use the original scan time for VEX statement timestamps, rather than the document export time. This makes OpenVEX documents easier to compare reliably over time, while keeping the document-level timestamp tied to when the export was generated.
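Why statement timestamps matter for comparison: the diff below treats the document-level `timestamp` as export metadata and compares only the statements, whose timestamps carry the scan time. This is an added example with constructed OpenVEX documents (placeholder `@id`, author, vulnerability ids, purls and times), not Socket's export code or real Socket output.

```python
"""Compare two OpenVEX exports statement by statement, ignoring the
document-level export timestamp. Added example; the documents below are
constructed (placeholder ids, times and purls), not real Socket output."""
import json
from datetime import datetime, timezone

SCAN_TIME = "2025-06-01T10:00:00Z"        # constructed: when the scan ran
LATER_SCAN_TIME = "2025-06-15T10:00:00Z"  # constructed: a later re-scan


def make_export(export_time, statements):
    """Minimal OpenVEX document; @id and author are placeholders."""
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/placeholder",
        "author": "example-author",
        "timestamp": export_time,  # document-level: when the export was generated
        "version": 1,
        "statements": statements,
    }


# Statement timestamps carry the scan time, not the export time.
SCAN_STATEMENTS = [
    {
        "vulnerability": {"name": "CVE-0000-00001"},  # constructed placeholder id
        "timestamp": SCAN_TIME,
        "products": [{"@id": "pkg:npm/example-pkg@1.2.3"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_present",
    },
    {
        "vulnerability": {"name": "CVE-0000-00002"},  # constructed placeholder id
        "timestamp": SCAN_TIME,
        "products": [{"@id": "pkg:npm/example-pkg@1.2.3"}],
        "status": "affected",
    },
]
# The same scan exported twice, a week apart.
EXPORT_A = make_export("2025-06-02T08:00:00Z", SCAN_STATEMENTS)
EXPORT_B = make_export("2025-06-09T08:00:00Z", SCAN_STATEMENTS)
# A later scan in which the second finding was fixed.
EXPORT_C = make_export("2025-06-16T08:00:00Z", [
    SCAN_STATEMENTS[0],
    {**SCAN_STATEMENTS[1], "status": "fixed", "timestamp": LATER_SCAN_TIME},
])


def statement_key(stmt):
    """Identity of a statement: vulnerability name plus sorted product ids."""
    products = tuple(sorted(p["@id"] for p in stmt.get("products", [])))
    return (stmt["vulnerability"]["name"], products)


def statement_fingerprint(stmt):
    """Canonical JSON of the whole statement, its timestamp included."""
    return json.dumps(stmt, sort_keys=True)


def diff_statements(doc_a, doc_b):
    """(added, removed, changed) statement keys between two documents.
    The document-level 'timestamp' is deliberately not compared."""
    a = {statement_key(s): statement_fingerprint(s) for s in doc_a["statements"]}
    b = {statement_key(s): statement_fingerprint(s) for s in doc_b["statements"]}
    added = sorted(k for k in b if k not in a)
    removed = sorted(k for k in a if k not in b)
    changed = sorted(k for k in a.keys() & b.keys() if a[k] != b[k])
    return added, removed, changed


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def export_gap_days(doc_a, doc_b):
    """Days between the two document-level export timestamps."""
    return abs((_parse(doc_b["timestamp"]) - _parse(doc_a["timestamp"])).days)


def statements_use_scan_time(doc, scan_time):
    """True when every statement timestamp equals the given scan time."""
    return all(s.get("timestamp") == scan_time for s in doc["statements"])


if __name__ == "__main__":
    print(diff_statements(EXPORT_A, EXPORT_B))  # no changes, though exported 7 days apart
    print(export_gap_days(EXPORT_A, EXPORT_B))
    print(diff_statements(EXPORT_A, EXPORT_C))  # the fixed finding shows as changed
```

Because the statements of EXPORT_A and EXPORT_B are byte-identical once the export time is excluded, a pipeline can archive successive exports and alert only on statements whose status or scan time actually moved, as EXPORT_C shows.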
June 3
SBOM generation for Poetry projects now resolves root dependencies from pyproject.toml while using poetry.lock as the trusted source for pinned package versions. This improves direct, transitive, and dev dependency attribution, prevents duplicate versions from loose constraints, and recovers more transitive dependencies from Socket’s PyPI metadata when Poetry’s lockfile omits platform-specific edges.
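The attribution rule described above, as an added example that is not Socket's SBOM code: root dependencies are read from pyproject.toml (main dependencies plus every dependency group), every version comes from poetry.lock rather than from the loose pyproject constraint, and each locked package is labelled direct, transitive, dev or dev-transitive by walking the lock graph. A locked package that no root reaches is reported as unattributed, which is the symptom of a missing edge; the PyPI-metadata recovery the entry mentions is outside this example. Both input files are constructed, with illustrative names and versions.

```python
"""Attribute locked Poetry packages to direct / transitive / dev scope: roots
from pyproject.toml, pinned versions only from poetry.lock. Added example with
constructed inputs; not Socket's SBOM code, no PyPI-metadata recovery."""
import re
from collections import deque
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib

# Constructed sample inputs; names and versions are illustrative only.
PYPROJECT = """
[tool.poetry.dependencies]
python = "^3.11"
requests = "^2.31"
Rich_Text = {version = ">=1.0", optional = true}

[tool.poetry.group.dev.dependencies]
pytest = "^8.0"
"""
POETRY_LOCK = """
[[package]]
name = "requests"
version = "2.99.0"
[package.dependencies]
certifi = {version = ">=2017.4.17", markers = "python_version >= '3.8'"}

[[package]]
name = "certifi"
version = "2099.1.1"

[[package]]
name = "rich-text"
version = "1.5.0"

[[package]]
name = "pytest"
version = "8.9.9"
[package.dependencies]
pluggy = ">=1.5,<2"

[[package]]
name = "pluggy"
version = "1.9.9"

[[package]]
name = "orphaned-wheel"
version = "0.0.1"
"""

def normalize(name):
    """PEP 503 normalization so pyproject and lock spellings compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def load_roots(pyproject_text):
    """Root dependency names from pyproject.toml, split into main and dev."""
    poetry = tomllib.loads(pyproject_text)["tool"]["poetry"]
    main = {normalize(n) for n in poetry.get("dependencies", {}) if n != "python"}
    dev = {normalize(n) for n in poetry.get("dev-dependencies", {})}  # legacy key
    for group in poetry.get("group", {}).values():
        dev |= {normalize(n) for n in group.get("dependencies", {})}
    return main, dev

def load_lock(lock_text):
    """Pinned version and dependency edges for every package in poetry.lock."""
    versions, edges = {}, {}
    for pkg in tomllib.loads(lock_text).get("package", []):
        name = normalize(pkg["name"])
        versions[name] = pkg["version"]
        edges[name] = {normalize(d) for d in pkg.get("dependencies", {})}
    return versions, edges

def closure(roots, edges):
    """Lock packages reachable from roots; edges to unlocked names are ignored."""
    seen, queue = set(), deque(r for r in roots if r in edges)
    while queue:
        name = queue.popleft()
        if name not in seen:
            seen.add(name)
            queue.extend(d for d in edges.get(name, ()) if d in edges)
    return seen

def attribute(pyproject_text, lock_text):
    """Return ({name: (locked_version, scope)}, unresolved_roots)."""
    main_roots, dev_roots = load_roots(pyproject_text)
    versions, edges = load_lock(lock_text)
    main_closure = closure(main_roots, edges)
    dev_closure = closure(dev_roots, edges) - main_closure
    result = {}
    for name, version in versions.items():  # version is always the lock's pin
        if name in main_roots:
            scope = "direct"
        elif name in main_closure:
            scope = "transitive"
        elif name in dev_roots:
            scope = "dev"
        elif name in dev_closure:
            scope = "dev-transitive"
        else:
            scope = "unattributed"  # locked but unreachable: a missing edge
        result[name] = (version, scope)
    unresolved = sorted((main_roots | dev_roots) - set(versions))
    return result, unresolved

if __name__ == "__main__":
    for name, (version, scope) in attribute(PYPROJECT, POETRY_LOCK)[0].items():
        print(f"{name}=={version}  [{scope}]")
```

Taking the version from the lock is what prevents the same package appearing twice: the pyproject constraint `requests = "^2.31"` describes a range, while the lock pins exactly one release, so the SBOM entry is `requests==2.99.0` regardless of how loose the constraint is.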
June 2
Composer package pages now show additional package metadata, including non-default package types such as metapackage, composer-plugin, and project. Abandoned Composer packages now also display a warning with the suggested replacement package when Packagist provides one.
June 2
Composer package pages now show a Homepage link when project homepage metadata is available and differs from the repository URL. This makes it easier to get from a Composer package page to the project’s official site, documentation, or other maintained project resources.