Security News
How Threat Actors are Abusing GitHub’s File Upload Feature to Host Malware
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Bret Comnes
Pelle Wessman
February 7, 2023
We are happy to announce version 2 of the socket.yml
configuration file format. The new format is available for immediate use; don't worry, existing version 1 configuration files will continue to work seamlessly.
If you create a new configuration file, you are encouraged to use version 2; if you have a version 1 configuration file, you are encouraged to migrate it over to version 2 next time you are modifying it or want to access settings not available in version 1.
In addition to the launch of socket.yml
version 2, the settings you specify in socket.yml
seamlessly overlay the organization settings we also launched recently.
When we launched version 1 of socket.yml
, the GitHub app was the only consumer of the settings contained within. As we began to roll out our CLI, we realized we wanted to offer a unified way to specify common settings in both the GitHub app and the CLI and any future integrations we might launch. While reconciling the needs of both integrations, we realized we wanted to make some changes to how settings were named and organized, and we ended up with socket.yml
version 2.
Everyone hates configuration migration busywork, the Socket team included, so we made sure you don't need to do it. Thats why we implemented version 2 to seamlessly work along side version 1. If you have a version 1 socket.yml
in place now, you don't need to touch it. It will continue to work.
If in the future you want to add a new setting only available in socket.yml
version 2, you will have to migrate to the new version. Luckily, it's very simple to do that, and we have a simple migration guide to help you do that step by step.
We've also published a library that manages the loading, parsing and validation of version 1 and version 2 socket.yml
files. If that sounds useful to something you are trying to do with socket, its available as a package (@socketsecurity/config
) and is open source on github.
It's built using JSONSchema and Ajv (one of the best schema based validation systems around) and is fully typed with compilation free typescript-in-js. It will automatically migrate configuration to the latest version during programmatic access. Pretty cool if you as me!
We hope you can try out this feature, and let us know how it works for you!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.