Security News
How Threat Actors are Abusing GitHub’s File Upload Feature to Host Malware
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
By Sarah Gooding - Apr 23, 2024
socket.yml v2 now available
We have a new configuration file format and library for working with it!
Bret Comnes
Pelle Wessman
February 7, 2023
We are happy to announce version 2 of the socket.yml configuration file format. The new format is available for immediate use; don't worry, existing version 1 configuration files will continue to work seamlessly.
If you create a new configuration file, you are encouraged to use version 2; if you have a version 1 configuration file, you are encouraged to migrate it over to version 2 next time you are modifying it or want to access settings not available in version 1.
In addition to the launch of socket.yml version 2, the settings you specify in socket.yml seamlessly overlay the organization settings we also launched recently.
Captain hindsight strikes again!#
When we launched version 1 of socket.yml, the GitHub app was the only consumer of the settings contained within. As we began to roll out our CLI, we realized we wanted to offer a unified way to specify common settings in both the GitHub app and the CLI and any future integrations we might launch. While reconciling the needs of both integrations, we realized we wanted to make some changes to how settings were named and organized, and we ended up with socket.yml version 2.
Not another config migration#
Everyone hates configuration migration busywork, the Socket team included, so we made sure you don't need to do it. Thats why we implemented version 2 to seamlessly work along side version 1. If you have a version 1 socket.yml in place now, you don't need to touch it. It will continue to work.
If in the future you want to add a new setting only available in socket.yml version 2, you will have to migrate to the new version. Luckily, it's very simple to do that, and we have a simple migration guide to help you do that step by step.
A new config version brings a library#
We've also published a library that manages the loading, parsing and validation of version 1 and version 2 socket.yml files. If that sounds useful to something you are trying to do with socket, its available as a package (@socketsecurity/config) and is open source on github.
It's built using JSONSchema and Ajv (one of the best schema based validation systems around) and is fully typed with compilation free typescript-in-js. It will automatically migrate configuration to the latest version during programmatic access. Pretty cool if you as me!
We hope you can try out this feature, and let us know how it works for you!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Related posts
Back to all posts
Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
By Sarah Gooding - Apr 19, 2024
Research
Security News
npm Package for ReExt React Components Library Exfiltrates Git Credentials
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
By Sarah Gooding, Socket Research Team - Apr 18, 2024