Product
Bret Comnes
Pelle Wessman
February 7, 2023
We are happy to announce version 2 of the socket.yml configuration file format. The new format is available for immediate use; don't worry, existing version 1 configuration files will continue to work seamlessly.
If you create a new configuration file, you are encouraged to use version 2; if you have a version 1 configuration file, you are encouraged to migrate it over to version 2 next time you are modifying it or want to access settings not available in version 1.
In addition to the launch of socket.yml version 2, the settings you specify in socket.yml seamlessly overlay the organization settings we also launched recently.
When we launched version 1 of socket.yml, the GitHub app was the only consumer of the settings contained within. As we began to roll out our CLI, we realized we wanted to offer a unified way to specify common settings in both the GitHub app and the CLI and any future integrations we might launch. While reconciling the needs of both integrations, we realized we wanted to make some changes to how settings were named and organized, and we ended up with socket.yml version 2.
Everyone hates configuration migration busywork, the Socket team included, so we made sure you don't need to do it. Thats why we implemented version 2 to seamlessly work along side version 1. If you have a version 1 socket.yml in place now, you don't need to touch it. It will continue to work.
If in the future you want to add a new setting only available in socket.yml version 2, you will have to migrate to the new version. Luckily, it's very simple to do that, and we have a simple migration guide to help you do that step by step.
We've also published a library that manages the loading, parsing and validation of version 1 and version 2 socket.yml files. If that sounds useful to something you are trying to do with socket, its available as a package (@socketsecurity/config) and is open source on github.
It's built using JSONSchema and Ajv (one of the best schema based validation systems around) and is fully typed with compilation free typescript-in-js. It will automatically migrate configuration to the latest version during programmatic access. Pretty cool if you as me!
We hope you can try out this feature, and let us know how it works for you!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
