What's new at Socket?

You can now create license overlays in Socket to customize how license information appears in your dependency tree.

What you can do:

• Modify license detection results on a per-package basis
• Apply changes across versions with glob patterns (e.g., 1.*)
• Edit license identifiers and author info for cleaner attribution files
• Add context with overlay notes
• View and manage overlays under Settings → Legal → License Overlays

This is especially useful for handling messy edge cases like nonstandard license fields, multi-license files, or embedded content that doesn’t apply to your use case.

Read the announcement to learn more and see examples.

Socket now supports the Rust and Cargo ecosystem, bringing supply chain protection to one of the fastest-growing developer communities.

What's New

• Crate search for all users at socket.dev
• Security scores, maintainer info, and dependency insights for Rust packages

Enterprise Features

• Experimental SBOM generation for enterprise Rust projects (including full workspace support)
• Upload Cargo.toml + Cargo.lock for accurate analysis
• Detects malicious build scripts, unsafe patterns, FFI risks, and more
• Currently limited to crates.io dependencies

To enable SBOM generation, contact our team. Read the full announcement for details and roadmap.

The Socket GitHub app now triggers full scans and check runs for commits that land via GitHub Merge Queues, ensuring your default branch stays secure, no matter how code gets merged.

What’s new:

• Push event handler added to detect merge queue commits
• Commits are scanned immediately when merged to main, just like regular PR merges
• Security checks show up in the merge queue UI with results like Socket Security: Project Report

Permissions Update
To support this, the GitHub app now requires the “Merge queue” permission. New installs already have this; existing orgs will see a permission request to upgrade.

Socket now automatically flags unreachable CVEs using precomputed reachability analysis, with no setup required.

• Works from manifest files only (e.g., package-lock.json, requirements.txt)
• Flags up to 80% of vulnerabilities as irrelevant
• Instant results are are precomputed and cached for popular dependencies
• Supports JavaScript, Python, JVM, .NET, and Go (Ruby/Rust coming soon)
• New “CVE Reachability” section in alert modals + filter by reachability
• Unreachable CVEs now default to "monitor" action

It's available now for all Team and Enterprise users. Read the announcement for more details and check out the Reachability Analysis docs to see a full breakdown of features, tiers, and what's coming next on our roadmap.

We’ve fixed an issue where PURL-based dependency searches only returned results from a single repository, even when the same package existed across multiple repos.

• Searches using PURL filters now return results from all matching repositories
• Affected customers should now see complete organization-wide results
• No changes to the API response format, just more accurate and complete data

This improves visibility and ensures teams get full coverage when auditing package usage across multiple projects.

The Overview page now features a CVE Funnel Chart that helps you quickly focus on the most actionable vulnerabilities.

• Visualizes CVEs across four stages:
  1. Highest severity detected
  2. In-production dependencies
  3. Not unreachable
  4. Definitely reachable
• Click any stage to jump directly to filtered alerts

This update replaces the old scan bar chart and gives teams a clearer picture of real risk, not just raw counts.

Socket is expanding beyond open source packages to scan Chrome extensions for malware, risky permissions, and silent supply chain attacks.

We’re currently inviting organizations to join our pilot program for early access. Check out the announcement for details on how Socket identifies threats and monitors updates across 200,000+ extensions.

Socket MCP is now available as a Claude Desktop Extension, bringing secure dependency scanning directly into your coding conversations. With a single click, you can ensure that any code generated or dependencies recommended by Claude are safe from malicious packages and supply chain attacks.

Getting Started

1. Open Claude Desktop > Settings > Extensions > Browse Extensions.
2. Find Socket MCP and click Install.
3. Add your Socket API key.
4. Start checking packages by simply asking Claude, e.g., “Check the security of react.”

Check out the full announcement for details and examples.

Socket now supports Scala and Kotlin, extending JVM coverage beyond Java. Developers can now easily generate manifests with sbt or Gradle and run fast, AI-powered scans to catch malicious dependencies and other indicators of supply chain risk.

Read the announcement post or check out our Scala setup docs and Kotlin setup docs to get started.

You can now see the last 7 EPSS scores directly in the interface. A new popover provides a quick view of score history with improved rendering, including higher precision for fractional digits.