chore(release): 2.2.93 with CHANGELOG backfill

lelia · lelia · commit 4663c2a68cf0 · 2026-05-29T17:15:36.000-04:00
Patch release. Scope is maintenance only: dependency bundle + Dependabot review hardening + housekeeping + CHANGELOG backfill. No behavior changes. Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix release landing separately. CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered 2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note). Version refs synced across pyproject.toml, socketsecurity/__init__.py, and uv.lock per the version-incrementation CI check. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,13 +1,117 @@
 # Changelog
 
+## 2.2.93
+
+### Dependencies
+
+Bundles twelve open Dependabot dependency PRs. Where Dependabot's target lagged the
+latest published release (it occasionally opens PRs a patch or two behind), we bumped
+to the current latest instead and re-verified through Socket Firewall:
+
+- Main-app `uv` deps (closes #175, #177, #181, #188, #190, #198, #200, #205, #210):
+  `urllib3 2.6.3 -> 2.7.0`, `gitpython 3.1.46 -> 3.1.50`, `python-dotenv 1.2.1 -> 1.2.2`,
+  `pytest 9.0.2 -> 9.0.3`, `uv 0.9.21 -> 0.11.17`, `cryptography 46.0.5 -> 46.0.7`,
+  `pygments 2.19.2 -> 2.20.0`, `requests 2.32.5 -> 2.33.0`, `idna 3.11 -> 3.15`.
+- E2E fixture manifests (closes #186, #187, #209):
+  `axios 1.15.0 -> 1.16.1` (simple-npm), `requests 2.31.0 -> 2.33.0` (simple-pypi),
+  `flask 3.0.0 -> 3.1.3` (simple-pypi).
+
+**`idna` 3.11 -> 3.15 is security-motivated**: pulls in the fix for **CVE-2026-45409**
+(a quadratic-time DoS vector via oversized inputs that bypassed the earlier
+CVE-2024-3651 mitigation). The remaining bumps are version-currentness hygiene.
+
+All twelve target versions were verified through Socket Firewall (`sfw`) on the
+full transitive dependency tree before bundling.
+
+### CI / Internal
+
+- **`.github/dependabot.yml`** (new -- the repo had no explicit config). Groups Python
+  minor/patch into ONE weekly PR plus a separate major-update PR. Groups GitHub Actions
+  similarly. 7-day cooldown across ecosystems. `tests/e2e/fixtures/**` intentionally
+  excluded (fixture pins should be chosen for the supply-chain signal they expose, not
+  auto-rolled). Pattern adapted from `SocketDev/socket-basics`.
+- **`.github/workflows/dependabot-review.yml`** (new). On every Dependabot PR: inspect
+  changed files, then conditionally run Socket Firewall (`sfw`) install smoke jobs
+  against the affected manifests. Because `sfw` uses the free, anonymous Socket
+  public-data path it needs NO API key, so this runs cleanly under the standard
+  `pull_request` context -- no `pull_request_target`, no token-leak surface.
+- **`python-tests.yml`** now runs a `uv lock --locked` drift check, a top-level import
+  smoke step (catches API-removal breaks from upgraded deps instantly), and `pip-audit`
+  against the locked dependencies.
+- **`e2e-test.yml`** now skips on Dependabot PRs (which don't have access to
+  `SOCKET_CLI_API_TOKEN`); the new `dependabot-review` workflow's `sfw` smoke jobs
+  cover the supply-chain check without needing the secret.
+
+### Housekeeping
+
+- `.gitignore` reorganized into labeled sections with sorted entries. Added `.context/`
+  (Conductor workspace scratch), `coverage.xml`, `.pytest_cache/`, and vim swap files
+  (`*.swp`, `*.swo`) for completeness. Dropped a stray `*.cpython-312.pyc\`` line that
+  had a literal-backtick typo (it wasn't matching anything, and `*.pyc` already covers
+  it).
+- Backfilled missing CHANGELOG entries for `2.2.81`, `2.2.85`, `2.2.86`, `2.2.88`,
+  `2.2.89`, `2.2.91`, and `2.2.92` (the previous backfill in #180 covered
+  `2.2.74`-`2.2.80`).
+
+## 2.2.92
+
+- Fixed dependency-overview rendering for unmapped alert types: alert types the SDK
+  has no metadata for now fall back to a humanized Title-Cased label (e.g.
+  `gptDidYouMean` -> "Possible typosquat attack (GPT)", `SQLInjection` -> "SQL
+  Injection") instead of surfacing the raw camelCase identifier.
+
+## 2.2.91
+
+- Added legal/compliance artifact presets (`--legal`) and FOSSA-compatible output
+  shapes (`--legal-format fossa`) for license and SBOM reporting.
+
 ## 2.2.90
 
 - Migrated license enrichment PURL lookup to the org-scoped endpoint (`POST /v0/orgs/{slug}/purl`) from the deprecated global endpoint (`POST /v0/purl`).
 
+## 2.2.89
+
+- Added `uv.lock` to the version-incrementation CI check so a `pyproject.toml` /
+  `__init__.py` version bump without a matching lockfile sync no longer slips through.
+- Updated the local Python pre-commit hook to keep `uv.lock` in sync with
+  `pyproject.toml` and `socketsecurity/__init__.py` version changes automatically.
+
+## 2.2.88
+
+- Added `bun.lock`, `bun.lockb`, and `vlt-lock.json` to the recognized manifest files
+  for Socket scanning, with matching unit-test coverage.
+
+## 2.2.86
+
+- Bumped `socketdev` to `>=3.0.33,<4.0.0` to pick up the SDK fix for unknown alert
+  categories (the SDK previously crashed while deserializing diff alerts when the API
+  returned a category like `"other"`).
+- Normalized diff artifacts with `score=None` to an empty score map in the CLI model
+  layer; PR-comment dependency-overview rendering no longer crashes on missing or
+  partial score data.
+- Defaulted missing badge values to a valid `100%` fallback rather than producing
+  invalid badge URLs.
+
+## 2.2.85
+
+- Added four hidden `--reach-continue-on-*` flags in preparation for Coana CLI v15:
+  `--reach-continue-on-analysis-errors`, `--reach-continue-on-install-errors`,
+  `--reach-continue-on-missing-lock-files`, `--reach-continue-on-no-source-files`.
+  Each forwards to the matching Coana flag and opts out of one of Coana v15's new
+  halt-by-default behaviors. No-op against today's default Coana version; will take
+  effect automatically once Coana v15 becomes the default.
+
 ## 2.2.83
 
 - Fixed branch detection in detached-HEAD CI checkouts. When `git name-rev --name-only HEAD` returned an output with a suffix operator (e.g. `remotes/origin/master~1`, `master^0`), the `~N`/`^N` was previously passed through as the branch name and rejected by the Socket API as an invalid Git ref. The suffix is now stripped before the prefix split, producing the bare branch name.
 
+## 2.2.81
+
+- Fixed GitLab security report schema compliance: corrected schema validation errors so
+  Socket-produced reports parse cleanly under GitLab's dependency-scanning ingestion.
+- Populated scan alert data in the GitLab security report so previously-empty alert
+  sections now carry the expected findings.
+
 ## 2.2.80
 
 - Hardened GitHub Actions workflows.
diff --git a/pyproject.toml b/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.92"
+version = "2.2.93"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [
diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py
@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.92'
+__version__ = '2.2.93'
 USER_AGENT = f'SocketPythonCLI/{__version__}'
