v1.1.308

v1.1.308 — Batch Webhook Delivery & Empty Versions Fix

Features:

• Webhook batch delivery mode: accumulate events and flush as NDJSON
  when byte-size threshold (batch_size) or time period (batch_period) is reached
• New config: webhook.batch_enabled, webhook.batch_size, webhook.batch_period
• ignore_reason tracking in decision events (gated by save_ignore_reason)
• X-Socket-Ignore-Reason response header

Bug Fixes:

• Fix metadata filtering responses returning empty JSON objects ({}) instead of
  arrays ([]) when all versions of a package are blocked, causing uv and pip to
  fail with parse errors on PyPI and NuGet registries

v1.1.306

v1.1.306 - HEAD Request Fix & SemVer-Aware Metadata Filtering

Fixes:

• HEAD requests now forwarded directly to upstream in all modes (not just proxy mode)
• Download HEAD passthrough moved after block check so blocked packages still return 403

Improvements:

• Per-ecosystem version sorting before max_versions truncation (npm, PyPI, Maven, Go, Cargo, RubyGems, NuGet, Conda, OpenVSX)
• npm falls back to SemVer sort when time field is unavailable (pnpm abbreviated metadata)
• include_unchecked_versions now properly respected — unchecked versions only included when explicitly true
• Conda max_versions applied per-package rather than globally across all packages in repodata

Security:

• OpenResty base image updated to 1.29.2.4-alpine for CVE-2026-40200 and CVE-2026-6042 (no evidence of impact, updated proactively)

v1.1.303

v1.1.303: Fix SSL verification for upstream connections

• SSL verify (api_ssl_verify, upstream_ssl_verify) now defaults to true when ssl.ca_cert is configured
• Combined CA bundle is always created when any additional CA exists (custom CA or Redis CA)
• System CA fallback for lua_ssl_trusted_certificate when no bundle is configured
• Added proxy_ssl_verify + proxy_ssl_trusted_certificate for direct proxy_pass locations
• Fixes upstream/API connections not using customer-provided CA certificates

v1.1.301

Bug Fixes:

• Fixed npm metadata filtering not running when package name matches path prefix (e.g. 'npm' package on '/npm' route)
• Fixed tarball URL rewriting skipped for same package/prefix name collision
• Fixed NuGet metadata filtering for flatcontainer registration page paths
• Fixed HTTP 304 cache validation by properly setting ETag, Last-Modified, and X-Checksum headers on filtered responses
• Fixed npm 405 errors caused by URL encoding issues in path routing
• Fixed PyPI 302 redirects caused by unnormalized package names
• Fixed HEAD request passthrough for missing ecosystems

Improvements:

• Metadata filtering now prefers universal versions (no os/cpu restrictions) when rewriting dist-tags.latest, preventing EBADPLATFORM errors on platform-suffixed packages (e.g. @openai/codex)"

v1.1.290

Fix Artifactory 409 checksum conflicts on filtered metadata

• Compute and send correct X-Checksum-Sha1/Sha256/Md5 headers when
  metadata filtering modifies response bodies (all ecosystems)
• Resolves GEN_IF_ABSENT policy rejections when filtered content changes
  between fetches
• Add HEAD passthrough to Cargo, Go, NuGet, and OpenVSX proxy_default()
  for Artifactory cache validation requests

v1.1.289

Socket Firewall v1.1.289

Highlights:

• HTTP/2 server-side support (enabled by default on HTTPS)
• 15x faster PyPI metadata responses on warm cache
• NuGet V2/V3 reliability fixes for Artifactory middle-mode

NuGet:

• Fix V2 OData gzip decompression (nuget.org ignoring Accept-Encoding)
• Fix V2 XML URL rewriting for pagination, id, and xml:base elements
• Fix V2/V3 path_prefix handling in JSON URL rewriting
• Add /package/{id}/{version} V2 content download location
• Add publish passthrough support

PyPI:

• Fix streaming proxy read timeout (60s to 300s configurable)
• Fix metadata filtering cache miss on every request
• Fix qualifier-based bulk Redis cache (hash fragments, partial hits, purlError)
• Refactor to version-only PURLs with per-artifact expansion

Performance:

• HTTP/2 on HTTPS listeners (multiplexed client connections)
• Streaming proxy timeout split (connect/send/read)
• PyPI warm cache: ~30s to ~2s per metadata request

Metadata Filtering:

• Fix max_versions: 0 treated as "check zero" in 8 ecosystems
• Conda prefetch architecture selection (conda_prefetch_archs config)

Health Endpoint:

• Authenticated JSON response with versions, config, and routes
• New socket.health_api_token config option

Windows Config (PS1):

• Complete ecosystem location blocks for all 9 ecosystems
• Full Conda support added

Redis:

• Fix batching for bulk cache updates

v1.1.273

Full Changelog: v1.1.212...v1.1.273

v1.1.265

Improvements:

• Docker image optimization: Consolidated ~75 individual COPY instructions into a single directory COPY, reducing image layers.
• Removed 15 unused legacy .luac files from the build. Impacts Docker and Tar file

v1.1.263

Improvements:

• Conda prefetch reliability: Rewritten prefetch scheduling eliminates startup contention when multiple conda routes are configured. Routes are now processed sequentially in a single queue, preventing timeout failures during initial repodata fetch.
• Conda offline detection: Prefetch gracefully handles disabled or unreachable upstream repositories, skipping offline routes and retrying on the next refresh interval.
• PyPI per-artifact filtering: Metadata filtering now operates at the individual artifact level (sdist, wheel, etc.) rather than per-version, enabling more precise policy enforcement.
• Log truncation fix: Decision log entries exceeding nginx's log buffer are now split across continuation lines instead of being silently truncated. Configurable via SOCKET_LOG_MAX_BODY_SIZE (default: 3900, set to 0 to disable).
• Cooldown route generation: Cooldown routes are now only generated during auto-discovery when a matching external registry is explicitly configured. Prevents unnecessary routes for repos without a configured external registry to verify against.
• Auto-discovery virtual repo handling: VIRTUAL (Artifactory) and group (Nexus) repositories are now excluded from auto-discovery by default. Use include_virtual: true under private_registry to include them when needed.
• Removed vendor-specific filtering from auto-discovery in favor of the general external registry matching logic.

Bug Fixes:

• Fixed checksum 409 conflict errors across ecosystems.

v1.1.258

• Updates to conda prefetch behavior
• Updates to nuget v2 metadata filtering
• Moving to batched calls to the v1 telemetry endpoint