From f7236dade2b660a867bb3634412dc2452582425e Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Thu, 21 May 2026 02:18:56 -0700
Subject: [PATCH 1/4] test: failing regression for stale didYouMean props
---
 tests/unit/test_issues_did_you_mean_props.py | 28 ++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 tests/unit/test_issues_did_you_mean_props.py
diff --git a/tests/unit/test_issues_did_you_mean_props.py b/tests/unit/test_issues_did_you_mean_props.py
new file mode 100644
index 0000000..8657872
--- /dev/null
+++ b/tests/unit/test_issues_did_you_mean_props.py
@@ -0,0 +1,28 @@
+"""Contract test for the didYouMean alert-type class's props.
+
+The OpenAPI schema (`socket-sdk-js/openapi.json` around line 9298) declares
+that the API emits `didYouMean` alerts with ``props: { alternatePackage,
+detectedAt }``. The Python SDK previously declared four props
+(``alternatePackage``, ``downloads``, ``downloadsRatio``, ``editDistance``);
+the latter three are no longer in the API schema and were dead keys at
+runtime — and ``detectedAt`` was missing.
+
+Tracks CUS2-5. Sibling of CUS2-4.
+"""
+
+import unittest
+
+from socketdev.core.issues import didYouMean
+
+
+class TestDidYouMeanProps(unittest.TestCase):
+ def test_props_match_openapi_schema(self):
+ """API emits props { alternatePackage, detectedAt } (openapi.json:9298)."""
+ issue = didYouMean()
+ self.assertEqual(set(issue.props.keys()), {"alternatePackage", "detectedAt"})
+
+ def test_props_label_strings_are_non_empty(self):
+ """Every props key must have a non-empty human-readable label."""
+ issue = didYouMean()
+ for key, label in issue.props.items():
+ self.assertTrue(label, f"props[{key!r}] label should not be empty")
From 3fec08fac87891e38d9cb43379af004607332e36 Mon Sep 17 00:00:00 2001
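Review bot: `test_props_match_openapi_schema` hard-codes the expected key set rather than reading the schema it says it tracks, so it pins this fix but cannot catch the next drift in `openapi.json`, and its docstring anchors the contract to a line number (`openapi.json:9298`) that will go stale on the first unrelated schema edit. I would reword the docstring to name the entry instead, e.g. `"""Props must match the didYouMean alert's props in the Socket OpenAPI schema (alternatePackage, detectedAt)."""`, and make the same change to the module docstring's "around line 9298" phrase. Both tests also build `issue = didYouMean()` separately; a `setUp` that constructs it once would keep them in step if the constructor ever gains arguments.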
From: Eric Hibbs
Date: Thu, 21 May 2026 02:19:19 -0700
Subject: [PATCH 2/4] fix(issues): drop stale didYouMean props, add detectedAt
Resolves CUS2-5. The didYouMean class declared four props (alternatePackage, downloads, downloadsRatio, editDistance) but the current OpenAPI schema (socket-sdk-js/openapi.json:9298) only emits { alternatePackage, detectedAt }. The three stale keys were dead at runtime and detectedAt was missing a human-readable label entirely. Updated to match the schema.
---
 socketdev/core/issues.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/socketdev/core/issues.py b/socketdev/core/issues.py
index d712056..027ad98 100644
--- a/socketdev/core/issues.py
+++ b/socketdev/core/issues.py
@@ -463,7 +463,7 @@ class didYouMean:
 def __init__(self):
 self.description = "Package name is similar to other popular packages and may not be the package you want."
- self.props = {"alternatePackage": "Alternate package", "downloads": "Downloads", "downloadsRatio": "Download ratio", "editDistance": "Edit distance"}
+ self.props = {"alternatePackage": "Alternate package", "detectedAt": "Detected at"}
 self.suggestion = "Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages."
 self.title = "Possible typosquat attack"
 self.emoji = "\ud83e\uddd0"
From 3e2afce09da5b691b0389037a0e396668afa2ea9 Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Thu, 21 May 2026 12:37:58 -0700
Subject: [PATCH 3/4] chore(release): bump to 3.1.1 and sync pyproject.toml
Run via .hooks/sync_version.py after merging origin/main (now at 3.1.0 from lelia's purl PR). Keeps pyproject.toml and socketdev/version.py in lockstep, as flagged in code review.
---
 pyproject.toml | 2 +-
 socketdev/version.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 5bbc081..0fc8167 100644
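Review bot: Dropping `downloads`, `downloadsRatio` and `editDistance` from `self.props` removes keys from a public attribute, so any caller that indexes them (for example `issue.props["editDistance"]`) now gets a `KeyError`, and nothing in the hunk shows those keys are unreferenced elsewhere in the package — the commit message's claim that they were dead at runtime is worth confirming with a search of the repository before the 3.1.1 patch release ships this as a non-breaking change. Since the mapping now mirrors an external schema, I would add one line above the assignment: `# Keys mirror the didYouMean alert's props in the Socket OpenAPI schema (alternatePackage, detectedAt); keep in sync with it.` If `__init__` continues past `self.emoji`, that part is outside the hunk.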
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "socketdev"
-version = "3.1.0"
+version = "3.1.1"
 requires-python = ">= 3.9"
 dependencies = [
 'requests',
diff --git a/socketdev/version.py b/socketdev/version.py
index f5f41e5..d539d50 100644
--- a/socketdev/version.py
+++ b/socketdev/version.py
@@ -1 +1 @@
-__version__ = "3.1.0"
+__version__ = "3.1.1"
From 5e9d425be35c84a11ee4dcc1b67f29e1b4cbf1f4 Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Fri, 22 May 2026 14:48:36 -0700
Subject: [PATCH 4/4] chore: sync uv.lock to 3.1.1
---
 uv.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uv.lock b/uv.lock
index a863a5c..9c96b4d 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1343,7 +1343,7 @@ wheels = [
 [[package]]
 name = "socketdev"
-version = "3.1.0"
+version = "3.1.1"
 source = { editable = "." }
 dependencies = [
 { name = "requests" },