Releases: SocketDev/socket-registry-firewall
v2.0.4
Socket Firewall 2.0.4
The firewall now stays responsive when the Socket verdict service is slow or temporarily unavailable, so package installs don't stall waiting on it:
- Fast failover during API disruptions — if the verdict service becomes slow or unreachable, the firewall stops waiting on it for each request. Packages already checked continue to be served from cache immediately, and packages not yet checked apply your configured allow/deny policy right away instead of blocking for the full request timeout.
- Automatic recovery — the firewall re-checks the service in the background and resumes normal verdict lookups as soon as it's healthy again, backing off while it stays down.
- On by default — no configuration required; can be disabled per deployment if needed.
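The failover behaviour described above, as an added illustration and not code from socket-registry-firewall: a circuit breaker that serves already-checked packages from cache, applies the configured policy to unchecked ones while the verdict service is down, and probes again with exponential backoff. Recovery is probed on the first request after the backoff window rather than by a background task, and all names and thresholds are assumed.

```python
import time

# Added illustration, not socket-registry-firewall code: a circuit breaker that
# stops waiting on a failing verdict service, serves already-checked packages
# from cache, applies the configured allow/deny policy to unchecked ones, and
# retries with exponential backoff. Names and thresholds are assumed.


class VerdictClient:
    def __init__(self, lookup, default_policy="deny", failure_threshold=3,
                 base_backoff=1.0, max_backoff=60.0, clock=time.monotonic):
        self._lookup = lookup            # callable(package) -> "allow"/"deny"; raises on timeout
        self._default = default_policy   # configured policy for packages not yet checked
        self._threshold = failure_threshold
        self._base, self._max = base_backoff, max_backoff
        self._clock = clock
        self._cache = {}                 # package -> verdict from earlier successful checks
        self._failures = 0
        self._open_until = 0.0           # breaker is open (service assumed down) until then
        self._backoff = base_backoff

    def _open(self):
        self._open_until = self._clock() + self._backoff
        self._backoff = min(self._backoff * 2, self._max)   # back off while it stays down

    def verdict(self, package):
        """Return (verdict, source); source is 'api', 'cache' or 'policy'."""
        if package in self._cache:
            return self._cache[package], "cache"        # already checked: never waits
        if self._clock() < self._open_until:
            return self._default, "policy"              # down: decide immediately
        try:                                            # closed, or backoff elapsed: probe
            result = self._lookup(package)
        except Exception:
            self._failures += 1
            if self._failures >= self._threshold:
                self._open()
            return self._default, "policy"
        self._failures, self._backoff = 0, self._base   # healthy again: reset
        self._cache[package] = result
        return result, "api"
```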
v2.0.3
Socket Firewall 2.0.3
Large package artifacts now download reliably through the firewall across all supported ecosystems. Artifact downloads are streamed using chunked transfer encoding, which improves delivery of large files:
- Large artifacts download successfully on hosted platforms — big packages (such as large Python wheels over 32 MiB) now stream through cleanly in environments like Google Cloud Run that previously rejected them.
- Complete, uncorrupted downloads — large npm and PyPI artifacts are delivered in full, eliminating the intermittent truncation that could corrupt package extraction.
v2.0.2
v2.0.2 — Reliable cache reuse for large package indexes
Socket Firewall now makes better use of its decision cache when serving large package indexes, such as PyPI packages with tens of thousands of artifacts. Repeat requests for the same package are served from cache, and the Socket API is queried only for versions that are new or whose cached decision has expired. The result is faster responses and less redundant API traffic for frequently requested packages.
This release also improves stability when filtering metadata for very large packages under load, keeping background refreshes and event delivery running smoothly.
v2.0.1
v2.0.1 — Fix metadata filtering over HTTP/2
Fixed a bug where metadata filtering could forward an upstream Connection: keep-alive header that's illegal on HTTP/2, causing strict HTTP/2 clients (such as curl and Cloudflare) to reset the request with a PROTOCOL_ERROR and fail intermittently. The firewall now strips connection-specific headers on all metadata-filtering paths across every supported ecosystem; deployments not using metadata filtering or serving over HTTP/1.1 were unaffected.
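The header stripping this fix describes, as an added example rather than the firewall's own code: connection-specific headers (including any named in the Connection header, and TE with anything other than "trailers") are removed from an upstream header list before it is re-emitted to a client that may be speaking HTTP/2.

```python
# Added example, not socket-registry-firewall code: drop connection-specific
# (hop-by-hop) headers from an upstream response before forwarding it, since
# HTTP/2 (RFC 9113) forbids them and strict clients reset the stream.

# Headers that are always connection-specific (Proxy-Connection is legacy).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "upgrade"}


def strip_connection_headers(headers):
    """Return a new list of (name, value) pairs without connection-specific headers.

    Besides the fixed set, every header nominated in the Connection header's
    comma-separated list is removed too, as HTTP/1.1 semantics require.
    """
    nominated = set()
    for name, value in headers:
        if name.lower() == "connection":
            nominated.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | nominated
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in drop:
            continue
        # TE is permitted on HTTP/2 only with the single value "trailers".
        if lname == "te" and value.strip().lower() != "trailers":
            continue
        kept.append((name, value))
    return kept
```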
v2.0.0
v2.0.0 — Enable verified outbound connections by default
The firewall now sets api and upstream verify to true by default, matching security best practice and preventing potential man-in-the-middle attacks out of the box. This means that if your environment uses content proxies or similar intermediaries whose CA certificates have not been imported, existing functionality could break. Action may be required (breaking change): if your firewall connects to internal or private registries that use self-signed or privately issued certificates, you'll need to provide your certificate authority so it can be trusted, or turn off verification for those connections. Thanks to Alberto Garcia at Magic for reporting the issue.
v1.1.346
v1.1.346 — Stale cache revalidation without thundering herds
When cached Socket decisions passed their freshness window, concurrent requests for the same package could each call the Socket API again, causing duplicate traffic and latency spikes. The firewall now refreshes each stale package once while other requests continue serving the cached decision immediately on downloads and metadata filtering alike.
New optional cache: settings in socket.yml (defaults work for most deployments):
- revalidation_lock_lease_seconds — how long one caller holds the refresh lock (0 = automatic, API read timeout + 30s)
- revalidation_jitter_seconds — spreads stale transitions per package (default 120; 0 = disabled)
- revalidation_async — serve stale immediately and refresh in the background (default true; false = wait for API on each stale hit)
Also adds socket_cache_revalidation_lock_contention_total on /metrics and marks stale hits with "stale": true in SOCKET_DECISION events.
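The single-flight revalidation described in this release, as an added illustration and not the firewall's own code: one caller takes a time-limited refresh lease for a stale package while others keep serving the cached decision, with jitter on expiry and a contention counter like the one exported on /metrics. The setting names mirror the release notes; the class layout and defaults are assumed.

```python
import random
import threading
import time
# Added illustration, not socket-registry-firewall code: a decision cache that
# keeps serving a stale entry while exactly one caller refreshes it, so a burst
# of requests for one stale package yields one upstream lookup. Layout assumed.

class DecisionCache:
    def __init__(self, fetch, ttl_seconds, lock_lease_seconds=5,
                 jitter_seconds=0, async_refresh=True):
        self._fetch = fetch               # callable(package) -> decision (e.g. Socket API)
        self._ttl = ttl_seconds
        self._lease = lock_lease_seconds  # revalidation_lock_lease_seconds
        self._jitter = jitter_seconds     # revalidation_jitter_seconds
        self._async = async_refresh       # revalidation_async
        self._entries = {}                # package -> (decision, stale_at)
        self._leases = {}                 # package -> lease expiry while a refresh runs
        self._mutex = threading.Lock()
        self.lock_contention_total = 0    # what /metrics would export

    def _refresh(self, package):
        decision = self._fetch(package)
        # Jitter spreads stale transitions so packages don't all expire together.
        stale_at = time.monotonic() + self._ttl + random.uniform(0, self._jitter)
        with self._mutex:
            self._entries[package] = (decision, stale_at)
            self._leases.pop(package, None)   # release the refresh lock
        return decision

    def get(self, package):
        """Return (decision, served_stale) for a package."""
        now = time.monotonic()
        with self._mutex:
            entry = self._entries.get(package)
            if entry is not None and entry[1] > now:
                return entry[0], False            # fresh hit
            if self._leases.get(package, 0.0) > now:
                self.lock_contention_total += 1   # another caller holds the refresh lock
                holds_lock = False
            else:
                self._leases[package] = now + self._lease
                holds_lock = True
        if entry is None:   # a miss has nothing to serve stale, so it waits for a decision
            return (self._refresh(package) if holds_lock else self._fetch(package)), False
        if holds_lock and self._async:
            threading.Thread(target=self._refresh, args=(package,), daemon=True).start()
        elif holds_lock:
            return self._refresh(package), False   # revalidation_async: false
        return entry[0], True                      # stale hit while the refresh proceeds
```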
v1.1.345
v1.1.345: Fix PyPI wheel downloads for packages with build tags
PyPI wheels whose filenames include a PEP 427 build tag (for example, certain google-re2 builds) had their artifact identifier derived incorrectly, so Socket reported them as unscanned and the firewall blocked the download even when the package was healthy. The firewall now reads the build tag correctly, matching these wheels to their actual Socket scan results so they download normally. Standard wheels without a build tag are unaffected.
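A wheel filename parser that honours the optional PEP 427 build tag, added here as an example and not taken from the firewall's code; the sample filenames in the comments are constructed, not real artifacts.

```python
import re

# Added example, not socket-registry-firewall code: split a wheel filename per
# PEP 427 ({name}-{version}[-{build}]-{python}-{abi}-{platform}.whl) so that an
# optional build tag is not mistaken for part of the version or the tags.
_WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)"
    r"(?:-(?P<build>\d[^-]*))?"   # a build tag must start with a digit
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)


def parse_wheel_filename(filename):
    """Return the wheel's components as a dict; 'build' is None when absent.

    Constructed inputs, e.g. "pkg-1.0-1-cp311-cp311-linux_x86_64.whl" parses
    with build "1", while "pkg-1.0-py3-none-any.whl" parses with build None.
    """
    m = _WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a wheel filename: {filename}")
    return m.groupdict()
```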
v1.1.344
v1.1.344: Load balancing across clusters for path-routing deployments
Path-routing firewalls can now run across multiple clusters behind a load balancer. Two new path_routing options let the firewall answer to additional hostnames and control which host is written into rewritten package URLs, so downloads balance across clusters instead of pinning to the one that served the metadata.
- path_routing.allowed_domain (list, default empty) — additional hostnames the firewall answers to beyond domain; accepts exact names, wildcards (*.cluster.company.com), or a regex (~^.+$) catch-all.
- path_routing.use_incoming_domain (boolean, default false) — host written into rewritten package URLs; false uses the stable domain, true uses the incoming Host header (prior behavior).
v1.1.343
v1.1.343: Prometheus metrics endpoint, proxy authentication, and richer telemetry
Prometheus /metrics endpoint
The firewall now exposes a dedicated Prometheus /metrics endpoint on port 9145, served independently of deployment mode (path-routing or registry-per-host) so it can be scraped uniformly and ACL'd at the network layer. Alongside the existing counters, it adds latency histograms for Socket PURL checks (per ecosystem), upstream registry status-code counters grouped by class (2xx/4xx/5xx), telemetry queue-depth gauges, and telemetry circuit-breaker state — enabling p99 latency alerts and registry-incident detection without parsing logs.
Proxy Mode authentication
Forward Proxy Mode now enforces a required proxy-authorization credential when one is configured. Operators supply a Bearer or Basic credential via the environment; clients that omit or mismatch it receive a 407/403. Previously, enabling Proxy Mode could leave the proxy silently open even with a credential set.
Upstream duration on decision events
SOCKET_DECISION telemetry events now carry upstream_duration_ms, including on streaming tarball downloads, so slow installs can be correlated to a specific package without joining the decision event against the nginx access log.
Firewall counters surfaced via /health
The authenticated /health endpoint now includes a stats object exposing live firewall counters, letting operators read them without parsing logs. Fail-open events caused by an unvalidated firewall are now counted correctly — that path previously returned before incrementing its counter, leaving those fail-opens invisible.
Standardize firewall telemetry event type
All package decisions sent to Socket telemetry now use event_kind: "socket-action". Previously, only blocked packages were classified as actions; allowed and other decisions were labeled informative, causing inconsistent reporting in the Socket dashboard.
v1.1.336
v1.1.336: Fix OpenVSX extension scanning
Fixed a bug where OpenVSX extensions used an incorrect package identifier, causing Socket scans to miss them and extensions to be incorrectly blocked or treated as unscanned. VSIX downloads and metadata filtering now use the correct pkg:vscode format with the Open VSX source registry qualifier.