Slack Watchman - 4.6.0

Changed

• [High] Message and file workers now cache users.info and conversations.info lookups by ID for the lifetime of the worker, eliminating redundant API calls per match. Fixes #117
• [High] find_messages and find_files now use a bounded multiprocessing.Pool (capped at 8) instead of one Process per search string, preventing memory and file-descriptor usage from scaling with signature size. Fixes #113
• [High] Pool workers now construct their own SlackClient via _init_worker_client instead of unpickling the parent client, preserving connection pool and retry config across workers. Fixes #114
• [High] SlackClient.__init__ accepts new keyword-only session_token and cookie_dict parameters, used by pool workers to skip re-running _get_session_token on startup.
• [High] find_messages and find_files now share a single multiprocessing.Manager per call, replacing three per-call managers that leaked until GC. Fixes #116

Fixed

• [Critical] Worker exceptions (rate-limit exhaustion, malformed payloads, AttributeError) are now caught and reported via a shared errors list instead of silently killing the child process. Fixes #108
• [Critical] _multipro_message_worker no longer crashes on messages with no channel field (DMs, tombstoned messages, bot events). Fixes #109
• [Critical] _multipro_file_worker no longer crashes when a file's name or filetype is None (deleted/redacted/tombstoned states). Fixes #110
• [Critical] main() error handler no longer crashes with AttributeError when an exception is raised before init_logger runs; falls back to traceback.print_exc() when the logger is uninitialised. Fixes #111
• [High] SlackClient._make_request now honours the Retry-After header on 429s (falling back to 90s), loops back through _make_request for consecutive 429s, and raises after a configurable retry cap. Fixes #115
• [Medium] Canvas URLs are now built via _build_canvas_url(), which normalises the trailing slash on the workspace URL before concatenation. Fixes #126
• [Medium] after: query timeframes are now computed in UTC (time.gmtime) instead of local time, fixing off-by-one-day windows on CI/cloud hosts; refactored into a _compute_timeframe() helper. Fixes #125
• [Medium] find_auth_information return type widened to Dict[str, Any] | None to reflect the actual mixed-type payload. Fixes #124
• [Medium] find_auth_information now catches RequestException, JSONDecodeError, and AttributeError, returning None with a WARNING instead of aborting the scan on transient scrape failures. Fixes #123
• [Medium] find_messages and find_files now explicitly return [] on no-match and exception paths instead of implicit None. Fixes #118
• [Medium] _multipro_file_worker no longer appends a duplicate result per sig.file_types entry; replaced per-type loop with a single any() check. Fixes #119
• [Medium] Removed dead is_dataclass guard and unused dataclasses import from _resolve_file_user. Fixes #120
• [Medium] _multipro_message_worker now skips messages with no text instead of coercing None to the string 'None', preventing false positives on attachment-only and system messages. Fixes #122
• [Medium] _multipro_message_worker now compiles each pattern once per worker and reuses the Match object, eliminating per-message recompilation and a duplicate search call on the match path. Fixes #121
• [Low] cursor_api_search now updates cursor once per page after items are collected, fixing a potential infinite loop on empty pages with a non-empty next_cursor.
• [Low] OUTPUT_LOGGER annotation in __init__.py widened to StdoutLogger | JSONLogger.
• [Low] Added explicit parentheses to if everything or (not pii and not secrets): for readability; no behaviour change.

Slack Watchman - 4.5.0

Fixed

• Canvas results in StdoutLogger were rendered with the red USER colour scheme because msg_level was set to 'USER' instead of 'CANVAS'. Added a dedicated CANVAS style branch in log_to_stdout. Fixes #90
• Fixed AttributeError crash in StdoutLogger when logging file results with no resolved user. The user dict is now coerced via (message.get('user') or {}) before reading display_name/email. Fixes #91
• Removed pointless retry on log_to_stdout exception in StdoutLogger.log. The previous handler retried with identical arguments and could only fail the same way; replaced with a single contextual error message. Fixes #92 (thanks @SAY-5)
• A formatting failure inside StdoutLogger.log_to_stdout no longer terminates the process when debug mode is enabled. The sys.exit(1) call has been removed; the traceback is still printed in debug mode and the scan continues. Fixes #95
• JSONLogger no longer subclasses logging.Logger (the inheritance was unused — every emission already went through self.logger) and no longer stacks duplicate handlers when instantiated more than once. addHandler is now guarded so the process-wide singleton from logging.getLogger('Slack Watchman') keeps a single handler. Fixes #98
• JSONLogger.log now matches WORKSPACE_PROBE (the level the caller actually passes) instead of WORKSPACE_PROBE_INFORMATION. Probe results were silently falling through to the catch-all else branch and being emitted as CRITICAL with the wrong formatter. Fixes #99
• JSONLogger.log now has explicit WARNING, ERROR, and CRITICAL branches that call the matching self.logger.warning/error/critical method. Previously all three (and any unknown level) hit the catch-all else and were emitted as CRITICAL, so JSON output diverged from StdoutLogger and lost severity information. Fixes #100
• export_csv now returns a bool indicating whether the CSV was written, and its callers in __init__.py log a SUCCESS only on success and an ERROR on failure. Previously a write error was swallowed and the user saw a Users output to CSV file: ... success line for a file that was never written. Also corrected the channels CSV success message (it was incorrectly labelled Users output to CSV file). Fixes #102
• export_csv now guards against empty input. The previous dataclasses.asdict(export_data[0]) would raise IndexError, which was hidden by the bare except and reported only as a stray print line. Empty input now returns False without opening a file. Fixes #103

Removed

• Redundant f.close() call in export_csv after the with open(...) as f: block (the context manager already closes the file). Fixes #104

Changed

• Converted the notify_type cascade in StdoutLogger.log from a series of independent ifs to an elif chain, since the branches are mutually exclusive. Avoids unnecessary string comparisons on every log call. Fixes #94
• Hoisted the colourising regexes (_TYPE_COLORER, _HEADER_WORDS) in loggers.py to module-level constants instead of recompiling them on every log_to_stdout call. Fixes #96
• Replaced the 13 near-identical elif colour branches in StdoutLogger.log_to_stdout with a _LEVEL_STYLES dict lookup. Behaviour is unchanged for every existing level. Fixes #97
• Replaced the per-call handler.setFormatter mutation in JSONLogger.log with a single _JSONFormatter that builds the JSON envelope from record.msg and an extra-supplied log_level. Eliminates the eight *_format attributes, removes the not-thread-safe handler state swap, and keeps the JSON schema unchanged for every existing level. Fixes #101

Slack Watchman - 4.4.5

Changed

• Updated dependabot.yml to created PRs against develop branch instead of maaster
• Dependabot updates:
  • requests updated to 2.33.1
  • pygments updated to 2.20.0
  • pytest updated to 9.0.3

Slack Watchman - 4.4.4

Added

• Added GitHub Action to test release notes and version tag for GitHub releases

Changed

• Dependabot updates
  • requests updated to 2.33.0
• Update GitHub Actions that use Node.js 20 to the latest versions to support Node.js 24

Fixed

• Fixed broken link to Slack Cookie Authentication blog post in README (raised in [#82] by @emilstahl)

Slack Watchman - 4.4.3

Changed

• Dependabot updates
  • urllib3 updated to 2.6.0

Slack Watchman - 4.4.2

Added

• Added .github/dependabot.yml with configuration for Dependabot:
  • Use develop as target branch
  • Update both pyproject.toml and poetry.lock
• README updated to recommend using pipx for installation

Fixed

• Fixed issue with Poetry build arguments in Dockerfile, which was causing the build to fail.

Changed

• Modified signature download process to use requests instead of urllib, which is more robust and provides better SSL handling. This addresses the issue raised in #74
• Dependabot updates
  • urllib3 updated to 2.5.0
  • requests updated to 2.32.4

Slack Watchman - 4.4.1

Fixed

• Fixed a bug where an exception was raised when no suppressed signatures were passed. Fixes #66
• Fixed error when creating a Workspace object using the response from the Slack API. Validation was expecting a bool, but in some instances, a string was being returned. Fixes #68
• Fixed bug where the incorrect error message was being passed when environment variables were not set. Fixes #67

Slack Watchman - 4.4.0

Added

• Ability to disable signatures by their ID in the watchman.conf config file.
  • These signatures will not be used when running Slack Watchman
  • Signature IDs for each signature can be found in the Watchman Signatures repository
• App manifest JSON file for creating the Slack Watchman Slack application added in docs/app_manifest.json
• Pylint configuration and implement fixes and recommendations based on findings
  • Added Pylint checks in GitHub actions
• Additional tests added:
  • Unit tests for remaining non-model modules
  • Integration tests for slack_client.py

Fixed

• Bug where variables were not being imported from watchman.conf config file

Slack Watchman - 4.3.0

Changed

• Timestamps are now in UTC across all logging for consistency
• Refactor some commonly used functions into a utils module
• More general code cleanup and refactoring

Fixed

• Fixed a few bugs with models for User, Workspace and Messages not picking up all values

Added

• GitHub actions for Python tests and Docker build and run testing
• Implemented unit tests for models

Slack Watchman - 4.2.0

Added

• Added enumeration of conversations with populated Canvases attached. These can contain sensitive information, and are worth reviewing.
• Added join domain to unauthenticated probe. This is the link to use to sign into a Workspace if you have an email with one of the approved domains.