Skip to content

[codex] Improve Socket score drivers#39

Merged
andrewkoltsov merged 3 commits into
masterfrom
codex/socket-score-hardening
Apr 1, 2026
Merged

[codex] Improve Socket score drivers#39
andrewkoltsov merged 3 commits into
masterfrom
codex/socket-score-hardening

Conversation

@andrewkoltsov

Copy link
Copy Markdown
Owner

Summary

This PR hardens the repository and published package against the Socket score drivers we can address from the codebase and release workflow.

Changes in this PR:

  • replace CLI dotenv usage with Node's built-in process.loadEnvFile() helper
  • replace cliui with an internal text renderer to reduce published runtime dependencies
  • add published-package verification after npm publish --provenance to fail releases that do not expose npm attestations/signatures
  • add .github/CODEOWNERS and maintainer continuity/release documentation
  • add targeted tests for env loading, text rendering, and published-package verification

Why

Socket's public scoring docs say supply-chain and maintenance scores are influenced by dependency counts, maintainer signals, and release metadata. The package already had provenance-enabled publishing and healthy CI, so the highest-value repo-side changes were:

  • reducing direct runtime dependencies without changing the CLI or SDK surface
  • verifying that trusted publishing actually yields attestations/signatures on the published package
  • making repository ownership metadata explicit

Impact

User-facing behavior stays the same at the SDK and CLI surface.

The only intended behavioral change is implementation-level:

  • CLI startup now uses Node's built-in .env loader
  • CLI text output is rendered by internal code instead of cliui

Validation

Ran:

  • npm run validate
  • npm pack --dry-run --json
  • npm ls --omit=dev --depth=2 --json
  • npm audit --json
  • node ./scripts/verify-published-package.mjs librus-sdk 0.3.2

Manual Follow-up

Not implemented in this PR:

  • add a second trusted GitHub/npm maintainer
  • after that, tighten master protection to require approvals and include CodeQL in required checks

@andrewkoltsov andrewkoltsov marked this pull request as ready for review April 1, 2026 13:17
@andrewkoltsov andrewkoltsov merged commit f6d37b5 into master Apr 1, 2026
7 checks passed
@andrewkoltsov andrewkoltsov deleted the codex/socket-score-hardening branch April 1, 2026 13:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant