
feat: Rust rewrite with cross-compilation and npm distribution #30

Merged
mikolalysenko merged 10 commits into main from rust-rewrite on Mar 4, 2026

Conversation

@mikolalysenko (Contributor)

Summary

  • Rewrites the socket-patch CLI from TypeScript to Rust (crates/socket-patch-core + crates/socket-patch-cli) with 154 passing unit tests
  • Adds cross-compilation for 5 targets: darwin-arm64, darwin-x64, linux-x64 (musl), linux-arm64, win32-x64
  • Adds esbuild-style npm distribution via optionalDependencies platform packages — no TypeScript fallback, pure native binaries
  • Adds release.yml workflow (tag-triggered): builds all targets, creates GitHub Release, publishes to npm
  • Adds ci.yml workflow: cargo clippy + cargo test on PRs and pushes to main
  • Updates publish.yml to bump versions across Cargo.toml and npm packages, then push tag to trigger release pipeline
  • Adds scripts/version-sync.sh to keep versions in sync across all manifests

Test plan

  • cargo test --workspace passes all 154 tests
  • cargo clippy --workspace -- -D warnings is clean
  • cargo build --release produces working binary
  • scripts/version-sync.sh 1.3.0 updates all version fields consistently
  • All npm/*/package.json files have correct os/cpu fields
  • Push a test v* tag to verify the release workflow builds all 5 targets

🤖 Generated with Claude Code

- Add release.yml workflow triggered by v* tags: builds 5 targets
  (darwin-arm64, darwin-x64, linux-x64-musl, linux-arm64, win32-x64),
  creates GitHub Release, publishes npm platform packages
- Add ci.yml workflow for PRs/pushes: cargo clippy + cargo test
- Add npm/ directory with esbuild-style optionalDependencies pattern
  (root wrapper + 5 platform packages with os/cpu fields)
- Add scripts/version-sync.sh to propagate versions across Cargo.toml
  and all npm package.json files
- Update publish.yml to bump version, sync, and push tag to trigger
  release pipeline
- Add rust-toolchain.toml pinning stable channel
- Update .gitignore for Rust target/ and npm platform binaries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@socket-security-staging

socket-security-staging bot commented Mar 3, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | License policy violation: cargo linux-raw-sys

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (linux-raw-sys-0.12.1/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/tempfile@3.26.0 → cargo/linux-raw-sys@0.12.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/linux-raw-sys@0.12.1. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo rustix

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (rustix-1.1.4/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/tempfile@3.26.0 → cargo/rustix@1.1.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/rustix@1.1.4. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wasi

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wasi-0.11.1+wasi-snapshot-preview1/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/tokio@1.50.0 → cargo/wasi@0.11.1%2Bwasi-snapshot-preview1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/wasi@0.11.1%2Bwasi-snapshot-preview1. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo webpki-roots under CDLA-Permissive-2.0

License: CDLA-Permissive-2.0 - the applicable license policy does not allow this license (4) (webpki-roots-1.0.6/Cargo.toml)

License: CDLA-Permissive-2.0 - the applicable license policy does not allow this license (4) (webpki-roots-1.0.6/LICENSE)

From: ? → cargo/reqwest@0.12.28 → cargo/webpki-roots@1.0.6

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/webpki-roots@1.0.6. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen-core

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-core-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen-core@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/wit-bindgen-core@0.51.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen-rust-macro

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-rust-macro-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen-rust-macro@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/wit-bindgen-rust-macro@0.51.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen-rust

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-rust-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen-rust@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/wit-bindgen-rust@0.51.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore cargo/wit-bindgen@0.51.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@socket-security

socket-security bot commented Mar 3, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | License policy violation: cargo linux-raw-sys

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (linux-raw-sys-0.12.1/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/tempfile@3.26.0 → cargo/linux-raw-sys@0.12.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/linux-raw-sys@0.12.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo rustix

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (rustix-1.1.4/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/tempfile@3.26.0 → cargo/rustix@1.1.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rustix@1.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wasi

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wasi-0.11.1+wasi-snapshot-preview1/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/tokio@1.50.0 → cargo/wasi@0.11.1%2Bwasi-snapshot-preview1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/wasi@0.11.1%2Bwasi-snapshot-preview1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo webpki-roots under CDLA-Permissive-2.0

License: CDLA-Permissive-2.0 - the applicable license policy does not allow this license (4) (webpki-roots-1.0.6/Cargo.toml)

License: CDLA-Permissive-2.0 - the applicable license policy does not allow this license (4) (webpki-roots-1.0.6/LICENSE)

From: ? → cargo/reqwest@0.12.28 → cargo/webpki-roots@1.0.6

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-roots@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen-core

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-core-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen-core@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/wit-bindgen-core@0.51.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen-rust-macro

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-rust-macro-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen-rust-macro@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/wit-bindgen-rust-macro@0.51.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen-rust

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-rust-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen-rust@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/wit-bindgen-rust@0.51.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: cargo wit-bindgen

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (wit-bindgen-0.51.0/LICENSE-Apache-2.0_WITH_LLVM-exception)

From: ? → cargo/reqwest@0.12.28 → cargo/uuid@1.21.0 → cargo/tempfile@3.26.0 → cargo/wit-bindgen@0.51.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/wit-bindgen@0.51.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

mikolalysenko and others added 8 commits March 3, 2026 18:14
When dtolnay/rust-toolchain is pinned to a SHA instead of a branch
name, the toolchain version can't be inferred from the ref and must
be passed explicitly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ed binaries

Delete all TypeScript source, configs, and platform-specific npm packages.
The single @socketsecurity/socket-patch package now ships all 5 platform
binaries (~20MB total) instead of using optionalDependencies with 6 packages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Resolve runtime gaps on Windows: use find_python_command() to discover
python3/python/py, add USERPROFILE fallback for home dir, gate Unix-only
paths and add Windows Python install locations (APPDATA, LOCALAPPDATA,
Program Files), and add Windows uv tools path. CI now runs tests on both
ubuntu-latest and windows-latest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ests

Add crates.io publishing to release workflow, a one-line install script,
and README installation docs. Fix UTF-8 truncation bug in API client,
apply clippy suggestions (is_some_and, strip_prefix, div_ceil, derive
Default), and add comprehensive tests across API, package_json, and
blob_fetcher modules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use home_dir_string() helper (which checks USERPROFILE on Windows) in
the sanitize_error_message test instead of only checking HOME. Use
platform-appropriate venv directory layout in test_crawl_all_python.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The two tests (test_is_telemetry_disabled_default and
test_is_telemetry_disabled_when_set) mutated shared env vars and raced
when run in parallel on Windows CI. Merge them into a single test that
saves/restores the original values.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add full end-to-end tests that exercise the CLI against the public
Socket API:

- npm: minimist@1.2.2 patch (CVE-2021-44906, prototype pollution)
- PyPI: pydantic-ai@0.0.36 patch (CVE-2026-25580, SSRF)

Each test covers the complete lifecycle: get → list → rollback → apply
→ remove, plus a dry-run test per ecosystem. Tests are gated with
#[ignore] and run in CI via a dedicated e2e job on ubuntu and macos.

Also fixes a bug where patches with no beforeHash (new files added by a
patch) were silently dropped from the manifest. The apply and rollback
engines now handle empty beforeHash correctly:

- apply: creates new files, skips beforeHash verification
- rollback: deletes patch-created files instead of restoring from blob
- get: includes files in manifest even when beforeHash is absent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
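A minimal in-memory model of the apply, rollback and manifest handling the commit above describes, including the empty-beforeHash case for files a patch creates from scratch. This is an added example, not socket-patch's own code; the FNV-1a stand-in hash, the type and function names, and the sample file paths are assumptions made for the example.

```rust
// Added example (not socket-patch's own code): an in-memory model of the apply,
// rollback and manifest behaviour the commit describes, including files a patch
// creates from scratch (no beforeHash). The hash is a stand-in (FNV-1a 64) so the
// example needs no external crates; the hash the real tool uses is not given here.
use std::collections::HashMap;

/// One patch entry: target path, required hash of the original (None when the
/// patch creates the file) and the patched content.
pub struct PatchFile {
    pub path: String,
    pub before_hash: Option<String>,
    pub after: Vec<u8>,
}

/// In-memory stand-ins for the working tree and the blob store of originals.
pub type Tree = HashMap<String, Vec<u8>>;
pub type Blobs = HashMap<String, Vec<u8>>;

/// Stand-in content hash: FNV-1a 64 as hex (assumption made for this example).
pub fn content_hash(data: &[u8]) -> String {
    let h = data.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, b| {
        (h ^ u64::from(*b)).wrapping_mul(0x0100_0000_01b3)
    });
    format!("{h:016x}")
}

/// Pre-fix manifest: entries without a beforeHash were silently dropped.
pub fn manifest_before_fix(files: &[PatchFile]) -> Vec<String> {
    files.iter().filter(|f| f.before_hash.is_some()).map(|f| f.path.clone()).collect()
}

/// Fixed manifest: every file is listed, created ones included.
pub fn manifest(files: &[PatchFile]) -> Vec<String> {
    files.iter().map(|f| f.path.clone()).collect()
}

/// Apply: verify every existing file against its beforeHash before anything is
/// written, save originals to the blob store, then write the patched contents.
/// Files with no beforeHash are created and skip verification.
pub fn apply(tree: &mut Tree, blobs: &mut Blobs, files: &[PatchFile]) -> Result<(), String> {
    for f in files {
        if let Some(expected) = &f.before_hash {
            let cur = tree.get(&f.path).ok_or(format!("{}: file missing", f.path))?;
            if content_hash(cur) != *expected {
                return Err(format!("{}: beforeHash mismatch, refusing to patch", f.path));
            }
        }
    }
    for f in files {
        if let Some(h) = &f.before_hash {
            blobs.insert(h.clone(), tree[&f.path].clone()); // existence verified above
        }
        tree.insert(f.path.clone(), f.after.clone());
    }
    Ok(())
}

/// Rollback: restore originals from the blob store; a file the patch created has
/// no blob to restore from and is deleted instead.
pub fn rollback(tree: &mut Tree, blobs: &Blobs, files: &[PatchFile]) -> Result<(), String> {
    for f in files {
        if let Some(h) = &f.before_hash {
            let orig = blobs.get(h).ok_or(format!("{}: blob {h} missing", f.path))?;
            tree.insert(f.path.clone(), orig.clone());
        } else {
            tree.remove(&f.path);
        }
    }
    Ok(())
}

/// Constructed sample patch: "lib/index.js" is modified (beforeHash is the hash
/// of its original content) and "lib/fix.js" is newly created.
pub fn sample_patch() -> Vec<PatchFile> {
    let modified = PatchFile {
        path: "lib/index.js".into(),
        before_hash: Some(content_hash(b"module.exports = old;")),
        after: b"module.exports = patched;".to_vec(),
    };
    let created = PatchFile { path: "lib/fix.js".into(), before_hash: None, after: b"// added".to_vec() };
    vec![modified, created]
}
```

Verifying all beforeHash values before writing anything means a tampered working tree aborts the whole apply with the tree unchanged, rather than leaving it half-patched.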
Replace CRATES_IO_TOKEN secret with rust-lang/crates-io-auth-action,
which exchanges a GitHub OIDC token for a short-lived crates.io publish
token. This eliminates the need to manage long-lived API secrets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mikolalysenko mikolalysenko merged commit cc267a6 into main Mar 4, 2026
10 checks passed
@mikolalysenko mikolalysenko deleted the rust-rewrite branch March 4, 2026 18:08