Socket

Changelog

What's new at Socket?

August 7

Document Support for Crates, NuGet, and RubyGems Ecosystems

We’ve updated the SBOM export endpoints to officially document support for additional package ecosystems: NuGet (.NET), Crates (Rust), and RubyGems (Ruby). These ecosystems have been supported by the underlying system but were previously not listed in the API documentation.

August 6

Add Insights Panel on Dashboard Repositories Page

We’ve introduced a new Insights panel on the dashboard's Repositories page. This panel displays a count of repositories along with a time series chart to visualize trends.

The panel also supports filtering by repository labels, updating the analytics accordingly.

August 5

Improve Support for Dependencies in Maven POM <profiles> Sections

We’ve made improvements to support dependencies found within the <profiles> section of Maven POM files. This update is a step towards fully supporting Maven's conditional dependency management, which allows dependencies to change based on various conditions like the command line, environment variables, and platform.

August 5

Add Insights Panel on Dashboard Dependencies Page

We’ve added a new Insights panel on the dashboard's Dependencies page. This panel provides a count of both direct and transitive dependencies, along with a time series chart for visualizing trends.

Additionally, we’ve refactored some code to reuse components from the Alerts Insights panel and addressed edge cases such as loading states and missing data points.

August 4

Fix Maven BOM Tarball Processing to Enable File Explorer Support

We’ve fixed an issue where Maven BOM projects did not have a file explorer. The change ensures that Maven BOM tarballs are cooked earlier in the pipeline, enabling the file explorer to function correctly.

Additionally, we’ve adjusted isSourceCodeAvailable and isMetadataOnly to ensure that packages without source code but with metadata still support file exploration, particularly for Maven's POM files.

August 4

Improve Maven Property Inheritance

We’ve addressed an issue in Maven where some SBOMs could be empty due to missing package version properties. The fix unifies how and when property inheritance is computed, ensuring SBOMs are correctly populated.

This update also includes a debug utility to help understand how local dependencies are specified in customer tarballs.

August 1

Implement inputPurl Field on PURL Batch Endpoint

We’ve fixed the batch PURL endpoint to correctly track original input PURLs by introducing the inputPurl field, which replaces the broken batchIndex field. The batchIndex field is now deprecated but maintained for backward compatibility.

This change ensures accurate mapping of input-to-output PURLs, improving pipeline consistency and data integrity.

July 31

New: License Overlays for Custom License Management

You can now create license overlays in Socket to customize how license information appears in your dependency tree.

What you can do:

  • Modify license detection results on a per-package basis
  • Apply changes across versions with glob patterns (e.g., 1.*)
  • Edit license identifiers and author info for cleaner attribution files
  • Add context with overlay notes
  • View and manage overlays under Settings → Legal → License Overlays

This is especially useful for handling messy edge cases like nonstandard license fields, multi-license files, or embedded content that doesn’t apply to your use case.

Read the announcement to learn more and see examples.

July 31

Add RepoSwitcher to Dashboard for Improved Navigation

We’ve added a RepoSwitcher next to the OrgSwitcher in the dashboard, providing a global repository filter that improves navigation across all pages. Key changes include:

  • Global Repository Filter: Users can now select a repository from the new drop-down menu, which filters all pages—PR Stories, Repositories, Dependencies, Alerts, Scans, PRs, and Analytics—by the chosen repository.
  • Repositories Page Update: We’ve added two new columns, dependencies and scans. Clicking on a repository row now redirects users to the Alerts page, with the repository filter applied.
  • Alerts and Scans Tables: We’ve filtered both tables by the selected repository and removed unnecessary columns for a cleaner view.
  • Analytics Page: The Analytics page now reacts to the global repository filter, ensuring consistent data presentation across the dashboard.

This enhancement streamlines navigation and makes it easier to access filtered data throughout the dashboard.

July 31

Rust Support Now Available

Socket now supports the Rust and Cargo ecosystem, bringing supply chain protection to one of the fastest-growing developer communities.

What's New

  • Crate search for all users at socket.dev
  • Security scores, maintainer info, and dependency insights for Rust packages

Enterprise Features

  • Experimental SBOM generation for enterprise Rust projects (including full workspace support)
  • Upload Cargo.toml + Cargo.lock for accurate analysis
  • Detects malicious build scripts, unsafe patterns, FFI risks, and more
  • Currently limited to crates.io dependencies

To enable SBOM generation, contact our team. Read the full announcement for details and roadmap.
