What's new at Socket?

Package overview pages for Cargo, NuGet, Composer, and PyPI now show download counts when available. Labels reflect each registry’s download metric, including total downloads for Cargo, NuGet, and Composer, and weekly downloads for PyPI.

Go and PyPI package pages now show a warning banner for versions that have been retracted or yanked. When upstream provides a reason, Socket displays it directly in the banner so users can understand why that version should be avoided.

GitHub Actions and Packagist package pages now show package keywords when available. For GitHub Actions, this includes marketplace categories, giving users more package context directly on the package page.

OpenVEX exports now use the original scan time for VEX statement timestamps, rather than the document export time. This makes OpenVEX documents easier to compare reliably over time, while keeping the document-level timestamp tied to when the export was generated.

SBOM generation for Poetry projects now resolves root dependencies from pyproject.toml while using poetry.lock as the trusted source for pinned package versions. This improves direct, transitive, and dev dependency attribution, prevents duplicate versions from loose constraints, and recovers more transitive dependencies from Socket’s PyPI metadata when Poetry’s lockfile omits platform-specific edges.

Composer package pages now show additional package metadata, including non-default package types such as metapackage, composer-plugin, and project. Abandoned Composer packages now also display a warning with the suggested replacement package when Packagist provides one.

Composer package pages now show a Homepage link when project homepage metadata is available and differs from the repository URL. This makes it easier to get from a Composer package page to the project’s official site, documentation, or other maintained project resources.

OpenVSX package pages now show the extension publisher in the maintainers view and overview metadata. When repository data is available, package pages also link to the source repository and show related repository context.

OpenVSX package pages now show extension categories, VS Code version compatibility, and a homepage link when available. This gives users more of the marketplace context they would expect from the Open VSX registry directly on Socket package pages.

Chrome extension package pages now show a dedicated Users stat with the Chrome Web Store active-user count when available. This keeps user counts separate from download metrics and gives teams another signal for evaluating an extension’s popularity.