docs(changelog): correct previous release reference to 2.2.88

lelia · lelia · commit f4d3489fc3a0 · 2026-05-18T19:15:12.000-04:00
v2.2.88 was tagged from PR #202 (bun.lock / bun.lockb / vlt-lock.json manifest support) while this branch was being prepared. The earlier in-flight 2.2.87 from PR #195 was never released; its three substantive fixes (timeout SDK propagation, --exclude-license-details propagation, APIFailure exit-handling) ship for the first time as part of 2.3.0. CHANGELOG.md changes: - Drop the never-released `## 2.2.87` section - Add a `## 2.2.88` section noting the bun/vlt lockfile addition - Fold the three PR #195 bullets into the 2.3.0 "Fixed" subsection so the substantive fixes are credited in the release notes that ship Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -47,6 +47,22 @@ Bundles eight Dependabot main-app upgrades (closes #175, #177, #181, #184, #188,
 #190, #198, #200) and three e2e fixture upgrades (closes #186, #187, #196).
 All target versions verified through Socket Firewall (`sfw`).
 
+### Fixed
+
+The following fixes were originally drafted on the unreleased 2.2.87 branch
+(PR #195) and are shipping for the first time as part of this release:
+
+- Diff scan API requests now honor `--timeout` end-to-end -- previously the CLI
+  timeout was only applied to the local `CliClient`, but the full-scan diff
+  comparison uses the Socket SDK instance, which was constructed without the
+  CLI timeout and kept defaulting to 1200s.
+- `--exclude-license-details` now propagates to the full-scan diff comparison
+  request as `include_license_details=false` (it was only being applied to
+  full-scan params / report URLs before).
+- Diff-comparison `APIFailure`s now propagate to the top-level CLI handler so
+  `--disable-blocking` is honored consistently across exit paths (previously
+  they hit `sys.exit(1)` inside core diff logic).
+
 ### CI / Internal
 
 - New `.github/dependabot.yml` with grouped weekly bumps and a 7-day cooldown;
@@ -58,6 +74,11 @@ All target versions verified through Socket Firewall (`sfw`).
 - `e2e-test` workflow skips on Dependabot PRs (which can't access secrets);
   Socket Firewall covers the supply-chain check.
 
+## 2.2.88
+
+- Added `bun.lock`, `bun.lockb`, and `vlt-lock.json` to the recognized manifest
+  files for Socket scanning (#202).
+
 ## 2.2.83
 
 - Fixed branch detection in detached-HEAD CI checkouts. When `git name-rev --name-only HEAD` returned an output with a suffix operator (e.g. `remotes/origin/master~1`, `master^0`), the `~N`/`^N` was previously passed through as the branch name and rejected by the Socket API as an invalid Git ref. The suffix is now stripped before the prefix split, producing the bare branch name.
