fix(releases): switch getLatestRelease to GraphQL for immutable releases

GitHub's REST /repos/:owner/:repo/releases endpoint excludes immutable releases (the default for releases created since GitHub introduced release immutability), returning an empty array even when the repo has dozens of published releases. socket-btm's recent releases (binject, iocraft, models, node-smol, …) are all immutable, so any caller using getLatestRelease for tool-prefix discovery saw 'No <prefix>- release found in latest 100 releases' and the downstream socket-cli build failed at download-assets.

Switch the listing query to the GraphQL endpoint (repository.releases connection), which includes immutable releases. The per-tag fetch in getReleaseAssetUrl stays on REST since /releases/tags/:tag works correctly for immutable releases. Tests updated with a wrapReleasesAsGraphQL helper that wraps the existing REST-shape fixtures, keeping the test data readable while exercising the new GraphQL parse path. All 40 release-github tests pass.

Author: jdalton

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.25.1",
+  "version": "5.25.2",
   "packageManager": "pnpm@11.0.0-rc.5",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",

src/releases/github.ts

@@ -572,11 +572,34 @@ export async function getLatestRelease(
   return (
     (await pRetry(
       async () => {
-        // Fetch recent releases (100 should cover all tool releases).
+        // List releases via GraphQL. GitHub's REST endpoint
+        // `/repos/:owner/:repo/releases` excludes immutable releases
+        // (the default for releases created since GitHub introduced
+        // release immutability), returning an empty array even when
+        // the repo has dozens of published releases. GraphQL's
+        // `repository.releases` connection includes immutable releases
+        // and is the canonical replacement. Per-tag fetches via
+        // `/repos/:owner/:repo/releases/tags/:tag` still work for
+        // immutable releases, so `getReleaseAssetUrl` stays on REST.
         const response = await httpRequest(
-          `https://api.github.com/repos/${owner}/${repo}/releases?per_page=100`,
+          'https://api.github.com/graphql',
           {
-            headers: getAuthHeaders(),
+            body: JSON.stringify({
+              query: `query($owner: String!, $repo: String!) {
+                repository(owner: $owner, name: $repo) {
+                  releases(first: 100, orderBy: {field: CREATED_AT, direction: DESC}) {
+                    nodes {
+                      tagName
+                      publishedAt
+                      releaseAssets(first: 100) { nodes { name } }
+                    }
+                  }
+                }
+              }`,
+              variables: { owner, repo },
+            }),
+            headers: { ...getAuthHeaders(), 'Content-Type': 'application/json' },
+            method: 'POST',
           },
         )
 
@@ -590,10 +613,35 @@ export async function getLatestRelease(
           assets: Array<{ name: string }>
         }>
         try {
-          releases = JSON.parse(response.body.toString('utf8'))
+          const parsed = JSON.parse(response.body.toString('utf8')) as {
+            data?: {
+              repository?: {
+                releases?: {
+                  nodes?: Array<{
+                    tagName: string
+                    publishedAt: string
+                    releaseAssets?: { nodes?: Array<{ name: string }> }
+                  }>
+                }
+              }
+            }
+            errors?: Array<{ message: string }>
+          }
+          if (parsed.errors?.length) {
+            throw new Error(
+              `GraphQL error: ${parsed.errors.map(e => e.message).join('; ')}`,
+            )
+          }
+          releases = (parsed.data?.repository?.releases?.nodes ?? []).map(
+            n => ({
+              tag_name: n.tagName,
+              published_at: n.publishedAt,
+              assets: n.releaseAssets?.nodes ?? [],
+            }),
+          )
         } catch (cause) {
           throw new Error(
-            `Failed to parse GitHub releases response from https://api.github.com/repos/${owner}/${repo}/releases`,
+            `Failed to parse GitHub GraphQL response for ${owner}/${repo} releases`,
             { cause },
           )
         }

test/unit/releases-github.test.mts

@@ -36,6 +36,37 @@ vi.mock('../../src/http-request')
  * @param status - HTTP status code
  * @returns Complete mock HttpResponse object
  */
+/**
+ * Wrap a REST-shape releases array as a GraphQL response. Mirrors the
+ * exact shape `getLatestRelease` parses (data.repository.releases.nodes
+ * with tagName/publishedAt/releaseAssets.nodes), so existing test
+ * fixtures that read like REST `[{tag_name, published_at, assets}]`
+ * stay readable while the implementation queries GraphQL.
+ */
+function wrapReleasesAsGraphQL(
+  releases: Array<{
+    tag_name: string
+    published_at?: string
+    assets?: Array<{ name: string }>
+  }>,
+): Buffer {
+  return Buffer.from(
+    JSON.stringify({
+      data: {
+        repository: {
+          releases: {
+            nodes: releases.map(r => ({
+              tagName: r.tag_name,
+              publishedAt: r.published_at ?? '2026-01-01T00:00:00Z',
+              releaseAssets: { nodes: r.assets ?? [] },
+            })),
+          },
+        },
+      },
+    }),
+  )
+}
+
 function createMockHttpResponse(
   body: Buffer,
   ok: boolean,
@@ -253,11 +284,7 @@ describe('releases/github', () => {
 
     beforeEach(() => {
       vi.mocked(httpRequest).mockResolvedValue(
-        createMockHttpResponse(
-          Buffer.from(JSON.stringify(mockReleases)),
-          true,
-          200,
-        ),
+        createMockHttpResponse(wrapReleasesAsGraphQL(mockReleases), true, 200),
       )
     })
 
@@ -333,7 +360,7 @@ describe('releases/github', () => {
 
       vi.mocked(httpRequest).mockResolvedValue(
         createMockHttpResponse(
-          Buffer.from(JSON.stringify(releasesOutOfOrder)),
+          wrapReleasesAsGraphQL(releasesOutOfOrder),
           true,
           200,
         ),
@@ -368,7 +395,7 @@ describe('releases/github', () => {
       ]
 
       vi.mocked(httpRequest).mockResolvedValue(
-        createMockHttpResponse(Buffer.from(JSON.stringify(sameDay)), true, 200),
+        createMockHttpResponse(wrapReleasesAsGraphQL(sameDay), true, 200),
       )
 
       const tag = await getLatestRelease('yoga-layout-', SOCKET_BTM_REPO, {
@@ -400,7 +427,7 @@ describe('releases/github', () => {
 
       vi.mocked(httpRequest).mockResolvedValue(
         createMockHttpResponse(
-          Buffer.from(JSON.stringify(releasesNewestFirst)),
+          wrapReleasesAsGraphQL(releasesNewestFirst),
           true,
           200,
         ),
@@ -435,7 +462,7 @@ describe('releases/github', () => {
 
       vi.mocked(httpRequest).mockResolvedValue(
         createMockHttpResponse(
-          Buffer.from(JSON.stringify(releasesWithAssets)),
+          wrapReleasesAsGraphQL(releasesWithAssets),
           true,
           200,
         ),
@@ -467,7 +494,7 @@ describe('releases/github', () => {
 
       vi.mocked(httpRequest).mockResolvedValue(
         createMockHttpResponse(
-          Buffer.from(JSON.stringify(releasesWithEmpty)),
+          wrapReleasesAsGraphQL(releasesWithEmpty),
           true,
           200,
         ),
@@ -497,11 +524,7 @@ describe('releases/github', () => {
       ]
 
       vi.mocked(httpRequest).mockResolvedValue(
-        createMockHttpResponse(
-          Buffer.from(JSON.stringify(allEmpty)),
-          true,
-          200,
-        ),
+        createMockHttpResponse(wrapReleasesAsGraphQL(allEmpty), true, 200),
       )
 
       const tag = await getLatestRelease('binject-', SOCKET_BTM_REPO, {
@@ -534,7 +557,7 @@ describe('releases/github', () => {
 
       vi.mocked(httpRequest).mockResolvedValue(
         createMockHttpResponse(
-          Buffer.from(JSON.stringify(mixedReleases)),
+          wrapReleasesAsGraphQL(mixedReleases),
           true,
           200,
         ),