Socket develops tool to protect developers from npm vulnerabilities

Socket, a security firm, has created a new method for protecting developers from the flaws in npm, GitHub’s JavaScript package manager.

Npm’s registry is the world’s largest software registry, hosting software packages for the JavaScript ecosystem. However, malicious actors have increasingly targeted package registries like npm in supply chain attacks in recent years.

Over the years, those in charge of the npm registry have put in place various defenses, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). However, the tool’s implementation leaves something to be desired, and developers frequently disregard audit warning messages, especially when automated resolution fails.

Socket has developed a vulnerability scanning system that detects more issues than npm audit, including concerns about quality, maintenance, vulnerability, and license.

Socket’s scanner is now available as a command-line interface (CLI) that developers can install on their machines. Socket’s CLI has been updated with a safe npm command that protects developers when they use npm install or npm uninstall.

The average npm package has 79 transitive dependencies, according to Socket’s founder Feross Aboukhadijeh, so installing one is likely to bring dozens of additional packages along for the ride.

The safe npm command has expanded the capabilities of the Socket CLI. It is installed by running npm install -g @socketsecurity/cli, which adds a socket command to the PATH environmental variable, which specifies the location of executable programs.

The sources for this piece include an article in TheRegister.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web