March 20, 2023

Socket, a security firm, has created a new method for protecting developers from the flaws in npm, GitHub’s JavaScript package manager.

Npm’s registry is the world’s largest software registry, hosting software packages for the JavaScript ecosystem. However, malicious actors have increasingly targeted package registries like npm in supply chain attacks in recent years.

Over the years, those in charge of the npm registry have put in place various defenses, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). However, the tool’s implementation leaves something to be desired, and developers frequently disregard audit warning messages, especially when automated resolution fails.

Socket has developed a vulnerability scanning system that detects more issues than npm audit, including concerns about quality, maintenance, vulnerability, and license.

Socket’s scanner is now available as a command-line interface (CLI) that developers can install on their machines. Socket’s CLI has been updated with a safe npm command that protects developers when they use npm install or npm uninstall.

The average npm package has 79 transitive dependencies, according to Socket’s founder Feross Aboukhadijeh, so installing one is likely to bring dozens of additional packages along for the ride.

The safe npm command has expanded the capabilities of the Socket CLI. It is installed by running npm install -g @socketsecurity/cli, which adds a socket command to the PATH environmental variable, which specifies the location of executable programs.

The sources for this piece include an article in TheRegister.