Issue Categories

How package issues are categorized by Socket

Socket detects 60+ security red flags divided over the following set of categories:

Supply chain risk

SeverityDescription
CriticalPackage contains a critical supply chain risk that makes it unsuitable for use in most applications. This category is reserved for known malware, typosquats, HTTP dependencies, and other critical threats.
HighPackage contains a supply chain risk that makes it unsafe to use in most applications until a manual inspection has been performed to confirm that the package is safe.
MediumPackage contains a medium-risk supply chain security issue. Critical applications in areas such as finance, health, regulated industries, should manually inspect medium-risk issues.
LowPackage contains a low-risk supply chain security issue.

Quality

SeverityDescription
CriticalPackage has critical quality issues that make it unsuitable for use in all applications. Examples include an invalid package.json which fails to parse, or unresolved requires which import files that do not exist.
HighPackage contains a high-risk quality issue.
MediumPackage contains a medium-risk quality issue.
LowPackage contains a low-risk quality issue.

Maintenance

SeverityDescription
CriticalPackage has critical maintenance issues that make it unsuitable for use in all applications.
HighPackage contains a high-risk maintenance issue.
MediumPackage contains a medium-risk maintenance issue.
LowPackage contains a low-risk maintenance issue.

Vulnerability

SeverityDescription
CriticalPackage contains a critical CVE that makes it unsuitable for use in all applications. You should update to a fixed version immediately.
HighPackage contains a high-risk CVE. You should update to a fixed version as soon as reasonably possible.
MediumPackage contains a medium-risk CVE.
LowPackage contains a low-risk CVE.

License

SeverityDescription
CriticalPackage has a critical license issue that makes it unsuitable for use in most applications. Package should immediately be replaced with a different one to avoid significant legal risk.
HighPackage has a license issue that makes it a risk for use in most commercial applications. Package should be examined by a legal expert, or additional license metadata added to the package to make it safe for use.
MediumPackage contains a medium-risk license issue.
LowPackage contains a low-risk license issue.

What’s Next