Socket is designed to work without the need to analyze, upload, or share your source code.
The only data we collect from your repository is the package.json file and associated lockfiles such as yarn.lock, which we call the dependency snapshot.
We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.
To support mono-repos and projects that have multiple manifest files (e.g. package.json) located in nested folders (e.g. bar/package.json), Socket for GitHub requests read access to all code in the repository. We're currently working with GitHub to improve their permissions model so we can reduce the required permissions to just read access to a glob pattern like
Updated 8 months ago