Install the Socket CLI by running `npm install -g @socketsecurity/cli` – that's it! That command adds a `socket` binary to your `PATH`. Then you can use `socket npm install` instead of `npm install` to benefit from Socket's protections. Just check that you're using version 0.5.1 or later to get the "safe npm" feature. You can verify the version you're using with
`socket npm` automatically detects whether it is in front of `npm` in the `PATH` variable, and if it is not, it prepends itself to the `PATH` so that it can intercept commands. This means that if you use something like `socket npm run script-with-npx`, it will already intercept `npx` as well, without you needing to change your scripts.
For people wishing to avoid typing out `socket npm`, you can define shell aliases like the following:

```
alias npm="socket-npm"
alias npx="socket-npx"
```

For zsh autocompletions you may wish to add the following as well:

```
compdef _npm socket-npm
```

For bash autocompletions you may wish to add the following as well (this copies npm's own completion spec, so npm's completion must already be loaded in that shell):

```
$(complete -p npm | sed 's/npm$/socket-npm/')
```
You might think that removing a package could never cause a new package to be installed, but you'd be mistaken! It's possible for `npm uninstall` or `npm rm` to actually install new packages. So, as counterintuitive as it might seem, you also need to be careful when running `npm uninstall`. Fortunately, Socket protects you in that situation if you use `socket npm uninstall` – so not to worry!
npm creates what is called the "ideal tree" for a given `package.json`, so removing a package can change what the ideal tree is. Removing a package may remove a constraint that was keeping another package on an older version, in which case npm may update that package to a more ideal (more recent) version. For example, suppose `foo` depends on a range of `bar` that constrains `bar` to 1.1.x, while a different dependency `baz` depends on a range of `bar` that allows any version. If a newer `bar` exists, it becomes available to use as soon as `foo` is removed from the `package.json`, and whatever that newer `bar` itself depends on is installed along with it, which is how an uninstall ends up adding packages.
This "ideal tree" step also performs automatic updates when you run `npm install` in its default configuration. If a package `bar` exists in your `package.json` and a newer version satisfying its range is available, it will be updated when npm rebuilds the tree, even if what you're installing is unrelated to `bar` in any way. (A `package-lock.json` that is still consistent with `package.json` keeps `bar` at its locked version instead.)
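To make both behaviours concrete, here is an added example in JavaScript that is not npm's or Socket's code: a toy resolver that models the ideal tree as "the highest registry version satisfying every range demanded of a package". The registry, the package names (`foo`, `baz`, `bar`, `qux`, `unrelated`), their ranges and the "currently installed" state are all constructed for the example; real npm also honours the lockfile, nests and dedupes packages and implements full semver, none of which is modelled here.

```javascript
// Added example, not npm's or Socket's code: a toy "ideal tree" resolver that
// shows (1) `npm uninstall foo` upgrading bar and pulling in a brand-new package,
// and (2) `npm install unrelated` updating bar although bar was not touched.

// Constructed registry: name -> version -> that version's dependencies (ranges).
const REGISTRY = {
  foo: { '1.0.0': { bar: '~1.1.0' } },                            // keeps bar on 1.1.x
  baz: { '1.0.0': { bar: '*' } },                                 // accepts any bar
  bar: { '1.1.0': {}, '1.1.3': {}, '2.0.0': { qux: '^1.0.0' } },  // bar@2 needs qux
  qux: { '1.0.0': {} },
  unrelated: { '1.0.0': {} },
};

const parse = v => v.split('.').map(Number);

// Compare two "major.minor.patch" strings; negative when a < b.
function compareVersions(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal range matcher: '*', exact '1.2.3', wildcard '1.1.x', '^' and '~'.
// Simplification: '^' means "same major" even for 0.x versions.
function satisfies(version, range) {
  if (range === '*') return true;
  const v = parse(version);
  if (range[0] === '^' || range[0] === '~') {
    const base = parse(range.slice(1));
    if (compareVersions(version, range.slice(1)) < 0) return false;
    return range[0] === '^' ? v[0] === base[0] : v[0] === base[0] && v[1] === base[1];
  }
  return range.split('.').every((p, i) => p === 'x' || p === '*' || Number(p) === v[i]);
}

// Ideal tree for a root dependency map: every package demanded by the root or by
// an already-chosen package gets the highest registry version that satisfies all
// ranges demanded of it. Iterates to a fixpoint because each chosen version adds
// demands on further packages. Installed state is deliberately NOT an input.
function idealTree(rootDeps) {
  let resolved = {};
  const key = t => JSON.stringify(Object.entries(t).sort());
  for (;;) {
    const demands = {};
    const demand = (name, range) => (demands[name] = demands[name] || []).push(range);
    for (const [name, range] of Object.entries(rootDeps)) demand(name, range);
    for (const [name, version] of Object.entries(resolved)) {
      for (const [dep, range] of Object.entries(REGISTRY[name][version])) demand(dep, range);
    }
    const next = {};
    for (const [name, ranges] of Object.entries(demands)) {
      const ok = Object.keys(REGISTRY[name] || {})
        .filter(v => ranges.every(r => satisfies(v, r)))
        .sort(compareVersions);
      if (ok.length === 0) throw new Error(`no version of ${name} satisfies ${ranges.join(', ')}`);
      next[name] = ok[ok.length - 1];
    }
    if (key(next) === key(resolved)) return next;
    resolved = next;
  }
}

// Summarise what moving from one tree to another would install, remove or change.
function diffTrees(before, after) {
  const out = { added: [], removed: [], changed: [] };
  for (const name of [...new Set([...Object.keys(before), ...Object.keys(after)])].sort()) {
    if (!(name in before)) out.added.push(`${name}@${after[name]}`);
    else if (!(name in after)) out.removed.push(`${name}@${before[name]}`);
    else if (before[name] !== after[name]) out.changed.push(`${name}: ${before[name]} -> ${after[name]}`);
  }
  return out;
}

// Scenario 1: uninstalling foo drops the ~1.1.0 constraint, bar jumps to 2.0.0,
// and bar@2.0.0 brings in qux, a package that was never installed before.
const withFoo = idealTree({ foo: '^1.0.0', baz: '^1.0.0' });
const withoutFoo = idealTree({ baz: '^1.0.0' });
console.log('npm uninstall foo ->', diffTrees(withFoo, withoutFoo));

// Scenario 2: node_modules currently holds bar@1.1.0 (constructed state); installing
// an unrelated package recomputes the tree from package.json alone, so bar moves too.
const installedNow = { ...withFoo, bar: '1.1.0' };
const afterUnrelated = idealTree({ foo: '^1.0.0', baz: '^1.0.0', unrelated: '^1.0.0' });
console.log('npm install unrelated ->', diffTrees(installedNow, afterUnrelated));
```

Run it with `node` and compare the two diffs: the uninstall reports `qux@1.0.0` as added and `bar` as changed, and the unrelated install reports `bar` moving from 1.1.0 to 1.1.3. This is why `socket npm` has to review the whole resulting tree rather than only the package named on the command line.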
Same reason as above.
pnpm throughout the product. See our full list of supported language ecosystems and package managers for more information.
However, for this current release of "safe npm", we only support
If you would like to see support for "safe pip" functionality, similar to "safe npm", please vote for this feature request here. With enough demand, we'd love to bring this feature to more ecosystems!
There were lots of interesting things we had to do in order to completely cover the various situations in `npm` and avoid escapes that would bypass our wrapper. When you alias the wrapper with `alias npm="socket npm"`, it would have been buggy if we didn't guard against basic child process invocation. For example, `npm run` invokes a child process, and a child process does not inherit that alias, so a script that calls `npm` or `npx` would reach the real binaries. To that end, we are doing some tricks to protect against this. More information can be found in our documentation.
If you'd like to get involved and contribute to the CLI, the codebase is online here: https://github.com/SocketDev/socket-cli-js