safe-npm FAQ

How do I start using "safe npm"?

Install the Socket CLI by running npm install -g @socketsecurity/cli – that's it!

That command will add a socket binary to your PATH. Then, you can use socket npm install instead of npm install to benefit from Socket’s protections.

Just check that you're using version 0.5.1 or later to get the “safe npm” feature. You can verify the version you're using with socket --version.

How can I use this without replacing all my code that uses npm?

socket npm will automatically detect if it is in front of npm in the PATH variable, and if it is not it will prepend itself to the PATH to intercept commands. This means if you use something like socket npm run script-with-npx it will already intercept npx without you needing to change your package.json.

For people wishing to avoid typing out socket npm a shell alias like the following in your .bashrc or .zsh:

alias npm="socket-npm"  
alias npx="socket-npx"

For zsh autocompletions you may wish to add the following as well:

compdef \_npm socket-npm

For bash autocompletions you may wish to add the following as well:

$(complete -p npm | sed 's/npm$/socket-npm/')

Why do I see an alert when using socket npm uninstall foo?

You might think that removing a package could never cause a new package to be installed, but you'd be mistaken! It's possible for npm uninstall or npm rm to actually install new packages.

So, as counterintuitive as it might seem, you also need to be careful when running npm uninstall. Fortunately, Socket protects you in that situation if you use socket npm uninstall – so not to worry!

Wait, why would npm uninstall ever install new packages?

npm creates what is called the "ideal tree" for a given package.json. So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version.

For example, if foo depends on [[email protected]](mailto:[email protected]) it will constrain bar to be on 1.1.x but a different dependency baz might depend on [[email protected]](mailto:[email protected]) which constrains bar to any version 1.x.x. If [[email protected]](mailto:[email protected]) exists it would be available to use if foo is removed from the package.json!

This "ideal tree” step also performs automatic updates when using npm install in its default configuration. If a package bar exists in your package.json it will automatically be updated upon being found even if what you’re installing is unrelated to bar in any way.

Why am I seeing alerts for an unrelated package when using socket npm install foo?

Same reason as above.

When will you support yarn and pnpm?

Socket supports yarn and pnpm throughout the product. See our full list of supported language ecosystems and package managers for more information.

However, for this current release of "safe npm", we only support npm.

When will you support pip, poetry, etc.?

Socket supports Python. Specifically, Socket for GitHub already supports pip, poetry, and other popular Python package managers. You can read the announcement where we introduced Python support.

If you would like to see support for "safe pip" functionality, similar to "safe npm", please vote for this feature request here. With enough demand, we'd love to bring this feature to more ecosystems!

How is the wrapper implemented?

There were lots of interesting things we had to do in order to completely cover various situations in npm and avoid some escapes that would bypass our wrapper. When you alias the wrapper with alias npm="socket npm" it would have been buggy if we didn't guard against basic child process invocation. For example running npm run will invoke a child process that can remove that alias. To that end, we are doing some tricks to protect against this. More information can be found in our documentation.

If you'd like to get involved and contribute to the CLI, the codebase is online here: https://github.com/SocketDev/socket-cli-js