socket npm & socket npx

package manager integration


Socket has integration with npm and npx in beta. During this beta, these integrations do not perform authentication against organizations, do not use socket.yml, and are limited to default issue sets. Windows support is limited to WSL for now.

These integrations act the same as npm and npx and do not take any command line flags of their own. Additionally, for tooling that needs to run them as a single binary, the aliases socket-npm and socket-npx are made available upon installation.

socket npm ...args

This will engage Socket's integration with npm in order to preempt any attempt to install packages. It uses the real resolution by npm in order to calculate the exact thing that will be installed on the machine running the command.

Why am I not seeing a prompt when using socket npm install foo?

We only prompt for accepting risk of installing packages if there is a package going to be installed that contains issues. Additionally, if you have already installed a package at a different version and it shares the same issue as the version you are installing, we do not prompt.

NOTE: In the beta you cannot configure what is considered to be an issue. Issues will always use our default issue set.
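The prompting rule above (prompt only for issues that are new relative to what is already installed, regardless of version) can be expressed as a set difference. The following is an added example written for this page, not Socket's own code: the package names, versions and issue types are constructed, and the `installed`/`incoming` shapes are assumptions made for the illustration.

```javascript
// Added example, not Socket's implementation. Issue types and package data are constructed.
//
// issuesByPackage: Map<name, Map<version, Set<issueType>>> as produced by a scan.
// installed:        { name: version } for packages already in node_modules.
// incoming:         { name: version } for what the resolved install would add.
//
// Returns Map<"name@version", issueType[]> of issues that warrant a prompt.
// An empty Map means no prompt is shown.
function newIssuesToPrompt(installed, incoming, issuesByPackage) {
  const toPrompt = new Map();
  for (const [name, version] of Object.entries(incoming)) {
    const versions = issuesByPackage.get(name) || new Map();
    const issues = versions.get(version) || new Set();
    if (issues.size === 0) continue; // clean package: never prompts

    // Issues already present on a previously installed version of the same
    // package (any version) were accepted earlier, so they do not prompt again.
    const prior = new Set();
    const installedVersion = installed[name];
    if (installedVersion !== undefined) {
      for (const t of versions.get(installedVersion) || []) prior.add(t);
    }

    const unseen = [...issues].filter((t) => !prior.has(t));
    if (unseen.length > 0) toPrompt.set(`${name}@${version}`, unseen);
  }
  return toPrompt;
}

function shouldPrompt(installed, incoming, issuesByPackage) {
  return newIssuesToPrompt(installed, incoming, issuesByPackage).size > 0;
}

// Constructed sample scan results (not real Socket output).
const sampleIssues = new Map([
  ['left-pad-ish', new Map([
    ['1.0.0', new Set(['installScripts'])],
    ['1.1.0', new Set(['installScripts'])],
    ['2.0.0', new Set(['installScripts', 'networkAccess'])],
  ])],
  ['tidy-util', new Map()],
]);

// Upgrading 1.0.0 -> 1.1.0 shares the same issue, so no prompt;
// 1.0.0 -> 2.0.0 introduces networkAccess, so a prompt is shown.
console.log(shouldPrompt({ 'left-pad-ish': '1.0.0' }, { 'left-pad-ish': '1.1.0' }, sampleIssues));
console.log(newIssuesToPrompt({ 'left-pad-ish': '1.0.0' }, { 'left-pad-ish': '2.0.0' }, sampleIssues));

module.exports = { newIssuesToPrompt, shouldPrompt, sampleIssues };
```

Note that the comparison is by issue type, not by version: a bump that keeps exactly the same issues is silent, which is the behaviour the FAQ describes and the reason a seemingly risky upgrade may not prompt.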

Why am I seeing alerts when using socket npm rm foo? OR Why am I seeing alerts for an unrelated package when using socket npm install foo?

One might think that removing a package means that it will only remove vulnerabilities, however this is not the case with package management.

npm normally creates what is called the ideal tree for a given package.json; by removing a package you might actually change what the ideal tree is! If foo depends on [email protected] it will constrain bar to be on 1.1.x, but a different dependency baz might depend on [email protected], which constrains bar to any version 1.x.x. If [email protected] exists it would become available as an upgrade only if bar is removed from the package.json!

Building this ideal tree also performs things like automatic updates when npm install is used in its default configuration. If a package bar exists in your package.json it will automatically be updated when a newer matching version is found, even if what is being installed is unrelated to bar in any way.

How can I use this without replacing all my code that uses npm?

socket npm will automatically detect whether it is in front of npm in the PATH variable, and if it is not it will prepend itself to the PATH to intercept commands. This means that if you use something like socket npm run script-with-npx it will already intercept npx without you needing to change your package.json.

For people wishing to avoid typing out socket npm, a shell alias like the following can be added to your .bashrc or .zshrc:

alias npm="socket-npm"
alias npx="socket-npx"

For zsh autocompletions you may wish to add the following as well.

compdef _npm socket-npm

For bash autocompletions you may wish to add the following as well.

$(complete -p npm | sed 's/npm$/socket-npm/')

How can I use this with npq?

npq is an alternative security tool that performs a different set of checks, provided by Snyk. npq does not run directly against a package manager; instead it runs another package manager after performing its own checks. You can set the environment variable NPQ_PKG_MGR=socket-npm and then run npq-hero in order to use both.

NOTE: because socket npm performs a full transitive scan and integrates with npm's own resolution, npq is expected to be faster, since it does less work.

socket npx ...args

This will engage Socket's integration with npx in order to preempt any attempt to install packages. It uses the real resolution by npx in order to calculate the exact thing that will be installed on the machine running the command.