socket npm & socket npx
package manager integration
Socket has integration with npm
and npx
in beta. During this beta, these integrations do not perform authentication against organizations, do not use socket.yml
, and are limited to default issue sets. Windows support is limited to WSL for now.
These integrations act the same as npm
and npx
and do not use command line flags. Additionally, for some tooling that needs to run these as a single bin, aliases as socket-npm
and socket-npx
are made available upon installation.
socket npm [args...]
and socket npm [args...]
socket npm [args...]
and socket npm [args...]
Wraps npm
and npx
to integrate Socket and preempt installation of alerted packages using the builtin resolution of npm
to precisely determine package installations.
FAQ
Not seeing an alert with socket npm install foo
socket npm install foo
We only prompt for accepting the risk of installing packages for those that we alert on. Additionally, if you have already installed a package at a different version and it shares the same issue as the version you are installing, we do not prompt.
NOTE: In the beta you cannot configure what is considered to be an issue. Issues will always use our default issue set.
Seeing alerts with socket npm rm foo
OR Seeing alerts for an unrelated package with socket npm install foo
socket npm rm foo
OR Seeing alerts for an unrelated package with socket npm install foo
One might think that removing a package reduces vulnerabilities, however with package management this is not so straight forward.
npm
normally creates what is called the ideal tree for a given package.json
by removing a package you might actually change what the ideal tree is! If foo
depends on [email protected]
it will constrain bar
to be on 1.1.x
but a different dependency baz
might depend on on [email protected]
which constrains bar
to any version 1.x.x
. If [email protected]
exists it would be available only to upgrade if bar
is removed from the package.json
!
This ideal tree also performs things like automatic updates when using npm install
in its default configuration. If a package bar
exists in your package.json
it will automatically be updated upon being found even if what is being installed is unrelated to bar
in any way.
Aliasing as npm
or npx
npm
or npx
socket npm
will automatically detect if it is in front of npm
in the PATH
variable, and if it is not it will prepend itself to the PATH
to intercept commands. This means if you use something like socket npm run script-with-npx
it will already intercept npx
without you needing to change your package.json
.
For people wishing to avoid typing out socket npm
a shell alias like the following in your .bashrc
or .zsh
:
alias npm="socket-npm"
alias npx="socket-npx"
For zsh
autocompletions you may wish to add the following as well.
compdef _npm socket-npm
For bash
autocompletions you may wish to add the following as well.
$(complete -p npm | sed 's/npm$/socket-npm/')
Combining with npq
npq
npq, an alternative CLI to perform pre-install syntactic and CVE checks, does not directly integrate into a package manager for installation. You can configure the environment variable NPQ_PKG_MGR=socket-npm
and alias alias yarn="NPQ_PKG_MGR=yarn npq-hero"
to use both.
NOTE: Due to socket npm
doing a full transitive scan and integrating into npm
it is expected that npq
will be faster since it is doing less.
Updated about 1 month ago