socket npm & socket npx
package manager integration
Socket's integration with npm and npx is in beta. During this beta, these integrations do not authenticate against a Socket organization, do not read socket.yml, and are limited to the default issue set. Windows support is limited to WSL for now.
These integrations accept exactly the same arguments as npm and npx and add no command line flags of their own. Additionally, for tooling that needs to invoke them as a single binary, the aliases socket-npm and socket-npx are made available upon installation.
socket npm ...args
This engages Socket's integration with npm to intercept any attempt to install packages. It uses npm's real dependency resolution to calculate exactly what would be installed on the machine running the command, including transitive dependencies.
Why am I not seeing a prompt when using socket npm install foo?
Socket only prompts you to accept the risk when a package about to be installed carries an issue. It also stays silent when a different version of that package is already installed and shares the same issue as the version being installed, since that risk is already present on the machine.
NOTE: In the beta you cannot configure what is considered an issue. Issues always use our default issue set.
Why am I seeing alerts when using socket npm rm foo? OR Why am I seeing alerts for an unrelated package when using socket npm install foo?
One might expect that removing a package can only remove vulnerabilities, but that is not how package management works.
npm normally computes what it calls the ideal tree for a given package.json, and removing a package can change what that ideal tree is! If foo depends on bar@1.1.x, it constrains bar to the 1.1.x line, but a different dependency baz might depend on bar@1.x.x, which only constrains bar to some 1.x.x version. If a 1.x release of bar newer than the 1.1.x line exists, it becomes available as an upgrade only once foo, and with it the 1.1.x constraint, is removed from the package.json! That upgraded bar is a newly installed package, so Socket scans it and alerts on any issues it finds.
The ideal tree computation also performs automatic updates when npm install runs in its default configuration. If a package bar already exists in your package.json, it is updated to the newest version that still satisfies its range whenever npm re-resolves the tree, even if the package you are installing is unrelated to bar in any way.
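To make the effect concrete, here is an added example, not npm's or Socket's code, that reimplements a toy version of the ideal-tree calculation over a constructed registry snapshot. It supports only exact versions and npm-style x-ranges such as 1.1.x, and it picks a single version per package, unlike npm, which can nest conflicting versions. The package names foo, bar and baz, the version numbers and the helper names are assumptions; the point it shows is that dropping foo's constraint moves bar to a version that was never installed before, which is exactly what socket npm then scans.

```javascript
// Added example: a toy "ideal tree" resolver, not npm's or Socket's code.
// REGISTRY is a constructed snapshot: package -> version -> dependency ranges.
const REGISTRY = {
  foo: { '1.0.0': { bar: '1.1.x' } },          // pins bar to the 1.1 line
  baz: { '1.0.0': { bar: '1.x.x' } },          // accepts any 1.x release of bar
  bar: { '1.1.0': {}, '1.1.4': {}, '1.2.0': {} },
};

// Numeric comparison of dotted versions (no prerelease handling; constructed data is plain).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Supports exact versions and npm x-ranges such as 1.1.x, 1.x.x or x.
function satisfies(version, range) {
  const want = range.split('.');
  const have = version.split('.');
  for (let i = 0; i < 3; i++) {
    const w = want[i] === undefined ? 'x' : want[i];
    if (w === 'x' || w === 'X' || w === '*') continue;
    if (w !== have[i]) return false;
  }
  return true;
}

// Highest published version of `name` that satisfies every range, or null.
function highestSatisfying(name, ranges) {
  const versions = Object.keys(REGISTRY[name] || {}).sort(compareVersions).reverse();
  return versions.find(v => ranges.every(r => satisfies(v, r))) || null;
}

// Resolve the tree for the direct dependencies in package.json. Each picked version adds
// its own constraints, so iterate until the set of picked versions stops changing.
function idealTree(rootDeps) {
  let picked = {};
  for (let round = 0; round < 20; round++) {
    const constraints = {};
    const add = (n, r) => (constraints[n] || (constraints[n] = [])).push(r);
    for (const [n, r] of Object.entries(rootDeps)) add(n, r);
    for (const [n, v] of Object.entries(picked)) {
      for (const [dn, dr] of Object.entries(REGISTRY[n][v])) add(dn, dr);
    }
    const next = {};
    for (const [n, rs] of Object.entries(constraints)) {
      const v = highestSatisfying(n, rs);
      if (!v) throw new Error(`no version of ${n} satisfies ${rs.join(', ')}`);
      next[n] = v;
    }
    if (JSON.stringify(next) === JSON.stringify(picked)) return picked; // fixpoint reached
    picked = next;
  }
  throw new Error('resolution did not converge');
}

// Packages that would be newly installed going from one tree to another: these are
// the ones a socket npm run scans and may alert on, even if you only removed something.
function changedPackages(before, after) {
  return Object.entries(after)
    .filter(([n, v]) => before[n] !== v)
    .map(([n, v]) => `${n}@${v}`);
}

const withFoo = idealTree({ foo: '1.0.0', baz: '1.0.0' });
const withoutFoo = idealTree({ baz: '1.0.0' });    // what `npm rm foo` leaves behind
console.log(withFoo);                              // bar resolves to 1.1.4
console.log(withoutFoo);                           // bar is now free to move to 1.2.0
console.log(changedPackages(withFoo, withoutFoo)); // [ 'bar@1.2.0' ]
```

Run it with node. The removal of foo yields a tree in which bar@1.2.0 is new, so an alert on bar after `socket npm rm foo` is the expected outcome, not a bug in the scanner.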
How can I use this without replacing all my code that uses npm?
socket npm automatically detects whether it is in front of npm in the PATH variable; if it is not, it prepends itself to the PATH so that nested invocations are intercepted too. This means that with something like socket npm run script-with-npx, the npx call inside the script is already intercepted without any change to your package.json.
If you wish to avoid typing socket npm, add shell aliases like the following to your .bashrc or .zshrc:
alias npm="socket-npm"
alias npx="socket-npx"
For zsh autocompletions you may wish to add the following as well.
compdef _npm socket-npm
For bash autocompletions you may wish to add the following as well. It copies npm's existing completion spec over to socket-npm, so npm's own completion must already be loaded in that shell (for example via npm completion) before this line runs.
$(complete -p npm | sed 's/npm$/socket-npm/')
How can I use this with npq?
npq is an alternative security tool with a different set of checks, backed by Snyk. npq does not run against a package manager directly; instead it performs its checks and then hands off to another package manager. Set the environment variable NPQ_PKG_MGR=socket-npm and run npq-hero to use both.
NOTE: Because socket npm performs a full transitive scan and integrates with npm's resolution, while npq does less work, expect npq's own phase to be the faster of the two.
socket npx ...args
This engages Socket's integration with npx to intercept any attempt to install packages. It uses npx's real dependency resolution to calculate exactly what would be installed on the machine running the command.