socket package

Get score and other details on software packages

This set of commands is your gateway to Socket.dev scores for packages from ecosystems like npm, rubygems, and pypi.

socket package --help

  Commands relating to looking up published packages

  Usage
    $ socket package <command>

  Commands
    score             [beta] Look up score for one package which reflects all of its transitive dependencies as well
    shallow           [beta] Look up info regarding one or more packages but not their transitives

  Options
    --help            Print this help

  Examples
    $ socket package --help

Score

There are two kinds of package scores: shallow scores and deep scores. Before we cover them we should explain what a "purl" is.

PURL

A PURL is a string that conforms to the "package URL" specification, a general way to name a package so that it can be recognized and there can be no ambiguity about the ecosystem, package name, or version. Examples would be pkg:npm/socket or pkg:pypi/pip.

In docs we may casually refer to a "purl" just like you would when you say "url" for any website.

Shallow score

When a score applies only to the package itself and not to its direct or transitive dependencies, it is a shallow score. It covers only the software written by that developer or vendor, not the other packages it may depend on.

To get shallow package scores for one or more packages you can use the socket package shallow command. It supports two input forms:

  • you start by specifying an ecosystem and then any number of packages
  • you specify any number of "PURL" names

The shallow score gives a good indication of what might be wrong with the package itself, but it tells you nothing about how safe the package is as a whole, unless of course it has zero dependencies.

Deep score

In general when people ask for the score of a package they mean the package as a whole, including any software that ships with it. This leads us to a "deep" score, also called a "transitive" score. This kind of score reflects the whole package as it gets shipped: its direct dependencies, the dependencies those depend on, and so forth. Those are also called "transitive dependencies".

To get the transitive dependency score for a package you can use either of two forms, as for the shallow score above:

  • you start with the ecosystem followed by the package you want to inspect
    • socket package score npm babel
  • or by specifying the whole purl
    • socket package score pkg:npm/babel
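The two input forms above (an ecosystem followed by package names, or a list of purls) are interchangeable because a purl carries the ecosystem inside it. The following JavaScript is an added example, not code from the Socket CLI or its docs: it parses a purl into its components following the package-url specification (pkg:type/namespace/name@version, with "@" inside a namespace percent-encoded as %40) and normalises either input form into a list of purls. The helper names parsePurl, toPurl and argsToPurls are hypothetical, as is the assumption that package specs are written npm-style ("@scope/name@version"); the CLI's own argument handling may differ.

```javascript
// Added example (not the Socket CLI's code): converting between the two input
// forms the docs describe and parsing purls. Follows the package-url spec:
// pkg:<type>/<namespace>/<name>@<version>; '@' in a namespace is encoded as %40,
// so a literal '@' in the remainder can only be the version separator.

const PURL_SCHEME = 'pkg:';

// Parse a purl string into {type, namespace, name, version}.
// Throws on anything that is not an unambiguous purl.
function parsePurl(purl) {
  if (typeof purl !== 'string' || !purl.startsWith(PURL_SCHEME)) {
    throw new Error(`not a purl: ${purl}`);
  }
  // Drop qualifiers (?...) and subpath (#...); scoring only needs type/name/version.
  let rest = purl.slice(PURL_SCHEME.length).split('#')[0].split('?')[0];
  rest = rest.replace(/^\/+/, '');             // the spec tolerates pkg:/npm/x
  const firstSlash = rest.indexOf('/');
  if (firstSlash <= 0) throw new Error(`purl has no type/name separator: ${purl}`);
  const type = rest.slice(0, firstSlash).toLowerCase();
  let remainder = rest.slice(firstSlash + 1);

  let version = null;
  const at = remainder.lastIndexOf('@');
  if (at !== -1) {
    version = decodeURIComponent(remainder.slice(at + 1));
    remainder = remainder.slice(0, at);
  }
  const segments = remainder.split('/').filter(Boolean).map(decodeURIComponent);
  if (segments.length === 0) throw new Error(`purl has no name: ${purl}`);
  const name = segments.pop();
  const namespace = segments.length ? segments.join('/') : null;
  return { type, namespace, name, version };
}

// Build a purl from the other input form: an ecosystem plus a package spec
// such as "babel", "@babel/core" or "@babel/core@7.0.0" (npm-style spec; hypothetical
// helper, not the CLI's own parsing).
function toPurl(ecosystem, spec) {
  let s = spec.trim();
  let namespace = null;
  if (s.startsWith('@')) {                      // scoped package: "@scope/name"
    const slash = s.indexOf('/');
    if (slash === -1) throw new Error(`scoped package without a name: ${spec}`);
    namespace = s.slice(0, slash);
    s = s.slice(slash + 1);
  }
  let version = null;
  const at = s.lastIndexOf('@');
  if (at > 0) {                                 // "name@version"
    version = s.slice(at + 1);
    s = s.slice(0, at);
  }
  if (!s) throw new Error(`empty package name: ${spec}`);
  const parts = [ecosystem.toLowerCase()];
  if (namespace) parts.push(encodeURIComponent(namespace)); // '@' becomes %40
  parts.push(encodeURIComponent(s));
  return PURL_SCHEME + parts.join('/') + (version ? '@' + encodeURIComponent(version) : '');
}

// Normalise a whole argument list, in either form, to a list of purls:
//   ["npm", "babel", "lodash"]          -> ["pkg:npm/babel", "pkg:npm/lodash"]
//   ["pkg:npm/babel", "pkg:pypi/pip"]   -> unchanged, after validation
// Mixing the two forms is rejected because it would make the ecosystem ambiguous.
function argsToPurls(args) {
  if (args.length === 0) throw new Error('no packages given');
  const purlCount = args.filter(a => a.startsWith(PURL_SCHEME)).length;
  if (purlCount === args.length) {
    args.forEach(parsePurl);                    // throws on a malformed purl
    return args.slice();
  }
  if (purlCount !== 0) throw new Error('mix of purls and ecosystem form is ambiguous');
  const [ecosystem, ...specs] = args;
  if (specs.length === 0) throw new Error(`no package names given for ecosystem ${ecosystem}`);
  return specs.map(spec => toPurl(ecosystem, spec));
}

// Stand-alone usage, mirroring the docs' example inputs:
console.log(argsToPurls(['npm', 'babel']));              // [ 'pkg:npm/babel' ]
console.log(parsePurl('pkg:npm/%40babel/core@7.0.0'));   // scoped npm package with a version

module.exports = { parsePurl, toPurl, argsToPurls };
```

Because the purl form pins the ecosystem per package, it is the form to prefer in scripts and CI jobs that feed a fixed list of packages to the CLI; the ecosystem-first form is convenient interactively but applies one ecosystem to every name that follows it.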

The deep score for a package should give you a good indication of whether it's safe to run that package. But mind you, we can only report the things that we actually know about!

Output flags

The commands support --json for a raw dump, --markdown for a legible and shareable report, and otherwise default to printing with console.log in Node.js.