Socket develops tool to protect developers from npm vulnerabilities

Share post:

Socket, a security firm, has created a new method for protecting developers from the flaws in npm, GitHub’s JavaScript package manager.

Npm’s registry is the world’s largest software registry, hosting software packages for the JavaScript ecosystem. However, malicious actors have increasingly targeted package registries like npm in supply chain attacks in recent years.

Over the years, those in charge of the npm registry have put in place various defenses, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). However, the tool’s implementation leaves something to be desired, and developers frequently disregard audit warning messages, especially when automated resolution fails.

Socket has developed a vulnerability scanning system that detects more issues than npm audit, including concerns about quality, maintenance, vulnerability, and license.

Socket’s scanner is now available as a command-line interface (CLI) that developers can install on their machines. Socket’s CLI has been updated with a safe npm command that protects developers when they use npm install or npm uninstall.

The average npm package has 79 transitive dependencies, according to Socket’s founder Feross Aboukhadijeh, so installing one is likely to bring dozens of additional packages along for the ride.

The safe npm command has expanded the capabilities of the Socket CLI. It is installed by running npm install -g @socketsecurity/cli, which adds a socket command to the PATH environmental variable, which specifies the location of executable programs.

The sources for this piece include an article in TheRegister.

Featured Tech Jobs



Related articles

Kaspersky uncovers malware targeting iPhones running iOS 15.7 and below

Kaspersky has uncovered a sophisticated malware campaign specifically designed to infect iPhones running up to iOS 15.7 through...

WordPress fixes critical Jetpack plugin vulnerability

WordPress has addressed a critical flaw discovered in the Jetpack plugin, which had the potential to enable authors...

Akamai discovers Dark Frost botnet exploiting gaming platforms

Akamai's security intelligence response team recently has alerted the general public of Dark Frost, a botnet that has...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways