The NPM Registry’s Safe Word is Socket
Read more of this story at Slashdot.
An anonymous reader shares a report:
Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit — covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns. But Socket’s scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others. “npm creates what is called the ‘ideal tree’ for a given package.json,” explained Feross Aboukhadijeh, told The Register. “So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version.”