The safe word for the npm registry is Socket • The Register.



Exclusive: Socket has found a way to protect developers from npm, GitHub’s insecure JavaScript package manager, by wrapping it in a security blanket.

Operated by NPM until Microsoft’s GitHub acquired its security business in 2020, the npm registry hosts software packages for the JavaScript ecosystem. It is, by its own description, “the world’s largest software registry.”

Over the last few years, malicious actors have increasingly turned to compromising package registries such as npm, in what is known as a supply chain attack. Subverting a popular software library lets malicious code spread widely through everything that depends on it.

Those running the npm registry have adopted various defenses over the years, including npm audit, the vulnerability scanning command in the npm command line interface (CLI). However, the tool still has shortcomings in its implementation, and developers often ignore its audit warnings, especially when automatic resolution does not work.

Socket built its own scanning system and made it available for free to open source projects last year (with a paid tier for teams and organizations). That scanner runs as a GitHub app in your code repository whenever changes are made. It covers not only supply chain risks but also quality, maintenance, vulnerability, and licensing concerns, and it detects more issues than npm audit.


But Socket’s scanner is now also available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a “safe npm” command that protects developers every time they invoke npm install or npm uninstall, because removing a package can, in fact, cause other packages to be installed.

“npm creates what’s called an ‘ideal tree’ for a given package.json,” Feross Aboukhadijeh explained to The Register. “So removing a package can actually change the ideal tree. Removing a package can remove the constraint that was keeping another package at an older version, so npm is no longer prevented from moving that package to a more ideal/latest version.”

The reason for this concern is that JavaScript packages distributed via npm can be compromised. According to Aboukhadijeh, Socket has seen more than 200 packages removed in the last 30 days.
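To make the “ideal tree” effect concrete, here is an added toy resolver (not npm’s or Socket’s code) over a constructed mini-registry: removing app-logger from package.json drops the constraint that held left-pad at 1.x, so the uninstall resolves to a newer left-pad 2.0.0, fresh code that a wrapper like safe npm must still scan.

```python
"""Toy model of npm's 'ideal tree': why `npm uninstall` can pull in new code.
Added illustration, not npm's or Socket's code; registry, package.json and the
'>=lo <hi' range syntax are constructed and simplified."""
from itertools import chain

# Constructed registry: package -> {version: {dependency: range}}
REGISTRY = {
    "app-logger": {"1.0.0": {"left-pad": ">=1.0.0 <2.0.0"}},  # pins left-pad to 1.x
    "widget":     {"3.1.0": {"left-pad": ">=1.0.0 <3.0.0"}},  # allows left-pad 2.x
    "left-pad":   {"1.3.0": {}, "2.0.0": {}},
}
# Constructed package.json "dependencies" block
PACKAGE_JSON = {"app-logger": ">=1.0.0 <2.0.0", "widget": ">=3.0.0 <4.0.0"}

def parse(version):
    return tuple(int(part) for part in version.split("."))

def satisfies(version, rng):
    """Simplified range check; rng looks like '>=1.0.0 <2.0.0'."""
    lo, hi = (bound.lstrip("<>=") for bound in rng.split())
    return parse(lo) <= parse(version) < parse(hi)

def ideal_tree(direct_deps, registry=REGISTRY):
    """Choose, per package name, the newest version satisfying every range
    from package.json and from the deps of each package already chosen
    (one hoisted copy per name). Iterates to a fixed point."""
    resolved = {}
    while True:
        constraints = {}
        sources = chain(direct_deps.items(),
                        *(registry[n][v].items() for n, v in resolved.items()))
        for name, rng in sources:
            constraints.setdefault(name, []).append(rng)
        new = {name: max((v for v in registry[name]
                          if all(satisfies(v, r) for r in ranges)), key=parse)
               for name, ranges in constraints.items()}
        if new == resolved:
            return resolved
        resolved = new

def uninstall_side_effects(direct_deps, package):
    """Return {name: (old, new)} for every package whose resolved version
    changes (None = absent) when `package` is removed from package.json."""
    before = ideal_tree(direct_deps)
    after = ideal_tree({k: v for k, v in direct_deps.items() if k != package})
    return {n: (before.get(n), after.get(n))
            for n in before.keys() | after.keys() if before.get(n) != after.get(n)}

# Removing app-logger frees left-pad to float to 2.0.0: fresh code on uninstall.
print(uninstall_side_effects(PACKAGE_JSON, "app-logger"))
```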

According to Aboukhadijeh, the average npm package has 79 transitive dependencies, so installing one can add dozens of additional packages. And manually scrutinizing all of them is not something most people have the ability, time, or inclination to do.

Running npm audit can already surface known vulnerabilities, but the Socket CLI goes deeper thanks to its added safe npm command. It is set up by running npm install -g @socketsecurity/cli, which adds the socket command to PATH, the environment variable that specifies where executables can be found.

Developers can then invoke the tool by typing socket npm install instead of npm install. Aliasing the command makes this even more useful: the organization recommends adding alias npm="socket npm" to one’s .bashrc profile (or .zshrc, or whatever shell you are using), so that the familiar npm install call is passed transparently to the Socket CLI.

Demo of interaction with npm command line and socket safety

“Socket’s safe npm tool transparently wraps the npm command and protects developers from malware, typosquats, install scripts, telemetry, protestware, and more. There are 11 problems in all.”

The approach also covers riskier commands like npx and npm exec, which immediately run the downloaded code.

“Since these commands are so heavily used, we’ve also added protections to these commands to prevent developers from accidentally copy-pasting and executing bad code. Running npx commands from README files or StackOverflow answers puts you at risk,” the biz said. ®
