Feross Aboukhadijeh
February 2, 2023
Open source software plays a critical role in the development of modern applications. However, with the increasing popularity of open source, security has become a major concern for developers. How do you know you can trust your open source packages? To help developers stay secure, Socket provides a powerful tool for managing open source software. With Socket, developers can find, audit, and manage their open source dependencies with ease, reducing the risk of security vulnerabilities in their code.
To help address this challenge for more users in the JavaScript community, Socket is proud to announce improved support for npm and Yarn.
Socket now offers full support for npm versions 6, 7, 8, and 9, including lockfile versions 1, 2, and 3, workspaces, package overrides, `file:` dependencies, shrinkwrap dependencies, and bundled dependencies. This gives developers greater flexibility and control over their npm dependencies, making it easier to manage their open source software securely.
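The three npm lockfile versions named above differ in shape, and the security-relevant fields a reviewer cares about (where each package was resolved from, and whether it carries an integrity hash) live in different places in each. The following is an added example, not Socket's code: it walks a `package-lock.json` of lockfileVersion 1, 2 or 3 and flags packages that do not come from the public registry or that lack an integrity hash. The lockfile shapes it assumes are: v1 nests packages under a recursive `dependencies` tree; v2 adds a flat `packages` map keyed by install path alongside that tree; v3 keeps only `packages`. The two sample lockfiles are constructed for this example and the integrity values are placeholders, not real hashes.

```javascript
// Added example: audit an npm lockfile (v1, v2 or v3) for dependency provenance.
// Sample lockfiles below are constructed; "sha512-PLACEHOLDER" is not a real hash.

const sampleLockV3 = {
  name: "example-app", version: "1.0.0", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "demo-lib": "^1.3.0", "shared-util": "file:./vendor/shared-util.tgz",
                          "some-tool": "github:example/some-tool" } },
    "node_modules/demo-lib": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/demo-lib/-/demo-lib-1.3.0.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/shared-util": { version: "0.1.0",
      resolved: "file:vendor/shared-util.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/some-tool": { version: "2.0.0",
      resolved: "git+ssh://git@github.com/example/some-tool.git#0123456789abcdef0123456789abcdef01234567" },
    "node_modules/some-tool/node_modules/nested-dep": { version: "4.2.0",
      resolved: "https://registry.npmjs.org/nested-dep/-/nested-dep-4.2.0.tgz" }, // integrity missing
    "node_modules/bundled-dep": { version: "1.0.0", inBundle: true } // ships inside a parent tarball
  }
};

const sampleLockV1 = {
  name: "example-app", version: "1.0.0", lockfileVersion: 1, requires: true,
  dependencies: {
    "demo-lib": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/demo-lib/-/demo-lib-1.3.0.tgz", integrity: "sha512-PLACEHOLDER",
      requires: { "nested-dep": "^4.0.0" },
      dependencies: {
        "nested-dep": { version: "4.2.0",
          resolved: "https://registry.npmjs.org/nested-dep/-/nested-dep-4.2.0.tgz", integrity: "sha512-PLACEHOLDER" }
      } },
    // v1 records git and file: specs in "version" rather than "resolved"
    "some-tool": { version: "git+ssh://git@github.com/example/some-tool.git#0123456789abcdef0123456789abcdef01234567",
      from: "github:example/some-tool" }
  }
};

// Classify the origin of a package from its resolved locator.
function classifySource(resolved) {
  if (resolved === undefined) return "unresolved";
  if (resolved.startsWith("file:")) return "file";
  if (/^git(\+[a-z]+)?:/.test(resolved)) return "git";
  try {
    const url = new URL(resolved);
    return url.hostname === "registry.npmjs.org" ? "registry" : "http"; // "http": tarball on some other host
  } catch {
    return "unresolved";
  }
}

// Package name from a v2/v3 "packages" key such as "node_modules/@scope/name".
function nameFromPath(installPath) {
  const idx = installPath.lastIndexOf("node_modules/");
  return idx === -1 ? installPath : installPath.slice(idx + "node_modules/".length);
}

// Flatten any lockfile version into a uniform list of {name, version, resolved, integrity, bundled}.
function lockfileEntries(lock) {
  const entries = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      if (meta.link) continue;   // symlink entry; the real package is listed under its own path
      entries.push({ name: meta.name || nameFromPath(path), version: meta.version,
                     resolved: meta.resolved, integrity: meta.integrity, bundled: Boolean(meta.inBundle) });
    }
  } else {
    // lockfileVersion 1: recursive "dependencies" tree
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const resolved = meta.resolved ?? (/^[a-z+]+:/.test(meta.version || "") ? meta.version : undefined);
        entries.push({ name, version: meta.version, resolved, integrity: meta.integrity, bundled: Boolean(meta.bundled) });
        walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return entries;
}

// Report packages that are not registry-sourced, or remote tarballs with no integrity hash.
function auditLockfile(lock) {
  const findings = [];
  for (const e of lockfileEntries(lock)) {
    if (e.bundled) continue; // covered by the parent tarball's integrity
    const source = classifySource(e.resolved);
    if (source !== "registry") {
      findings.push({ name: e.name, issue: "non-registry source", source, resolved: e.resolved });
    }
    if ((source === "registry" || source === "http") && !e.integrity) {
      findings.push({ name: e.name, issue: "missing integrity", source, resolved: e.resolved });
    }
  }
  return findings;
}

console.log(auditLockfile(sampleLockV3));
console.log(auditLockfile(sampleLockV1));
```

Run against a real lockfile by replacing the sample objects with `JSON.parse(fs.readFileSync("package-lock.json"))`. A `file:` or `git` finding is not necessarily a problem, but each one is a package whose contents are not pinned by a registry tarball hash and deserves a second look during review.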
In addition to improved npm support, Socket now fully supports Yarn versions 1, 2, and 3. This includes support for the Yarn lockfile format, workspaces, selective dependency resolutions (package overrides), `file:` dependencies, shrinkwrap dependencies, and bundled dependencies. With this improved support, developers can take advantage of the benefits of Yarn while ensuring their dependencies are managed securely.
Socket is also planning to fully support pnpm in the near future. This will allow developers to take advantage of pnpm's unique features, including its ability to store package files in a shared cache, reducing disk usage and speeding up installations. Vote for pnpm support on the Socket Roadmap to be notified when it's ready.
UPDATE: We shipped pnpm support. See the full announcement post.
With its improved support for npm and Yarn, Socket provides developers with a powerful tool for managing open source software securely. Whether you're a seasoned developer or just starting out, Socket is the perfect tool for anyone looking to reduce the risk of security vulnerabilities in their code.
So why not give Socket a try today? With its GitHub integration, Socket for GitHub makes it easy to start using Socket in your projects. You'll love how much time and effort you'll save, and you'll appreciate the peace of mind that comes from knowing your open source software is managed securely.