Bret Comnes
March 24, 2023
Adding or updating dependencies in your project can be overwhelming. One seemingly small dependency change can result in hundreds of new transitive dependencies being installed, which can impact your project's security and maintainability.
With the ever-increasing automation in dependency management, the problem of understanding and controlling dependencies has only gotten worse. It's time to upgrade your PR reviewing process and say hello to Socket Dependency Overview, a powerful new feature in Socket for GitHub!
Socket Dependency Overview provides in-depth insights into added, updated, or removed dependencies, equipping you with critical information to make informed decisions about the impact of changes. To get access to Socket Dependency Overview, install Socket for GitHub.
One of the most fundamental things not visible in pull requests today is what code is actually changing in your application. The diff view of a pull request only exposes the top-level dependency changes, which is a small subset of the total new packages coming into your project.
For example, what should a developer make of this PR diff? How much risk is being introduced? How many new transitive dependencies have been added? Who published this new version, and is this the first time we've seen a new version published by them?
To help developers make sense of dependency changes, Socket Dependency Overview leaves a helpful comment on pull requests that add, update, or remove dependencies. The comment clarifies the impact of dependency changes by offering useful metrics and stats not visible in the PR itself:
The updated dependencies table contains the same columns as the added dependencies table, with one addition:
Finally, fully removed dependencies are listed at the bottom of the comment. Dependencies are only considered fully removed when they no longer exist either top-level or transitively.
Dependencies may use high-risk capabilities such as accessing the network, filesystem, shell, environment variables, and more. While these capabilities are often necessary, it's crucial to stay vigilant. Socket Dependency Overview helps you identify packages that have unexpected capabilities, empowering you to make a thorough security assessment before accepting a new package into your app.
The following capabilities will be listed if they are detected in any new or updated dependencies:
These capabilities are not security issues on their own, but spotting unexpected capabilities on dependencies can be a cause for concern. With this previously hard-to-find information at your fingertips, you can now assess the quality and capabilities of your dependencies much faster.
Adding or updating a dependency may result in a massive increase in the number of transitive dependencies in your project. This is a huge problem for teams that wish to maintain a lean and secure codebase.
Socket Dependency Overview helps you visualize the impact of large transitive dependency graphs, which enables you to consider alternatives, fork the project, or ideally, upstream an improvements to the original project.
A transitive dependency is a dependency that is indirectly required by a package, through one or more of its direct dependencies. In other words, transitive dependencies are the dependencies of the dependencies.
Dependencies can vary widely in size and behavior, but generally having more transitive dependencies means:
With Socket Dependency Overview, if you install a seemingly trivial dependency that pulls in 500+ transitive dependencies, for example, you will notice it right away. By exposing this data so it is visible at the time and place where developers need it most—in the pull request—we can help developers choose leaner, more secure dependencies.
Open source is built on trust. A huge source of this trust comes from the personal connections and associations we develop with specific maintainers and contributors. Open source projects frequently change hands and add additional maintainers over time but this is not usually communicated clearly to the users who depend on these projects.
Socket Dependency Overview includes information about the user who published the specific version of the dependency you're installing. This information helps to create a stronger connection between dependents and publishers.
There is a hidden social network in open source that is often hard to clearly understand using normal package manager workflows. And it's virtually impossible to understand through PRs alone.
Many dependencies have large collaborator lists, but maybe only 1 or 2 individuals who are responsible for all recent release work. You may associate certain dependencies with specific individuals who may not even work on the project anymore.
Socket Dependency Overview surfaces the latest individual who released the dependency so you get a much clearer picture of who you are depending on from a human perspective.
Perhaps you know them in real life—awesome!—or at least now you have an excuse to get to know them. Or maybe the package changed hands to an industry competitor or to a new maintainer due to burnout. Whoever it may be, we hope that this information will serve to create positive and clear connections between dependents and publishers.
When a dependency is updated, Socket Dependency Overview includes a link to the differences between the two specific versions. By viewing the dependency diff on Socket, you'll see the actual changes that are contained in the dependency tarballs.
Note: it is not sufficient to evaluate GitHub diffs since there is no guarantee that code on GitHub matches code on npm.
Go beyond changelogs and github diffs by viewing the actual code changes between dependency versions. This crucial tool helps you spot any risky changes or massive refactors and can help you make well-informed decisions about when or whether to update specific dependencies.
While you may be familiar with reviewing changelogs or GitHub diffs when assessing dependency updates, neither of these approaches are guaranteed to reflect the real changes that are contained in the dependency tarballs which are actually installed when you add or update a dependency.
By viewing the dependency diff on Socket, you get the real view of the changes between versions. Hopefully this diff lines up with the git diff and changelog, but sometimes it doesn't due to things like build scripts! Large diffs are hard to process by humans, but smaller diffs are fairly easy to skim through and can give you added comfort when updating a dependency.
Socket Dependency Overview never blocks developers or causes the GitHub PR check to fail. The information is purely informational. However, we hope that if you notice a UI component (e.g. a button or checkbox) accessing the network, that you'll take the time to investigate further.
Together, we can keep our apps secure from software supply chain attacks!
Like with all of our GitHub app features, you can disable Socket Dependency Overview if you aren't interested:
Let us know on Twitter and Mastodon if you find any surprising capabilities in your dependencies! Also, if you have ideas for additional information you would find useful when assessing dependency changes in your project, please reach out with ideas!
If you want to try out Socket with the Dependency Overview feature, you can install the GitHub App in less than 2 minutes. It's super fast and easy.
Happy hacking!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
