Mikola Lysenko

We're happy to announce that Socket now supports the 

Developers can now take advantage of the benefits of pnpm while ensuring their dependencies are managed securely with Socket.

Developers choose pnpm because of it's ability to store package files in a shared cache which reduces disk usage and speeds up installations.

This release of Socket includes support for 

 dependencies, shrinkwrap dependencies, and bundled dependencies.

 installed, then there's nothing you need to do to get pnpm support—Socket will automatically start analyzing your pnpm dependencies. Just ensure that your 

 is checked into your GitHub repository, and you're good to go!

If you want to try out Socket with pnpm support, you can 

More ecosystems and languages are coming soon

If you have any questions or feedback, please don't hesitate to reach out to our dedicated support and engineering team. If you would like to chat with someone on our team, you should 

We're here to help you keep your apps secure, 

no matter what language or package manager you're using

. Stay tuned for more ecosystem support soon, and 

Socket now supports the pnpm package manager! Check it out and stay away from vulnerable and malicious packages.

Introducing pnpm support in Socket

Blog: {{category}} News and Updates

Learn about the latest security news, Socket updates and announcements.

Blog

Inherit

Block

Ignore

Monitor

Warn

License

Maintenance

Miscellaneous

Other

Quality

Supply chain risk

Vulnerability

When alerts are associated with multiple artifacts, the priority score is based on the artifact with the highest priority score.

Legal

Operational

Security

Admins only

Organization members

Dashboard

Grouping: Directs

Grouping: None

Artifact: <code>{{- fullArtifactDisplayName}}</code>

Dependency tree

<upgradeLink>Upgrade</upgradeLink> to access this feature

Rate your experience

Achievements

Why Socket?

Customer Stories

Languages

Impersonation Mode Active

Update your browser to the latest version for the best experience.

Your web browser is outdated

Use another browser for the best experience.

Your web browser is unsupported

{{count, number}} commits last two months

{{count, number}} critical severity alert

{{count, number}} critical severity alerts

{{count, number}} dependency vulnerability

{{count, number}} dependency vulnerabilities

{{count, number}} development dependencies

{{count, number}} transitive dependencies

{{count, number}} version published last month

{{count, number}} versions published last month

{{count, number}} version published in last two months

{{count, number}} versions published in last two months

{{count, number}} version published last week

{{count, number}} versions published last week

{{count, number}} version published last year

{{count, number}} versions published last year

Socket undergoes annual SOC2 Type II audits. Socket customers can request a copy of the full SOC2 Type II report.

Work with a dedicated Customer Success Manager to help you get the most out of Socket.

Control who are admins in the organization. Restrict access with Role-based Access Control (RBAC).

Restrict logins to the organization to SSO, preventing other login methods (e.g. GitHub or email)

Connect your AI code agents to Socket to get security insights and alerts.

Scans AI models in HuggingFace and PyPI packages for malicious code, backdoors, and other security risks. HuggingFace support coming soon.

Get a clear view of your current supply chain health. Track active alerts, dependency risk, and security trends across your org—all in one place on the Socket Dashboard and via API.

Allows organization owners and admins to access detailed records of actions taken by members of their organization, complete with timestamps.

Automatically generate fixes for vulnerable dependencies with safe, tested upgrades.

Prevent compromised packages from infiltrating your supply chain by monitoring for changes in real-time. Block 70+ types of open source threats, including malware, typo-squatting, backdoors, and more.

Shift left by catching risky or low-quality dependencies before they're merged. Use CI gating, PR comments, and visual warnings to guide developers early and enforce security guardrails.

Integrate with Slack. Microsoft Teams is coming soon.

Integrate with Vanta. Drata is coming soon.

Filters out CVEs in functions your code doesn’t call — reducing up to 90% of false positives and irrelevant CVEs. Tier 1 reachability provides the highest quality reachability data. Easy to setup. Need to add a CLI command to CI/CD or GitHub Action to the repository.

Customize parts of the comment sent to developers in GitHub pull requests

See how your security changes over time with 30 days of historical insights. Track alert trends, monitor dependency changes, and export data via API for custom dashboards.

Analyzes IDE extensions for security risks — supports OpenVSX and VS Code. Coming soon.

Surfaces security issues directly in IDEs to help developers fix faster while coding. VS Code extension includes a bundled MCP server by default.

Surfaces issues and fixes in the IDE, helping developers catch and resolve problems as they code.

Socket scans for vulnerabilities in your dependencies, including CVEs, security advisories, and more.

Socket supports JavaScript, TypeScript, Python, Go, Java, Ruby, .NET, Scala, Kotlin, Rust, and more — with continuous expansion to cover the most popular ecosystems.

Automatically enforce license policies across all repositories, blocking non-compliant dependencies and ensuring your entire organization stays compliant.

Local AI connector that exposes dependency scoring and security context to your tools via a standardized protocol.

Define and enforce custom license policies using repo labels — based on factors like team, criticality, environment, or any criteria you choose.

Define and enforce custom security policies using repo labels — based on factors like team, criticality, environment, or any criteria you choose.

Ranks issues by exploitability, reachability, fixability, and custom priorities set via repo labels.

Faster replies to support questions via email and Slack.

Get dedicated support from technical experts and engineers in a private Slack channel.

Use Socket Web Extension to educate developers at the earliest possible point in time about package risks before they install them on their local development systems. Supports Chrome, Edge, and Firefox.

Analyze the reachability of vulnerabilities in your dependencies.

Import or export Software Bills of Materials (SBOMs) to track and audit dependencies.

Automate user provisioning and deprovisioning with SCIM. Coming soon.

Use Socket with a self-hosted source code management (GitHub Enterprise Server, GitLab Enterprise, Bitbucket Server, and Azure DevOps Server..

Inegrate with Elastic, Google BigQuery, Panther, and Splunk.

Socket is SOC2 Type II compliant and undergoes annual audits.

The Socket CLI allows teams to prevent risky dependencies from being installed, and to get dependency insights from the command line.

Connects to your source code management system to scan repos, review PRs or MRs, and enrich the developer workflow with security insights.

Socket supports SAML SSO for single sign-on and identity management.

Paid add-on. Provides real-time access to curated vulnerability and malware threat data for use in your own tools and workflows.

Integrate with Jira and Linear. Coming soon.

Get up to speed quickly with hands-on training and guided onboarding. Our team helps your developers and security teams hit the ground running.

Receive a Service Level Agreement for uptime of the Socket application.

High-quality comprehensive vulnerability database which integrates proprietary data from Socket, NVD, GitHub, OSV, OpenSSF, and many other sources.

Scans browser extensions for risk and malware — supports Chrome, Firefox, Edge, and Safari.

Receive updates via Webhooks anytime Socket has new scan results or alert state has changed.

Socket will analyze your SBOMs up to a maximum number of dependencies.

API that allows you to analyze a project, lookup package scores and alerts, and more.

Create API tokens to authenticate with the Socket API and CLI.

A developer is someone who made a commit to your organization's repositories scanned by Socket.

A member is someone who is a part of your organization and can access your organization's Socket dashboard.

Use Socket to protect your private repositories.

Socket is always free for open source projects.

Organize repos by team, project, or importance. Apply custom policies and adjust alert priority based on labels.

Applies to all scans — whether triggered via API, CLI, IDE, or SCM integrations.

Access the threat feed that powers Socket.

Unlimited scale, self-hosting, and priority support for large teams.

For open-source projects, individuals, and small teams.

For growing teams with enhanced scale, security, and support.

This is a legacy plan that is no longer available for new customers. Upgrade to our Team or Enterprise plans for enhanced features and support.

There is a package with a similar name that is downloaded much more often.

There are packages with similar names that are downloaded much more often.

This may not be the package you want!

Instance

Alert Locations

Package

Readme not found for selected version

Provide a detailed description of the threat...

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.

Socket - Secure your dependencies. Ship with confidence.

Welcome to Socket

Get actionable alerts for the supply chain risks that matter. Socket highlights risky dependencies directly within the developer workflow.

Not using GitHub? Generate reports next to your tests with our CLI

Socket CLI

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Detect and block software supply chain attacks

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Introducing pnpm support in Socket

Socket now supports the pnpm package manager! Check it out and stay away from vulnerable and malicious packages.

Developers love pnpm + Socket#

More ecosystems and languages are coming soon#

Ready to block malicious and vulnerable dependencies?

Related posts

Introducing pnpm support in Socket

Socket now supports the pnpm package manager! Check it out and stay away from vulnerable and malicious packages.

Developers love pnpm + Socket#

More ecosystems and languages are coming soon#

Ready to block malicious and vulnerable dependencies?

Related posts

Rust Support Now in Beta

Announcing Socket Fix 2.0