Introducing Socket Optimize

We're excited to introduce Socket Optimize, a powerful CLI command to secure open source dependencies with tested, optimized package overrides.

Introducing Socket Optimize

John-David Dalton

October 16, 2024


At Socket, our mission is to secure the vast ecosystem of open source dependencies that are critical for modern software development. As a team of open source maintainers with software that receives millions of downloads per month, we understand that managing dependencies involves not only security challenges but also various quality concerns, such as managing legacy packages as platforms evolve.

Today we’re excited to introduce Socket Optimize:

npx socket optimize

A powerful new CLI tool for proactive dependency hygiene.

Empowering developers to take charge of their dependency health

Socket Optimize is designed to make it easy for developers to reduce transitive dependencies, leverage new platform features, improve performance, and address security issues, all with one simple CLI command.

On the fly:
npx socket optimize

Or installed globally:
npm install -g socket
socket optimize

Inspired by the JavaScript community’s e18e initiative, which aims to improve performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter-weight package alternatives, our new initiative leverages package manager overrides as another strategic way of optimizing and securing your dependencies, beginning with the JavaScript ecosystem.

What are package manager overrides?

Package manager overrides are mechanisms that allow developers to customize or replace specific dependencies within their project's dependency tree. Essentially, overrides enable you to specify alternative versions or entirely different packages for certain dependencies, ensuring that your project uses the most appropriate and secure versions available.

Socket Optimize supports detecting overrides for npm, pnpm, Bun, and Yarn lock files and focuses on four main enhancement areas: cleanup, levelup, speedup, and tuneup.

  • Cleanup ✨ — Reduce dependencies and replace polyfills with built-in equivalents.
  • Levelup 🧩 — Add new features and leverage modern platform APIs.
  • Speedup ⚡ — Boost performance to run faster.
  • Tuneup 🔧 — Address CVEs, especially in outdated or unmaintained packages.
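To make the override mechanism concrete, here is an added example (not Socket's code or the Socket CLI's output) showing where npm, pnpm, Yarn and Bun read overrides from in package.json, how an override spec can either pin a version range or swap in a different package via an `npm:` alias, and a small audit that walks a lockfileVersion 3 package-lock.json to confirm every installed copy of an overridden package actually resolved to the override. All package names, versions and the lockfile contents are constructed placeholders; the range matcher deliberately supports only `*`, exact versions and `^`/`~` ranges, which is enough for the specs shown here.

```javascript
// Added example (not Socket's code): declare a package override the way the
// four supported package managers spell it, then audit an npm lockfile (v3)
// to confirm the override actually took effect. All package names, versions
// and the lockfile below are constructed placeholders.

// Where each package manager reads overrides from in package.json.
const OVERRIDE_FIELDS = {
  npm: (pkg) => pkg.overrides,                     // "overrides"
  bun: (pkg) => pkg.overrides ?? pkg.resolutions,  // Bun accepts either form
  pnpm: (pkg) => pkg.pnpm && pkg.pnpm.overrides,   // "pnpm.overrides"
  yarn: (pkg) => pkg.resolutions,                  // "resolutions"
};

// Parse an override spec: either a plain range ("^2.1.0") or an npm alias
// spec ("npm:@example/pkg@^1.0.0") that replaces the package with another one.
function parseSpec(spec) {
  if (spec.startsWith('npm:')) {
    const body = spec.slice(4);
    const at = body.lastIndexOf('@');
    // scoped names start with "@", so only split on an "@" past position 0
    if (at > 0) return { name: body.slice(0, at), range: body.slice(at + 1) };
    return { name: body, range: '*' };
  }
  return { name: null, range: spec };
}

// Minimal semver subset: "*", exact "x.y.z", "^x.y.z" and "~x.y.z".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function satisfies(version, range) {
  if (range === '*') return true;
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const lo = parseVersion(op ? range.slice(1) : range);
  if (!op) return cmp(v, lo) === 0;
  let hi;
  if (op === '~') hi = [lo[0], lo[1] + 1, 0];       // ~1.2.3 -> <1.3.0
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];       // ^1.2.3 -> <2.0.0
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];       // ^0.2.3 -> <0.3.0
  else hi = [0, 0, lo[2] + 1];                      // ^0.0.3 -> <0.0.4
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Audit a package-lock.json (lockfileVersion 3): every installed copy of an
// overridden package, nested ones included, must resolve to the override's
// package name (for aliases) and satisfy its range.
function auditLock(lock, overrides) {
  const findings = [];
  for (const [key, spec] of Object.entries(overrides)) {
    const want = parseSpec(spec);
    const suffix = `node_modules/${key}`;
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
      const actualName = entry.name ?? key; // aliased installs record the real name
      const ok =
        (want.name === null || actualName === want.name) &&
        satisfies(entry.version, want.range);
      findings.push({ path, key, expected: spec, actual: `${actualName}@${entry.version}`, ok });
    }
  }
  return findings;
}

// Constructed package.json: one alias override, one range pin.
const packageJson = {
  name: 'constructed-app',
  overrides: {
    'example-polyfill': 'npm:@example/example-polyfill-override@^1.0.0',
    'example-util': '^2.1.0',
  },
};

// Constructed lockfile: the top-level copies honor the overrides, but a nested
// copy of example-util was left behind (typical of a lockfile not regenerated
// after the overrides were added).
const packageLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app' },
    'node_modules/example-polyfill': { name: '@example/example-polyfill-override', version: '1.0.2' },
    'node_modules/example-util': { version: '2.1.4' },
    'node_modules/some-dep/node_modules/example-util': { version: '1.9.0' },
  },
};

for (const f of auditLock(packageLock, OVERRIDE_FIELDS.npm(packageJson))) {
  console.log(`${f.ok ? 'ok  ' : 'MISS'} ${f.path}: expected ${f.expected}, got ${f.actual}`);
}
```

A `MISS` on a nested path is the case worth watching for: npm applies overrides to every copy in the tree, so a stale nested copy means the lockfile was not regenerated after the override was added, and the vulnerable or heavyweight version is still what ships. Re-running the install and `npm ls <package>` is the quick fix and cross-check.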

The Socket Registry: A Collection of Optimized Package Overrides

Today we’re launching the Socket Registry, a growing collection of 128 optimized package overrides for use with the Socket CLI.

Every override:

  • Passes 💯 of the original package's unit tests to ensure compatibility
  • Is interoperable with CommonJS (no module format headaches)
  • Retains copies of original licenses and is compatible with MIT
  • Ships with TypeScript types
  • Supports current and LTS Node versions

Collaborating with the Open Source Community to Improve Package Overrides

While creating the registry we report bugs and collaborate with maintainers to address issues along the way (1, 2, 3, 4, 5, 6). We have taken steps to improve npm package override support, working through open source channels to ensure our contributions benefit the wider community.

Although our initial focus is on the JavaScript ecosystem, we have plans to expand into other ecosystems, such as Ruby and Python.

We'd love to hear from maintainers, and to empower them, so as to encourage broader discussion and participation in the ecosystem.

How to Contribute

We’ve made it easy to add new overrides, with one command to automatically validate, create, pull in licenses and tests, and tie up all the loose ends.

To create an npm ecosystem package override, initialize the socket-registry repository with your favorite package manager, e.g. npm install, and run:

npm run make:npm-override [<package-name>]

Follow the prompts to create the scaffolding of your shiny new override. Fill in all TODO: commented sections, commit, and send a pull request!

Our goal is to empower developers to take charge of their dependency health by optimizing dependencies with intelligent overrides. Every package you use from this registry is tested, typed, and optimized, with few or no dependencies.

As a supply chain security company that’s dedicated to protecting your projects from malicious code, we also recognize the importance of actively contributing to the underlying health and sustainability of the open source ecosystem. By promoting high-quality packages and best practices, we’re hoping to help maintainers and developers create more secure, performant, and reliable software. We’re excited to see how Socket Optimize will benefit your projects and we welcome your contributions!
