Introducing Socket Optimize

We're excited to introduce Socket Optimize, a powerful CLI command to secure open source dependencies with tested, optimized package overrides.


John-David Dalton

October 16, 2024


At Socket, our mission is to secure the vast ecosystem of open source dependencies that are critical for modern software development. As a team of open source maintainers with software that receives millions of downloads per month, we understand that managing dependencies involves not only security challenges but also various quality concerns, such as managing legacy packages as platforms evolve.

Today we’re excited to introduce Socket Optimize, a powerful new CLI tool for proactive dependency hygiene.

Empowering developers to take charge of their dependency health

Socket Optimize is designed to make it easy for developers to reduce dependencies, leverage new platform features, improve performance, and address security issues - all with one simple CLI command.

socket optimize

Inspired by the JavaScript community’s e18e initiative, which aims to improve performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter-weight package alternatives, our new initiative leverages package manager overrides as another strategic way of optimizing and securing your dependencies, beginning with the JavaScript ecosystem.

What are package manager overrides?

Package manager overrides are mechanisms that allow developers to customize or replace specific dependencies within their project's dependency tree. Essentially, overrides enable you to specify alternative versions or entirely different packages for certain dependencies, ensuring that your project uses the most appropriate and secure versions available.

Socket Optimize supports detecting overrides for npm, pnpm, Bun, and Yarn lock files and focuses on four main enhancement areas: cleanup, levelup, speedup, and tuneup.

  • Cleanup ✨ — Reduces dependencies by replacing them with stubs. For instance, polyfills are replaced by their built-in counterparts.
  • Levelup 🧩 — Adds new features and uses the latest platform APIs.
  • Speedup ⚡ — Focuses on performance. Gotta go blazingly lightning fast.
  • Tuneup 🔧 — Addresses CVE vulnerabilities, especially in packages that are lightly maintained or unmaintained, providing secure, reliable alternatives.
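To make the override mechanism concrete, here is an added example (not code from the Socket post or the socket-registry project) that writes a single override into the package.json field each of the four package managers reads: npm and Bun use "overrides", pnpm uses "pnpm.overrides", and Yarn uses "resolutions". The function name, the constructed sample manifest, and the replacement package name "@socketregistry/is-regexp" are assumptions for illustration.

```javascript
// Hypothetical helper: returns a copy of a package.json object with one
// dependency name redirected to a replacement package for the given manager.
// The "npm:<pkg>@<range>" alias form is what lets an override point at a
// different package rather than just a different version of the same one.
const MANAGER_FIELD = {
  npm: ['overrides'],
  bun: ['overrides'],
  pnpm: ['pnpm', 'overrides'],
  yarn: ['resolutions'],
};

function applyOverride(pkgJson, depName, replacement, manager) {
  const path = MANAGER_FIELD[manager];
  if (!path) throw new Error(`unsupported package manager: ${manager}`);
  const out = structuredClone(pkgJson); // never mutate the caller's manifest

  // Walk (and create) the nested objects, e.g. out.pnpm.overrides
  let node = out;
  for (const key of path.slice(0, -1)) {
    node[key] = node[key] ?? {};
    node = node[key];
  }
  const field = path[path.length - 1];
  node[field] = { ...(node[field] ?? {}), [depName]: replacement };

  // npm rejects an override that conflicts with the root's own direct
  // dependency spec, so keep the two in sync when the package is direct.
  if (manager === 'npm' && out.dependencies && depName in out.dependencies) {
    out.dependencies[depName] = replacement;
  }
  return out;
}

// Constructed sample manifest: "is-regexp" is a direct dependency here.
const samplePkg = {
  name: 'demo-app',
  dependencies: { 'is-regexp': '^2.0.0', 'some-lib': '^1.0.0' },
};

const REPLACEMENT = 'npm:@socketregistry/is-regexp@^1.0.0'; // assumed name

function demo() {
  return {
    npm: applyOverride(samplePkg, 'is-regexp', REPLACEMENT, 'npm'),
    pnpm: applyOverride(samplePkg, 'is-regexp', REPLACEMENT, 'pnpm'),
    yarn: applyOverride(samplePkg, 'is-regexp', REPLACEMENT, 'yarn'),
  };
}
```

After installing with the rewritten manifest, the lock file is what Socket Optimize inspects, so diff it to confirm that only the intended package was swapped.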

The Socket Registry: A Collection of Optimized Package Overrides

Today we’re launching the Socket Registry, a growing collection of 128 optimized package overrides for use with the @socketsecurity/cli.

Every override:

  • Passes 100% 💯 of the original package's unit tests to ensure compatibility
  • Is interoperable with CommonJS (no module format headaches)
  • Retains copies of original licenses and is compatible with MIT
  • Ships with TypeScript types
  • Supports current and LTS Node versions

Collaborating with the Open Source Community to Improve Package Overrides

While creating the registry, we report bugs and collaborate with maintainers to address issues along the way (1, 2, 3, 4, 5, 6). We have also taken steps to improve npm package override support, working through open source channels to ensure our contributions benefit the wider community.

Although our initial focus is on the JavaScript ecosystem, we have plans to expand into other ecosystems, such as Ruby and Python.

We'd love to hear from maintainers and to empower them, encouraging broader discussion and participation in the ecosystem.

How to Contribute

We’ve made it easy to add new overrides, with one command to automatically validate, create, pull in licenses and tests, and tie up all the loose ends.

To create an npm ecosystem package override, initialize the socket-registry-js repository with your favorite package manager, e.g. npm install, and run:

npm run make:npm-package [<package-name>]

Follow the prompts to create the scaffolding for your shiny new override. Fill in all sections marked with TODO: comments, commit, and send a pull request!

Our goal is to empower developers to take charge of their dependency health by optimizing dependencies with intelligent overrides. Every package you use from this registry is tested, typed, and optimized, with few or no dependencies.

As a supply chain security company that’s dedicated to protecting your projects from malicious code, we also recognize the importance of actively contributing to the underlying health and sustainability of the open source ecosystem. By promoting high-quality packages and best practices, we’re hoping to help maintainers and developers create more secure, performant, and reliable software. We’re excited to see how Socket Optimize will benefit your projects and we welcome your contributions!
