July 31, 2023
At Socket, we've been working hard to make it easier than ever to focus on your code without worrying about the security of your open-source dependencies. Today, we're excited to announce the public beta of the Socket browser extension which helps you pick better packages by adding Socket package metrics to the NPM package and search pages. The extension is available for Chrome, Firefox, and any Chromium-based browser such as Edge and Brave.
Socket analyzes potential vulnerabilities and unwanted behavior throughout your entire dependency tree. With the Socket extension, you can verify that the NPM package you're about to install is secure and trustworthy.
Let's say we were looking for an NPM package for creating peer-to-peer connections.
p2p has a pretty low Socket score (as we can see from the tiny bar next to the "S"). That means p2p could potentially be dangerous to the security of our open-source supply chain.
bitcore-lib have better scores, but they don't seem to be made for general-purpose P2P, so let's just check out p2p for now.
It seems that although the p2p package is of decent quality, it's not very actively maintained and has many potential vulnerabilities. We can investigate the issues further by clicking on the issues in Socket's issue panel, but we'll instead head back to the search page to explore potential alternatives.
A few results down, we find a package based on WebRTC that's actually made for P2P data exchange in web browsers. And it has a good Socket score!
We open the NPM package page and see more detailed metrics about the impact simple-peer could have on our security. We see that it's a pretty popular package, since all the original NPM metrics are still visible.
Since simple-peer seems to be a secure, popular package that matches what we're looking for, we can install it with confidence!
If you're on Chrome, Edge, Brave, or another Chromium-based browser, you can install the extension from its page on the Chrome Web Store.
The Firefox version of the extension is available on Firefox Add-Ons.
Safari is not yet officially supported, but we're working on it!
In the near term, we're hoping to add support for Safari. We also plan to eventually add support for other package repositories like PyPI. For now, feel free to install our extension to speed up your open-source package review process. Let us know if you find any bugs!
If you like our extension, why not ensure the security of your entire project as it grows and matures? Install Socket's GitHub app and get protected today!