Product
Arjun Barrett
July 31, 2023
At Socket, we've been working hard to make it easier than ever to focus on your code without worrying about the security of your open-source dependencies. Today, we're excited to announce the public beta of the Socket browser extension which helps you pick better packages by adding Socket package metrics to the NPM package and search pages. The extension is available for Chrome, Firefox, and any Chromium-based browser such as Edge and Brave.
Socket analyzes potential vulnerabilities and unwanted behavior throughout your entire dependency tree. With the Socket extension, you can verify that the NPM package you're about to install is secure and trustworthy.
Let's say we were looking for an NPM package for creating peer-to-peer connections.
p2p has a pretty low Socket score (as we can see from the tiny bar next to the "S"). That means p2p could potentially be dangerous to the security of our open-source supply chain. gun and bitcore-lib have better scores, but they don't seem to be made for general-purpose P2P, so let's just check out p2p for now.
It seems that although the p2p package is of decent quality, it's not very actively maintained and has many potential vulnerabilities. We can investigate the issues further by clicking on the issues in Socket's issue panel, but we'll instead head back to the search page to explore potential alternatives.
A few results down, we find a package based on WebRTC that's actually made for P2P data exchange in web browsers. And it has a good Socket score!
We open the NPM package page and see more detailed metrics about the impact simple-peer could have on our security. We see that it's a pretty popular package, since all the original NPM metrics are still visible.
Since simple-peer seems to be a secure, popular package that matches what we're looking for, we can install it with confidence!
If you're on Chrome, Edge, Brave, or another Chromium-based browser, you can install the extension from its page on the Chrome Web Store.
The Firefox version of the extension is available on Firefox Add-Ons.
Safari is not yet officially supported, but we're working on it!
In the near-term, we're hoping to add support for Safari. We also plan to eventually add support for other package repositories like PyPI. For now, feel free to install our extension to speed up your open-source package review process. Let us know if you find any bugs!
If you like our extension, why not ensure the security of your entire project as it grows and matures? Install Socket's GitHub app and get protected today!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
