At Socket, we've been working hard to make it easier than ever to focus on your code without worrying about the security of your open-source dependencies. Today, we're excited to announce the public beta of the Socket browser extension which helps you pick better packages by adding Socket package metrics to the NPM package and search pages. The extension is available for Chrome, Firefox, and any Chromium-based browser such as Edge and Brave.
Socket analyzes potential vulnerabilities and unwanted behavior throughout your entire dependency tree. With the Socket extension, you can verify that the NPM package you're about to install is secure and trustworthy.
Extension tour
Let's say we're looking for an NPM package for creating peer-to-peer connections.

p2p has a pretty low Socket score (as we can see from the tiny bar next to the "S"). That means p2p could potentially be dangerous to the security of our open-source supply chain. gun and bitcore-lib have better scores, but they don't seem to be made for general-purpose P2P, so let's just check out p2p for now.
It seems that although the p2p package is of decent quality, it's not very actively maintained and has many potential vulnerabilities. We can investigate the issues further by clicking on them in Socket's issue panel, but we'll instead head back to the search page to explore potential alternatives.
A few results down, we find a package based on WebRTC that's actually made for P2P data exchange in web browsers. And it has a good Socket score!
We open the NPM package page and see more detailed metrics about the impact simple-peer could have on our security. We can also see that it's a pretty popular package, since all the original NPM metrics are still visible.

Since simple-peer seems to be a secure, popular package that matches what we're looking for, we can install it with confidence!
Watch a quick video walkthrough!
Installation
If you're on Chrome, Edge, Brave, or another Chromium-based browser, you can install the extension from its page on the Chrome Web Store.
The Firefox version of the extension is available on Firefox Add-Ons.
Safari is not yet officially supported, but we're working on it!
Future plans
In the near term, we're hoping to add support for Safari. We also plan to eventually add support for other package repositories, such as PyPI. For now, feel free to install our extension to speed up your open-source package review process. Let us know if you find any bugs!
If you like our extension, why not ensure the security of your entire project as it grows and matures? Install Socket's GitHub app and get protected today!