Vercel Optimizes Open Source Dependency Management with Socket: Reduced Sprawl, Improved Hygiene, and Faster Decision-Making

About Vercel#

Vercel is revolutionizing how apps are built and delivered. The company has built dynamic user experiences on the web for customers like Under Armour, Nintendo, The Washington Post, Porsche, and Zapier. Vercel is trusted as the most secure platform for Next.js and developer experience is critically important to everything they create.

For Aaron Brown, who oversees all aspects of security at Vercel, the problem was not just about finding vulnerabilities but managing dependency sprawl and ensuring that developers can continue to work effectively.

The Challenge#

Prior to partnering with Socket, Vercel made use of native tooling within GitHub, which, despite its utility, proved to be very noisy and frustrating for developers. The team struggled with dependency sprawl, a common issue in software development where projects become bogged down with too many dependencies, including overlapping transitive dependencies, which can introduce security vulnerabilities and maintenance headaches.

"Our primary challenge was managing our dependencies in a way that didn't slow us down," Brown said. "We are managing a significant number of API services within a very large monorepo, along with overseeing a diverse array of additional repositories and technological assets, and our previous tools were not meeting us where we needed. They either lacked the necessary features or were too cumbersome to use efficiently."

Vercel Cuts Dependency Sprawl and Improves Developer Efficiency with Socket#

After a thorough evaluation of various dependency management solutions, Socket emerged as the clear choice for several reasons. In addition to providing robust security features that block malicious packages and other software supply chain attacks, Socket offers support for the pnpm package manager, which was critical for Vercel's monorepo setup.

Socket's proactive approach to dependency management is helping Vercel's engineers achieve a cleaner, more secure "OSS estate," reducing the cognitive load on developers and enabling them to focus on innovation rather than maintenance.

"Where we’ve seen the most lift on our side is in dependency health and dependency sprawl," Brown said. "Socket helped us get over the hurdle of continuous manual analysis, helping answer questions like 'Is this a dependency I should be pulling in?' and 'What other versions should I have?' Socket makes it easier to answer these questions."

Building Trust with Context-Appropriate Tools that Go Beyond CVE Scanning#

Socket's "phased rollout" features were developed in collaboration with the Vercel team, and enabled Vercel to roll out Socket using a progressive approach, which was important for their monorepo. This helped the team gain trust with the tool as it was rolled out over additional scopes.

Discoverability was another important factor in Vercel's decision to use Socket.

Socket's scorecards for packages help Vercel quickly assess the quality of a dependency's maintenance and other metrics that are important to understanding the security of a package. Previously, this determination was more of a manual process where developers would need to prepare this data themselves. Package scorecards have drastically reduced the amount of manual work for determining what is a reliable library, enabling faster decision making.

Socket's integration into Vercel's development workflows was seamless, requiring no significant changes to their existing processes. The company's engineering team found the tools to offer context-appropriate alerts, inline with the software development lifecycle where code is being pushed and where conversation is happening around that code.

"This is table stakes for any tool," Brown said. "If you cannot provide context within the scope of the work then all you’re doing is providing hurdles."

For companies like Vercel, navigating the complexities of application security in the modern development landscape requires tools that are not only effective but also efficient and developer-friendly. Socket has proven to be an invaluable partner in their quest for a secure, efficient, and productive development environment.