Case study

Vercel Optimizes Open Source Dependency Management with Socket: Reduced Sprawl, Improved Hygiene, and Faster Decision-Making

Highlights:

Socket significantly reduces dependency sprawl and improves OSS dependency hygiene by providing discoverability of packages and highlighting overlapping dependencies.

Socket's comprehensive security scorecards drastically reduce the amount of manual work required for developers to determine what is a reliable library, enabling faster decision making.

Socket's seamless integration into Vercel's workflows offers context-appropriate tools that enable developers to self-remediate issues.

Socket added the ability to block zero-day software supply chain attacks and analyze dependencies for risky behavior.

About Vercel

Vercel is revolutionizing how apps are built and delivered. The company has built dynamic user experiences on the web for customers like Under Armour, Nintendo, The Washington Post, Porsche, and Zapier. Vercel is trusted as the most secure platform for Next.js and developer experience is critically important to everything they create.

For Aaron Brown, who oversees all aspects of security at Vercel, the problem was not just about finding vulnerabilities but managing dependency sprawl and ensuring that developers can continue to work effectively.

The Challenge

Prior to partnering with Socket, Vercel made use of native tooling within GitHub, which, despite its utility, proved to be very noisy and frustrating for developers. The team struggled with dependency sprawl, a common issue in software development where projects become bogged down with too many dependencies, including overlapping transitive dependencies, which can introduce security vulnerabilities and maintenance headaches.

"Our primary challenge was managing our dependencies in a way that didn't slow us down," Brown said. "We are managing a significant number of API services within a very large monorepo, along with overseeing a diverse array of additional repositories and technological assets, and our previous tools were not meeting us where we needed. They either lacked the necessary features or were too cumbersome to use efficiently."

Vercel Cuts Dependency Sprawl and Improves Developer Efficiency with Socket

After a thorough evaluation of various dependency management solutions, Socket emerged as the clear choice for several reasons. In addition to providing robust security features that block malicious packages and other software supply chain attacks, Socket offers support for the pnpm package manager, which was critical for Vercel's monorepo setup.

Socket's proactive approach to dependency management is helping Vercel's engineers achieve a cleaner, more secure "OSS estate," reducing the cognitive load on developers and enabling them to focus on innovation rather than maintenance.

"Where we’ve seen the most lift on our side is in dependency health and dependency sprawl," Brown said. "Socket helped us get over the hurdle of continuous manual analysis, helping answer questions like 'Is this a dependency I should be pulling in?' and 'What other versions should I have?' Socket makes it easier to answer these questions."

Aaron Brown, Head of Security, Vercel

Building Trust with Context-Appropriate Tools that Go Beyond CVE Scanning

Socket's "phased rollout" features were developed in collaboration with the Vercel team, and enabled Vercel to roll out Socket using a progressive approach, which was important for their monorepo. This helped the team gain trust with the tool as it was rolled out over additional scopes.

Discoverability was another important factor in Vercel's decision to use Socket.

Socket's scorecards for packages help Vercel quickly assess the quality of a dependency's maintenance and other metrics that are important to understanding the security of a package. Previously, this determination was more of a manual process where developers would need to prepare this data themselves. Package scorecards have drastically reduced the amount of manual work for determining what is a reliable library, enabling faster decision making.

Socket's integration into Vercel's development workflows was seamless, requiring no significant changes to their existing processes. The company's engineering team found that the tools offer context-appropriate alerts, in line with the software development lifecycle: where code is being pushed and where the conversation about that code is happening.

"This is table stakes for any tool," Brown said. "If you cannot provide context within the scope of the work then all you’re doing is providing hurdles."

For companies like Vercel, navigating the complexities of application security in the modern development landscape requires tools that are not only effective but also efficient and developer-friendly. Socket has proven to be an invaluable partner in their quest for a secure, efficient, and productive development environment.
