Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
CLI tool for Socket.dev
npm install -g socket
socket --help
socket info webtorrent@1.9.1
socket report create package.json --view
socket report view QXU8PmK7LfH608RAwfIKdbcHgwEd_ZeWJ9QEGv05FJUQ
socket wrapper --enable
socket npm [args...]
and socket npx [args...]
- Wraps npm
and npx
to
integrate Socket and preempt installation of alerted packages using the
builtin resolution of npm
to precisely determine package installations.
socket optimize
- Optimize dependencies with
@socketregistry
overrides!
(👀 our blog post)
--pin
- Pin overrides to their latest version.--prod
- Add overrides for only production dependencies.socket cdxgen [command]
- Call out to
cdxgen. See
their documentation
for commands.
socket info <package@version>
- Look up issues for a package.
socket raw-npm [args...]
and socket raw-npx [args...]
- Temporarily
disable the Socket 'safe-npm' wrapper.
socket report create <path(s)-to-folder-or-file>
- Create a report on
Socket.dev
Upload the specified package.json
and lock files for JavaScript, Python, and
Go dependency manifests. If any folder is specified, the ones found in there
recursively are uploaded.
Glob patterns such as **/package.json
, **/requirements.txt
,
**/pyproject.toml
, and **/go.mod
is supported.
Intuitively ignores files matching your project's .gitignore
, the
projectIgnorePaths
in your project's
socket.yml
, and a sensible set of
default ignore patterns.
socket report view <report-id>
- Look up issues and scores from a report.
socket wrapper --enable
and socket wrapper --disable
- Enable and disable
the Socket 'safe-npm' wrapper.
All aliases support the flags and arguments of the commands they alias.
socket ci
- alias for socket report create --view --strict
which creates a
report and quits with an exit code if the result is unhealthy. Use like eg.
socket ci .
for a report for the current folder--view
- when set on socket report create
the command will immediately do
a socket report view
style view of the created report, waiting for the
server to complete it--json
- outputs result as json which you can then pipe into
jq
and other tools--markdown
- outputs result as markdown which you can then copy into an
issue, PR or even chat--all
- by default only high
and critical
issues are included, by
setting this flag all issues will be included--strict
- when set, exits with an error code if report result is deemed
unhealthy--dry-run
- like all CLI tools that perform an action should have, we have a
dry run flag. Eg. socket report create
supports running the command without
actually uploading anything--debug
- outputs additional debug output. Great for debugging, geeks and us
who develop. Hopefully you will never need it, but it can still be fun,
right?--help
- prints the help for the current command. All CLI tools should have
this flag--version
- prints the version of the tool. All CLI tools should have this
flagThe CLI reads and uses data from a
socket.yml
file in the folder you
run it in. It supports the version 2 of the socket.yml
file format and makes
use of the projectIgnorePaths
to excludes files when creating a report.
SOCKET_SECURITY_API_KEY
- if set, this will be used as the API-keySOCKET_SECURITY_API_BASE_URL
- if set, this will be the base for all
API-calls. Defaults to https://api.socket.dev/v0/
SOCKET_SECURITY_API_PROXY
- if set to something like
http://127.0.0.1:9090
,
then all request will be proxied through that proxy@socketsecurity/sdk
- the SDK
used in this CLIFAQs
CLI tool for Socket.dev
The npm package socket receives a total of 892 weekly downloads. As such, socket popularity was classified as not popular.
We found that socket demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.