The npm registry's safe word is Socket

Exclusive: Socket has found a way to protect developers from npm, GitHub's insufficiently safe JavaScript package manager, by wrapping it in a security blanket.

The npm registry, operated by NPM until the security biz was acquired by Microsoft's GitHub in 2020, hosts software packages for the JavaScript ecosystem. It is, by its own account, "the world's largest software registry."

In the past few years, the maliciously inclined have increasingly focused on compromising package registries like npm in what's known as a supply chain attack. Subverting a popular software library has the potential to enable widespread viral distribution.

Those running the npm registry have put in place various defenses over the years, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). But the tool's implementation leaves something to be desired and developers often ignore audit warning messages, particularly if automated resolution doesn't work.

Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit - covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns.

Ring in some changes

But Socket's scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket plans to update its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others.

"npm creates what is called the 'ideal tree' for a given package.json," Feross Aboukhadijeh explained to The Register. "So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version."

The cause for this concern is that JavaScript packages distributed via npm can be compromised. According to Aboukhadijeh, Socket has seen more than 200 packages removed just in the past 30 days.
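The "ideal tree" effect Aboukhadijeh describes, as an added illustration that is not part of the original article or of Socket's or npm's code: a deliberately simplified, flat resolver over a constructed toy registry shows that uninstalling one package (legacy-plugin, which pins lodashy below 2.0) also silently upgrades a package that was never touched. Package names, versions and ranges are all constructed; npm's real resolver additionally nests conflicting versions instead of failing.

```javascript
// Constructed toy registry: package name -> published versions, ascending.
const REGISTRY = {
  lodashy: ["1.0.0", "1.5.0", "2.0.0", "2.1.0"],
  "legacy-plugin": ["1.0.0"],
};
// Constructed dependency ranges declared by each package's own package.json.
const DEPS = {
  "legacy-plugin": { lodashy: "^1.0.0" }, // keeps lodashy on the 1.x line
  lodashy: {},
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Minimal semver matcher: "*", "^x.y.z", ">=x.y.z", "<x.y.z" or an exact version.
function satisfies(version, range) {
  if (range === "*") return true;
  const v = parse(version);
  if (range.startsWith("^")) {
    const base = parse(range.slice(1)); // ^ keeps the major (and the minor for 0.x)
    return cmp(v, base) >= 0 && v[0] === base[0] && (base[0] > 0 || v[1] === base[1]);
  }
  if (range.startsWith(">=")) return cmp(v, parse(range.slice(2))) >= 0;
  if (range.startsWith("<")) return cmp(v, parse(range.slice(1))) < 0;
  return cmp(v, parse(range)) === 0;
}

// Flat "ideal tree": walk every dependency reachable from the root's package.json,
// collect all ranges requested for each name, then pick the highest version that
// satisfies all of them (npm's hoisting and dedupe in miniature).
function idealTree(rootDeps) {
  const ranges = {};
  const queue = Object.entries(rootDeps);
  while (queue.length) {
    const [name, range] = queue.shift();
    if (ranges[name]) { ranges[name].push(range); continue; } // already expanded
    ranges[name] = [range];
    for (const [dep, r] of Object.entries(DEPS[name] ?? {})) queue.push([dep, r]);
  }
  const tree = {};
  for (const [name, rs] of Object.entries(ranges)) {
    const ok = REGISTRY[name].filter((v) => rs.every((r) => satisfies(v, r)));
    if (!ok.length) throw new Error(`no version of ${name} satisfies ${rs.join(", ")}`);
    tree[name] = ok[ok.length - 1];
  }
  return tree;
}

// Packages whose resolved version changed even though only another package was removed.
function upgradedByUninstall(before, after) {
  return Object.keys(after).filter((n) => before[n] && before[n] !== after[n]);
}
```

With both packages present, lodashy resolves to 1.5.0; after "uninstalling" legacy-plugin the same call returns lodashy 2.1.0, which is exactly the newly pulled code a safe npm wrapper would want to inspect before it lands on disk.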

Aboukhadijeh said that the average npm package has 79 transitive dependencies, so installing one is likely to bring dozens of additional packages along for the ride. And vetting all of those manually is not something most people have the ability, time, or inclination to do.

While using npm audit may surface known vulnerabilities, the Socket CLI now goes deeper, thanks to the addition of the safe npm command. It can be set up by running npm install -g @socketsecurity/cli, which adds a socket command to the PATH environment variable that specifies where executable programs can be found.

Thereafter, developers can invoke the tool by entering socket npm install instead of npm install. And aliasing the command can make this more convenient still. The org recommends that developers add alias npm="socket npm" to their .bashrc profile (or .zshrc, or whatever shell is being used) so that the familiar npm install invocation passes transparently to the Socket CLI.

"Socket's safe npm tool transparently wraps the npm command and protects the developer from malware, typosquats, install scripts, telemetry, protestware, and more - 11 issues in all," it said.

This approach can also guard against more fraught commands like npx and npm exec, which immediately execute downloaded code.

"Due to the prolific usage of these commands, we made sure to add protection for these commands too, so that you don't accidentally run bad code by copy-pasting an npx command from a README file or StackOverflow answer and get compromised," the biz promised. ®
