The NPM Registry's Safe Word is Socket - Slashdot

Do you develop on GitHub? You can keep using GitHub but automatically sync your GitHub releases to SourceForge quickly and easily with this tool so your projects have a backup location, and get your project in front of SourceForge's nearly 30 million monthly users. It takes less than a minute. Get new users downloading your project releases today!

Sign up for the Slashdot newsletter! or check out the new Slashdot job board to browse remote jobs or jobs in your area.

An anonymous reader shares a report: Socket has found a way to protect developers from npm, GitHub's insufficiently safe JavaScript package manager, by wrapping it in a security blanket. The npm registry, operated by NPM until the security biz was acquired by Microsoft's GitHub in 2020, hosts software packages for the JavaScript ecosystem. It is, by its own account, "the world's largest software registry." In the past few years, the maliciously inclined have increasingly focused on compromising package registries like npm in what's known as a supply chain attack. Subverting a popular software library has the potential to enable widespread viral distribution. Those running the npm registry have put in place various defenses over the years, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). But the tool's implementation leaves something to be desired and developers often ignore audit warning messages, particularly if automated resolution doesn't work.

Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit -- covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns. But Socket's scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others. "npm creates what is called the 'ideal tree' for a given package.json," explained Feross Aboukhadijeh, told The Register. "So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version."