The NPM Registry's Safe Word is Socket - Slashdot
source link: https://developers.slashdot.org/story/23/03/16/191205/the-npm-registrys-safe-word-is-socket
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
The NPM Registry's Safe Word is Socket
Follow Slashdot stories on Twitter
binspamdupenotthebestofftopicslownewsdaystalestupid freshfunnyinsightfulinterestingmaybe offtopicflamebaittrollredundantoverrated insightfulinterestinginformativefunnyunderrated descriptive typodupeerror
Sign up for the Slashdot newsletter! or check out the new Slashdot job board to browse remote jobs or jobs in your area.
The NPM Registry's Safe Word is Socket (theregister.com) 15
Posted by msmash
on Thursday March 16, 2023 @03:23PM from the closer-look dept.Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit -- covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns. But Socket's scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others. "npm creates what is called the 'ideal tree' for a given package.json," explained Feross Aboukhadijeh, told The Register. "So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version."
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK