Safe npm commands ↭ KOLLITSCH.dev*

Socket’s “safe npm” is a command-line tool that wraps the npm command transparently and protects developers from malware, typo squats, install scripts, protestware, telemetry, and more. It works with all npm commands that can install new third-party code, including npm install, npm update, npm uninstall, npm rm, npm exec, and npx.

If safe npm detects a risk, it pauses the installation and informs the developer about it. The developer can either stop the installation and protect their machine or continue the process if they know it’s safe to install.

Installing the wrapper script is easy:

1npm install -g @socketsecurity/cli

After this you can use socket npm install instead of npm install to use the wrapper.

Of course, who likes to learn a new command? Which is why we add the following lines to our .bashrc configuration (or the place where our aliases live):

1alias npm="socket npm"
2alias npx="socket npx"

Done. npm install and it’s siblings will use the safe npm script to execute.

This post is part of #100DaysToOffload 48 posts since Dec 04, 2022 — 85 total posts

Published: Tue, Mar 28, 2023 at 9:57pm (Last Modified: Wed, Mar 29, 2023 at 7:20pm)

Git: a27ebf1973 / History / Blame Suggest edits on GitHub

Tags: #node #devops #security #100-days-to-offload

Share: LinkedIn Facebook