Safe npm commands ↭ KOLLITSCH.dev*

Socket’s “safe npm” is a command-line tool that wraps the npm command transparently and protects developers from malware, typo squats, install scripts, protestware, telemetry, and more. It works with all npm commands that can install new third-party code, including npm install, npm update, npm uninstall, npm rm, npm exec, and npx.

If safe npm detects a risk, it pauses the installation and informs the developer about it. The developer can either stop the installation and protect their machine or continue the process if they know it’s safe to install.

Installing the wrapper script is easy:

COPY

1npm install -g @socketsecurity/cli

After this you can use socket npm install instead of npm install to use the wrapper.

Of course, who likes to learn a new command? Which is why we add the following lines to our .bashrc configuration (or the place where our aliases live):

COPY

1alias npm="socket npm"
2alias npx="socket npx"

Done. npm install and it’s siblings will use the safe npm script to execute.

This post is part of #100DaysToOffload 47 posts since Apr 22, 2023 — 99 total posts

Published: Tue, Mar 28, 2023 at 9:57pm (Last Modified: Wed, Mar 29, 2023 at 7:11pm)

Git: a27ebf1973 / History / Blame Suggest edits on GitHub

Tags: #node #devops #security #100-days-to-offload

Share: LinkedIn Facebook