
socket npm & socket npx

🚧 New here? Use Socket Firewall instead

"safe npm" (the socket npm / socket npx wrapper) is Socket's original install-time protection, and it only covers npm. Socket Firewall (sfw) is the recommended successor: it does the same job, blocking malicious and risky packages before they're installed, but works across far more package managers and ecosystems (npm, yarn, pnpm, pip, uv, cargo, and, on Enterprise, Go, Maven/Gradle, Ruby, and .NET) and with no Socket account required to get started.

  • Socket Firewall Free: zero config and no API key; just prefix sfw to a command (e.g. sfw npm install).
  • Socket Firewall Enterprise: adds configurable security policies, private-registry support, package allow-lists, dashboard visibility, and service/proxy deployment modes.

If you're already using "safe npm," the rest of this page still applies.

Socket integrates with npm and npx so that packages are checked through Socket before anything is installed, helping you avoid installing malicious packages. These commands require a Socket API token (see socket login).

These integrations behave the same as npm and npx. Everything after npm/npx is passed straight through to the underlying command; only the --dry-run and --help flags are intercepted. Additionally, for tooling that needs to invoke them as a single binary, the aliases socket-npm and socket-npx are installed alongside.

$ socket npm --help

  Wraps npm with Socket security scanning

  Usage
    $ socket npm ...

  API Token Requirements
    - Quota: 100 units
    - Permissions: packages:list

  Note: Everything after "npm" is passed to the npm command.
        Only the `--dry-run` and `--help` flags are caught here.

  Use `socket wrapper on` to alias this command as `npm`.

  Examples
    $ socket npm
    $ socket npm install -g cowsay
    $ socket npm exec cowsay

socket npm [args...] and socket npx [args...]

Runs npm or npx and checks every package that would be installed against Socket before it is installed, so you can refuse malicious packages. It uses npm's own built-in resolution to determine precisely which packages an install would add.

socket wrapper on

When you enable the wrapper this way, a shell alias is created so that running npm invokes socket npm; the same is done for npx. Use socket wrapper off to remove the aliases again.

FAQ

Not seeing an alert with socket npm install foo

A prompt to accept the risk of installing a package is shown only for packages that Socket alerts on. Additionally, if a different version of the same package is already installed and it carries the same issue as the version being installed, no prompt is shown.

NOTE: By default these wrappers use Socket's standard issue set to decide what to prompt on.

Seeing alerts with socket npm rm foo, or seeing alerts for an unrelated package with socket npm install foo

One might think that removing a package can only reduce exposure, but with package management it is not that straightforward.

npm normally computes what it calls the ideal tree for a given package.json, and removing a package can change what that ideal tree is. Suppose foo depends on a version of bar that constrains it to 1.1.x, while a different dependency baz depends on a version of bar that allows any 1.x.x. A newer bar outside 1.1.x (a 1.2.x release, say) is then only eligible once foo is removed from package.json, so npm rm foo can pull in a bar that was never installed before, and that bar may be what Socket alerts on.

The ideal tree also drives behaviour such as automatic updates when running npm install in its default configuration. If bar is declared in your package.json with a range, a newer bar that satisfies the range may be picked up during an install even when the package being installed is unrelated to bar in any way, which is why an install of foo can produce an alert about bar.
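The two cases above can be made concrete with a small resolver. The following is an added example (not Socket's or npm's own code): it models one package's resolution as "highest published version that satisfies every remaining constraint" and shows that dropping foo's 1.1.x constraint lets bar move from the 1.1.x line to 1.2.0. Package names, ranges and the published version list are constructed for illustration, and the range matcher handles only plain x-ranges such as 1.1.x and 1.x.x, not the full semver grammar npm accepts.

```javascript
// Added illustration, not code from Socket or npm. Models why removing foo
// can change which version of bar npm's ideal tree selects.

// Parse an x-range like "1.1.x" or "1.x.x" into [major, minor, patch],
// with null standing for a wildcard component. Only this subset of semver
// ranges is supported here (assumption: enough to show the mechanism).
function parseRange(range) {
  const parts = range.split('.');
  if (parts.length !== 3) throw new Error(`unsupported range: ${range}`);
  return parts.map((p) => (p === 'x' || p === '*' ? null : Number(p)));
}

// Parse a concrete version "1.2.0" into [1, 2, 0].
function parseVersion(version) {
  const n = version.split('.').map(Number);
  if (n.length !== 3 || n.some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  return n;
}

// True if every non-wildcard component of the range matches the version.
function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every((part, i) => part === null || part === v[i]);
}

// Numeric major.minor.patch ordering.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Highest published version satisfying all constraints, or null if none does.
function resolve(published, constraints) {
  const ok = published.filter((v) => constraints.every((c) => satisfies(v, c)));
  if (ok.length === 0) return null;
  ok.sort(compareVersions);
  return ok[ok.length - 1];
}

// Collect the constraints every dependent places on `target`, optionally
// pretending one dependent has been removed (what `npm rm` does), and resolve.
function idealVersion(graph, target, published, { removed = null } = {}) {
  const constraints = Object.entries(graph)
    .filter(([name]) => name !== removed)
    .map(([, deps]) => deps[target])
    .filter(Boolean);
  return resolve(published, constraints);
}

// Constructed dependency graph from the FAQ: foo pins bar to 1.1.x, baz allows 1.x.x.
const graph = {
  foo: { bar: '1.1.x' },
  baz: { bar: '1.x.x' },
};
// Constructed list of versions "published" for bar.
const barVersions = ['1.0.0', '1.1.0', '1.1.3', '1.2.0'];

// Resolve bar with foo present and after `npm rm foo`.
function demo() {
  const before = idealVersion(graph, 'bar', barVersions);
  const after = idealVersion(graph, 'bar', barVersions, { removed: 'foo' });
  return { before, after, changed: before !== after };
}

const { before, after } = demo();
console.log(`bar with foo present: ${before}; after removing foo: ${after}`);
```

The same resolver explains the second case: if your own package.json lists bar with a range such as 1.x.x, any install that recomputes the tree without a lockfile pin may move bar to 1.2.0, so the alert appears even though the command named a different package.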

Aliasing as npm or npx

socket npm automatically detects whether it sits ahead of npm in your PATH, and if it does not it prepends itself to PATH so that nested invocations are intercepted too. This means that a command such as socket npm run script-with-npx already intercepts the npx call inside the script without any change to your package.json.

If you would rather not type socket npm each time, add shell aliases like the following to your .bashrc or .zshrc. This is what socket wrapper on does for you:

alias npm="socket npm"
alias npx="socket npx"

For zsh autocompletions you may wish to add the following as well.

compdef _npm socket-npm

For bash autocompletions you may wish to add the following as well.

$(complete -p npm | sed 's/npm$/socket-npm/')

Combining with npq

npq, an alternative CLI that performs pre-install syntactic and CVE checks, does not integrate directly into a package manager for installation. You can set the environment variable NPQ_PKG_MGR=socket-npm so that npq hands the install to Socket's wrapper, and add an alias such as alias yarn="NPQ_PKG_MGR=yarn npq-hero" to use both together.

NOTE: Because socket npm performs a full transitive scan and integrates into npm's resolution, npq is expected to be faster: it does less work.