socket
CLI for Socket.dev
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/bootstrap.js | AI (source-diff): Long strings in bundled CLI output are normal esbuild artifacts; stable for this package. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-smol.js | AI (source-diff): Socket CLI ships esbuild-bundled dist files; minified output is expected and stable for this package. | ai | |
| source-diff | encoded-string-file:dist/vendor.js | AI (source-diff): Encoded string is a TUF root.json for sigstore.dev — legitimate supply-chain integrity data bundled by Socket's own CLI. | ai | |
| source-diff | obfuscated-file:external/@socketsecurity/registry/external/@inquirer/confirm.js | AI (source-diff): Bundled/minified third-party dependency in external/ directory; Socket CLI intentionally vendors deps this way. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects intentional vendoring of npm/pacote/blessed dependencies into the package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Socket CLI bundles external deps into external/ and dist/; large file count is expected for this package. | ai | |
| phantom-deps | phantom-dep:@socketsecurity/socket-patch | AI (phantom-deps): First-party Socket dep; referenced in config, not directly imported — stable false positive for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool intentionally passes env to child processes; stable pattern for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): blessed terminal library uses new Function for terminfo string compilation; known pattern. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): debug.js reads DEBUG_* env vars; standard debug library pattern. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): cacache integrity hash format conversion; benign. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): cacache hash conversion utility; not a payload decoder. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Security CLI wraps npm/pnpm; child_process usage is inherent to its function. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads own dist files by path; not arbitrary user input. Expected in this CLI's bootstrap. | ai | |
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 0 / 2 | |
| 2.0.10 | 0 / 2 | |
| 2.0.9 | 0 / 2 | |
| 2.0.8 | 0 / 2 | |
| 2.0.7 | 0 / 2 | |
| 2.0.6 | 0 / 2 | |
| 1.1.118 | 1 / 101 | |
| 1.1.117 | 1 / 101 | |
| 1.1.116 | 1 / 101 | |
| 1.1.115 | 1 / 101 | |
| 1.1.114 | 1 / 101 | |
| 1.1.113 | 1 / 101 | |
| 1.1.112 | 1 / 101 | |
| 1.1.111 | 1 / 101 | |
| 1.1.110 | 1 / 101 | |
| 1.1.109 | 1 / 101 | |
| 1.1.108 | 1 / 101 | |
| 1.1.107 | 1 / 101 | |
| 1.1.105 | 1 / 101 | |
| 1.1.104 | 1 / 101 | |
| 1.1.103 | 1 / 101 | |
| 1.1.102 | 1 / 101 | |
| 1.1.101 | 1 / 101 | |
| 1.1.100 | 1 / 101 | |
| 1.1.99 | 1 / 101 | |
| 1.1.98 | 1 / 101 | |
| 1.1.97 | 1 / 101 | |
| 1.1.96 | 1 / 101 | |
| 1.1.95 | 1 / 101 | |
| 1.1.94 | 1 / 101 | |
| 1.1.93 | 1 / 101 | |
| 1.1.92 | 1 / 101 | |
| 1.1.91 | 1 / 101 | |
| 1.1.90 | 1 / 101 | |
| 1.1.89 | 1 / 101 | |
| 1.1.88 | 1 / 101 | |
| 1.1.87 | 1 / 101 | |
| 1.1.86 | 1 / 101 | |
| 1.1.85 | 1 / 101 | |
| 1.1.84 | 1 / 101 | |
| 1.1.83 | 1 / 101 | |
| 1.1.82 | 1 / 101 | |
| 1.1.81 | 1 / 101 | |
| 1.1.80 | 1 / 101 | |
| 1.1.79 | 1 / 101 | |
| 1.1.78 | 1 / 101 | |
| 1.1.77 | 1 / 101 |
v2.1.0
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.10
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.9
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.8
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.7
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.118
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.117
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.116
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.115
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.114
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.113
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.112
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.111
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.110
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.109
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.108
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.107
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.105
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.104
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.103
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.102
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.101
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.100
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.99
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.98
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.97
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.96
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.95
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.94
2 findings
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.93
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.92
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.91
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.90
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.89
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.88
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/SocketDev/socket-cli/blob/471b7aa396f4eb812d133b210444d6a33c79a136/bin/cli.js#L33
```js
  31 | ],
  32 | {
> 33 | env: {
  34 | ...process.env,
  35 | ...constants.processEnv,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/SocketDev/socket-cli/blob/471b7aa396f4eb812d133b210444d6a33c79a136/external/@socketsecurity/registry/external/@npmcli/package-json/index.js#L14065
```js
  14063 | ...opts,
  14064 | shell: false,
> 14065 | env: opts.env || {
  14066 | ...finalGitEnv,
  14067 | ...process.env
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/SocketDev/socket-cli/blob/471b7aa396f4eb812d133b210444d6a33c79a136/external/@socketsecurity/registry/lib/spawn.js#L173
```js
  171 | // object with a null [[Prototype]].
  172 | // https://github.com/nodejs/node/blob/v24.0.1/lib/child_process.js#L674-L678
> 173 | env: {
  174 | __proto__: null,
  175 | ...process.env,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.87
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.86
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.85
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.84
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.83
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.82
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.81
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.80
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.79
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.78
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.77
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.