Socket CLI
Version 1.1.86 (verified Sat Apr 25)
CLI tool for Socket.dev security analysis of npm dependencies. The current stable version is 1.1.86, with a history of active releases (multiple releases in 2025). It provides commands for scanning, fixing CVEs, optimizing dependencies, and managing security patches. Key differentiators: it wraps npm/npx for real-time security scanning, supports SBOM generation via cdxgen, and offers automated CVE fixing and dependency optimization via @socketregistry overrides. The package is ESM-only and requires Node.js >=18.20.8 and pnpm >=10.33.0.
Common errors

Error: Cannot find module 'tiny-colors'
  Cause: Regression in Node 22+ where ESM packages were moved to the dependencies field incorrectly.
  Fix: Update to socket@0.14.39 or later, which replaces 'tiny-colors' with 'yoctocolors-cjs'.

Error [ERR_REQUIRE_ESM]: require() of ES Module /path/to/socket/index.js not supported.
  Cause: The socket package is ESM-only, so require('socket') fails.
  Fix: Use a static import from an ES module, or dynamic import('socket') from CommonJS.

TypeError: URL.parse is not a function
  Cause: Node 18 does not support URL.parse; the regression was introduced in socket v0.14.67.
  Fix: Upgrade Node to >=18.20.8 or downgrade socket to v0.14.65.
Warnings

Gotcha: The package is ESM-only; using require() throws ERR_REQUIRE_ESM.
  Fix: Use a static import or dynamic import() instead of require().

Breaking: Node.js <18.20.8 is not supported. Starting from version 0.14.40, socket CLI requires Node >=18.20.8.
  Fix: Upgrade Node.js to >=18.20.8 or use an older version of socket CLI.

Gotcha: The 'socket npm' and 'socket npx' commands may interfere with your existing npm/npx workflows if not configured correctly.
  Fix: Use --dry-run to preview changes before actually running commands.

Deprecated: The 'socket optimize' command relies on @socketregistry overrides, which may be deprecated in future versions.
  Fix: Check the release notes for replacement tools or migration guides.
Install

npm install socket
yarn add socket
pnpm add socket

Imports

Default import. Wrong (CommonJS require of an ESM-only package):
  const socket = require('socket')
Correct:
  import socket from 'socket'

Named run export:
  import { run } from 'socket'

Types:
  import type { Config } from 'socket'
Quickstart

// This must live in an ES module: the package is ESM-only and the top-level
// await below is not available in CommonJS.
import { run } from 'socket';

// Arguments exactly as they would be passed to the socket CLI: wrap npm install.
const argv = ['npm', 'install', 'express'];

const config = {
  apiToken: process.env.SOCKET_CLI_API_TOKEN ?? '', // read from the environment, never hard-coded
  orgSlug: process.env.SOCKET_CLI_ORG_SLUG ?? '',
  dryRun: true,  // preview what the scan would do without installing anything
  debug: false,
};

try {
  await run(argv, config);
} catch (err) {
  console.error('Socket scan failed:', err);
  process.exit(1);
}