Also see "What's Really Going On Inside Your node_modules Folder?" for examples of recent supply chain attacks and steps you can take to protect your team: https://socket.dev/blog/inside-node-modules
Wow, awesome to see what you're working on with Socket. I feel it's a much-needed tool.
One question though: how do you think https://socket.dev will compare to https://snyk.io/ and other similar tools? How do you differentiate yourself from competition in the space?
(I've been a big fan of yours since early WebTorrent days.)
Snyk and the entire security industry are obsessed with identifying known vulnerabilities. But they all miss the point.
Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered.
A malicious dependency can be updated, merged, and running in production in days or even hours.
We need to assume all open source may be malicious and try to proactively detect indicators of compromised packages. A better approach is to detect when dependency updates introduce new usage of risky APIs such as network, shell, filesystem, and more.
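As an added illustration of the approach described in the reply above (this is example code written here, not Socket's implementation), the following scanner compares two versions of a package's source files and reports which risky capabilities (network, shell, filesystem, dynamic code) the update newly introduces. It uses a lexical scan of `require()`/`import` references rather than a full AST parser, the package sources are constructed inline, and the package names and versions are made up for the example.

```javascript
// Added example (not Socket's code): flag a dependency update that newly
// introduces use of risky Node.js capabilities. Detection is a simple
// lexical scan of require()/import statements plus a few dynamic-code
// sinks; a production scanner would parse to an AST instead.

// Node built-in modules grouped by the capability they grant.
const RISKY_CAPABILITIES = {
  network: ['net', 'http', 'https', 'http2', 'dgram', 'tls', 'dns'],
  shell: ['child_process'],
  filesystem: ['fs', 'fs/promises'],
  dynamic_code: ['vm'],
};

// Match require('x'), require("x"), import ... from 'x', import('x').
const MODULE_REF_RE =
  /(?:require\s*\(\s*|import\s*\(\s*|\bfrom\s+)['"]([^'"]+)['"]/g;
// Direct eval() and the Function constructor also count as dynamic code.
const DYNAMIC_CODE_RE = /\beval\s*\(|\bnew\s+Function\s*\(/;

// Return the Set of capability names a single source file uses.
function capabilitiesOf(source) {
  const found = new Set();
  for (const match of source.matchAll(MODULE_REF_RE)) {
    const mod = match[1].replace(/^node:/, ''); // normalise 'node:fs' -> 'fs'
    for (const [cap, mods] of Object.entries(RISKY_CAPABILITIES)) {
      if (mods.includes(mod)) found.add(cap);
    }
  }
  if (DYNAMIC_CODE_RE.test(source)) found.add('dynamic_code');
  return found;
}

// A "package" here is just { fileName: sourceText } for each file shipped.
function capabilitiesOfPackage(files) {
  const all = new Set();
  for (const src of Object.values(files)) {
    for (const cap of capabilitiesOf(src)) all.add(cap);
  }
  return all;
}

// Diff two versions: return a sorted array of capabilities present in the
// new version that the old version never used.
function newCapabilities(oldFiles, newFiles) {
  const before = capabilitiesOfPackage(oldFiles);
  const after = capabilitiesOfPackage(newFiles);
  return [...after].filter((cap) => !before.has(cap)).sort();
}

// Constructed sample (hypothetical package): a string utility whose next
// patch release adds an install script that touches the network and a shell.
const padStr_1_0_0 = {
  'index.js': `
    module.exports = function padStr(str, len, ch) {
      str = String(str); ch = ch || ' ';
      while (str.length < len) str = ch + str;
      return str;
    };
  `,
};

const padStr_1_0_1 = {
  'index.js': padStr_1_0_0['index.js'],
  'postinstall.js': `
    const { exec } = require('child_process');
    const https = require('node:https');
    https.get('https://example.invalid/', () => {});
    exec('uname -a');
  `,
};

if (typeof require !== 'undefined' && require.main === module) {
  const introduced = newCapabilities(padStr_1_0_0, padStr_1_0_1);
  console.log(
    introduced.length
      ? `update introduces new capabilities: ${introduced.join(', ')}`
      : 'no new risky capabilities'
  );
}

if (typeof module !== 'undefined') {
  module.exports = { capabilitiesOf, capabilitiesOfPackage, newCapabilities };
}
```

Running the file prints `update introduces new capabilities: network, shell`. The point of diffing capabilities rather than matching against a vulnerability database is that a patch release which suddenly needs `child_process` or `https` is suspicious the moment it is published, with no wait for a CVE; the same check can be run in CI on every lockfile change.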