Feature Requests

https://github.com/jsr-io/jsr/issues/1254

Hello Socket Support Team, I am writing to appeal a "possible typosquat" flag on my npm package evg_observable ( https://socket.dev/npm/package/evg_observable ). This is a clear false positive, and here is why: Chronology: My package was created 4 years ago. It has a history of 80+ versions. Typosquatting is a technique used for new, malicious packages, not established projects with years of development. Origin of the name: The "evg" prefix is my personal developer shorthand (Evgeniy), which I use for my projects. It is not an attempt to mimic observable-fns. The "Competitor" Irony: Ironically, I only learned about the existence of observable-fns because of your alert. I have since added it to my devDependencies specifically to write benchmarks and compare performance, which further proves that my library is a legitimate alternative, not a clone. Verified Source: The package is linked to my GitHub repository (BarushevEA/light-observable-ts), which has been active for years. Please review this manually and remove the "Supply Chain Risk" label, as it negatively impacts the reputation of a long-standing open-source project. Best regards, E.A. Barushev

Domains ending in .test are guaranteed to never be registered into the Internet. Example report: https://socket.dev/npm/package/mockaton/alerts/11.3.1?alert_name=urlStrings

How can I merge my accounts together and the export them to my external accounts

The organization level issue settings should be configurable at the repo level. Add a settings tab within each repo.

Overview Change from a secret key type auth in VS Code to something that uses the account manager API ( https://code.visualstudio.com/api/references/vscode-api#authentication ). This prevents the secret key from being stored in an unprotected plain/obfuscated text format and remains protected via the various credential protection systems. The Entra credentials in VS Code are protected by Credential Guard and other isolation tech preventing all access to the secret store, even if a threat actor wanted to read encrypted creds, they could not as they are behind hypervisor protection from an access perspective. This also opens a lot of new SSO or SSO scenarios as VS Code is frequently already authenticated to Entra ID or GitHub or both, allowing for the easy, (sometimes) non-interactive, automatic login of the extension. This allows for integration to audit systems as standard auth APIs are frequently integrated into SEIMs and other various security systems (e.g. Entra ID Identity protection) Standard Auth APIs allow for 3rd party integration too allowing for even more integration and 3rd party friendliness without needing to anything or partner to get your integrations to other products. Tl;Dr As a threat actor I can steal the API keys from disk for your end users pretty easily. Please stop storing the authentication secrets as API keys and instead use the auth APIs.

It would be helpful if optional dependencies were labeled as optional on the dependencies page for a package on the socket website.

It would be helpful to have a way to show all dependencies of a package on the socket.dev website, not just direct dependencies. https://discord.com/channels/905691206783209574/1443016121740689468

Add a button or something to the Socket dashboard that allows a security engineer to quickly open PRs for CVE updates rather than doing this manually.

Make a GitLab app (in addition to the GitHub app) to detect and block supply chain attacks in new code changes.