Apply security patches to npm dependencies without waiting for upstream fixes.
npx @socketsecurity/socket-patch
Or install globally:
npm install -g @socketsecurity/socket-patch
Apply security patches from manifest.
Usage:
npx @socketsecurity/socket-patch apply [options]
Options:
--cwd- Working directory (default: current directory)-d, --dry-run- Verify patches without modifying files-s, --silent- Only output errors-m, --manifest-path- Path to manifest (default:.socket/manifest.json)
Examples:
# Apply patches npx @socketsecurity/socket-patch apply # Dry run npx @socketsecurity/socket-patch apply --dry-run # Custom manifest npx @socketsecurity/socket-patch apply -m /path/to/manifest.json
Download patch from Socket API.
Usage:
npx @socketsecurity/socket-patch download --uuid <uuid> --org <org> [options]
Options:
--uuid- Patch UUID (required)--org- Organization slug (required)--api-token- API token (or useSOCKET_API_TOKENenv var)--api-url- API URL (default:https://api.socket.dev)--cwd- Working directory-m, --manifest-path- Path to manifest
Examples:
# Download patch export SOCKET_API_TOKEN="your-token" npx @socketsecurity/socket-patch download --uuid "550e8400-e29b-41d4-a716-446655440000" --org "my-org" # With explicit token npx @socketsecurity/socket-patch download --uuid "..." --org "my-org" --api-token "token"
List patches in manifest.
Usage:
npx @socketsecurity/socket-patch list [options]
Options:
--cwd- Working directory-m, --manifest-path- Path to manifest--json- Output as JSON
Examples:
# List patches npx @socketsecurity/socket-patch list # JSON output npx @socketsecurity/socket-patch list --json
Sample Output:
Found 2 patch(es):
Package: pkg:npm/lodash@4.17.20
UUID: 550e8400-e29b-41d4-a716-446655440000
Tier: free
License: MIT
Vulnerabilities (1):
- GHSA-xxxx-yyyy-zzzz (CVE-2024-12345)
Severity: high
Summary: Prototype pollution in lodash
Files patched (1):
- lodash.js
Remove patch from manifest.
Usage:
npx @socketsecurity/socket-patch remove <identifier> [options]
Arguments:
identifier- Package PURL (e.g.,pkg:npm/package@version) or patch UUID
Options:
--cwd- Working directory-m, --manifest-path- Path to manifest
Examples:
# Remove by PURL npx @socketsecurity/socket-patch remove "pkg:npm/lodash@4.17.20" # Remove by UUID npx @socketsecurity/socket-patch remove "550e8400-e29b-41d4-a716-446655440000"
Downloaded patches are stored in .socket/manifest.json:
{
"patches": {
"pkg:npm/package-name@1.0.0": {
"uuid": "unique-patch-id",
"exportedAt": "2024年01月01日T00:00:00Z",
"files": {
"path/to/file.js": {
"beforeHash": "git-sha256-before",
"afterHash": "git-sha256-after"
}
},
"vulnerabilities": {
"GHSA-xxxx-xxxx-xxxx": {
"cves": ["CVE-2024-12345"],
"summary": "Vulnerability summary",
"severity": "high",
"description": "Detailed description"
}
}
}
}
}Patched file contents are in .socket/blobs/ (named by git SHA256 hash).