socket.io

node.js realtime framework server

Versions: 12
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

rauchg, darrachequesne

Keywords

realtime, framework, websocket, tcp, events, socketio

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | source-size-dropped | AI (source-diff): Size drop is an artifact of diffing socket.io v2.x against v4.x — a major version difference. The v2 codebase is legitimately much smaller than v4. Not indicative of code replacement. | ai |
dependencies | unvetted-dep:has-binary2 | AI (dependencies): has-binary2 is a legitimate, long-standing dependency of socket.io v2.x used for binary packet detection. Its presence is expected and consistent with the v2 codebase. | ai |
source-diff | net-exec-file:client-dist/dist/socket.io.esm.min.js | AI (source-diff): Socket.IO ships browser client bundles that legitimately contain network calls and UMD/module patterns. These are standard client-side distribution files, not malware. | ai |
source-diff | net-exec-file:client-dist/dist/socket.io.js | AI (source-diff): Socket.IO ships browser client bundles that legitimately contain network calls and UMD/module patterns. These are standard client-side distribution files, not malware. | ai |
source-diff | net-exec-file:client-dist/dist/socket.io.min.js | AI (source-diff): Socket.IO ships browser client bundles that legitimately contain network calls and UMD/module patterns. These are standard client-side distribution files, not malware. | ai |
source-diff | net-exec-file:client-dist/dist/socket.io.msgpack.min.js | AI (source-diff): Socket.IO ships browser client bundles that legitimately contain network calls and UMD/module patterns. These are standard client-side distribution files, not malware. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): The cors package (~2.8.5) is a well-established, trusted Express middleware. Adding it to a server framework is expected and benign. | ai |
source-diff | net-exec-file:client-dist/socket.io.esm.min.js | AI (source-diff): This is the legitimate minified Socket.IO client bundle shipped with the package. Network calls and dynamic code are inherent to a WebSocket/XHR client library, not malware. | ai |
phantom-deps | phantom-dep:@types/cors | AI (phantom-deps): @types/cors is a TypeScript type declaration listed as a runtime dep for type augmentation; not a real phantom dependency concern for socket.io. | ai |
phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a TypeScript type declaration; its presence as a dep is a known pattern for socket.io and not a security concern. | ai |
phantom-deps | phantom-dep:@types/cookie | AI (phantom-deps): @types/cookie is a TypeScript type declaration; stable false positive for this package. | ai |
dependencies | unvetted-dep:socket.io-adapter | AI (dependencies): socket.io-adapter is a documented dependency of socket.io; unvetted status is expected for transitive deps. | ai |
dependencies | unvetted-dep:engine.io | AI (dependencies): engine.io is a documented dependency of socket.io; unvetted status is expected for transitive deps. | ai |
dependencies | unvetted-dep:base64id | AI (dependencies): base64id is a documented dependency of socket.io; unvetted status is expected for transitive deps. | ai |

Versions (showing 12 of 12)

Version | Deps | Published
4.8.3 | 7 / 0 |
4.8.2 | 7 / 0 |
4.8.1 | 7 / 0 |
4.8.0 | 7 / 0 |
4.7.5 | 7 / 14 |
4.7.4 | 7 / 14 |
4.7.3 | 7 / 14 |
4.7.2 | 7 / 14 |
4.7.1 | 7 / 14 |
4.7.0 | 7 / 14 |
4.6.2 | 6 / 14 |
2.5.1 | 6 / 5 |

v4.8.2

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.8.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.8.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.7.5

2 findings
HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.7.4

2 findings
HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.7.3

2 findings
HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.7.2

2 findings
HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.7.1

2 findings
HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.7.0

6 findings
HIGH  New file with network + code execution: client-dist/dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH  New file with network + code execution: client-dist/dist/socket.io.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH  New file with network + code execution: client-dist/dist/socket.io.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH  New file with network + code execution: client-dist/dist/socket.io.msgpack.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.6.2

2 findings
HIGH  New file with network + code execution: client-dist/socket.io.esm.min.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.