From 834654230e4eb82b29008055be7cf064d7abc318 Mon Sep 17 00:00:00 2001 From: Mikola Lysenko Date: Fri, 6 Mar 2026 15:00:49 -0500 Subject: [PATCH] Fix socket-setup SKILL.md inaccuracies and add package manager support - Fix hallucinated @anthropic-ai/sfw package name to correct sfw - Fix outdated nicolo-ribaudo/socket-patch-cli URLs to SocketDev/socket-patch - Gate policy configuration to enterprise-only users - Add per-package-manager reference tables for sfw and socket-patch - Update CI/CD sections to reference appropriate PM runners Co-Authored-By: Claude Opus 4.6 (1M context) --- .claude-plugin/marketplace.json | 34 +++++------ README.md | 16 ++--- agents/AGENTS.md | 32 +++++----- scripts/generate-agents.ts | 8 +-- .../SKILL.md | 6 +- .../{dep-patch => socket-dep-patch}/SKILL.md | 22 +++---- .../SKILL.md | 20 +++---- .../SKILL.md | 20 +++---- skills/{fix => socket-fix}/SKILL.md | 32 +++++----- skills/{inspect => socket-inspect}/SKILL.md | 8 +-- skills/{scan => socket-scan}/SKILL.md | 20 +++---- skills/{setup => socket-setup}/SKILL.md | 60 ++++++++++++++----- .../tier1-structural/skill-discovery.test.ts | 2 +- tests/tier3-e2e/dep-cleanup.e2e.test.ts | 4 +- tests/tier3-e2e/dep-patch.e2e.test.ts | 4 +- tests/tier3-e2e/dep-replace.e2e.test.ts | 4 +- tests/tier3-e2e/dep-upgrade.e2e.test.ts | 4 +- tests/tier3-e2e/fix.e2e.test.ts | 6 +- tests/tier3-e2e/inspect.e2e.test.ts | 4 +- tests/tier3-e2e/scan.e2e.test.ts | 8 +-- tests/tier3-e2e/setup.e2e.test.ts | 4 +- 21 files changed, 174 insertions(+), 144 deletions(-) rename skills/{dep-cleanup => socket-dep-cleanup}/SKILL.md (97%) rename skills/{dep-patch => socket-dep-patch}/SKILL.md (82%) rename skills/{dep-replace => socket-dep-replace}/SKILL.md (95%) rename skills/{dep-upgrade => socket-dep-upgrade}/SKILL.md (94%) rename skills/{fix => socket-fix}/SKILL.md (84%) rename skills/{inspect => socket-inspect}/SKILL.md (95%) rename skills/{scan => socket-scan}/SKILL.md (93%) rename skills/{setup => socket-setup}/SKILL.md (81%) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 353593f..ba9308b 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -9,50 +9,50 @@ }, "plugins": [ { - "name": "scan", - "source": "./skills/scan", + "name": "socket-scan", + "source": "./skills/socket-scan", "skills": "./", "description": "Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation." }, { - "name": "inspect", - "source": "./skills/inspect", + "name": "socket-inspect", + "source": "./skills/socket-inspect", "skills": "./", "description": "Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches." }, { - "name": "setup", - "source": "./skills/setup", + "name": "socket-setup", + "source": "./skills/socket-setup", "skills": "./", "description": "Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems." }, { - "name": "dep-patch", - "source": "./skills/dep-patch", + "name": "socket-dep-patch", + "source": "./skills/socket-dep-patch", "skills": "./", - "description": "Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill." + "description": "Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /socket-setup skill." }, { - "name": "dep-upgrade", - "source": "./skills/dep-upgrade", + "name": "socket-dep-upgrade", + "source": "./skills/socket-dep-upgrade", "skills": "./", "description": "Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration." }, { - "name": "dep-cleanup", - "source": "./skills/dep-cleanup", + "name": "socket-dep-cleanup", + "source": "./skills/socket-dep-cleanup", "skills": "./", "description": "Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification." }, { - "name": "dep-replace", - "source": "./skills/dep-replace", + "name": "socket-dep-replace", + "source": "./skills/socket-dep-replace", "skills": "./", "description": "Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements." }, { - "name": "fix", - "source": "./skills/fix", + "name": "socket-fix", + "source": "./skills/socket-fix", "skills": "./", "description": "Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full)." } diff --git a/README.md b/README.md index 157aa11..633446a 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ Install, authenticate, and configure Socket for your project. | Name | Description | Documentation | |------|-------------|---------------| -| `setup` | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | [SKILL.md](skills/setup/SKILL.md) | +| `socket-setup` | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | [SKILL.md](skills/socket-setup/SKILL.md) | #### Analysis @@ -147,8 +147,8 @@ Scan dependencies and inspect individual packages for security risks. | Name | Description | Documentation | |------|-------------|---------------| -| `inspect` | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | [SKILL.md](skills/inspect/SKILL.md) | -| `scan` | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | [SKILL.md](skills/scan/SKILL.md) | +| `socket-inspect` | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | [SKILL.md](skills/socket-inspect/SKILL.md) | +| `socket-scan` | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | [SKILL.md](skills/socket-scan/SKILL.md) | #### Dependency Management @@ -156,10 +156,10 @@ Upgrade, patch, and clean up individual dependencies. | Name | Description | Documentation | |------|-------------|---------------| -| `dep-cleanup` | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. | [SKILL.md](skills/dep-cleanup/SKILL.md) | -| `dep-patch` | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill. | [SKILL.md](skills/dep-patch/SKILL.md) | -| `dep-replace` | Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. | [SKILL.md](skills/dep-replace/SKILL.md) | -| `dep-upgrade` | Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | [SKILL.md](skills/dep-upgrade/SKILL.md) | +| `socket-dep-cleanup` | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. | [SKILL.md](skills/socket-dep-cleanup/SKILL.md) | +| `socket-dep-patch` | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /socket-setup skill. | [SKILL.md](skills/socket-dep-patch/SKILL.md) | +| `socket-dep-replace` | Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. | [SKILL.md](skills/socket-dep-replace/SKILL.md) | +| `socket-dep-upgrade` | Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | [SKILL.md](skills/socket-dep-upgrade/SKILL.md) | #### Fix @@ -167,7 +167,7 @@ Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a | Name | Description | Documentation | |------|-------------|---------------| -| `fix` | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). | [SKILL.md](skills/fix/SKILL.md) | +| `socket-fix` | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). | [SKILL.md](skills/socket-fix/SKILL.md) | ## Contributing diff --git a/agents/AGENTS.md b/agents/AGENTS.md index 047a2c0..2b96cd2 100644 --- a/agents/AGENTS.md +++ b/agents/AGENTS.md @@ -6,14 +6,14 @@ You have additional SKILLs documented in directories containing a "SKILL.md" fil | Skill | Description | |-------|-------------| -| dep-cleanup | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. | -| dep-patch | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill. | -| dep-replace | Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. | -| dep-upgrade | Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | -| fix | Holistic dependency repair — orchestrates cleanup, replacement, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). Delegates to /dep-cleanup, /dep-replace, /dep-patch, and /dep-upgrade as subroutines. | -| inspect | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | -| scan | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | -| setup | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | +| socket-dep-cleanup | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. | +| socket-dep-patch | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /socket-setup skill. | +| socket-dep-replace | Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. | +| socket-dep-upgrade | Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | +| socket-fix | Holistic dependency repair — orchestrates cleanup, replacement, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). Delegates to /socket-dep-cleanup, /socket-dep-replace, /socket-dep-patch, and /socket-dep-upgrade as subroutines. | +| socket-inspect | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | +| socket-scan | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | +| socket-setup | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | ## Usage @@ -26,11 +26,11 @@ Paths referenced within SKILL folders are relative to that SKILL. For example th ## Skill Files The skills are located in: -- `skills/dep-cleanup/SKILL.md` -- `skills/dep-patch/SKILL.md` -- `skills/dep-replace/SKILL.md` -- `skills/dep-upgrade/SKILL.md` -- `skills/fix/SKILL.md` -- `skills/inspect/SKILL.md` -- `skills/scan/SKILL.md` -- `skills/setup/SKILL.md` +- `skills/socket-dep-cleanup/SKILL.md` +- `skills/socket-dep-patch/SKILL.md` +- `skills/socket-dep-replace/SKILL.md` +- `skills/socket-dep-upgrade/SKILL.md` +- `skills/socket-fix/SKILL.md` +- `skills/socket-inspect/SKILL.md` +- `skills/socket-scan/SKILL.md` +- `skills/socket-setup/SKILL.md` diff --git a/scripts/generate-agents.ts b/scripts/generate-agents.ts index 5b503f2..456ab04 100644 --- a/scripts/generate-agents.ts +++ b/scripts/generate-agents.ts @@ -79,10 +79,10 @@ const CATEGORIES: [string, CategoryDef][] = [ ]; function getCategory(skillName: string): string { - if (skillName === "setup") return "setup"; - if (skillName === "scan" || skillName === "inspect") return "analysis"; - if (skillName.startsWith("dep-")) return "dep"; - if (skillName === "fix") return "fix"; + if (skillName === "socket-setup") return "setup"; + if (skillName === "socket-scan" || skillName === "socket-inspect") return "analysis"; + if (skillName.startsWith("socket-dep-")) return "dep"; + if (skillName === "socket-fix") return "fix"; return "setup"; } diff --git a/skills/dep-cleanup/SKILL.md b/skills/socket-dep-cleanup/SKILL.md similarity index 97% rename from skills/dep-cleanup/SKILL.md rename to skills/socket-dep-cleanup/SKILL.md index 9ad7764..db6c243 100644 --- a/skills/dep-cleanup/SKILL.md +++ b/skills/socket-dep-cleanup/SKILL.md @@ -1,5 +1,5 @@ --- -name: dep-cleanup +name: socket-dep-cleanup description: Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. @@ -24,7 +24,7 @@ If the user specifies a package name, use that. Otherwise, ask which package the If the user isn't sure which package to evaluate, help them pick one: - Check `devDependencies` first — removing unused dev dependencies is lower risk - Look for packages with names that suggest narrow or outdated functionality -- Suggest running `/scan` first to get an overview of the dependency landscape +- Suggest running `/socket-scan` first to get an overview of the dependency landscape **One package at a time.** If the user wants to evaluate multiple packages, run this workflow once per package sequentially. @@ -187,4 +187,4 @@ Follow the standard build & test verification workflow (see `skills/_shared/veri - Some packages are used only in CI, deployment scripts, or editor configs — the search in Step 3 covers these - For PyPI, consult the package metadata on pypi.org if the import name is unclear - For monorepos, check usage across all workspaces before removing a root dependency -- After cleanup, use the `/scan` skill to verify no issues remain in the dependency set +- After cleanup, use the `/socket-scan` skill to verify no issues remain in the dependency set diff --git a/skills/dep-patch/SKILL.md b/skills/socket-dep-patch/SKILL.md similarity index 82% rename from skills/dep-patch/SKILL.md rename to skills/socket-dep-patch/SKILL.md index 808d396..3c059b8 100644 --- a/skills/dep-patch/SKILL.md +++ b/skills/socket-dep-patch/SKILL.md @@ -1,19 +1,19 @@ --- -name: dep-patch +name: socket-dep-patch description: Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and - infrastructure setup, use the /setup skill. + infrastructure setup, use the /socket-setup skill. --- # Dep Patch Apply Socket's binary-level security patches to vulnerable dependencies **without changing their version numbers**. This skill uses `socket-patch apply` to fix known vulnerabilities in-place. Patches are applied in bulk — `socket-patch apply` patches all available packages at once. -For setting up automated patching infrastructure (postinstall hooks, CI integration, GitHub Actions), use the `/setup` skill. +For setting up automated patching infrastructure (postinstall hooks, CI integration, GitHub Actions), use the `/socket-setup` skill. -## How This Differs from `/dep-upgrade` +## How This Differs from `/socket-dep-upgrade` -| | `/dep-patch` (this skill) | `/dep-upgrade` | +| | `/socket-dep-patch` (this skill) | `/socket-dep-upgrade` | |---|---|---| | **Primary tool** | `socket-patch apply` | `socket fix` | | **What it does** | Applies binary-level patches without changing versions | Upgrades dependency versions to fix CVEs | @@ -22,7 +22,7 @@ For setting up automated patching infrastructure (postinstall hooks, CI integrat | **Scope** | All patchable packages at once | One dependency at a time | | **When to use** | You need fixes without version churn, or the upstream fix doesn't exist yet | You want to bring dependencies up to date | -Use `/dep-patch` when you want to fix vulnerabilities without risking breaking changes from version upgrades. Use `/dep-upgrade` when you want full version upgrades with automated code migration. +Use `/socket-dep-patch` when you want to fix vulnerabilities without risking breaking changes from version upgrades. Use `/socket-dep-upgrade` when you want full version upgrades with automated code migration. ## When to Use @@ -45,7 +45,7 @@ Choose the installation method for your ecosystem: | npm (global) | `npm install -g @socketsecurity/socket-patch` | | pip | `pip install socket-patch` | | cargo | `cargo install socket-patch-cli` | -| Standalone (macOS/Linux) | `curl -fsSL https://raw.githubusercontent.com/nicolo-ribaudo/socket-patch-cli/main/install.sh \| sh` | +| Standalone (macOS/Linux) | `curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh \| sh` | Verify installation: @@ -87,7 +87,7 @@ After patching, verify the project still works: ## Setting Up Automated Patching -To keep patches applied automatically in CI/CD or via postinstall hooks, use the `/setup` skill. It covers: +To keep patches applied automatically in CI/CD or via postinstall hooks, use the `/socket-setup` skill. It covers: - GitHub Actions (`SocketDev/action@v1` with `mode: patch`) - GitLab CI / Bitbucket Pipelines / generic CI `socket-patch apply` steps - Local dev postinstall hooks (`socket-patch setup`) @@ -96,7 +96,7 @@ To keep patches applied automatically in CI/CD or via postinstall hooks, use the ## Error Handling - **`socket-patch` not found**: Install it using one of the methods in Step 1. For CI, ensure the install step runs before `socket-patch apply`. -- **No patches available**: This means Socket doesn't have binary patches for the current vulnerabilities. Consider using the `/dep-upgrade` skill to upgrade versions instead. +- **No patches available**: This means Socket doesn't have binary patches for the current vulnerabilities. Consider using the `/socket-dep-upgrade` skill to upgrade versions instead. - **Build fails after patching**: Run `socket-patch apply --dry-run` to identify which patch caused the issue. Report the failing patch so the user can decide whether to skip it. - **Permission errors**: Ensure write access to `node_modules/` or the equivalent dependency directory. @@ -106,5 +106,5 @@ To keep patches applied automatically in CI/CD or via postinstall hooks, use the - Use `SocketDev/action@v1` (correct casing) in GitHub workflow files - For monorepos, use `patch-cwd` to target specific directories - Commit `.socket/manifest.json` to track which patches are applied -- After patching, use the `/scan` skill to verify no residual vulnerabilities remain -- Combine with the `/dep-upgrade` skill for vulnerabilities that don't have binary patches available +- After patching, use the `/socket-scan` skill to verify no residual vulnerabilities remain +- Combine with the `/socket-dep-upgrade` skill for vulnerabilities that don't have binary patches available diff --git a/skills/dep-replace/SKILL.md b/skills/socket-dep-replace/SKILL.md similarity index 95% rename from skills/dep-replace/SKILL.md rename to skills/socket-dep-replace/SKILL.md index c343f66..014cb00 100644 --- a/skills/dep-replace/SKILL.md +++ b/skills/socket-dep-replace/SKILL.md @@ -1,5 +1,5 @@ --- -name: dep-replace +name: socket-dep-replace description: Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. --- @@ -18,7 +18,7 @@ Replace a dependency with an alternative package, eliminate it via code rewrite, ## Prerequisites -- **Socket CLI** — optional but recommended. Required for Strategy A (`socket-optimize`). Install via `/setup` if not available. +- **Socket CLI** — optional but recommended. Required for Strategy A (`socket-optimize`). Install via `/socket-setup` if not available. - **Build and test commands** — the project should have a working build and test setup for verification. ## Step 1: Identify the Target Package @@ -26,7 +26,7 @@ Replace a dependency with an alternative package, eliminate it via code rewrite, If the user specifies a package name, use that. If they also specify a replacement, note it for Step 5. If the user isn't sure which package to replace, help them pick one: -- Suggest running `/scan` first to identify flagged or low-score dependencies +- Suggest running `/socket-scan` first to identify flagged or low-score dependencies - Check for packages with known maintenance issues or security alerts - Look for trivial utility packages that could be inlined @@ -134,7 +134,7 @@ Usage map: Unique APIs used: {list} ({count} total) ``` -If the package has zero usages, suggest using `/dep-cleanup` instead (it's unused, not needing replacement). +If the package has zero usages, suggest using `/socket-dep-cleanup` instead (it's unused, not needing replacement). ## Step 5: Determine Replacement Strategy @@ -148,12 +148,12 @@ If the Socket CLI is installed: 2. Present the suggestions to the user with package names, descriptions, and Socket scores 3. If the user picks one, proceed to Step 6 with that replacement -If the Socket CLI is not installed, mention that `socket-optimize` is available via `/setup` and move to Strategy B. +If the Socket CLI is not installed, mention that `socket-optimize` is available via `/socket-setup` and move to Strategy B. -### Strategy B: Research Alternatives via `/inspect` +### Strategy B: Research Alternatives via `/socket-inspect` 1. Research candidate replacement packages — use knowledge of the ecosystem to identify 2-4 alternatives -2. For each candidate, gather via `/inspect`: +2. For each candidate, gather via `/socket-inspect`: - Socket score and alerts - Number of dependencies - Package size @@ -268,9 +268,9 @@ Follow the standard build & test verification workflow (see `skills/_shared/veri - **Partial API coverage**: If no single replacement covers all used APIs, report the gap and let the user decide — they may want to use multiple packages or inline the uncovered APIs. - **`socket-optimize` not available**: Fall back to Strategy B (manual research). -## How This Differs from /dep-cleanup +## How This Differs from /socket-dep-cleanup -| Aspect | /dep-cleanup | /dep-replace | +| Aspect | /socket-dep-cleanup | /socket-dep-replace | |--------|-------------|-------------| | **Goal** | Remove an unused dependency | Swap a used dependency for an alternative | | **Precondition** | Package is (suspected) unused | Package IS used but needs replacement | @@ -281,7 +281,7 @@ Follow the standard build & test verification workflow (see `skills/_shared/veri ## Tips - For large migrations (many call sites or complex API differences), use subagents to parallelize the rewrite across files -- Run `/scan` after replacement to verify the new dependency's security posture +- Run `/socket-scan` after replacement to verify the new dependency's security posture - When replacing a package used across many files, consider creating a thin adapter module first, then swapping the implementation behind it - For Strategy C (inline), keep the utility file small and well-tested — don't inline complex logic - If the user isn't sure which replacement to pick, Strategy B's API compatibility table helps make an informed decision diff --git a/skills/dep-upgrade/SKILL.md b/skills/socket-dep-upgrade/SKILL.md similarity index 94% rename from skills/dep-upgrade/SKILL.md rename to skills/socket-dep-upgrade/SKILL.md index 7b5da2c..6a357e4 100644 --- a/skills/dep-upgrade/SKILL.md +++ b/skills/socket-dep-upgrade/SKILL.md @@ -1,5 +1,5 @@ --- -name: dep-upgrade +name: socket-dep-upgrade description: Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. --- @@ -29,7 +29,7 @@ If `socket` is not installed globally, use `npx` to run it without installing: npx socket fix --all --no-apply-fixes --json ``` -All `socket fix` commands in this skill can be prefixed with `npx` as a drop-in replacement. If you need a permanent installation, use the `setup` skill. +All `socket fix` commands in this skill can be prefixed with `npx` as a drop-in replacement. If you need a permanent installation, use the `socket-setup` skill. ## Update Strategy @@ -129,7 +129,7 @@ Iterate until everything passes: 1. **Build the project** to check for compile/type errors 2. **Run the full test suite** and fix any failing tests -3. **Run the `/scan` skill** to confirm no new vulnerabilities were introduced by the upgrades +3. **Run the `/socket-scan` skill** to confirm no new vulnerabilities were introduced by the upgrades 4. **Re-run `socket fix --all --no-apply-fixes --json`** to verify no fixable vulnerabilities remain If tests fail after fixing, investigate each failure: @@ -149,7 +149,7 @@ Fixing all vulnerabilities in a Node.js project (success case): - Major bump applied → 2 test failures in route tests - Fix route handler code to match new Express API - Tests pass → commit → reports success -6. All subagents succeeded → run `/scan` skill → no new vulnerabilities +6. All subagents succeeded → run `/socket-scan` skill → no new vulnerabilities Failure case — main agent stops on first failure: @@ -180,19 +180,19 @@ To manage context window limits without subagents: - **`socket fix` returns no results**: The project may have no fixable vulnerabilities, or the Socket API may not cover the project's ecosystems. Check that manifest and lock files exist in the repository. - **`socket fix --id` fails with "GHSA not found"**: The advisory ID may be incorrect or not yet indexed. Try searching by CVE ID or PURL instead. - **`socket fix` modifies files but tests fail**: The subagent (or main agent in fallback mode) should revert the changes with `git checkout -- .` and try an alternative version. Never leave the project in a broken state. -- **Authentication required**: Some `socket fix` features require enterprise authentication. Run `socket login` or set `SOCKET_CLI_API_TOKEN`. Use the `/setup` skill for guidance. +- **Authentication required**: Some `socket fix` features require enterprise authentication. Run `socket login` or set `SOCKET_CLI_API_TOKEN`. Use the `/socket-setup` skill for guidance. - **Network errors during fix**: `socket fix` contacts the Socket API to compute upgrade paths. Check network connectivity and try again. -## How This Differs from `/dep-patch` +## How This Differs from `/socket-dep-patch` -| | `/dep-upgrade` (this skill) | `/dep-patch` | +| | `/socket-dep-upgrade` (this skill) | `/socket-dep-patch` | |---|---|---| | **Primary tool** | `socket fix` | `socket-patch apply` | | **What it does** | Upgrades dependency versions to fix CVEs | Applies binary-level patches without changing versions | | **Version changes?** | Yes | No | | **Code changes needed?** | Possibly (API migration for major bumps) | No | -Use `/dep-upgrade` when you want full version upgrades. Use `/dep-patch` when you need fixes without version churn. +Use `/socket-dep-upgrade` when you want full version upgrades. Use `/socket-dep-patch` when you need fixes without version churn. ## Tips @@ -204,6 +204,6 @@ Use `/dep-upgrade` when you want full version upgrades. Use `/dep-patch` when yo - **Stop on failure** — if any single update cannot be completed, halt the entire process and report to the user rather than continuing with a broken state - Commit after each successful update so progress is saved and failures can be cleanly reverted - Use `--minimum-release-age 2d` to avoid upgrading to freshly-published versions -- Combine with the `/inspect` skill to compare security profiles before and after upgrades -- After all fixes are applied, run the `/scan` skill to verify no new risks were introduced +- Combine with the `/socket-inspect` skill to compare security profiles before and after upgrades +- After all fixes are applied, run the `/socket-scan` skill to verify no new risks were introduced - For monorepos, use `--include` and `--exclude` to target specific workspaces diff --git a/skills/fix/SKILL.md b/skills/socket-fix/SKILL.md similarity index 84% rename from skills/fix/SKILL.md rename to skills/socket-fix/SKILL.md index ae8e07e..0cac7ca 100644 --- a/skills/fix/SKILL.md +++ b/skills/socket-fix/SKILL.md @@ -1,14 +1,14 @@ --- -name: fix +name: socket-fix description: Holistic dependency repair — orchestrates cleanup, replacement, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, - cautious, full). Delegates to /dep-cleanup, /dep-replace, /dep-patch, and /dep-upgrade + cautious, full). Delegates to /socket-dep-cleanup, /socket-dep-replace, /socket-dep-patch, and /socket-dep-upgrade as subroutines. --- # Fix -Holistic dependency repair — orchestrate `/dep-cleanup`, `/dep-replace`, `/dep-patch`, and `/dep-upgrade` into a single phased workflow. Choose from three aggressiveness levels (conservative, cautious, full) to control how far the repair goes. +Holistic dependency repair — orchestrate `/socket-dep-cleanup`, `/socket-dep-replace`, `/socket-dep-patch`, and `/socket-dep-upgrade` into a single phased workflow. Choose from three aggressiveness levels (conservative, cautious, full) to control how far the repair goes. This skill is an **orchestrator**. It does not have its own tools — it delegates every concrete action to the dep-* skills. @@ -71,12 +71,12 @@ For each dependency in the project: - CLI tools referenced in `package.json` scripts - Build plugins (webpack, babel, eslint, jest, etc.) - Packages with ambiguous import names (PyPI packages where import name differs from package name) -4. For each clearly unused package, execute the `/dep-cleanup` skill workflow +4. For each clearly unused package, execute the `/socket-dep-cleanup` skill workflow 5. **Commit after each removal** so progress is preserved ### Phase 1b: Apply Binary Patches -Execute the `/dep-patch` workflow: +Execute the `/socket-dep-patch` workflow: 1. Run `socket-patch apply --dry-run` to preview available patches 2. Apply all patches with `socket-patch apply` @@ -98,7 +98,7 @@ Execute Phase 1a (unused dep removal) and Phase 1b (binary patches) as described After Level 1 completes, identify the single highest-value change that carries some risk. Prioritize in this order: 1. **Critical/high CVE upgrade** — a dependency with a known critical or high severity vulnerability that requires a version bump (use `socket fix --all --no-apply-fixes --json` to discover) -2. **Replacement of a flagged dependency** — a dependency with a low Socket score or known maintenance issues that should be swapped for a better alternative (use `/dep-replace`) +2. **Replacement of a flagged dependency** — a dependency with a low Socket score or known maintenance issues that should be swapped for a better alternative (use `/socket-dep-replace`) 3. **Ambiguous unused dependency** — a package that is *probably* unused but was excluded from Phase 1a due to ambiguity (e.g., a `@types/*` package whose base package is not used, or a build plugin that may no longer be needed) 4. **Safe minor version bump** — a dependency with a minor/patch update available that fixes a medium-severity issue @@ -117,7 +117,7 @@ Proposed risky change (Level 2): ### Phase 2c: Execute If Approved -- If the user approves, execute via `/dep-upgrade` (for version bumps) or `/dep-cleanup` (for removals) +- If the user approves, execute via `/socket-dep-upgrade` (for version bumps) or `/socket-dep-cleanup` (for removals) - Build and test after applying - **Revert on failure** — if the change breaks the build or tests, revert immediately and report what happened - If the user declines, skip and report Level 2 complete @@ -132,14 +132,14 @@ Aggressive repair. Apply everything possible, skip and continue on individual fa 1. Run `socket fix --all --no-apply-fixes --json` to discover all fixable vulnerabilities 2. Filter to **minor and patch bumps only** (`--no-major-updates`) -3. For each vulnerability, dispatch `/dep-upgrade` to apply the fix -4. **Skip and continue on failure** — if a single upgrade fails after retries, log the failure and move on to the next one (this diverges from `/dep-upgrade`'s default "bail on failure" behavior — intentional for Level 3's aggressive posture) +3. For each vulnerability, dispatch `/socket-dep-upgrade` to apply the fix +4. **Skip and continue on failure** — if a single upgrade fails after retries, log the failure and move on to the next one (this diverges from `/socket-dep-upgrade`'s default "bail on failure" behavior — intentional for Level 3's aggressive posture) 5. Commit after each successful upgrade ### Phase 3b: Aggressive Cleanup 1. Re-scan all dependencies for usage (the dependency list may have changed after Phase 3a upgrades) -2. Run `/dep-cleanup` for **both** clearly unused AND ambiguous packages +2. Run `/socket-dep-cleanup` for **both** clearly unused AND ambiguous packages 3. After each removal, build and test 4. **Revert removals that break the build** — if removing a package causes failures, re-add it and mark it as "still needed" 5. Commit after each successful removal @@ -147,7 +147,7 @@ Aggressive repair. Apply everything possible, skip and continue on individual fa ### Phase 3b2: Replace Flagged Dependencies 1. Review scan results for dependencies with low Socket scores, unmaintained status, or known supply-chain risks -2. For each flagged dependency, run `/dep-replace` to find and execute a replacement +2. For each flagged dependency, run `/socket-dep-replace` to find and execute a replacement 3. **Skip and continue on failure** — if a replacement cannot be completed (no suitable alternative, migration too complex, tests fail), log it and move on 4. Commit after each successful replacement @@ -160,7 +160,7 @@ Aggressive repair. Apply everything possible, skip and continue on individual fa ### Phase 3d: Risky Major Upgrades 1. Re-run `socket fix --all --no-apply-fixes --json` to find remaining vulnerabilities -2. Attempt **major version bumps** via `/dep-upgrade` with code migration +2. Attempt **major version bumps** via `/socket-dep-upgrade` with code migration 3. **Skip and continue on failure** — if a major upgrade cannot be completed (migration too complex, tests fail), log it and move on 4. Commit after each successful upgrade @@ -170,7 +170,7 @@ Aggressive repair. Apply everything possible, skip and continue on individual fa After all phases complete (regardless of level): -1. Run `/scan` to get a fresh security scan +1. Run `/socket-scan` to get a fresh security scan 2. Compare findings against the pre-repair state 3. Report a summary: @@ -194,7 +194,7 @@ Repair Complete (Level 2 — Cautious) - **No dependencies found**: The project may not have manifest files in the expected locations. Check for monorepo structures or non-standard layouts. - **Build/test command unknown**: Ask the user for the correct build and test commands before starting repair. -- **Socket CLI not available**: Binary patches and `socket fix` require the Socket CLI. Suggest running `/setup` first, or fall back to cleanup-only mode (Phase 1a only). +- **Socket CLI not available**: Binary patches and `socket fix` require the Socket CLI. Suggest running `/socket-setup` first, or fall back to cleanup-only mode (Phase 1a only). - **All upgrades fail in Level 3**: If every upgrade attempt fails, report what was tried and suggest the user investigate manually. The cleanup and patch phases may still have succeeded. - **Network errors**: `socket fix` and `socket-patch` require network access. Check connectivity and retry once before skipping. @@ -205,6 +205,6 @@ Repair Complete (Level 2 — Cautious) - Level 3 is best for major cleanup efforts where you're prepared to review and test extensively - Each level builds on the previous one, so you can start conservative and escalate - All changes are committed individually, making it easy to revert any single change -- Run `/scan` before and after repair to measure improvement +- Run `/socket-scan` before and after repair to measure improvement - For monorepos, consider running repair on each workspace individually -- Combine with `/setup` to ensure the Socket CLI is properly configured before starting +- Combine with `/socket-setup` to ensure the Socket CLI is properly configured before starting diff --git a/skills/inspect/SKILL.md b/skills/socket-inspect/SKILL.md similarity index 95% rename from skills/inspect/SKILL.md rename to skills/socket-inspect/SKILL.md index cd5c1d2..2428578 100644 --- a/skills/inspect/SKILL.md +++ b/skills/socket-inspect/SKILL.md @@ -1,5 +1,5 @@ --- -name: inspect +name: socket-inspect description: Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. --- @@ -156,7 +156,7 @@ To research alternatives: - Check the API response data for available Socket patches or overrides - If patches are available, mention the patched version and link to the socket.dev page -- Cross-reference the `/dep-patch` and `/dep-upgrade` skills — remind the user they can apply patches with `/dep-patch` (binary-level, no version change) or run a security-audited upgrade with `/dep-upgrade` (version upgrade with code migration) +- Cross-reference the `/socket-dep-patch` and `/socket-dep-upgrade` skills — remind the user they can apply patches with `/socket-dep-patch` (binary-level, no version change) or run a security-audited upgrade with `/socket-dep-upgrade` (version upgrade with code migration) ## Output Format @@ -194,7 +194,7 @@ List all Socket alerts grouped by category (security, quality, maintenance, lice Summarize findings across the five dimensions (malware, vulnerabilities, dependency tree, maintenance health, author trust). Call out anything that warrants concern. **Socket Patches** -State whether Socket patches are available. If yes, mention the patched version and how to apply via `/dep-patch`. +State whether Socket patches are available. If yes, mention the patched version and how to apply via `/socket-dep-patch`. **Alternatives** (if applicable) Include the comparison table from Step 4. @@ -217,7 +217,7 @@ A clear, actionable recommendation: safe to use, use with caution (with reasons) - Single-maintainer packages carry higher supply-chain risk - Large transitive dependency trees increase attack surface - If a package is flagged as malware, do NOT install it — recommend immediate removal if already present -- Use inspect results to inform decisions with the `/dep-upgrade`, `/dep-patch`, and `/scan` skills +- Use inspect results to inform decisions with the `/socket-dep-upgrade`, `/socket-dep-patch`, and `/socket-scan` skills - Weigh Socket score and maintenance health over download count alone - Re-review periodically — a package's security posture changes over time - Prefer Socket patches over manual version pinning when available diff --git a/skills/scan/SKILL.md b/skills/socket-scan/SKILL.md similarity index 93% rename from skills/scan/SKILL.md rename to skills/socket-scan/SKILL.md index 7d0e215..4a16edf 100644 --- a/skills/scan/SKILL.md +++ b/skills/socket-scan/SKILL.md @@ -1,5 +1,5 @@ --- -name: scan +name: socket-scan description: Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license @@ -38,7 +38,7 @@ If `socket` is not installed globally, use `npx` to run it without installing: npx socket scan create --repo . --json ``` -All `socket` commands in this skill can be prefixed with `npx` as a drop-in replacement. If you need a permanent installation, use the `setup` skill. +All `socket` commands in this skill can be prefixed with `npx` as a drop-in replacement. If you need a permanent installation, use the `socket-setup` skill. For enterprise features (reachability analysis), authentication is required via `socket login` or the `SOCKET_CLI_API_TOKEN` environment variable. Verify with: @@ -129,10 +129,10 @@ Reachability analysis generates a `.socket.facts.json` file in the project root Based on scan results, cross-reference other skills to resolve issues: -- **Vulnerabilities with available fixes** — use the `/dep-upgrade` skill to apply safe upgrades -- **Packages needing deeper investigation** — use the `/inspect` skill to research specific packages -- **Packages with Socket patches available** — use the `/dep-patch` skill to apply security patches -- **Unused dependencies** — use the `/dep-cleanup` skill to remove packages that are no longer needed +- **Vulnerabilities with available fixes** — use the `/socket-dep-upgrade` skill to apply safe upgrades +- **Packages needing deeper investigation** — use the `/socket-inspect` skill to research specific packages +- **Packages with Socket patches available** — use the `/socket-dep-patch` skill to apply security patches +- **Unused dependencies** — use the `/socket-dep-cleanup` skill to remove packages that are no longer needed ### 5. License & Compliance Audit @@ -252,7 +252,7 @@ Produce a human-readable compliance summary: ## Error Handling -- **`socket: command not found`**: Install the Socket CLI with `npm install -g socket` or use `npx socket` as a prefix. If you need a permanent installation, use the `/setup` skill. +- **`socket: command not found`**: Install the Socket CLI with `npm install -g socket` or use `npx socket` as a prefix. If you need a permanent installation, use the `/socket-setup` skill. - **`socket scan create` fails with authentication error**: Enterprise scans require authentication. Run `socket login` or set the `SOCKET_CLI_API_TOKEN` environment variable. Free-tier users can still run basic scans without authentication. - **`socket scan reach` returns "not available"**: Reachability analysis requires an enterprise subscription. Skip this step for free-tier users. - **No manifest/lock files found**: The scan relies on manifest files (`package.json`, `requirements.txt`, `go.mod`, etc.). Ensure the `--repo` path points to a directory containing these files. @@ -265,8 +265,8 @@ Produce a human-readable compliance summary: - Always run a scan after adding, updating, or removing dependencies to verify the project's security posture - Use `--json` for machine-readable output that is easier to parse and summarize -- Combine with the `/inspect` skill for deep-dives into specific flagged packages -- Combine with the `/dep-upgrade` skill to fix vulnerabilities discovered during the scan +- Combine with the `/socket-inspect` skill for deep-dives into specific flagged packages +- Combine with the `/socket-dep-upgrade` skill to fix vulnerabilities discovered during the scan - Enterprise customers should use reachability analysis to prioritize fixes — focus on `reachable` vulnerabilities first - Scan results are available in the Socket dashboard for team visibility and historical tracking - If `socket` is not installed, `npx socket` works as a drop-in replacement for all commands @@ -274,4 +274,4 @@ Produce a human-readable compliance summary: - For enterprise compliance, generate SBOMs in both CycloneDX and SPDX formats - Re-audit after adding or updating dependencies — license information can change between versions - When flagging GPL dependencies, check if they are dev-only — GPL in devDependencies is generally lower risk for commercial projects -- Use the `/inspect` skill to deep-dive into specific packages flagged during the audit +- Use the `/socket-inspect` skill to deep-dive into specific packages flagged during the audit diff --git a/skills/setup/SKILL.md b/skills/socket-setup/SKILL.md similarity index 81% rename from skills/setup/SKILL.md rename to skills/socket-setup/SKILL.md index b473da2..6559267 100644 --- a/skills/setup/SKILL.md +++ b/skills/socket-setup/SKILL.md @@ -1,5 +1,5 @@ --- -name: setup +name: socket-setup description: Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. @@ -39,7 +39,7 @@ description: Set up Socket — prompt for API key, install the CLI, authenticate - Skip entirely for free tier ## Step 4: Ask What to Set Up -- Ask the user: do you want to set up **Firewall**, **Patches**, **Policies**, or a combination? +- Ask the user: do you want to set up **Firewall**, **Patches**, **Policies** (enterprise only), or a combination? - Route to the appropriate section(s) below ## Step 5: Detect SCM and CI System @@ -68,6 +68,17 @@ Or manually detect: ## Firewall Setup +### Installing sfw per Package Manager + +| Package Manager | Install sfw | +|----------------|------------| +| npm | `npm install -g sfw` | +| pnpm | `pnpm add -g sfw` | +| bun | `bun add -g sfw` | +| Standalone | `curl -fsSL https://socket.dev/download/sfw/latest/{platform} -o /usr/local/bin/sfw && chmod +x /usr/local/bin/sfw` | + +Replace `{platform}` with `linux-x64`, `darwin-arm64`, etc. as appropriate. + ### GitHub Actions - Use SocketDev/action@v1 - Free tier: mode: firewall-free (no socket-token needed) @@ -80,7 +91,7 @@ Or manually detect: ### GitLab CI - Add a `before_script` or dedicated stage to install `sfw` -- Install via npm: `npm install -g @anthropic-ai/sfw` +- Install via npm: `npm install -g sfw` - Or install standalone binary: ```bash curl -fsSL https://socket.dev/download/sfw/latest/linux-x64 -o /usr/local/bin/sfw && chmod +x /usr/local/bin/sfw @@ -104,16 +115,18 @@ Or manually detect: # macOS arm64 curl -fsSL https://socket.dev/download/sfw/latest/darwin-arm64 -o /usr/local/bin/sfw && chmod +x /usr/local/bin/sfw ``` -- Or install via npm: `npm install -g @anthropic-ai/sfw` +- Or install via npm: `npm install -g sfw` - Prefix install commands with sfw - Set `SOCKET_CLI_API_TOKEN` as env var for enterprise ### Local Development -- `npm install -g @anthropic-ai/sfw` (or standalone binary as above) +- `npm install -g sfw` (or standalone binary as above) - Usage: `sfw npm install`, `sfw pip install`, etc. ## Socket Policy Configuration +> **Enterprise only** — free tier users cannot configure policies. Skip this section if on the free tier. + Configure Socket policies to control which issues are flagged during scans and CI checks. ### Repository-Level Policy (`socket.yml`) @@ -215,7 +228,7 @@ For local development, authenticate using one of: ## Patch Infrastructure Setup -Set up automated patching so `socket-patch apply` runs after every dependency install. For one-time manual patching, use the `/dep-patch` skill instead. +Set up automated patching so `socket-patch apply` runs after every dependency install. For one-time manual patching, use the `/socket-dep-patch` skill instead. ### Scan Codebase for Install/Build Locations @@ -241,6 +254,23 @@ For each location, record the file path, the install command, and where to inser Present findings to the user before making changes. +### Package Manager Reference + +Use the appropriate command to run `socket-patch` based on the project's package manager: + +| Package Manager | Run socket-patch | +|----------------|-----------------| +| npm | `npx @socketsecurity/socket-patch apply` | +| pnpm | `pnpx @socketsecurity/socket-patch apply` | +| yarn | `npx @socketsecurity/socket-patch apply` | +| bun | `bunx @socketsecurity/socket-patch apply` | +| deno | `deno run npm:@socketsecurity/socket-patch apply` | +| Python | `pipx run socket-patch apply` (if pipx available), else `pip install socket-patch && socket-patch apply` | +| Standalone | `curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh \| sh` then `socket-patch apply` | +| GitHub Actions | `SocketDev/action@v1` with `mode: patch` (preferred) | + +Use the appropriate runner (`npx`, `pnpx`, `bunx`, etc.) based on the detected package manager in the sections below. + ### GitHub Actions (Preferred for GitHub repos) Use `SocketDev/action@v1` with `mode: patch`: @@ -257,22 +287,22 @@ Place after `actions/checkout`, before install steps. No `socket-token` is neede ### GitLab CI -Add a step to install `socket-patch` and apply patches after dependency install: +Add a step to install `socket-patch` and apply patches after dependency install. Use the appropriate package manager runner (see reference table above): ```yaml before_script: - - curl -fsSL https://raw.githubusercontent.com/nicolo-ribaudo/socket-patch-cli/main/install.sh | sh + - curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh | sh - npm install - socket-patch apply ``` ### Bitbucket Pipelines -Add a step to install `socket-patch` and apply patches: +Add a step to install `socket-patch` and apply patches. Use the appropriate package manager runner (see reference table above): ```yaml script: - - curl -fsSL https://raw.githubusercontent.com/nicolo-ribaudo/socket-patch-cli/main/install.sh | sh + - curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh | sh - npm install - socket-patch apply ``` @@ -281,7 +311,7 @@ script: Generic pattern for any CI system: -1. Install `socket-patch` via curl or npm +1. Install `socket-patch` via curl, npm, or the appropriate package manager runner (see reference table above) 2. Run your normal dependency install step 3. Run `socket-patch apply` after install, before build @@ -297,7 +327,7 @@ This auto-adds `"postinstall": "socket-patch apply"` to your `package.json` scri ### Dockerfile Patterns -Add a `RUN socket-patch apply` layer after the install layer: +Add a `RUN socket-patch apply` layer after the install layer. Use the appropriate runner for the project's package manager (e.g., `pnpx` for pnpm, `bunx` for bun): ```dockerfile FROM node:20-alpine @@ -311,7 +341,7 @@ RUN npm run build ### Makefile Patterns -Add a patch target that runs after install: +Add a patch target that runs after install. Adapt commands to match the project's package manager: ```makefile install: @@ -324,7 +354,7 @@ build: install ### Generic Fallback -If the project uses an unusual build system: +If the project uses an unusual build system, use the appropriate package manager runner (see reference table above): - **Interpreted projects** (Python, Ruby): add `socket-patch apply` after `pip install` / `bundle install` - **Compiled projects** (Rust, Go, Java): add after dependency fetch, before compile @@ -343,6 +373,6 @@ If the project uses an unusual build system: - `socket-patch apply` does not require an API key. - Use `SocketDev/action@v1` (correct casing) in GitHub workflow files. - For monorepos, use `patch-cwd` to target specific directories. -- After setup, use the `/scan` skill for a first audit and the `/inspect` skill for package inspection. +- After setup, use the `/socket-scan` skill for a first audit and the `/socket-inspect` skill for package inspection. - For GitHub repos, consider also installing the Socket Security GitHub App for automatic PR scanning. diff --git a/tests/tier1-structural/skill-discovery.test.ts b/tests/tier1-structural/skill-discovery.test.ts index e1e1e0e..e3aa96b 100644 --- a/tests/tier1-structural/skill-discovery.test.ts +++ b/tests/tier1-structural/skill-discovery.test.ts @@ -6,7 +6,7 @@ import { parseFrontmatter } from "../../scripts/lib/frontmatter"; const ROOT = path.resolve(__dirname, "../.."); const SKILLS_DIR = path.join(ROOT, "skills"); -const EXPECTED_SKILLS = ["dep-cleanup", "dep-patch", "dep-replace", "dep-upgrade", "fix", "inspect", "scan", "setup"]; +const EXPECTED_SKILLS = ["socket-dep-cleanup", "socket-dep-patch", "socket-dep-replace", "socket-dep-upgrade", "socket-fix", "socket-inspect", "socket-scan", "socket-setup"]; function getSkillDirs(): string[] { return fs diff --git a/tests/tier3-e2e/dep-cleanup.e2e.test.ts b/tests/tier3-e2e/dep-cleanup.e2e.test.ts index 126e074..640bfbe 100644 --- a/tests/tier3-e2e/dep-cleanup.e2e.test.ts +++ b/tests/tier3-e2e/dep-cleanup.e2e.test.ts @@ -28,7 +28,7 @@ describe("Dep Cleanup E2E", () => { it("evaluates a single unused dep", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-cleanup", + "socket-dep-cleanup", "Check if 'is-odd' is used anywhere in this project. Do not remove it, just report whether it is used or unused." ), workingDir: testDir, @@ -55,7 +55,7 @@ describe("Dep Cleanup E2E", () => { it("reports usage locations for a used dep", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-cleanup", + "socket-dep-cleanup", "Check if 'lodash' is used anywhere in this project. Do not remove it, just report all usage locations." ), workingDir: testDir, diff --git a/tests/tier3-e2e/dep-patch.e2e.test.ts b/tests/tier3-e2e/dep-patch.e2e.test.ts index 4cfae00..f77bd1c 100644 --- a/tests/tier3-e2e/dep-patch.e2e.test.ts +++ b/tests/tier3-e2e/dep-patch.e2e.test.ts @@ -28,7 +28,7 @@ describe("Dep Patch E2E", () => { it("suggests patching for lodash", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-patch", + "socket-dep-patch", "How do I patch the lodash vulnerabilities in this project? Use the Socket CLI tools to find the right approach." ), workingDir: testDir, @@ -45,7 +45,7 @@ describe("Dep Patch E2E", () => { it("mentions verification steps", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-patch", + "socket-dep-patch", "What steps should I take to fix security vulnerabilities in this project's dependencies? Read the package.json, identify the vulnerable packages, and describe the verification steps (testing, scanning, etc.) I should follow after applying patches." ), workingDir: testDir, diff --git a/tests/tier3-e2e/dep-replace.e2e.test.ts b/tests/tier3-e2e/dep-replace.e2e.test.ts index 4a30608..ede17ac 100644 --- a/tests/tier3-e2e/dep-replace.e2e.test.ts +++ b/tests/tier3-e2e/dep-replace.e2e.test.ts @@ -28,7 +28,7 @@ describe("Dep Replace E2E", () => { it("identifies replacement strategies for a dependency", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-replace", + "socket-dep-replace", "Analyze the 'is-odd' package in this project and suggest replacement strategies. Do not execute any migration, just present the strategies." ), workingDir: testDir, @@ -45,7 +45,7 @@ describe("Dep Replace E2E", () => { it("builds a usage map for a target dependency", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-replace", + "socket-dep-replace", "Build a usage map for the 'lodash' package in this project. List all files, line numbers, and specific APIs used. Do not execute any replacement." ), workingDir: testDir, diff --git a/tests/tier3-e2e/dep-upgrade.e2e.test.ts b/tests/tier3-e2e/dep-upgrade.e2e.test.ts index c56443e..15b305e 100644 --- a/tests/tier3-e2e/dep-upgrade.e2e.test.ts +++ b/tests/tier3-e2e/dep-upgrade.e2e.test.ts @@ -31,7 +31,7 @@ describe("Dep Upgrade E2E", () => { it("discovers vulns and suggests updates", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-upgrade", + "socket-dep-upgrade", "Read this project's package.json and identify which dependencies have known vulnerabilities. lodash 4.17.20 is known to have CVEs — what version should it be updated to? Suggest safe upgrade versions for any vulnerable packages. Do not run socket fix. You can use npm audit if available, but primarily rely on reading the package.json and your knowledge of CVEs." ), workingDir: testDir, @@ -48,7 +48,7 @@ describe("Dep Upgrade E2E", () => { it("identifies lodash upgrade path", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "dep-upgrade", + "socket-dep-upgrade", "What version should lodash be updated to for security? Try `npx socket npm/lodash` to check, but if the command fails, use your knowledge of lodash CVEs to recommend a safe version." ), workingDir: testDir, diff --git a/tests/tier3-e2e/fix.e2e.test.ts b/tests/tier3-e2e/fix.e2e.test.ts index e2254a5..f0679a3 100644 --- a/tests/tier3-e2e/fix.e2e.test.ts +++ b/tests/tier3-e2e/fix.e2e.test.ts @@ -28,7 +28,7 @@ describe("Fix E2E", () => { it("identifies repair levels and environment", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "fix", + "socket-fix", "Analyze this project and describe what each repair level (conservative, cautious, full) would do. Detect the ecosystem and list the dependencies. Do not make any changes." ), workingDir: testDir, @@ -45,7 +45,7 @@ describe("Fix E2E", () => { it("performs conservative repair analysis", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "fix", + "socket-fix", "Run a conservative (Level 1) repair analysis on this project. Identify which dependencies appear unused and which patches are available. Do not actually remove or patch anything — just report what you would do." ), workingDir: testDir, @@ -62,7 +62,7 @@ describe("Fix E2E", () => { it("proposes a risky change for level 2", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "fix", + "socket-fix", "If this project were at repair Level 2 (cautious), what single risky change would you propose? Look at the dependencies for known vulnerabilities and suggest the highest-value upgrade. Do not apply it." ), workingDir: testDir, diff --git a/tests/tier3-e2e/inspect.e2e.test.ts b/tests/tier3-e2e/inspect.e2e.test.ts index 67a25ad..500009e 100644 --- a/tests/tier3-e2e/inspect.e2e.test.ts +++ b/tests/tier3-e2e/inspect.e2e.test.ts @@ -23,7 +23,7 @@ describe("Inspect E2E", () => { it("reviews lodash and provides security info", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "inspect", + "socket-inspect", "Review the npm package 'lodash'. Try using `npx socket npm/lodash` to look up its Socket score. If the CLI command fails, still provide a review based on what you know about lodash's security posture, known vulnerabilities (especially in versions before 4.17.21), and maintenance status." ), workingDir: process.cwd(), @@ -40,7 +40,7 @@ describe("Inspect E2E", () => { it("reviews express and assesses health", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "inspect", + "socket-inspect", "Review the npm package 'express'. Try using `npx socket npm/express` to look up its Socket score. If the CLI command fails, still provide a review based on what you know about express's security posture, quality, and dependency footprint." ), workingDir: process.cwd(), diff --git a/tests/tier3-e2e/scan.e2e.test.ts b/tests/tier3-e2e/scan.e2e.test.ts index 0f092b8..4687f94 100644 --- a/tests/tier3-e2e/scan.e2e.test.ts +++ b/tests/tier3-e2e/scan.e2e.test.ts @@ -31,7 +31,7 @@ describe("Scan E2E", () => { it("scans project and reports findings", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "scan", + "socket-scan", "Scan this project's dependencies for security risks. Use the Socket CLI to create a scan and report the findings." ), workingDir: testDir, @@ -48,7 +48,7 @@ describe("Scan E2E", () => { it("identifies specific vulnerable package", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "scan", + "socket-scan", "Use the Socket CLI to check if any dependencies have known CVEs or vulnerabilities." ), workingDir: testDir, @@ -66,7 +66,7 @@ describe("Scan E2E", () => { it("generates a compliance report", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "scan", + "socket-scan", "Audit the licenses of all dependencies in this project. Read the package.json and classify each dependency's license. Produce a compliance summary showing license types and any issues." ), workingDir: testDir, @@ -83,7 +83,7 @@ describe("Scan E2E", () => { it("identifies SBOM output format", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "scan", + "socket-scan", "What SBOM formats can you generate for this project? List the dependencies and describe how you would produce a CycloneDX or SPDX SBOM." ), workingDir: testDir, diff --git a/tests/tier3-e2e/setup.e2e.test.ts b/tests/tier3-e2e/setup.e2e.test.ts index 8f1c0d9..7fb444e 100644 --- a/tests/tier3-e2e/setup.e2e.test.ts +++ b/tests/tier3-e2e/setup.e2e.test.ts @@ -28,7 +28,7 @@ describe("Setup E2E", () => { it("detects GitHub Actions and suggests config", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "setup", + "socket-setup", "Set up Socket for this project. Detect the CI/CD system and tell me what configuration is needed." ), workingDir: testDir, @@ -45,7 +45,7 @@ describe("Setup E2E", () => { it("provides CLI installation guidance", { timeout: 300_000 }, async () => { const response = await adapter.runPrompt({ prompt: buildSkillPrompt( - "setup", + "socket-setup", "How do I install and set up the Socket CLI for this project?" ), workingDir: testDir,