Jordan Harband

@ljharb
398 Followers
355 Following
77 Posts
software engineer/nerd/teacher/will try anything once; surgeon with git rebase. @TC39 ex @Coinbase @Airbnb @twitter @MobBase. Fav punctuation ⸮, scent petrichor.

nvm.sh v0.40.5 is out, with some CVE fixes: https://github.com/nvm-sh/nvm/releases/tag/v0.40.5

Be sure to update!

Release v0.40.5 · nvm-sh/nvm

New Stuff
• nvm install --offline: install from cache without network access
Bug Fixes
• nvm_download_artifact: reject version strings with disallowed characters
• nvm_get_checksum: pass the tarball n...

GitHub

Today is a big day for Socket. We just raised a $60M Series C at a $1B valuation, led by Thrive Capital with participation from Andreessen Horowitz, Abstract, and Capital One Ventures. Total funding is now $125M.

Four years ago, we started Socket because open source dependencies were flowing into production faster than anyone could vet them. AI has massively accelerated that. Code is being written, shipped, and deployed before any human reads it. Security has to operate at that same speed.

One data point from Thrive's diligence that I keep coming back to: they first discovered Socket because Cursor, OpenAI, and Anthropic all independently told them it was the most important security tool they'd adopted for AI-driven development. Three of the most sophisticated AI companies converging on the same vendor unprompted.

Since our Series B, Socket has grown to more than 20,000 organizations, protecting over 1.5 million repositories and blocking more than 1,000 supply chain attacks every week. The team is now over 100 people.

Three out of five FAANG companies are Socket customers. So are the companies building the most ambitious AI products: Anthropic, Cursor, xAI, Figma, Vercel, Replit, Scale AI, Gusto, Mercado Libre, and Cribl, alongside Fortune 100s in financial services and global media.

What we've shipped since the last round:

• Socket Firewall blocks malicious packages at install time, before they reach a developer's laptop or CI pipeline. Free for everyone.

• Reachability analysis via our acquisition of Coana, eliminating 50-80% of irrelevant vulnerability alerts by focusing only on CVEs that are actually exploitable.

• Socket Certified Patches for remediating exploitable CVEs in seconds without waiting on upstream maintainers.

• Coverage extending to browser extensions, editor extensions, MCP servers, and AI tools via our acquisition of Annex Security.

When the Axios compromise hit, our detection systems flagged the malicious dependency within six minutes. Within 24 hours, more than 2,000 organizations onboarded to Socket to block it.

Where the funding goes: deeper investment in Firewall, massively expanding Certified Patches, moving protection closer to every point of install across the developer toolchain, and new product launches pushing Socket into a category we haven't entered before.

We're hiring across engineering, sales, customer success, and threat intel.

❤️ Thank you to our customers, investors, and the open-source community for your support. Together, we’re making software safer for everyone.

Clutching pearls about how many PURLs are in your application is just FUD and nonsense. The only thing that matters is, how many humans can put code into it. (i.e. all your engineers + every Linux dev + every OSS maintainer etc)

We're excited to announce that Socket is joining the @openjsf. Proud to support the #JavaScript ecosystem alongside so many great projects and contributors.

https://socket.dev/blog/socket-joins-openjs-foundation

Socket Joins the OpenJS Foundation - Socket

Socket is proud to join the OpenJS Foundation as a Silver Member, deepening our commitment to the long-term health and security of the JavaScript ecos...

Socket

nvm.sh users: please upgrade to https://github.com/nvm-sh/nvm/releases/tag/v0.40.4 if you're using `wget` on your system, to fix a medium vulnerability (https://github.com/nvm-sh/nvm/security/advisories/GHSA-4fc5-r4vr-8rp7).

Release v0.40.4 · nvm-sh/nvm

Bug Fixes
• sanitize NVM_AUTH_HEADER in wget path
• nvm_has_colors: also check if stdout is a terminal
• nvm_strip_path: avoid gawk-specific RT variable for mawk compatibility
• nvm_get_default_packages: ...

GitHub

I made a new thing! like the semver package, but for PURLs: https://www.npmjs.com/package/purl

`npx purl $specifier` or `npx purl $purl` will validate, normalize, and provide parse info.

add `--check` & it'll contact the relevant registry & verify the package and version exist.

(you can import it too)
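What "validate, normalize, and provide parse info" means for a Package URL, as an added example that is not the `purl` package's own code: a parser and canonical serializer for the generic `pkg:type/namespace/name@version?qualifiers#subpath` form. It implements only the core package-url rules; per-ecosystem rules (such as casing for specific types) are assumed out of scope.

```javascript
// Added example, not the `purl` package's code: parse and normalize a Package URL
// (pkg:type/namespace/name@version?qualifiers#subpath) per the core package-url
// rules. Type-specific rules (per-ecosystem casing etc.) are assumed out of scope.
function parsePurl(input) {
  let rest = input.trim();
  if (!/^pkg:/i.test(rest)) throw new Error('purl must start with "pkg:"');
  rest = rest.slice(4).replace(/^\/+/, '');       // drop scheme; leading slashes are ignored
  let subpath = null;                             // after the rightmost '#': '', '.' and '..' dropped
  const hash = rest.lastIndexOf('#');
  if (hash !== -1) {
    subpath = rest.slice(hash + 1).split('/')
      .filter((s) => s !== '' && s !== '.' && s !== '..')
      .map(decodeURIComponent).join('/') || null;
    rest = rest.slice(0, hash);
  }
  let qualifiers = null;                          // after the rightmost '?': key=value pairs joined by '&'
  const q = rest.lastIndexOf('?');
  if (q !== -1) {
    qualifiers = {};
    for (const pair of rest.slice(q + 1).split('&')) {
      const eq = pair.indexOf('=');
      if (eq === -1) continue;
      const value = decodeURIComponent(pair.slice(eq + 1));
      if (value !== '') qualifiers[pair.slice(0, eq).toLowerCase()] = value;  // keys lowercased, empty values dropped
    }
    if (Object.keys(qualifiers).length === 0) qualifiers = null;
    rest = rest.slice(0, q);
  }
  // Type runs up to the first '/' and is case-insensitive; version follows the rightmost '@'.
  const slash = rest.indexOf('/');
  if (slash === -1) throw new Error('purl is missing a type or name');
  const type = rest.slice(0, slash).toLowerCase();
  rest = rest.slice(slash + 1);
  let version = null; const at = rest.lastIndexOf('@');
  if (at !== -1) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }
  // Remaining '/'-separated segments: the last is the name, the rest form the namespace.
  const segs = rest.split('/').filter(Boolean).map(decodeURIComponent);
  const name = segs.pop();
  if (!name) throw new Error('purl is missing a name');
  return { type, namespace: segs.length ? segs.join('/') : null, name, version, qualifiers, subpath };
}
// Canonical serialisation, so differently spelled purls for one package compare equal.
function normalizePurl(input) {
  const p = parsePurl(input);
  const enc = encodeURIComponent;
  let out = `pkg:${p.type}/` + (p.namespace ? p.namespace.split('/').map(enc).join('/') + '/' : '') + enc(p.name);
  if (p.version) out += '@' + enc(p.version);
  if (p.qualifiers) out += '?' + Object.keys(p.qualifiers).sort().map((k) => `${k}=${enc(p.qualifiers[k])}`).join('&');
  if (p.subpath) out += '#' + p.subpath.split('/').map(enc).join('/');
  return out;
}
```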

I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. https://www.npmjs.com/package/eslint-plugin-lockfile

You can also run the eslint rule as a standalone CLI! `npx lintlock` / https://www.npmjs.com/package/lintlock

(all written in ESM, all with minimal deps, all supporting only modern node, for those that care about that sort of thing)
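The kind of check a lockfile linter performs, as an added example that is not eslint-plugin-lockfile's or lintlock's own code: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3) and flags entries resolved from outside an allowlisted registry, entries without an `integrity` hash, and integrity values weaker than sha512. The allowlist and the sample lockfile are constructed for the example.

```javascript
// Added example, not eslint-plugin-lockfile's code: audit an npm package-lock.json
// (lockfileVersion 2/3 "packages" map) for supply-chain red flags. The registry
// allowlist is an assumed project policy; the sample lockfile below is constructed.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;   // root project entry or workspace symlink
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const loc = `${name}@${entry.version}`;
    if (!entry.resolved) { findings.push(`${loc}: no "resolved" URL`); continue; }
    let host;
    try { host = new URL(entry.resolved).host; }
    catch (e) { findings.push(`${loc}: unparsable resolved URL`); continue; }
    // git+ssh://, http://, or an unknown mirror all fail this check.
    if (!allowedHosts.has(host)) findings.push(`${loc}: resolved from ${host} (not an allowed registry)`);
    if (!entry.integrity) findings.push(`${loc}: no "integrity" hash`);
    else if (!/^sha512-[A-Za-z0-9+/]+={0,2}$/.test(entry.integrity)) {
      findings.push(`${loc}: weak or malformed integrity "${entry.integrity.split('-')[0]}"`);
    }
  }
  return findings;
}

// Constructed sample: one clean entry, one off-registry entry with a sha1 hash,
// one entry with no integrity at all.
const SAMPLE_LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { left: '1.0.0', evil: '2.0.0', naked: '0.1.0' } },
    'node_modules/left': { version: '1.0.0', resolved: 'https://registry.npmjs.org/left/-/left-1.0.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==' },
    'node_modules/evil': { version: '2.0.0', resolved: 'https://example.invalid/evil-2.0.0.tgz',
      integrity: 'sha1-' + 'B'.repeat(27) + '=' },
    'node_modules/naked': { version: '0.1.0', resolved: 'https://registry.npmjs.org/naked/-/naked-0.1.0.tgz' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK).join('\n'));
```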

OH at GitHub Universe day 0, in a session on “beyond the bus factor”, discussing accidental leadership: “you didn’t choose the maintainer life…”

also, v5.0.0, which got the same treatment. I assume this was from a pre-existing session and one of npm’s publish servers hadn’t caught up yet - tokens are disallowed (on virtually all my packages)

Heads up that v3.3.1 of https://npmjs.com/is has malware in it, due to another maintainer’s account being hijacked. They’re removed for now, v3.3.0 is set at latest, v3.3.1 is deprecated, and a v3.3.2 will be published once I’m not on my phone (thx @github codespaces)

is

the definitive JavaScript type testing library. Latest version: 3.3.0, last published: 7 years ago. Start using is in your project by running `npm i is`. There are 638 other projects in the npm registry using is.

npm