# Reference

## Package Manager overview

| Feature | npm (11.7.X) | Yarn Classic (1.22.X) | Yarn Berry (4.12.X) | pnpm (10.23.X) | Bun Install (1.3.X) |
|---|---|---|---|---|---|
| Supports the big 3 🐇 runtimes (Node.JS, Deno, Bun) | ⚠️ Node.JS and Deno only | ⚠️ Node.JS only | ⚠️ Node.JS only | 🛠️ If configured | ⚠️ Node.JS and Bun only |
| Minimum release age | ❌ Not implemented | ❌ Not implemented | ✅ Yes, 3d default | 🛠️ If configured, has override | 🛠️ If configured |
| Block install scripts | 🛠️ If configured | ❌ Not implemented | ❔ Documentation unclear | ✅ Default, with allowlist override and strict mode (exit instead of warn) | ⚠️ Default, only blocks dependencies, has allowlist override |
| Block git repo/tarball sources for indirect dependencies | ❌ Not implemented | ❌ Not implemented | ❌ Not implemented | 🛠️ If configured | ❌ Not implemented |
| Don't install newer versions if security measures decreased | ❌ Not implemented | ❌ Not implemented | ❌ Not implemented | 🛠️ If configured, has override | ❌ Not implemented |
| Limit plug & play to listed dependencies | N/A | ⚠️ Default, with exception of top-level (package.json) dependencies | ✅ By default | 🛠️ If configured, has override | 🛠️ If configured |
| Verify integrity of global store | ❔ Need more info | ❔ Need more info | ✅ By default, has override | ✅ By default, has override | ❔ Need more info |
| Anti-lockfile poisoning | ❌ Not implemented | ❌ Not implemented | 🛠️ Default for public PRs, can be enabled everywhere | ✅ Not needed | ✅ Not needed |

## Runtime overview

| Feature | Node.JS (24.12.X) | Bun runtime (1.3.X) | Deno (2.6.X) |
|---|---|---|---|
| Limit resource access | ⚠️ If configured, limited to some built-in Node APIs | ❌ Not implemented | ✅ By default, has override |
| Freezing intrinsics/built-ins | 🛠️ If configured | ❌ Not implemented | ❌ Not implemented |
| Runtime-level package auditor | ❌ Not implemented | 🛠️ If configured | ❌ Not implemented |

## Safer installers overview

| Feature | Socket Safe NPM (1.1.45) | npq (v3.15.4) |
|---|---|---|
| Supports the big 4 package managers (npm/yarn classic+berry/pnpm) | ✅ By default | 🛠️ Yes, set by env variable |
| Supports Bun Install | ✅ By default | ❔ Need more info |

## Package auditor overview

| Feature | npm audit (11.7.X) | yarn (npm) audit (1.22.X/4.12.X) | pnpm audit (10.23.X) | lockfile-lint (4.14.1) | Socket CLI scan (1.1.45) | Artemis (3.6.X) | Mend Renovate CLI (42.71.X) |
|---|---|---|---|---|---|---|---|
| Method | ✅ Dependency checker | ✅ Dependency checker | ✅ Dependency checker | ✅ Anti-lockfile poisoning | ✅ Too much to list | ✅ Website vulnerability scanner | ✅ Cross-platform version of GitHub's Dependabot |
| Supports the big 4 (npm/yarn classic+berry/pnpm) | ⚠️ npm only | ⚠️ yarn classic (`yarn audit`) or yarn berry (`yarn npm audit`) only | ⚠️ pnpm only | ⚠️ npm & yarn only; pnpm is safe by default | ✅ By default | N/A | ✅ By default |
| Supports Bun Install | ❌ Not implemented | ❌ Not implemented | ❌ Not implemented | ⚠️ Bun is safe by default | ❌ Not implemented | N/A | ✅ By default |