Integration with socket.dev

[felipecrs]

Tell us more.

socket.dev is interesting. It has a different take on supply chain attack prevention. It provides a repository that acts as a "firewall" for https://registry.npmjs.org. In such repository, socket.dev will use their "intelligence" based on static analysis to detect potentially malicious packages, and prevent them from even being downloaded.

They provide a public API for their database (https://firewall-api.socket.dev/) which can be used to look for known issues against specific packages, amongst other things like a scoring system. It can be optionally paired with an API key for access to more data.

Some ideas:

1. Before updating a dependency, Renovate could look it up in socket.dev. If some critical issue has been found for such new update, it should skip it.
2. Renovate could enrich the PR description with data from socket.dev, like their dependency score. They provide interesting insights, even if not critical.
3. Maybe Renovate could even use it as a source of vulnerable dependencies (to propose updates addressing them), similar to osv.dev.

Deno has implemented integration with their API (denoland/deno#31106), which could be used as a reference.

What do you think?

[jamietanna]

Sounds interesting - we'll need to implement #40048 first for us to be able to add this functionality in