Deno 2.6 + Socket: Supply Chain Defense In Your CLI - Socket


Deno 2.6 was released this week with new security improvements that make it easier to catch threats before they hit production. The release introduces a new deno audit command that scans your dependencies against GitHub's CVE database, along with granular controls for lifecycle scripts and minimum dependency age requirements.

Deno 2.6 also includes experimental Socket integration through deno audit --socket, which queries Socket's Firewall API to fetch malicious package detections and supply chain risk indicators in real time. While CVE databases catalog vulnerabilities after they've been discovered and reported, Socket's Firewall analyzes package behavior to catch threats as they emerge: things like typosquatting, malicious install scripts, and obfuscated code that slip past traditional scanners.

How the Socket Integration Works

Socket's supply chain security risk detection is available through two authentication modes:

Unauthenticated mode provides instant security scanning for any Deno project:

$ deno install npm:lodahs
Add npm:lodahs@0.0.1-security

Dependencies:
+ npm:lodahs 0.0.1-security

$ deno audit --socket

No known vulnerabilities found

Socket.dev firewall report

╭ pkg:npm/lodahs@0.0.1-security
│ Supply Chain Risk: 0
│ Maintenance: 76
│ Quality: 41
│ Vulnerabilities: 100
│ License: 100
╰ Alerts (1/0/0): [critical] malware

Found 1 alerts across 1 packages
Severity: 0 low, 0 medium, 0 high, 1 critical

Authenticated mode applies your organization's security policies when SOCKET_API_KEY is set as an environment variable. Teams can enforce company-wide rules and access detailed threat analysis across their entire dependency graph.
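A CI gate built on the report format shown above, added here as an example and not part of the article or of Deno's or Socket's own tooling. It assumes only that the audit output ends with the "Severity: N low, N medium, N high, N critical" summary line shown above, and fails the job when any high or critical alert is reported.

```shell
#!/bin/sh
# Gate a CI step on the Socket firewall summary that `deno audit --socket`
# prints. Assumption: the summary has the form
#   Severity: N low, N medium, N high, N critical
# exactly as in the report above. Reads the audit output from stdin so it
# works on a saved log as well as a live run.

# Returns 0 when no high or critical alerts are present, 1 otherwise.
socket_gate() {
  # First Severity line, or empty when the report has no alert summary
  # (for example, when only "No known vulnerabilities found" is printed).
  line=$(grep -m1 '^Severity:' || true)
  high=$(printf '%s\n' "$line" | sed -n 's/.* \([0-9][0-9]*\) high.*/\1/p')
  critical=$(printf '%s\n' "$line" | sed -n 's/.* \([0-9][0-9]*\) critical.*/\1/p')
  high=${high:-0}
  critical=${critical:-0}
  if [ "$high" -gt 0 ] || [ "$critical" -gt 0 ]; then
    echo "blocked: $high high, $critical critical alert(s) in Socket report" >&2
    return 1
  fi
  echo "ok: no high or critical Socket alerts"
  return 0
}

# Constructed sample input: the lodahs report from the session above,
# embedded here so the script can be exercised offline.
SAMPLE_REPORT='No known vulnerabilities found

Socket.dev firewall report

╭ pkg:npm/lodahs@0.0.1-security
╰ Alerts (1/0/0): [critical] malware

Found 1 alerts across 1 packages
Severity: 0 low, 0 medium, 0 high, 1 critical'

# Typical CI usage (authenticated mode applies org policy when SOCKET_API_KEY is set):
#   deno audit --socket 2>&1 | tee audit.log
#   socket_gate < audit.log
```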

Beyond CVE Databases

Traditional vulnerability scanning relies on CVE databases, which only catch known vulnerabilities after they've been reported and cataloged. Socket's approach analyzes package behavior to detect supply chain attacks before they have a chance to hit your codebase.

With the Socket integration, Deno users get access to our threat detection for free, with continuous tracking of every package and version on npm (and other popular open source registries). Socket has identified and flagged thousands of malicious packages that will never receive CVEs, including attacks like Shai-Hulud, cryptomining campaigns, and the frequent typosquatting attempts targeting popular packages.

What Else Is New in Deno 2.6

Deno 2.6 integrates tsgo for faster typechecking. The team has observed a 2x speed improvement on type checking times for internal projects. The release also includes several security and dependency management features that complement Socket integration:

Granular script control with deno approve-scripts replaces the previous --allow-scripts flag. When installing packages with lifecycle scripts, Deno prompts you to review and approve each package individually. Your choices persist in deno.json, creating an audit trail of which packages can execute code during installation.

Dependency age requirements let you specify minimum package ages in deno.json. Setting "minimumDependencyAge": "7 days" ensures your project only uses dependencies that have been publicly available long enough for the community to identify potential issues.

The dx command provides an npx-equivalent for running package binaries. While it defaults to full permissions like npx, it prompts before downloading packages and running lifecycle scripts, giving you visibility into what code executes during installation.

Check out the Deno 2.6 announcement post for more details on everything that's new, along with all the Node.js compatibility improvements and fixes in this release.