[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5UZssOvBoM8Y3ZfkOxJh1Utzo98WFrht6wftrkMShwg":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"498b3ae0-5499-4f8e-8dd1-dfaa7ecd160f","Introducing Manifest Alerts","introducing-manifest-alerts-17162e","Socket now detects missing lockfiles with Manifest Alerts, a new kind of alert for supply chain risks found in project manifests. The feature was built in response to a real problem customers faced during the Axios npm compromise. Due to the complexities of modern dependency resolution, the blast radius of this incident was much wider than it initially appeared. Exposure was not limited to projects that directly depended on the compromised Axios version.

For teams with committed lockfiles and deterministic installs, it was easier to verify what dependency versions were resolved. But for repos without lockfiles, the dependency tree was not pinned. A fresh install could resolve to a different set of versions depending on when it ran, what versions were available in the registry, and whether the workflow introduced new dependency resolution.

Manifest Alerts are designed to make that risk more visible. They surface problems found in your manifests, not in the dependencies themselves.

The Reproducibility Problem Behind Missing Lockfiles #

A lockfile records the exact dependency versions resolved by a package manager. Without one, installs can drift over time. Two identical install commands can produce different dependency trees if the registry changes between runs.

That is what makes missing lockfiles different from most dependency alerts. The risk is not tied to one dependency artifact. The risk is in the project setup itself. A missing lockfile turns dependency resolution into a moving target.

Security teams may be able to inspect the manifest, but the manifest alone does not show the exact dependency tree that will be installed. Manifest Alerts flag that gap directly, so teams can identify projects where the resolved dependency graph is not reproducible from the files in the repo. Missing lockfiles make dependency exposure harder to reproduce, harder to verify, and harder to contain.

Manifest Alerts in Socket #

Socket now includes Manifest Alerts alongside Dependency Alerts. Dependency Alerts continue to show risks tied to specific packages. Manifest Alerts show risks tied to the manifest itself. With this release, Socket detects when a package manifest exists without a corresponding lockfile and alerts that the dependency tree is not pinned.

In scan results, Socket separates alerts into Dependency Alerts and Manifest Alerts. If a scan has alerts in the other view, Socket shows a banner so users can switch between them without missing important findings.

When Socket detects a missing lockfile, the alert identifies the manifest where the issue was found and explains that the dependency tree is not pinned. The dedicated alert drawer includes:

Impact: How the missing lockfile affects dependency resolution and reproducibility.
Remediation: Package-manager-specific guidance for generating a lockfile with npm, pnpm, yarn, or bun.
About: Additional details about the manifest alert.

Teams can ignore a Manifest Alert, undo the ignore action, or create a ticket from the alert drawer if Jira or Linear are connected.

What’s Next for Manifest Alerts #

Manifest Alerts help teams find repositories where dependency installs are not reproducible, and the missing lockfile alert is the first one we’re shipping. This is part of a broader direction for surfacing issues that live in manifests rather than individual packages. We’re exploring additional alerts for cases like malformed manifests, plain HTTP dependency references, and lockfiles that are out of date with the primary manifest.

Manifest Alerts are available today in Socket. They extend Socket’s visibility beyond individual packages and into the project configuration decisions that determine how dependencies are installed. Run a scan to identify missing lockfiles in your repositories, then use the remediation guidance in the alert drawer to generate the right lockfile for npm, pnpm, yarn, or bun.","Socket has launched Manifest Alerts, a new feature designed to identify supply chain risks stemming from missing lockfiles in project manifests. This addresses the complexities of dependency resolution, as seen in the Axios npm compromise, where the impact was wider than initially apparent due to unpinned dependency trees. Manifest Alerts highlight projects where dependency installs are not reproducible, offering guidance for generating lockfiles across various package managers.","Socket introduces Manifest Alerts to detect missing lockfiles and supply chain risks.","Product
Introducing Reachability for PHP
Reachability analysis for PHP is now available in experimental, helping teams identify which vulnerabilities are actually exploitable. 
By Benjamin Barslev - Apr 24, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fintroducing-manifest-alerts?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fa1b8ce5f8fcd550abef1c43f1210d5806591a405-3200x1800.png?w=1000&q=95&fit=max&auto=format","2026-06-16T14:56:13.135+00:00","2026-06-16T16:00:42.289409+00:00",7,[18,21,23,25,28,30],{"name":19,"type":20},"Manifest Alerts","product",{"name":22,"type":20},"Socket",{"name":24,"type":20},"Axios",{"name":26,"type":27},"npm","technology",{"name":29,"type":27},"pnpm",{"name":31,"type":27},"yarn","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":32,"icon":34,"name":35,"slug":36},null,"Supply Chain","supply-chain",[38,43,45,50],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":44},{"id":32,"icon":34,"name":35,"slug":36},{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]