Dependency Reachability
Dependency Reachability filters out unreachable alerts by constructing a dependency graph.
Dependency reachability identifies unused (dead) packages by building a graph of how packages import each other. Although it's the simplest form of reachability analysis, it has a major advantage: it can help prioritize nearly all types of alerts in Socket, not just vulnerability-related ones like Tier 2 and Tier 1 reachability.
The analysis scans your manifest files (package.json, go.mod, Gemfile, pom.xml, build.gradle, and others) to generate a complete list of direct and transitive dependencies, along with the dependency graph that connects them.
For each supported language, Socket parses only the files from dependency packages (never your proprietary source code) and extracts every import statement (e.g., import, require, or using).
| Language | Parser | Example we catch |
|---|---|---|
| JavaScript / TypeScript | tree-sitter-javascript | import { useState } from 'react' |
| Python | tree-sitter-python | from pathlib import Path |
| Go | tree-sitter-go | import "github.com/user/project" |
| Ruby | tree-sitter-ruby | require 'net/http' |
| Java | tree-sitter-java | import javax.sql.DataSource; |
Privacy first: Your source code is never uploaded or stored. The scan runs in a secure worker, extracts only the package names, and immediately discards the file contents.
If a transitive package never appears in any import statement, Socket marks it as dead. Then, it walks the dependency graph in the following way:
- If a parent is marked as dead, its children are also marked as dead, unless they are also required by a live parent.
- Direct dependencies are always considered alive, since the analysis doesn't scan application source code to determine how it interacts with its direct dependencies.
The result is a clear "used" or "unused" status for every transitive package.
In the Vulnerabilities tab you'll find the toggle: Used dependencies only. Flip it on and watch the noise disappear: CVE counts drop to only the libraries that actually execute in your application.
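As an added example (not Socket's own code), here is the marking walk described above together with a filter that behaves like the "Used dependencies only" toggle, run over a constructed dependency graph and a constructed set of imports extracted from dependency sources; every package name and alert id below is made up.

```python
from collections import deque

# Constructed sample data: parent -> children edges between packages, and the
# package names that appear in import statements inside dependency code.
# Names are invented for illustration; no real project is modelled.
GRAPH = {
    "express": ["body-parser", "cookie"],
    "body-parser": ["iconv-lite", "raw-body"],
    "raw-body": ["iconv-lite"],
    "iconv-lite": ["safer-buffer"],
    "legacy-util": ["old-helper", "iconv-lite"],
    "old-helper": ["tiny-dep"],
}
DIRECT = {"express", "lodash", "legacy-util"}
IMPORTED = {"body-parser", "cookie", "iconv-lite", "raw-body", "safer-buffer", "tiny-dep"}
# "old-helper" is never imported, so it is dead; "tiny-dep" is imported, but
# only by the dead "old-helper", so it must end up dead as well.

def classify(graph, direct, imported):
    """Return {package: 'used' | 'unused'} for every transitive package."""
    everyone = set(direct) | set(graph)
    for children in graph.values():
        everyone.update(children)
    # Direct dependencies are always alive: application code is never scanned.
    alive = set(direct)
    queue = deque(direct)
    # Walk downward from live parents only. A child becomes alive when some
    # package imports it and at least one of its parents is alive; children
    # reachable solely through dead parents are never enqueued, so they stay dead.
    while queue:
        parent = queue.popleft()
        for child in graph.get(parent, ()):
            if child in imported and child not in alive:
                alive.add(child)
                queue.append(child)
    return {pkg: ("used" if pkg in alive else "unused")
            for pkg in sorted(everyone - set(direct))}

def used_only(alerts, status):
    """Keep alerts on used packages; direct deps are absent from status and kept."""
    return [a for a in alerts if status.get(a["package"], "used") == "used"]

if __name__ == "__main__":
    status = classify(GRAPH, DIRECT, IMPORTED)
    for pkg, state in status.items():
        print(f"{pkg:13} {state}")
    alerts = [{"package": "tiny-dep", "alert": "ALERT-PLACEHOLDER-1"},
              {"package": "iconv-lite", "alert": "ALERT-PLACEHOLDER-2"}]
    print(used_only(alerts, status))  # only the iconv-lite alert survives
```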

Dependency Reachability is already enabled by default for users on the free tier, so no action is needed. For paid plans, it's currently opt-in via the Settings page. We've kept it optional during the beta since the additional source-code scan can add a small delay to SBOM generation. After the beta, Reachability will be enabled by default for all plans, with a toggle available if you prefer to turn it off. No additional configuration or build steps are required.

When you enable Reachability, you'll see a significant reduction in noise: on average, 25–35% of transitive dependencies are filtered out as unused. That means fewer alerts, fewer false positives, and a shorter list of vulnerabilities to triage.