npm Icon

npm

npm is a package manager for JavaScript included with Node.js.
12 Stories
All Topics

Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue evil dependency explores ways to attack the developer, server, the end user, plus other examples. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, … It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.

read more...

The Changelog The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.

read more...

npm github.com

Find the cost of adding a new dependency to your project

Do you have packagephobia? Maybe you should… If you don’t, you just might after using this tool: Package Phobia reports the size of an npm package before you install it. This is useful for inspecting potential dependencies or devDependencies without using up precious disk space or waiting minutes for npm install. Ain’t nobody got time for dat.

read more...

Spencer Brown mixmax.com

To yarn and back (to npm) again

Yarn and npm was discussed in-depth on JS Party #29. Spencer writes on the Mixmax blog: We tested that this flow with npm 6 would work for our needs and we suggest you do too. If you need the absolute fastest package manager, then you may still find Yarn to be best. But if you’re looking to simplify your setup, we’ve found that npm 6 recaptures a critical balance between speed and reliability. Spencer and team also shared deyarn a command-line tool for converting your projects from Yarn to npm.

read more...
0:00 / 0:00