npm Icon

npm

npm is a package manager for JavaScript included with Node.js.
16 episodes
All Topics

JS Party JS Party #282

The massive bug at the heart of npm

Play
2023-07-07T16:30:00Z #javascript +3 🎧 16,609

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

JS Party JS Party #272

Making "safe npm"

Play
2023-04-21T17:15:00Z #javascript +2 🎧 16,453

Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code

Bradly Farias lead this effort, so Jerod & Chris invited him on the show to learn all about it.

Changelog Interviews Changelog Interviews #482

Securing the open source supply chain

Play
2022-03-01T22:00:00Z #infosec +3 🎧 51,394

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

JS Party JS Party #210

What's in your package.json?

Play
2022-01-29T15:15:00Z #oss +4 🎧 22,160

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Changelog Interviews Changelog Interviews #355

Federating JavaScript's language commons with Entropic

Play
2019-08-02T11:00:00Z #oss +2 🎧 24,568

We’re joined by C J Silverio, aka ceejbot on Twitter, aka 2nd hire and former CTO at npm Inc. We talk with Ceej about her recent JS Conf EU talk titled “The Economies of Open Source” where she laid our her concerns with the JavaScript language commons being owned by venture capitalists. Currently the JavaScript language commons is controlled by the npm registery, and as you may know, npm is a VC backed for profit start up. Of course we also talk with Ceej about the bomb she dropped, Entropic, at the end of that talk — a federated package registry for JavaScript C J hopes will unseat npm and free the JavaScript language commons.

Founders Talk Founders Talk #61

Isaac Schlueter on building npm and hiring a CEO

Play
2019-01-25T12:05:00Z #npm +1 🎧 6,620

With JavaScript in every corner of software development and npm in every corner right along with it, the rise of npm can be drawn as a hockey stick up and to the right with Isaac Schlueter at the top grinning ear to ear. After reading their recent announcement to hire a CEO, I knew it was time to talk one-on-one with Isaac about building npm and the journey of hiring his successor.

Changelog Interviews Changelog Interviews #326

The insider perspective on the event-stream compromise

Play
2018-12-05T21:50:10Z #infosec +3 🎧 24,917

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.

They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.

JS Party JS Party #43

Interviews from JSConf

Play
2018-09-14T17:00:00Z #javascript +2 🎧 6,231

KBall interviews with Michael Chan, Juan Pablo Buriticá and Julián David Duque, and Tim Doherty at JSConf.US. Conversations about the importance of DRY code, the metaphors we use for software, JavaScript communities across Latin America, how to advocate for modern tech stacks in large companies, and fostering mentorship.

Player art
  0:00 / 0:00