Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code.
Bradly Farias led this effort, so Jerod & Chris invited him on the show to learn all about it.
node_modules folders on your disk? Would you prefer if all of your projects shared their node_modules folders instead of each getting their own copy?
The single character that saved him all that space? The p in pnpm…
This is alpha software, but it seems pretty low risk to give it a try.
Wireit works with npm run; it doesn’t replace it. To configure an NPM script for Wireit, move the command into a new wireit section of your package.json, and replace the original script with the
Now when you run npm run build, Wireit upgrades the script to be smarter and more efficient.
This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.
While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.
The latest Phoenix release ditches webpack and npm for esbuild and… nothing?
Of course, these are just the defaults — docs for Elixir’s esbuild clearly state that NPM is still supported and you can always pass --no-assets and do things 100% your way. But it’s easy to underestimate the power of defaults, especially those that cover an area outside of the target audience’s expertise — which is the case for Phoenix devs and JS bundlers.
In this post, the author lays out how they stitched together an esbuild + npm setup that will likely scale alongside the frontend of your application. I will surely be trying this setup on our app over the next few weeks and might even video it if you’re interested in going along for the ride.
Dan Abramov cuts right to the chase:
Have you heard the story about the boy who cried wolf? Spoiler alert: the wolf eats the sheep. If we don’t want our sheep to be eaten, we need better tools.
As of today, npm audit is a stain on the entire npm ecosystem. The best time to fix it was before rolling it out as a default. The next best time to fix it is now.
He goes on to lay out how it works, why it’s broken, and what changes he’s hoping to see.
electron-native-notify - because hey, that’s a malicious package!
NPM provides an easy way to publish and distribute Node.js packages, both for code dependencies and for global command-line tools. This article demonstrates how it can be used to publish and distribute binaries written in Go.
Mikeal and Chris welcome (back) special guest Fred K. Schott, who you may recall from our episode on Pika. This time, we’re talking ESM: what it is, what’s new about it, why it’s the future, writing libraries with it, and much more.
The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all.
He then spends some time measuring the extent of the problem.
This… is a bit of a bombshell:
Software is eating the world. Meanwhile, Microsoft is eating the software world… one acquisition at a time.
A severe security vulnerability impacted all popular npm package managers: npm, yarn and pnpm and even triggered a release for Node.js 12.4.0. What is behind this vulnerability and why is it so important for us to understand? I wrote about it in a post that also explains how npm handles executables.
Jerod and Divya welcome npm CTO Ahmad Nassri to discuss modular architecture. What it is, why it matters, and how you can achieve it. Ahmad has been thinking deeply about this topic lately and we have a very fruitful discussion that should have takeaways for developers of all experience levels.
As of npm 6.13, maintainers can add a funding field to their package.json (which works very much like GitHub’s FUNDING.yml) and users can run npm fund to see how they can support their dependency authors.
Darcy Clarke had this to say about the feature on npm’s blog:
Post install you will now see output that describes the number of packages that have defined funding information. You can opt-out of this prompt by using the --no-fund flag if you so choose.
At the end of August, we made a promise to the community to invest time & effort to better support package maintainers. This work is just the first, small step toward creating a means/mechanism for a more sustainable open source development ecosystem.
shoulders is a simple script that lists open issues of your project’s open source dependencies. Simply run it inside of a JS project:
Modern software is built on the shoulders of giants—take a moment to contribute back 💛
Bryan Bogensberger (CEO of npm) writes on npm blog:
Over the past couple of years, we’ve observed a number of models emerging that enable a path towards sustainability for Open Source maintainers. Most notably: OpenCollective & GitHub Sponsors. We at npm are in full support of both these initiatives, and intend to collaborate further with these organizations.
Now we are ready to invite the community’s most active contributors and the biggest enterprise consumers of public open source code to a working group to finalize the platform’s definition.
Send questions/comments to email@example.com, or discuss your thoughts right here.
Jerod, Feross, and Nick discuss the latest npm security fiasco, opine on the strengths and weaknesses of spreadsheets, explain CORS like they’re 5 (sorta), and give shout outs to deserving purveyors of fine software.
I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?
The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post:
Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.
By one account, former npm CTO C J Silverio’s talk “rocked JS Conf EU over the weekend”. If you know some of the history and are already familiar with the challenges of centralization, scrub to the end for the BIG announcement.