Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code

Bradly Farias lead this effort, so Jerod & Chris invited him on the show to learn all about it.

Tobias Bieniek:

Have you ever worked with JavaScript? Have you been annoyed by the three hundred copies of left-pad in all of the node_modules folders on your disk? Would you prefer if all of your projects shared their node_modules folders instead of each getting their own copy?

The single character that saved him all that space? The p in pnpm…

This is alpha software, but it seems pretty low risk to give it a try.

Wireit works with npm run, it doesn’t replace it. To configure an NPM script for Wireit, move the command into a new wireit section of your package.json, and replace the original script with the wireit command.

Now when you run npm run build, Wireit upgrades the script to be smarter and more efficient.

Feross has been working on something big. He joins Chris and Nick, along with guests Bret Comnes and Mik Lysenko to discuss Socket, what it is, and its focus on the security of the JavaScript supply chain.

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

The latest Phoenix release ditches webpack and npm for esbuild and… nothing?

Of course, these are just the defaults — docs for Elixir’s esbuild clearly state that NPM is still supported and you can always pass --no-assets and do things 100% your way. But it’s easy to underestimate the power of defaults, especially those that cover area outside of target audience’s expertise — which is the case of Phoenix devs and JS bundlers.

In this post, the author lays out how they stitched together an esbuild + npm setup that will likely scale alongside the frontend of your application. I will surely be trying this setup on our app over the next few weeks and might even video it if you’re interested in going along for the ride.

Dan Abramov cuts right to the chase:

Have you heard the story about the boy who cried wolf? Spoiler alert: the wolf eats the sheep. If we don’t want our sheep to be eaten, we need better tools.

As of today, npm audit is a stain on the entire npm ecosystem. The best time to fix it was before rolling it out as a default. The next best time to fix it is now.

He goes on to lay out how it works, why it’s broken, and what changes he’s hoping to see.

What are typosquatting attacks and how do they impact open source developers? If you’re a JavaScript developer then you should understand them and be conscious that you aren’t mistakenly installing a package such as electron-native-notify - because hey, that’s a malicious package!

Utkarsh Agarwal:

NPM provides an easy way to publish and distribute Node JS packages for both code dependencies as well as global command-line tools. This article demonstrates how it can be used to publish and distribute binaries written in Golang.

Mikeal and Chris welcome (back) special guest Fred K. Schott, who you may recall from our episode on Pika. This time, we’re talking ESM: what it is, what’s new about it, why it’s the future, writing libraries with it, and much more.

Sam Bleckley:

The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all.

He then spends some time measuring the extent of the problem.

This.. is a bit of a bombshell:

The work of the npm team over the last 10 years, and the contributions of hundreds of thousands of open source developers and maintainers, have made npm home to over 1.3 million packages with 75 billion downloads a month. Together, they’ve helped JavaScript become the largest developer ecosystem in the world. We at GitHub are honored to be part of the next chapter of npm’s story and to help npm continue to scale to meet the needs of the fast-growing JavaScript community.

Software is eating the world. Meanwhile, Microsoft is eating the software world… one acquisition at a time.

Liran Tal:

A severe security vulnerability impacted all popular npm package managers: npm, yarn and pnpm and even triggered a release for Node.js 12.4.0. What is behind this vulnerability and why is it so important for us to understand? I wrote about it in a post that also explains how npm handles executables.

Jerod and Divya welcome npm CTO Ahmad Nassri to discuss modular architecture. What it is, why it matters, and how you can achieve it. Ahmad has been thinking deeply about this topic lately and we have a very fruitful discussion that should have takeaways for developers of all experience levels.

As of npm 6.13, maintainers can add a funding field to their package.json (which works very much like GitHub’s FUNDING.yml) and users can run npm fund to see how they can support their dependency authors.

Darcy Clarke had this to say about the feature on npm’s blog:

Post install you will now see output that describes the number of packages that have defined funding information. You can opt-out of this prompt by using the –no-fund flag if you so choose.

At the end of August, we made a promise to the community to invest time & effort to better support package maintainers. This work is just the first, small step toward creating a means/mechanism for a more sustainable open source development ecosystem.

shoulders is a simple script that lists open issues of your project’s open source dependencies. Simply run it inside of a JS project: npx shoulders

Modern software is built on the shoulders of giants—take a moment to contribute back 💛

Bryan Bogensberger (CEO of npm) writes on npm blog:

Over the past couple of years, we’ve observed a number of models emerging that enable a path towards sustainability for Open Source maintainers. Most notably: OpenCollective & GitHub Sponsors. We at npm are in full support of both these initiatives, and intend to collaborate further with these organizations.

Now we are ready to invite the community’s most active contributors and the biggest enterprise consumers of public open source code to a working group to finalize the platform’s definition.

Send questions/comments to funding-contributors@npmjs.com, or discuss your thoughts right here.

Jerod, Feross, and Nick discuss the latest npm security fiasco, opine on the strengths and weaknesses of spreadsheets, explain CORS like they’re 5 (sorta), and give shout outs to deserving purveyors of fine software.

We’re joined by C J Silverio, aka ceejbot on Twitter, aka 2nd hire and former CTO at npm Inc. We talk with Ceej about her recent JS Conf EU talk titled “The Economies of Open Source” where she laid our her concerns with the JavaScript language commons being owned by venture capitalists. Currently the JavaScript language commons is controlled by the npm registery, and as you may know, npm is a VC backed for profit start up. Of course we also talk with Ceej about the bomb she dropped, Entropic, at the end of that talk — a federated package registry for JavaScript C J hopes will unseat npm and free the JavaScript language commons.

With the settlement behind it, NPM Inc can now turn its attention toward repairing relationships with the JavaScript community and generating enough revenue to sustain itself.

I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?

The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post:

Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.

By one account, former npm CTO C J Silverio’s talk “rocked JS Conf EU over the weekend”. If you know some of the history and are already familiar with the challenges of centralization, scrub to the end for the BIG announcement.

Jerod and Nick are joined by Fred K. Schott – the main brain behind Pika. What’s that, you ask? An effort to make modern JavaScript more accessible by making it easier to find, publish, install, and use modern packages on npm.