Jerod, KBall & Nick discuss the latest news: Devin, Astro DB, The JavaScript Registry, Tailwind 4 & Angular merging with Wiz. Oh, and a surprise mini-game of HeadLIES!

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code

Bradly Farias lead this effort, so Jerod & Chris invited him on the show to learn all about it.

Feross has been working on something big. He joins Chris and Nick, along with guests Bret Comnes and Mik Lysenko to discuss Socket, what it is, and its focus on the security of the JavaScript supply chain.

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Mikeal and Chris welcome (back) special guest Fred K. Schott, who you may recall from our episode on Pika. This time, we’re talking ESM: what it is, what’s new about it, why it’s the future, writing libraries with it, and much more.

Jerod and Divya welcome npm CTO Ahmad Nassri to discuss modular architecture. What it is, why it matters, and how you can achieve it. Ahmad has been thinking deeply about this topic lately and we have a very fruitful discussion that should have takeaways for developers of all experience levels.

Jerod, Feross, and Nick discuss the latest npm security fiasco, opine on the strengths and weaknesses of spreadsheets, explain CORS like they’re 5 (sorta), and give shout outs to deserving purveyors of fine software.

We’re joined by C J Silverio, aka ceejbot on Twitter, aka 2nd hire and former CTO at npm Inc. We talk with Ceej about her recent JS Conf EU talk titled “The Economies of Open Source” where she laid our her concerns with the JavaScript language commons being owned by venture capitalists. Currently the JavaScript language commons is controlled by the npm registery, and as you may know, npm is a VC backed for profit start up. Of course we also talk with Ceej about the bomb she dropped, Entropic, at the end of that talk — a federated package registry for JavaScript C J hopes will unseat npm and free the JavaScript language commons.

Jerod and Nick are joined by Fred K. Schott – the main brain behind Pika. What’s that, you ask? An effort to make modern JavaScript more accessible by making it easier to find, publish, install, and use modern packages on npm.

With JavaScript in every corner of software development and npm in every corner right along with it, the rise of npm can be drawn as a hockey stick up and to the right with Isaac Schlueter at the top grinning ear to ear. After reading their recent announcement to hire a CEO, I knew it was time to talk one-on-one with Isaac about building npm and the journey of hiring his successor.

In this special episode of JS Party, KBall and Nick are on location at Node + JS Interactive in Vancouver. They talks with Laurie Voss, co-founder and COO of npm Inc. They chat about his talk, “npm and the Future of JavaScript”, JavaScript frameworks, and how the definition of “the fundamentals of the web” is constantly changing.

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.

They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.

KBall interviews with Michael Chan, Juan Pablo Buriticá and Julián David Duque, and Tim Doherty at JSConf.US. Conversations about the importance of DRY code, the metaphors we use for software, JavaScript communities across Latin America, how to advocate for modern tech stacks in large companies, and fostering mentorship.

Jerod, Nick, and Chris talk with Jeff Lembeck about his tweets, the people behind npm, the need for empathy, and things they’re excited about.