electron-native-notify - because hey, that’s a malicious package!
NPM provides an easy way to publish and distribute Node JS packages for both code dependencies as well as global command-line tools. This article demonstrates how it can be used to publish and distribute binaries written in Golang.
The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all.
He then spends some time measuring the extent of the problem.
This... is a bit of a bombshell:
Software is eating the world. Meanwhile, Microsoft is eating the software world… one acquisition at a time.
A severe security vulnerability impacted all popular npm package managers: npm, yarn and pnpm, and even triggered a release for Node.js 12.4.0. What is behind this vulnerability and why is it so important for us to understand? I wrote about it in a post that also explains how npm handles executables.
As of npm 6.13, maintainers can add a funding field to their package.json (which works very much like GitHub’s FUNDING.yml) and users can run npm fund to see how they can support their dependency authors.
Darcy Clarke had this to say about the feature on npm’s blog:
Post install you will now see output that describes the number of packages that have defined funding information. You can opt-out of this prompt by using the --no-fund flag if you so choose.
At the end of August, we made a promise to the community to invest time & effort to better support package maintainers. This work is just the first, small step toward creating a means/mechanism for a more sustainable open source development ecosystem.
shoulders is a simple script that lists open issues of your project’s open source dependencies. Simply run it inside of a JS project:
Modern software is built on the shoulders of giants—take a moment to contribute back 💛
Bryan Bogensberger (CEO of npm) writes on npm blog:
Over the past couple of years, we’ve observed a number of models emerging that enable a path towards sustainability for Open Source maintainers. Most notably: OpenCollective & GitHub Sponsors. We at npm are in full support of both these initiatives, and intend to collaborate further with these organizations.
Now we are ready to invite the community’s most active contributors and the biggest enterprise consumers of public open source code to a working group to finalize the platform’s definition.
Send questions/comments to firstname.lastname@example.org, or discuss your thoughts right here.
I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?
The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post:
Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.
By one account, former npm CTO C J Silverio’s talk “rocked JS Conf EU over the weekend”. If you know some of the history and are already familiar with the challenges of centralization, scrub to the end for the BIG announcement.
- Avoid publishing secrets to the npm registry
- Enforce the lockfile
- Minimize attack surfaces by ignoring run-scripts
- Assess npm project health
- Audit for vulnerabilities in open source dependencies
Click through for those tips plus 5 more and a downloadable cheat sheet. Good stuff 👍
Install npm dependencies that run natively in the browser… without a bundler!
In this post, Isaac shares some backstory and details about this transition:
Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months.
Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.
See what happens when a rogue evil dependency explores ways to attack the developer, server, the end user, plus other examples.
Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, …
It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.
If you already know what save-exact, npm ci, npm audit fix, npx, updtr, and NVM_SYMLINK_CURRENT do, maybe skip this post. If not, check it out!
Contribute your insights to the 2018 npm survey and help to evolve and improve tools, services, and the ecosystem.
Do you have packagephobia? Maybe you should… If you don’t, you just might after using this tool:
Package Phobia reports the size of an npm package before you install it. This is useful for inspecting potential dependencies or devDependencies without using up precious disk space or waiting minutes for npm install. Ain’t nobody got time for dat.
Add git-authors-cli to your release process and never worry about updating the authors list again.
Imagine all your components organized on the cloud, made discoverable for your team and synced in all your projects. That’s Bit.
This could be a game changer if they drill the management side of sharing your UI components. Intrigued? Watch the demo video to see what it’s all about.
Yarn and npm were discussed in-depth on JS Party #29. Spencer writes on the Mixmax blog:
We tested that this flow with npm 6 would work for our needs and we suggest you do too. If you need the absolute fastest package manager, then you may still find Yarn to be best. But if you’re looking to simplify your setup, we’ve found that npm 6 recaptures a critical balance between speed and reliability.
Spencer and team also shared deyarn, a command-line tool for converting your projects from Yarn to npm.