This just in: JavaScript uses memory.

I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...

GitHub's product leadership sure knows how to piss off developers these days

To recap, NPM allows 2FA TOTP token reuse within the token’s validity window. I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.” So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/

Looking for a maintainer. Good opportunity if you want to manage a library with a lot of users cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?

Who's going to be in Las Vegas this week for AWS re:Invent? Let's chat packages & supply chain security if you're here!

The top licenses published on #npm . Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]

🚀 Here is @vlt.sh take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build #javascript #nodejs #packages

Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors. arstechnica.com/security/202...

Hello Internet @darcyclarke.me @wesbos.com

If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...

Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs

Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out. Join me and check them out: www.vlt.sh

👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢

Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.

A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid. A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why. 🧵

Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.

To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction. I'll be auctioning an exclusive wagyu BBQ at my house for up to 15. Join us and ideally offer more donations! All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com

Just tested and it works with varlock.dev!

please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨ ... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏

A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...

Been working with @pi0.io on a great DX for the upcoming v3 of @nitro.build Stay tuned ⚡︎

Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected. Meet the new vlt client `:host()` Query selector: blog.vlt.sh/blog/host-co... #javascript #nodejs #packages

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor. Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

ℹ️ Don't know who needs to hear this but npm has had a --before=<date> flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v… Setting a relative date is easy w/: $ npm install --before="$(date -v -7d)" # & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re

These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies. cc: @campuscodi.risky.biz

Good credentials != Good code...

Do not update to @ctrl/[email protected]. It has malware that is currently live on npm.

Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW. It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.

Typical day in life of a web dev

⚡ Point. Click. Discover. 🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).

🔥 Just your yearly reminder that the JS ecosystem could be much worse off... stuck in the *first level* of "Dependency Hell" like many other ecosystems with minimal options/diversity... lucky for us, we get to face much hotter problems 😉

🚨 If you think you might be effected by the nx compromise please revoke the GitHub CLI Authorized OAuth App: github.com/settings/con... Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.

🚀 New query-powered @vlt.sh commands just dropped! See how to release subsets of your packages with the new version, pack, and publish commands, all backed by the powerful dependency selector syntax.

🚀 Dependency Selector Syntax can now be used across @vlt.sh commands like run, exec, and pkg! This enables precise filtering when running scripts, executing commands, or getting package info. You have access to the whole graph! Read more about how it works and some example use cases:

🚀 @vercel.com now supports vlt in builds with zero config: vercel.com/changelog/vl... @vlt.sh

🚀 Excited to announce another major addition to the @vlt.sh client: Graph Modifiers! Graph Modifiers enable fine-grain customization of your install using our powerful Dependency Selector Syntax ⚡️ Read more about it here: blog.vlt.sh/blog/introdu... #javascript #nodejs #packages

Congrats to @slev.life who did the hard work and made @shiki.style's JS engine compatible with 100% of the built-in languages! github.com/shikijs/shik...

💬 @vlt.sh is starting Weekly Community Sync calls today (in ~5min actually); here's the deets: 📝 Agenda: github.com/vltpkg/vltpk... 🎙️ Join: recording.vlt.sh 🔴 Watch... On Riverside: recording.vlt.sh On YouTube: www.youtube.com/@vltpkg/live Excited to build together!

🚀 We just shipped catalog support to @vlt.sh! If you go grab the latest version you can now install & manage dependencies with pnpm-like catalog definitions (ex. `vlt i typescript@catalog:dev`). You can read more here: blog.vlt.sh/blog/catalog...

We're looking for a Senior Backend Engineer to join our team at @vlt.sh based here in Toronto 🇨🇦 at our HQ. If you love JavaScript & open source this may be right up your alley. Please share if you know anyone who would be a great fit. www.linkedin.com/posts/darcyc... #javascript #nodejs #packages

Posting a job to LinkedIn is a dumpster fire 💩🔥 I don't know how they're still running their opaque pricing racket. Apparently, if you have a "hot" job title (ie. ANY at all right now) then you MUST pay for a "promoted" posting 🤨 Think Uber's surge pricing but drivers are paying & MUST pay to drive.

Watching @bizza.pizza speak at @github.com HQ like it's early 2020... only took 5+ years & me quitting to finally see the inside of this office 🤦🏻‍♂️ Continue Dev landed a good one

ℹ️ I'm in 🇺🇸 SF all this week for the ai.engineer conference; if you're around DM & let's hang.

JSR now supports @vlt.sh 🎉

⚡️📦 Wherever your packages are, we're there... `$ vlt i jsr:@hono/hono`

$ vlx all-the-things

vlt client: query package data for security information (provided by Socket) @ruyadorno.com @vlt.sh blog.vlt.sh/blog/insight... #ECMAScript #JavaScript

🚀 The @vlt.sh team just launched real-time dependency analysis powered by Socket! Developers can now explore supply chain risks directly in their graph, with rich security metadata from Socket built in. More on the integration → socket.dev/blog/vlt-lau... #JavaScript

🚀 Querying dep graphs w/ @vlt.sh is even more powerful today w/ the introduction of @socket.dev's first-class security insights. There's 30+ new selectors & all kinds of data to explore. For Automation/CI purposes we've also added a new `--expects-results=<numeric>` flag to `vlt query`. Try it out!